MiFID 2 has a retention period of 5 years, but that runs from when the customer relationship ceases. GDPR states that you should retain data no longer than is necessary; however, in line with the money laundering regulations, any KYC documentation needs to be retained for 5 years after the customer relationship ceases.
This essentially means that the data has to be held for 5 years after the customer’s account with the firm is closed and not just 5 years from when the customer makes the deletion request to the firm. GDPR allows for the money laundering regulations to take precedence here.