Maintenance of Records by Banks and Financial Institutions

Money laundering is, at bottom, a problem of concealment — and the most effective antidote to concealment is the audit trail. The Prevention of Money Laundering Act, 2002 (PMLA) therefore does not rely solely on prosecution after the fact; it builds a forward-looking, preventive architecture that conscripts the very institutions through which illicit money flows. Section 12, read with the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, casts statutory duties on every "reporting entity" — banking companies, financial institutions and intermediaries — to record, retain, verify and report transactions to the Financial Intelligence Unit-India (FIU-IND). This chapter unpacks those obligations clause by clause, the penalty regime in Section 13 that enforces them, and the constitutional gloss the Supreme Court placed on the scheme in Vijay Madanlal Choudhary v. Union of India. For the foundational scheme, see our introduction to the FATF recommendations and the genesis of the PMLA and the broader PMLA notes hub.

Why Record-Keeping Sits at the Heart of Anti-Money-Laundering Law

Laundering is a three-stage process — placement, layering and integration — and each stage leaves a documentary residue inside the formal financial system. A wire transfer, a cash deposit, a property registration: each is a node in a network that, if faithfully recorded, allows investigators to "reconstruct" the movement of tainted funds. The Financial Action Task Force (FATF), whose Forty Recommendations India committed to implement, treats customer due diligence and record-retention as the cornerstone of the global AML framework. India translated those standards into binding law through Chapter IV of the PMLA, the operative core of which is Section 12.

The genius — and the burden — of the scheme is that it deputises the private sector. Banks and financial institutions are not merely passive conduits; they are made the first line of detection, obliged to flag anomalies and preserve the evidentiary record long before any prosecution under Section 3 (the offence of money-laundering) is contemplated. The Supreme Court in Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1, expressly recognised this preventive, regulatory character, holding that the reporting and record-keeping machinery operates independently of, and as a complement to, the penal provisions of the Act.

Who Is a "Reporting Entity"? — Section 2(1)(wa)

The obligations of Section 12 attach to a "reporting entity," a term inserted by the Prevention of Money-Laundering (Amendment) Act, 2012 (Act 2 of 2013) and defined in Section 2(1)(wa) as "a banking company, financial institution, intermediary or a person carrying on a designated business or profession." Each of these limbs is separately defined: "banking company" under Section 2(1)(e) (incorporating the Banking Regulation Act, 1949), "financial institution" under Section 2(1)(l) (which folds in the definition under the Reserve Bank of India Act, 1934, and expressly includes chit-fund companies, co-operative banks, housing finance institutions and non-banking financial companies), and "intermediary" under Section 2(1)(n) (covering stock-brokers, sub-brokers, portfolio managers, registrars, depository participants and the like registered with SEBI).

The phrase "person carrying on a designated business or profession" — defined in Section 2(1)(sa) — extends the net beyond traditional finance to casinos, payment-system operators, dealers in precious metals and stones (when prescribed), and, controversially, certain professionals. Before drilling into the duties, it is worth consolidating the statutory vocabulary in our chapter on key definitions under the PMLA, since the precise contours of "financial institution" and "intermediary" determine who actually bears the Section 12 burden.

The Core Obligations — Section 12(1)

Section 12, headed "Reporting entity to maintain records" (the heading and structure substituted by Act 2 of 2013), imposes a cluster of duties. Stripped to essentials, Section 12(1) requires every reporting entity to:

(a) "maintain a record of all transactions, including information relating to transactions covered under clause (b), in such manner as to enable it to reconstruct individual transactions"; and

(b) "furnish to the Director within such time as may be prescribed, information relating to such transactions, whether attempted or executed, the nature and value of which may be prescribed."

Clause (c) required verification of the identity of clients; clause (d) (which dealt with maintaining records of identity) was omitted by the Finance (No. 2) Act, 2019 (Act 23 of 2019), with its substance migrating into a reframed clause; and clause (e) obliges the entity to "maintain record of documents evidencing identity of its clients and beneficial owners as well as account files and business correspondence relating to its clients." The recurring phrase "as to enable it to reconstruct individual transactions" is the doctrinal hinge: the standard is not mere storage but retrievable, audit-ready completeness.

