CompanyBelgium

AML data retention in Belgium: 10-year duration, format and GDPR articulation

Everything on AML data retention in Belgium: 10-year legal duration (Article 60), start of countdown, admissible format (timestamped PDF/A), GDPR articulation, controlled deletion and litigation impact.

April 3, 20269 min read

In brief

Article 60 of the Act of 18 September 2017 requires all Belgian regulated professions to retain AML data for 10 years from the end of the business relationship (not from file opening). The recommended format is PDF/A with TSA timestamp to guarantee integrity. Retention is a legal obligation under GDPR Article 6.1.c, which justifies refusing the right to erasure throughout the entire retention period.

The retention obligation in 1 minute

Article 60 of the Act of 18 September 2017 requires every regulated profession to retain for 10 years:

  • Identification documents of the client and UBOs
  • Internal analyses (AMLCO notes, risk assessments)
  • Documents of each significant operation
  • Alerts generated by monitoring (reported or not)
  • Reasoned non-reports (frequently forgotten)
  • Exchanges with the client on AML aspects
  • Log of AMLCO decisions
  • Trainings provided (program, certificates, scores)

For the detailed KYC file content to retain, see our dedicated article.

Start of countdown

This is where many err. The 10 years start at:

  • End of the business relationship for KYC and global analyses
  • Date of the last significant operation for transactional documents
  • CTIF report date for documents tied to that report

Example: a client onboarded on 1 January 2010, off-boarded 30 June 2026. The countdown starts 30 June 2026. You must retain everything until 30 June 2036 — in reality 26 years from file opening.

Admissible format

The law does not prescribe a specific format but requires:

Criterion 1 — Legibility

The document must be readable throughout the retention period. Avoid:

  • Proprietary formats (old DOCX, files specific to obsolete software)
  • Magnetic media (floppies, cassettes)
  • Paper retention on thermal (fades)

Prefer PDF/A (ISO 19005), recognized for long-term archiving.

Criterion 2 — Integrity

No modification after creation. If modified, tracked history:

  • TSA timestamp (Time Stamping Authority) on archiving
  • Separately-stored cryptographic hash
  • Qualified electronic eIDAS signature if signature is required

Criterion 3 — Authenticity

You must be able to prove a document is the one collected at the time. Method:

  • Creation metadata (author, date, source)
  • Chain of custody (who handled, when)
  • AMLCO electronic signature for internal documents

Criterion 4 — Accessibility

Extractable on authority request within 48 hours. If your archive is on offsite tapes, the deadline will be tight.

Document typeFormatTimestampSignature
Client ID copyPDF (scan)YesNo
BCE extractPDFYesNo
UBO cascadeGenerated PDFYesNo
AMLCO notePDFYeseIDAS
Risk assessmentPDF/AYeseIDAS management
Domiciliation contractPDF/AYesQualified eIDAS
CTIF reportgoAML XML copy + PDFYesNo (compartmentalized)
Decision logEncrypted DB + PDF exportYesNo

Articulation with GDPR

AML and GDPR may seem contradictory:

  • AML requires 10-year retention
  • GDPR requires retention limited to purpose

Solution: AML retention is a legal obligation under GDPR Article 6.1.c. It overrides the right to erasure.

To document in your GDPR processing register:

  • Legal basis: GDPR Article 6.1.c (legal obligation) + Article 60 of the Act of 18/09/2017
  • Purpose: AML/CTF compliance
  • Concerned categories of persons: clients, UBOs, directors, agents
  • Data categories: identity, address, photo (ID), financial information
  • Recipients: authorities (CTIF, SPF Economie, NBB, FSMA), service providers (RegTech, hoster)
  • Duration: 10 years after end of relationship
  • Security measures: AES-256 encryption, access limited to authorized persons, access log

Limited client rights

The client keeps GDPR rights but limited:

  • Access: they can ask what data you have
  • Erasure: denied while AML obligation applies
  • Restriction: denied for data useful to investigation
  • Rectification: possible for factual errors
  • Info on CTIF report: tipping-off prohibition

Information notice

The client must be informed at KYC:

  • Of the AML purpose of collection
  • Of the 10-year duration
  • Of their limited rights
  • Of the possibility of CTIF reporting (non-specific mention)

Format: integrated in domiciliation contract or annexed notice.

