FATF Rec 11: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: Global

FATF Recommendation 11 is a global record-keeping standard issued by the Financial Action Task Force that requires banks, electronic money institutions, and virtual asset service providers to retain transaction records and customer due diligence documentation for a minimum of five years. The standard is part of the FATF 40 Recommendations, in force since 2012, and applies to financial institutions in all 200-plus FATF member and observer jurisdictions.

What is FATF Rec 11?

FATF Recommendation 11 is the record-keeping standard within the FATF 40 Recommendations, the international AML/CFT framework that 200-plus jurisdictions have committed to implement. The Financial Action Task Force, an intergovernmental body established by the G7 in 1989 and currently comprising 37 member jurisdictions plus the European Commission, issued Rec 11 to give law enforcement and financial intelligence units the evidence trails they need to reconstruct financial crimes months or years after they occur.

The core obligation has two components. First, financial institutions must retain transaction records for at least five years from the date of the transaction. Second, CDD documentation must be kept for at least five years after the business relationship ends or a one-off transaction completes. The records must be detailed enough to reconstruct individual transactions. A batch file showing daily net positions is not sufficient.

Before the 2012 revision, FATF scattered record-keeping requirements across multiple recommendations under the old numbering. The 2012 consolidation brought everything into Recommendation 11, making national transposition cleaner. The US implemented the equivalent through the BSA (US-FinCEN), which requires five-year retention under 31 CFR 1010.430. The UK's MLR 2017 (UK-FCA) imposes the same five-year floor. The EU's AMLR (EU) extends it to seven years in certain circumstances.

FATF's Interpretive Note to Recommendation 11 requires that records be held in original form or certified copy. They must be available to domestic competent authorities promptly on request. The standard applies to domestic and cross-border transactions equally. There's no de minimis threshold: a €5 cash deposit requires the same retention as a €50 million wire.

Why did FATF introduce this? Investigations into major financial crime networks consistently showed that banks had discarded the transaction records prosecutors needed. FATF Rec 11 closes that gap.


Who does FATF Rec 11 apply to?

The standard applies to "financial institutions" as defined in the FATF Recommendations and to designated non-financial businesses and professions (DNFBPs). In practice, that covers a wide range of entity types.

Financial institutions:

  • Commercial banks, savings institutions, and credit unions
  • Investment banks and broker-dealers
  • Insurance companies issuing life insurance and investment products
  • Electronic money institutions and payment service providers
  • Money service businesses and currency exchange operators
  • Virtual asset service providers (VASPs): exchanges, custodians, and peer-to-peer trading platforms
  • Mortgage lenders and consumer finance companies

DNFBPs:

  • Casinos and online gaming operators
  • Real estate agents handling property transactions
  • Dealers in precious metals, stones, and art for cash transactions above the applicable threshold
  • Lawyers and notaries handling client funds or company formation
  • Accountants managing client assets

There's no revenue or size threshold. A single-branch credit union and a global correspondent bank face the same five-year retention floor. FATF's dedicated VA Guidance (FATF) extends Rec 11 explicitly to VASPs, which must retain blockchain transaction records, wallet addresses, and the Customer Due Diligence (CDD) documentation collected at onboarding.

The jurisdictional scope is global in principle. FATF members have committed to implement Rec 11 in national law. Mutual Evaluation Reports from FATF and its regional bodies assess compliance country by country. A jurisdiction rated non-compliant or partially compliant on Rec 11 faces reputational pressure and potentially placement on FATF's grey or black list.


What does FATF Rec 11 require?

The Interpretive Note to Recommendation 11, published at fatf-gafi.org, sets out the specific obligations:

  1. Retain transaction records for at least five years. This applies to all transactions, not just suspicious ones: domestic and international, high-value and low-value. Records must include the date, amount, currency, counterparty details, and, for wire transfers, originator and beneficiary data (see FATF Rec 16 (FATF) for wire-specific requirements).

