Source: OJ L, 2024/1624, 19.6.2024

Current language: EN

Article 77 Record retention

Summary What does Article 77 of the Anti-money laundering regulation (AMLR) say?

This article sets out the record-keeping obligations for obliged entities, directly supporting the customer due diligence and suspicious transaction reporting requirements established elsewhere in the regulation.

It specifies what must be retained — covering due diligence documents, transaction records, internal assessments, and information shared through information-sharing partnerships — and establishes the conditions under which records may be kept as references rather than full copies.

The standard retention period is 5 years from the end of a business relationship or the date of a transaction, after which personal data must be deleted.

Competent authorities can extend this by a further 5 years on a case-by-case basis, and additional transitional provisions apply where legal proceedings are already pending at the date the regulation takes effect.

Important points:

  • Retain customer due diligence documents, transaction records, internal assessments, and information-sharing partnership records — all in unredacted form.
  • The default retention period is 5 years, at which point personal data must be deleted, though competent authorities may require an extension of up to a further 5 years.
  • Obliged entities may retain references to information instead of full copies, provided the information can be supplied immediately to competent authorities and cannot be modified or altered.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Obliged entities shall retain the following documents and information:

      1. a copy of the documents and information obtained in the performance of customer due diligence pursuant to Chapter III, including information obtained through electronic identification means;

      2. a record of the assessment undertaken pursuant to Article 69(2), including the information and circumstances considered and the results of such assessment, whether or not such assessment results in a suspicious transaction report being made to the FIU, and a copy of the suspicion transaction report, if any;

      3. the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions;

      4. when they participate in partnerships for information sharing pursuant to Chapter VI, copies of the documents and information obtained in the framework of those partnerships, and records of all instances of information sharing.

    2. Obliged entities shall ensure that documents, information and records kept pursuant to this Article are not redacted.

    1. By way of derogation from paragraph 1, obliged entities may decide to replace the retention of copies of the information by a retention of the references to such information, provided that the nature and method of retention of such information ensure that the obliged entities can provide immediately to competent authorities the information and that the information cannot be modified or altered.

    2. Obliged entities making use of the derogation referred to in the first subparagraph shall define in their internal procedures drawn up pursuant to Article 9, the categories of information for which they will retain a reference instead of a copy or original, as well as the procedures for retrieving the information so that it can be provided to competent authorities upon request.

    1. The information referred to in paragraphs 1 and 2 shall be retained for a period of 5 years commencing on the date of the termination of the business relationship or on the date of the carrying out of the occasional transaction, or on the date of refusal to enter into a business relationship or carry out an occasional transaction. Without prejudice to retention periods for data collected for the purposes of other Union legal acts or national law complying with Regulation (EU) 2016/679, obliged entities shall delete personal data upon expiry of the five-year period.

    2. Competent authorities may require further retention of the information referred to in the first subparagraph on a case-by-case basis, provided that such retention is necessary for the prevention, detection, investigation or prosecution of money laundering or terrorist financing. That further retention period shall not exceed 5 years.

    1. Where, on 10 July 2027, legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and an obliged entity holds information or documents relating to those pending proceedings, the obliged entity may retain that information or those documents for a period of 5 years from 10 July 2027.

    2. Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of 5 years where the necessity and proportionality of such further retention have been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod