Why is Record-Keeping of Customer Identity and Transactions necessary?

Table of Contents

Why is Record-Keeping of Customer Identity and Transactions necessary?

Illicit financial activities, such as money laundering, financing terrorism, and proliferation financing (ML/FT and PF), hamper the integrity of the economy as well as the operations of business entities. To combat these illicit activities, businesses adopt robust Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) measures, which are aligned with the regulatory framework.

As part of the UAE’s AML/CFT regulatory framework, all regulated entities, including Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs), are required to maintain records of KYC, CDD, EDD, transactions, audit logs, software audit trail, AML/CFT policy, procedures, etc.

In this article, we’ll discuss why record keeping of customer identity and transactions is important and what its best practices are.

What is AML Record-Keeping?

Whenever regulated entities undertake measures and activities to mitigate ML/FT and PF risks, such as customer due diligence, transaction monitoring and AML audit, they generate several documents in the process. Maintaining these documents is necessary as it makes it easier for them to access data as and when required, which is crucial for combating financial crimes, including ML/FT and PF.

This is the essence of AML record-keeping. Therefore, record-keeping in the AML framework means maintaining documents pertaining to AML measures that include customer identity records, transaction records, adverse media checks, etc. Record-keeping thus carries a significant purpose in ensuring AML compliance.

With our AML expert guidance,

Start your AML compliance journey smoothly.

What type of records are required to be maintained?

The types of records that regulated entities need to maintain depend on the regulations they need to follow. In the UAE, regulated entities must maintain records related to various compliance measures undertaken by them.

Here is a comprehensive list of customer-related information and transactions which require record-keeping in the UAE:

1. EWRA, Internal policies, Procedures and Control Measures

The Regulated Entities must take a Risk-Based Approach and conduct an ML/TF/PF Enterprise-Wide Risk Assessment. Regulated entities are required to establish internal policies and procedures as part of their AML framework and maintain their version history.

As part of policies and procedures, regulated entities need to establish a risk appetite statement that provides the entity’s stand on accepting risks and sets a base to analyse trade-off decisions. A risk appetite statement helps everyone understand the level of risks the entity is willing to take and accordingly apply suitable control measures. 

Furthermore, based on risk appetite, the regulated entity must also identify and enforce AML control measures to combat ML/FT and PF risks associated with the entity.

2. Customer Due Diligence

It is essential for regulated entities to conduct the CDD process to measure ML/FT and PF risks associated with customers. There are various elements for an effective CDD. The CDD process includes conducting know-your-customer (KYC) measures to verify the customer’s identity. It is required to maintain KYC records along with supporting documents like Emirates ID, Passport, Utility Bill, etc.

Customer risk assessment is a key component of the CDD process that helps detect and prevent ML/FT and PF risks by evaluating the risk associated with each customer. Regulated entities must maintain customer risk assessment documents as evidence of their risk profiling.

Based on customer risk assessment, regulated entities are needed to undertake Enhanced Due Diligence (EDD) for higher-risk customers that pose ML/FT and PF risks and thus present increased exposure to them. They need to maintain any additional information related to customers within CDD records concerning EDD.

3. Transactional Records

Regulated entities have to keep a record of the business relationship- transactions involved from five years of completing the transaction. The various transaction records involve purchase orders, sales orders, invoices, receipts, payments, credit and debit notes and correspondence with the business. Regulated entities must maintain all the documents to establish a proper audit trail.

4. Regulatory Reports

To meet the internal and external reporting requirements, regulated entities must maintain all submissions made to the regulatory authorities.

As a part of his responsibility, the compliance officer prepares a semi-annual AML compliance report, which he submits to the senior management. These reports must be preserved. Further, semi-annual reports submitted to the regulatory authorities must be preserved for a period of 5 years.

However, the record keeping duration varies from one supervisory authority to another. 

  • The Virtual Assets Regulatory Authority (VARA) mandates Virtual Assets Service Providers (VASPs) to maintain records for a duration of 8 years
  • Dubai International Financial Centre (DIFC) requires DNFBPs to maintain AML/CFT compliance and CDD records for 6 years.
  • Abu Dhabi Global Market (ADGM) requires DNFBPs and VASPs to maintain AML/CFT compliance and CDD records for 6 years.

The AML regulations in the UAE mandate the regulated entities to identify suspicions related to ML/FT and PF and report such suspicions by filing a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). As part of record-keeping compliance, they must keep records of STR/SAR.

