FATF Rec 11: What It Requires and Who It Applies To

Applies to: banks, EMIs, VASPs
Jurisdictions: Global

FATF Recommendation 11 is a record-keeping standard issued by the Financial Action Task Force as part of its 40 Recommendations, comprehensively updated in February 2012, that requires banks, electronic money institutions, virtual asset service providers, and other covered financial entities to retain transaction records for a minimum of five years and customer due diligence files for five years after the business relationship ends.

What is FATF Rec 11?

FATF Recommendation 11 is the international baseline for AML record-keeping, issued by the Financial Action Task Force (FATF), an intergovernmental body established by the G7 in 1989 and currently comprising 39 member jurisdictions plus the European Union. It sits within FATF's 40 Recommendations, first published in 1990, revised in 1996 and 2003, and comprehensively overhauled in February 2012. The 2012 update also introduced the risk-based approach that now runs through the entire framework.

The rule exists for a straightforward operational reason. Money laundering investigations routinely surface years after the underlying transactions. Law enforcement and financial intelligence units need to reconstruct financial histories reaching back five or more years to build cases that hold up in court. Without a minimum retention floor, critical evidence disappears before investigators can use it.

Rec 11 sets that floor. Transaction records must be retained for five years from the date of completion. Customer Due Diligence (CDD) files and Know Your Customer (KYC) documentation must be retained for five years from the end of the business relationship.

FATF doesn't enforce the recommendation itself. Member jurisdictions implement it through national legislation. In the US, the Bank Secrecy Act's record-keeping rules under 31 CFR § 1010.430 codify the same five-year floor. In the UK, Regulation 40 of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) implements it directly. In the EU, Article 40 of the Fourth Anti-Money Laundering Directive (4AMLD, Directive 2015/849/EU) does the same. Several jurisdictions extend the period beyond five years. The UK allows extensions to ten years for certain ongoing investigations and higher-risk customers.


Who does FATF Rec 11 apply to?

The obligation covers the full range of entities FATF classifies as financial institutions and designated non-financial businesses and professions (DNFBPs) subject to AML obligations. Specifically:

  • Banks and deposit-taking institutions, including credit unions, savings banks, and cooperative financial institutions of any size
  • Electronic money institutions (EMIs) issuing stored-value products, prepaid cards, and mobile wallet services
  • Virtual asset service providers (VASPs): cryptocurrency exchanges, custodial wallet providers, and fiat-to-crypto conversion platforms. FATF explicitly extended the framework to VASPs in its October 2018 amendment, with FATF Rec 15 providing the technology-neutral foundation for that extension.
  • Insurance companies writing life insurance or investment-linked products
  • Securities firms and investment banks
  • Money service businesses (MSBs), including remittance operators and currency exchange houses
  • Trust and company service providers
  • Certain DNFBPs: lawyers, accountants, and real estate agents when handling financial transactions above thresholds defined by national law

There's no size threshold in Recommendation 11. A startup EMI with 5,000 customers and a global bank with 50 million accounts face the same five-year minimum. The risk-based approach may affect how deeply a firm conducts its due diligence, but it doesn't reduce how long the resulting records must be kept. A firm with a low-risk customer base still can't delete files at four years.

Jurisdictional reach is broad. FATF's 39 members plus the EU cover the G20 and the world's major financial centers. FATF-Style Regional Bodies (FSRBs) extend the framework to over 190 additional jurisdictions, making Rec 11 the effective global baseline regardless of where an institution is domiciled or licensed.


What does FATF Rec 11 require?

The obligation has five concrete requirements:

  1. Transaction records, minimum five years. Institutions must retain records of all domestic and international transactions sufficient to reconstruct each individual transaction. "Reconstruct" means a reviewer starting from scratch can determine the parties involved, the amounts transferred, the dates, the account numbers or wallet addresses, and the payment type. Partial records don't satisfy this test.

  2. CDD and KYC files, minimum five years post-relationship. Customer Due Diligence (CDD) documents, Enhanced Due Diligence (EDD) reports for higher-risk customers, Ultimate Beneficial Owner (UBO) documentation, and account files must all be retained for five years from the date the business relationship ends. A customer who closes their account today creates a file that must remain accessible until five years from that closure date.

  3. Records sufficient for reconstruction and audit. The FATF Interpretive Note to Recommendation 11 specifies that records must support both internal compliance review and external investigations by financial intelligence units, law enforcement, and supervisory authorities. "Sufficient" is a functional test, not a format test.

  4. Timely availability. Records must be available to competent authorities promptly on request. Most national implementations translate this to specific timeframes. The UK's MLR 2017 expects records "as quickly as possible." FinCEN enforcement practice generally treats 24 to 72 business hours as a reasonable production window for sampled records. Anything requiring an IT escalation ticket falls short.

  5. Format-neutral, accessible retention. Records may be stored digitally or on paper. Digital records must remain legible and accessible throughout the full retention period. A record that technically exists on a decommissioned server or in a proprietary database format no longer supported by any software fails the standard. Backup integrity matters as much as initial storage.

Where an institution files a SAR or STR, the underlying transaction records supporting that filing must be preserved separately for five years from the date of filing under most national implementing laws, running in parallel to the general transaction-record retention clock.


What evidence do regulators expect?

On exam day, whether it's a FinCEN examination, an FCA supervisory visit, or a review under EU joint supervisory standards, examiners arrive with a checklist:

  • A written record-keeping policy. The policy must name specific record categories, formats, retention periods, responsible owners, and the legal basis for each period. "We comply with applicable law" isn't a policy. It's a placeholder that generates immediate findings.
  • Transaction data completeness checks. Examiners pull a sample from the core banking system and verify required data fields are populated: originator name and account, beneficiary name and account, amount, currency, date, and transaction reference. Missing fields on sampled records are automatic findings.
  • CDD file retrieval test. A sample of customer files, including accounts closed within the past five years, must be retrievable within the institution's documented SLA. Files that exist in the system but require IT escalation to access don't pass.
  • Retention schedule documentation. A formal schedule listing each record type, its retention period, the triggering event (transaction date vs. relationship end date), and the legal basis. Multi-jurisdiction institutions must show how conflicting national requirements are reconciled, typically by applying the longest applicable period.
  • Data integrity controls. Evidence that records can't be altered or deleted before expiry: access control logs, write-once or audit-logged storage, and change management records showing who last accessed or modified each file.
  • Training records. Staff who create, manage, or access regulated records must be trained on retention obligations. Examiners check training completion records, not just the existence of a training program.
  • Third-party storage contracts. If records are held with a cloud provider or archive vendor, the contract must guarantee access throughout the full retention period and require advance notice before any data destruction.
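To make the two checks above concrete, here is an added example (not part of the original page, and not FluxForce code) that models the parallel retention clocks described under "What does FATF Rec 11 require?" (transaction completion, end of relationship, SAR filing, with the longest applicable jurisdictional period applied) and runs the examiner-style field completeness check over a sampled record. The retention schedule, field names, and the sample transaction are constructed for illustration.

```python
from datetime import date

# Constructed retention schedule in years, keyed by jurisdiction. The five-year
# entries reflect the FATF floor; the ten-year entries stand in for the longer
# national schedules a group policy might adopt (labels are hypothetical).
RETENTION_YEARS = {"FATF": 5, "US": 5, "UK": 5, "EU": 5, "UK_EXT": 10, "EU_EXT": 10}

# Fields an examiner samples for on transaction records.
REQUIRED_FIELDS = ("originator_name", "originator_account", "beneficiary_name",
                   "beneficiary_account", "amount", "currency",
                   "transaction_date", "reference")

def add_years(d: date, years: int) -> date:
    """Calendar-year addition that clamps 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_expiry(record: dict, jurisdictions) -> date:
    """Earliest date the record may be destroyed.

    Every applicable clock (transaction completion, end of the business
    relationship, SAR/STR filing) runs in parallel; each is extended by the
    longest period among the jurisdictions in scope, and the record becomes
    deletable only once the last clock has expired."""
    years = max(RETENTION_YEARS[j] for j in jurisdictions)
    clocks = [record["transaction_date"]]
    for trigger in ("relationship_end", "sar_filed"):
        if record.get(trigger):
            clocks.append(record[trigger])
    return max(add_years(c, years) for c in clocks)

def may_delete(record: dict, jurisdictions, today: date) -> bool:
    return today >= retention_expiry(record, jurisdictions)

def missing_fields(record: dict) -> list:
    """Unpopulated required fields; any entry here is an exam finding."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

# Constructed sample: a wire from a customer who later closed the account.
SAMPLE = {
    "reference": "TX-0001", "originator_name": "A. Example",
    "originator_account": "ACC-1", "beneficiary_name": "B. Example",
    "beneficiary_account": "", "amount": 1250.00, "currency": None,
    "transaction_date": date(2020, 3, 15), "relationship_end": date(2021, 6, 30),
}

if __name__ == "__main__":
    print(retention_expiry(SAMPLE, ["UK", "US"]))  # 2026-06-30
    print(missing_fields(SAMPLE))                   # ['beneficiary_account', 'currency']
```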

Common failure modes

These are the patterns that actually generate exam findings and enforcement actions:

  • Early deletion during system migrations. Core banking platform replacements and data warehouse cleanups routinely purge transaction data before the five-year mark. FinCEN's 2021 enforcement action against Capital One (Consent Order 2021-01) cited incomplete records as part of a broader BSA program failure totaling $390 million in penalties.
  • CDD files siloed from transactions. Both data sets exist but in separate systems with no shared customer identifier. An examiner can't link a specific transaction to the applicable CDD file without hours of manual cross-referencing. This is the second most common exam finding behind outright deletion.
  • Legacy records on unreadable systems. Records stored on decommissioned servers or proprietary database formats from vendors that no longer exist can't be retrieved. Technically existing but functionally inaccessible data fails the regulatory test.
  • Inconsistent retention across subsidiaries. A parent bank applies 7-year global retention; a subsidiary in a lower-risk jurisdiction follows only the local 3-year rule. On consolidated exams, the gap becomes a finding.
  • Missing SAR evidence packages. An institution files a SAR but doesn't tag and preserve the underlying transaction data that triggered the alert. When law enforcement requests it 18 months later, it's gone.
  • Inadequate VASP records. Crypto exchanges frequently omit on-chain transaction hashes, fiat equivalent values at time of execution, and full wallet address data. FATF's 2021 Updated Guidance for Virtual Assets identified this as a systemic gap across most VASP-active jurisdictions.

Penalties for non-compliance

Record-keeping failures rarely result in standalone fines. They compound other AML violations and significantly inflate the total penalty.

FinCEN fined Capital One Financial Corp $390 million in January 2021 (Consent Order 2021-01) for willful BSA violations, including record-keeping deficiencies tied to its former money services business customers over a multi-year period.

Rabobank NA paid a $369 million combined FinCEN and Department of Justice settlement in 2018. The DOJ criminal plea cited systematic failures in maintaining transaction records adequate to support law enforcement investigations over several years.

In the UK, the FCA fined Santander UK £107.7 million in December 2022 (FCA Final Notice, 9 December 2022) for persistent AML control failures that included deficiencies in customer risk assessment records across a material portion of its business banking portfolio.

Under EU law, member states must apply "effective, proportionate and dissuasive" penalties under AMLD4 Article 59. The 6AMLD, implemented by December 2020, added criminal liability provisions for serious ML offenses, including deliberate record destruction by natural persons.

Non-monetary consequences can be more damaging than the fines themselves. Loss of correspondent banking relationships, restrictions on new product launches, and personal MLRO liability under regimes like the UK's Senior Managers and Certification Regime (SMCR) routinely accompany record-keeping enforcement actions.


Related regulations and frameworks

FATF Recommendation 11 sits at the intersection of several adjacent obligations that either generate the records to be kept or depend on those records to function:

  • FATF Rec 10 (CDD): Defines what information must be collected during onboarding and ongoing monitoring. Rec 11 specifies how long that information must be retained. The two are operationally inseparable; an institution that collects thorough CDD under Rec 10 but deletes it at year four violates Rec 11.
  • FATF Rec 12 (PEPs): Politically exposed person files require additional documentation and Enhanced Due Diligence (EDD) reports. Those files fall under the same five-year retention floor.
  • FATF Rec 16 (Travel Rule): Requires originator and beneficiary data to accompany wire transfers. Rec 11 is the retention anchor for that Travel Rule data at the receiving institution.
  • FATF Rec 13 (Correspondent Banking): Respondent bank due diligence files, gathered before opening a correspondent relationship, fall under Rec 11 retention requirements at the correspondent bank.
  • EU 4AMLD / 5AMLD / 6AMLD: Article 40 of the Fourth AMLD sets the five-year floor with a possible national extension to ten years. 6AMLD tightened criminal liability provisions that directly implicate record destruction.
  • US Bank Secrecy Act (31 CFR § 1010.430): Requires five-year retention for CTR (Currency Transaction Report) filings and all records within scope of the rule. FinCEN's SAR regulations impose a parallel five-year retention requirement running from the date of filing.
  • UK MLR 2017, Regulation 40: The UK national implementation. Five years from end of relationship or transaction date, whichever is later, with possible extension under a court or supervisory direction.

How FluxForce supports FATF Rec 11 compliance

FluxForce maintains a time-stamped, tamper-evident audit trail linking every transaction record, CDD file, alert disposition, and SAR evidence package to a shared case identifier. Retention policies are configurable per jurisdiction, so a multi-country institution can apply a 7-year EU schedule alongside a 5-year US schedule from one control plane. Records are indexed for fast retrieval; compliance teams can respond to examiner requests without manual IT escalation. The platform's regulatory compliance automation handles the full retention lifecycle automatically. Book a demo to see how FluxForce manages record-keeping end to end.

FluxForce AI agents automate evidence capture, monitor transactions against FATF Rec 11 obligations in real time, and generate audit-ready reports with full decision trails.