Confidentiality and the Good-Faith Shield — Section 12(2)

Reporting suspicious activity about one's own customer is commercially delicate and legally fraught — it risks both a breach-of-confidence claim and a "tipping-off" that defeats investigation. The PMLA addresses this through Section 12(2), which mandates that "every information maintained, furnished or verified, save as otherwise provided under any law for the time being in force, shall be kept confidential." Complementing this, the statutory and regulatory scheme — and the parallel structure familiar from the Banking Regulation framework — extends a good-faith immunity: a reporting entity, its directors and employees who furnish information to the Director in good faith are protected from civil or criminal proceedings for that disclosure.

This immunity is indispensable. Without it, the duty to report under Section 12(1)(b) would collide head-on with the banker's duty of secrecy recognised since Tournier v. National Provincial and Union Bank of England, [1924] 1 KB 461. The PMLA resolves the tension in favour of disclosure to the regulator, while preserving confidentiality vis-a-vis the world at large — a balance the Supreme Court found constitutionally unobjectionable in Vijay Madanlal Choudhary.

How Long Must Records Be Kept? — Section 12(3) and (4)

A record is only as useful as its availability when an investigation finally crystallises — which may be years after the transaction. The PMLA therefore prescribes minimum retention periods. Section 12(3) provides that the transaction records under clause (a) "shall be maintained for a period of five years from the date of transaction between a client and the reporting entity." Section 12(4) separately provides that the identity and account-file records under clause (e) "shall be maintained for a period of five years after the business relationship between a client and the reporting entity has ended or the account has been closed, whichever is later."

The distinction is deliberate. Transaction data is anchored to the date of the transaction; customer-identity data is anchored to the end of the relationship — because a dormant or closed account remains a potential evidentiary thread for half a decade after closure. The earlier statutory period was ten years; it was rationalised to five years by the 2017 amendment to align with international practice. Section 12(5) empowers the Central Government, by notification, to exempt any reporting entity or class of entities from any obligation under the section.

The practical significance of the bifurcated clock is that investigators routinely arrive late. A predicate scheduled offence may surface years after the laundering layer was executed; by anchoring identity records to the close of the relationship rather than to any single transaction, the legislature ensures that the "who" behind a closed account survives long enough to be traced even when the "what" of an individual transaction has aged. Reporting entities must therefore design retention systems that segregate the two streams, because a uniform deletion policy keyed only to the transaction date will, for closed accounts, destroy identity records prematurely and expose the entity to a Section 13 penalty.

Access to Information and Enhanced Due Diligence — Sections 12A and 12AA

Two provisions inserted by later amendments deepen the verification obligation. Section 12A, introduced by the Finance Act, 2018, empowers the Director to call for records and information from any reporting entity for the purposes of the Act, and obliges the entity to furnish them within the prescribed time. This converts the passive record-keeping duty into an active, on-demand disclosure obligation enforceable by the Director.

Section 12AA, also inserted by the Finance Act, 2018, prescribes "enhanced due diligence." Before commencing a "specified transaction" or a business relationship in respect of one, the reporting entity must (a) examine the ownership and financial position of the client; (b) record the purpose behind the transaction; and (c) take reasonable measures to ascertain the source of funds. Where the entity fails to comply, Section 12AA(3) directs that it shall not allow the specified transaction to be carried out. These provisions move Indian law decisively towards the risk-based approach mandated by the FATF, layering graduated scrutiny on top of the baseline customer due diligence found in the 2005 Rules.

The Operative Detail — Rule 3 of the 2005 Rules

Section 12 is a skeleton; the flesh is in the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, framed under Section 73. Rule 3 enumerates the categories of transactions of which a reporting entity must maintain records:

(A) all cash transactions of the value of more than ten lakh rupees, or its equivalent in foreign currency; (B) all series of cash transactions integrally connected to each other which have been individually valued below ten lakh rupees where such series of transactions have taken place within a month and the monthly aggregate exceeds ten lakh rupees; (BA) all transactions involving receipts by non-profit organisations of value more than ten lakh rupees; (C) all transactions where forged or counterfeit currency notes or bank notes have been used as genuine; (D) all suspicious transactions whether or not made in cash; (E) all cross-border wire transfers of more than five lakh rupees (or equivalent); and (F) all purchase and sale of immovable property valued at fifty lakh rupees or more.

