2026-05-20

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes: 9. Record Keeping

The Gibraltar Financial Services Commission mandates that regulated entities maintain comprehensive documentary evidence of Customer Due Diligence and transaction monitoring to ensure compliance with the Proceeds of Crime Act 2015. The guidance specifies detailed record-keeping requirements for various risk scenarios, including simplified and enhanced due diligence, non-face-to-face relationships, and Politically Exposed Persons, while also outlining sector-specific obligations for correspondent banking and life assurance providers. All relevant records must be retained for a minimum of five years from the conclusion of transactions or business relationships, with strict protocols governing data deletion, third-party reliance, and the intersection with data protection regulations.


9. Record Keeping
AML/CFT/CPF Guidance Notes, May 2026
www.gfsc.gi

Table of Contents

9.1 Record Keeping Requirements
  9.1.1 General Record Keeping
  9.1.2 Record Keeping for Simplified Due Diligence
  9.1.3 Record Keeping for Enhanced Due Diligence
  9.1.4 Record Keeping for Non-Face-to-face
  9.1.5 Record Keeping for Politically Exposed Persons
  9.1.6 Record Keeping Retention Periods
9.2 Record keeping when relying on third parties to conduct CDD
9.3 End of Retention Period
9.4 Other Records
  9.4.1 Records to consider keeping
  9.4.2 Compliance Monitoring Records
9.5 Format and Location of Records
9.6 Data Protection Regime
9.7 Record Keeping Examples

9.1 Record Keeping Requirements

AML/CFT/CPF Requirements

R27 A regulated entity must be able to provide documentary evidence of its compliance with legislative and regulatory requirements, including these Guidance Notes.

R28 A regulated entity must keep appropriate supporting records in respect of transactions which are the subject of either CDD measures or ongoing monitoring, for audit trail purposes.

Guidance

  1. The underlying principle is that a regulated entity must know who its customers are and have the necessary customer identification documentation, or data, to evidence this in accordance with the record keeping requirements under POCA[1]. In addition to the due diligence performed on each customer, a regulated entity must also demonstrate that all other requirements have been met.
  2. The requirement outlined in Section 25 of POCA relates to the records of customer identification and transactions. This is an essential component of the audit trail that the provision seeks to establish.
  3. In determining what the relevant records are and what should be maintained, a regulated entity needs to consider that notes, e-mail exchanges and any other forms of correspondence may be relevant or crucial to the firm's understanding of its customers and transactions, and would therefore be caught by the record keeping requirements. It should be noted that record keeping requirements are not subject to a risk-based approach and there is no room for subjective assessment of the extent to which a regulated entity must comply. Sections 9.1.1 to 9.1.5 of these Guidance Notes clearly set out the records that must be maintained in accordance with Section 25 of POCA.

9.1.1 General Record Keeping
  4. General record-keeping requirements include the matters detailed below:
  • The application of CDD measures in all circumstances outlined in Section 11 of POCA;
  • Documents which evidence the verification of the identity of the customer and any beneficial owner before the start of a business relationship or the carrying out of an occasional transaction;
  • Sufficient supporting records to enable the transaction/matter to be reconstructed (original or copies) as this may, for example, lead to an investigation;
  • Evidence of ongoing monitoring of business relationships including records showing the scrutinising of transactions undertaken throughout the course of the relationship; and
  • Evidence that reviews of existing records have been carried out, and updated, where necessary.

9.1.2 Record Keeping for Simplified Due Diligence
  5. Record keeping for simplified due diligence measures includes the matters detailed below:
  • When applying simplified due diligence measures, records showing that the regulated entity has identified areas of lower risk such as those set out in Schedule 6 of POCA, has ascertained that the business relationship or transaction presents a lower degree of risk, and has not identified a suspicion or knowledge of ML, TF or PF; and
  • When taking account of the factors of potentially lower risk situations for the purposes of applying simplified due diligence, documentation of a risk assessment must be kept. This must include geographical risk factors, including those identified within any information that is made available to the regulated entity pursuant to the National Coordinator for Anti-Money Laundering and Combatting Terrorist Financing Regulations 2016; any geographical risk factors contained in such information will take precedence.

[1] Section 25, Proceeds of Crime Act 2015

9.1.3 Record Keeping for Enhanced Due Diligence
  6. Record keeping for enhanced due diligence measures includes the matters detailed below:
  • Documentation which shows the application of enhanced due diligence measures, including documents which show that the regulated entity has examined, as far as reasonably possible, the background and purpose of all transactions that are complex, unusually large, conducted in an unusual pattern or have no apparent economic or lawful purpose, etc.;
  • When applying enhanced due diligence measures, documentation demonstrating that the regulated entity has assessed the risks of ML, TF and PF and has taken into account the factors of potentially high-risk situations set out in Schedule 7 of POCA; and
  • In relation to business relationships or transactions involving high-risk third countries, a regulated entity must maintain records of the following enhanced due diligence measures:
    ▪ Records of additional information on the customer and on the beneficial owners;
    ▪ Records of additional information on the intended nature of the business relationship;
    ▪ Records of information on the source of funds and source of wealth of the customer and of the beneficial owners;
    ▪ Records of information on the reasons for the intended or performed transactions;
    ▪ Documentation demonstrating that approval of senior management for establishing or continuing the business relationship has been obtained; and
    ▪ Records which demonstrate that there is enhanced monitoring of the business relationship.

