March 27, 2014
Credit Union Management magazine’s Web-only “On Compliance” column runs the fourth Thursday of the month.
A major stumbling block to effective record retention is getting a firm grip on which records a credit union should keep and which ones are safe to destroy. Whenever I’m asked about the “rules” for how long to retain various credit union records, I’m reminded of a scene in the first “Pirates of the Caribbean” movie.
It involves a negotiation between Elizabeth Swann played by Keira Knightley and the pirate captain Barbossa played by Geoffrey Rush. When the negotiation doesn’t quite go according to Elizabeth’s plan, she appeals to Barbossa’s allegiance to the “code of the order” of the pirate brethren, to which Barbossa replies, “the code is more what you’d call ‘guidelines’ than actual rules.”
When it comes to regulations, which typically spell out in great detail what a financial institution can and can’t do, there is a surprising amount of vagueness concerning how long to retain those records called for in the regulations themselves.
For some records, the regulations are specific (for example, 25 months in the case of adverse action notices, according to Regulation B: ECOA section 202.12). Some institutions may elect to keep them for the maximum period of time within which the consumer can bring a claim under the Equal Credit Opportunity Act or the Fair Credit Reporting Act, which is five years. However, the real challenges arise when dealing with the "gray areas," regulations where the specific record retention requirements aren't spelled out in black and white, but may be implied.
For such records as copies of advertisements that display either the Fair Housing logotype or the equal housing disclosure, there may not be record-retention requirements, however “guidelines” tend to emerge, sometimes through industry best practices, sometimes through regulatory guidance (which may call upon institutions to maintain “evidence of compliance”), and sometimes through deduction based on practice and experience.
For example, in the case of the Fair Housing logotype, while there may not be record retention requirements for advertisements placed by the credit union in the Fair Housing Act, it stands to reason that it would be worthwhile to retain copies of all advertisements until the conclusion of the next compliance examination so you have something to provide examiners. Indeed, examiners expect to see a copy of all advertising since the last examination. But that is the common practice, not a requirement of law.
Over the years, we’ve taken to compiling a list of record retention rules and guidelines. While it doesn’t take into account various record retention requirements that may be imposed by the various states, it can provide a useful starting point for “knowing when to say when.” The list, which can be requested by contacting us at firstname.lastname@example.org, takes into account the latest mortgage and mortgage servicing rules.
I periodically hear of what I call “the hoarder approach,” where institutions elect to just keep everything for X number of years. Sometimes X = 6 years, other times, X = 7 or 10 years.
The challenge with this approach is that this area of compliance is not called “record storage” but “record retention.” Retention is more than storage. It involves keeping things in a way that allows you to find it when you need it.
I’ve known financial institutions that stored records for many years in large rooms filled with boxes, but finding anything in particular would require hours. This can create anxiety and considerable expense in an examination or remediation situation.
In addition to burying the institution in documentation and the extra expense associated with the hoarder approach, the larger concern is the exposure to litigation risks and the violation of privacy rights. Most records a credit union retains contain sensitive information, so the stakes are high.
For most institutions, the road to manageable record retention begins with a detailed record retention policy, which includes the schedule, the roles and responsibilities, destruction procedures, and a schedule for updates to the policy.
Though the prospects of creating such a detailed policy can seem daunting, it can pay huge dividends year over year for financial institutions in reduced storage costs and liabilities. And who couldn’t use that in 2014?