40 FATF 40 Recommendations
11

Recommendation 11 · Group D · Preventive Measures

Former: R.10

Record keeping

Recommendation 11 requires financial institutions to maintain — for at least five years (commonly extended to 10) — all records on transactions, customer identification data, account files, business correspondence and the results of any analysis undertaken. Records must be sufficient to permit reconstruction of individual transactions and must be available swiftly to competent authorities upon request.

Who must comply?

  • Banks, credit institutions, securities firms, insurers
  • Money or value transfer services (MVTS) and money changers
  • Virtual Asset Service Providers (VASPs)
  • DNFBPs subject to AML obligations

Key requirements

  1. 1

    Five-year minimum retention (often 10)

    Records on all transactions must be kept for at least five years following completion of the transaction. CDD records and account files must be kept for at least five years after the end of the business relationship.

  2. 2

    Sufficient to reconstruct transactions

    Records must be sufficient to permit the reconstruction of individual transactions — including amounts, currencies, dates, parties, instructions and any related correspondence — to provide evidence for prosecution if necessary.

  3. 3

    Includes CDD and analysis records

    Beyond transaction logs, the duty extends to copies of identification documents, business correspondence, results of any analysis (e.g., risk assessments, ongoing-monitoring decisions, suspicious-transaction analyses).

  4. 4

    Swift availability to authorities

    Records must be made available swiftly to domestic competent authorities upon appropriate authority. Financial institutions must have systems to retrieve records efficiently — including from archived/legacy systems.

  5. 5

    Format-neutral retention

    Records may be kept in any reliable form — paper, electronic, microfilm — provided they remain legible, complete and accessible. Electronic retention with appropriate cybersecurity is increasingly the norm.

Practical example

Example: SAT inspection of a Mexican real-estate developer

Three years after a real-estate sale subject to LFPIORPI, the SAT requests the full client file. Under R.11 (and Mexican law), the developer must produce: copy of buyer's INE/CURP/RFC, beneficial-owner identification, source-of-funds declaration, payment receipts and bank statements showing the transfer, the SPPLD aviso XML filed with SAT, and any internal risk-assessment notes. All of this must be available within the period stated in the inspection notice — typically 10 business days — under penalty of fine.

How Mexico implements it

Country-specific section in Spanish — Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).

México extiende la conservación a 10 años en todos los regímenes PLD:

LFPIORPI Art. 18 Fr. IV — 10 años para AV

La reforma de julio 2025 elevó la conservación de expedientes de actividades vulnerables de 5 a 10 años contados desde la fecha de la operación. Aplica a copia de identificación, datos del beneficiario controlador, comprobantes de operación y avisos al SAT.

Art. 95 Bis LGOAAC — 10 años para SOFOMes ENR

Las SOFOMes ENR conservan expedientes y comprobantes 10 años desde la última operación o desde el cierre de cuenta. La CNBV verifica durante visitas de inspección que los archivos sean completos y recuperables.

Conservación electrónica

El SAT y la CNBV aceptan conservación electrónica con NOM-151-SCFI-2016 (constancia de conservación) y firmas electrónicas avanzadas. La integridad e inalterabilidad de los archivos digitales debe poder comprobarse.

Milestones

  1. 1990

    Original Recommendation 10 on record keeping

  2. 2012

    Renumbered as Recommendation 11

  3. 2025

    October 2025 update emphasises swift retrieval and digital integrity

Related Recommendations

Other Recommendations in Group D — Preventive Measures

9 R.9 Financial institution secrecy laws 10 R.10 Customer due diligence (CDD) 12 R.12 Politically exposed persons (PEPs) 13 R.13 Correspondent banking 14 R.14 Money or value transfer services (MVTS) 15 R.15 New technologies & virtual assets 16 R.16 Payment transparency (Travel Rule) 17 R.17 Reliance on third parties 18 R.18 Internal controls & foreign branches 19 R.19 Higher-risk countries 20 R.20 Suspicious transaction reports (STRs) 21 R.21 Tipping-off & confidentiality 22 R.22 DNFBPs: customer due diligence 23 R.23 DNFBPs: other measures

Official citation

FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 11, FATF, Paris, France. Last updated October 2025.

Read the official text on fatf-gafi.org