Source: OJ L 150, 9.6.2023, pp. 1–39

Current language: EN

Article 26 Record retention


Summary What does Article 26 of the Transfer of funds regulation (TFR) say?

This article establishes the data retention rules that directly complement the information-gathering obligations set out in the earlier articles of the regulation (Articles 4 to 7 for fund transfers and Articles 14 to 16 for crypto-asset transfers).

It sets a standard five-year retention period for all required payer, payee, originator, and beneficiary records, while also defining what must happen once that period expires — namely, deletion of personal data.

The article also carves out flexibility for Member States to extend retention under defined conditions, and includes a transitional provision covering proceedings that were already pending as of 25 June 2015.

Important points:

  • Retain records of required transfer information for a period of five years, after which personal data must be deleted.
  • Member States may permit or require a further retention period of up to five years, but only after assessing the necessity and proportionality of doing so in the context of money laundering or terrorist financing prevention, detection, or investigation.
  • A transitional provision allows payment service providers to retain information relating to legal proceedings that were already pending on 25 June 2015, with the possibility of a further five-year extension under national law.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Information on the payer and the payee or on the originator and beneficiary shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7, and crypto-asset service providers of the originator and beneficiary shall retain records of the information referred to in Articles 14 to 16, for a period of five years.

    1. Upon expiry of the retention period referred to in paragraph 1, payment service providers and crypto-asset service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law which determines under which circumstances payment service providers and crypto-asset service providers may or shall further retain such data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years.

    1. Where, on 25 June 2015, legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and a payment service provider holds information or documents relating to those pending proceedings, the payment service provider may retain that information or those documents in accordance with national law for a period of five years from 25 June 2015. Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of five years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod