Multiple regulations mandate long-term document retention for financial services firms. This guide explains which regulations apply, what the requirements are, and how to implement compliant retention policies.
The seven-year retention period has become the de facto standard for financial services document retention in the UK, though no single regulation mandates exactly seven years for all document types. The figure emerges from the intersection of several overlapping requirements, and firms adopt it as a practical baseline that satisfies most obligations with a reasonable margin.
Understanding where the number comes from is essential for building a compliant retention policy — because in some cases, seven years is not enough, and in others, retaining documents for too long creates its own regulatory exposure under data protection law.
FCA Handbook (SYSC 9). The FCA requires firms to keep orderly records of their business sufficient to enable the FCA to monitor compliance. While SYSC does not specify a universal retention period, it requires records to be retained for as long as is relevant for the purposes for which they were made. For many regulated activities, firms interpret this as the duration of the client relationship plus a post-relationship buffer.
Ratifio's standard retention period is 2,555 days — seven years — satisfying FCA, MiFID II, and HMRC requirements without requiring enterprise plan upgrades or custom negotiations.
MiFID II (Article 16(6)). Investment firms must retain records of all services, activities, and transactions sufficient to enable the FCA to fulfil its supervisory tasks. The minimum retention period is five years, with the possibility of extension to seven years at the FCA's request. Most firms default to seven years to avoid the risk of a shorter retention being challenged.
Solvency II (Article 45). Insurers must maintain adequate records of their risk management system, including all significant decisions and their rationale. While Solvency II does not specify a numeric retention period, the PRA expects records to be available for supervisory review for a period consistent with the nature of the obligations — typically interpreted as the policy duration plus six years.
HMRC requirements. Companies must retain financial records for at least six years from the end of the relevant accounting period. For self-assessment, individuals must retain records for at least five years after the 31 January submission deadline. The six-year HMRC requirement, combined with the potential for retrospective FCA inquiries, contributes to the seven-year convention.
Ratifio stores both signed documents and complete audit trails on immutable storage for the full retention period. Automated retention management handles review triggers and audit-logged purge events at expiry.
Limitation Act 1980. The standard limitation period for contract and tort claims is six years from the date of the cause of action. For claims involving latent damage, the period can extend. Retaining signed documents for seven years covers the standard limitation period plus a margin for late-filed claims.
Not all documents carry the same retention obligation. A compliant policy differentiates by document type:
Retention is not merely about duration. The manner in which documents are stored must also satisfy regulatory expectations:
Integrity. Stored documents must be demonstrably unaltered from their original state. For electronically signed documents, this means retaining both the signed PDF and the associated audit trail, including the original document hash. If a document is challenged years later, the firm must be able to prove it has not been modified.
Accessibility. Records must be retrievable promptly. The FCA does not define "promptly," but supervisory practice suggests that records should be producible within days, not weeks. Archival storage that requires engineering intervention to retrieve does not meet this standard.
Confidentiality. Access to retained documents must be controlled. Role-based access with audit logging of who accessed what and when provides both security and evidence of access controls.
Durability. Documents must survive hardware failures, software upgrades, and organisational changes. Cloud storage with cross-region replication and versioning provides durability that on-premise storage typically cannot match.
The retention obligation is not satisfied by storing a document. It is satisfied by storing a document in a manner that preserves its evidential value for the entire retention period.
The UK GDPR's data minimisation principle (Article 5(1)(c)) creates a tension with long-term retention. Firms must not retain personal data for longer than necessary for the purposes for which it was collected. A blanket "retain everything for seven years" policy may not satisfy the ICO if challenged.
The resolution is a documented retention policy that specifies the legal basis for retention by document type. Where a regulatory obligation mandates retention, Article 6(1)(c) (legal obligation) provides the lawful basis. Where retention is for legitimate business interests (such as limitation period defence), Article 6(1)(f) applies, and a balancing test should be documented.
Practically, this means your retention policy should include automated triggers for review or deletion at the end of the retention period, with documented justification for any continued retention beyond the standard period.
For firms building or reviewing their document retention framework, the following checklist provides a practical starting point:
Seven-year retention is a sensible default for most financial services document types, but it is not a universal answer. A compliant retention policy is specific to document type, grounded in identified regulatory obligations, and balanced against data protection requirements. The cost of getting this wrong is not abstract — it is the moment a regulator asks for a document and you cannot produce it, or the moment the ICO asks why you still hold personal data with no legal basis for retention.
Ratifio retains documents and complete audit trails for the full regulatory period on immutable storage. Configurable retention, automated lifecycle management, and compliant disposal — included on every plan.
Dr. Ward spent 12 years at the Financial Conduct Authority before joining Ratifio. She advises regulated firms on digital compliance and writes extensively about the intersection of technology and financial regulation.