Blogs

Organizations often make the mistake of telling internal stakeholders that they need to follow all legal requirements for retention – rather than telling them that they must follow the organization’s retention schedule, which includes – but is not solely built upon – regulatory mandates. This is as true in the ERM environment as much as in the paper-based one.  

The Retention Schedule, of course, takes into account applicable regulatory requirements. Final retention periods in the schedule, however, may be longer than any regulatory retention requirements because they are based on many factors (depending upon the records and function). The set of factors determining retention typically includes (but may not be limited to):

• Legal/regulatory mandates (minimum retention periods prescribed by law)
• The longest requirement for records included in that record series. The legal retention requirement for some of the documents in a records series may be shorter than the requirement for the record series in which it resides.
• Business requirements (e.g., superior customer service). Additionally, some records may actually have no legally specified retention requirement, or it may specify retention but not a time period (e.g., OCC).
• Alignment with the retention of other/similar records. For example, in financial services certain records that are required to be kept for broker dealers and investment advisors for different periods, may be kept for the longer of the requirements.  
• Industry practice
• Records management best practice (i.e., that followed by many firms, cross-industry)
• Risk considerations (market, legal, reputational, operational and other risks)
• Secondary/additional value of the information (e.g., use of business unit information for additional marketing purposes)
• Statutes of limitation considerations (related to potential law suits; if records may be needed for litigation, regulatory investigation or audit).

In some well known court cases, the courts (per several attorneys and judges with experience in RM cases have asked if a particular organization has a retention schedule and if that schedule has been and is followed in the normal course of business. It is generally understood that the retention schedule should be designed to take laws and regulations into account, but that other factors (see above) are also factored into retention periods. Companies that don’t follow their own retention policies have been variously accused of negligence and malfeasance (e.g., intentionally selectively retaining and destroying documents). It’s considered important to abide by the retention schedule. Additionally, following the retention schedule enables a company to demonstrate consistent practice.

Lines of businesses must, therefore, comply with the retention schedule – not merely the minimum retention period prescribed by law.

A good internal message to therefore give to internal stakeholders would include the following key concepts:

• Records in all media (e.g., paper, electronic) must be retained and disposed per the organization’s Retention Schedule which is based upon multi-faceted requirements for specific records, including but not limited to legal requirements.
• The schedule is approved by the Records Management  Steering Committee (fill in the blank in your organization), which includes representatives from Legal, Compliance, Risk, Finance (including Tax), Information Security, etc. to ensure that all requirements are met when retention periods are established.
• The schedule is a dynamic document that is reviewed and updated periodically and on an as needed basis to ensure that all current requirements will be met.   

Best regards,

Susan

The opinions expressed here represent my own and not those of Bank of America (BAC) or AIIM