9.1.4 Record Keeping for Non-Face-to-face
  7. Record keeping for non-face-to-face business relationships includes the matters detailed below:
  • Records which demonstrate that a customer's identity has been established by additional documentation or information;
  • Records which show that a regulated entity has taken supplementary measures to verify or certify any documents supplied; and
  • Records showing that the customer's first payment was carried out through an account opened in the customer's name with a credit institution.

9.1.5 Record Keeping for Politically Exposed Persons

  8. When establishing or proposing to have a business relationship or carrying out an occasional transaction with a PEP (including a customer whose beneficial owner is a politically exposed person), a regulated entity must:
  • Document approval from senior management;
  • Document the source of wealth and source of funds of the customer and any UBOs; and
  • Where the business relationship is entered into, maintain evidence of enhanced due diligence and ongoing monitoring of the relationship.

Sector-Specific Guidance - Correspondent Banking
  9. For correspondent banking relationships outside Gibraltar, credit or financial institutions must, in addition to records collected for CDD requirements under Sections 10-13 of POCA, do the following:
  • Gather sufficient information about the respondent to fully understand the nature of its business;
  • Determine from publicly available information the reputation of the respondent and the quality of the respondent's supervision;
  • Determine from publicly available information whether the respondent has been subject to any ML, TF or PF investigation or regulatory action;
  • Assess the respondent's AML, CFT and CPF controls;
  • Obtain evidence of approval from senior management before establishing a new correspondent banking relationship;
  • Understand and document the respective responsibilities of the respondent and correspondent;
  • Be satisfied that the respondent does not permit its accounts to be used by shell banks; and
  • Be satisfied that, in respect of those of the respondent's customers who have direct access to accounts of the correspondent, the respondent:
    o Has verified the identity of, and conducts ongoing monitoring in respect of, such customers; and
    o Is able to provide to the correspondent, upon request, the documents, data or information obtained when applying CDD measures and ongoing monitoring.

Sector-Specific Guidance - Life Assurance and Pension Service Providers
  10. When a regulated entity assesses the risks of ML, TF and PF, it must document that it has included the beneficiary of any life insurance policy or pension scheme as a relevant risk factor. A regulated entity that is involved in life insurance, pension scheme or other investment-related insurance activities must, in addition to CDD and ongoing monitoring requirements, keep records of the following:
  • In the case of beneficiaries that are identified as specifically named persons or legal arrangements, the name of the person;
  • In the case of beneficiaries that are designated by characteristics or by class, sufficient information concerning those beneficiaries to be able to show that the identity of the beneficiary at the time of the payout has been established; and
  • Records showing that the regulated entity has established and verified the identity of the beneficiary before any payment is made to the beneficiary or before the beneficiary exercises its vested rights in the trust, entity, or legal arrangement.

Guidance
  11. A regulated entity must retain a copy of any documents and information obtained to satisfy its requirements for five years from the date on which the occasional transaction is completed, or the business relationship ends.
  12. This requirement is not limited to information about the customer itself; it must also cover other relevant and appropriate data, such as those outlined in the non-exhaustive list below:
  • Identifying and verifying the customer's:
    ▪ Name;
    ▪ Address;
    ▪ Registration/company number;
    ▪ Board members/directors;
    ▪ Shareholding structure; and
    ▪ Beneficial owner(s).
  • Identifying and verifying the identity of any person who intends to act on behalf of a customer.

9.1.6 Record Keeping Retention Periods

| What documentation? | In what context? | For how long? |
|---|---|---|
| Records, documents, or information relating to an occasional transaction | Occasional transactions | Five years from the date when the transaction is complete |
| Records, documents, or information relating to: (a) any transaction occurring as part of a business relationship; or (b) CDD measures taken in connection with that relationship | Business relationships | Five years from the date when the business relationship has come to an end |
| A copy of documents and information obtained to satisfy the legislative and regulatory requirements | Where there is reliance on another relevant person | Five years from the date on which reliance was placed |

  13. As detailed within the Customer Due Diligence section of these Guidance Notes, in exceptional circumstances where a regulated entity has not been able to identify the beneficial owner of a customer, or where a regulated entity is not satisfied that the individual is in fact the beneficial owner, the regulated entity may treat the customer's senior managing official as its beneficial owner. In such cases, however, there must be written records of[2]:
  • All actions taken to identify the beneficial owner (these must show that all possible means of identifying them have been exhausted); and
  • All reasonable measures taken to verify the identity of the senior managing official and any difficulties encountered in doing so.