In addition to MLRO and STR/SAR, the regulated entity needs to submit additional reports based on the nature of the customer’s business, circumstances and place of the customer’s business or transactions. These reports include the High-Risk Country Report, High-Risk Country Activity Report, Real Estate Activity Report, Fund Freeze Report, Partial Name Match Report and Dealers in Precious Metals and Stones Report. Regulated entities in the UAE are mandated to maintain such reports.

An Independent AML Audit report issued by the external auditor must be preserved for at least 5 years.

5. Correspondence and Directives Issued by Regulatory Authorities

Regulated entities should also keep records related to communication and directives issued by regulatory bodies, ensuring compliance with applicable laws and regulations. With such records, regulated entities in the UAE can effectively manage risks associated with their customers and transactions and help supervisory authorities keep checks and balances.

6. Training Logs

Training logs are key tools within the AML/CFT framework. They ensure that staff and employees within businesses are adequately trained to fulfill their responsibilities effectively. By maintaining comprehensive training logs, regulated entities demonstrate their commitment to AML/CFT compliance, fostering a culture of compliance within the organization and empowering staff to detect and prevent financial crimes effectively.

Make your record-keeping accurate, easier, and effective.

Why is record-keeping of customer-related information necessary?

Why is record-keeping of customer-related information necessary?

Record-keeping is an integral part of the AML/CFT framework. It supports various compliance activities like customer due diligence, transaction monitoring, reporting, compliance documentation, regulatory examinations, and investigations. Properly maintained customer records are essential for compliance with AML regulations.

Here is the list of reasons that make record-keeping of customer information and transactions necessary:

Differences-between-AML-risk-management-and-AML-compliance

Legal and Regulatory Compliance

The AML/CFT regulatory framework requires regulated entities to maintain customer-related AML records. If a regulated entity fails to maintain records, it can result in legal consequences, fines, or penalties. Therefore, having a system for record-keeping helps in avoiding legal implications.

Customer Due Diligence

AML regulations require regulated entities to conduct due diligence on their customers to assess their risk levels and verify their identities. Record keeping helps regulated entities maintain proper documentation of customer information, identity verification, and risk assessments. Furthermore, it helps them avoid any financial and reputational loss in case a customer is engaged in illicit activities.

Proactive Monitoring

Regulated entities are required to monitor customer transactions for suspicious activities that may indicate money laundering or other illicit activities. Record-keeping plays a vital role in enabling proactive monitoring from an AML/CFT standpoint.

Regulatory Reporting

When suspicious activities are detected, financial institutions must file SAR/STR with the appropriate regulatory authorities. Proper record-keeping ensures that all necessary information related to the customer’s suspicious activity is documented and can be provided to regulatory authorities.

Performance Evaluation

Record-keeping helps regulated entities assess the performance of AML measures across the entire organisation, including those measures incorporated for customers. By tracking KPIs over time, regulatory entities can easily identify AML measures’ strengths, weaknesses, and gaps for improvement.

Decision Making

Records provide valuable data and insights that aid in making informed decisions. Whether it’s about customer-business relationships, control measures, or strategic direction, having access to historical records enables better decision-making. A well-structured record-keeping system allows for better tracking of suspicions, which in turn helps in making informed decisions.

Independent AML Audit

Regulated entities need to appoint an independent AML auditor to carry out the audit of their AML/CFT compliance. Record-keeping facilitates such audits.

Inspections and Investigations

Often, regulatory authorities come for inspections and ask for various compliance records. Record-keeping also helps investigators conduct investigations into cases related to money laundering and terrorist financing.

How do you maintain customer identity and transaction records?

Record keeping procedure depends on local and global regulatory requirements. The number of records required to be maintained affects the manner in which such records are maintained. The records can be maintained physically or in an electronic form. Ideally, the following documents should be maintained:

  • Original documents
  • Photocopies of original documents
  • Documents stored in electronic form

It is noteworthy that the records maintained should be easily accessible. If the source documents are available in a foreign language, then translated copies must be made available to ensure AML/CFT compliance.

Ensure accurate maintenance of AML records,

With the expertise of AML UAE

Challenges for maintaining customer records

Although it is necessary to keep records of customer information and transactions, regulated entities face various challenges in maintaining an efficient system.

The following are some major challenges:

Large and Complex Data

Customer records are comprehensive data that include information relating to customer due diligence, transactions, ongoing monitoring, suspicion reports and internal policies, procedures, and controls. Thus, handling the large volume and complexity of AML records becomes challenging for businesses.

