Banking Exchange Magazine Logo

Keep proper records for posterity, or suffer posteriorly

Increasingly regulators seems to be biting banks for record retention errors

Keep proper records for posterity, or suffer posteriorly

Just about every regulation has a record retention component.

Sometimes the regulation requires the retention of specific documents for a specific period of time, like adverse action notices under Regulation B (for 25 months) or HUD-1 Settlement Statements (for 5 years) following settlement under the Real Estate Settlement Procedures Act.

Sometimes a regulation requires maintenance of more generic "evidence of compliance" with the regulation, such as Regulation E (2 years from date the disclosures are required or action is required to be taken).

Some laws, regulations, or regulatory guidance may not have specific record retention provisions. However, there is an expectation that records be maintained at least through one examination cycle (however long that may be) so that an institution can prove compliance to the examiners at the next compliance examination.

Keeping to the requirements

You may be thinking... we've got the Records Retention Schedule for our bank that meets all the regulatory and state law requirements, so we're good to go.

Maybe that's not enough.

Recently, I've been hearing a few stories from banks around the country about examinations that ran into surprising record retention snags.

Whereas in the past, if a loan was selected as part of a sample of files for a HMDA data validation, for example, and the file could not be located for the examiners during their visit, a different loan was substituted.

This time, the inability to come up with the loan file during the examiners' visit was cited as a record retention violation.

Several other banks have told me that record retention was a more prominent element of some of the regulatory examination reviews than in previous years.

Some regulations such as Regulation Z provide comforting commentary that electronic recordkeeping can be used in place of traditional paper copies of records required to be retained.

If a bank is relying on electronic recordkeeping to satisfy regulatory retention requirements, there may not be the risk of lost paper files that go missing because they are hidden in a lender's desk drawer. However, there are other risks that are computer-related, and we all know what those can be.

Even a computer malfunction doesn't necessarily eliminate the potential for record retention violations. Regulations such as Regulation B provide that creditors may use a computerized or mechanized system for record retention if the system can regenerate all of the pertinent information "in a timely manner for examination" or other purposes.

Banks need to be maintaining a records management system that ensures that required records are available in a timely manner for examinations and examiners and in a format that is accessible. And, by association, that would also hold true for audits and auditors. Records may be safely stored away in a computer system or in a secure off-site facility, but if they can't be readily located or retrieved, they aren't going to do you much good when you need them.

Now is the time to get it right

It wouldn't hurt to review your records retention program as a whole (in addition to the individual steps in your regulation monitoring process) by:

1. Reviewing the regulatory record retention provisions that affect your organization (including state law).

Make sure you haven't missed any.

2. Review and update your organization's Record Retention Schedule.

Or create one, if you don't already have one.

3. Verify the location(s) of various records

Basement? Offsite storage facility? Unlocked file cabinets in the empty office down the hall?

4. Test the accessibility of the records.


Request specific records from the storage facility and see if you actually can get them and how quickly.

5. If your records retention management system is managed by someone in your institution, have a conversation with that person.

Ask about these issues

If you've heard about similar experiences with records retention issues in connection with exams or audits, we'd like to have you share them with us in the comments box below, or send me an email at the address in my author's bio.


Nancy Derr-Castiglione

"Lucy and Nancy’s Common Sense Compliance” is blogged by both Lucy Griffin and Nancy Derr-Castiglione, both Banking Exchange contributing editors on compliance. Nancy, a Certified Regulatory Compliance Manager, is owner of D-C Compliance Services, an independent regulatory compliance consulting services business that has provided expertise in compliance training, monitoring, risk assessment, and policies and procedures to financial institutions since 2002. Previously, Nancy held compliance positions with Bank One Corporation and with United Banks of Colorado. In addition to serving as a Contributing Editor of Banking Exchange, Nancy has served on the ABA Compliance Executive Committee; National and Graduate Compliance Schools board; conference planning committees, and the Editorial Advisory Board for the ABA Bank Compliance magazine. She can be reached at [email protected]

back to top


About Us

Connect With Us



How to get the most out of Data and AI
with Ravi Loganathan from Sardine
and President of Sonar


In this webinar we will cover:


This webinar is brought to you by:

SardineBanking Exchange