Data Retention Policy
1. Purpose
This policy (Ref: COMP-DP-003) defines the Bank's standards for the retention and secure disposal of personal data and business records. It ensures compliance with the GDPR's storage limitation principle (Article 5(1)(e)), applicable financial services regulations, and the Bank's record-keeping obligations under AML, tax, and prudential legislation.
2. Scope
This policy applies to all data and records held by the Bank, whether in physical or electronic form, across all business lines, systems, and jurisdictions. It covers customer data, employee data, transaction records, communications, and operational documentation.
3. Core Principles
- Personal data must not be retained for longer than is necessary for the purposes for which it was collected.
- Where multiple retention requirements apply to the same data, the longest applicable period shall prevail.
- At the end of the retention period, data must be securely destroyed or irreversibly anonymised unless a legal hold or regulatory requirement mandates continued retention. Pseudonymised data (where the Bank still holds the key or other means of re-identification) remains personal data and stays within the scope of this policy.
- Retention schedules must be documented, regularly reviewed, and accessible to Data Owners.
4. Retention Schedule
The following table sets out the retention periods for key categories of data. Unless the table states otherwise, the period is a minimum: records must be kept for the full period and, in line with Section 6, destroyed at its end unless a longer period or a legal hold applies. Periods expressed as a limit (for example CCTV footage) are maximums and must not be exceeded without a documented justification. Business units must consult the full Retention Schedule (Annex A to this policy) for a comprehensive list.
| Data Category | Retention Period | Regulatory Basis |
|---|---|---|
| Customer identification and CDD records | 5 years after end of relationship | AMLD6, FATF Recommendation 11 |
| Transaction records | 5 years after execution of transaction | AMLD6, Payment Services Directive |
| SAR records and supporting documentation | 5 years after filing | AMLD6, Proceeds of Crime Act 2002 |
| Customer complaints | 5 years after resolution | FCA DISP rules |
| Loan and credit files | 6 years after maturity or discharge | Limitation Act 1980, CRD requirements |
| Employee personnel records | 7 years after termination of employment | Employment law, tax obligations |
| Tax records and reporting | 7 years after end of relevant tax year | National tax legislation, CRS/FATCA |
| Board and committee minutes | Permanent | Corporate governance requirements |
| Marketing consent records | 3 years after withdrawal of consent or last interaction | GDPR, ePrivacy Directive |
| CCTV footage | 30 days unless related to an incident | GDPR, proportionality principle |
| Email and electronic communications (regulatory) | 5 years from date of communication | MiFID II (Article 16(7)) |
5. Legal Holds
Where data is subject to a legal hold (e.g., litigation, regulatory investigation, or law enforcement request), the applicable retention period is suspended. The Legal Department must issue a written legal hold notice to all relevant Data Owners and the Data Protection Office, identifying the data, systems and custodians in scope. Data subject to a legal hold must not be deleted or modified until the hold is formally released in writing. Because deletion is increasingly automated (see Section 7), a hold is not implemented until the affected records are flagged in the systems that run scheduled deletion and backup rotation, and the Data Owner has confirmed that those jobs will skip the held data.
6. Secure Destruction
At the end of the retention period (and in the absence of a legal hold), data must be securely destroyed:
- Electronic data — Must be sanitised using approved tools and methods that meet NIST Special Publication 800-88 (Guidelines for Media Sanitization). The method must suit the media: overwriting is acceptable for magnetic disk, whereas flash-based storage (SSDs, USB media) and cloud storage, where a successful overwrite cannot be verified, require cryptographic erase or physical destruction. Certificates of destruction must be retained.
- Physical records — Must be cross-cut shredded by the Bank's approved secure destruction provider. Certificates of destruction must be retained.
- Backup media — Data on backup tapes and archives must be overwritten or destroyed in accordance with the IT Security Policy (IT-SEC-003). Where a backup cannot be selectively purged, the expired data remains within the scope of this policy (and of any legal hold) until the backup is rotated out or destroyed, and must not be restored into production systems for any purpose other than recovery.
7. Responsibilities
- Data Owners — Accountable for ensuring data within their domain is retained and disposed of in accordance with this policy.
- Data Protection Office — Maintains the Retention Schedule, provides guidance, and monitors compliance.
- IT Department — Implements technical controls for automated retention and deletion.
- Legal Department — Issues and manages legal holds.
8. Review
This policy is reviewed annually by the Data Protection Office. Next review: Q1 2027.