Data Retention and Deletion: Increasing Regulatory Expectations

Regulators have heightened rulemaking and enforcement to strengthen recordkeeping, data retention, and data deletion requirements

October 2022

KPMG Insights: Regulators are increasingly scrutinizing data retention and recordkeeping practices, including the collection, storage, retention, and disposal of data. This scrutiny falls under existing data retention, privacy, and risk management regulations and guidance, and regulatory expectations are quickly being established through supervision and enforcement. In anticipation of heightened regulatory attention, companies should review their electronic communications policies and practices, as well as their data retention and deletion policies and practices, across legacy and multi-platform systems and unstructured data repositories.


Regulators have heightened their attention and enforcement on data privacy and security, including issues related to recordkeeping, data retention, and data deletion. Recent actions include:

1.    SEC: An SEC final rule that “modernizes” electronic recordkeeping requirements for broker-dealers and security-based swap entities.

2.    Enforcement: Enforcement actions against various firms, including:

  • Data retention failures related to requirements to maintain and preserve business communications due to the use of unauthorized communication channels and methods.
  • Failure to protect customers’ personal identifying information (PII), including to prevent unauthorized access or use in connection with its disposal.

3.    New Regulations: New laws and rulemakings (at the state and federal levels) intended to limit and minimize the data that are collected and retained, including the duration of the retention period, and to mandate deletion.


1.    SEC Modernization of Electronic Recordkeeping Requirements

The SEC issued a final rule to “modernize” electronic recordkeeping requirements for broker-dealers and security-based swap entities to:

  • Add an audit-trail alternative to the existing requirement that broker-dealers preserve electronic records in a non-rewriteable, non-erasable format, on the condition that the broker-dealer’s system preserves electronic records in a manner that permits the recreation of original records if altered, over-written, or erased.
  • Expand the applicability of the rule requirements to nonbank security-based swap dealers (SBSDs) and major security-based swap participants (MSBSPs).
  • Require the hiring of a third party with the ability to access a firm’s electronic records and provide them to securities regulators if the firm fails or is unable to do so, with an alternative that a designated executive officer of the firm can undertake this responsibility.
  • Add an alternative approach to the third-party requirement to accommodate the practice of using a recordkeeping service, including a cloud service provider, for this purpose.

2.    Enforcement Actions

Multiple enforcement actions have been issued relative to the storage, retention, and disposal of both customer and company data. Public enforcements include:

  • Recordkeeping Failures. The SEC and CFTC each settled actions against multiple firms, including broker-dealers, investment advisers, swap dealers, and futures commission merchants, for failure to maintain, preserve, and produce required records of electronic communications.

In particular, the agencies found that the firms’ employees conducted business communications through unauthorized channels and on personal devices, and also that these communications were not maintained or preserved. The agencies further cited the firms for related supervisory failures. The federal securities laws and the Commodity Exchange Act require the creation and retention of records for reasons of investor protection and public interest.

  • Customer Information Safeguards Failure. The SEC settled charges against a large broker-dealer and investment adviser in connection with alleged failures to protect customers’ PII in connection with the disposal of decommissioned devices and other information technology assets that contained customer data, including PII.

In particular, the SEC found the firm violated both its Safeguards Rule and Disposal Rule under Regulation S-P, which require, respectively, “written policies and procedures to address administrative, technical, and physical safeguards reasonably designed for the protection of customer records and information,” and, at the time of their disposal, reasonable measures to protect against unauthorized access to, or use of, the data.

3.    New Regulations

FTC. In December 2021, the FTC published a final rule amending its Standards for Safeguarding Customer Information (Safeguards Rule), which is applicable to financial institutions under the FTC’s jurisdiction. The rule amendments became effective in January 2022 and include provisions related to data retention and disposal. In particular, the rule now states that covered financial institutions must:

  • Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
  • Periodically review their data retention policy to minimize the unnecessary retention of data.

In August 2022, the FTC published an advanced notice of proposed rulemaking (ANPR) seeking public comment on commercial surveillance and data security practices, including those that relate to the FTC’s Safeguards Rule. Among other things, the ANPR poses multiple questions on the collection, use, and retention of consumer data including whether:

  • Companies should be limited to collecting, retaining, using, or transferring consumer data only to the extent necessary to deliver the specific service that a given individual consumer explicitly seeks, or services that are compatible with that specific service.
  • New trade regulation rules should be imposed to restrict the period of time for which companies collect or retain consumer data, irrespective of the different purposes to which they put that data.
  • Companies should be required to certify that their commercial surveillance practices meet clear standards concerning the collection, use, retention, transfer, or monetization of consumer data.

CPRA. The California Privacy Rights Act (CPRA), which was enacted in 2020 and becomes fully effective in January 2023, establishes limitations on data collection and retention. More specifically:

  • A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
  • A business shall not retain a consumer’s personal information or sensitive personal information… longer than is reasonably necessary for that disclosed purpose [for which it was collected].

Contact us

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100
Steven Stein

Principal, Cyber Security Services, KPMG US

+1 312-665-3181
Michael Sullivan

Principal, Advisory, FS Regulatory & Compliance Risk, KPMG US

+1 703-286-8000