Record keeping

AML record keeping refers to the documentation your firm is legally required to maintain as part of its anti-money laundering obligations. These records include everything related to customer due diligence (CDD), risk assessments, transaction history, internal reports, policies, and procedures. Record keeping is required by regulation 40 of the Money Laundering Regulations (MLR 2017) and supports the full AML lifecycle — from client onboarding to ongoing monitoring and reporting suspicious activity.

Why record keeping matters

AML record keeping isn’t just about storing documents. It’s about demonstrating that your firm is taking its responsibilities seriously and has the evidence to back it up. Done well, record keeping helps your firm to:

  • Stay compliant with MLR 2017, POCA, and the Terrorism Act
  • Protect against reputational damage and enforcement action
  • Provide an audit trail for decisions made, including client acceptance and SARs
  • Respond confidently to compliance reviews or supervisory visits
  • Monitor high-risk clients and spot trends over time
  • Refine your AML policies with real-world context and data

Failing to maintain proper records can result in financial penalties, restrictions on practice, and even criminal liability in serious cases.

How to manage AML record keeping effectively

1. Keep the right types of records

Your firm must retain key documentation across the following areas:

Client due diligence (CDD)

  • Client ID and verification documents
  • Information on beneficial ownership and control
  • Risk assessments and rationale behind decisions
  • Evidence of enhanced due diligence where applicable

Transactions

  • Dates, amounts, parties involved, and method of transfer
  • Contextual details relevant to the nature of the transaction

Discrepancy reporting

  • Records used to identify and report material discrepancies in company or trust registers
  • Copies of reports submitted to Companies House or HMRC

Risk assessments

  • Your firm-wide risk assessment (FWRA) and how it was developed
  • Client-specific risk assessments and supporting information

Policies and procedures

  • Written versions of AML policies, controls, and procedures
  • Record of updates and how these were communicated to staff

Suspicious activity reports (SARs)

  • Internal reports of suspicion and any decisions made
  • Copies of SARs submitted to the National Crime Agency (NCA)
  • Notes on discussions, rationale, and confidentiality precautions

2. Follow legal retention periods

Most AML records must be retained for five years from:

  • The end of the business relationship, or
  • The date the transaction was completed (for occasional transactions)

After that period, personal data should be securely deleted unless there’s a legal reason to keep it (e.g. ongoing litigation). Your data retention policy should comply with both MLR 2017 and the Data Protection Act / UK GDPR.

3. Make records accessible and secure

  • Records should be easy for your MLRO, compliance officer, or supervisory authority to access
  • They must be clearly labelled and well-organised
  • Access to sensitive records (e.g. SARs) should be tightly controlled
  • Use encryption and secure storage for digital files

5. Train your team on what to keep and how

Staff should understand:

  • What AML records need to be completed and where to store them
  • The firm’s data retention and confidentiality rules
  • Who to speak to when unsure about what needs to be documented

Consistent training and clear documentation standards help ensure reliable compliance across all offices and teams.

6. Tailor templates and tools to your firm

Standard templates from professional bodies or vendors can help — but you’ll still need to adapt them. Your firm’s size, services, risk profile, and operations will affect what good record keeping looks like.

Use resources like Firmcheck’s AML guidance to support your team in tailoring documentation, policies, and processes to fit your real-world needs.

Summary

Record keeping is the backbone of your firm’s AML compliance. It shows that you’ve done the work, made informed decisions, and have the documentation to prove it.

To get it right:

  • Maintain clear, complete records across all required areas
  • Follow the five-year retention rule (and delete records responsibly after that)
  • Keep your documents accessible but secure
  • Train staff and standardise your approach across the firm
  • Regularly review and update your documentation tools and processes

Good record keeping doesn’t just meet legal requirements — it gives your firm clarity, consistency, and confidence in how you manage risk.

This article was summarised by the Firmcheck content team. The original content was written by an independent AML expert and is available on our blog.