A "suspicious transaction" is defined widely in Rule 2(1)(g) as one which, to a person acting in good faith, gives rise to a reasonable ground of suspicion that it may involve proceeds of crime, appears to be made in circumstances of unusual or unjustified complexity, appears to have no economic rationale or bona fide purpose, or gives rise to a reasonable ground of suspicion that it may involve financing terrorism — a definition that consciously casts a wide net.

CTRs, STRs and the Reporting Machinery — Rules 7 and 8

Recording is one duty; reporting to FIU-IND is another. Rule 7 requires every reporting entity to appoint a "Principal Officer" responsible for furnishing information to the Director, and a "Designated Director" on whom ultimate accountability for compliance rests. Rule 8 then fixes the timelines. The Cash Transaction Report (CTR) — capturing categories A, B, BA, C and E — must be furnished to the Director by the 15th day of the month succeeding the month of the transactions. The Suspicious Transaction Report (STR), by contrast, must be furnished promptly and in any event not later than seven working days from the date the entity is satisfied that the transaction is suspicious.

The asymmetry is purposeful: routine high-value transactions are reported on a periodic calendar, but suspicion triggers a near-immediate alert so that the FIU and law-enforcement agencies can act before the funds are layered away. Rule 9 separately codifies the client due diligence (CDD) and beneficial-ownership identification obligations, including the Aadhaar/officially-valid-document verification regime, which dovetails with the identity-record duty under Section 12(1)(e).

Enforcing Compliance — Section 13 and the Director's Powers

Obligations without sanctions are exhortations. Section 13 supplies the teeth. Under Section 13(2), where the Director — in the course of an inquiry — finds that a reporting entity, its designated director on the Board, or any of its employees has failed to comply with the obligations under Chapter IV, the Director may (a) issue a warning in writing; (b) direct such reporting entity, director or employee to comply with specific instructions; (c) direct it to send reports at prescribed intervals on the measures taken; or (d) "by an order, impose a monetary penalty on such reporting entity or its designated director on the Board or any of its employees, which shall not be less than ten thousand rupees but may extend to one lakh rupees for each failure."

Two features deserve emphasis. First, the penalty is calibrated per failure — so a systemic breach affecting thousands of transactions can aggregate into a very large figure. Second, Section 13(1) and (1A) frame the Director's power to inquire (either suo motu or on a reference) into compliance, making the Director both the supervisor and the adjudicator at first instance, subject to appeal. Section 13(3) clarifies that proceedings under the section are without prejudice to any other action that may be taken under the Act.

Section 13 in Practice — The FIU-IND Penalty Orders

The Section 13 power is no dead letter. In an order dated 1 March 2024, FIU-IND, exercising power under Section 13(2)(d), imposed a monetary penalty of Rs. 5,49,00,000 (five crore forty-nine lakh rupees) on Paytm Payments Bank Limited for violations of its obligations under the PMLA read with the 2005 Rules. The review was triggered by information from law-enforcement agencies that the proceeds of illegal operations — including online gambling — were being routed through accounts maintained with the bank, and FIU-IND found that the entity had failed in its reporting and record-keeping duties.

Comparable orders have been passed against other banks and intermediaries, underscoring that the per-failure penalty structure makes systemic compliance lapses commercially significant. These administrative actions sit alongside, and are distinct from, parallel regulatory penalties (for instance by the Reserve Bank of India under the Banking Regulation Act) — illustrating the layered supervisory environment in which reporting entities operate.

Constitutional Validity — Vijay Madanlal Choudhary

The reporting and record-keeping scheme survived constitutional scrutiny in Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1 (decided 27 July 2022). The three-judge Bench (Khanwilkar, Dinesh Maheshwari and C.T. Ravikumar, JJ.) upheld the broad architecture of the PMLA, including the obligations cast on reporting entities. The Court characterised the Chapter IV machinery as a preventive, regulatory mechanism — a compliance regime calibrated to detect and deter laundering at source — rather than a penal one, and therefore not offensive to Articles 14, 20 or 21.

