With the introduction of GDPR there has been many Credit Unions raising questions as to how long documents should be kept. The general requirement under GDPR is that you should not keep personal data longer than you require.
Before you go on a mass deletion spree though you need to consider a range of factors. So for example when a member leaves you cant just delete all their records. Transactions with the member will form part of your financial records and there are legal requirements over keeping details of financial transactions. In addition, the money laundering checks the member has undergone need to be kept for a set period under money laundering legislation.
Some of the legal requirements that apply (not a complete list):
- Money laundering documents- click here to see the requirements for keeping money laundering identification checks.
- Records of financial transactions requirements for HMRC- HMRC will require you to maintain records of all transactions including individual share and loan transactions. For details on their retention requirements click here. It should be remembered that some documents such as insurance sometimes have longer retention periods.
- Mortgage documents- For Credit Unions providing mortgages there are requirements from the FCA on record keeping which can be found here.
- Investment decisions- Under the revised PRA rulebook Credit Unions need to keep details of investment decisions for at least the last five years from the date of the investment. Click here for more details.
In addition, there can be legitimate interests or another appropriate basis for keeping a document. It is therefore important that Credit Unions thoroughly review all the documents they hold and have a set policy/procedure for how long these documents are held. Not all documents will need to be kept for the same period of time. For example does the length of time you need to keep a loan application need to be the same as the final loan agreement? In some cases it may be appropriate to obtain legal advice or guidance from your trade body on the retention periods.
It is also important to have a practical retention procedure that covers how documents will be deleted. With the volume of documents that Credit Unions produce it is important that the practicalities of destroying old documents is fully considered.