ECSH33520 - Record keeping

Introduction

During a compliance check, you should confirm what procedures the business follows for keeping records that have been obtained for the purposes of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

The requirements for record keeping are set out in regulation 40 of MLR 2017 and you can read full details in ECSH 63620 Regulation 40 Record keeping including what records must be kept and how long they must be kept for.

There are several factors you must consider when testing a business’s record keeping such as:

  • the types of records
  • the format of the business records
  • where the records are stored
  • the record retention periods
  • whether any records are subject to legal professional privilege

These are discussed below in more detail.

Types of records

It’s important that you establish the types of records held by the business to determine whether the business is meeting its record keeping requirements. You must refer to sector specific guidance in ECSH50000.

Some questions you could consider asking about the types of records include:

  • what documentation is raised, issued or received during the course of a transaction or business relationship?
  • what records of identity checks, other customer due diligence (CDD) and monitoring are kept?
  • how are records relating to reliance arrangements (either relying on another relevant person to hold its CDD records or being relied upon) maintained? See ECSH33550.
  • does the business have CCTV cameras or other recording devices which record customers transacting with the business?
  • how is each record created (manual/automated)?
  • who is responsible for creating them/retaining/archiving them?
  • when are they created/deleted?

You should ask the business to explain the progress of a transaction from beginning to end  to ensure you understand, and record details of, all of the different types of records used – from receipt of a customer’s instruction to payment for completion of the transaction or service. You can then use this when testing transactions, to know what specific documents to ask for. Regulation 40(2) covers the different types of records which must be kept as detailed below:

  • Records kept under regulation 40(2)(a)

As required by regulation 40(2)(a), the business must keep any records obtained as part of its CDD measures under regulation 28(2) to (6) and (10) or reporting discrepancies in registers measures under regulation 30A.

Case study 1: an accountancy service provider (ASP) collects a copy of a customer’s passport and a utility bill as part of its CDD procedures. The ASP also conducts a check against the HM Treasury consolidated sanctions list. These records (copies of passport, the utility bill and results of the check against the sanctions list) are part of the ASP’s CDD procedures and therefore must be kept under regulation 40(2)(a).

  • Records kept under regulation 40(2)(b)

As required by regulation 40(2)(b), the business must keep sufficient supporting records in respect of a transaction which is the subject of CDD or ongoing monitoring to enable the transaction to be reconstructed (creating an audit trail).

Case study 2: an art market participant (AMP) has sold a painting for more than 10,000 euros. The AMP organised the shipping of the painting overseas on behalf of the client. The AMP received the shipping documents from the freight forwarder used to export the painting. The shipping documents confirm that the art was shipped to the person on whom the CDD checks have been carried out. They therefore form part of the supporting records which will enable the transaction to be recreated and must be kept under regulation 40(2)(b).

Case study 3: during your compliance check of a high value dealer (HVD), you identify multiple bank transfers into the HVD’s business bank account from the same account number. You ask the business to explain these regular transfers and the director says that he gets cash paid into his personal bank account by his customers to avoid bank charges, he then transfers the money from his personal bank account to the HVD’s business bank account. The director’s personal bank statements form part of the HVD’s audit trail and must be kept under regulation 40(2)(b).

For details of how long each type of record must be kept for, see heading “Record retention periods” below.

Format of records

From your initial review and through questioning, you should establish whether the business records are stored manually (paper copies), digitally or a mixture of both. You will need to consider the format of the records when you come to test that the business has sufficient record keeping procedures in place and that the record keeping procedures are working in practice.

You must consider the specific circumstances of the business, ensuring that the records you ask for are reasonably required to complete your check.

For records which are digital and stored in IT systems, you should consider how you will request to see these records. You might need a data handler to extract the information from the business’s IT system..

Some questions you could consider asking about the format of records include:

  • are the records paper copies, digital copies or a mixture of both?
  • where are the records stored? Are they held off-site? If so, how does the business refer to the information, for example for ongoing monitoring purposes.
  • are they stored securely? Who has access to the records?
  • when and how are records archived? Is there a charge to retrieve them?
  • for paper copies, what happens if there’s a fire or flood?
  • for digital copies, are they backed up? If so, how and when are they backed up?

If the business operates from a number of premises or branches, establish what happens where, and where both the transaction and CDD data is held. For example, are records retained in the branch or transferred to head office?

