One of the fundamental principles of GDPR is that you should only keep personal data for as long as necessary. Lawyers usually retain client files for at least 6 or 7 years for PII purposes, and much longer in some cases (e.g. property, children and private client).
Within most client files you will probably find client due diligence documents, copy passports, utility bills etc.
Whilst this is wholly reasonable and standard practice, there is a risk that it may inadvertently fall foul of the anti-money laundering legislation.
What’s the issue?
Section 40 of the Money Laundering Regulations 2017 states that you should keep CDD documents for a period of five years, but once this period has expired the ‘relevant person must delete any personal data obtained for the purpose of these Regulations’.
This is subject to a ten year long stop where there is an ongoing business relationship.
Records may be kept for longer, but only with the client’s consent.
The guidance for the legal sector states:
‘Many practices will wish to retain the complete file of papers, including CDD records, for a period exceeding that which is specified in Regulation 40(3). For example, your practice’s retention policy may specify longer retention times to take account of the expiry of limitation periods for potential negligence against the practice. If there (is) any variation on the period prescribed in Regulation 40(3), the client’s consent must be obtained. This consent clause can be contained in your engagement letter or terms of business and should be signed or acknowledged by the client.’
That leaves us in a position where:
- the retention period for CDD documents is different to that of the rest of the file, which is problematic for many firms who keep all the documents together; and
- for those firms not relying on consent to process client data under GDPR (most of you, hopefully), there is potentially a requirement to obtain consent for just the CDD element under the AML rules.
- The guidance above suggests that ‘consent’ is closer to the very high bar in GDPR, rather than the old data protection rules, where we could assume consent if we gave the client the option to opt out, or infer consent from silence.
- When does the 5 years start? The regulations state it runs from when ‘the transaction is complete’, so going from your file closure date is not going to be sufficient unless you are really on top of your file closures.
- How many CDD documents do you have in archive files that are older than 5 years? You need to consider whether a trawl of these documents is necessary.
- Where do you store CDD documents? We know many firms store the documents on paper files, electronic files, and in separate CDD folders – the more places you store the documents the more problems it could cause you.
- One possible solution is to remove CDD documents from the file when closing the file. So, part of your file closure procedure could be to remove documents from the client file into an AML folder. You could also put a date of destruction on the AML documents 5 years from the date the transaction completed.
- The other solution is to obtain your client’s consent to keep the documents longer than 5 years and in line with your general file retention policy. If you choose this option remember to have a procedure for those clients who refuse to give consent.
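As an added illustration (not part of the original article, and not a statement of the regulations themselves), the following Python sketch encodes the retention rules discussed above so they can be applied in a file-closure or archive sweep: the five-year clock runs from transaction completion rather than file closure, an ongoing relationship is capped by the ten-year long stop, and a longer period applies only where the client has consented. The long stop is assumed here to run from the date the CDD was obtained, the firm's general retention period is a parameter, and the sample records are constructed; all three are assumptions of this example.

```python
"""Retention sweep for client due diligence (CDD) records.

Added example, not from the original article. Encodes the rules the article
sets out: delete five years after the transaction completed, a ten-year long
stop where the business relationship is ongoing, and a longer period only
where the client has consented. Points marked 'assumption' are not taken
from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CDD_RETENTION_YEARS = 5   # five years from transaction completion
LONG_STOP_YEARS = 10      # ten-year long stop for ongoing relationships
                          # (assumption: counted from the date the CDD was obtained)
SWEEP_DATE = date(2024, 1, 15)   # constructed 'today' for the sample run


@dataclass
class CddRecord:
    client_id: str
    obtained: date                 # date the CDD document was collected
    completed: Optional[date]      # date the transaction completed; None if still open
    file_closed: Optional[date]    # file closure date; deliberately NOT the trigger
    ongoing_relationship: bool = False
    consent_to_longer_retention: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, pinning 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def delete_by(record: CddRecord, firm_policy_years: int) -> Optional[date]:
    """Date by which the CDD data must be deleted, or None if the clock has not started.

    firm_policy_years is the firm's general file retention period (assumed
    parameter) and is only used where the client has consented.
    """
    if record.consent_to_longer_retention and record.completed is not None:
        return add_years(record.completed, firm_policy_years)
    if record.ongoing_relationship:
        return add_years(record.obtained, LONG_STOP_YEARS)
    if record.completed is None:
        return None                       # still open: five-year clock has not started
    return add_years(record.completed, CDD_RETENTION_YEARS)


def sweep(records: List[CddRecord], today: date, firm_policy_years: int) -> Dict[str, str]:
    """Classify each record as 'delete' (deletion date reached), 'retain' or 'open'."""
    result: Dict[str, str] = {}
    for r in records:
        due = delete_by(r, firm_policy_years)
        if due is None:
            result[r.client_id] = "open"
        elif due <= today:
            result[r.client_id] = "delete"
        else:
            result[r.client_id] = "retain"
    return result


# Constructed sample records (not real clients).
SAMPLE_RECORDS = [
    # Completed 2018 but file only closed 2021: counting from closure would
    # wrongly keep this until 2026; counting from completion it is overdue.
    CddRecord("C001", date(2017, 3, 1), date(2018, 6, 30), date(2021, 2, 1)),
    # Ongoing client, nothing 'completed': long stop applies.
    CddRecord("C002", date(2016, 5, 10), None, None, ongoing_relationship=True),
    # Consent obtained: follows the firm's general retention period.
    CddRecord("C003", date(2019, 1, 1), date(2020, 1, 1), date(2020, 3, 1),
              consent_to_longer_retention=True),
    # Open matter, no relationship flag: clock not started.
    CddRecord("C004", date(2023, 1, 1), None, None),
    # Leap-day completion: deletion date lands on 28 February.
    CddRecord("C005", date(2011, 11, 1), date(2012, 2, 29), date(2012, 4, 1)),
]

if __name__ == "__main__":
    for client, action in sweep(SAMPLE_RECORDS, SWEEP_DATE, firm_policy_years=7).items():
        print(client, action)
```

The sweep reports C001 as due for deletion even though its file was closed only three years ago, which is the trap described above: the trigger is the completion date, not the closure date. Records with no completion date and no relationship flag are reported as open rather than silently retained, so they surface for review instead of being missed.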
We would be interested to hear how you are dealing with this in practice.