Record-keeping and Retention

Record-keeping and retention are critical components in the context of anti-money laundering (AML) and combating the financing of terrorism (CFT). The legal framework governing these processes has evolved through various directives and national laws, notably the 4th and 5th EU Anti-Money Laundering Directives (AMLDs) and the German Money Laundering Act (GwG), along with interpretations provided by the Federal Financial Supervisory Authority (BaFin) in Germany.

What, Who, Why, When, and Where?

What are Record-Keeping and Retention?

Record-keeping in the AML/CFT context involves maintaining detailed records of all transactions and customer-related information that financial institutions and other obliged entities handle. Retention refers to the period during which these records must be kept before they can be legally disposed of.

Who is Obligated to Maintain These Records?

Obliged entities under these regulations include financial institutions such as banks, as well as real estate agents, auditors, accountants, legal professionals, and any other professionals involved in transactions that could potentially be used for money laundering or terrorist financing.

Why are Record-Keeping and Retention Important?

The primary purpose is to prevent, detect, and investigate money laundering and terrorist financing. Maintaining detailed records ensures transparency in financial transactions and aids in identifying suspicious activities. It also helps in the scrutiny of customer profiles and their transaction history over time.

What Specific Records Must be Kept?

Under the 4th AMLD:

  • Customer due diligence (CDD) information, including copies of documents used for verifying the identity of customers.
  • Transaction records and evidence, with a particular emphasis on original documents or copies admissible in judicial proceedings.

Under the 5th AMLD:

  • Enhanced emphasis on electronic identification means and trust services for CDD.
  • Records related to centralised mechanisms for identifying bank and payment account holders.

Under the German GwG and BaFin Guidance:

  • Information about contracting parties, beneficial owners, and persons acting on their behalf.
  • Implementation and results of risk assessments.
  • Details of transactions, including proof of transaction documents.
  • Reasons and justifications for assessment outcomes related to reporting obligations.

When Must These Records be Retained?

The retention period is generally five years after the end of a business relationship or the date of an occasional transaction. However, there are certain nuances:

Under the 4th and 5th AMLDs:

  • A possible extension of retention for up to five additional years is permissible under certain circumstances.
  • Specific provisions for ongoing legal proceedings as of June 25, 2015.

Under the German GwG and BaFin Guidance:

  • Flexibility in retention periods ranging from five to ten years, accommodating varying legal requirements.
  • Obliged entities must destroy records after a maximum of ten years.

Where Must These Records be Stored?

Records can be stored physically or digitally. Digital storage must ensure data consistency, availability during the retention period, and readability within a reasonable period. Moreover, for digital records, specific security measures against unauthorized access are imperative.

Additional Considerations

  • Data Protection: Adherence to data protection laws is crucial, particularly when dealing with personal customer information.
  • Access by Authorities: Records must be accessible to regulatory and law enforcement agencies upon request, within the bounds of legal provisions.
  • Presentation to Public Bodies: In Germany, obliged entities must facilitate the legibility of records for public bodies, including providing necessary tools or reproducing documents as required.

4th AMLD

Article 40 of the 4th AMLD (Directive (EU) 2015/849) addresses the requirements for record-keeping and retention by obliged entities for preventing, detecting, and investigating money laundering and terrorist financing. Here’s a summary focusing on the key aspects:

Retention of Documents and Information

  • Obliged entities are required to retain specific documents and information for a set period.
  • This includes customer due diligence documents (necessary to comply with the requirements in Chapter II) and records of transactions.
  • The retention period is five years after the end of a business relationship or the date of an occasional transaction.

Types of Records

  • For customer due diligence, a copy of the necessary documents and information should be retained.
  • For transaction records, supporting evidence and records should be kept. These can be original documents or copies admissible in judicial proceedings as per national law.

Expiration of Retention Period

  • After the retention period expires, obliged entities must delete personal data unless national law specifies otherwise.
  • National law may allow or mandate further retention of data for up to five additional years, but this requires a thorough assessment of the necessity and proportionality for preventing, detecting, or investigating money laundering or terrorist financing.

Special Provision for Ongoing Legal Proceedings

  • If legal proceedings related to suspected money laundering or terrorist financing were ongoing on 25 June 2015, and an obliged entity holds relevant information, they may retain it for five years from that date.
  • Member States may allow or require further retention for an additional five years, provided the necessity and proportionality for this retention are established.

5th AMLD

The amendment to Article 40 (1) of the 4th AMLD, as introduced in the 5th AMLD (Directive (EU) 2018/843), focuses on enhancing the specifics of record-keeping and retention related to customer due diligence. Here’s a summary of the key points:

Enhanced Requirements for Customer Due Diligence Records

  • The amendment specifies that copies of documents and information necessary for customer due diligence must be retained.
  • Notably, this includes information obtained through electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014, or other secure, remote, or electronic identification processes that are regulated, recognized, approved, or accepted by relevant national authorities.

