Wwft 5-year retention for client investigation: what comes after?
The Wwft (the Dutch anti-money-laundering and counter-terrorism financing act) requires banks, financial advisers, accountants, notaries, lawyers and other gatekeepers to perform client investigation. That investigation produces files with identification data, UBO extracts, risk assessments and transaction monitoring. Article 33 Wwft requires that the data be kept for 5 years after the end of the business relationship or transaction. And after that? Then the file has to go, unless another law requires a longer period. This article explains how that works in practice.
Audience: compliance officers, office managers, partners at accountancy, law and notarial firms, financial advisers and banks.
What does article 33 Wwft require, exactly?
The text is unambiguous. Institutions keep the following data in an accessible manner for five years from the moment the business relationship ends or the transaction is executed:
- Copies of the documents by which the client was identified
- Data on the nature, time and scale of the transaction
- Data on the client's risk profile
- Data on the purpose and intended nature of the business relationship
- Records relating to the transaction
The 5-year period is a retention duty, not a maximum. But as soon as the 5 years are up and no other law prescribes a longer period, GDPR article 5 (storage limitation) requires destruction.
Start of the 5 years: end of relationship or end of transaction
The period starts on the latest of:
- Date on which the business relationship ends (termination, bankruptcy, takeover, forced termination)
- Date on which the last relevant transaction was executed
For a client of 8 years who closed in 2020, the Wwft period runs until 2025. For an incidental transaction in 2020 without an ongoing relationship the period also runs until 2025. For a relationship ended in 2020 with a follow-up transaction in 2023: until 2028.
The calendar only starts when all relevant actions are completed. Anyone miscounting can cheerfully destroy 3 years too early, and then it is a different kind of Wwft breach.
Interplay with other laws
A client file at a notary, lawyer or accountant usually contains more than just Wwft documents. The most common overlaps:
- Tax retention duty (AWR art. 52): 7 years. At an accountant that means the client's annual accounts are kept for 7 years, even though Wwft would allow destruction after 5.
- Wft and MiFID II: 5 to 7 years for investment advice. Often 7 years held for coherence.
- Professional liability: civil-law periods (up to 20 years for hidden defects). In practice files are often held for 10 years, labelled as liability evidence.
- NOvA rules of conduct and KNB: their own file-retention rules for lawyers and notaries. See our article on NOvA rules of conduct and file handling.
In practice many firms split the file into a Wwft part (strictly 5 years) and a substantive file (sometimes 7 or 10 years). After the Wwft period the Wwft portion is separated and destroyed.
What does "kept accessibly" mean?
The law requires it "in an accessible manner". That is to say:
- Within a reasonable period able to be presented to DNB, AFM, BFT or the Tax Authority (usually within a few working days).
- Integrity: the document must not be capable of being manipulated without an audit trail.
- Readable: no outdated file formats that nobody can open any more.
- Available: not on a tape in an archive that only becomes accessible after weeks of searching.
An archived PDF in a DMS with access control suffices. A box in a basement where nobody knows where the key is no longer does.
Destroying after 5 years: the procedure
As soon as the period expires and no overlap argument remains:
- Make a list of files to be destroyed per client number.
- Have a second pair of eyes (compliance officer or DPO) validate the list.
- Destroy paper to DIN 66399 P-5 (special category because of identification documents).
- Destroy digital media at E-4 or E-5 if scanned documents are on USB or external storage.
- Have a certificate drawn up stating number of client numbers, period, date, method and DIN level.
- Keep the certificate for at least 5 years as evidence for the supervisor.
Wwft files past their retention period?
We come to your office, destroy paper and data carriers to DIN 66399 P-5 and E-5, and deliver a certificate per job. Rush within 24 hours also possible for audits or takeovers.
Request a quotePractice by sector
Banks
Almost entirely digital. KYC files live in dedicated systems. Destruction translates into a controlled purge with audit log. Physical destruction only for backup tapes and old scan archives. See also clearing out backup tapes.
Notaries
Deeds themselves have their own retention regime (100 years under the Wna). Wwft investigation is a separate file. After 5 years the Wwft research portion may go, even if the deed remains. See notarial practice and the KNB audit.
Lawyers
NOvA rule of conduct 16 requires careful retention and archiving. Often 7 to 10 years is followed. Wwft documents can be destroyed as a sub-file after 5 years provided they are separable.
Accountants
NBA regulations, 7-year tax, civil-law periods. Often the whole file is kept for 7 years and destroyed in one go.
Financial advisers and insurers
Wft has its own rules (5 to 7 years). Often overlapping with MiFID II and AFM rules.
Fines on error
Destroying too early (before 5 years are up): fine under Wwft from DNB, AFM or BFT. Fines run from 5,000 to 5 million euro depending on the institution and severity.
Destroying too late (5 years plus no reason held longer): fine under the GDPR from the Dutch Data Protection Authority. Up to 20 million euro or 4 per cent of annual turnover.
The only safe path is planning on time. Read also our retention periods cheatsheet for a total overview.
Planning an annual destruction round? Call us or request a quote via desnipperaar.nl. We help think about classification, volume and scheduling.