One of the lessons learned from the Financial Services Royal Commission is the importance of record retention and the ability to find information.
In his Interim Report, commenting on the responses to his requests for information, the Commissioner observed:
“CBA and NAB found it difficult to comply with the requests that I made. Each explained the difficulty by pointing to the need to assemble information from many separate sources. NAB said that… it had examined ‘NAB’s significant litigation reports, reported Australian court judgments, NAB’s breach registers and underlying reports to ASIC, APRA and AUSTRAC, adverse FOS determinations relating to “systemic issues”, significant breaches of the Code of Banking Practice reported in NAB’s Annual Statements of Compliance, and reports to the Australian Information Commissioner’. NAB said that to provide details of misconduct that had occurred over the preceding five years it would have to look at, among other things, the Annual Compliance Statements it had made under the Code of Banking Practice (which recorded 1,914 breaches of the Code in the last five full financial years), 300 events reported as significant breaches to ASIC or APRA occurring during that period, 370 FOS determinations, 375 determinations by the Credit and Investments Ombudsman, 246 significant litigation matters and five different databases recording customer complaints.
Taken together, the course of events and the explanations proffered can lead only to the conclusion that neither CBA nor NAB could readily identify how, or to what extent, the entity as a whole was failing to comply with the law. And if that is right, neither the senior management nor the board of the entity could be given any single coherent picture of the nature or extent of failures of compliance; they could be given only a disjointed series of bits of information framed by reference to particular events.”
Our record retention checklist for financial services providers has been updated to January 2018, but identifying records to be retained is only the beginning.
Every business should have a document (record) retention (and destruction) policy: identify specific categories of documents and then particular types of documents which must be retained and the term for which they must be retained.
What policy will you adopt for records not subject to specific regulation (e.g. emails)? Is there a designated time after which they will be destroyed? What criteria were used in selecting that time period?
In what form can documents be retained?
Whilst the various Acts prescribe the types of documents that must be retained and the period of retention, they are generally technology-neutral in terms of the method of retention. Original hard copy documents need not be retained if they are kept electronically in a form that is readily accessible. The electronic copy must be secure and must be convertible into hard copy.
A black and white hard-copy version of a colour record will be acceptable if colour is not an important aspect of a document.
If you have an electronic archiving system you will need to make sure you have an IT Governance policy which deals with security, privacy, business continuity, processes and outsourcing.
Are the electronic copies unique, identifiable and unalterable? Can you prove they are tamper-proof?
Have you recorded the process by which information is copied, stored, recorded and reproduced?
Are they searchable across the business?
As the Royal Commission showed, you may need to access documents as diverse as Board and committee minutes, internal reports, internal emails, customer files, complaints and external reports.
Do you have a system for retaining and accessing that information?