You may need to consider if records are held in multiple places, including those held by a third party or overseas.

Records held by a third party or overseas

Where there is a reliance arrangement, the person relied upon must immediately make available any CDD records (shown at regulation 40(2)(a) above) to the business.   

If you establish that records are held by another third party, you must ask details regarding the arrangement and consider the best way to access the records.  You should discuss this with the business and decide whether you need to use powers under regulation 66 of MLR 2017 to require a person to produce a document.  See ECSH71500.  Regulation 66(8) extends the power to a third party where it appears that the document is in their possession.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

If you believe records are kept overseas, see ECSH33735.  

It is important to remember that a business must maintain systems which enable it to respond “fully and rapidly”to enquiries from law enforcement agencies as to whether it maintains, or has maintained during the previous five years, a business relationship with any person, and the nature of that relationship – regulation 21(8) refers. Where you encounter difficulties or delays in accessing records, you must ask the business to explain how it meets this requirement.

Records stored using systems/software provided by external companies

Where records are stored electronically, and the business uses software or a system from an external company to hold the records, you must consider whether the business can access them if they were to stop using that company or the company were to cease trading. This is likely to be applicable where the business uses an independent identity provider or carries out customer verification using a credit reference agency as part of its customer due diligence procedures.

Some of these third parties provide a secure link to access the customer details and anti-money laundering reports. If you are offered a link, you should ask the business to access it and show you the documents held; you should not access the link yourself. Make sure you record sufficient detail to be able to describe the checks carried out, see ECSH33715. 

You must not endorse any external companies offering these services. It is the business’s decision as to whether they choose to use the services of an external company. It is for the business to check it meets their requirements, including data protection, and consider the support/aftercare the company provides should issues arise.

Record retention periods

There are different record retention periods depending on the types of records, and whether the records have been obtained as part of a business relationship or as an occasional transaction. You should have gained sufficient understanding of the business’s activities through your initial review and through questioning, to understand the relationship with customers.

A business may also be required to retain records for other statutory reasons, for example for tax purposes. Guidance published on GOV.UK will explain the record keeping requirements relating to specific taxes and duties. If the business explains it is required to keep records for any other purpose, ask for details of the types of records which must be retained. If the records relate to personal data, discuss with the business how it meets GDPR obligations.

For occasional transactions, a copy of any documents and information obtained to satisfy the CDD requirements, and transaction records must be kept for 5 years beginning from the date a transaction is considered to be complete.

For example, an art gallery registered as an art market participant (AMP) sells a painting to a customer and arranges for it to be framed and installed in the customer’s home. The customer receives an invoice for the painting and the additional services to be provided by the gallery at the time of the sale. The gallery takes an initial payment by credit card, as well as a copy of the customer’s driving licence to verify their identity. A payment plan is arranged to pay the outstanding balance in 4 equal monthly instalments. Once full payment is received, the artwork is installed in the customer’s home. There is no further contact expected by the gallery. In this scenario, the CDD records must be kept for 5 years from the date the artwork was installed. Until that point, the transaction is not complete. The invoice, instalments by bank transfer shown in the business’s bank statements, and the original credit card receipt support the transaction and must also be kept. However, these will need to be kept for at least 6 years, for VAT purposes, whereas the CDD information must be deleted after 5 years.

For business relationships, a copy of any documents and information obtained to satisfy the CDD requirements, and transaction records must be kept for 5 years beginning from the date a business relationship ends. Transaction records don’t have to be kept for more than 10 years if they form part of a business relationship.

For example, a trust or company service provider (TCSP) has had an ongoing business relationship with a customer since 1999. CDD checks were carried out when the relationship commenced, and ongoing monitoring checks have been carried out annually to ensure the customer’s information hasn’t changed. The business relationship ended in December 2022; therefore, all of the CDD and ongoing monitoring records must be kept until December 2027 and then deleted. However, records relating to the specific services carried out between 1999 and 2012 can be deleted.

Regardless of whether it was an occasional transaction or a business relationship, personal data (that which identifies a natural person)obtained by the business as required by MLR 2017must be deleted after the period described above has expired. There are exceptions to this where the business is required to keep it for other reasons as per regulation 40(5). For example, the business may have obtained the customers’ consent for retaining the data or has kept the records as part of legal or court proceedings or to meet other legal requirements.

