Record Retention-Someone Please Give Me Some Guidelines!

Financial institutions and other organizations are right in the middle of one of the highest risk areas imaginable…..Record Retention. Depending on the type of organization, risk mitigation varies and, when you stop to think about it, financial institutions may face the greatest challenge when managing record retention risks because nearly every document a financial institution touches contains sensitive customer information.

We have entered into an age where not only paper documents require retention, but so does the content of social media ( texts; instant messaging; electronic mail (email) messages (and their attachments); web site contents; etc.). Record retention has come a long way since the first records were preserved on a basalt slab (the Rosetta stone was carved by the Egyptians in 193 B.C. and contains three different types of script: hieroglyphs; Demotic; and Greek), or has it? The Egyptians had it fairly easy when you stop to consider all of the government regulations and compliance requirements surrounding record retention in our time.

In today’s world, most information received and/or created, is done so electronically. Remember when records were kept on paper and it seemed as though paper would overtake all aspects of our lives? Well, get ready for data documentation in electronic format.

Companies, including financial institutions, have for the most part kept up with the changes and most, if not all organizations use an electronic format to save data. Records are easily stored in electronic form and this method of storage allows for easy retrieval and reduces the need for large amounts of secured “brick and mortar” storage space.  Electronic records can be stored indefinitely and for much less expense.  While record retention and records management can be quite a challenge for a business, particularly a financial institution, a risk based approach is probably the best bet. An effective risk assessment gives a company insight on which steps to take to build and maintain a strong, secure, effective records management program.

Record Retention and Records Management

The legal definition of record retention refers to the storage of records no longer active. There are various types of records kept by various individuals and businesses. Records are normally retained in document form and the Internal Revenue Service (“IRS”), other government entities, and all fifty states have specific retention schedule requirements depending on the content of the document, the type of company, and for records created for certain specific purposes (the IRS retention period is three (3) years or until the statute of limitations on an IRS audit expires).

An integral part of records management is an organization’s “Record Retention Policy.”  Retaining records (all or some) and the method for retaining the records is vital when establishing an effective record retention program. Different entities have different record retention methods dictated by the record retention policy. Probably the most undesirable manner of keeping records in the financial world is the “junk drawer” approach where business records are stored away in some obscure file cabinet or drawer with no clue as to the value of the documents being saved and no management for how long they will be saved. This type of record retention is very risky and the haphazard system would very likely have a negative impact when examiners come to call.  A well developed, organized record retention program reflects orderly administration and strong internal controls.

What is a Record?

The Federal Government defines “Record” as a special subset of “information” deemed to have business value to an organization and warranting special attention concerning retention, accessibility and retrieval. This declaration of value can be by operation of law or by specific classification by the organization. Designating certain documents or information as “records” can also help an organization compile and preserve its “institutional memory.”

Records are typically placed into four categories : 1) titles or shares which secure property; 2) documents recording crucial events such as a business’s incorporation; 3) records used for assessing operations; and 4) records which are collected and retained in compliance with government regulations. The Federal Government and the United States Code have this to say about records:  Records includes all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of data in them. (44 U.S.C. Chapter 33 § 3301)  This definition highlights that any sorting process should:

  1. Look at content regardless of form (electronic or paper).
  2. Focus on the operational activities of the organization.
  3. Involve a policy level decision by the organization as to what has sufficient value to be designated as a “record.”
  4. Recognize that while the decision-making process has many variables, it should focus on providing access to information that has some continuing value.

Content of Records

Some information has value or significance only for short periods. For example, certain event announcements (e.g., that lunch is served) or statements concerning the availability or unavailability of services (e.g., that servers will be down for maintenance briefly) has no long-term value and normally can and should be discarded. This is just as true in the digital world as it is in the paper-driven world, when unimportant papers are routinely discarded at the end of the day. This subset of information is generally not classified as a “record,” but it does have value to the organization for some unspecified and perhaps uncertain period of time. In the electronic world, it is difficult, if not impossible, to classify large amounts of this type of electronic information for retention under any traditional records management scheme, both because of its nature and its volume. Some business entities may find this type of “non-record” information is the majority of the electronic information owned by the organization. However; other entities may find most of the electronic information they keep is a “record” and must be retained.

The first step in the record retention process is to define, or classify “record.” The definition should be clearly outlined in policy, and best practice mandates a detailed process explaining how your business will manage the program. As the author researched record retention, the lack of standardized processes and/or guidelines became very obvious. Each state has record retention requirements of its own, some of which are very detailed and others that are quite vague.  In addition to federal regulations such as the Sarbanes-Oxley (“SOX”) Act, companies need to be certain to consider specific state laws. While SOX does not apply to all financial institutions, Sarbanes-Oxley forbids document destruction once the government has made an inquiry into a criminal offense for businesses, organizations, nonprofits, and individuals. SOX Section 1102 makes tampering with documents illegal and a compliant document management system and program must provide permanent, non-modifiable documents to insure authenticity.

Despite the seeming abundance of resources on record retention, there does not seem to be a uniformly recognized single standard regarding how to manage electronic information and records. A review of various policies and procedures makes it clear that each entity has different and varied needs when it comes to record retention and must focus on its own particular operational and business needs for retaining information and records. As with anything else in the banking world, risk mitigation should be at the forefront of deciding how your company will manage information and records management. Your program, at a minimum, should be based on: your mission; resources; needs; legal responsibilities; and risk assessment, and should be reviewed periodically and adjusted accordingly.

Each organization may want to consider the following when building an effective records management program:

Potential Consequences of Inadequately Managing Information and Records in the Electronic Age

Potential risks to consider if electronic information and records are not managed effectively include, but may not be limited to:

The consequences of failing to manage records effectively could range from:

The key management challenge is to identify the risk and implement an appropriate electronic records management program to mitigate those risks and protect the company from legal dangers and reputational damage.

Electronic Mail, Blog Content, Social Networking, Text Messages

While there are no general requirements that a company must retain all information created or received in the ordinary course of business, it is important to remember a company’s technology and information created with that technology are not the property of the individual, but are considered assets of the company and should be managed accordingly.  An organization’s policy should set forth a process used to identify what should be retained and establish parameters to be used when selecting the most appropriate media for retention.

The U. S. General Services Organization (www.gsa/gov) offers specifications for users of the government email systems in that electronic mail messages meet the definition of Federal records (and attachments thereto) and they are to be recorded  (retained) after they have been copied to an electronic recordkeeping system, paper, or microform for recordkeeping purposes. The message is then to be deleted from the e-mail system. (N1-GRS-95-2 item 14)

NOTE: Along with the message text, the recordkeeping system must capture the names of the sender and recipients and date (transmission data for recordkeeping purposes) and any receipt data when required. (N1-GRS-95-2 item 14 Note)

Retention requirements for blogs and other forms of Social Media have not been specified; however, certain regulations have specific retention requirements that would apply as Social Media (including blogs) is considered to be a form of advertising and/or marketing and should be treated accordingly. Social Media content must meet certain regulatory and disclosure requirements (depending on the subject), and email messages must meet formatting and content standards required by the Federal Trade Commission (‘FTC”) and must be handled in accordance with the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act and the rules of the Federal Communications Commission(“FCC”) . Text messages are covered by the Telephone Consumer Protection Act (“TCPA”) and applicable FCC rules as well. All rules and/or regulations should be considered when developing an effective record retention program and should include Social Media.

For a comprehensive review of your record retention policies, procedures, and program please contact

Please wait...

Subscribe to our Technical Publication!

Want to be notified when Compass is published? Enter your email address and name below and sign up to our mailing list!
Please wait...

Download the PDF File