Skip to main content Skip to navigation

State of Financial Crime 2023 Report

Why Record-Keeping and Reporting is Important

AML Compliance Knowledge & Training

Risk management activities in financial crime prevention include preventive, detective, and corrective controls. Preventive controls include robust due diligence, recordkeeping, and record retention. Detective controls include reporting suspicious activity to the appropriate authorities. Corrective controls include the eventual dismissal of a customer relationship where necessary.

Part 4 of the Compliance Team’s Guide to Onboarding discusses the importance of preventative and detective controls, particularly record-keeping and reporting measures.  

Maintaining records 

To demonstrate how much control compliance teams have over the onboarding process, firms need secure and accessible records. These records are the essential breadcrumbs in the audit trail of any money laundering or terrorist financing investigation.

While there is no definitive set of record-keeping requirements for every business type, there must be enough documentation that underpins a firm’s onboarding process to demonstrate why a specific client was onboarded and what steps they went through. The length of time firms must retain this information depends on local laws and regulations.

The following types of records should be maintained:

  • Client identification and verification documents
  • Information on the transaction and role played by the institution
  • Customer due diligence prepared during the onboarding process
  • Printouts that identify whether the client is sanctioned, a politically exposed person (PEP), or the subject of any adverse media
  • Any information secured on the client’s source of wealth and source of funds
  • Information not acted upon — including evidence of the decision not to act
  • A record of clients not onboarded and the reasons why
  • Correspondence between the engagement team and the onboarding team
  • Proof of any internal and external escalations and decisions related to those escalations
  • Material generated in the context of enhanced due diligence and ongoing monitoring

Firms must also keep records about the formal risk-based assessment, anti-money laundering, counter-terrorist financing, and sanctions compliance policies. Any changes to these policies must be recorded.

Reporting suspicious activity

The first stage of the suspicious activity reporting process is the responsibility of the onboarding or transaction team. A subjective conclusion must be reached that there are grounds for suspicion of money laundering, terrorist financing, or sanctions breaches concerning a particular client or matter.

From there, firms must follow their internal escalation protocols – the details of which are listed below:

Internal escalation protocols

The escalation process should then lead to the money laundering officers, who can determine whether the report should be escalated externally. This decision should be communicated to the onboarding and compliance teams before it’s escalated to the external authorities.

The money laundering officer can delegate the preparation of the external report to the deputy money laundering officer, the internal legal function, or some other relevant person in the onboarding or broader compliance functions. But that officer should have a role in overseeing and agreeing to the actual suspicious activity report before it’s sent to the relevant external authorities.

A suspicious activity report (SAR) must include the following:

  • An explanation of the suspicion
  • The property in question
  • The activity the firm is being asked to undertake
  • The actions the firm will take following the external escalation
  • Whether or not permission is being sought to carry on any activity that may be construed as abetting money laundering

When a SAR has been filed, each institution should have a specific policy and process to follow. Staff responsible for contacting customers should receive training and fully understand the responsibility of not “tipping off” the customer about a possible SAR filing. Additionally, firms must observe local data protection and legislative requirements. Financial institutions cannot mention a SAR, whether they are considering filing one or having filed one. In some jurisdictions, the unauthorized disclosure of a SAR is a criminal offense.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

  • How to determine what level of due diligence is appropriate for different customers
  • The importance of understanding ultimate beneficial ownership (UBO) structures
  • What training is required to equip new onboarding team members properly

Understanding record-keeping and reporting

Learn more about why comprehensive record-keeping and robust reporting methods matter in Part 4 of the Compliance Team’s Guide to Onboarding.

Read Part 4


Originally published 05 December 2022, updated 05 December 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).