Regulatory Variations

Global businesses have to adhere to multiple laws and regulations. Such variations in regulatory requirements pose a constant challenge as every jurisdiction requires different record-keeping obligations, making adherence to regulatory frameworks challenging for the entities.

Privacy and Consent

KYC information is personal in nature. Before keeping records, regulated entities must obtain consent from the person to whom such information belongs. However, customers are hesitant to provide information due to privacy concerns. Further, remote onboarding procedures require liveness checks, IP address logging, etc. If customers are not willing to part such information, it becomes difficult to onboard customers.

Data Security

Keeping a large amount of data requires effective security measures. Businesses face challenges in ensuring the security of sensitive data. Additionally, information pertaining to customers and their transactions is very sensitive and is targeted by criminals for facilitating their illicit activities. This obligates regulated entities to deploy enhanced data security measures.

Incomplete and Inaccurate Data

There is an abundance of information collected by the regulated entity from various sources while undertaking AML measures. However, not all information is relevant, complete, or accurate. It becomes a challenge to segregate qualitative and accurate data from the amount of information available.

Best practices for effective record-keeping of customer information

It is essential for regulated entities to implement effective record-keeping measures to maintain accurate documentation concerning customers and third parties.

Here are some best practices that regulated entities can establish for record-keeping of customer information:

Implement Document Management Software

Document management tools provide a harmonious and logical filing system that is easy to understand and use. Regulated entities can implement such tools to standardise AML record-keeping processes for maintaining customer information and transactions across their operations.

Use Cloud-based Storage

Regulated entities collect a large volume of customer data for which they can use cloud-based storage. The transition to cloud-based storage solutions can help them store records while providing scalability and accessibility.

Implement Security and Privacy Guidelines

Customers have privacy concerns about data usage and retention, which makes it difficult for regulated entities to obtain consent from them. Thus, to maintain their trust, they should establish clear data usage and retention policies which comply with relevant privacy regulations.

Deploy Data Security Tools

Keeping a large amount of data requires effective security measures. For this purpose, regulated entities should implement encryption technology, firewalls, etc., to limit unauthorised access and tackle data breaches.

Deploy Data Security Tools

Keeping a large amount of data requires effective security measures. For this purpose, regulated entities should implement encryption technology, firewalls, etc., to limit unauthorised access and tackle data breaches.

Backup and recovery

Maintaining customer information is very important for regulated entities, and any loss of data can lead to major repercussions. Thus, regulated entities must implement backup procedures for records to prevent data loss by system failure or cyber-attacks. Further, they should also develop a recovery plan to ensure that records can be quickly restored in the event of loss.

Regular Updates and Review

Regulated entities must regularly update their systems and underlying procedures to remain compliant with the ever-changing regulatory environment. Internal health-check reviews must be conducted to find discrepancies in record-keeping and take immediate remedial measures.

Final Words on Maintaining Effective Customer-related Records

For regulated entities, record-keeping of the identities of their customers and transactions is crucial to ensure compliance with regulations, manage risks, and easily access data for submitting it to the authorities as and when required.

AML UAE is a global AML/CFT consulting firm assisting regulated entities in deploying countermeasures to curb financial crimes.

FAQs related to record-keeping under the AML Regulatory Framework

Record-keeping in the UAE’s AML regulatory framework means maintaining documents related to AML measures that include customer identity records, transaction records, adverse media checks, etc.

As per the UAE’s AML regulations, regulated entities need to maintain AML records for five years. However, for ADGM and DIFC-regulated entities, it is necessary to keep the AML records for six years. For VASPs based out of VARA, it is required to maintain records for eight years.

Record keeping is an integral part of AML compliance as it acts as a proof of having followed regulatory requirements and risk-based approach.

The types of records that must be maintained are as follows:

  • Customer information
  • Transactional information
  • Internal/External suspicious reported
  • Records pertaining to ongoing monitoring
  • Training Logs
  • Compliance officer reports
  • Copies of reports filed on the goAML portal

Record-keeping is an integral part of the AML framework. A well-structured record-keeping system allows for easy tracking of any suspicious transactions and facilitates effective AML compliance measures with AML regulations.

Want to have an effective record-keeping strategy for your business?

Let’s connect and discuss your requirements.

Share via :

Share on facebook
Share on twitter
Share on linkedin

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.