  2. Retain CDD documentation for at least five years after end of relationship. This covers identity documents collected under FATF Rec 10 (FATF), Ultimate Beneficial Owner (UBO) records, and any Enhanced Due Diligence (EDD) files for higher-risk customers including politically exposed persons.

  3. Keep records in original or certified copy form. A scanned PDF of a passport is acceptable. A summary note saying "ID verified" is not.

  4. Make records available to competent authorities promptly. FATF doesn't define "promptly" in hours, but FSRB assessments treat delays beyond a few business days as a control failure. The FinCEN CDD Rule (US-FinCEN) requires US institutions to respond to law enforcement requests without delay.

  5. Ensure records are sufficient to reconstruct individual transactions. This is the test that trips most institutions. The record must be granular enough for a prosecutor to trace money flows step by step.

  6. Maintain records regardless of whether a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) was filed. The absence of a filed report doesn't reduce the retention obligation.

  7. Apply the same standards to correspondent banking relationships. Records of transactions processed through nostro and vostro accounts must meet the same five-year floor. See FATF Rec 13 (FATF) for correspondent-specific due diligence requirements.

Some jurisdictions exceed the FATF floor. Singapore's MAS Notice 626 (SG-MAS) requires retention for at least five years from the transaction date, consistent with FATF. Australia's AML/CTF Act (AU-AUSTRAC) requires seven years for certain record types.


What evidence do regulators expect?

Examiners from the OCC, FCA, MAS, and equivalent supervisors are looking for a documented, tested, and audited record-keeping program, not just a policy statement.

Policies and procedures:

  • A written record retention policy that maps each record type to a specific retention period
  • Clear ownership: who is responsible for maintaining which records in which system
  • Documented procedures for responding to law enforcement requests, including a committed response time

System evidence:

  • Logs showing that transaction records are written to retention-compliant storage with timestamps
  • Retrievability tests: auditors may pull a sample of transactions from three years ago and verify the complete record is available within the committed response time
  • Access control evidence showing who can read, modify, or delete records (the correct answer to "who can delete" is "nobody during the retention period")

CDD documentation:

  • Onboarding files with dated copies of identity documents
  • Periodic review records showing when CDD was last refreshed and why
  • UBO documentation linked to business account records

Training records:

  • Evidence that staff who collect CDD or process transactions have been trained on retention requirements
  • Annual sign-offs or assessment completion records

Independent testing:

  • Internal audit reports covering record completeness and accessibility
  • Findings, management responses, and remediation evidence

Published OCC examination guidance notes that institutions most commonly fail on retrievability, not existence. The records exist somewhere, but they can't be produced quickly in a consistent format. That's still a finding, and examiners treat it as seriously as records that are simply missing.


Common failure modes

Most record-keeping enforcement actions don't stem from a deliberate decision to destroy evidence. They come from system fragmentation, data migration projects, and inadequate policies.

  • Siloed storage across legacy systems. Records exist, but they're split across a core banking platform, a wire transfer system, and a document management system with no unified search. When examiners ask for all records related to a specific customer, the institution can't produce a complete picture within the required timeframe.

  • Migration without retention mapping. A bank moves from one core banking system to another and migrates active accounts but leaves closed-account records on an unsupported system that gets decommissioned two years later. Those records are gone.

  • CDD files not linked to transactions. KYC onboarding files sit in a document management system. Transaction records sit in the banking platform. There's no link, so reconstructing the full customer relationship is manual, slow, and incomplete.

  • VASPs retaining blockchain hashes only. Some VASP compliance teams believe a blockchain transaction hash satisfies Rec 11. It doesn't. The obligation requires counterparty data, wallet ownership information, and the associated CDD file. A hash proves the transaction happened; it doesn't tell you who did it.

