Chapter 31 AML: Record keeping, training and awareness Flashcards
31.1 document retention policies
Records relating to CDD, the business relationship and occasional transactions must be kept for five years from the end of the client relationship (from end of the transaction for occasional transactions). The records must be readily retrievable. A business must remember the Data Protection Regime and must have appropriate security measures and not retain documents longer than necessary.
31.2 SAR and consent requests
No retention period is specified for records relating to internal reports, the MLRO’s consideration of internal reports, any subsequent reporting decisions, issues connected to consent, production of documents and similar matters and SARs and consent requests sent to the NCA or its responses. Since these records can form the basis of a defence against accusations of MLTF, businesses may decide it is suitable to keep them for the five-year retention period.
31.3 Training records
Businesses must demonstrate their compliance with regulations that place a legal obligation on them to ensure employees are aware of the law relating to MLTF and are trained regularly in how to recognise and deal with transactions related to MLTF. The records should show what training was given, the dates of the training, the individuals taking part and any results from the training.
31.4 Storing records relating to SARs
Records relating to internal and external SARs are not part of the working papers relating to client assignments. They should be stored separately and securely as a safeguard against tipping off.
31.5 Third Party arrangements for record keeping
A business may arrange for a third party to perform its AML activities, CDD or training. It must ensure that the other party’s record keeping procedures comply with the MLTF obligations or store copies of the records itself. It must consider how it would obtain the records if needed and what would happen if the other party ceased trading.
31.6 Deletion of personal data
Once periods have expired, the business should delete any personal data unless the business is required to retain it under statutory obligation or required to retain it for legal proceedings or the data subject has consented to the retention. The business is not required to keep any records for more than 10 years after the end of the business relationship.
31.7 training responsibilities
All relevant employees need to have training but thought should be given to who else might need AML training. The MLRO or a member of senior management is responsible for ensuring employees are trained. Someone accused of a failure to disclosure offence has a defence if their employer did not give them relevant training.
Training should cover an explanation of the law within the business’s own commercial context, red flags that employees should be aware of, how to deal with transactions related to MLTF, confidentiality and the data protection requirements. Training should be tailored to each business area, the aim is not to make employees develop a specialist knowledge of criminal law, but they should be able to apply a level of legal and business knowledge that would be expected of someone in their role.
The frequency of training can be influenced by changes in legislation, regulation, guidance, case law and judicial findings, the business’ risk profile, procedures and service line. It is not necessary to repeat a complete training programme regularly, but it is appropriate to provide concise updates. Businesses are encouraged to mount periodic MLTF awareness campaigns to keep employees alert with individual and firm-wide responsibilities.