Significantly, the Court harmonised the reporting duty with privacy and confidentiality concerns by noting the statutory confidentiality safeguard in Section 12(2) and the good-faith protection extended to entities that disclose to the Director. While the judgment is best known for its rulings on Sections 3, 5, 19, 24, 44 and 45, its endorsement of the preventive record-keeping framework is the doctrinal anchor for everything in this chapter. The review petition against Vijay Madanlal remains pending before a larger Bench on discrete issues, but the validity of the Section 12 scheme has not been disturbed.

Records as Evidence — Judicial Treatment

The evidentiary payoff of meticulous record-keeping is visible across PMLA jurisprudence. In adjudication and attachment proceedings, the bank and intermediary records furnished to FIU-IND frequently supply the documentary spine on which a "reason to believe" under Section 5 (provisional attachment of property) is built. In J. Sekar v. Union of India, (2018) 246 DLT 610, the Delhi High Court scrutinised the "reason to believe" standard for provisional attachment, reinforcing that the Directorate's belief must be grounded in tangible material — material that, in practice, is largely assembled from the transaction trail that Section 12 compels entities to preserve.

Records maintained under Section 12 are also admissible as bankers' books under the Bankers' Books Evidence Act, 1891, and increasingly under the electronic-records regime, giving the prosecution a reliable, contemporaneous evidentiary foundation. Because these records are generated in the ordinary course of business and contemporaneously with the transaction, they carry a strong presumption of authenticity and are difficult for an accused to dislodge — which is precisely why the State leans on them so heavily. The chain therefore runs unbroken: a transaction is recorded (Section 12(1)(a)), reported (Rule 8), used to ground attachment (Section 5) and adjudicated (Section 8), and finally relied upon at trial. A break anywhere in that chain — most often at the recording stage — is the gap through which laundered money escapes detection, which is the structural reason the legislature placed the heaviest preventive burden at the very front. For the next link, see our chapter on the Adjudicating Authority.

Interplay with Other Statutory Duties and the Wider Scheme

Section 12 does not operate in a vacuum. A banking company is simultaneously bound by the RBI's Know-Your-Customer (KYC) Master Directions, by SEBI's AML guidelines (for intermediaries) and by sector-specific advisories — all of which the PMLA Rules expressly incorporate by requiring compliance with directions issued by the regulator. The practical compliance burden is therefore cumulative, and a single lapse can simultaneously attract a Section 13 PMLA penalty and a regulatory penalty under the parent statute, as the Paytm episode demonstrated.

Viewed structurally, the record-keeping duty is the preventive front end of a continuum that ends in the penal back end. A failure to maintain records does not itself constitute the offence of money-laundering, but it cripples the State's ability to prove that offence and to trace proceeds of crime — which is why the legislature backed it with administrative penalties rather than leaving it to the criminal courts. For how the offence and its consequences operate at the far end, see punishment for money-laundering under Section 4.

Exam Takeaways and Common Pitfalls

For judiciary and CLAT-PG aspirants, a handful of precise points reliably distinguish a strong answer. First, get the section numbers right: the duty to maintain and furnish records is Section 12; the retention periods are in Section 12(3)–(4) (five years, measured differently for transactions versus identity records); the enforcement power is Section 13, with the penalty band of Rs. 10,000 to Rs. 1,00,000 "for each failure." Second, remember that the operative detail — the ten-lakh cash threshold, the five-lakh cross-border threshold, the CTR-by-the-15th and STR-within-seven-working-days timelines — lives in the 2005 Rules, not the bare Act.

Third, the standard for record-keeping is reconstruction, not mere storage. Fourth, do not confuse the "reporting entity" (the institution under Section 12) with the "reporting officer" — the relevant functionaries under the Rules are the Principal Officer and the Designated Director. Finally, cite Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1, for the proposition that the reporting and record-keeping regime is a valid preventive mechanism distinct from the penal provisions — a one-line citation that signals command of the subject.