Real enforcement examples show the cost. In January 2021, FinCEN imposed a $390 million civil money penalty on Capital One partly for BSA record-keeping failures, including failure to file thousands of SARs and CTRs (Currency Transaction Reports) and failure to maintain adequate records for Check Cashing Group transactions (FinCEN enforcement action, January 2021). In 2020, AUSTRAC reached an A$1.3 billion settlement with Westpac that included failures to retain records for correspondent banking transactions processed through its LitePay service (AUSTRAC media release, September 2020).


Penalties for non-compliance

Record-keeping failures rarely generate standalone penalties. They appear alongside broader AML failures: inadequate CDD, missed SARs, ineffective monitoring. Regulators consistently treat poor record-keeping as an aggravating factor that elevates the total penalty.

United States. FinCEN can impose civil money penalties of up to $1 million per day for willful BSA violations, including record-keeping failures. The Rabobank case in 2018 resulted in a $369 million settlement that explicitly cited failure to maintain adequate records for cash transactions and wire transfers processed through its California branches (DOJ press release, February 2018). Capital One's 2021 settlement included $290 million specifically linked to record-keeping and reporting failures.

United Kingdom. The FCA issued Deutsche Bank a £163 million fine in 2017, the largest AML fine in FCA history at the time, partly for inadequate transaction monitoring records and failure to maintain complete audit trails for the Russian Mirror Trading scheme (FCA press release, January 2017).

Australia. AUSTRAC's power under the AML/CTF Act includes civil penalties of up to A$21 million per contravention for serious record-keeping breaches. The Westpac A$1.3 billion settlement and the Commonwealth Bank A$700 million settlement in 2018 both had record-keeping components among the cited failures.

FATF-level consequences. At the sovereign level, a country rated non-compliant on Rec 11 faces listing as a high-risk jurisdiction, which triggers Enhanced Due Diligence (EDD) requirements from banks worldwide and can restrict access to correspondent banking relationships, raising the cost of cross-border payments for every institution in that country.


Related regulations and frameworks

FATF Rec 11 is the evidence foundation that makes every other AML requirement enforceable.

AML framework dependencies. FATF Rec 10 (FATF) defines what CDD must be collected; Rec 11 defines how long to keep it. FATF Rec 20 (FATF) requires SAR and STR filing; Rec 11 requires keeping the underlying records whether or not a report was filed. FATF Rec 1 (FATF) drives risk-based decision-making; Rec 11 supplies the audit trail proving that a risk-based decision was made and what evidence it rested on.

Travel Rule connection. FATF Rec 16 (FATF) requires originator and beneficiary data to travel with wire transfers. Rec 11 requires institutions to retain that data. The two work together: Rec 16 ensures the data exists in the payment message; Rec 11 ensures the receiving institution keeps it for five years.

National implementations. The US BSA implements Rec 11 through 31 CFR Part 1010, requiring five-year retention for most transaction records. The FinCEN CDD Rule (US-FinCEN) adds specific retention requirements for beneficial ownership records collected at account opening. In the EU, the EU AMLR (EU) extends the retention period to seven years in certain circumstances and adds explicit requirements for digital asset records under MiCA (EU).

Data protection tension. GDPR creates a genuine conflict with Rec 11: financial institutions have an AML obligation to retain data and a data protection obligation to delete it. The EU has resolved this by treating AML retention as a legal obligation that overrides the right to erasure, but institutions must document this justification in their privacy notices and data retention schedules.

DNFBP extension. FATF Rec 22 (FATF) extends the same CDD requirements to DNFBPs; Rec 11's retention obligation applies equally to lawyers, accountants, and real estate agents handling covered transactions.


How FluxForce supports FATF Rec 11 compliance

FluxForce's AI agents automatically archive transaction records, CDD documentation, and decision audit trails in tamper-proof storage at the point of activity, not as a batch process. Every automated compliance decision, from customer risk scoring to SAR filing, generates an immutable evidence record linked to the underlying customer and transaction data. Retention schedules are configurable by jurisdiction, so a global institution can apply five-year rules for FATF jurisdictions and seven-year rules for EU entities without manual intervention. To see how this works in practice, request a demo from the FluxForce team.
