Records management with 360 Documents

Product features

Conformance with ISO 15489-1:2016 and GeBüV

Swiss legal retention periods in the banking sector for clarifications and documents supporting the executed transactions under the Anti-Money Laundering Act (AMLA)


Last update: 6 October 2025

"The electronic storage of documents must meet the requirements of the Swiss Ordinance on Business Records. If the server used is not located in Switzerland, the FI must have up-to-date physical or electronic copies of the relevant documents in Switzerland" (Art. 74 para. 4 AMLO-FINMA)

Definition and typology


What needs to be archived


Swiss financial intermediaries are required under Art. 74 para. 1 OBA-FINMA ("Obligation to prepare and retain documents") to retain and archive the following supporting documents:


  • All documents used to identify the contracting partner
  • A written declaration by the contracting party regarding the identity of the controlling person or the beneficial owner (Forms A and K)
  • A written note on the results of the application of the criteria for identifying business relationships with increased risks ("customer risk scoring")
  • A written note or the documents containing the findings of the additional investigations into business relationships or transactions with increased risks
  • The documents underlying the executed transactions
  • A copy of all suspicious activity reports (SARs) filed with the Money Laundering Reporting Office Switzerland (MROS), in addition to all records ("MROS case file") related to those reports (Art. 34 para. 1 AMLA)
  • A list of all business relationships subject to the Swiss AML Act


Ongoing due diligence


In accordance with Art. 7 para. 1bis AMLA, "the financial intermediary must periodically check the required records to ensure that they are up to date, and update them if need be. The periodicity, scope and type of checking and updating are based on the risk posed by the customer".


Legal retention periods


In Switzerland, the retention period for AML records is 10 years starting with the termination of the business relationship or the completion of the transaction (ibid., para. 3).


The legal retention period for MROS records is 5 years starting from the successful filing of the report to the reporting office (Art. 34 para. 4 AMLA).


Storage location


While ordinary Swiss companies can retain their accounting documents (apart from the share register and its equivalents) in foreign data centres, FINMA-regulated financial institutions must store the above records and file notes "in a secure location in Switzerland that is accessible at all times" (Art. 74 para. 3 AMLO-FINMA).


It should be noted that "if the server used is not located in Switzerland, the financial intermediary must have up-to-date physical or electronic copies of the relevant documents in Switzerland" (ibid., para. 4).


Note that all records relating to compliance with the duty to report ("MROS case file") must be stored in a separate dedicated case file (Art. 34 para. 1 AMLA). Because their retention period is shortened to five years for reasons of data privacy, electronic records management systems must store those records on a separate data carrier or hard drive and must not mix them with other archivable records during automated backup or archiving processes. Otherwise, it will be virtually impossible to destroy the MROS case file without compromising the integrity of the other records or even rendering them unusable.


Information architecture


In accordance with Art. 22 AMLO-FINMA, "[FIs] shall prepare, organize, and store their documentation in such a way that one of the following authorities or persons can form a reliable judgement within a reasonable period of time on compliance with the obligations to combat money laundering and terrorist financing:


  • FINMA
  • an auditor appointed by FINMA
  • an investigator appointed by FINMA
  • an audit firm approved by the Federal Audit Oversight Authority
  • the supervisory organization


FIs shall prepare, organize, and store their documentation in such a way that they can comply with requests for information and confiscation requests by law enforcement authorities or other authorized bodies within a reasonable period of time, providing the necessary documents".

Quick start

  • Ingestion: Upload, Outlook, scanner
  • OCR technology: text recognition
  • Indexation along your folder structure
  • Full-text search with results highlighting

Product features of 360 Documents

Business logic


  • Capture documents and associated metadata: Via simple upload, drag & drop from Outlook, bulk scanning or via API calls
  • Support of over 100 file extensions: Ingest and display documents in commonly used file formats
  • File sharing: Give internal and external access, set passwords and link expirations
  • Capture email attachments: As linked records or as a single compound record
  • Import digital records and associated metadata: Migrate directly from an external application, either in bulk or individually
  • Date of origination: When migrating, set a retention trigger predating a record's creation in 360 Documents
  • Link workflows associated with records: Annotate records, validate metadata, post "To do" entries, sign with Swiss and EU electronic signatures
  • Duplicate records: Use them in multiple business contexts (for example, in both the accounting and HR department)
  • Lifecycle management: Produce reports on records capture, usage and disposal
  • Website archiving

Usability


  • Hands-on in-app documentation in 4 languages, including the foundations of records management
  • Full-text enterprise search: Advanced filtering, keyword and synonyms search in EN, DE, FR, IT
  • OCR and business data extraction: Industry-leading computer vision stack with high confidence scores
  • Data extraction at scale: Automatically detect and capture pre-existing metadata
  • Automatic document recognition: Detect over 30 document types (invoices, Swiss QR bills, IDs, tickets)
  • Business intelligence: Translate, summarize and question PDFs across all major LLMs
  • Contextual metadata service: Define and capture custom metadata
  • Metadata templates: Capture entity metadata according to one or several pre-determined templates
  • Validate custom metadata values against syntactical standards (booleans, enums, numbers, strings, URLs, phones, timestamps)
  • Classification service: Associate records and folders to their business context (for example, Accounting, HR, Sales, AML, etc.)
  • Create, manage and maintain business classes

Regulatory


  • Global compliance: ISO 15489-1:2016, ISO 16175-1:2020, DoD 5015.2-STD, MoReq2010
  • Swiss compliance: CO, GeBüV, FADP, eCH-0026, eCH-0038, eCH-0160, eCH-0164 (Swiss disposal schedules come preconfigured)
  • Disposal scheduling service: Allocate legal retention periods for records and folders, modify and replace existing disposal schedules to meet new legal or business demands
  • Retain residual metadata after record disposal: As stipulated by applicable jurisdictional standards
  • FADP compliance: Comply with Art. 25 et seq. of the Swiss Data Protection Act ("Rights of the Data Subject"), especially in terms of being able to provide information about "the retention period for the personal data"
  • Legal holding service: Pause record disposal preventing records from being disposed of during lawsuits, audits or governmental inquiries
  • Transfer records of continuing value together with their metadata to a public archive
  • Retention triggers: date of creation / origination, from last addition to folder timestamp, from folder closed timestamp, customized triggers

Security


  • User and user group service: Apply security and access restrictions at record, folder, document type and business class level, ensuring that only authorized agents can access records
  • Historical user data: Trace all actions of all past users of 360 Documents
  • Model role service: Assign user roles choosing from over 200 function definitions (FND)
  • Security logging: Create and maintain access, usage and security metadata, generating event logs for each system interaction
  • Object lock: Protect records from any alteration at network level
  • Generate checksums to support integrity and duplicates detection
  • Authenticate users via 2FA before giving access
  • Perform malware detection when uploading files
  • Swiss data centers in compliance with ISO 27001 and FINMA requirements
  • 3-2-1 backup: Regular offline backups on tape in Switzerland to protect against ransomware

Related reading



360core archiving Add-in on Microsoft AppSource

FINMA (2023) Anti-Money Laundering Ordinance-FINMA

FINRA (2017) Regulatory Notice 17-18. Social Media and Digital Communications. Guidance on Social Networking Websites and Business Communications

Dieter Pfaff, Ruud Flemming (2019) Schweizer Leitfaden zum Internen Kontrollsystem (IKS)

Swiss Banking Ombudsman (Case number 2017/26) Time limits for retaining and providing bank documents
