# Article 26 — Record retention **Source:** [Regulation (EU) 2023/1113 — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1113) 1. Information on the payer and the payee or on the originator and beneficiary shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7, and crypto-asset service providers of the originator and beneficiary shall retain records of the information referred to in Articles 14 to 16, for a period of five years. 2. Upon expiry of the retention period referred to in paragraph 1, payment service providers and crypto-asset service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law which determines under which circumstances payment service providers and crypto-asset service providers may or shall further retain such data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years. 3. Where, on 25 June 2015, legal proceedings concerned with the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing are pending in a Member State, and a payment service provider holds information or documents relating to those pending proceedings, the payment service provider may retain that information or those documents in accordance with national law for a period of five years from 25 June 2015. Member States may, without prejudice to national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings, allow or require the retention of such information or documents for a further period of five years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing. ## What this means in practice **Retention period: five years.** Article 26 requires PSPs and CASPs to retain the covered payer/payee or originator/beneficiary information for five years. Then: * **Deletion is mandatory** on expiry — unless a Member State has specifically extended retention under para 2. * **Extension up to a further five years** is at Member State discretion, but only after a documented necessity-and-proportionality assessment. The intermediary CASP retention obligation lives in [Art. 19](/tofr/transfer-of-funds-regulation/chapter-iii-casp-obligations/article-19-retention-of-information.md). The five-year baseline applies to originator-side and beneficiary-side records of [Arts. 14–16](/tofr/transfer-of-funds-regulation/chapter-iii-casp-obligations/article-14-information-accompanying-transfers-of-crypto-assets.md) information. ## Compliance checklist * [ ] Configure data systems with a **five-year retention clock** for covered transfer-information records. * [ ] Implement **automated deletion** at the five-year mark for any Member State that has not extended retention. * [ ] **Check national law** for retention extension — Member States vary; document the basis for any retention beyond five years. * [ ] Map retention to **GDPR storage-limitation** records (Art. 5(1)(e)) and the Art. 30 record of processing. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.mica.wtf/tofr/transfer-of-funds-regulation/chapter-v-information-data-protection-record-retention/article-26-record-retention.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.