How long must banks keep AML records?
Quick answer
US banks must keep AML records, including SARs and CTRs, for five years under the Bank Secrecy Act. EU and UK regulations set the same five-year floor. Legal holds can extend that timeline indefinitely. Some EU member states require seven years.
The full answer
US banks must keep AML records for five years under the Bank Secrecy Act, codified at 31 CFR Part 1010. That five-year clock starts at different points depending on the record type: from the filing date for SARs and CTRs, from account closure (or the date the record was made, whichever is later) for CDD and beneficial ownership records, and from the transaction date for wire transfer records over $3,000.
The EU's Fourth Anti-Money Laundering Directive (2015/849), Article 40, and the UK's Money Laundering Regulations 2017, Regulation 40, both set five years from the end of the business relationship or the date of the transaction. Member states can extend this. Germany and the Netherlands require seven years. FATF Recommendation 11 sets five years as the international minimum for most record categories.
One case that catches banks out: the long-term customer. If someone banks with you for fifteen years, the CDD records from onboarding must survive for five years after account closure. Documents that are twenty years old can still be under an active retention obligation.
Legal holds override all standard timelines. An enforcement action, a subpoena, or a consent order freezes the deletion schedule until the matter closes completely.
Why this matters
Retention failures appear consistently in enforcement actions, and they create two distinct problems.
First, regulators treat missing records as evidence of a control failure. During an AML examination, if a bank can't produce SAR documentation or CDD files within 24 to 48 hours of a request, examiners treat it as a systemic deficiency regardless of whether the underlying compliance work was done. The OCC's Comptroller's Handbook on BSA/AML is explicit that record accessibility is within examination scope.
Second, missing records obstruct law enforcement cooperation. When FinCEN or a foreign financial intelligence unit requests transaction history in support of an investigation, incomplete records don't just fail the regulatory test. Banks under consent orders have been required to reconstruct historical records at significant cost when gaps were identified.
Operational implications for compliance teams:
- SAR files must include more than the form. Keep the underlying investigation notes, transaction data, analyst sign-offs, and supervisory approvals. FinCEN examiners want the complete file.
- Destruction must be logged. When records reach the end of their retention period, document the destruction. Undocumented purges look identical to missing records.
- Legal hold tracking must be systematic. A bank with dozens of open investigations needs a formal register that maps each hold to specific record sets and custodians. Email threads don't satisfy this.
- Periodic KYC refresh doesn't reset the original record's clock. A refreshed customer file creates a new record on its own retention schedule, but the original onboarding documentation still runs from account closure.
- CDD and EDD records are treated the same for retention purposes. The more intensive due diligence applied to high-risk customers doesn't alter the five-year retention floor.
If a bank's record-keeping failures surface during an examination, the consequences move quickly. See what happens when a bank fails an AML exam.
Adopting perpetual KYC models introduces a related complexity: continuous monitoring generates a continuous stream of records, each with its own retention schedule. Banks moving from periodic reviews to event-driven refresh need to map their data architecture carefully or they'll end up with retention obligations they can't track.
Related questions
- How long do banks have to file a SAR?: The 30-day filing deadline runs from initial detection; the five-year retention obligation starts on the date the SAR is filed. The two clocks are separate.
- What is the penalty for a missed CTR?: Retention failures and CTR filing failures frequently appear together in the same enforcement action.
- What triggers a regulatory exam?: Record availability and completeness are among the first things examiners assess on arrival.
- Who files a SAR: the MLRO or the compliance officer?: Whoever owns the filing decision also owns the obligation to maintain the full file for five years.
- How does FinCEN define suspicious activity?: The definition determines the scope of documentation that must be retained in the supporting SAR file.
Related concepts and regulations
- What is a beneficial owner?: Beneficial ownership records are a specific retention category under the BSA CDD Rule, with their own clock starting from account closure.
- What is the difference between CDD and EDD?: Both standard and enhanced due diligence records are subject to the five-year retention requirement.
- What is perpetual KYC?: Continuous KYC models generate ongoing records; each update starts its own retention schedule from the date the record was made.
- What is a monitorship and when is one imposed on a bank?: Monitorships frequently arise from record-keeping deficiencies identified during enforcement, and the monitorship period itself becomes a legal hold event.