AML record keeping, like any type of record keeping, can be a tedious task that gets pushed down the list of daily duties. However, it is a core part of your AML compliance programme, and it will pay in the long run to get this essential task right.
Staying organised and ensuring you include the required information in your records will make life easier when working with regulators and will help avoid the pain of non-compliance. Here are the essentials of record keeping to help you stay on track.
AML record keeping requirements
Think about everything you do for customer due diligence (CDD): every task, every check. As a basic starting point, if you have done your CDD right, you will have the documents needed for a large proportion of your record keeping requirements.
You will need to keep records on:
- Your customer and how you identified them
- The beneficial owner and how you identified them
- Any persons acting on behalf of your customer, and how you verified their identity, i.e., proof of address
- Source of funds
- Nature of transactions
- Company records and extracts
You’ll refer to these records to help understand whether your relationship with the client has changed over time, whether more risk has been introduced, and whether you need to do additional or different due diligence to mitigate the risk.
These will also be key documents that the regulator will examine to ensure you have the necessary records to be able to understand the changing nature and purpose of client relationships.
While the above are a key part of your AML record keeping, you’ll also need to include records of other parts of your compliance programme.
What else to include in your records:
- Documents showing how you have assessed and recorded risk
- Reports of suspicious activities
- Your AML/CFT Risk Assessment and programme updates and reviews
- Transactions and monitoring of transactions so they can be reasonably reconstructed at any time as per section 49 of the AML/CFT Act
- Any other records obtained in your business relationships
What to monitor
If you have an ongoing relationship with a client and you deal with them a lot, you need to go back and review records regularly. You might review a high-risk client more often than a low-risk one.
Look at what work you started with a customer and whether the nature of activity has changed. Assess whether the new activity means their risk profile should change, and whether or not the information recorded is still up-to-date.
A robust CDD programme is at the heart of everything we do and part of that CDD is ongoing due diligence. Without comprehensive records you can’t carry out ongoing due diligence which means robust record keeping is essential to maintaining ongoing compliance.
This is something MT Global would have done well to remember before receiving a hefty 23 million GBP fine for, in part, breaches related to record keeping. CLSA Premium Auckland branch may also have been able to avoid a large fine in 2021 if correct due diligence measures were in place and accurate records of transactions had been kept.
How to store your records
You need to be able to show how you store records and demonstrate records can be accessed at the request of an auditor or supervisor. Best practice is to:
1. Store electronically
If you can, store all your records electronically. This will make your life a whole lot easier than relying on physical copies, and regulators increasingly expect to be able to review electronic records for entities.
There is also a risk of files being lost or forgotten if physical files are stored offsite and staff move on.
2. Restrict access
Not everybody in your company needs access to records, so restrict it. Generally, compliance officers would have full access but other staff should only have access to their clients.
3. Separate SARs
Any records that are kept on suspicious activity or relate to investigations should be kept separately from customer files so that inadvertent tipping off can’t happen.
If CDD is being done on a client and something is suspicious, you might tell the compliance officer but not necessarily the client account manager, as it could be hard for them to manage their client relationship if they suspect the client is involved in illegal activity.
4. Know your privacy requirements
All entities need to abide by the Privacy Act 2020, and in addition your company may have its own rules around confidentiality that you need to follow.
5. Ensure secure destruction
Records must be kept for 5 years and then they must be destroyed. Note, you might need to keep them for longer if requested by the Police Commissioner.
To destroy records, you should use a secure destruction service or ensure permanent deletion from electronic sources.
Note, regulators will check records are being destroyed properly. And, if a regulator sees records are being held for too long, they will question why. Some companies will need to hold some records for longer than 5 years, e.g., accountants may need to for tax reasons, but AML-specific records should be destroyed after the requisite period of time.
Accurate AML record keeping is good for compliance and good for business. It means you can understand the changing nature and purpose of relationships with clients and can identify areas of risk. It may take a little time to ensure records are kept accurately, but doing so makes life easier when managing supervisor visits or audits, and can help improve efficiency and reduce costs to your business.