Remember, the business is only required to keep the records from the date it was required to be supervised by HMRC for anti-money laundering purposes. For example, an art market participant was only required to obtain and keep CDD and supporting records from 10 January 2020 for relevant activity that occurred on or after this date. The dates differ between sectors, see ECSH82796.

You may also need to consider the timings of the business relationship and occasional transactions in relation to the regulations in effect at the time. For example, if the business entered into a business relationship with a customer prior to 15 December 2007 (the date The Money Laundering Regulations 2007 came into force) there was no requirement to carry out CDD and therefore no requirement to obtain or keep records.

Some questions you could consider asking about record retention periods include:

  • how long are records kept for?
  • when are CDD records including personal data deleted?
  • when are transaction records deleted?
  • how are records deleted?
  • how do you know which records to delete and when to delete them?
  • for ongoing monitoring of a business relationship - ECSH 33375, Ongoing monitoring - are all records retained or are previous CDD records deleted?
  • If there is a reliance arrangement in place, how does the business ensure that CDD records are retained for the required period?

If the business says that the records are kept longer than the required period, ask what the reason is for this. For example, if a business says that it never deletes any records, you must ensure that it is aware of its obligations under GDPR in relation to client data and information -  ECSH33575 Data protection.

Records subject to legal professional privilege

If the business claims that you are unable to view a record because it is subject to legal professional privilege (LPP - where it has sought legal advice), make a note of the records you asked to view and what the business has said, continue with your visit and raise this with your team leader and the sector specialist on your return to the office.

As set out in regulation 72, a business may not be required to provide information, produce documents or answer questions if it is subject to LPP. Economic Crime- Supervision (EC-S) are waiting for a policy position with regards to this. In the meantime, follow the guidance in the Compliance Handbook, and ask the business to provide a list of each document or type of document that is being withheld for the purposes of LPP. This will enable ECS to challenge the claim of LPP where appropriate. The guidance in the Compliance Handbook includes suggested wording to use. You will then need to raise an Advice Request, to obtain further advice.

Please note, if you have issued a notice under regulation 66, 69, or 70, see ECSH 70000, that the business may not have breached the information notice and may not be required to produce the information, or documents requested where the records are subject to LPP.

Non-compliance with record keeping requirements

If a business is unable to provide you with records relating to a customer because it did not carry out any CDD checks, there is not a record keeping breach under regulation 40(2)(a) because the CDD records don’t exist.

Similarly, if a business provides CDD records dated after your compliance check has started, you must confirm if it carried out any CDD measures before establishing the business relationship or completing the transaction and ask to see records of those previous checks.

If CDD checks were not carried out, you must establish the reasons why, in order to consider where the breaches lie in relation to CDD and the timing of verification - see ECSH33300 Testing customer due diligence].

If records have been lost, for example due to fire or flood, you should consider the Compliance Handbook guidance for Reasonable Excuse. You should establish the circumstances of the incident, exactly which records were lost, the period covered and, if appropriate, details of any subsequent insurance claim. If the business advises that records were stolen, in addition to the above, you should also obtain a copy of the crime reference number when the incident was reported to the Police. You may be able to select a different period or alternative records to continue with your compliance check. It may also be possible to recreate transactions from other records available. You should consider whether the business has taken appropriate steps to ensure regulation 40 is complied with, for example if electronic records were backed up to a cloud (and which should be retrievable) or if paper records (especially personal data) were held in a secure location.

Where you establish that the business:

  • has not kept records for the period required or
  • has kept records longer than the periods required

you should tell the business that there is a breach of regulation 40 of MLR 2017, and it needs to correct the breach as soon as possible.

Where the business has kept records longer than the periods required, you should tell the business that it must delete any records set out in regulation 40(2) obtained for the purposes of MLR 2017 unless the business is required to keep them for the purposes specified in regulation 40(5) of MLR 2017. You should also remind them of their data protection obligations under regulation 41.

You must also consider any corresponding breaches such as a breach of regulation 19 where the business hasn’t established appropriate record keeping procedures or hasn’t followed (maintained) its procedures – see ECSH33210.

You must establish how and why any breaches occurred in order to consider if the business took reasonable steps to comply - see ECSH34005  before considering if a sanction is appropriate.