AML data retention in Belgium: 10-year duration, format and GDPR articulation
Everything on AML data retention in Belgium: 10-year legal duration (Article 60), start of countdown, admissible format (timestamped PDF/A), GDPR articulation, controlled deletion and litigation impact.
In brief
Article 60 of the Act of 18 September 2017 requires all Belgian regulated professions to retain AML data for 10 years from the end of the business relationship (not from file opening). The recommended format is PDF/A with TSA timestamp to guarantee integrity. Retention is a legal obligation under GDPR Article 6.1.c, which justifies refusing the right to erasure throughout the entire retention period.
The retention obligation in 1 minute
Article 60 of the Act of 18 September 2017 requires every regulated profession to retain for 10 years:
- Identification documents of the client and UBOs
- Internal analyses (AMLCO notes, risk assessments)
- Documents of each significant operation
- Alerts generated by monitoring (reported or not)
- CTIF reports and their receipts
- Reasoned non-reports (frequently forgotten)
- Exchanges with the client on AML aspects
- Log of AMLCO decisions
- Trainings provided (program, certificates, scores)
For the detailed KYC file content to retain, see our dedicated article.
Start of countdown
This is where many err. The 10 years start at:
- End of the business relationship for KYC and global analyses
- Date of the last significant operation for transactional documents
- CTIF report date for documents tied to that report
Example: a client onboarded on 1 January 2010, off-boarded 30 June 2026. The countdown starts 30 June 2026. You must retain everything until 30 June 2036 — in reality 26 years from file opening.
Admissible format
The law does not prescribe a specific format but requires:
Criterion 1 — Legibility
The document must be readable throughout the retention period. Avoid:
- Proprietary formats (old DOCX, files specific to obsolete software)
- Magnetic media (floppies, cassettes)
- Paper retention on thermal (fades)
Prefer PDF/A (ISO 19005), recognized for long-term archiving.
Criterion 2 — Integrity
No modification after creation. If modified, tracked history:
- TSA timestamp (Time Stamping Authority) on archiving
- Separately-stored cryptographic hash
- Qualified electronic eIDAS signature if signature is required
Criterion 3 — Authenticity
You must be able to prove a document is the one collected at the time. Method:
- Creation metadata (author, date, source)
- Chain of custody (who handled, when)
- AMLCO electronic signature for internal documents
Criterion 4 — Accessibility
Extractable on authority request within 48 hours. If your archive is on offsite tapes, the deadline will be tight.
Practical recommended format
| Document type | Format | Timestamp | Signature |
|---|---|---|---|
| Client ID copy | PDF (scan) | Yes | No |
| BCE extract | Yes | No | |
| UBO cascade | Generated PDF | Yes | No |
| AMLCO note | Yes | eIDAS | |
| Risk assessment | PDF/A | Yes | eIDAS management |
| Domiciliation contract | PDF/A | Yes | Qualified eIDAS |
| CTIF report | goAML XML copy + PDF | Yes | No (compartmentalized) |
| Decision log | Encrypted DB + PDF export | Yes | No |
Articulation with GDPR
AML and GDPR may seem contradictory:
- AML requires 10-year retention
- GDPR requires retention limited to purpose
Solution: AML retention is a legal obligation under GDPR Article 6.1.c. It overrides the right to erasure.
To document in your GDPR processing register:
- Legal basis: GDPR Article 6.1.c (legal obligation) + Article 60 of the Act of 18/09/2017
- Purpose: AML/CTF compliance
- Concerned categories of persons: clients, UBOs, directors, agents
- Data categories: identity, address, photo (ID), financial information
- Recipients: authorities (CTIF, SPF Economie, NBB, FSMA), service providers (RegTech, hoster)
- Duration: 10 years after end of relationship
- Security measures: AES-256 encryption, access limited to authorized persons, access log
Limited client rights
The client keeps GDPR rights but limited:
- ✅ Access: they can ask what data you have
- ❌ Erasure: denied while AML obligation applies
- ❌ Restriction: denied for data useful to investigation
- ✅ Rectification: possible for factual errors
- ❌ Info on CTIF report: tipping-off prohibition
Information notice
The client must be informed at KYC:
- Of the AML purpose of collection
- Of the 10-year duration
- Of their limited rights
- Of the possibility of CTIF reporting (non-specific mention)
Format: integrated in domiciliation contract or annexed notice.
Controlled deletion at term
After 10 years, deletion is mandatory (unless pending litigation). Method:
If litigation: extended retention until resolution + 5-year margin.
What exactly to retain
Exhaustive list per category:
Identification
- ID copies (both sides)
- Dated BCE/KBO extracts
- Company articles
- Powers of representation
- Documented UBO cascade
- Belgian UBO register comparison
Risk assessment
- Matrix used (versioned)
- AMLCO-signed risk grade per file
- Written criteria justification
Monitoring
- List of generated alerts
- Internal analyses
- Decisions (report or not, motivation)
CTIF
- goAML report copy (XML)
- CTIF acknowledgement
- Transmitted context documents
Ongoing surveillance
- Annual review log
- Reported events (UBO, director, sanction change)
- Written client exchanges (limited to AML aspect)
Governance and training
- Versioned AML policy
- AMLCO appointment minutes
- Training program + certificates
- Annual audit reports
Frequent mistakes
How Company Belgium handles retention
Company Belgium's archiving module:
- Automatic PDF/A for each critical document
- TSA timestamp on AMLCO documents
- AES-256 encryption at rest, TLS 1.3 in transit
- EU hosting (GDPR-compliant)
- Access log per user, document, date
- Automatic 10-year countdown from end of relationship
- Controlled deletion at term with proof
- Integrated GDPR articulation: client notice, processing register
- Full export on authority request in < 48 hours
See also our RegTech landscape and Company Belgium support.
Bottom line
AML data retention rests on 3 pillars: 10 years from end of relationship, timestamped PDF/A format, GDPR articulation via Article 6.1.c (legal obligation).
The classic trap: believing the countdown starts at file opening (when it starts at closing). The right reflex: automate the countdown in your RegTech tool, document every term-end deletion, and keep the client notice current.
Frequently asked questions
When does the 10-year AML data retention period start in Belgium?
The 10-year countdown starts at the end of the business relationship, not at file opening. For transactional documents, it is the date of the last significant transaction. For documents linked to a CTIF report, it is the date of that report. A relationship opened in 2010 and closed in 2026 requires retention until 2036 — 26 years from opening.
In what format must AML data be retained in Belgium?
The law does not prescribe a specific format but requires legibility, integrity, authenticity and accessibility throughout the period. PDF/A (ISO 19005) is recommended for long-term archiving. Each document must be timestamped by a Time Stamping Authority (TSA), and important documents (risk assessments, AMLCO decisions) must be electronically signed to the eIDAS standard.
Does AML data retention conflict with GDPR?
No, both are reconcilable. AML retention is a legal obligation under GDPR Article 6.1.c, which overrides the client right to erasure. During the 10 years, the regulated entity may lawfully refuse any deletion request. It must, however, inform the client at KYC time of the retention duration, the AML purpose and their limited rights.
What must happen at the end of the 10-year AML retention period?
Deletion is mandatory unless a dispute is pending or an authority has made an access request. Deletion must be secure (cryptographic erasure for digital, shredding for paper), documented (who deleted what, when, on what basis) and noted in the GDPR processing register. In case of litigation, retention is extended until resolution plus a 5-year margin.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
