Data Retention
Regulation And UK Law
As of January 2020, Bittylicious Ltd is now a "relevant person" for the purposes of retaining customer records under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (most recently amended end of 2019 to include all UK cryptoasset companies).
Here is the exact wording of the The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (or “MLR” for short):
PART 4 Reliance and Record-keeping (40)
- (1) Subject to paragraph (5), a relevant person must keep the records specified in paragraph (2) for at least the period specified in paragraph (3).
- (2) The records are—
- (a) a copy of any documents and information obtained by the relevant person to satisfy the customer due diligence requirements in regulations 28, 29 and 33 to 37;
- (b) sufficient supporting records (consisting of the original documents or copies) in respect of a transaction (whether or not the transaction is an occasional transaction) which is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.
- (3) Subject to paragraph (4), the period is five years beginning on the date on which the relevant person knows, or has reasonable grounds to believe—
- (a) that the transaction is complete, for records relating to an occasional transaction; or
- (b) that the business relationship has come to an end for records relating to—
- (i) any transaction which occurs as part of a business relationship, or
- (ii) customer due diligence measures taken in connection with that relationship.
- (4) A relevant person is not required to keep the records referred to in paragraph (3)(b)(i) for more than 10 years.
Industry Standards And Liability
Companies covered by this piece of UK legislation interpret this section to mean that failure to retain records for up to 10 years can result in civil and criminal liability for breach of the MLR, and therefore retention of records for 10 years has become both the industry standard and the expectation of the UK courts when investigating financial crime.
In reality, though a company might be found not to be in breach for destroying records between 5 and 10 years, they would have to argue this case in court, and risk losing their case as the legislation only explicitly protects them when they destroy records after 10 years, not 5.
This risk of criminal and civil liability is too great for other players in the industry (banks, etc), and is similarly too great for Bittylicious, now that all cryptoasset companies are obliged to comply with the same rules as other financial players (since January 2020).
GDPR Article 17 Right To Erasure
The GDPR specifically allows for instances where Article 17 (right to erasure) conflicts with other UK legislation, allowing for the other piece of UK legislation to take precedence, in this case the MLR. Article 17(3)(b) of the GDPR states that the right to erasure does not apply where processing is necessary "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject". To be clear, this provision of the GDPR means that in this case, the MLR takes precedence over the GDPR with respect to the right to erasure under GDPR Article 17.
This means that Bittylicious not only has the right, but has an explicit duty under UK law to retain these records for longer than used to be the case, before the cryptoasset industry was regulated and Bittylicious considered a "relevant person" under the MLR.
Standard GDPR right to erasure rules changed for Bittylicious as soon as it became a "relevant person" for the purposes of the MLR, along with all other UK cryptoasset companies, i.e. January 2020. This is why Bittylicious is now obliged to retain records for 10 years.