1. Directive (EU) 2015/849 (Fourth Anti-Money Laundering Directive), European Parliament and the Council, 20 May 2015.
Article 40, Paragraph 1: "Member States shall require obliged entities to retain the following documents and information in accordance with national law for the purpose of preventing, detecting and investigating possible money laundering or terrorist financing... (a) a copy of the documents and information which are necessary to comply with the customer due diligence requirements... for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction."
2. ACAMS CKYCA Study Guide, Association of Certified Anti-Money Laundering Specialists.
Chapter 2: Legal and Regulatory Frameworks: This chapter details the global standards and specific regional regulations, including the EU AML Directives. It emphasizes that financial institutions must establish record-retention policies that comply with the legal minimums set by their jurisdictions, which in the EU is five years after the relationship ends. The guide clarifies that this legal obligation for AML purposes is a valid reason for data retention under data privacy laws like GDPR.
3. "The interaction between the GDPR and the AML/CFT legal framework," European Banking Authority (EBA), Opinion of the European Banking Authority on the interplay between the AMLD and the GDPR, 2018.
Section 3.2, Paragraph 18: This opinion clarifies that the processing of personal data for AML/CFT purposes is considered "necessary for compliance with a legal obligation to which the controller is subject" under Article 6(1)(c) of the GDPR. This provides the legal basis for retaining customer data as required by the AMLD, even when it is historical.