Data and document retention: Comments and recommendations by the NBB
1. Document retention modalities
In accordance with Article 60 of the Anti-Money Laundering Law, financial institutions should keep the following documents and information, using any type of record-keeping system:
1° the identification data of customers, agents and beneficial owners, where appropriate updated in accordance with Article 35 of the Anti-Money Laundering Law, and a copy of the supporting documents or of the result of consulting an information source, as referred to in Article 27, including:
a) where applicable, information obtained through electronic identification means such as those provided or recognised within the authentication service as referred to in Articles 9 and 10 of the Law of 18 July 2017 on electronic identification, confirming the identity of persons online;
b) where applicable, information obtained through relevant trust services referred to in Regulation 910/2014.
The aforementioned documents and information are kept for a period of ten years after the end of the business relationship with the customer or after the date of the occasional transaction;
2° the documents describing the measures taken to comply with the verification obligation in the case referred to in Article 23, § 1, third paragraph, of the Anti-Money Laundering Law, including the information on any difficulties that arose during the verification process. These documents are kept for a period of ten years after the end of the business relationship with the customer or after the date of the occasional transaction;
3° without prejudice to compliance with any other legislation on document retention, the supporting documents and records of transactions that are necessary to identify and accurately reconstruct the transactions carried out, for a period of ten years from the date of execution of the transaction;
4° the written report drawn up in the event of reporting to CTIF-CFI, for a period of ten years from the date of execution of the underlying transaction (according to the same terms and conditions as set out in point 3° above).
The retention period of ten years referred to above is reduced to seven years for transactions carried out in 2017, and to eight and nine years for transactions carried out in 2018 and 2019 respectively (see Article 60, second paragraph, of the Law). This period is also reduced to seven years for information and documents regarding business relationships ended or transactions concluded up to 5 years prior to the date of entry into force of the Anti-Money Laundering Law (see Article 62, § 2, of the Law). It should be noted that, by complying with this period provided for in the Anti-Money Laundering Law, the obligation set out in the European Regulation on transfers of funds to retain information on the payer and payee for a period of five years is automatically met.
The NBB notes that the copy of the supporting documents that have been used by the financial institution to verify the identity of the customer or his agent, may be taken on a durable data storage device (that, according to the definition of Article I.1.15° of the Code of Economic Law, may be an electronic storage device), which may also be used for its storage. The same retention obligations apply to documents that have been used by the institution to verify the identity of the beneficial owners or, failing that, to evidence that such verification did not prove to be reasonably possible.
Article 61 of the Anti-Money Laundering Law also provides that instead of keeping a copy of the supporting documents, financial institutions may keep the references of these documents, provided that, due to their nature and the modalities of their storage, these references allow them with certainty to produce the documents concerned immediately, at the request of CTIF-CFI or of other competent authorities (in particular the NBB), during the retention period laid down in the said Article, and that it has not been possible to modify or alter these documents in the meantime. Financial institutions considering making use of this derogation should specify in advance, in their internal procedures, the categories of supporting documents of which they will keep the references instead of a copy, as well as the procedures for retrieving the documents concerned so that they can be produced on request.
In order to ensure that financial institutions are able to demonstrate a posteriori, in particular to the NBB in the exercise of its supervisory powers, that they have effectively fulfilled their legal and regulatory obligations with regard to customer and transaction due diligence and to the analysis of atypical transactions and reporting of suspicions, and that they have complied with the provisions of the European Regulation on transfers of funds and the mandatory provisions on financial embargoes, Article 24 of the Anti-Money Laundering Regulation of the NBB requires that the written or electronic documents in which they have recorded the measures they have actually implemented to this end, be kept for the same periods as those indicated above.
In accordance with Article 62, § 1, of the Law, financial institutions are obliged to delete personal data at the end of the aforementioned retention periods.
In order to operationalise the rules set out in point 1 above, the NBB expects financial institutions to develop a document retention procedure (see also the page "Policies, procedures, processes and internal control measures").
This procedure should at least include:
a list of the information and documents to be kept,
the retention period,
the event from which the retention period is to be calculated, and
the rules to be respected regarding the confidentiality of the documents, i.e. their storage, persons having access to them, procedures for accessing data, etc. (even if the institution uses an external service provider to archive these data).
In this regard, the NBB invites financial institutions to set up mechanisms for accessing customer files and data relating to their transactions, that are adapted to their organisation and that allow the authorities responsible for AML/CFT to receive these files and data as soon as possible, in particular in order to be able to take them adequately into account in fulfilling their due diligence obligations and obligation to analyse atypical operations, and to be able to respond without delay to any request for additional information made by CTIF-CFI. Financial institutions must nevertheless take into account the recommendations on the processing of personal data issued by the Data Protection Authority.
the procedures for deleting personal data, in accordance with Article 62 of the Anti-Money Laundering Law, at the end of the retention period.