It will come as no surprise to learn that financial institutions are one of the most complex business types when it comes to record-keeping requirements. Operating in one of the most heavily regulated industries, with multiple state and federal agencies setting guidelines and laws that govern how records are handled, banking is a minefield of potential compliance issues.
Banks and lenders have to deal with all of the usual records and pieces of data that come with running almost any business, as well as the personal and financial information of their clients, all of which are highly sensitive. Naturally, these intersect to make for a particularly fraught records management landscape, one which can result in businesses running into hefty fines if not properly navigated.
However, with a good understanding of the financial regulations that affect your business, and a robust records management system in place, the financial industry can be navigated as smoothly as any other. While it is not possible to cover all the various regulations and record retention guidelines at the state and federal levels in one article, we will examine some of the more common problem areas that we have encountered with our clients when it comes to record and data retention policies for financial institutions.
How Long Do Banks Have to Keep Records?
The most common question that we come across appears to be a simple one on its surface: how long do banks have to keep records? Unfortunately, the reality is much more complicated, as it so often is. The answer to this question is not one-size-fits-all. When it comes to record-keeping for banks and other financial institutions, the key variables that determine the life cycle of a record are:
Type of Record
Naturally, the type of record in question will be a major factor in determining how long a record must be retained. Records that are only pertinent to the internal operations of the business, such as HR policies, tend to have shorter schedules. For financial records, the schedules tend to be longer. When in doubt, five years is a good baseline for banks. Most of the records covered by FDIC regulation must be retained for five years from the point of creation.
- Checking or Savings Account - 5 years after the account is closed
- Suspicious Behavior - 5 years after the incident was first reported/identified
- Funds Transfers - 5 years (for amounts over $3000)
- Emails - 5 years
Federal Regulations Affecting the Record
The next variable is federal regulation. If the document or record is governed by any federal regulation, then that takes precedence, unless any state regulation requires that the record be maintained for a longer period. This means that, once you have determined the record type, the next step is understanding which financial regulations apply to it, if any.
Regulations of the State in which the Business Operates
Finally, you will need to ensure that your record disposition schedule is aligned with any state and local regulations for the area your bank or financial institution operates within. This is where things become particularly complex. Breaking down bank record retention policies by state won’t be possible here. It is best to carefully examine your state’s local laws, as each state handles things slightly differently.
Common Financial Regulations
Financial institutions must grapple with a number of different regulations that govern both how they operate as financial institutions and how they operate as businesses and employers. On top of that, they must navigate these at both the state and federal levels. While it’s not possible to delve into all of the regulations that affect any given bank or lending institution’s data retention policies, there are some common regulations that affect the data retention for all financial institutions.
Many financial regulations are governed by more than one agency, and most are enforced by the Office of the Comptroller of the Currency (OCC). However, these regulations can be broadly broken down by the agencies that enacted them and/or provide guidance on them to banks and lenders:
Federal Reserve Board (FRB) Record Retention Guidelines
The FRB’s record retention guidelines are described below.
Electronic Funds Transfer Act
The Electronic Funds Transfer Act is designed to protect customers when engaging in electronic transfers of funds which, in this day and age, is almost all of them. When it comes to records retention, the most important aspect is the disclosures required by Regulation E. Records of the correct disclosures being made must be kept for 2 years. Failure to meet compliance for Regulation E can be very costly, so ensuring compliance upfront is well worth it.
Equal Credit Opportunity Act
Otherwise known as Regulation B, the Equal Credit Opportunity Act of 1974 ensures that financial institutions cannot discriminate against any loan or credit applicants based on their race, gender, religion, or any other superficial descriptors. To ensure compliance, records of loan applications must be kept for 25 months after the decision is made.
Regulation D (Reserve Requirements of Depository Institutions)
In short, Regulation D ensures that banks and other depository institutions have enough cash on hand to meet the withdrawal needs of their customers. It does this by limiting the number of withdrawals that customers can make from designated ‘savings accounts’ each month. Records of withdrawal transactions on savings accounts must be retained for five years after the date of the transaction (or after the account is closed).
Federal Deposit Insurance Corporation (FDIC) Record Retention Guidelines
The FDIC’s guidelines for record retention have several components, as outlined below.
Federal Deposit Insurance Act
The Federal Deposit Insurance Act is the act that founded the FDIC. Created in response to the over-leveraged banks and lenders that caused the Great Depression, the act requires banks and lenders to maintain deposit insurance for all of their accounts. The amount started at $5,000 per account in 1934 and has since been raised to $250,000 today. The act requires records of deposit insurance to be maintained for six years after an account is closed.
Bank Secrecy Act
The Bank Secrecy Act is aimed at preventing criminal organizations from using banks and other financial institutions to hide, move, or launder money. The regulation requires that all banks and lenders maintain records of any “suspicious” transactions greater than $10,000 for five years from the date of the transaction. The definition of what constitutes a suspicious transaction is somewhat vague, so it is safest to maintain records of all transactions that meet the threshold.
Truth in Lending/Savings Act
These are really two separate pieces of regulation that function in similar ways with identical data retention requirements. The Truth in Lending Act (TILA) and Truth in Savings Act (TISA) are both in place to protect consumers against predatory lending or banking practices and to ensure that they are able to make informed decisions about their lending or savings options. Both require disclosures of interest rates, how calculations are made, any penalties, and other key information to consumers. Records of disclosures for both must be maintained for 2 years from the point of disclosure.
Subpoena Record Retention
Maintaining proper record retention policies and schedules is not only vital to protecting your institution against being fined for regulatory non-compliance (although that should be the driving motivator). Beyond ensuring that evidence of compliance is retained for the correct amount of time, retention and disposition schedules for banks and lenders also protect against keeping data for too long.
This may seem like a non-problem, but it can be just as costly as not keeping records for long enough. Ignoring the obvious operational efficiency drain that mountains of records can have on a business, records that are retained past their date of disposition can also have financial and legal implications. Some records containing confidential information, if not disposed of in an effective and timely manner, can result in fines. And, in the unfortunate case of any litigation by a regulatory agency, records that have been stored unnecessarily will still be subject to any subpoenas, resulting in much longer and more expensive periods of discovery.
In this article, we have attempted to highlight some of the key areas of compliance for financial institutions when it comes to data retention and record management. However, it should be abundantly clear that banks and lenders are subject to a dizzying array of complex pieces of legislation, all of which pack significant fines if not properly adhered to and documented.
Therefore, properly investigating all of them in a single article is not possible.
Ideally, any financial institution will have a legal and compliance department that makes it their business to be fully informed of all the record retention requirements that they must meet. However, even for teams of dedicated professionals, staying within the bounds of compliance with so many overlapping agencies and pieces of legislation can be close to impossible.
Thankfully, automated records and data management software can take the guesswork and human error out of the picture entirely. By investing now in a robust records management solution, financial institutions can avoid paying the price for non-compliance further down the road, all while freeing up resources to focus on the more important things.