Record Keeping: A Comprehensive Guide

Ashwin Greedharee: "In my years of experience in the compliance and auditing field, I have witnessed firsthand the importance of meticulous and efficient record-keeping practices. Through my deep understanding of the applicable legal frameworks, particularly in areas such as corporate governance, financial accountability, and regulatory compliance, I have gathered valuable insights on how businesses can optimize their record-keeping systems. This guide is designed to offer a holistic and practical approach, informed not only by legal requirements but also by the challenges and best practices I’ve encountered in real-world scenarios. It aims to provide readers with a comprehensive understanding of the essential elements of record-keeping, while offering actionable strategies for ensuring that records are maintained in a way that supports transparency, efficiency, and compliance across various sectors."

Introduction

Record-keeping is an essential aspect of business operations, serving not only as a tool for tracking financial transactions and maintaining organizational efficiency but also as a key component of regulatory compliance. Proper record-keeping ensures that businesses can provide accurate documentation of their activities, which is crucial in industries subject to strict regulatory frameworks. Beyond the operational benefits, maintaining comprehensive and accessible records helps businesses demonstrate compliance with laws such as the Financial Intelligence and Anti-Money Laundering Act (FIAMLA) and FIAMLA Regulations, both of which require businesses to retain specific records for a defined period to combat financial crimes like money laundering and terrorist financing.

From a legal perspective, poor record-keeping can have significant consequences. Non-compliance with regulations like FIAMLA or data protection laws can lead to penalties, fines, or even criminal charges. In addition to legal records, businesses must manage various types of data, including customer identification documents, financial statements, contracts, and internal communications. Effective management of these records not only ensures adherence to legal standards but also enhances operational integrity and supports ongoing business functions like audits, risk management, and strategic decision-making.


Legal obligation for record keeping

The main regulation for record keeping emanates from Section 17F (1) of FIAMLA 2002 which provides that “a reporting person must keep all books and records with respect to his customers and transactions”. These provisions in FIAMLA 2002 ensure that financial institutions and other reporting persons maintain comprehensive records that support compliance with AML/CFT regulations and enable authorities to trace financial transactions and customer identities when necessary. The FIAML Regulations 2018 outline detailed legal obligations for record keeping, which will be elaborated in the subsequent sections of this article.


Minimum record retention period

As per Section 17F (2) of FIAMLA 2002 “records should be maintained for a period not less than 7 years:

  • after the business relationship has ended;
  • after the completion of the transaction;
  • from the date the suspicious transaction report was made”.


Physical record keeping vs digital record keeping

Maintaining a filing system for accounting records over a seven-year period can be both resource-intensive and costly. Physical storage requires significant space and dedicated personnel to manage and retrieve documents, often leading to inefficiencies when attempting to locate records from previous years. A more effective solution is needed to ensure the swift and economical retrieval of information. Under the Companies Act 2001, records may be kept “in a form or in a manner that allows the documents and information that comprise the records to be easily accessible and convertible into written form.” This provision permits the maintenance of records in electronic form, thereby offering businesses the flexibility to manage their records digitally while remaining compliant with legal requirements. Additionally, the Electronic Transactions Act 2000 governs the use of electronic records in Mauritius, further affirming the legality of digital record-keeping for business operations.

Section 7 of the Electronic Transactions Act 2000 establishes the legal framework for keeping records, documents, or information in electronic form, as opposed to physical form, in Mauritius.

What does the law say?

  1. Electronic records satisfy legal requirements: If a law requires keeping records, this requirement can be fulfilled by keeping the records in electronic form, provided certain conditions are met.
  2. Conditions for electronic record-keeping:
     • Accessibility: The information must remain accessible and usable for future reference.
     • Accuracy: The electronic record must either be kept in its original format or in a format that accurately represents the original.
     • Identification: The electronic record must preserve information that allows the identification of the origin, destination, and the date and time it was sent or received.
     • Supervision: If a public sector agency oversees the record-keeping requirements, their consent must be obtained for electronic records.
  3. Exclusion of system-generated data: The obligation to keep records does not extend to information that is automatically generated by systems for the purpose of transmission, like metadata.
  4. Outsourcing: The responsibility for keeping records can be delegated to a third party.
  5. Exceptions and additional requirements: The section does not apply if another law specifically addresses electronic record-keeping. Public sector agencies can impose additional rules for electronic records they oversee.


Data Protection and Confidentiality:

As per Section 14 of the Data Protection Act 2017, any person acting as controller or processor should be registered with the Data Protection Commissioner.

Controller

A controller “means a person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing”.

In simple terms, a management company would typically act as a Data Controller when it:

  • Collects and determines the purpose of processing personal data of its clients, employees, or investors.
  • Makes decisions on how the personal data will be used, such as for compliance purposes (e.g., KYC, AML/CFT), payroll, customer service, or investor relations.

In these cases, the management company has the authority to decide how and why personal data is processed and, therefore, would be classified as a Data Controller. It would need to apply for a Data Controller license to fulfill its obligations under the Data Protection Act.

Processor

A processor “means a person who, or public body which, processes personal data on behalf of a controller”. Processing here means any action or series of actions done to personal data, whether done automatically or not. This includes things like collecting, recording, organizing, structuring, storing, changing, retrieving, using, sharing, or making the data available. It also covers actions like restricting access, erasing, or destroying the data.

In simple terms, a management company may also act as a Data Processor if it processes personal data on behalf of other entities (clients) following their instructions. For example:

  • If the management company manages the data of a client's investors or customers but does not decide how that data should be used, it acts under the instruction of the client.
  • If it provides administrative services, accounting, or compliance support for its clients and processes personal data solely based on their requests, it is functioning as a Data Processor.

In this case, the management company would need a Data Processor license as it is processing data on behalf of another party.

Therefore, both the controller and the processor have legal obligations for the collection, handling, processing, deletion and confidentiality of data.


Types of Records

As per Section 17F of FIAMLA 2002, “books and records with respect to his customers and transactions” means:

“All records obtained through CDD measures, including account files, business correspondence and copies of all documents evidencing the identity of customers and beneficial owners, and records and the results of any analysis undertaken;

records on transactions, both domestic and international, that are sufficient to permit reconstruction of each individual transaction for both account holders and non-account holders;

copies of all suspicious transaction reports made pursuant to section 14 or other reports made to FIU in accordance with this Act, including any accompanying documentation”.


1. Policies, Control and Procedures:

Section 17A(c) of FIAMLA requires maintaining a written record of the following:

(i) the policies, controls, and procedures established under paragraph (a);

(ii) any modifications to these policies, controls, and procedures following the review and update as required under paragraph (b); and

(iii) the actions taken to communicate these policies, controls, procedures, or any updates internally.


2. Third Party Record Keeping Requirements

Regulation 21 of the FIAMLA regulations emphasizes the following regarding record-keeping when relying on third parties for customer due diligence (CDD):

The reporting person must ensure that they can immediately obtain the necessary CDD information and take steps to confirm that copies of identification data and other relevant documents will be available from the third party without delay.

The third party must be regulated, supervised, or monitored for compliance with CDD and record-keeping requirements in line with the Act and the regulations.

If the third party is part of the same financial group, the group must apply CDD and record-keeping requirements and be supervised at a group level by a competent authority.

In essence, the regulation mandates that a reporting person should ensure that necessary CDD documents are accessible and that third parties maintain adequate compliance with record-keeping requirements.


3. High Risk Third Country and Record Keeping

Regulation 24(1)(a)(iii) of the FIAMLA regulations specifies that, when identifying a high-risk third country, consideration should be given to whether that country has strategic deficiencies in its legal and institutional framework concerning record-keeping. Specifically, the country should be evaluated on whether it has proper measures in place to ensure that records, especially those related to customer due diligence (CDD) and financial transactions, are maintained as required by anti-money laundering (AML) and combating the financing of terrorism (CFT) standards.


4. Identification actions and difficulties with respect to beneficial owners

Regulation 6 of the FIAML Regulations mentions that:

The reporting person must keep records of all the actions taken to identify and verify the beneficial owners.

They must also document any difficulties or challenges encountered during the verification process.


5. Transaction Records:

This section covers the importance of tracking financial transactions and ensuring they are accessible.

Regulation 14 of the FIAML Regulations provides that reporting persons are required to keep detailed records of all transactions in a manner that allows for quick and efficient reconstruction of each individual transaction when needed. This means that all necessary information about the transaction should be readily accessible, including:

(a) The full name of the party making the payment.

(b) The full name of the party receiving the payment.

Cross Border Wire Transfer

This is also emphasized in Regulation 20, which requires that cross-border wire transfers always be accompanied by:

(a) Originator Information:

Name of the originator – The full name of the individual or entity initiating the transaction.

Account number – The originator's account number used to process the transaction. If no account is involved, a unique transaction reference number that allows the transaction to be traced must be provided.

Additional details – The originator's address, national identity number, customer identification number, and date and place of birth must be included.

(b) Beneficiary Information:

Name of the beneficiary – The full name of the individual or entity receiving the transaction.

Account number – The beneficiary's account number used to process the transaction. If no account is involved, a unique transaction reference number that allows the transaction to be traced must be provided.

Specific Situation requiring 7 years of record keeping:

In cases where technical issues prevent full originator or beneficiary information from being transmitted with a domestic wire transfer following a cross-border transfer, the intermediary financial institution is obligated to retain the relevant information for 7 years, ensuring compliance and traceability of the transaction.

6. Suspicious Transaction Reports:

Section 17 (f)(2c) FIAMLA 2002:

All copies of suspicious transaction reports (STRs) made under Section 14, along with any accompanying documentation, must be retained for at least 7 years from the date the report was submitted to the Financial Intelligence Unit (FIU).

Section 13(5) FIAMLA 2002:

While records are generally required to be kept for 7 years, this section allows the Director (likely of the FIU) to issue a notice requiring a reporting person or auditor to retain records related to a suspicious transaction for a different period, as specified in the notice. This means that in certain cases, the Director can extend or adjust the retention period beyond the standard 7 years, based on the nature of the suspicious transaction or ongoing investigations.


7. Customer Due Diligence (CDD) Records:

Section 17F(2a) of the FIAMLA 2002 states that CDD records should be kept, and these include:

  • Customer identification documents: Copies of passports, national identity cards, or other government-issued documents verifying customer identity.
  • Beneficial owner identification: Documentation identifying the ultimate beneficial owner(s) of an account, company, or entity, including shareholding certificates, trust deeds, or partnership agreements.
  • Source of funds and wealth: Evidence of how the customer's funds were accumulated, especially for high-risk customers. This may involve salary slips, business income statements, or declarations made to the MRA.
  • Transaction monitoring records: Documentation of flagged transactions and any unusual activity, with an emphasis on transactions that might have been reported to regulatory bodies like the FSC or the FIU.
  • Customer risk assessments: Comprehensive records detailing the AML/CFT risk posed by each customer, based on factors like the customer's profile and previous interactions, including any sanctions screenings or adverse media checks.
  • Regulatory submissions: CDD-related filings made to the FSC or the Registrar of Companies, particularly when changes to beneficial ownership, company structure, or compliance obligations require regulatory notification.
  • Director and shareholder identification, whether individuals or corporate entities.


For corporate directors or shareholders, including entities such as trusts, funds, limited partnerships, or sociétés, the identification and verification process involves more complex documentation due to the layered structures and legal entities involved. The FSC Handbook and AML/CFT regulations require reporting entities to gather the following key documents for proper due diligence:

Corporate Shareholders and Directors:

Certificate of Incorporation: To verify the legal existence of the corporate entity.

Memorandum and Articles of Association (or equivalent documents): To understand the purpose of the company, its shareholding structure, and the appointment of directors.

Register of Directors and Shareholders: A detailed record of the company’s directors and shareholders, including any changes over time.

Identity documents of individual directors/shareholders: For corporate shareholders or directors who are natural persons, copies of passports, national ID cards, and proof of address must be provided.

Resolution of the board (or equivalent): Confirming the authority of the individual(s) acting on behalf of the company.

Trusts:

Trust deed: A legal document establishing the trust, naming the settlor, trustees, and beneficiaries, and outlining the terms under which the trust operates.

Details of the settlor, trustee(s), and beneficiaries: Copies of identification documents (passports, national ID cards) and proof of address for the individuals involved in the trust.

Letter of wishes: If applicable, to understand the intent of the settlor regarding the trust’s operation and distribution of assets.

Trustee resolutions: Any documents demonstrating the authority of the trustees to act on behalf of the trust.

Funds:

Constitutional documents: Such as the prospectus or offering memorandum, outlining the fund's objectives, structure, and investment strategy.

Fund management agreements: To verify the authority of the fund managers or administrators.

Register of unit holders/investors: Detailing the ultimate beneficial owners or investors in the fund, along with their identification documents.

AML policies: In some cases, reporting entities may need to review the fund’s own AML/CFT policies to ensure compliance with relevant laws.

Limited Partnerships:

Partnership Agreement: Documenting the partnership’s structure, the role of the general and limited partners, and their respective shares in the partnership.

General partner identification: For the general partner(s), copies of identification documents (passports, national ID cards), proof of address, and, if the general partner is a corporate entity, the same documents required for corporate directors/shareholders.

Beneficial owner identification: For limited partners, identification documents and any other relevant information to ascertain the identity of the ultimate beneficial owners.

Société:

Acte de Société: To establish the legal structure and purpose of the société.

List of associates/members: Including identification of the managing partner and any beneficial owners, with corresponding identity documents and proof of address.

Resolutions and mandates: Where applicable, showing the authority of representatives to act on behalf of the société.


8. Accounts, Bank and Billing Records:

Finance and Accounting:

  • Invoices to customers: Invoices issued to clients for services rendered, including consultancy fees, management fees, or other services related to the company’s activities. These should include payment terms and records of receipt of payments.
  • Audited financial statements: Annual or periodic audited financial statements prepared by external auditors to ensure the company's financial health and adherence to accounting standards. These include balance sheets, profit and loss statements, and cash flow statements.
  • Audit fee receipts: Invoices and receipts for fees paid to external auditors for conducting statutory audits.
  • Internal financial reports: Periodic reports generated internally for management's review of financial performance, liquidity, and profitability.
  • Annual reports and statutory filings: Documentation of annual reports and other financial documents submitted to regulatory authorities, including the Registrar of Companies and the FSC.
  • Financial statement submission receipts: Proof of submission of annual financial statements or other statutory documents to the Registrar of Companies, the FSC, or other relevant bodies.

For FSC and ROC

  • FSC license fee receipts: Proof of payment for Financial Services Commission (FSC) license fees, including renewal fees and additional compliance-related fees (e.g., penalties for late submission of required documentation).
  • Trade licence fee receipts: Invoices and receipts for the annual renewal of business licenses from local authorities.
  • Registration fee receipt with the Registrar of Companies: Proof of payment for the registration of the company or any annual registration fees paid to the Registrar of Companies.

For MRA

  • Tax Clearance Certificates: These certificates are issued by the Mauritius Revenue Authority (MRA) and confirm that the company has met all its tax obligations. This includes corporate income tax, VAT, and any other applicable taxes. It is a key document for demonstrating tax compliance, particularly when engaging with banks or regulatory bodies.
  • Correspondence with the MRA: This includes any written communications between the management company and the MRA regarding tax filings, payments, or tax status inquiries. It also includes any disputes, clarifications, or resolutions related to the company’s tax obligations.
  • VAT Filings and Receipts: Documentation of VAT submissions made to the MRA, including receipts for payments and any correspondence regarding VAT compliance. This includes regular filings and any additional documentation or clarifications required for VAT-related queries.
  • Tax Residence Certificate: This certificate, issued by the MRA, confirms that the company is a tax resident in Mauritius. It is often required to benefit from double taxation treaties and demonstrate the company’s tax residency status to international authorities or investors.
  • Corporate Tax Filings: Annual or quarterly corporate tax return filings submitted to the MRA, showing the company’s taxable income and the taxes paid. This ensures the company is in good standing with the local tax authorities.
  • PAYE (Pay As You Earn) Receipts: For companies with employees, PAYE receipts serve as proof of income tax withheld from employees' salaries and submitted to the MRA.
  • Social Security and NPF/NSF Payments: Proof of social security contributions and National Pension Fund (NPF) or National Savings Fund (NSF) payments made on behalf of employees.

For Bank:

  • Account Opening Application Form: This form is completed and signed, detailing the nature of the account (corporate), the company's business activities, and the purpose for which the account will be used. This form serves as the primary document for initiating the account opening process.
  • Board Resolution for Bank Account Opening: A resolution passed by the company’s board of directors authorizing the opening of the bank account. The resolution also designates specific individuals (signatories) who are authorized to operate the account on behalf of the company, along with their levels of authority (e.g., single or joint signatories).
  • Bank Mandate Forms: These forms outline the authority granted to specific individuals (signatories) to perform transactions, issue instructions, and operate the account. The mandate specifies whether the signatories can act individually or jointly, ensuring clear operational control over the account.
  • Signatory Identification Documents: Banks require identification documents for each authorized signatory, including passports, national ID cards, and proof of address. This is part of the Know Your Customer (KYC) process, ensuring the bank has verified the identities of those with control over the account.
  • Indemnity Forms: Some banks may require the management company to sign an indemnity form, which releases the bank from certain liabilities in the event of miscommunications, errors in instructions, or internet banking mishaps. This document is crucial for limiting the bank’s exposure to risk associated with the company’s account operations.
  • Internet Banking Authorization: If the company plans to use online banking, the authorized signatories for internet banking must be specified. These individuals will be given secure access to the account via the bank's online platform, with specific rights (e.g., viewing transactions, approving payments, or initiating transfers) clearly defined.
  • Internet Banking Security Protocols: Banks may require additional documents related to security measures for internet banking, such as token access or dual authorization for high-value transactions. These protocols ensure that sensitive transactions are processed securely and with adequate oversight.
  • Authorized Signatory Form for Internet Banking: This form specifies which individuals are permitted to access and operate the company’s bank account through the bank’s internet banking system. It may include specific authorizations such as viewing rights, transactional authority, or administrative control for managing the account.


Account Opening and Agreements

  • Account Application Forms: These forms are completed and signed during the opening of a business or personal account. They provide key details such as the type of account (corporate, individual, or other), the nature of the business, and the purpose for which the account will be used. Along with this, identification documents (passports, national ID cards) and Know Your Customer (KYC) forms are submitted to meet regulatory compliance and confirm the legitimacy of the company and its operations.
  • Terms and Conditions: These are the terms governing the operation of the account, which are agreed upon and signed by the account holder. This document outlines the bank’s policies on the use of the account, fees, transaction limits, and any other terms related to the account’s operation. Any future amendments to the terms must also be acknowledged by the account holder to ensure continued compliance with the bank's policies.
  • Bank Mandates and Signatory Authorizations: These documents specify who is authorized to operate the account on behalf of the management company. They include the conditions under which the account can be accessed, such as whether transactions require a single or joint signatory approval. This ensures clear accountability and security in the company’s financial transactions, including the authority to approve payments, transfers, or other banking activities.
  • Service Agreements with Clients: These agreements outline the services provided by the management company to its clients. They include details on the scope of services (such as administration, compliance, and advisory services), the fees associated with each service, and the terms of payment. Service agreements ensure that both parties understand their responsibilities and obligations, providing a legal framework for the ongoing business relationship.
  • Client Management and Advisory Agreements: In addition to service agreements, a management company may enter into advisory or consultancy agreements with its clients. These agreements specify the terms of the consultancy, including strategic or financial advice, and any specific goals or deliverables. It ensures that both parties are aligned on expectations, payment terms, and duration of the engagement.
  • Other Client Agreements: Depending on the nature of the services, a management company may also have specific agreements with clients covering compliance services, corporate secretarial services, or investment management services. These documents outline the exact responsibilities of the management company, fees for additional services, timelines, and any necessary regulatory requirements that must be met.
  • Non-Disclosure Agreements (NDAs): To protect sensitive client information, the management company may have NDAs in place with clients or third-party service providers. These agreements ensure confidentiality and limit the use of proprietary or personal information for purposes outside of the contracted services.
  • Client Engagement Letters: These are letters sent to clients at the start of the business relationship, detailing the services to be provided, the expectations, and any terms and conditions that govern the relationship. Engagement letters act as a formal agreement between the management company and its clients, clearly outlining deliverables and timelines.
  • Service-Level Agreements (SLAs): If the management company provides ongoing services like administrative or compliance support, SLAs might be in place to define performance standards, response times, and other expectations regarding service delivery. These agreements help manage client expectations and ensure that both parties are clear on the terms of service quality.


Company Secretarial Documents

Minutes of Board Meetings:

Board minutes are a formal record of the discussions and decisions made during board meetings. They include the date, time, and location of the meeting, a list of attendees (directors, executives, and invitees), and the key points discussed. These minutes document resolutions passed, strategic decisions, approval of financial statements, or any other significant corporate actions.

The minutes must be approved by the board at the next meeting, signed by the chairman of the board, and maintained as a legal record of the company’s governance activities. In the case of management companies, board meetings may address compliance issues, approval of transactions, or changes in the company’s operational structure.

Board Resolutions of Directors:

Board resolutions of directors are formal decisions made by the board of directors that require documented approval, especially for matters such as opening a bank account, appointing new directors, approving financial reports, entering into major contracts, or making strategic business decisions.

These resolutions are often passed during board meetings and are recorded in the minutes. They are legally binding and ensure that the company’s management is acting in accordance with the governance framework and with the consent of the directors.

Board Resolutions of Shareholders:

Shareholder resolutions are decisions made by the shareholders of the company, either at an Annual General Meeting (AGM) or an Extraordinary General Meeting (EGM). These resolutions are required for significant corporate actions that affect ownership or governance, such as the issuance of new shares, changes to the Articles of Association, or the appointment or removal of directors.

These resolutions may also be necessary for mergers, acquisitions, or other major business transformations that require shareholder approval. Shareholder resolutions are documented in meeting minutes and kept as part of the corporate records.

Written Resolutions:

Written resolutions allow directors or shareholders to pass a resolution without holding a formal meeting. This is particularly useful for management companies when urgent decisions are needed, or when gathering all parties for a meeting is not practical.

The written resolution must be circulated among the relevant directors or shareholders for signature and approval. Once signed by all required parties, it holds the same legal weight as a resolution passed at a meeting. Written resolutions are commonly used for routine decisions like approval of contracts or administrative changes.


Correspondences:

Communications with regulators:

Correspondence between the reporting entity and the FSC, Registrar of Companies, or Bank of Mauritius regarding customer status, compliance queries, or regulatory reporting obligations.

MRA submissions:

Correspondence or applications made to the Mauritius Revenue Authority for tax registrations, tax compliance certificates, or other tax-related matters relevant to the customer.

Applications to financial institutions:

Copies of applications or forms submitted to banks for the opening of accounts, loan approvals, or other financial products, along with subsequent communications for account verification and updates.

Internal communication:

Notes or email exchanges between departments, such as compliance, legal, and operations, regarding customer account management, risk assessment, or CDD updates.

Correspondence with the customer:

Emails, letters, or other forms of communication documenting the relationship with the customer, requests for information, updates on their account, and compliance inquiries.


Updating and Reviewing Records

Regulation 3 of the FIAML Regulations 2018 emphasizes the importance of keeping Customer Due Diligence (CDD) records up to date. It specifically requires reporting entities to:

  • Review and update customer records regularly, ensuring that any outdated or inaccurate information is corrected.
  • Focus on higher-risk customers, where records should be reviewed more frequently to ensure that the information remains relevant and reflects any changes in the customer's circumstances or activities.
  • Ensure that any changes in customer data, such as identity information or beneficial ownership, are promptly reflected in the records to maintain compliance with AML/CFT obligations.


Destruction of Records

Section 19 1(b) of FIAMLA 2002 provides that any person who destroys or removes any record, register or document which is required under this Act or any regulations, or causes the destruction, alteration, or falsification of records that are required to be kept, especially if they are relevant to an investigation or prosecution for money laundering or terrorism financing, will be liable to a fine of up to 1 million rupees and imprisonment for up to 5 years.


Access to records

By the regulator:

With regard to transaction records, Regulation 14(3) provides that “a reporting person shall ensure that all CDD information and transaction records are kept in such a manner that they are swiftly made available to the FIU or any relevant regulatory body or supervisory authority upon request”.

Under Section 19J of FIAMLA, regulatory bodies have the authority to request and obtain any relevant information, records, or documents from members under their jurisdiction to fulfill their obligations under the Act. Members must comply with such requests without delay. Additionally, if the regulatory body deems it necessary, the information or documents provided can be subjected to verification or authentication, with the costs for these processes falling on the member. This ensures transparency and compliance with the regulatory body's demands.

Section 19K(3) of FIAMLA states that members and their employees must allow the regulatory body full access to all relevant records and documents as deemed necessary for the inspection, ensuring complete transparency and cooperation during the process.

By the Compliance Officer

Regulation 22(2) of the FIAML Regulations 2018 states that “the compliance officer shall have unrestricted access upon request to all books, records and employees of the reporting person as necessary for the performance of his functions”.

By the MLRO/DMLRO

Regulation 27(e) of the FIAML Regulations 2018 states that the Money Laundering Reporting Officer should have “full access to any other information that may be of assistance and that is available to the reporting person”.


Board Responsibility in Record Keeping

1. Board Oversight:

Setting Policies for Record Retention and Regulatory Access:

The board is responsible for establishing policies that ensure proper retention, storage, and destruction of records, in line with legal requirements such as FIAMLA, the Data Protection Act, and other relevant laws.

As per Section 19J of FIAMLA, the board must ensure that the company is prepared to provide information to regulatory bodies upon request. This includes responding to inquiries from the Financial Services Commission (FSC), the Registrar of Companies, the Mauritius Revenue Authority (MRA), or any other supervisory authority in a timely and efficient manner. The board must ensure that internal policies allow for prompt access to records when requested by these regulators.

Additionally, Section 19K(3) of FIAMLA emphasizes that during an onsite inspection, the company must provide full and unrestricted access to all records and documents deemed necessary by the regulatory body. The board has a direct responsibility to ensure that these records are readily available and that internal staff are prepared to cooperate fully with inspectors during such visits.

The board must ensure that clear lines of responsibility are established, so designated officers can easily access these records and meet the requests of regulatory bodies without delay, fulfilling the company’s legal obligations.

2. Compliance Monitoring:

Ensuring Compliance with FIAMLA, Data Protection, and Other Laws:

The board's role extends to ensuring that the company complies with legal obligations outlined in FIAMLA and its regulations. This includes ensuring that the Compliance Officer and Money Laundering Reporting Officer (MLRO) have the appropriate level of access to records, employees, and other sources of information necessary for fulfilling their roles.

According to Regulation 27(2) of the FIAML Regulations, the Compliance Officer must have unrestricted access to all books, records, and employees within the company. It is the board’s responsibility to establish policies that guarantee this access, enabling the Compliance Officer to perform thorough compliance checks, audits, and investigations.

Regulation 27(e) also stipulates that the MLRO must have full access to information across the company. This includes access to transactional data, customer due diligence (CDD) records, and any other relevant documents required for detecting and reporting suspicious activities. The board must ensure that this access is built into the company’s governance framework, providing the MLRO with the tools necessary to meet AML/CFT obligations.

The board must also oversee regular compliance training for employees, ensuring that they understand the importance of cooperation with the Compliance Officer and MLRO, and the legal consequences of obstructing access to records or failing to meet regulatory obligations.

3. Auditing Records and Regulatory Access:

Regular Audits of Record-Keeping Processes to Ensure Compliance:

The board is responsible for conducting regular audits to ensure that the company’s record-keeping systems are in compliance with all legal and regulatory requirements. This includes ensuring that records are easily retrievable for inspections and audits conducted by external regulators.

As part of the board’s oversight, audits should assess whether the company is adequately prepared to comply with Section 19J (requests for information by regulatory bodies) and Section 19K (onsite inspections). These audits help ensure that internal policies are sufficient to handle such requests and that the company’s record-keeping infrastructure is robust enough to provide the necessary documentation quickly.

Furthermore, audits must verify that both the Compliance Officer and MLRO have the necessary unrestricted access to records and employees, as required by Regulation 27(2) and 27(e). This ensures that internal compliance checks are thorough and in line with legal obligations, safeguarding the company against potential regulatory breaches.

The board should also ensure that the record destruction process complies with FIAMLA requirements, confirming that records are only destroyed after the legal retention period and in a secure manner that protects sensitive information.

4. Providing Access to Regulatory Bodies and Internal Officers:

The board must establish and enforce policies that guarantee regulatory bodies, such as the FSC, FIU, or the Registrar of Companies, can access the company’s records when needed. Failure to provide timely and unrestricted access can lead to penalties and reputational damage.

As per Section 19J of FIAMLA, the board must ensure that all employees are aware that any request for information by regulatory bodies must be responded to immediately, with full cooperation.

Additionally, under Section 19K(3), the board must ensure that staff and directors are fully prepared for onsite inspections, providing full and free access to all relevant documents and cooperating with inspectors as required by law.

The board is also responsible for ensuring that the MLRO and Compliance Officer have unrestricted access to records and employees, as mandated by Regulation 27(2) and 27(e) of the FIAML Regulations. This allows them to conduct necessary internal investigations, monitor compliance, and report suspicious activities.


Indexing for Easy Storage and Retrieval

A good indexing system for record keeping should be efficient, intuitive, and scalable. The choice of system depends on the nature of the records and the volume of data to be managed. Here are some commonly used indexing systems that can be adapted for various purposes:

Client-Centric Numeric/Alphanumeric Indexing

Each client gets a unique code. For example:

Client 001: APP-CLI001 (for general client records).

Client 002: APP-CLI002.

Compliance Date-Based Indexing

For compliance records like KYC, due diligence, and risk assessments, documents are indexed with the review date and client code:

KYC for Client 001 in 2024: APP-CLI001-KYC-2024.

Risk Assessment for Client 002 in 2023: APP-CLI002-RISK-2023.

Document Type Indexing (Alphabetical/Category-Based)

Under each client file, documents are categorized by type:

Client 001 Contracts: APP-CLI001-CON.

Client 001 Financial Statements: APP-CLI001-FIN.

Client 002 Compliance: APP-CLI002-COM.

Client 002 Correspondence: APP-CLI002-COR.

Geographical and Entity Type Indexing (for Global Business)

If Apple Corporate Services Ltd manages both Global Business Companies (GBC) and other entities like trusts, geographical and entity types can be incorporated into the indexing:

Client 001 Global Business Company in Europe: APP-EU-GBC-CLI001.

Client 002 Trust: APP-TRUST-CLI002.

Client 003 Global Business Company in Asia: APP-AS-GBC-CLI003.

Digital Keyword-Based Indexing (for Electronic Records)

In a digital platform, tags or keywords could be applied to documents for cross-referencing:

Tags for a 2024 Tax Filing for Client 001: "APP-CLI001," "Tax Filing," "2024."

Tags for Audit Report for Client 002: "APP-CLI002," "Audit Report," "Compliance."

Color-Coded/Folder-Based System (Physical Files)

For physical file systems, each client or document type can be color-coded:

Client 001 (Green for active clients): Green folders for APP-CLI001 documents.

Client 002 (Yellow for clients requiring additional review): Yellow folders for APP-CLI002.

Client 003 (Blue for compliant clients): Blue folders for APP-CLI003.

Compliance Records (Red): Red folders for compliance documents like KYC and risk assessments across all clients.


Complete Example:

For Client 001, a Global Business Company in Europe with an annual review conducted in 2024:

Client File: APP-EU-GBC-CLI001.

Compliance File for 2024: APP-CLI001-KYC-2024.

Financial Statements for 2024: APP-CLI001-FIN-2024.

Contracts: APP-CLI001-CON.

Correspondence: APP-CLI001-COR.

Audit Report 2024: APP-CLI001-AUD-2024.


This structure allows for both clear organization and easy retrieval of documents for compliance, audits, or general client servicing.
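An added example, not part of the original guide: the Python below validates index codes against a grammar inferred from the sample codes above and groups them by client code, so one client's records can be retrieved across all the schemes. The grammar, the region, entity and document-type lists, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed grammar (inferred from the guide's samples): APP[-REGION][-ENTITY]-CLInnn[-DOCTYPE[-YEAR]]
INDEX_RE = re.compile(
    r"APP(?:-(?P<region>EU|AS))?(?:-(?P<entity>GBC|TRUST))?"
    r"-(?P<client>CLI\d{3})"
    r"(?:-(?P<doc_type>KYC|RISK|CON|FIN|COM|COR|AUD)(?:-(?P<year>(?:19|20)\d{2}))?)?"
)

def parse_index(code):
    """Return the fields of one index code, or raise ValueError if malformed."""
    match = INDEX_RE.fullmatch(code.strip().upper())
    if match is None:
        raise ValueError(f"not a valid index code: {code!r}")
    fields = match.groupdict()
    fields["year"] = int(fields["year"]) if fields["year"] else None
    return fields

def build_register(codes):
    """Group parsed codes by client; collect codes that fail validation."""
    register, rejected = defaultdict(list), []
    for code in codes:
        try:
            fields = parse_index(code)
        except ValueError:
            rejected.append(code)  # surfaced for correction, never silently dropped
            continue
        register[fields["client"]].append({"code": code, **fields})
    return dict(register), rejected

def find(register, client, doc_type=None, year=None):
    """Retrieve a client's codes, optionally filtered by document type and year."""
    return [
        r["code"] for r in register.get(client, [])
        if (doc_type is None or r["doc_type"] == doc_type)
        and (year is None or r["year"] == year)
    ]

# Constructed sample: the guide's "Complete Example" codes plus two malformed ones.
SAMPLE = [
    "APP-EU-GBC-CLI001", "APP-CLI001-KYC-2024", "APP-CLI001-FIN-2024",
    "APP-CLI001-CON", "APP-CLI001-COR", "APP-CLI001-AUD-2024",
    "APP-TRUST-CLI002", "APP-CLI1-KYC-2024", "APP-CLI002-2023",
]

if __name__ == "__main__":
    register, rejected = build_register(SAMPLE)
    print(find(register, "CLI001", year=2024), rejected)
```

Rejecting malformed codes at filing time matters because a mis-indexed record is one that cannot be produced swiftly when a regulator asks for it.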


Conclusion

In conclusion, effective record-keeping, as mandated by the Financial Intelligence and Anti-Money Laundering Act (FIAMLA), the FIAMLA Regulations, and the FSC Handbook, is essential for compliance and risk management within financial institutions. By adhering to these regulations, businesses can mitigate risks related to money laundering and terrorist financing.

Furthermore, implementing strong data protection measures, maintaining records for the required period, and ensuring accessibility for both internal and external audits are critical components of a sound compliance framework. Failure to comply with these record-keeping obligations can result in severe penalties, including fines and imprisonment.

Therefore, it is imperative that businesses prioritize proper record retention and implement robust procedures for managing customer data, financial transactions, and compliance records. The board, compliance officers, and MLROs must ensure full cooperation and readiness for audits and inspections by regulatory authorities.

With clear guidelines, indexed storage systems, and continuous monitoring, businesses can maintain transparency and support the integrity of the financial system while fulfilling their regulatory obligations.

A must read. Well done.

Ahjmal Subratty

Compliance Officer / Deputy MLRO at Rokstone Mauritius

1 month ago

Very informative
