Records Destruction and Data Retention Policy
Summary
This template is a records destruction and data retention policy intended for use by regulated financial institutions in connection with data maintenance, information destruction, and protection of sensitive customer information. This template includes practical guidance and drafting notes. The Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801, et seq.) (GLBA), the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. §§ 1681, et seq.) (FACT Act), and other laws and regulations govern the handling and disposal of personally identifiable information (PII) and confidential customer information. Failure to properly safeguard such information can create considerable risks for customers and expose depository institutions to significant liability.
State and federal statutes and regulations contain record retention requirements. Accordingly, separate restrictions, such as those under the Bank Secrecy Act (31 U.S.C. §§ 5311, et seq.) and the recordkeeping regulations promulgated by each of the federal prudential banking agencies, may apply to certain institutions. Data and records retention are paramount to consumer confidence and are related to other operating areas of an institution. Consequently, you should ensure that other program areas implement appropriate policies and procedures that complement this policy.
For a full listing of key materials necessary to develop consumer-related bank policies and procedures central to regulated depository institution operations, see Developing Bank Policies and Procedures Resource Kit. For a full listing of key content covering fundamental financial services regulation related topics, see Financial Services Regulations Fundamentals Resource Kit. See also Developing Bank Policies and Procedures Resource Kit; Workplace Internal Data Security Best Practices Resource Kit; and Financial Services Regulations Fundamentals Resource Kit.
For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For more information, see Financial Services Regulation Resource Kit. For further information on data privacy, see Data Protection and Privacy in International Jurisdictions. For information on drafting privacy policies, see Privacy Policies: Drafting a Policy. For a full listing of data security content that applies to federal government agencies, see Data Security & Privacy for Government Agencies Resource Kit. To compare state laws on financial institutions, see the Financial Institution Regulation topic in the Financial Service Regulation State Law Comparison Tool. For more information on data and records destruction, see Bank Internal Audit: Guide to Reg. Compliance § 9.35; Risk Assessments for Financial Institutions § 13.07; and Trust Services Audit Manual § 8.06. For information on bankers' acceptances policy, see Bank Internal Audit: Guide to Reg. Compliance § 6.25. See Electronic Banking Compliance § 2A.03 for implementation considerations of electronic record retention systems.