[2] Section 1A(C)(iii), Proceeds of Crime Act 2015

9.2 Record keeping when relying on third parties to conduct CDD

  14. Where a regulated entity is relying on a third party to conduct CDD, it should enter into a written agreement which allows it to obtain copies of any relevant documents and requires the third party to retain those documents for five years. The provisions under POCA make it clear that where a third party is being relied on, it must immediately make available any information about the regulated entity's customer (and any beneficial owner) which it obtained when applying CDD measures, if requested by the regulated entity[3].

9.3 End of Retention Period

  15. Once the retention period outlined in section 9.1.6 is up, regulated entities must delete any personal data held, unless:
  a) retention is required by another enactment[4];
  b) the Minister by Order provides for the retention of records specified in that Order[5]; or
  c) the regulated entity has reasonable grounds for believing that records containing personal data need to be retained for the purpose of legal proceedings[6].

9.4 Other Records

  16. In addition to record keeping for CDD and transactions, POCA also sets out obligations for a regulated entity to document risk assessments[7] as well as policies and procedures. This documentation must be maintained and kept up to date on an ongoing basis.

9.4.1 Other records

  17. In demonstrating compliance with POCA, a regulated entity is expected to maintain records of:

  • AML/CFT/CPF related training delivered to relevant staff members[8];
  • Logs of internal and external suspicious activity reports; and
  • Compliance monitoring records, e.g. annual compliance and independent audit reports.
  18. It is also best practice to keep detailed records of any SARs made under POCA. This would include records of:
  • Any red flags or concerns identified when monitoring the business relationship;
  • Discussions with the MLRO regarding the activity;
  • Copies of any disclosures made to the GFIU;
  • Conversations with the GFIU, RGP and any other relevant authority; and
  • A log setting out all internal and external SARs raised. In cases where a disclosure is not made, this should include the full rationale for the decision taken, setting out why the concern did not amount to a suspicion.

[3] Section 25(4), Proceeds of Crime Act 2015
[4] Section 25(10)(a), Proceeds of Crime Act 2015
[5] Section 25(10)(b), Proceeds of Crime Act 2015
[6] Section 25ZA(1), Proceeds of Crime Act 2015
[7] Section 25A(3), Proceeds of Crime Act 2015
[8] Section 27, Proceeds of Crime Act 2015

9.4.2 Compliance Monitoring Records

  19. To evidence compliance with the AML, CFT and CPF regimes, a regulated entity must maintain records of any periodic reviews and reports prepared by the MLRO or another member of compliance staff. This should also include a record of any discussions or considerations of those reports and of actions taken as a result.

9.5 Format and Location of Records

  20. It is important to note that POCA does not specify the format of the documentation (originals or copies, paper or electronic) or where it must be kept. The format and system used to store the documents are entirely at the discretion of the regulated entity.

9.6 Data Protection Regime

  21. A regulated entity must be aware of the potential differences between the record keeping requirements under POCA and the records that are required under the data protection regime. A regulated entity must therefore have due regard to both sets of obligations.

9.7 Record Keeping Examples

  22. The table below is a non-exhaustive list which aims to assist a regulated entity in maintaining records by setting out some examples of documents that it must keep in order to comply with its duties under section 25 of POCA. This list can be adapted by a regulated entity in order to assist in complying with its record keeping requirements.

| Type of record | For how long? |
|---|---|
| Documents and information relating to an occasional transaction | Five years from the date when the transaction is complete |
| Documents and information of a business relationship relating to occurring transactions or CDD measures applied as part of that business relationship | Five years from the date when the business relationship has come to an end |
| In exceptional circumstances, records where a regulated entity is unable to identify the BO of a corporate entity and intends to treat the senior managing official as its BO. The following documentation must be kept: (a) all the actions taken to identify the BO (exhausting all options); (b) all actions taken to verify the identity of that senior person; and (c) any difficulties faced | Five years from the date when the transaction is complete or the business relationship has come to an end |
| Where a regulated entity has been relied on by another firm, copies of the evidence of the customer's identity | Five years from the date on which the regulated entity is relied on |
| The regulated entity's business-wide risk assessment documentation | As considered reasonable and appropriate |
| Details of policies and procedures and records of decisions taken regarding the application of those policies and procedures | As considered reasonable and appropriate |
| Arrangements with third parties that the regulated entity is relying on | Five years from the date on which reliance was placed |
| Records of SARs, which include: (a) internal SARs raised by staff; (b) any red flags or concerns identified when monitoring the business relationship; (c) discussions with the MLRO regarding the activity; (d) copies of any disclosures made to the GFIU; (e) conversations with the GFIU, RGP and any other relevant authority; and (f) a log setting out all internal and external SARs raised or the rationale for the decision not to make a disclosure | At least five years from the date the SAR is made |
| Records of AML, CFT and CPF training, e.g. dates training was delivered, members of staff who received training, results of any tests undertaken | As considered reasonable and appropriate |
| Compliance monitoring and independent audit reports produced by the MLRO or another member of compliance staff | As considered reasonable and appropriate |

Published by: Gibraltar Financial Services Commission
PO Box 940, Suite 3, Ground Floor, Atlantic Suites, Europort Avenue, Gibraltar
www.gfsc.gi
© 2017 Gibraltar Financial Services Commission