Many of us have a tradition of spring cleaning every year by removing the clutter, both physical and digital, that has built up in our homes. In most cases, determining how long to keep personal documents is difficult enough, but it can be even more challenging for organizations with exponentially more data to keep. Requirements around records retention are a common concern among vendor risk management professionals, so let's go through the basics.
General Regulatory Guidelines
Consider all the vendor information an organization needs to collect and store. The number of contracts, due diligence and risk assessments increases quickly when you have hundreds or even thousands of vendors. So, how long do you need to keep these documents? A typical retention period for many regulated industries is six years, as stated by the National Archives and Records Administration.
Exact retention periods will depend on the following factors:
- Geographic location: Various local, state and federal laws determine how long vendor records must be retained. Furthermore, retention requirements will differ by country, with some being more stringent than others.
- File type: All vendor records aren’t created equally and therefore don’t need to be stored for the same amount of time. For example, expired vendor contracts are usually required to be retained for several years. Other documents, such as due diligence materials, can be retained for a shorter period, but for at least three years. Be aware that auditors or examiners may request a copy of your previous vendor risk management process documents to assess their strength or to see what improvements have been made.
- Industry: Financial institutions, healthcare providers, federal contractors, etc. will each have their own data retention guidelines.
Here are a few examples of specific regulatory requirements:
- Sarbanes-Oxley Act: "We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements."
- PCI DSS Software Security Framework: "All Assessment Results and Related Materials must be made available to PCI SSC upon request for a minimum of three (3) years after completion of the applicable SSF Assessment."
- Bank Secrecy Act: "In general, the BSA requires that a bank maintain most records for at least five years. These records can be maintained in many forms including original, microfilm, electronic, copy, or a reproduction."
6 Tips for Successful Vendor Records Retention
Retaining records can be a demanding task, but one that's necessary to maintain regulatory compliance and ensure that your organization's data remains easily accessible.
These tips will help make the process more efficient:
- Create a vendor record and information management (RIM) policy: If your organization doesn't already have a general RIM policy, it’s a good idea to implement one. A well-defined vendor RIM policy should include details on the organization’s information categories and the required length of time to retain each of them. This retention schedule should account for all regulatory requirements. It's also essential to establish who should have access to specific data and how it will be disposed of.
- Determine business requirements: Developing a RIM policy and process involves more than just complying with regulations. The organization's business requirements must also be considered. Some data may need to be retained for longer than the law requires because of operational needs.
- Be sure to account for records subject to a legal hold: If the organization is involved in litigation, the retention process will likely have to be paused so the subpoenaed data won't be deleted once its retention period is over.
- Ensure there is board and senior management oversight: As with any other crucial vendor risk management activity, the board and senior management should approve your organization's vendor records retention strategy.
- Collaborate with your IT team: Your IT team should generally establish technical controls over your vendor data. They have the tools to ensure that the policy and procedures are followed.
- Consider the risks of over-retention: While it may be tempting to keep everything forever "just in case," retaining too much data for too long can have negative consequences. Storing old and obsolete data can be expensive. And the organization may not have the legal right to store some data beyond a specific period.
Always make sure to review regulatory requirements and any state and federal laws. Also, don’t forget to consult with your organization's legal and compliance teams. With a good vendor record retention policy in place, your organization doesn't have to be buried under mountains of vendor data and records.