Record keeping
Record-keeping, as referred to in this document, means the documentation the firm is required to retain for AML compliance purposes. Those records are specified in regulation 40 of MLR 2017, essentially being the documents and information obtained to:
- satisfy the customer due diligence (CDD) requirements of regulation 28 and regulations 33 to 37 (in respect of enhanced due diligence), and
- support a firm’s duty to report discrepancies in registers, set out in regulation 30A.
In addition, a firm must keep sufficient records in respect of any transaction that was the subject of CDD measures or ongoing monitoring to enable the transaction to be reconstructed.
Why Record-Keeping is Essential
1. Regulatory Compliance
Accurate record-keeping and the appropriate retention of documents ensure compliance with MLR 2017 and POCA (in respect of suspicious activity). This, in turn, protects firms from enforcement action by supervisory authorities and the stress of having to remedy shortcomings while your clients are vying for your attention. Apart from possible financial penalties and the ability of a supervisory authority to restrict your right to practise, supervisory action may give rise to reputational damage.
2. Supporting AML Monitoring and Investigations
Appropriate record-keeping is an AML compliance requirement in itself. But adequately maintained records also provide critical evidence of compliance for your supervisory authority during an AML compliance visit or in the less likely scenario that the supervisory authority decides to investigate your firm on the basis of information it has received (e.g. through whistleblowing channels). If you have omitted to record sufficient information about a potential client, for example, you will find it difficult to demonstrate to your supervisory authority that your risk assessment was reasonable.
3. Risk Management
The UK government has an obligation to undertake a national risk assessment (NRA) to identify, assess, understand and mitigate the risks of money laundering, terrorist financing and proliferation financing affecting the UK. Taking the NRA into account, each supervisory authority must identify and assess the money laundering risks to which its supervised population is subject. Such information provided by your firm’s supervisory authority should feed into your firmwide risk assessment (FWRA).
Although not a specified requirement of MLR 2017, retaining copies of the latest NRA and information and guidance issued by your supervisory authority helps to demonstrate the steps taken to develop your FWRA. Retaining this risk management information will help your firm identify trends and red flags, monitor high-risk clients, and refine AML policies to address emerging threats. It can also form a basis for effective training of relevant employees.
4. Audit and Oversight
More generally, if records are maintained diligently, they can serve as a clear audit trail, not only demonstrating the firm’s commitment to AML compliance, but providing a basis for effective decision-making. Comprehensive records also evidence the decision-making process (e.g. in respect of client acceptance and the reporting of suspicious activity), which enables an AML Compliance Officer to reflect on decisions made when performing an internal compliance review.
Records to be Retained
The following records may be regarded as the minimum necessary to demonstrate compliance with MLR 2017:
1. Client Due Diligence (CDD):
It is worth reminding ourselves that a firm is required to apply CDD measures (reflecting the assessed risk) whenever it:
- establishes a business relationship,
- suspects money laundering or terrorist financing, or
- doubts the authenticity (or adequacy) of documents or information previously obtained for the purposes of CDD.
CDD measures must also be applied to existing customers at other times, on a risk-based approach. In other words, CDD must be regularly reviewed in respect of higher risk clients, and whenever the firm becomes aware that the circumstances of a client have changed such that the risk assessment of that client may have changed.
For completeness, we should note that CDD must be applied if a firm carries out an occasional transaction amounting to the equivalent of 15,000 euro or more. However, an “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, and so this situation is unlikely to be relevant to your practice.
CDD measures are set out in regulation 28 of MLR 2017, and entail:
- identifying the client,
- verifying the client's identity, and
- understanding and assessing the intended nature of the business relationship.
In the case of an incorporated client, you would usually be required to determine and verify:
- the company’s name and registration number,
- the address of its registered office and principal place of business,
- the law to which the company is subject,
- the company’s constitution (e.g. its articles of association),
- the names of the directors,
- the names of the senior persons responsible for the company’s operations and anyone else purporting to act on behalf of the client, and
- the ownership and control structure of the company, including the company’s ultimate beneficial owner.
Similar provisions apply in respect of other types of entity, such as charities and trusts, and MLR 2017 sets out a firm’s CDD obligations if it has been unable to identify the beneficial owner.
MLR 2017 requires that any documents and information obtained by the firm to meet its CDD obligations must be retained. This includes evidence of enhanced CDD measures that may be required under regulation 33.
2. Transaction Records:
Regulation 40 specifies that detailed records must be retained in respect of any transactions (not just “occasional transactions”) that are the subject of CDD. Details of relevant transactions should include dates, amounts, the parties involved, the method of transferring the funds, and anything else known to the firm that could be relevant to the nature of the transaction.
3. Requirement to Report Discrepancies:
Documents and information specified by MLR 2017 to be retained include those necessary to meet the requirements of regulation 30A, relating to the requirement to report discrepancies in the registers maintained by the Registrar of Companies or HMRC. Broadly speaking, before establishing a business relationship with a company or LLP, a firm must collect an excerpt of the relevant register, including details of the company’s beneficial owners. Similar details must be gathered in respect of other entities, such as a trust.
The firm must report any material discrepancy between information gathered from the register and other information that has become available to the firm while carrying out its CDD processes when establishing the business relationship. It must do the same when undertaking ongoing monitoring and CDD (i.e. after the business relationship with the client has been established).
