Guernsey document and records retention
07 March 2017
Over recent years, businesses and employers in Guernsey (as in the rest of the world) have come under increased pressure from legislators and regulators alike to take steps to combat financial crime, including money laundering and terrorist financing. Some of the measures introduced to counter these threats include a drive towards more comprehensive record keeping, and various laws have now been passed requiring businesses and employers to retain certain records/documents for a prescribed period of time (amongst other things), so that they may be provided to law enforcement officers if required. On the other hand, where records contain personal data, businesses are obliged to comply with general data protection principles, including the requirement not to keep personal data for any longer than is necessary.
With these conflicting tensions in mind, this briefing aims to summarise the minimum obligations imposed upon businesses and employers by the relevant Guernsey enactments and the possible consequences for failing to adhere to the same. It also looks at the general considerations which businesses ought to bear in mind when considering how and for what length of time to keep documents and records.
The key sources of the various obligations are:
- Financial services regulations and anti-money laundering/combating terrorist financing ('AML/CFT') legislation, including The Criminal Justice (Proceeds of Crime) (Financial Services Businesses) (Bailiwick of Guernsey) Regulations, 2007 (the 'Regulations'), which should be read in conjunction with the Guernsey Financial Services Commission Handbook for Financial Services Businesses on Countering Financial Crime and Terrorist Financing (the 'Handbook');
- Companies and accounting law including The Companies (Guernsey) Law, 2008 (the 'Companies Law');
- Data protection law emanating from The Data Protection (Bailiwick of Guernsey) Law, 2001 (the 'Data Protection Law'); and
- Practical considerations relating to document and record management and potential future litigation.
Generally speaking, by retaining documents for at least 6 years, businesses will ensure that any prescription periods are covered and that the requirements under the various rules and regulations are met.
We set out below a more detailed analysis of the legal requirements and conclude with some key points on risk management and document storage.
Financial Services Regulations and AML/CFT Legislation
Under Regulation 14 of the Regulations Financial Services Businesses ('FSBs'), are required to keep certain documents/records for a prescribed period of time.
Pursuant to Regulation 14(4)(b), documents and CDD which FSBs are required to keep may be stored in any manner or form provided they are readily retrievable and made available promptly when required, whether by an auditor or an enforcement officer or some other person where such documents or CDD are requested pursuant to the Regulations.
In addition to the above, FSBs in Guernsey are required, pursuant to section 7 of the Transfer of Funds (Guernsey) Ordinance, 2007, to keep records of any wire transfers for a period of 5 years from the date of the transfer of funds.
There are both criminal and regulatory sanctions for non-compliance.
Criminal Sanctions for Non-Compliance
Under Regulation 17(1), any person who contravenes the requirements under Regulation 14 shall be guilty of an offence and liable:
- on conviction on indictment, to imprisonment not exceeding a term of 5 years or a fine or both; or
- on summary conviction, to imprisonment for a term not exceeding 6 months or a fine not exceeding level 5 on the Uniform Scale or both.
Body corporates and partnerships (or an unincorporated association other than a partnership) are punishable under paragraphs (2) to (4) of Regulation 17, together with, in the case of a body corporate, any director, manager, secretary (or other similar officer) or member of that body corporate who is proved to have been involved in the commission of the offence or, in the case of a partnership, any partner or a person concerned in the management of control of the association who is proved to be so involved.
Regulatory Sanctions for Non-Compliance
For regulated and unregulated FSBs, failure to meet the above requirements will be taken into account by the GFSC when considering whether to renew their licence/registration.
The GFSC also has the power, under section 11D of the Financial Services Commission (Bailiwick of Guernsey) Law, 1987, to impose a discretionary financial penalty of up to £200,000(1) where it is satisfied that a licensee, former licensee or relevant officer:
- has contravened in a material particular a provision of, or made under the 'prescribed laws'; or
- does not fulfil any of the minimum criteria for licensing specified in the regulatory laws and applicable to the party.
The prescribed laws include the regulatory laws administered by the GFSC, the Regulations (mentioned above) and all other Guernsey AML/CFT legislation (and regulations and rules made under these laws). Financial penalties can therefore be imposed across the range of regulated and supervised activities.
The GFSC may also, where it comes across a suspected or apparent breach of the prescribed laws, refer the matter to Her Majesty's Procureur or directly to the law enforcement agencies – the Guernsey Police or the Guernsey Border Agency. A decision whether to commence an investigation and/or bring criminal charges is a matter solely for H. M. Procureur.
Similar provisions to those set out above apply to lawyers, accountants and estate agents under the Criminal Justice (Proceeds of Crime) (Legal Professionals, Accountants and Estate Agents) (Bailiwick of Guernsey) Regulations, 2008. The maximum penalty for contravention of this legislation is imprisonment for five years or an unlimited fine, or both.
Companies and Accounting Law
Under section 228 of the Companies Law, companies are required to keep records of resolutions of members (passed otherwise than at a general meeting), minutes of general meetings and details of any decisions taken by a sole member (in accordance with section 230) for at least 6 years after the date of the resolution, meeting or decision (as appropriate). Where a company fails to comply with this requirement, it is guilty of an offence. As an officer of the company, a director becomes responsible for ensuring these duties are satisfied and could therefore be held personally liable for a breach of these requirements.
