AML record keeping requirements are the regulatory obligations that compel banks, fintechs, and other financial institutions to retain documented evidence of every customer verification decision, transaction processed, suspicious activity identified, and compliance action taken, for a minimum period defined by the applicable regulatory framework.
For African financial institutions, AML record keeping is both a legal obligation and the primary evidence that protects an institution during regulatory examination. A bank that applies perfect controls but cannot document and retrieve that evidence on demand is treated by regulators as having no controls at all.
What Is AML Record Keeping and Why Does It Matter?
AML record keeping is the systematic retention of compliance-related documentation in a form that is retrievable, tamper-resistant, and available for regulatory examination.
FATF Recommendation 11 requires all financial institutions globally to maintain records of transactions and customer due diligence for at least five years. That global floor is the minimum. Several African jurisdictions require longer periods, and the CBN's March 2026 circular has added specific technical requirements around tamper-proofing and audit trail integrity that go beyond simple document retention.
The distinction between keeping AML records and keeping audit-ready records is material. Keeping AML records means storing documents somewhere. Keeping audit-ready records means storing them in a format that: is timestamped and immutable from the moment of creation; can be retrieved by customer, by transaction, by alert, or by date range within minutes of a regulatory request; demonstrates the complete chain of events from initial alert to final decision; and is accessible to the regulator without requiring the institution to reconstruct the narrative manually.
Global AML enforcement penalties reached $4.6 billion in 2024, according to Fenergo. TD Bank paid $3.09 billion in 2024 partly for failure to maintain adequate records and documentation of its AML programme. Binance paid $4.3 billion in 2023 for AML failures that included inadequate customer identification records.
In Nigeria, Stanbic IBTC Bank was fined 200 million naira by the CBN in 2021 specifically for AML compliance failures, including inadequate record keeping and failure to report suspicious transactions. These penalties share a consistent feature: the institution had controls, but could not document that the controls operated correctly.
AML Record Keeping Requirements by African Jurisdiction
African financial institutions face different minimum retention periods and specific documentation obligations depending on their regulatory jurisdiction. The following breakdown sets out the specific requirements in each of the five primary African markets.
1. Nigeria: MLPPA 2022, CBN CDD Regulations, and the March 2026 Circular
Nigeria's AML record keeping obligations flow from three regulatory sources. The Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA) requires all financial institutions to maintain records of customer identification information and transactions for a minimum of five years from the end of the business relationship or the date of an occasional transaction. Records must include both hard copies and electronic copies of key documents: customer identification, transaction receipts, and all correspondence with the customer and with regulators.
The CBN Customer Due Diligence Regulations (2023) expand the requirement to cover the full CDD workflow: customer risk assessments and the rationale for the assigned risk rating, evidence of beneficial ownership verification for corporate customers, documentation of the purpose and nature of the business relationship, records of enhanced due diligence applied to high-risk customers and PEPs, and decisions where CDD could not be completed and the relationship was terminated or refused.
CBN Circular BSD/DIR/PUB/LAB/019/002 (March 10, 2026) introduces the most specific technical requirements in Nigerian AML history. The circular explicitly mandates: tamper-proof audit trails covering every alert, analyst decision, and regulatory report submission; role-based access controls so that only authorised personnel can view or act on compliance records; secure authentication requirements for all compliance system access; and records that must be producible for regulatory examination on request. All Nigerian institutions must submit implementation roadmaps to the CBN by June 10, 2026. Deposit Money Banks must achieve full compliance by September 2027; other financial institutions, including fintechs and PSPs, by March 2028.
For STR and CTR records specifically, the NFIU requires that every submission to the goAML portal is logged with the submission timestamp, reference number, analyst who prepared and approved the report, all supporting case evidence, and the outcome of NFIU's receipt confirmation. This record must be retained for five years minimum.
2. South Africa: FICA Five-Year Retention
South Africa's Financial Intelligence Centre Act 38 of 2001 (FICA), as amended, requires all accountable institutions to retain records of customer identification and verification for five years from the end of the business relationship. Transaction records must be retained for five years from the date of the transaction. All STRs filed with the FIC via the goAML portal, plus the internal case documentation supporting each filing, must also be retained for five years. Records must be stored in a manner that allows their retrieval without delay when requested by the FIC or FSCA during examination.
3. Kenya: POCAMLA Seven-Year Retention
Kenya imposes the strictest retention period among the primary African markets. Under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) 2009 and its subsequent amendments through 2025, all reporting institutions must maintain KYC files and transaction records for a minimum of seven years. This seven-year period applies to: customer identification documents, transaction records, STRs filed with the Financial Reporting Centre (FRC), internal case management records, and risk assessment documentation.
With over 227 CBK-licensed digital credit providers as of April 2026, Kenya's FRC is actively conducting examinations of record keeping adequacy, and shortfalls in the seven-year window are consistently flagged as findings.
4. Ghana: Bank of Ghana Five-Year Retention
Ghana's Bank of Ghana AML guidelines require all financial institutions to retain customer identity records and transaction documentation for five years from the end of the business relationship.
The BoG has progressively increased its supervisory focus on digital lenders and fintechs, and examination findings for inadequate record keeping have increased since 2024.
Records must be stored in a format that can be produced to the Financial Intelligence Centre and the BoG on request within a reasonable timeframe.
5. Ivory Coast and the WAEMU Zone: BCEAO Ten-Year Retention
BCEAO Instruction 01/2020 imposes the longest retention period of any major African AML jurisdiction: ten years for all customer identification, transaction, and suspicious activity records. Financial institutions in the WAEMU zone, including Ivory Coast, must retain CENTIF filings, internal case documentation, and risk assessment records for the full ten-year period.
This requires particular attention to long-term storage architecture, as systems configured for a five-year retention cycle will fall out of compliance in WAEMU markets without specific configuration for the longer period.
AML Record Retention Requirements: Africa Comparison Table
| Record Category | Nigeria | South Africa | Kenya | Ghana | Ivory Coast (WAEMU) |
|---|---|---|---|---|---|
| Customer ID and CDD documents | 5 years (MLPPA 2022) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| Transaction records | 5 years (MLPPA 2022) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| STR/SAR filings and case files | 5 years (NFIU) | 5 years (FIC) | 7 years (FRC) | 5 years (FIC Ghana) | 10 years (CENTIF) |
| Risk assessments | 5 years (CBN CDD Regs) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| PEP/EDD documentation | 5 years (CBN CDD Regs) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| Training and governance records | 5 years (CBN Circular 2026) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| Audit trail of compliance decisions | 5 years, tamper-proof (CBN March 2026) | 5 years (FICA) | 7 years (POCAMLA) | 5 years (BoG) | 10 years (BCEAO) |
| Regulatory reporting confirmation | 5 years (NFIU) | 5 years (FIC) | 7 years (FRC) | 5 years (FIC Ghana) | 10 years (CENTIF) |
Institutions operating across multiple African markets must configure their record retention systems for the longest applicable period in their footprint. An institution operating in Nigeria and Ivory Coast simultaneously must retain all shared-infrastructure records for ten years to satisfy BCEAO requirements, even if the Nigerian minimum is five years.
What AML Records Must African Banks and Fintechs Keep?
Knowing the retention period is necessary but insufficient. Institutions must also know the specific categories of records required and what each category must contain to withstand regulatory examination. The following five categories cover the complete record keeping obligation for African financial institutions.
Category 1: Customer Identification and CDD Records
Every customer onboarded must have a file that contains: verified copies of all identity documents presented at onboarding (National ID, passport, BVN slip, NIN slip, driver's licence as applicable per jurisdiction); the result of each government database verification run (NIBSS for BVN, NIMC for NIN in Nigeria; DHA in South Africa; NIA in Ghana; IPRS in Kenya); the customer's risk rating and the documented rationale for that rating; evidence of beneficial ownership verification for corporate customers, including company registration documents and shareholder registers; documentation of the purpose and nature of the business relationship; and records of any enhanced due diligence applied for high-risk customers or PEPs.
The customer file must be updated when material changes occur: a change in identity or beneficial ownership, a change in the products or services used, or a periodic review triggered by the customer's risk rating. The update itself must be timestamped and the pre-update version must be retained alongside the updated version.
Category 2: Transaction Records
Every transaction processed through the institution must be logged with: the date and time of the transaction; the amount and currency; the accounts involved on both sides; the payment channel used; the geographic origin and destination; any counterparty information available; and the transaction monitoring decision, whether the transaction generated an alert, and if so what the alert disposition was. Transaction records must be retained even where no suspicious activity was identified. Regulators examining a bank for AML compliance will request transaction logs for specific customers or time periods to verify that monitoring was operating and that decisions were made correctly.
Category 3: Suspicious Activity Reports and Case Files
For every STR or CTR filed with the NFIU (Nigeria), FIC (South Africa), FRC (Kenya), or CENTIF (Ivory Coast), the institution must retain: the complete internal case file including the original transaction monitoring alert, all analyst investigation notes and supporting evidence, the MLRO review and approval record with timestamp, the final regulatory filing in the format submitted, the portal submission confirmation or reference number, and any subsequent correspondence with the regulator regarding the filing.
The internal case file must also be retained for alerts that were reviewed and closed without an STR filing. The decision to close an alert without filing must be documented with the analyst's rationale and the MLRO's concurrence. Regulators examining an institution's STR programme will specifically request closed alerts to verify that the institution is not systematically under-reporting.
Category 4: Risk Assessment Documentation
All risk assessments must be documented and retained: the firm-wide AML risk assessment including the risk ratings assigned to customer types, products, geographies, and delivery channels; individual customer risk assessments with rationale; the record of when and why risk ratings were updated; board or senior management approval records for the firm-wide risk assessment; and the results of any internal audit or compliance testing of the risk assessment programme.
Category 5: Training and Governance Records
CBN Circular BSD/DIR/PUB/LAB/019/002 (March 2026) specifically requires documentation of staff training as part of the compliance programme. Training records that must be retained include: attendance records for all AML and CFT training sessions; assessment or test results confirming comprehension; annual staff awareness declarations confirming knowledge of AML procedures and the identity of the MLRO; and board-level reports on the operation and effectiveness of the AML programme, including STR volumes, false positive rates, and monitoring effectiveness.
What Makes a Compliance Audit Trail Examination-Ready?
Regulators distinguish between institutions that have compliance records and institutions with examination-ready compliance programmes. The difference comes down to five qualities that examiners test for during on-site supervision.
1. Tamper-proof and timestamped from creation:
Every record must carry an immutable creation timestamp that cannot be altered after the fact. If a compliance analyst makes a note on a case, that note is timestamped at the moment of creation. Any subsequent amendment creates a new timestamped record, not an overwrite of the original. CBN Circular BSD/DIR/PUB/LAB/019/002 explicitly mandates this. Regulators who find that records have been altered or that timestamps are inconsistent will treat this as a significant finding, regardless of the content of the records.
2. Retrievable within minutes, not days:
A regulatory examiner asking for all STR case files for a specific customer over a three-year period expects to receive them promptly. Institutions that must manually search through multiple systems, export spreadsheets, or reconstruct decisions from emails are demonstrating inadequate record keeping even if all the underlying documents technically exist somewhere. The CBN and NFIU both conduct on-site examinations that include timed document production requests. Slow retrieval is itself a compliance finding.
3. Role-based access with access logging:
Only authorised personnel should be able to view, create, or amend compliance records. Every access attempt, whether successful or failed, should be logged with the user identity and timestamp. If a compliance record is ever disputed, the institution must be able to demonstrate who accessed it, when, and what action they took. CBN Circular BSD/DIR/PUB/LAB/019/002 specifically requires role-based access controls as a minimum standard.
4. Encrypted and jurisdiction-compliant:
AML records contain personal data that is subject to both AML retention obligations and data protection law. In Nigeria, the Nigeria Data Protection Act 2023 requires that personal data is stored securely with appropriate encryption. The CBN requires that biometric and identity data of Nigerian customers be stored within Nigeria, a data localisation requirement that cloud-based record keeping solutions must satisfy. Institutions that store compliance records in a jurisdiction other than Nigeria without complying with data localisation rules are simultaneously in breach of AML and data protection obligations.
5. Complete chain of evidence for every decision:
The most common examination finding in AML programmes is not that records are absent, but that the chain of evidence is broken. An alert exists in the transaction monitoring system. The analyst's notes exist in a separate case management tool. The STR filing exists in the regulatory portal. But no single record ties them together in a way that a regulator can follow from trigger to resolution without the institution reconstructing the narrative. An examination-ready audit trail is a single, unbroken chain from the original data that triggered the alert to the final disposition of the case.
Common Record Keeping Failures That Create Regulatory Exposure
The following failures appear consistently in CBN, FIC, and NFIU examination findings and in global AML enforcement cases. Each one is avoidable with the right system design.
1. Records Rolling Off Before the Minimum Retention Period
System defaults that delete logs after 90 or 180 days, storage migrations that corrupt historical records, and cloud providers whose standard retention policies are shorter than the regulatory minimum are the most common cause of this failure.
An institution that cannot produce a KYC record from four years ago for a customer who is still active has a material compliance gap, even if today's onboarding process is fully compliant. Stanbic IBTC Bank's 200 million naira CBN fine in 2021 included findings related to inadequate record keeping that failed to support the institution's claimed AML controls.
2. Siloed Systems That Cannot Produce a Coherent Timeline
Transaction monitoring alerts in one system. Customer KYC files in a second system. Case management notes in a third. STR filings in the goAML portal. When a regulator requests the complete case history for a customer who was the subject of an STR filed three years ago, the institution must pull from four separate systems and manually construct the timeline. This is both operationally costly and evidentially weak. The gap between the systems is often where the evidence breaks, showing that an alert was raised but the case management record was not created, or that an STR was filed but the supporting case file cannot be located.
3. Audit Trails That Can Be Altered
Records stored in editable formats, case management notes stored in shared folders rather than write-once systems, and approval workflows that overwrite rather than append create the same evidential problem: the record cannot be trusted because it may have been altered. Regulators who find that compliance records are mutable will extend their examination scope and increase their scrutiny of every other control in the programme. CBN Circular BSD/DIR/PUB/LAB/019/002 responds directly to this failure by mandating tamper-proof records as a baseline requirement.
4. No Documentation of Closed Alerts
Regulators examining an STR programme will request not only filed STRs but also alerts that were reviewed and closed without filing. An institution that has no documentation of its alert disposition decisions cannot demonstrate that its compliance programme is operating correctly. If 98% of alerts are closed without filing and none of those closures are documented, the regulator cannot assess whether the 2% that are filed are representative of the risk the institution actually faces.
How to Automate AML Record Keeping: Five Implementation Steps
Manual record keeping does not satisfy the CBN's March 2026 requirements for tamper-proof, timestamped, role-controlled audit trails. Automation is not optional for institutions that need to meet both the letter of the regulation and the examination standard. The following five steps set out the implementation path.
Step 1: Audit your current record state:
Before deploying any technology, map every compliance record category against every system that currently stores it. Identify gaps: records that do not exist, records that exist but are not timestamped or immutable, records stored in editable formats, and records held in systems with retention periods shorter than the regulatory minimum. This gap analysis becomes the implementation brief and the basis for the CBN roadmap submission due June 10, 2026.
Step 2: Consolidate onto a single compliance data layer:
Every compliance decision, from KYC onboarding to STR filing, should write to a single, unified compliance record store. Integration between the transaction monitoring engine, case management system, KYC platform, and regulatory reporting portal should be bidirectional, with every action in any system creating an immutable record in the central store with timestamp, user identity, and action type.
Step 3: Configure tamper-proof storage:
Records must be written to an append-only, write-once storage architecture. No record can be deleted or overwritten. Amendments must create new records, preserving the full history. The storage system must generate integrity hashes at the point of record creation so that any subsequent tampering is detectable. For Nigerian institutions, the storage system must be configured for data localisation within Nigeria for customer biometric and identity data.
Step 4: Implement role-based access with access logging:
Define access tiers: compliance analysts can view and create case records but cannot modify or delete them. The MLRO can view, create, and approve STR filings. Audit and senior management can view records but cannot interact with them. IT administrators have technical access to the storage infrastructure but no visibility into compliance record content. Every access attempt logs the user, timestamp, and action.
Step 5: Test retrieval against examination scenarios:
Before claiming examination readiness, test the system against the requests a regulator actually makes: all records for Customer X from the past five years; all STRs filed in Q3 2024 with their supporting case files; all closed alerts from January 2025 with disposition rationale; all training records for staff employed in the compliance function in the past three years. If the system cannot produce these in under ten minutes, the retrieval architecture needs redesign.
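A sketch of Steps 3 and 4, added here as an illustration and not Youverify's or any regulator's code: an append-only log in which each entry carries a SHA-256 hash that commits to the previous entry, and in which every access attempt, allowed or denied, is itself logged. Role names, action names, user IDs and case IDs are hypothetical, and the sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Access tiers as described in Step 4 (role and action names are hypothetical).
PERMISSIONS = {
    "analyst": {"view", "create"},
    "mlro": {"view", "create", "approve"},
    "auditor": {"view"},
    "it_admin": set(),  # infrastructure access only, no record content
}
GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log: each entry commits to the previous entry's hash."""

    def __init__(self):
        self._entries = []

    def _append(self, user, role, action, case_id, detail, allowed):
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "case_id": case_id,
            "detail": detail,
            "allowed": allowed,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def act(self, user, role, action, case_id, detail=""):
        """Log every attempt, permitted or not; raise if the role lacks the right."""
        allowed = action in PERMISSIONS.get(role, set())
        entry = self._append(user, role, action, case_id, detail, allowed)
        if not allowed:
            raise PermissionError(f"{role} may not {action}")
        return entry

    def history(self, user, role, case_id):
        """Return a case's timeline; the read itself is logged as a 'view'."""
        self.act(user, role, "view", case_id)
        return [e for e in self._entries
                if e["case_id"] == case_id and e["action"] != "view" and e["allowed"]]

    def verify(self):
        """Return the seq of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def demo():
    """Constructed sample: one alert, an amendment, an approval, a denied attempt."""
    trail = AuditTrail()
    trail.act("a.okoro", "analyst", "create", "CASE-001", "alert opened: structuring pattern")
    trail.act("a.okoro", "analyst", "create", "CASE-001", "amendment: added counterparty note")
    trail.act("m.bello", "mlro", "approve", "CASE-001", "STR approved for filing")
    try:
        trail.act("s.admin", "it_admin", "view", "CASE-001")
    except PermissionError:
        pass  # the denied attempt is already in the log
    return trail
```

A hash chain makes tampering detectable, not impossible: anyone with write access to the store can rewrite the chain from a chosen point onward, so the latest hash should also be recorded somewhere the storage administrators cannot modify.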
How Youverify Builds AML Record Keeping Into Your Compliance Programme
The challenge with AML record keeping is not storing documents. Every institution stores documents. The challenge is building a system where every compliance action, from the first transaction monitoring alert to the final STR submission confirmation, creates an unbroken, immutable, tamper-proof chain of evidence that a regulator can follow without any narration from the institution's compliance team.
Youverify's unified FRAML platform is designed around this requirement. Every action taken within the platform, including KYC verification decisions, transaction monitoring alert dispositions, PEP and sanctions screening results, MLRO approvals, and STR portal submissions, writes to a centrally managed, tamper-proof audit trail that meets the specific requirements of CBN Circular BSD/DIR/PUB/LAB/019/002:
- Tamper-proof, timestamped records. Every compliance action is logged at the moment of creation with an immutable timestamp and user identity. Records are append-only. No action can be retroactively altered or deleted. Integrity hashes are generated at the point of record creation.
- Unified compliance data layer. KYC verification, transaction monitoring, case management, MLRO approval, and STR filing all write to the same record store. There are no silos. A regulator requesting the complete history for any customer receives a single, coherent timeline from onboarding to present.
- Role-based access with access logging. Configurable access tiers with complete access audit logging. Every access attempt is recorded with user identity, timestamp, and action. Access logs are themselves tamper-proof and available for examination.
- Nigeria-compliant data localisation. Customer biometric and identity data for Nigerian customers is stored within Nigeria, satisfying the CBN's data localisation requirement. Configuration for South African, Kenyan, and Ivory Coast data residency requirements is also available.
- Jurisdiction-specific retention configuration. Retention periods are configurable per customer jurisdiction. Nigerian records are configured for five-year minimum retention. Kenyan records for seven years. Ivory Coast and WAEMU records for ten years. Automated alerts flag records approaching the deletion window for review before purge.
- STR and CTR automation with submission confirmation logging. Every STR and CTR generated by the platform creates a complete record: the source alert, analyst investigation notes, MLRO approval, portal submission, and NFIU or FIC confirmation reference. All elements are linked in the central audit trail. Retrieval by report reference, date, customer, or analyst takes seconds.
About the Author
Temitope Lawal is a RegTech and compliance specialist at Youverify. She has written for fintech companies and financial institutions across Nigeria and international markets, with a research focus on AML compliance, fraud prevention, and financial crime regulation. Her work covers regulatory developments from the FCA, NCA and FATF, and is informed by ongoing engagement with primary compliance sources and industry research.
