Document Retention Policies Post-Pandemic: Is It Time to Rethink Yours?
As many firms moved back to in-person or mostly in-person work environments in the Summer of 2022, many managers and executives have policies on their mind. They may feel like drafts of HR policies freeload in the passenger seat of their cars or tuck themselves into the open pockets of their bags on the still not crowded subways. While work from home and new guidelines about remote work may be top of mind, so too should your company’s document retention policy. Most companies only consider a document retention policy on advice from their legal counsel or their accountant. But plan sponsors may want to pay attention to document or record retention policies now.

One commentator noted “that the failure to adequately safeguard confidential personal information has already been the subject of several recent SEC Risk Alerts, it is probable this will inspire examinations, investigations, and enforcement actions.”[1] And while plan sponsors may not be subject to SEC investigations, EBSA may take cues for investigations from SEC and FINRA. That same commentator noted that records retention was often an easy area to litigate. “As a former SEC prosecutor, books and records cases were tempting because they were seen as easier to prosecute, as they did not require proof of wrongful intent, or even negligence. Often, in complex cases, books and records violations present the easy way out to pursue liability when more complicated claims fail.” As some other commentators have noted, DOL has moved into a more enforcement-forward stance of late.

As always, discuss any change to information management and client records with your legal counsel. Here are a few things to consider asking your counsel, especially if you are continuing to work in a remote or hybrid work environment.

DEFINITION: A document retention policy sets out your company’s process for retaining records (including electronic ones), including the methods used to store, archive and retain documents and any drafts or discussion around them. The term document is usually used interchangeably with the term record. Those terms are often defined as “electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation.”[2] That includes spreadsheets, but also data compilations and other records that could require special software, like computer-assisted drawing (CAD) programs, to read.

HOW: Document retention necessarily involves cybersecurity as well. How you store data is nearly as important as how long you store data. Any electronic solution for retaining data needs to address not only ease of access but also privacy concerns. Your document retention policy should include a system for retention that allows same-day retrieval of documents needed for plan participants as well as for any potential regulator investigation (such as by EBSA). For some plan providers, relying on an enterprise cloud solution may resolve many issues. As we said in an article on ERISA and Enterprise Clouds: “It is widely accepted that [privacy] regulations and public cloud computing don’t mix. Enterprise computing really is private, in the sense that the hardware, storage and network are dedicated to a single client or company. Because of that limitation, privacy is greatly enhanced.”[3] The right cloud computing solution may also help plan sponsors meet disaster recovery protocols required by regulators.

HOW LONG: The key to most document retention policies involves time. Different kinds of documents may need to be retained for different lengths of time. Your policy should allow you to meet multiple regulators’ requirements via the same system. For example, the SEC requires a 7-year hold for investment advisory documents whereas FINRA and others require a 6-year hold. Potential litigation requires an indefinite hold on all documents and their metadata until the litigation, and any appeals thereof, are resolved. ERISA requires that copies of your 5500, and documents related to it, be kept for six (6) years. So too for non-discrimination testing and test results, financial reports, bond information and corporate tax records.

EMAIL: Your current document retention policy may not necessarily consider your email retention policies. Many IT departments have their company systems, like Outlook, set to delete or dispose of emails older than a certain age, such as 6 months. But this ignores that an email is a document that needs to be retained. Employees working from home may have less than laudable wireless connections, meaning they may email documents to themselves to work on “offline,” getting around any hiccups caused by the interaction of a VPN and a wireless system. Does this mean your email retention policy should change? And if so, should it change for all employees or just for those involved in plan sponsor activities?

AUDIT TRAIL: Some experts suggest having a fiduciary audit trail so you can log and track all interactions among those in your organization who have ERISA-defined fiduciary responsibilities, like members of the board, your designated fiduciary and others. Should your document retention policy address those individuals and their home computers as well? For some attorneys, a litigation hold would. A litigation hold is a requirement that when litigation is “imminent” all copies of litigation-related documents must be preserved, no matter on what device they are currently stored. That includes texts, emails and chats. And unfortunately, it also includes within-app chats, such as those in productivity apps like Slack and CRMs like Salesforce. You may decide that your document retention policy should provide for an audit trail that also includes within-app discussions.

As FutureVault, a records retention vendor for RIAs and investment managers, says, “at the end of the day, the best tool for your organization is one that’s both easy to use and reliable for you, your administrators, your advisors, and your clients.”[4]


[1] https://news.bloomberglaw.com/securities-law/insight-books-and-records-obligations-during-a-pandemic

[2] https://www.law.cornell.edu/rules/frcp/rule_34

[3] https://www.bcgbenefits.com/blog/erisa-and-enterprise-clouds

[4] https://www.futurevault.com/blog/document-retention-101-why-every-firm-needs-a-document-retention-policy


These articles are prepared for general purposes and are not intended to provide advice or encourage specific behavior. Before taking any action, Advisors and Plan Sponsors should consult with their compliance, finance and legal teams.
