Keeping detailed records of customers and red flags alerts of their activity is an important process of compliance with key jurisdictions. Record retention of compliance documents for SARs, UBOs and CDD is mandatory for a number of jurisdictions, albeit with differing amounts of time required.
In the U.S., MSBs must retain records of the SARs submitted to FinCEN for a period of 5 years. In the UK, firms must retain their records related to CDD of a client’s transactions for 5 years after the business relationship has ended. Under Art 7 of Switzerland’s Federal Act on Combating Money Laundering and Terrorist Financing (Anti-Money Laundering Act, AMLA) – an AML legislation applicable to exchanges in the country – records must be retained of Id documents of contracting parties, the beneficial owners of the entities and the past transactions for 10 years after the termination of the business relationship or after completion of the last transaction.
As the total crypto asset market has swelled to a more than 2 trillion valuation, a number of additional financial industry-applicable laws have become more applicable, such as fiat off and on ramps of payment processors. More and more crypto-asset exchanges are moving into the area of payments by offering debit cards in partnership with Visa, Mastercard or other provider (i.e. Coinbase, Binance, Crypto.com, etc). Retaining records extends to payment processing, for instance, under the European Union’s Regulation (EU) 2015/847, payment service providers (PSPs) must maintain a record for 5 years of the payee and payer to a transaction of 1,000 EUR and greater including credit transfers, direct debit transactions as well cross-border transactions “carried out using a payment card, an electronic money instrument, or a mobile phone, or any other digital or IT prepaid or postpaid device”.
Altogether, it is important to have a comprehensive record retention policy for your exchange to keep in compliance with the various jurisdictions’ requirements. Whilst this aspect of compliance can slightly lengthen a compliance team’s RBA process, it becomes imperative once an exchange is faced by an audit from an FIU.