Record Retention as Risk Management

  • Greg Wilsonby Greg Wilson, Esq., Vice President & Senior Counsel, Bankers Advisory, Inc.*, March 4, 2013

    Related Topics: mortgage compliance, RESPA, TILA, CFPB


    Proper record retention mitigates operational and compliance risk presented to any institution conducting business in this ever-changing regulatory environment. A well-established record retention program maintains records in an appropriate manner and for an appropriate duration thereby ensuring compliance, and providing for easier substantiation of compliance to auditors and examiners. In addition, when records are kept up to date and in known locations it becomes less burdensome for employees at an institution to access and utilize these records in the performance of their duties.

    Approaches to record retention vary based on the size of the institution and the resources available for the creation and maintenance of a record retention program. Larger companies may utilize software or third party solutions for record retention, while smaller companies may opt for a home-grown or simplified approach. The point is that a record retention program, like any risk management system, should be commensurate to the size and business model of the institution. Whatever approach is taken by the institution, there are three major issues to be considered when determining how to retain records and for what duration.

    First of all, the institution needs to identify its compliance obligations for retaining records.  For example, the institution should consider how long it must keep certain documents to satisfy applicable regulations and/or regulators. Secondly, the institution should consider its legal obligations and potential for future litigation, most notably contract durations and statutes of limitations, to protect the interests of the institution. Finally, the institution should consider whether the documents serve a business purpose beyond the duration of the aforementioned retention periods thus justifying additional costs of retention.

    Identifying the applicable statutory or regulatory prescribed retention periods that affect your institution’s business is the first step in establishing a record retention program. In the mortgage industry, companies face many different retention periods related to the creation of a residential mortgage loan.  For example, consider Table 1 below:

    Table 1

    CFPB Regulation

    Typical Retention Period

    Regulation B,  Equal Credit Opportunity

    25 Months

    Regulation C,  Home Mortgage Disclosure

    3 Years

    Regulation P,  Privacy of Consumer Financial Information

    Varies by State

    Regulation X,  Real Estate Settlement Procedures Act (RESPA)

    3 Years

    Regulation Z, Truth in Lending Act (TILA)

    2 Years

    From just a sampling of regulations from the Consumer Finance Protection Bureau, there are several different retention periods for documents that are all created from a single business activity and housed within one physical or electronic file.  As a matter of course destroying or losing loan files, or the documents within a loan file, prior to the culmination of the regulatory required retention period, will likely result in compliance violations during the institution’s next examination. These violations often materialize themselves as monetary penalties for each occurrence, which, in aggregation due to a lacking record retention program, can mount up to thousands of dollars. Properly identifying the regulatory required retention periods for records mitigates against the inappropriate destruction or loss of such records and becoming actual losses to an institution.

    In addition to identifying the de minimis retention period for a document via statute or regulation, an institution should consider its regulatory examination schedule. Again, consider Table 1 (above). Not all institutions subject to these regulations are examined every two years. An institution that destroys its records prior to examination will be unable to prove compliance with any related obligations at the next examination. For example, destroying TIL disclosures automatically two years after the transaction but prior to the next examination will create unnecessary compliance risks to the institution.  Therefore, any retention period which is less than the time between examinations should be adjusted to ensure proper retention of documents to substantiate compliance. This first item of identifying the relevant statutes and regulations that affect your institution is time consuming and resource intensive, but, when completed properly, it creates a solid cornerstone for your record retention program.

    Beyond compliance obligations, institutions must maintain records in accordance with any outstanding contracts and in consideration of potential litigation. Regulations creating a private right of action for violations may have statutes of limitations that exceed their prescribed record retention durations. For example, Truth in Lending regulations may, in the case of an extended right to rescission, create a private right of action extending to three years beyond the date the loan is disbursed, compared to the regulatory record retention period of two years. Determining the possible statutes of limitations for your records should be done with the advice of qualified legal counsel as there are significant repercussions for failing to have the proper records available for litigation. In addition to considering potential litigation, records may be the subject of future and ongoing litigation and thus on what is known as a “record hold,” an ordered prohibition on their destruction for the duration of the litigation. A proper record retention program will flag such records to avoid any possible spoliation of evidence and the resulting negative consequences.

    Finally, but no less importantly, a business should consider how long it actually uses a document when establishing its record retention period. The retention of documents, either physically or electronically, costs money, storing and accessing records consumes employee time, and the presence of out of date documents (such as procedures or out of date client contact information) creates unnecessary operational risk for an institution. A record’s usefulness to the institution may outlast its regulatory and legal retention periods, or the record may not even have a regulatory or legal retention period attached to it. In its determination of business obligation retention, the institution should weigh the utility of the records against the costs and risks of maintaining records beyond any prescribed periods.

    After identifying an institution’s compliance, legal, and business obligations for each record, an institution is ready to determine the duration and methods of retention for their records. Conservative approaches will often require a length of time beyond the longest retention period of the three obligations, thereby ensuring documents will be available as needed. However, there are risks posed by the prolonged retention of sensitive documents that should be weighed.  Ultimately, determining a record retention period is a fine balance between all three obligations that should be carefully considered by qualified individuals prior to implementation of any record retention program.

    As simple as it seems to retain records, the issue of retaining them in a secure yet accessible manner for the appropriate amount of time is a daunting task for institutions of every size and nature. To further complicate matters, in addition to the requirements to retain business related records, mortgage lenders need to consider records created and retained to support compliance with operational and public welfare laws, such as the Occupational Safety and Health Act.

    Remember, the creation and maintenance of your record retention program is an important task that requires an investment of resources and support from senior management, but when done properly, it ensures compliance and achieves efficiencies throughout your organization. 

    Adobe PDF PDF version »

    *Greg Wilson serves as Bankers Advisory’s Client Relationship Manager and oversees regulatory compliance consulting services. He was a compliance analyst at the Federal Home Loan Bank of Boston and examiner for the Massachusetts Division of Banks. Greg is a graduate of the Isenberg School of Management at the University of Massachusetts, Amherst. He received his Juris Doctor at Suffolk University Law School and is admitted to the Massachusetts Bar. Greg can be reached at

    Bankers Advisory authors state compliance matrices, policy manual templates and compliance commentaries exclusively for AllRegs.

    Bankers Advisory

    Disclaimer: The information presented in this article represents the opinion of the author and not that of AllRegs. This article is not meant to be nor should it be construed as advice of legal counsel. The applicability of the information contained herein will vary based on the nature of each lending institution's business, under what law it was created, and its loan products and procedures. Readers are strongly urged to consult with their legal counsel and/or contact local counsel as appropriate in the various states and jurisdictions to determine the applicability of the materials contained herein to the specific facts and circumstances of each organization's programs and products and to identify other law applicable to its business operations. The information contained herein was not reviewed or approved by counsel in the respective jurisdictions.