数据保留指南起草

Financial Data Retention Guidelines

1. Purpose and Scope

• Purpose: Establish organization-wide rules for retaining, protecting, and disposing of financial data to meet legal, regulatory, tax, audit, and business requirements.
• Scope: Applies to all financial data and records across systems and repositories (ERP, GL, AP/AR, treasury, payroll, tax, banking, trading, procurement, spreadsheets, emails/messages, backups, and archives), regardless of format or location.

2. Governance Principles

• Lawful basis and storage limitation: Retain only for as long as required by law, regulation, tax, audit, litigation, or a documented business need; then dispose securely and verifiably.
• Accountability and traceability: Map each record category to a named Data Owner, a retention period, a destruction method, and controlling regulations.
• Consistency with privacy: Align with GDPR or applicable privacy regimes’ storage limitation and data minimization principles.
• Defensible disposition: Apply legal holds to suspend deletion during investigations or litigation; record holds and release events.
• Integrity and accessibility: Preserve readability, authenticity, and integrity (e.g., checksums, tamper-evident storage where required) for the full retention period.

3. Roles and Responsibilities

• Data Owner (e.g., Controller, CFO function): Approves retention periods, exceptions, and destruction; ensures business compliance.
• Records Management: Maintains the retention schedule, ensures implementation across repositories, and audits compliance.
• Legal/Compliance: Interprets regulatory requirements, manages legal holds, approves jurisdictional variations.
• Information Security: Enforces secure storage, access controls, encryption, and secure disposal.
• Data Stewards: Classify records, apply metadata/policies, monitor data quality and completeness of record sets.
• IT/Platform Owners: Implement technical retention, immutability where required, backup/archival controls, and deletion workflows.

4. Classification of Financial Records (examples)

• Core accounting: General ledger, journals, trial balances, period close artifacts, financial statements and supporting schedules.
• AP/AR and revenue: Invoices, credit/debit memos, cash receipts, customer billing, collections evidence.
• Banking and treasury: Bank statements, reconciliations, wire/SWIFT confirmations, investment and debt instruments.
• Tax: Corporate returns and workpapers, VAT/GST data, payroll tax, transfer pricing, fixed asset tax basis.
• Payroll and compensation: Payroll registers, timesheets, benefits and equity compensation records.
• Procurement and contracts: Supplier contracts, POs, SOWs, contract amendments, acceptance/inspection records.
• Fixed assets: Asset master, acquisition/disposition documents, depreciation schedules.
• Audit: Internal and external audit workpapers, SOX control evidence, management representation letters.
• Risk and compliance: KYC/AML records, sanctions screening evidence, transaction monitoring alerts and dispositions.
• Trading and investment (if applicable): Order and trade blotters, confirmations, research and communications related to trades.
• Payments and card data: Cardholder data (tokenized where possible), settlement and chargeback records.
• Corporate and “permanent file”: Articles of incorporation, bylaws, equity issuances, merger and acquisition agreements.

5. Baseline Retention Schedule (global starting point; tighten per jurisdiction) Note: Final periods must be validated by Legal for each jurisdiction. “+” means “after the cited trigger.”

• Core accounting books and records: 7 years after fiscal year end close.
• Financial statements and close packages: 7 years after issuance.
• AP/AR invoices and supporting evidence: 7 years after settlement or fiscal year end, whichever is later.
• Bank statements and reconciliations: 7 years after reconciliation completion.
• Expense reports and receipts: 7 years after reimbursement or fiscal year end.
• Fixed asset records: Life of asset + 7 years after disposal; retain tax basis support at least 7 years after disposal.
• Tax returns and supporting workpapers: 7 years after filing; retain “permanent” schedules (e.g., NOL carryforwards, basis support, entity elections) for the life of the item plus 7 years; corporate charters and similar governance records indefinitely.
• Payroll registers, wage and hour, and compensation records: 7 years after payment or employee termination (whichever is later), unless local law specifies longer/shorter.
• Contracts (customer and supplier): Contract term + 7 years; if claims-warranty periods exceed 7, retain through longest claim period + 2 years.
• Treasury, debt, leases, hedging documentation: Maturity/termination + 7 years. Keep hedge documentation through the statute of limitations for tax and financial reporting challenges.
• Audit workpapers (internal and external), SOX control evidence: 7 years after report issuance.
• KYC/AML customer due diligence: 5 years after account closure or end of business relationship; transactional AML records 5 years after transaction. Extend if local AML law requires (some allow/require up to 10 years).
• Trading and order records (if applicable): Keep in line with sector rules; as a baseline, 6 years for ledgers and 3–6 years for order/communications depending on regime. Confirm specific obligations (e.g., US SEA 17a-4/FINRA; EU MiFID II often 5 years, extendable to 7).
• Communications that substantively authorize, support, or evidence financial transactions (email, chat, voice): Align to the governing records period; where regulated (e.g., trading), follow the stricter sector rule.
• Payment card data (PCI DSS): Retain only the minimum necessary for business, legal, and settlement/chargeback needs; do not store sensitive authentication data after authorization; tokenize or truncate PAN; define short, documented purge intervals tied to dispute windows.
• System logs and approvals related to financial processing (e.g., journal approvals, segregation-of-duties evidence): 7 years after period close.

