RECORD RETENTION GOTCHAS
Banks have clear, careful procedures for retention of various types of bank records. A number of laws, like Bank Secrecy Act/Anti-Money Laundering rules, have explicit time frames spelled out. Recently, the Dodd Frank Act extended the retention period for certain records relating to residential mortgages from two years to three (for loan originator comp and ability to repay evidence) and five years (for closing disclosure and transfer notices). Other laws are broader. For example, certain flood disaster documents (hazard determination form and consumer notices) should be kept for the life of the loan. However, even with specific retention periods in various laws and rules, there are still a number of thorny issues. Here are some questions that have been raised by community bankers.
What constitutes a “record”? For some rules, it is easy to determine that “record” is referencing a document that made certain required disclosures. However, Regulation E requires retention of evidence of compliance—including compliance with error resolution. The consumer may give oral notice of an error. A bank may require written confirmation provided it complies with the regs. So, if the bank records the conversations that its Consumer Service Representatives (CSRs) have with consumers, is that a “record” that should be retained? Reg E doesn’t define the term “record.” The prudent approach is to retain the CSR recording for two years.
On the other hand, Regulation B, which requires retention of consumer applications for 25 months, specifically refers to “written or recorded information.” Thus, if a bank is taking mortgage applications over the phone and recording them, it should keep those recordings for 25 months.
Texas law includes chapter 72 of the Business and Commerce Code, which deals with retention/disposal of business records. This law defines business record very broadly to include not only words but also “sounds” recorded in the operation of a business by a variety of means including mechanical or electronic recording. It permits destruction of business records—required to be retained by STATE LAW–at any time after the third anniversary of the date the record was created. It doesn’t directly apply to financial institutions, but it does provide a defensible position for destroying records after three years if there is no law that requires their retention. It also gives us one of the few clear definitions of the term “business record.”
Must the bank record CSR conversations with customers? The various rules do not appear to require such recording. By contrast, there are several securities laws that DO require recording customer interaction.
Wouldn’t recording violate Texas wiretap law? No, so long as one party to the conversation consents to the recording. However, a better practice is for the CSR to tell the other party that the call will be recorded for quality control purposes.
What about electronic/digital documents? That one is easier. After passage of the E-SIGN Act, it is clear that electronic records are considered to be “writings” and can be used as evidence in litigation. The Federal Reserve wrestled with how to deal with electronic records after passage of the Act. At first, it proposed very prescriptive amendments to the consumer regulations. These were pulled down before finalization. Ultimately, the Fed provided guidance that simply said comply with E-SIGN when making and retaining records.
What about email? Essentially, this is just a delivery method that has largely replaced snail mail. Look at the purpose of the email and its attachments (if any). Profile your email and retain it in accordance with the applicable laws and regulations.
Should we make our life easier and just keep all emails indefinitely? NO! And the same is true for other records. Follow the applicable schedule. If your bank were to be sued, it could be subpoenaed for certain records. If you have old ones that should have been destroyed, you will still need to produce them. This can be expensive—and sometimes fatal to your position.
If the bank were sued, why couldn’t we just follow our schedule and destroy stale records? If you do, then the party suing you could make a claim of “spoliation.” The court would then rule that any destroyed records will be presumed to be adverse to the bank since you can’t produce them. In the event of litigation, the bank should always put a “preservation” rule in place. Your attorney should clearly advise you that all departments in the bank that have pertinent records should be informed of the litigation and should stop even the normal record destruction processes. Again, this would apply to pertinent emails and recordings.
So, any other rules regarding destruction? Yes, the bank should have clear procedures in place for destroying records in a safe and secure method. This was especially brought home in the GLBA rules regarding safeguarding consumer records. Employees should never toss documents with customer nonpublic information on them into a trash can. Rather, they should go into a locked shred bin. Remember that vendors who have consumer nonpublic personal information should similarly have procedures in place to not only protect the records but also destroy them in a safe and secure manner.
Conclusion. Be sure that your bank has clear record retention and destruction procedures in place. Review them for the “gotchas” that I have described!.
Authored by: Karen Neeley
Reprinted with permission from The Texas Independent Banker