FCA Document Retention Requirements: A Comprehensive Guide

The Regulatory Foundation: SYSC 9 and Beyond

The Financial Conduct Authority's record-keeping requirements are not suggestions. They are enforceable obligations that carry real consequences when firms fall short. At the core of these obligations sits SYSC 9 of the FCA Handbook, which establishes the baseline expectation: a firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it.

What SYSC 9 does not do — and what catches many firms off guard — is prescribe a single, universal retention period. Instead, retention obligations are distributed across multiple sourcebooks, each tailored to the type of activity, the nature of the document, and the regulatory regime under which the firm operates. This fragmentation is by design, but it places the burden on each firm to map its document types to the correct retention requirements.

Retention Periods by Document Type

The most common question compliance teams ask is straightforward: how long must we keep this? The answer depends on the document category and the applicable regulatory framework.

• Transaction records (MiFID scope): A minimum of five years from the date of the transaction. This applies to order records, execution reports, and client confirmations. Firms operating under MiFID II should note that competent authorities may extend this to seven years upon request.
• Client agreements and suitability letters: At least five years from the end of the client relationship, not from the date of signing. This distinction is critical — a client agreement signed in 2020 for a relationship that ends in 2025 must be retained until at least 2030.
• KYC and AML documentation: Five years from the end of the business relationship or the date of an occasional transaction. The Money Laundering Regulations 2017 govern this, and there is no discretion to reduce the period.
• Complaints records: Three years from the date of receipt under DISP 1.9. However, firms subject to the Financial Ombudsman Service should consider retaining records for longer, as FOS referrals can occur up to six months after a final response.
• Financial promotions: One year from the date the promotion was last communicated. A short period, but one that is frequently overlooked during marketing campaign clean-ups.
• Board minutes and governance records: No specific FCA retention period, but best practice and Companies Act requirements suggest indefinite retention for material governance decisions.

The Gap Between Policy and Practice

Most firms have a document retention policy. Fewer have a document retention practice that matches it. The gap between the two is where regulatory risk accumulates.

Common failure patterns include the following:

• Retention clocks that start on the wrong date. As noted above, many retention periods run from the end of a relationship or the completion of a transaction, not from the document creation date. Firms that set a blanket "keep for 7 years from creation" policy may inadvertently delete documents before their retention obligation expires.
• No distinction between storage and retention. Storing a document in a shared drive is not the same as retaining it in compliance with regulatory obligations. Retention implies the document is protected from modification, deletion, and loss for the specified period. A folder on SharePoint does not inherently provide these guarantees.
• Inconsistent treatment of electronic signatures. When a document is signed electronically, the retention obligation extends to the signature metadata — the audit trail, consent records, IP addresses, and timestamps that evidence the validity of the signature. Retaining the signed PDF without the accompanying audit data is insufficient.
• Manual deletion processes. Firms that rely on manual review to delete documents at retention expiry introduce two risks: premature deletion (human error) and indefinite retention (the task is never completed). Both carry regulatory and data protection consequences.

Practical Implementation: Building a Compliant Framework

A compliant document retention framework requires four components working together.

First, a document classification scheme. Every document type the firm produces or receives must be mapped to a retention period, a regulatory source, and a retention start event. This mapping should be reviewed annually and updated when regulatory requirements change.

Second, immutable storage for the retention period. Documents subject to retention obligations should be stored in a system that prevents modification or deletion until the retention period expires. This is not a feature of most general-purpose document management systems. Purpose-built vault storage — where immutability is enforced at the infrastructure level — provides the assurance that regulators expect.

Third, complete audit trails. For electronically signed documents, the audit trail is part of the record. Retention of the signed document without its audit trail — including per-event evidence of viewing, consent, and signing — does not satisfy the requirement to maintain orderly records of services and transactions undertaken.

Fourth, automated retention management. When a retention period expires, the firm must have a defined process: archive, delete, or review. Automated systems that trigger these actions based on the retention clock reduce both the risk of premature deletion and the data protection risk of indefinite retention.

The Cost of Getting It Wrong

The FCA's enforcement record makes the consequences clear. Firms that cannot produce documents when requested face adverse inferences in enforcement proceedings. In practical terms, if your regulator asks for evidence of a client's informed consent from five years ago and you cannot produce it — with the full audit trail — the FCA is entitled to conclude that consent was not properly obtained.

Beyond enforcement, inadequate record-keeping undermines a firm's ability to defend itself in disputes, respond to complaints, and demonstrate compliance during supervisory visits. The cost of robust document retention is modest compared to the cost of a single enforcement action or lost dispute.

The question is not whether your firm retains documents. The question is whether your retention framework would survive regulatory scrutiny — today, and in five years' time when the documents are actually needed.

Firms that treat document retention as a compliance checkbox rather than operational infrastructure will continue to find themselves exposed. Those that invest in immutable storage, complete audit trails, and automated retention management build a foundation that serves them well beyond the next supervisory visit.