Under The Income Tax (Keeping of Records, etc) (Amendment) Regulations, 2012:
Records must be kept of all amounts received, arising or accruing and from whom they were received, arose or accrued, and the periods to which the amounts relate. Documents which contain or may contain information relevant to any liability to tax to which that person may be subject, or the amount of any such liability, also have to be retained, together with the supporting documents relating to the same, including (without limitation) accounts, contracts, leases, licenses or other agreements, vouchers and receipts.
Documents referred to above must be kept for a period of 6 years, where the documentation relates to the income of a trust or foundation; for 6 years if the person concerned is a legal person (such as a company); and two years in any other case.
In each of these cases, the period for which records have to be retained runs from the end of the year in which the relevant income tax return is submitted, or where no such return is required to be submitted, from the end of the year in which the record or document was created, received or obtained.
A person who fails without reasonable excuse to comply with the above requirement is liable to a penalty of £2,500 or, upon summary conviction, to a fine not exceeding level 5 on the uniform scale (£10,000).
Section 239 of the Companies Law requires accounting records (and, where returns are sent, returns) to be kept by the company for a period of at least 6 years after the date on which they were made. Where a company fails to comply with this requirement, it is guilty of an offence.
Data Protection Law
Under the Data Protection Law, employees can write to their employers to request a copy of the information held about them, as well as a description of why the information has been processed, anyone it may have been passed to or seen by, and the logic involved in any automated decisions. Employers must reply within 60 days and a fee of no more than £10 can be charged by the employer.
As a matter of general prudence, employers should keep records for all members of staff for a minimum of 3 years after the employment ends, partly due to the potential for future litigation (see below). There is also a specific requirement under The Health and Safety at Work (General) (Guernsey) Ordinance, 1987 for employers to make and keep for 3 years a record of any accidents suffered by an employee at work (as set out at section 9 of the Ordinance). Additional employee information which should be kept on record includes:
- job title;
- place of work;
- date of birth;
- date employment started;
- Right to Work document reference number; and
- Right to Work document expiry date, if any.
Personnel records are likely to contain confidential information and 'personal data'. Under the Data Protection Law, 'personal data' means data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The Data Protection Law requires all organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. Serious breaches of the Data Protection Law can lead to criminal prosecution and, on summary conviction, a fine not exceeding £10,000 or, on conviction on indictment, imprisonment and/or an unlimited fine.
Risk Management and Potential Litigation
In Guernsey, the prescription period for most claims based on breach of contract or tort is 6 years (with the exception of fatal accident and personal injury cases, which have a 3 year prescription period, hence the requirement for employers to retain employee records for a minimum of 3 years).
It is therefore sensible for businesses to keep documents which may be relevant in litigation for at least 6 years, although there may be circumstances where it is not only wise, but it may also be required, for one reason or another, to keep documents longer than this. Businesses are required to exercise their own judgment in such matters.
For instance, most original deeds should be kept indefinitely - and certainly for at least 20 years from the date on which they were executed, for example on account of the prescription period for actions in respect of land being 20 years. Certain types of action against trustees have no prescription period.
When considering where, and how, documents are to be stored, the following considerations are likely to be relevant:
- Space/cost - physical documents take up a great deal of space, and the cost of retaining physical documents either on site or off site can be significant. One alternative is to convert hard copy documents (other than original deeds) into soft copy documents which can be stored on mass storage devices or on offsite servers. However, businesses should consider whether keeping documents other than in original paper form could pose legal evidential difficulties, for example, in civil court proceedings. Regard should also be had to possible data protection issues (as outlined below) and also how quickly documents can be accessed/retrieved given the requirement under the Regulations for certain documents to be readily retrievable and made available to law enforcement officers as and when required;
- Security from fire and/or theft - certain documents (such as original deeds) should be kept in a safe and secure location, such as a locked safe;
- Confidentiality and data protection, particularly as regards sensitive information including 'personal data' - in view of the potential consequences under the Data Protection Law, sufficient consideration must be given to whether a proposed storage location and provider is appropriate. Cloud storage for instance offers certain cost and productivity gains but could be a security nightmare unless data is adequately encrypted.
Citations and References
- The Guernsey Financial Services Commission provides Guidance on the AML/CFT framework which applies to Financial Services Businesses and Prescribed Businesses
- The Companies (Guernsey) Law, 2008
- Income Tax (Keeping of Records, etc) (Amendment) Regulations, 2012
- The Data Protection (Bailiwick of Guernsey) Law 2001
- Criminal Justice (Proceeds of Crime) (Legal Professionals, Accountants and Estate Agents) (Bailiwick of Guernsey) Regulations 2008
 The former Policy Council has recommended that the maximum level of fine available to the GFSC for licensees and former licensees (other than personal fiduciary licensees) be increased from the current level of £200,000 to £4,000,000 (with any fine over £300,000 being limited to a maximum of 10% of the turnover of the licensee/former licensee in question and the maximum level of fine for relevant officers and personal fiduciary licensees be increased to £400,000 (with an additional criterion required to be considered by the GFSC being the emoluments arising in respect of the relevant officer's (or personal fiduciary licensee’s) position) - see Billet D'Etat V of 2016.