Source: OJ L 150, 9.6.2023, pp. 1–39Current language: EN
- Anti-money laundering
Basic legislative acts
- Transfer of funds regulation (TFR)
Article 26 Record retention
Summary What does Article 26 of the Transfer of funds regulation (TFR) say?
This article establishes the data retention rules that directly complement the information-gathering obligations set out in the earlier articles of the regulation (Articles 4 to 7 for fund transfers and Articles 14 to 16 for crypto-asset transfers).
It sets a standard five-year retention period for all required payer, payee, originator, and beneficiary records, while also defining what must happen once that period expires — namely, deletion of personal data.
The article also carves out flexibility for Member States to extend retention under defined conditions, and includes a transitional provision covering proceedings that were already pending as of 25 June 2015.
Important points:
- Retain records of required transfer information for a period of five years, after which personal data must be deleted.
- Member States may permit or require a further retention period of up to five years, but only after assessing the necessity and proportionality of doing so in the context of money laundering or terrorist financing prevention, detection, or investigation.
- A transitional provision allows payment service providers to retain information relating to legal proceedings that were already pending on 25 June 2015, with the possibility of a further five-year extension under national law.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Information on the payer and the payee or on the originator and beneficiary shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7, and crypto-asset service providers of the originator and beneficiary shall retain records of the information referred to in Articles 14 to 16, for a period of five years.
Upon expiry of the retention period referred to in paragraph 1, payment service providers and crypto-asset service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law which determines under which circumstances payment service providers and crypto-asset service providers may or shall further retain such data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years.
Where, on 25 June 2015, legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and a payment service provider holds information or documents relating to those pending proceedings, the payment service provider may retain that information or those documents in accordance with national law for a period of five years from 25 June 2015. Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of five years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.
Relevant recitals
Recital 54 Five-year retention period and conditions for extension
As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets, and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise. If necessary for the purposes of preventing, detecting or investigating money laundering or terrorist financing, and after carrying out an assessment of the necessity and proportionality of the measure, Member States should be able to allow or require retention of records for a further period of no more than five years, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings and in full compliance with Directive (EU) 2016/680 of the European Parliament and of the Council(21). Those measures could be reviewed in light of the adoption of a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
crypto-asset services
Definition
funds
Definition
originator
Definition
electronic money
Definition
crypto-asset account
Definition
crypto-asset
Definition
payment service provider
Definition
payment account
Definition
transfer of funds
- a credit transfer as defined in Article 4, point (24), of Directive (EU) 2015/2366;
- a direct debit as defined in Article 4, point (23), of Directive (EU) 2015/2366;
- a money remittance as defined in Article 4, point (22), of Directive (EU) 2015/2366, whether national or cross-border;
- a transfer carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics;
Definition
crypto-asset
Definition
DLT
Definition
terrorist financing
Definition
distributed ledger technology
Definition
beneficiary
Definition
crypto-asset service provider
Definition
transfer of crypto-assets
Definition
distributed ledger address
Definition
payee
Definition
payer
Definition
money laundering
Footnote 21