Applied logic and re-read everything that I read yesterday and 5 years is a suitable retention period.
Shredder at the ready!
RECORD KEEPING

Why may existing document retention policies need to be changed?
What should be considered regarding retention policies?
What considerations apply to SARs and consent requests?
What considerations apply to training records?
Where should reporting records be located?
What do businesses need to do regarding third-party arrangements?
What are the requirements regarding the deletion of personal data?

7.1 Why may existing document retention policies need to be changed?

7.1.1 Records relating to CDD, the business relationship and occasional transactions must be kept for five years from the end of the client relationship.

7.1.2 All records related to an occasional transaction must be retained for five years after the date of the transaction.

7.1.3 The 2017 Regulations do not specify the medium in which records should be kept, but they must be readily retrievable.

7.2 What should be considered regarding retention policies?

7.2.1 Businesses must be aware of the interaction between MLTF laws and regulations with the requirements of the Data Protection Regime. The Data Protection Regime requires that personal information be subject to appropriate security measures and retained for no longer than necessary for the purpose for which it was originally acquired.

7.3 What considerations apply to SARs and consent requests?

7.3.1 No retention period is officially specified for records relating to: internal reports; the MLRO’s consideration of internal reports; any subsequent reporting decisions; issues connected to consent, production of documents and similar matters; suspicious activity reports and consent requests sent to the NCA, or its responses.

7.3.2 Since these records can form the basis of a defence against accusations of MLTF and related offences, businesses may decide that five years is a suitable retention period for them.

7.4 What considerations apply to training records?

7.4.1 Businesses must demonstrate their compliance with regulations that place a legal obligation on them to make sure that certain of their relevant employees are, (a) aware of the law relating to MLTF, and (b) trained regularly in how to recognise and deal with transactions and other events which may be related to MLTF.

7.4.2 These records should show the training that was given, the dates on which it was given, which individuals received the training and the results from any assessments.

7.5 Where should reporting records be located?

7.5.1 Records related to internal and external SARs of suspicious activity are not part of the working papers relating to client assignments. They should be stored separately and securely as a safeguard against tipping off and inadvertent disclosure to someone making routine use of client working papers.

7.6 What do businesses need to do regarding third-party arrangements?

7.6.1 A business may arrange for another organisation to perform some of its AML related activities – CDD or training, for example. In which case, it must also ensure that the other party’s record keeping procedures are good enough to demonstrate compliance with the MLTF obligations, or else it must obtain and store copies of the records for itself. It must also consider how it would obtain its records from the other party should they be needed, as well as what would happen to them if the other party ceased trading.

7.7 What are the requirements regarding the deletion of personal data?

7.7.1 Regulation 39(4) of the 2017 Regulations requires that once the periods specified in 7.1 of this guidance have expired, the business deletes any personal data unless: The business is required to retain it under statutory obligation, or the business is required to retain it for legal proceedings, or the data subject has consented to the retention.

7.7.2 The business is not required to