Record Keeping: What It Is, What Regulators Expect, and What Gets You Cited
Record keeping is the compliance obligation requiring financial institutions to retain, index, and produce documentary evidence of customer relationships, transactions, and compliance decisions for a defined minimum period, typically five years. It's mandated by [FATF Recommendation 11](https://www.fatf-gafi.org/en/recommendations/fatfrecommendations.html), the US Bank Secrecy Act (31 U.S.C. § 5311), and the EU Anti-Money Laundering Directives, and it underpins every other AML control by making decisions auditable.
What is Record Keeping?
Record keeping is a core compliance control that requires financial institutions to retain, index, and produce documentary evidence of customer relationships, transactions, and compliance decisions for a minimum retention period, most commonly five years from the end of the relationship or the date of the transaction, whichever is later.
In the AML/CFT and sanctions compliance stack, record keeping sits immediately downstream of controls like Customer Due Diligence (CDD) and Transaction Monitoring. It converts their outputs into auditable, searchable records. Without it, those controls exist only in memory.
The control has two distinct dimensions. The first is retention: keeping the right documents, in the right format, for the right period. The second is retrieval: producing them to regulators, law enforcement, or internal audit within the required timeframe, often 24-72 hours on a production order.
Scope is broad. It covers account-opening documentation, KYC files, Enhanced Due Diligence (EDD) packages, transaction records, SAR (Suspicious Activity Report) filings and no-file decisions, model tuning logs, screening hit disposals, and the reasoning behind any material compliance decision.
Poor record keeping is rarely the root cause of a financial crime. It's the control that determines whether you can reconstruct events after the fact, whether investigators can build a case, and whether examiners leave satisfied. When it fails, it amplifies every other control weakness on the exam finding sheet.
Why is Record Keeping required?
Record keeping obligations appear in virtually every major AML/CFT regulatory framework, and the underlying logic is consistent: if a decision can't be evidenced, it didn't happen.
FATF Recommendation 11 requires countries to mandate that financial institutions keep records of transactions, both domestic and international, and CDD information for at least five years. FATF Recommendation 10 establishes the underlying CDD requirements, and the records generated under that process feed directly into the retention obligation. For high-risk customers and politically exposed persons, FATF Recommendation 12 adds further documentation requirements for enhanced scrutiny decisions.
In the United States, the Bank Secrecy Act (31 U.S.C. § 5311 et seq.) requires banks to retain records sufficient to reconstruct significant transactions and identify account holders. FinCEN's implementing rules under 31 CFR Part 1020 specify which record types must be kept and at what retention periods, with five years as the standard floor for most BSA-required records.
The EU's Fourth and Fifth Anti-Money Laundering Directives impose a five-year retention rule across member states, extended by 5AMLD to cover beneficial ownership information and records generated through enhanced due diligence processes.
The Wolfsberg Group's AML Principles describe record keeping as foundational to all other AML controls. Without retained evidence, there's nothing to audit, nothing to produce in litigation, and no basis for demonstrating that controls were operated correctly.
The Basel Committee's 2014 guidelines also link record keeping directly to the risk assessment cycle. FATF Recommendation 1 reinforces this: the risk-based approach depends on documented evidence that risk decisions were grounded in fact, not gut feel.
What do regulators expect to see?
On exam day, regulators aren't asking whether you have a record-keeping policy. They're asking whether your records are complete, consistent, retrievable, and evidenced. The gap between those two questions is where most institutions get cited.
Examiners typically look for:
Documented policies and procedures. A written record-keeping policy specifying what is retained, for how long, in what format, and who owns each category. The policy should be reviewed annually, approved by a named governance committee, and version-controlled so examiners can see what was in effect at any given date.
Complete CDD and EDD files. Customer files covering original identity verification, ongoing review outcomes, beneficial ownership determinations, and any EDD packages for high-risk relationships. Files must be retrievable within 24-72 hours of a production order. Missing or outdated files are a finding on their own, independent of whether any suspicious activity occurred.
