Regulation on Record Retention

`

2018/R52 : ު ްބަރ ނަނ ު އިދ ާ ގަވ

 ގާަވއިދުތަކާ ިއ އުސޫލުތަ ްއ ގެޒެ ުޓގަ ިއ ޝާ ިއޢުކު ާރނީ ކޮން ެމ ހަފާްތއެ ްއގެ ހޯމަ ދު ަވ ާހ ިއ ބުރާސްފަތި ުދވަ ުހއެ ެވ.  ހޯމަ ދު ަވހު ެގ ގެޒެ ުޓގަ ިއ ޝާ ިއޢުކު ުރމަ ްށ ފޮ ުނ ްއވާ ގާަވއިދު ަތކާއި އުސޫލު ަތ ްއ ފޮ ުނއްވު ުމގެ އެން ެމ ަފހު ަވގުތަކ،ީ ކު ީރ ަހފްތާގެ ބުރާ ްސފަތި ުދ ަވހުގެ ެމން ުދ ުރ 12:00 ގެ ކުރިން ެނވ.ެ އަދި ުބރާސްފަތި ުދވަ ުހ ެގ ގެ ެޒ ުޓގަ ިއ ޝާ ިއޢުކު ުރމަށް ފޮ ުނ ްއ ާވ ގާަވއިދުތަކާއި އުސޫލު ަތއް ފޮ ުނއްވު ުމގެ ެއން ެމފަހު ަވގުތަކ،ީ ހިނގަ ުމންދާ ހަފުތާ ެގ އަ ްނގާރަ ުދވަ ުހގެ މެން ުދރު 12:00 ގެ ކުރިން ެނވ.ެ  ގާަވއިދުތަކާއި އުސޫ ުލތައް ގެޒެޓު ަގއި ޝާއިޢުކޮށްދިނުމަށް ެއދި ފޮނު ްއ ާވ ީނ .ވެ ެށައ legalaffairs@po.gov.mv ރައީސުލް ުޖމޫްހރި ްއޔާ ެގ އޮ ީފ ްސ ބޮޑުތަކުރުފާ ުނމަ ުގ މާލ،ެ ިދވެ ިހރާ ްއ ެޖ ޯނ:ު 6334 333 ފ ފެކްސ:ް 0274 331 ވެބްސައިޓ:ް mv.gov.gazette.www ވޮލިއުމް 47 އަދަދު : 83 ތާރީޚ:ު 29 ޝަޢުބާން 1439 – 15 މޭ 2018 : އަންގާރަ REGULATION ON RECORD RETENTION

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 3 REGULATION ON RECORD RETENTION Arrangement of Paragraphs PART I PRELIMINARY

1. INTRODUCTION .............................................................................................................................. 4
2. TITLE................................................................................................................................................4
3. APPLICATION ..................................................................................................................................4
4. COMMENCEMENT .......................................................................................................................... 4
5. PURPOSE.........................................................................................................................................4
6. DEFINITIONS ...................................................................................................................................5 PART II RECORD RETENTION REQUIREMENTS
7. RECORD RETENTION POLICY .......................................................................................................... 5
8. RECORD RETENTION PERIOD ......................................................................................................... 6
9. FORM OF RECORD KEEPING........................................................................................................... 6 PART III CORRECTIVE MEASURES
10. REMEDIAL MEASURES AND SANCTIONS ................................................................................... 7 Schedule – 1............................................................................................................................................9

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 4 ` Maldives Monetary Authority Male’, Republic of Maldives REGULATION ON RECORD RETENTION PART I: PRELIMINARY

1. INTRODUCTION This Regulation is issued pursuant to Section 36 and Section 66 of Law No. 24/2010 (Maldives Banking Act).

2. TITLE This Regulation shall be cited as “Regulation on Record Retention.”

3. APPLICATION This Regulation shall apply to all banks licensed under the Act. This Regulation applies to records currently retained by the banks as well as all future records created by the banks after the commencement of this Regulation.

4. COMMENCEMENT This Regulation shall come into effect from the date of its publication in the Government Gazette.

5. PURPOSE The purpose of this Regulation is to stipulate the minimum record retention periods for different types of records held by the banks, and to prescribe minimum requirements that the banks must comply with in retaining such records.

