Record Retention in AML: What to Keep and For How Long in the UAE

A Practical Guide for DNFBPs on Documenting Compliance Without Drowning in Paperwork

Introduction

So much of AML compliance boils down to one question during inspections:

“Can you prove it?”

Whether you’ve conducted due diligence, submitted a suspicious transaction report (STR), or screened a politically exposed person (PEP), you must retain the documentation, or risk non-compliance.

In this guide, we break down what records UAE businesses must keep, for how long, and how to stay inspection-ready without drowning in disorganized files.

Why Record Retention Matters in AML

Under UAE AML laws, doing the right thing isn’t enough, you must be able to show that you did it. This makes record retention one of the most critical (and overlooked) aspects of compliance.

Poor recordkeeping is among the most common inspection findings, especially for Designated Non-Financial Businesses and Professions (DNFBPs). Regulators want clear, accessible proof that your business followed the rules, even years later.

How Long You Must Keep AML Records

According to Cabinet Resolution No. (10) of 2019, businesses must retain AML-related records for at least 5 years from:

  • The date of the transaction, OR
  • The end of the business relationship, OR
  • The submission date of an STR/SAR

Whichever comes latest.

This applies even if the client leaves, the case is closed, or the transaction seemed low-risk at the time.

What Records Must Be Retained

To ensure compliance, your retention system should cover these key areas:

  • Customer Due Diligence (CDD)
    Copies of IDs, utility bills, risk profiles, and verification steps.
  • Suspicious Transaction Reports (STRs/SARs)
    Copies of goAML reports, submission logs, and related investigation notes.
  • Internal Risk Assessments
    How each client’s risk level was determined and updated.
  • Staff Training Records
    Attendance logs, certificates, and training materials.
  • Transaction Logs
    Especially important for high-value, unusual, or cash-based activity.
  • PEP and Sanctions Screening Results
    Whether the result was a match, cleared, or flagged for further review.
  • Internal Review and Escalation Notes
    Including audit trails, justifications, and decisions.
  • Communication with Authorities
    Emails, letters, and memos to/from the FIU or Ministry of Economy.

Each of these items must be easily accessible and organized for inspection.

Paper or Digital: What’s Acceptable?

Yes, you can go paperless, and you probably should.

Digital records are fully acceptable under UAE law, provided that:

  • They are securely stored (cloud or encrypted systems)
  • They are readily accessible during inspections
  • They are timestamped and unaltered

Scanned copies of original documents are valid, but they must be legible and complete.

Modern businesses benefit from using a Document Management System (DMS) to keep things under control.

What AML Inspectors Look For

During inspections, regulators often request:

  • CDD files linked to each customer
  • Proof of re-screening or updates over time
  • STR/SAR submission history and related files
  • Documented training logs
  • Clear file organization by customer or case
  • Retention policy, stated in your AML program

If your files are scattered, missing, or outdated, you risk being flagged even if your actual compliance steps were sound.

Common Recordkeeping Mistakes to Avoid

  • Only retaining ID copies, but not risk assessments
  • Deleting files after the customer leaves, before the 5-year period
  • Not keeping records of cleared alerts
  • Retaining files, but with no clear organization
  • Saving documents in unsearchable formats (e.g., scanned images without filenames or indexing)

Bonus: How InfoAML Helps You Stay Audit-Ready

InfoAML isn’t just a screening tool, it’s built to support complete record management across the AML lifecycle.

Here’s how it helps:

  • Centralized Document Upload
    Upload KYC documents, STRs, risk forms, and more, all linked to the customer record.
  • Retention Trail and Timestamps
    Every file includes upload dates and version control, useful during audits.
  • Organized by Module
    Whether it’s screening results, transaction notes, or internal investigations, everything’s categorized and easy to find.
  • Searchable by Customer, Date, or Action
    No more digging through folders when inspectors ask.
  • Exportable Bundles
    Generate audit-ready exports for individual clients or cases on demand.
  • Exportable Bundles
    All client files and compliance records can currently be exported individually or in groups. 
In future versions, InfoAML will offer one-click export bundles for faster audit preparation.


With InfoAML, recordkeeping isn’t a separate chore, it’s part of your everyday workflow.

Final Thought

AML compliance isn’t just about taking the right action, it’s about proving it later. And when that day comes, your recordkeeping system will either save you or sink you.

By organizing files, applying the 5-year rule, and using smart tools like InfoAML, you’ll stay ahead of regulators, and sleep better at night.

👉 Book a Free Demo

See how InfoAML keeps your AML records secure, searchable, and inspection-ready, all in one place.

Share this post
Our blogs
Beneficial Ownership Transparency in the UAE: What DNFBPs Must Know
How to Declare UBOs, What Inspectors Ask, and Tools to Stay Compliant