Retention Period

  • The required retention period remains five years after the end of a business relationship with a customer or after the date of an occasional transaction.
  • This retention period, including any further retention period not exceeding five additional years, is also applicable to data accessible through centralised mechanisms referred to in Article 32a.

Broader Scope of Retention

  • The amendment broadens the scope of information retention by including advanced electronic and remote identification methods.
  • This change reflects the increasing use of digital identification technologies in financial transactions and the need for corresponding adjustments in anti-money laundering (AML) compliance.

Application to Centralised Mechanisms

  • The retention period is explicitly extended to apply to data accessible through the centralised mechanisms mentioned in Article 32a.
  • This implies that information held in these centralised systems is subject to the same retention rules.

German GwG

Section 8 of the German GwG (Money Laundering Act) sets out specific requirements for record-keeping and retention.

Record-Keeping Requirements

  • Obliged entities must record and retain data and information collected during due diligence, which includes:
    • Details on contracting parties, their representatives, and beneficial owners.
    • Information on business relationships and transactions, especially transaction documents.
    • Information on the implementation and results of risk evaluations.
    • Results of examinations as per specific sections of the GwG.
    • Reasons and evaluations related to reporting obligations.

Specifics of Record-Keeping

  • Records include measures taken for identifying beneficial owners and documenting ownership and control structures.
  • In cases where persons are deemed beneficial owners, measures for verifying identity and any difficulties encountered in the process must be recorded.
  • Details such as type, number, and issuing authority of identity verification documents must be recorded.
  • Obliged entities have the right and the duty to make copies of, or to digitize, identity verification documents.
  • Obliged entities must record details of video and audio recordings made to meet due diligence requirements.
  • Specific details like service and card identifiers, and proof of electronic identity, must be recorded.

Digital Storage

  • Records can be stored digitally, ensuring consistency with collected data, availability during the retention period, and readability within a reasonable time.

Retention Period

  • Records and evidence must be retained for five years, unless other statutory provisions stipulate a longer period.
  • All records must be destroyed after no more than ten years.
  • The retention period begins at the conclusion of the calendar year in which the business relationship is terminated or the information was gathered.

Readability of Documents

  • If documents are required to be presented to a public agency, their readability must comply with section 147 (5) of the Fiscal Code.

BaFin-Interpretation and Application Guidance on the German GwG

The BaFin Interpretation and Application Guidance on the German GwG provides detailed guidelines on the record-keeping and retention obligations under section 8 of the GwG.


Obliged entities must record and retain the following:

  • Information Collected for Due Diligence:
    • Details about contracting parties, persons acting on their behalf, and beneficial owners.
    • The information includes measures taken to identify the beneficial owners of legal persons.
    • It covers business relationships and transactions, especially documents proving transactions.
    • This applies to information collected directly or obtained from third parties under section 17 (1) and (5) of the GwG.
  • Risk Assessment Implementation and Results:
    • Information regarding the execution and outcomes of risk assessments as per sections 10 (2), 14 (1), and 15 (2) of the GwG.
    • Includes details about the suitability of measures based on these results.
  • Results of Examinations and Assessment Outcomes:
    • Results of examinations under section 15 (6) no. 1.
    • Reasons and explanations for the assessment outcome related to reporting obligations under section 43 (1) of the GwG.

Special Provisions

  • Identity Verification for Natural Persons:
    • Record type, number, and issuing authority of identification documents.
  • Complete Copies of Identification Documents:
    • Obligation to make complete copies or digital versions of identification documents.
    • Covers cases where documents are necessary for verification of a legal person’s identity.
    • For existing customers, new copies or records are not needed unless updating information.
  • Recording of Repeat Identification Exceptions:
    • Record the name of the person and the fact they were previously identified, if repeat identification is omitted.
  • Electronic Proof of Identity:
    • Record the service and card identifier for electronic identity verification.
  • Qualified Signature Verification:
    • Record the validation of identity verification by a qualified signature.
  • Information from Electronically Managed Registers:
    • A printout qualifies as a record for information collected from electronic registers or directories.

Digital Storage of Records

  • Records can be stored digitally, provided they:
    • Match the collected details and information.
    • Are available throughout the retention period.
    • Can be made readable within a reasonable time.

Retention Period

  • General Retention Period:
    • Five years, starting from the end of the calendar year in which the business relationship ends or the transaction occurs.
  • Exceptions:
    • Longer retention periods may apply based on other statutory provisions.
  • Maximum Retention Limit:
    • Records and documents must be destroyed after a maximum of ten years.

Presentation to Public Bodies

  • Obliged entities must provide necessary tools to public bodies to render documents legible.
  • Upon request, they must print out or produce legible reproductions of the documents.