(a) Record-keeping

51. A bank should ensure that all information obtained in the context of CDD is recorded. This includes both (i) recording the documents the bank is provided with when verifying the identity of the customer or the beneficial owner, and (ii) transcription into the bank's own IT systems of the relevant CDD information contained in such documents or obtained by other means.

52. A bank should also develop and implement clear rules on the records that must be kept to document due diligence conducted on customers and individual transactions. These rules should take into account, if possible, any prescribed privacy measures. They should include a definition of the types of information and documentation that should be included in the records as well as the retention period for such records, which should be at least five years from the termination of the banking relationship or the occasional transaction. [See BCP 29, essential criterion 5(f) in Core principles for effective banking supervision, September 2012.] Even if accounts are closed, in the event of ongoing investigation/ litigation, all records should be retained until the closure of the case. Maintaining complete and updated records is essential for a bank to adequately monitor its relationship with its customer, to understand the customer's ongoing business and activities, and, if necessary, to provide an audit trail in the event of disputes, legal action, or inquiries or investigations that could lead to regulatory actions or criminal prosecution.