How long must banks keep AML records?
Quick answer
US banks must keep most AML records for five years under the Bank Secrecy Act. The clock starts on the SAR/CTR filing date, or on account closure for CDD records. The EU's AMLD and UK's MLR 2017 set the same five-year floor.
The full answer
Five years is the number, but the clock doesn't always start when banks assume it does.
Under the Bank Secrecy Act, US banks must retain:
- SARs and supporting documentation: five years from the date of filing, per 31 CFR 1020.320(d). That includes the filed report, every internal memo, every transaction report, and any analysis considered in the decision to file or not to file.
- CTRs: five years from the date of filing, per 31 CFR 1010.306.
- CDD and CIP records: five years from account closure, per 31 CFR 1020.220. Not five years from when the CDD was conducted. From when the account closes.
- Wire transfer records: five years from the date of the transfer, per 31 CFR 1010.410, for transactions of $3,000 or more.
The CDD distinction matters more than it looks. A customer opens an account in 2019. CDD is completed, then refreshed in 2021 and 2023. The account closes in 2026. Every version of the CDD file stays accessible until 2031. Banks that measure from the transaction date rather than account closure are systematically under-retaining.
FATF Recommendation 11 sets five years as the international minimum. Jurisdictions following FATF guidance have codified this directly. The EU's Fourth AML Directive (Directive 2015/849) requires five years from the end of the business relationship or the transaction date. The Fifth AMLD permits member states to extend this to ten years through national legislation.
The UK's MLR 2017, Regulation 40, mirrors this structure. Five years is the floor, from the end of the business relationship or transaction completion. Extensions to ten years apply where supervisors direct it for active investigations or criminal proceedings.
One record type that often gets missed: no-SAR documentation. If a compliance analyst reviewed suspicious activity and decided not to file, the written rationale for that decision is a record subject to the same five-year retention rule. Regulators treat missing no-SAR documentation as evidence that the review never occurred.
Why this matters
Record gaps are standalone violations, separate from whatever AML failure a regulator is actually investigating.
When FinCEN or the OCC pulls a transaction from three years ago and the bank can't produce the associated CDD file or monitoring notes, that failure is added to the examination findings as a recordkeeping violation on top of the underlying issue. Among the things that trigger a regulatory exam are tip-offs or prior exam findings about weak documentation practices; the examination then confirms the pattern.
What happens when a bank fails an AML exam frequently starts here. A regulator requests five years of records for a set of customers and the bank can't produce them on time or in full. The operational burden compounds fast. Banks that end up in monitorships typically find that record retrieval is one of the most disruptive parts of the process, sometimes requiring dedicated project teams just to respond to document requests.
The CDD clock is the most common miscalculation. Banks that use the transaction date rather than the account closure date as the retention trigger are building systematic gaps. Because CDD and EDD records include every periodic review and risk reassessment, and because customer risk ratings should be refreshed on a defined cycle, a single account can accumulate dozens of individual records, each with its own retention obligation running from account closure.
The SAR confidentiality overlay adds operational complexity. Banks must retain SARs and supporting documentation, but access has to be restricted to prevent inadvertent disclosure to subjects. A discovery request in civil litigation can expose SAR records if the bank doesn't have adequate access controls. Most banks keep SAR files in segregated systems. If yours don't, who files the SAR is a less urgent question than where it's stored and who can reach it.
Automated systems introduce a related question: if AI is used for AML transaction monitoring, the alert records and underlying model decisions are part of the audit trail. Whether alerts that didn't result in SARs need to be retained isn't uniformly settled by regulation, but the conservative position is to treat them as supporting documentation and apply the same five-year rule.
SAR filing deadlines interact with retention in a way that's easy to overlook. The 30-day filing window (60 days where no suspect can be identified) means the five-year retention clock for a SAR doesn't start until filing. Underlying transaction records may have a different effective retention end date than the SAR itself. Systems that don't account for this can purge transaction records that are still needed to support a filed SAR.
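As an added illustration of the retention clocks described above (this is not code from the original page), a small Python calculator that derives the earliest purge date per record type: CDD from account closure, SAR and CTR from the filing date, wire and transaction records from the transaction date, with transaction records that support a filed SAR inheriting the SAR's later clock. The record kinds, field names and dates are constructed for the example; the five-year figure is the BSA floor stated above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 5  # BSA floor from the text; EU/UK national law may extend it to ten

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb lands on 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class Record:
    kind: str                                  # "SAR", "CTR", "CDD", "WIRE" or "TXN" (constructed labels)
    created: date                              # review date for CDD, transfer/transaction date otherwise
    filed: Optional[date] = None               # SAR/CTR filing date
    account_closed: Optional[date] = None      # CDD: the clock only starts here
    supports_sar_filed: Optional[date] = None  # TXN/WIRE kept as supporting documentation for a SAR

def retention_end(r: Record) -> Optional[date]:
    """Earliest date the record may be purged, or None if its clock has not started."""
    if r.kind in ("SAR", "CTR"):
        return add_years(r.filed, RETENTION_YEARS) if r.filed else None
    if r.kind == "CDD":
        # Measured from account closure, not from when the review was performed.
        return add_years(r.account_closed, RETENTION_YEARS) if r.account_closed else None
    base = add_years(r.created, RETENTION_YEARS)  # WIRE / TXN: from the transaction date
    if r.supports_sar_filed:
        # Supporting documentation must outlive the SAR's own clock, which starts at filing.
        return max(base, add_years(r.supports_sar_filed, RETENTION_YEARS))
    return base

def may_purge(r: Record, today: date) -> bool:
    """Purge gate: an unstarted clock (open account, unfiled SAR) never allows a purge."""
    end = retention_end(r)
    return end is not None and today >= end

def naive_cdd_end(review_date: date) -> date:
    """The miscalculation described above: running the CDD clock from the review date."""
    return add_years(review_date, RETENTION_YEARS)

if __name__ == "__main__":
    # Scenario from the text: account opened 2019, CDD refreshed 2021 and 2023, closed 2026.
    closed = date(2026, 6, 30)
    for review in (date(2019, 4, 1), date(2021, 4, 1), date(2023, 4, 1)):
        rec = Record("CDD", created=review, account_closed=closed)
        print(review, "naive:", naive_cdd_end(review), "correct:", retention_end(rec))
    txn = Record("TXN", created=date(2025, 1, 15), supports_sar_filed=date(2025, 2, 10))
    print("transaction supporting a SAR may be purged from", retention_end(txn))
```

Running it shows the 2019 and 2021 reviews would already be purgeable under the naive clock while the correct clock holds all three until 2031, and the transaction record outlives its own five years because the SAR it supports was filed later.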
Penalties for missing CTRs give a sense of the broader enforcement posture. Recordkeeping failures attract the same penalty frameworks, and regulators don't treat them as technical oversights when they're systematic.
Related questions
- How long do banks have to file a SAR?
- What is the penalty for a missed CTR?
- What is the difference between CDD and EDD?
- What triggers a regulatory exam?
- Who files a SAR: the MLRO or the compliance officer?