HomeArt MarketAML at Five: What Art Market Participants Must Now Destroy

AML at Five: What Art Market Participants Must Now Destroy

  • July 28, 2025
  • Posted by: FCS Compliance
  • Category: Art Market, News
No Comments
paper flying out of a shredder

Happy fifth anniversary to the art market’s obligation to comply with the UK Money Laundering (ML) Regulations. One key consequence of this milestone is that each Art Market Participant (AMP) must now consider which Anti-Money Laundering (AML) records they are required to destroy.

The UK ML Regulations entitle Art Market Participants to request private information to comply with the law. This is an exception to general data privacy rules, which restrict the collection and use of personal information.

The risks of ignoring this fifth anniversary — and failing to destroy certain records — are significant. In addition to potential civil or criminal penalties for individuals and businesses, there is the risk of imprisonment and reputational damage. Financial penalties start from £1,500 for HMRC’s minimum civil administrative charge and have the potential to dramatically escalate, as the penalty amount has no ceiling.

For serious breaches, criminal penalties may include up to two years in prison. The severity of enforcement depends on the nature of the breach, its impact, and the organisation’s compliance history.

Below is a summary of high-level answers to some key questions.

What Are AML Records?

To avoid both civil and criminal risks, the first question to ask is: What counts as a record? We suggest considering both documents and information as part of this definition. This may include notes on your decision-making process as you apply a risk-based approach.

Consider how — and for how long — you are storing the following categories of records:

  • Customer due diligence (CDD) documents and associated notes, including risk-based decisions
  • Internal and external Suspicious Activity Reports (SARs)
  • Details of the strengths and weaknesses of your AML programme
  • Training logs and records of steps taken to raise staff awareness of money laundering, terrorist financing, sanctions, and other legal obligations
  • Your AML policies, controls and procedures — especially your annual risk assessments and any earlier drafts
  • Agreements with third-party CDD service providers

Any personal data collected may only be processed for the prevention of money laundering, sanctions breaches or terrorist financing — or where use is permitted by other legislation or where consent has been obtained.

Proper record-keeping is not only a legal requirement but also a vital defence in the event of an investigation or enforcement action.

Where Should AML Programme Records Be Kept?

General records may include your AML policy and procedures, training logs, annual written risk assessments, and internal communications about your AML programme. The AML policy, in particular, should be made available to all relevant staff, in both print and digital form.

More sensitive records — such as due diligence documents (e.g. identity verification) — should be stored separately from routine client or transaction files. These should be securely stored and, ideally, backed up to the cloud.

Other sensitive documents include suspicious activity reports, whether filed internally with the Nominated Officer or externally with government agencies such as the National Crime Agency (NCA) or the Office of Financial Sanctions Implementation (OFSI).

How Long Should You Keep AML Records?

Some records must be destroyed after five years. Others should be retained for a reasonable period, while a few may be kept longer in specific circumstances. These include:

  • Legal or regulatory requirements to retain the data
  • Reasonable grounds to believe the data may be needed for legal proceedings
  • Consent from the data subject to retain their information

Records that are generally subject to the five-year retention period include transaction records, passport copies, and reliance letters.

Records that can typically be retained for a reasonable period include training records and both internal and external Suspicious Activity Reports (SARs).

Final Thoughts

This summer is an ideal time to review your record-keeping and document destruction procedures. Staying on top of these requirements helps reduce risk and demonstrate your ongoing compliance.