Controlled deletion at term

After 10 years, deletion is mandatory (unless pending litigation). Method:

  • Identification of files at end of retention (quarterly script)
  • Verification that no litigation, control or authority request is pending
  • Secure deletion (cryptographic erasure for digital, shredding for paper)
  • Traceability: what deleted, when, by whom, on what basis
  • Update of GDPR register
  • If litigation: extended retention until resolution + 5-year margin.

    What exactly to retain

    Exhaustive list per category:

    Identification

    • ID copies (both sides)
    • Dated BCE/KBO extracts
    • Company articles
    • Powers of representation
    • Documented UBO cascade

    Risk assessment

    • Matrix used (versioned)
    • AMLCO-signed risk grade per file
    • Written criteria justification

    Monitoring

    • List of generated alerts
    • Internal analyses
    • Decisions (report or not, motivation)

    CTIF

    • goAML report copy (XML)
    • CTIF acknowledgement
    • Transmitted context documents

    Ongoing surveillance

    • Annual review log
    • Reported events (UBO, director, sanction change)
    • Written client exchanges (limited to AML aspect)

    Governance and training

    • Versioned AML policy
    • AMLCO appointment minutes
    • Training program + certificates
    • Annual audit reports

    Frequent mistakes

  • 10 years from opening instead of "from end of relationship"
  • Paper retention without digitization: illegible at 10 years for thermal
  • No timestamping: integrity not demonstrable
  • No encryption: GDPR violation on breach
  • No access log: impossible to prove who consulted what
  • No GDPR notice to client
  • Undocumented deletion at term
  • No procedure for litigation (extended retention)
  • AML archiving mixed with other (HR, accounting): different durations
  • Non-EU hosting without standard contractual clauses
  • How Company Belgium handles retention

    Company Belgium's archiving module:

    • Automatic PDF/A for each critical document
    • TSA timestamp on AMLCO documents
    • AES-256 encryption at rest, TLS 1.3 in transit
    • EU hosting (GDPR-compliant)
    • Access log per user, document, date
    • Automatic 10-year countdown from end of relationship
    • Controlled deletion at term with proof
    • Integrated GDPR articulation: client notice, processing register
    • Full export on authority request in < 48 hours

    See also our RegTech landscape and Company Belgium support.

    Bottom line

    AML data retention rests on 3 pillars: 10 years from end of relationship, timestamped PDF/A format, GDPR articulation via Article 6.1.c (legal obligation).

    The classic trap: believing the countdown starts at file opening (when it starts at closing). The right reflex: automate the countdown in your RegTech tool, document every term-end deletion, and keep the client notice current.

    Frequently asked questions

    When does the 10-year AML data retention period start in Belgium?

    The 10-year countdown starts at the end of the business relationship, not at file opening. For transactional documents, it is the date of the last significant transaction. For documents linked to a CTIF report, it is the date of that report. A relationship opened in 2010 and closed in 2026 requires retention until 2036 — 26 years from opening.

    In what format must AML data be retained in Belgium?

    The law does not prescribe a specific format but requires legibility, integrity, authenticity and accessibility throughout the period. PDF/A (ISO 19005) is recommended for long-term archiving. Each document must be timestamped by a Time Stamping Authority (TSA), and important documents (risk assessments, AMLCO decisions) must be electronically signed to the eIDAS standard.

    Does AML data retention conflict with GDPR?

    No, both are reconcilable. AML retention is a legal obligation under GDPR Article 6.1.c, which overrides the client right to erasure. During the 10 years, the regulated entity may lawfully refuse any deletion request. It must, however, inform the client at KYC time of the retention duration, the AML purpose and their limited rights.

    What must happen at the end of the 10-year AML retention period?

    Deletion is mandatory unless a dispute is pending or an authority has made an access request. Deletion must be secure (cryptographic erasure for digital, shredding for paper), documented (who deleted what, when, on what basis) and noted in the GDPR processing register. In case of litigation, retention is extended until resolution plus a 5-year margin.

    Ready to get started?

    Create your free account and get your API keys in minutes.

    Comments

    Loading comments…

    Leave a comment

    Not published — used only to notify you.

    Comments are moderated before publication.

    Related articles