record retention · BSA · FinCEN

AML Record Retention: What to Keep and For How Long

Legaltalent · March 6, 2026 · 7 min read

Regulators can forgive growing pains; they rarely forgive missing records. BSA recordkeeping rules require US financial institutions to maintain evidence that demonstrates compliance long after transactions occur.

This guide explains what to retain, for how long, how to organize files for examinations, and how retention intersects with SAR confidentiality and litigation holds.

Why record retention is an AML pillar

AML compliance is proven with paper and pixels: policies, risk assessments, CDD files, screening results, monitoring alerts, SAR workpapers, and training logs. When FinCEN, banking agencies, or state examiners visit—directly or through your sponsor bank—they request samples. Inability to produce records implies controls do not exist.

Retention is also operational: analysts investigating repeat behavior need historical context from ongoing customer monitoring.

Core BSA retention periods

While specific rules vary by institution type, widely cited standards include:

Five-year retention

Many BSA rules require retaining records for five years from the date of transaction, account closure, or filing—whichever is specified in the applicable section. Examples often cited in examiner manuals:

  • CDD and identification records for customers
  • Transaction records sufficient to reconstruct activity
  • SAR supporting documentation (not copies of SARs shared improperly)
  • OFAC match dispositions and escalation notes
  • CTR copies and related forms

Confirm your institution classification and cite the exact CFR section in your policy.

Longer retention in practice

Many firms adopt seven years for litigation comfort and state law alignment. Longer is acceptable; shorter is not when BSA mandates five.

CDD and onboarding files

For each customer, retain:

  • Application data and contracts
  • Government ID images or verification vendor reports
  • Beneficial ownership certifications and verification evidence
  • Risk tier assignments and EDD checklists for PEPs
  • Screening hits and analyst dispositions (sanctions, PEP, adverse media)

These files support Customer Due Diligence (CDD) examinations.

Transaction and monitoring records

Store:

  • Raw transaction feeds or reconciled ledgers
  • Monitoring rule versions and alert histories
  • Analyst notes through closure
  • Linkage to SARs when filed

Monitoring data volume can be enormous—use tiered storage with indexed metadata for quick retrieval.

SAR and investigation workpapers

Retain:

  • Investigation timelines
  • Documents reviewed (statements, KYC refresh, news articles)
  • Decision memos approving or declining SAR filing
  • Legal review correspondence where applicable

SAR forms themselves are highly confidential—control access per FinCEN SAR Filing guidance.

AML program governance records

Keep:

  • Board-approved policies and annual updates
  • Enterprise risk assessments
  • Independent testing reports and remediation tracking
  • Training attendance and materials
  • BSA Officer appointment letters

Foundational context appears in What Is AML Compliance?.

OFAC and sanctions records

Document screening queries, list versions, false positive analysis, and blocked property reports. OFAC expects institutions to maintain records supporting compliance with its regulations—often aligned to five-year norms.

Format and integrity

Records may be electronic if accurate, accessible, and reproducible. Requirements:

  • Immutable or WORM storage for critical logs
  • Access controls and audit trails
  • Backup and disaster recovery tested annually
  • Ability to export examiner samples quickly

Organization tips

  • Use consistent customer IDs across systems
  • Map retention classes in a records schedule
  • Automate deletion holds when litigation or exams start
  • Tag records by product line for sponsor bank requests

Privacy and data minimization

Retain what BSA requires—avoid hoarding unrelated PII that increases breach risk. Redact where copies are used for training.

State and contractual overlays

State MTL regulators may impose additional record rules. Sponsor banks contractually demand seven-year retention and immediate exam support. Meet the strictest applicable requirement.

Merchant and partner records (PSPs)

Payment processors should retain KYB packets, underwriting decisions, and monitoring alerts for merchants; see Payment Processor Compliance.

Crypto-specific records

Retain blockchain analytics reports, travel rule messages, and wallet attribution notes; see MiCA and FATF.

Common exam findings

  • CDD images missing after vendor contract ended
  • Alert notes stored only in personal inboxes
  • No version control on monitoring rules
  • Premature deletion after account closure miscounting the five-year start date

Practical checklist

  1. Publish a records retention policy referencing BSA sections
  2. Assign a records coordinator; do not leave retention to engineering alone
  3. Integrate retention into vendor contracts (KYC providers)
  4. Test annual “exam drill” record pulls
  5. Align IT deletion jobs with legal holds

Who must retain? Covered BSA institutions—see Who Must Comply with BSA/AML?.

Examiner pull requests and sample design

When examiners request random samples, inability to produce within 48 hours signals weak indexing. Pre-build queries for high-risk cohorts and PEP inventory pulls.

E-discovery, litigation holds, and cloud vendors

Litigation holds override routine deletion schedules. Compliance must notify IT when matters involve customer subsets under investigation.

Cloud KYC vendors retaining images on your behalf should contractually guarantee examiner export within defined SLAs.

Version retention for machine learning monitoring models helps explain historical alert decisions during lookback reviews.

Geographic data residency is not a BSA exemption—US records must remain available to US examiners regardless of server region.

Periodic destruction certificates prove defensible deletion after retention expires, reducing breach blast radius.
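The checklist items on aligning deletion jobs with legal holds, the exam finding about miscounting the five-year start date, and the paragraphs above on litigation holds and destruction certificates all describe one procedure. The following is an added example (not the article's or Legaltalent's code) of a retention job that starts the clock from the right trigger event, refuses to delete while a legal hold is active, and writes a destruction certificate; the record classes, the trigger mapping, the hold format and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
import hashlib, json
RETENTION_YEARS = 5  # BSA baseline from the article; contract overlays may require longer
# Assumed mapping of record class -> event that starts the clock (closure for CDD, not opening)
CLOCK_TRIGGER = {"cdd": "account_closed", "transaction": "transaction_date"}

@dataclass
class Record:
    record_id: str
    record_class: str
    customer_id: str
    events: dict   # trigger-event name -> date, or None while the event has not happened
    sha256: str    # hash of the stored object, kept for chain of custody

def retention_expiry(rec, years=RETENTION_YEARS):
    """End of the retention period, or None if the clock has not started (open account, etc.)."""
    start = rec.events.get(CLOCK_TRIGGER[rec.record_class])
    if start is None:
        return None
    try:
        return start.replace(year=start.year + years)
    except ValueError:  # 29 February start date
        return start.replace(year=start.year + years, day=28)

def deletion_decision(rec, holds, today, years=RETENTION_YEARS):
    """Return (action, reason); an active legal hold always beats an expired retention clock."""
    expiry = retention_expiry(rec, years)
    if expiry is None:
        return "retain", "retention clock has not started"
    if today < expiry:
        return "retain", f"retention runs until {expiry.isoformat()}"
    active = [h["hold_id"] for h in holds
              if rec.customer_id in h["customer_ids"] and h["released"] is None]
    if active:
        return "hold", "active legal hold(s): " + ", ".join(active)
    return "delete", f"retention expired {expiry.isoformat()}"

def destruction_certificate(rec, reason, today):
    """Record of defensible deletion: what was destroyed, why, when, and its pre-deletion hash."""
    body = {"record_id": rec.record_id, "record_class": rec.record_class, "sha256": rec.sha256,
            "destroyed_on": today.isoformat(), "reason": reason}
    body["certificate_id"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:16]
    return body

# Constructed sample data, not real customers or holds
RECORDS = [
    Record("cdd-001", "cdd", "cust-A", {"account_opened": date(2019, 1, 10), "account_closed": date(2021, 3, 15)}, "ab" * 32),
    Record("cdd-002", "cdd", "cust-B", {"account_opened": date(2017, 6, 1), "account_closed": None}, "cd" * 32),
    Record("txn-777", "transaction", "cust-C", {"transaction_date": date(2020, 11, 2)}, "ef" * 32),
]
HOLDS = [{"hold_id": "LH-2026-03", "customer_ids": {"cust-C"}, "released": None}]
```

Note that cdd-002 would already have been deleted in 2022 if the job counted from account opening; keying the clock on closure is what keeps it retained.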

Mapping records to BSA citations

Your records schedule should cite controlling CFR sections in plain English so non-lawyers executing retention know why each class exists. Examiners reward schedules that mirror examination manuals rather than generic IT retention defaults.

Disaster recovery for compliance archives

Backups must be restorable within examiner-tolerable windows. Test restores quarterly for CDD image stores and SAR workpaper repositories. Ransomware incidents do not excuse missing records—immutable backups are part of BSA resilience. Include compliance systems in enterprise business continuity tests, not only core banking ledgers.

Indexing for cross-system search

Customer identifiers should map across CRM, core ledger, KYC vendor, and case management so examiners receive coherent packages without manual CSV stitching across five admin panels.

Vendor termination and record portability

When a KYC vendor's contract ends, export images and verification logs before access shuts off; vendor bankruptcy is not a valid BSA excuse for missing CDD evidence.

Legal should approve retention extensions beyond minimum statutory periods when litigation or exams are reasonably foreseeable, and operations teams need written authority to pause automated deletion jobs during regulatory inquiries without waiting for weekend counsel callbacks.

Tag records with examination identifiers so partial samples do not scatter across email threads without central indexing. Scanning paper originals remains necessary for some legacy files; digitize with hash verification for chain of custody.

Align the records retention policy with information security data classification so encrypted archives remain searchable for BSA purposes without exposing PII broadly internally. Board packets should summarize records exceptions granted during the quarter so governance sees retention risk explicitly, and internal audit should test random deletion events quarterly to confirm that jobs honored legal holds and that retention extensions were approved in writing.

Get started with Legaltalent

Building a defensible AML program takes the right policies, evidence, and tooling—not spreadsheets held together with hope. Legaltalent helps US fintechs and financial services firms automate KYC, sanctions screening, PEP checks, adverse media, and audit-ready recordkeeping in one platform.

Start your free trial and see how compliant onboarding and monitoring can scale with your business.

Practical next steps for your compliance program

Regulators expect documented policies, trained staff, and evidence that controls run in production—not slide decks. Map each obligation to an owner, a control, and a record type. Run tabletop exercises for SAR decisions, sanctions hits, and EDD escalations. When examiners or auditors arrive, they will ask for samples: show that your process is consistent, risk-based, and improving over time.

Technology should reduce manual error, not replace accountability. Automate identity verification, list screening, and case management, but keep human review for edge cases. Periodically validate vendor match quality and tune thresholds so you neither flood analysts with false positives nor miss material risk.

Frequently asked questions

How long must BSA records be kept?

Many CDD and transaction records must be retained for five years from account closure or transaction date, depending on the record type.

What CDD records should I retain?

Identification documents, verification results, beneficial ownership forms, risk ratings, screening dispositions, and EDD notes.

Can records be stored electronically?

Yes, if they are accurate, accessible, reproducible for examiners, and protected with appropriate controls.

Do SAR workpapers have special handling?

Yes. SARs and supporting materials are highly confidential with restricted access and separate retention procedures.

When does the five-year clock start?

It depends on record type—often from account closure for CDD or from transaction date for transactional records. Policies should cite specific regulatory sections.

What if my sponsor bank requires seven years?

Meet the stricter contractual requirement even when BSA mandates five.