Transaction records. A full audit trail for every material transaction: date, amount, counterparty, account numbers, and any exceptions or manual overrides applied.
Compliance decision evidence. Documentation of SAR decisions (file or no-file), screening hit disposals, and escalation outcomes, each with timestamps and named decision-makers. A no-file decision with no contemporaneous record is indistinguishable from a missed detection.
Model and rule governance logs. Calibration dates, threshold change approvals, backtesting results, and tuning rationale for any automated control. Regulators have cited institutions where transaction monitoring rules ran untouched for three or more years with no evidence of review.
Board and MI reporting. Evidence that record-keeping health, including completeness rates, retrieval SLAs, and backlog volumes, was reported to senior management and that issues were escalated and resolved with a documented owner and deadline.
The FCA's Financial Crime Guide is direct: firms must maintain records in a form from which they can be reproduced without undue delay. In practice, supervisors have interpreted "undue delay" as 24-72 hours in most production order contexts.
What does good Record Keeping look like?
A mature record-keeping program goes well beyond minimum retention periods. Here's what it looks like in practice.
Centralized, indexed repository. All compliance records sit in a single system or a federated environment with a unified search layer, indexed by customer, account, transaction reference, and date. Retrieval time for a complete customer file should be under one hour for a production order.
Retention schedules mapped to regulation. A documented matrix showing each record type, the applicable regulation or rule, the retention period, and the storage format. The Wolfsberg Group's AML Principles recommend this matrix as standard governance practice for any institution operating across multiple jurisdictions.
Automated capture at point of decision. Records are created in real time at the moment of each compliance decision, not reconstructed after the fact. SAR submissions, screening disposals, and CDD sign-offs are timestamped and linked to the underlying transaction or customer record automatically.
Tamper-proof storage. Records are stored in a format that prevents alteration after creation. FATF Recommendation 11 requires that records be available in their original form or be admissible as evidence; post-hoc modification defeats both requirements.
Regular completeness audits. At minimum annually, internal audit samples a population of customer files and transaction records against the retention matrix. Gaps are logged, reported to senior management, and remediated within a defined timeframe.
Tested retrieval capability. Production order simulations run at least annually to confirm that complete files can be assembled and delivered within the institution's stated SLA. The FCA's Financial Crime Guide and FinCEN's SAR reporting requirements both presuppose institutions can produce records promptly on demand.
Staff training. Everyone who creates a compliance record understands what's required. Training records are themselves retained and auditable as a secondary record category.
The Basel Committee's 2014 Sound Management Guidelines link each of these steps to the broader risk management framework, noting that record completeness is a prerequisite for supervisory confidence in any risk-based approach.
Common audit findings and exam citations
Record keeping findings are among the most frequent in AML examinations, and they rarely stand alone. They appear alongside transaction monitoring gaps, CDD failures, and SAR deficiencies, because weak records make every other weakness harder to defend.
The most consistent findings:
Incomplete customer files. CDD files missing beneficial ownership documentation, outdated identity verification, or absent EDD packages for high-risk customers. The Danske Bank 2018 enforcement action exposed approximately 200 billion euros in suspicious flows through the Estonian branch, with examiners finding wholesale failures to document the true nature of customer relationships. Records that existed were incomplete, inconsistent, and siloed with individual relationship managers rather than consolidated in any central system.
Rule governance gaps. Transaction monitoring rules not reviewed, tuned, or documented for years. The Deutsche Bank 2017 enforcement action, which followed 10 billion USD in mirror trades, included findings about inadequate documentation of AML controls and monitoring rationale alongside the underlying conduct failures.
SAR decision records. Institutions that filed SARs but retained no documentation of the analysis underlying the decision, or equally, no-file decisions with no contemporaneous record at all.