A material discrepancy in relation to a company or LLP must be reported to the Registrar of Companies, while a discrepancy in relation to a trust must be reported to HMRC. In this context, a “material discrepancy” is one described in Schedule 3AZA.
4. Risk Assessments:
The section of this guidance relating to firmwide risk assessments explains why the FWRA must be documented, including the steps taken to arrive at the overall assessment. In addition, as implied above, the money laundering and terrorist financing risk relating to each separate client is an important component of CDD, as the information gathered about the client and the ID verification processes must relate to that assessed risk. Naturally, you must document each client’s risk assessment and the rationale behind that assessment.
5. AML Policies and Procedures:
Regulation 19 of MLR 2017 sets out a firm’s requirement to have suitable policies, controls and procedures. It specifies that the firm must maintain a written record of those policies, controls and procedures, and keep that record up-to-date. It must also record the steps taken to communicate the policies, controls and procedures, and any changes to them, within the firm.
Record-Keeping for Suspicious Activity Reports (SARs)
As we have seen above, regulation 40 specifies that detailed records must be retained in respect of any transactions that are the subject of CDD, including where there is reasonable suspicion of money laundering or terrorist financing, or some doubt about the veracity of documents or information previously obtained. In many of these situations, reasonable suspicion may be reported internally to the firm’s Nominated Officer (or MLRO) and the need to submit a SAR to the NCA will be considered. The section of this guidance concerning the reporting of suspicious activity explains where the reporting obligations of an accountancy practice come from.
SARs are a critical component of the fight against organised crime, and critical to a firm’s AML compliance, as the reporting of suspicious activity is a requirement of POCA and the Terrorism Act. Proper documentation is essential as a means of protecting the firm (and individuals within it) from allegations of non-compliance and even allegations of money laundering or terrorist financing. Key considerations include:
Documentation: Relevant employees must understand how to make a high quality report to the Nominated Officer, including as much detail as possible about the transaction or circumstances giving rise to the suspicion. The documentation must also evidence the important factors considered, and the relevant discussions and consultation undertaken, in arriving at the decision to submit (or not to submit) a SAR. In addition to this documentation, the firm must retain copies of submitted SARs, as its supervisory authority has the right to inspect them.
Confidentiality: If a SAR is submitted, the firm should seek to maintain strict confidentiality to avoid the offence of tipping off. Similarly, on receiving an internal report of suspicious activity, the Nominated Officer should take care to consult only with appropriate people and explain to the person making the internal report the importance of confidentiality. So, clearly, the documentation relating to any suspicious activity must be stored securely, using encryption and access controls as appropriate. To be clear, the offence of tipping off is set out in section 333A of POCA. It occurs when either a SAR or an internal report of suspicious activity has been made, and a person (made aware of the suspicion through their work) discloses the report of suspicious activity such that the disclosure is likely to prejudice any investigation that might be conducted as a result of a SAR.
Retention Period
Simply put, the retention period is five years. In the unlikely event of an “occasional transaction”, the period runs from the date on which the transaction is complete. In respect of a transaction occurring as part of a business relationship, or any CDD measures taken in connection with a business relationship, the period runs from the date the business relationship came to an end. But in any event, you are not required to retain records relating to a transaction for more than 10 years.
Once the necessary retention period has expired, the firm must delete any records containing personal data, unless the firm is required to retain the records for the purpose of court proceedings or it has reasonable grounds for believing that the records should be retained for the purpose of legal proceedings. The definition of “personal data” is consistent with that in the Data Protection Act 2018, and so it is advisable to have data retention policies that are aligned to comply with both the Data Protection Act and MLR 2017.
Under certain circumstances, a relevant person (such as an accountancy or legal practice) may be relied upon by another relevant person to keep the records referred to above for the period required by MLR 2017. But these instances are rare.
Accessibility
Subject to the need for confidentiality concerning suspicious activity, records relating to AML compliance should be easily accessible by relevant employees, and ordered in such a way that they may be made available to a supervisory authority upon request. The firm’s AML Compliance Officer (or the compliance team) will require easy access to the records when undertaking an AML compliance review.
Best Practices for Effective Record-Keeping
Implement a Document Management System
Adopt a centralised, secure system for storing and managing records. Ensure that standard (but tailored) documentation is used consistently, that templates and completed documentation can be easily accessed, and that personal data and other confidential material are protected against data breaches.
Establish Clear Policies
Develop comprehensive, yet proportionate, record-keeping policies outlining:
- what records to retain,
- how records should be stored, and
- when and how records should be destroyed.
A system should operate to implement the firm’s data retention policy, ensuring compliance with the Data Protection Act and UK GDPR as well as MLR 2017.
Train Staff on Record-Keeping Requirements
Provide regular training to ensure employees understand the importance of record-keeping. This will include making them aware of the standard documentation and how to use it, where to file completed documentation, and whom to contact if in any doubt about their obligations. If the firm comprises several offices, consistency across all offices tends to enhance both efficiency and understanding across the firm.
Regulatory Guidance and Support
Supervisory authorities (including HMRC and many of the professional accountancy bodies) provide record-keeping resources in the form of standard templates and checklists. Some commercial organisations also provide effective solutions. But standard documentation will invariably need to be tailored to the needs and circumstances of your firm. Therefore, resources such as this Firmcheck guidance can provide (as part of your firm’s AML training) the understanding required to help tailor policies, procedures and documentation to the unique circumstances of your firm.