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 5 6. DEFINITIONS The terms and expressions used in this Regulation shall, except where expressly defined below in this Regulation or where the context otherwise requires, have the same respective meaning as in the Act “Act” means Law no. 24/2010 (Maldives Banking Act). “bank” means a party holding a license or permit under the Act, to engage in the banking business; all or part of the banking activities listed in Section 25 of the Act. “system” means an electronic record retention system as may be established by the banks in compliance with the requirements stipulated in this Regulation. “MMA” means the Maldives Monetary Authority established under Law no. 6/81 (Maldives Monetary Authority Act) “Board” means the board of directors of the bank. “records” includes all information and data related to the operations of the bank, including customer information and financial transaction documents. “electronic records” means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form. PART II: RECORD RETENTION REQUIREMENTS 7. RECORD RETENTION POLICY a. The Board of each bank shall adopt a written record retention policy which must be in compliance with this Regulation and all other applicable laws of the Maldives. b. The record retention policy should be sufficient to support the administrative, operational, business, internal audit functions and litigation of the bank, as well as allow the bank to comply with all applicable laws and regulations. c. The board shall, in formulating the policy, reasonably consider the facts and circumstances surrounding the relevant records, the nature of the business activity or transaction related to the relevant records, the risk of a legal proceeding or claim that may be submitted against the bank in relation to the relevant records, and increase the retention period for the bank as they may seem fit. d. The bank’s record retention policy shall not be instituted in bad faith to dispose of potentially harmful records that otherwise would be subject to discovery in a litigation or investigation. e. Record retention policy must include the manner of retention for records and the method of disposal of such records. It must also include an accurate, current, and comprehensive record retention schedule that lists records by major categories, subcategories, record type, and retention period. The Retention period provided in such schedules shall be appropriate for the

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 6 specific record and shall be consistent with applicable legal, regulatory, operational and business requirements. f. Record retention policy of the bank shall include internal controls and risk management procedures to protect the records from unauthorized access, alteration, theft, fire, vandalism, loss or damage. The bank shall also ensure that all records that require confidentiality are treated in accordance with the bank’s confidentiality, privacy and security policies. The record retention policy must also provide for appropriate back-up and recovery of electronic records to ensure the same authenticity as the primary records where electronic records are opted for by the bank. 8. RECORD RETENTION PERIOD a. Banks shall retain all records for at least the minimum time period specified in Schedule 1 of this Regulation. b. Where the bank does not maintain a record stipulated in this Regulation, but maintains a similar record which contains equivalent information, the record shall be retained for the period of time specified herein for such equivalent record. c. The bank shall ensure that all records are retained for the period prescribed under any other laws of the Maldives. Where a record retention period stipulated in this Regulation is shorter than a period prescribed under any other laws of the Maldives, the bank shall ensure that they comply with the longer retention period. d. The bank shall ensure the retention of all records that are relevant to any on-going litigation, or records which the bank reasonably determines may be required by an investigating authority for an on-going criminal investigation that the bank is aware of, or any records that the bank reasonably determines may be required for a reasonably foreseeable litigation action. Such records shall be retained despite the minimum record retention period stipulated in this Regulation, for such time as the bank reasonably determines that the records are no longer required for the purposes above. 9. FORM OF RECORD KEEPING a. A bank may retain their records in physical form or electronic form. Where the bank opts for electronic records to be used in compliance with the Act and this Regulation, such reduced copies shall have the probative effect of the original and shall be accepted in the Court as evidence. b. The bank shall ensure that they retain paper records for a minimum period of 3 years from the date of creation or receipt of that record, for all records which has a retention period of 3 years or more under Schedule 1. However, where the minimum retention period for a record

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 7 is shorter than 3 years under Schedule 1, the bank is only required to maintain such paper records for the duration specified in Schedule 1 c. All records shall be kept in a manner where it will be categorized, easy to find, and easily accessible for authorized personnel. d. Where the bank opts to keep the records in electronic form, any such system shall be maintained on immutable, write-protected status, which also provides for adequate back-up and recovery procedures that are in line with acceptable industry standards for such a system. e. Where a bank uses an electronic system to create, modify, or maintain electronic records, the bank shall have clear written procedures and controls to ensure the authenticity, integrity, and where appropriate, the confidentiality of electronic records, and ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls of the system shall at minimum include:

1. validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
2. the ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by any authorized official or the MMA in on-site inspections;
3. protection of records to enable their accurate and ready retrieval throughout the record’s retention period;
4. limitation of system access to authorized individuals;
5. appropriate authentication for users to log in to the system, and the maintenance of user access logs;
6. use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information;
7. use of operational system checks to enforce permitted sequencing of steps and events during the archival process;
8. use of adequate system controls to determine the validity of the data source on the system;
9. the establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their user log-in;
10. use of sufficient back-up and recovery procedures to ensure that all electronic records are sufficiently backed-up so that recovered records will meet the same accuracy and integrity standards as the primary electronic version; and
11. back-up records that are stored in a secure off-site location with proper access controls, with periodic testing of the ability to recover the records. PART III: CORRECTIVE MEASURES

10. REMEDIAL MEASURES AND SANCTIONS If a bank, or any director or administrator of a bank, violates any provision of this Regulation, the MMA may take any one or more of corrective measures or impose any administrative

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 8 penalties as provided in the Banking Act. Such measures and penalties may include, but are not limited to, any or all following: a. send a written warning to the bank; b. enter into an informal agreement with the bank regarding measures to be taken to correct violations; c. give orders to the bank to cease and desist from particular actions, or require the bank to take affirmative action to correct the violations; d. require that the bank temporarily or permanently remove from office the managing director, any other executive officer or the designated branch manager, depending on the seriousness of the violation; e. require that the bank remove the chairman or any of the members of the bank’s board of directors; and/or f. impose an administrative penalty; administrative penalties may be imposed on a daily basis until the violation has eased or compliance is obtained. Such administrative penalties shall be of an amount between 10,000/- (ten thousand) Rufiyaa and 100,000/- (one hundred thousand) Rufiyaa on a daily basis. However, the total aggregate administrative penalty imposed on a bank shall not exceed 5 % (five percent) of the bank’s paid-up or assigned capital;

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 9 Schedule – 1 Record items Minimum Retention Period

1. Annual Audit Reports and Financial Statements Permanent
2. Memorandum of Association and Articles of Bank Permanent
3. Minutes and Resolutions of meetings of the Board of Directors and Board Committees Permanent
4. Minutes of general meetings of shareholders Permanent
5. Basic staff records (sufficient to provide a reference) Permanent
6. Transaction vouchers including customer requests/applications for the transactions 7 years
7. Correspondent banks’ arrangement files 5 years after relationship ends
8. Minutes of meetings of the Bank /Branch Committees formal committees 5 years
9. Quarterly Financial Reports 5 years
10. Suspicious transaction reports and information and documents related to such reports 5 years after the report was filed, unless otherwise instructed by the Financial Intelligence Unit

Customer files; including documents regarding customer identity, beneficial owners, agents, and business transactions with the customer and other business correspondence 5 years after business relationship ends; with respect to dormant deposit accounts, the business relationship will be considered as having ended only when the funds are withdrawn by the beneficiaries. 12. Customers’ credit files; including credit application, agreements, security documentation, insurance documentation, periodic credit reviews, valuations, correspondence and other related documents 5 years after settlement of the credit facility 13. Trade and Guarantee documents (such as Letters of Credit, Letters of Guarantee, Collection Documents) 5 years after settlement of the facility or guarantee 14. Applications for various services and products 5 years after the business relationship ends 15. Internal audit reports, including work papers and other documents related to audit 5 years after closing of the audit file; however reports with pending issues beyond this period should be retained until they are resolved.

ވޮލިއުމ:ް 47 އަދަދ:ު 83 ދިވެހިސަރުކާރުގެ ގެޒެޓް 10 16. Annual business plans and budgets 5 years 17. Procurement documents 5 years after the expiry of contract/purchase agreement 18. Bid documents 5 years from date of submission 19. General contracts 5 years after termination 20. Various registers relating to operations 5 years 21. Personnel files 5 years after leaving 22. Rejected Credit Applications 3 years 23. Uncollected returned cheques 6 months from the date of presentation of the cheque 24. Employment applications 6 months for unsuccessful applications 25. Uncollected cheque books 3 months from date of production/receipt 26. System journals, end-of-day reports including posting items reports Until both internal audit of the branch/ department and external audit for the year is complete 27. All other documents not listed above 3 years