Retrieval failures. Institutions that technically retained records but couldn't produce them within a reasonable timeframe. If a production order takes three weeks to fulfill, examiners treat that as functionally equivalent to a missing record.
Governance trail gaps. No evidence that compliance committees reviewed record-keeping performance metrics, escalation logs with no resolution dates, and board MI that omitted record-keeping health indicators entirely.
The HSBC 2012 enforcement action, which resulted in a 1.9 billion USD deferred prosecution agreement, included findings about inadequate AML records and control documentation as systemic failures across multiple jurisdictions, not isolated gaps.
Metrics and KPIs
Measuring record-keeping control health requires metrics covering both completeness (are the right records being created?) and accessibility (can they be produced when needed?).
Customer file completeness rate. The percentage of active customer files with all required CDD and EDD documentation present and current. A mature program targets above 98%. Anything below 95% is a material gap under most supervisory frameworks.
Retrieval SLA compliance. The percentage of production order requests, both internal and regulatory, fulfilled within the stated SLA, typically 24 or 72 hours. Track both average and worst-case times. A single catastrophic retrieval failure can draw more scrutiny than a pattern of minor completeness gaps.
SAR decision documentation rate. The percentage of SAR decisions, file and no-file, with complete and retrievable contemporaneous records. This should be 100%. Any gap creates direct exam exposure.
Record-keeping exception rate. The number of exceptions logged per quarter against the retention matrix, the trend over time, and average resolution time. Rising exception rates signal either policy gaps or operational breakdowns in the teams that generate records.
Rule governance currency. The percentage of automated control rules (transaction monitoring thresholds and screening parameters) with a documented review, calibration record, and sign-off within the last 12 months. Regulators have cited institutions where rules ran unchanged for three or more years.
Audit completion and findings rate. Internal audit findings against record-keeping policy per examination cycle, and the percentage closed within the agreed remediation timeline.
Storage integrity checks. The frequency and pass rate of integrity checks on retained records, confirming that storage systems haven't corrupted or silently lost data over time.
FinCEN's BSA examination guidance treats documentation completeness as a leading indicator of overall AML program health, not just a standalone procedural metric.
How Record Keeping connects to other controls
Record keeping doesn't operate independently. It's the evidence layer that makes every upstream control auditable and every downstream investigation viable.
Transaction Monitoring generates the alerts that drive SAR decisions. Every alert, disposition, and escalation in that process needs a retained record: the rule that fired, the analyst's reasoning, the outcome, and the timestamp. Without that chain of custody, transaction monitoring becomes invisible to examiners reviewing the evidence trail.
Customer Due Diligence and PEP Screening produce the identity and risk classification decisions that anchor everything else. The records from CDD onboarding and ongoing review are the foundation of a customer file. Incomplete records at this stage leave every subsequent decision about that customer undefended.
Sanctions Screening and Adverse Media Screening generate hit disposals: documented decisions about whether a potential match is a true positive or a false positive. Those disposals are compliance records with their own retention obligations.
From a typology perspective, record keeping failures appear most often in cases involving Layering and Trade-Based Money Laundering. Both rely on transaction complexity to obscure trails. Strong record retention is the primary tool investigators use to reconstruct those trails after the fact, and weak records are what let layering schemes stay buried for years before detection.
Regulatory Compliance Automation touches record keeping directly: any automated compliance workflow needs to generate auditable records as a byproduct, not bolt them on as an afterthought.
How FluxForce supports Record Keeping
FluxForce agents create an audit trail automatically as they work. Every alert, screening decision, SAR disposition, and risk classification generates a timestamped evidence package that's immediately indexed and retrievable. Analysts don't create records separately from their workflow; the records are the workflow. Nova Sentinel and Aiden Flux both produce structured decision logs for every action, with the underlying data, the applied policy, and the outcome captured in a single retrievable object. For institutions that struggle to assemble complete customer files quickly, this removes the manual assembly step entirely.