6. Jurisdictional and Sector Examples to Validate Against

• Tax and employment:
  • United States: IRS employment tax records generally at least 4 years after due date or payment; many organizations adopt 7 years.
  • United Kingdom: Companies Act/HMRC commonly 6 years; VAT records may vary.
  • EU: VAT/e-invoicing retention can range 6–10 years depending on country.
• AML/KYC:
  • US Bank Secrecy Act: Typically 5 years for CIP and certain transaction records.
  • EU AML directives: Generally 5 years after the end of the business relationship, with possible extensions.
• Securities/trading (if applicable):
  • US SEC/FINRA: Books and records retention varies (e.g., ledgers 6 years; many communications at least 3 years). Storage must meet technical requirements (tamper-evident/immutable or approved alternatives).
  • EU MiFID II: 5 years for records of services, activities, and communications related to transactions (extendable to 7 when directed by regulators).
• Audit:
  • Sarbanes-Oxley Section 802 (US): At least 7 years for audit workpapers and related documents.
• Privacy:
  • GDPR and equivalent: Enforce storage limitation and purpose limitation; document lawful basis and retention justification in the Records of Processing.

7. Triggers and Effective Dates

• Define a single, auditable trigger per record category (e.g., fiscal year end, settlement date, contract termination, account closure).
• Retention countdown begins at the approved trigger and pauses under legal hold.

8. Storage, Preservation, and Format

• Ensure integrity: Use tamper-evident or immutable storage where regulation requires (e.g., broker-dealer records).
• Maintain readability: Prefer non-proprietary or backward-compatible formats; perform format migration as needed; validate checksums for archives.
• Metadata: Capture record category, owner, trigger date, retention rule ID, legal hold status, and disposal eligibility date.

9. Legal Hold and Exceptions

• Legal/Compliance may place a hold on specific datasets or categories. Holds supersede retention periods until formally released.
• Document exceptions, rationale, authorizing party, scope, and expiry.

10. Disposal and Sanitization

• Perform destruction promptly after eligibility and hold checks.
• Methods: Cryptographic erase or secure wipe for electronic media; cross-cut shred or certified destruction for paper. Obtain certificates of destruction from vendors.
• Verify that backups, replicas, and search indexes are included in the destruction workflow or subject to equivalent retention logic.

11. Backups and Archives

• Backups are for disaster recovery and must not be used to extend retention. Align backup retention horizons with the longest operational recovery requirement, and ensure the ability to selectively expire data upon retention expiry or hold release.
• Archives holding records-of-evidence must comply with the retention schedule and preservation controls.

12. Cross-Border and Data Residency

• Map where financial data and archives are stored and accessed. Apply local retention mandates and data localization rules as required. If multiple jurisdictions apply, enforce the strictest applicable requirement unless prohibited.

13. Monitoring and Assurance

• Controls: Automated policy application in source systems and archives; quarterly sampling to test retention tagging, legal hold integrity, and timely disposal.
• Metrics: Percentage of records with valid policy tags; exceptions count and cycle time to remediation; on-time disposal rate; legal hold aging.
• Audit: Annual internal audit of retention controls and evidence; address findings via corrective actions.

14. Implementation Steps

• Inventory and classify financial data by system and jurisdiction; map to categories above.
• Build a regulatory matrix for key jurisdictions and sector rules; set periods to the strictest applicable requirement per category.
• Configure system-enforced retention, legal hold, and disposal workflows; prevent user overrides.
• Migrate high-value records to compliant archives with required integrity controls.
• Train finance, legal, and IT stakeholders on responsibilities and procedures.
• Review and update the schedule at least annually or upon regulatory or business changes.

15. Summary Retention Defaults (use until superseded by jurisdiction-specific rules)

• Core accounting, banking, AP/AR, expense, close evidence, system approvals: 7 years.
• Audit workpapers and SOX evidence: 7 years.
• Tax returns and workpapers: 7 years after filing; permanent items retained for life of item + 7; governance records indefinitely.
• Payroll and compensation: 7 years after termination or payment (whichever is later), or per local law if longer.
• Contracts and procurement: Term + 7 years.
• Fixed assets: Life of asset + 7 years after disposal.
• KYC/AML: 5 years after relationship end or transaction; extend per local law.
• Trading and related communications (if applicable): Follow sector rules; commonly 3–6 years in the US, 5–7 in the EU.
• Payment card data: Minimum necessary only; purge promptly after settlement/chargeback windows; never store sensitive authentication data after authorization.

Note: These guidelines provide a defensible baseline. Final retention periods must be validated and approved by Legal for each jurisdiction, business line, and regulatory regime.

合同数据保留指南（数据治理）

目标

• 建立统一、可审计的合同数据保留规范，支持法律合规、诉讼防御、稽核需求与数据最小化原则。
• 明确数据分类、保留周期、触发条件、例外（法律保全）、角色职责与处置流程。

范围与定义

• 范围：所有与合同相关的数据与元数据，覆盖系统与非结构化载体。
• 数据类型（示例）：
  • 合同正本与附录、修订、变更单、SOW/PO/工单
  • 谈判材料与版本（草稿、红线、批注）、审批记录、签署审计日志
  • 履约与合规记录（绩效报告、通知函、违约/索赔、验收/里程碑）
  • 计费与付款记录、发票、对账
  • 供应商/客户尽调、KYC/AML资料
  • 与合同相关的通信（邮件、IM节选）、会议纪要
  • 合同索引与元数据（合同编号、相对方、开始/到期、条款摘要）

治理原则

• 合法性与必要性：仅在满足法律义务、业务需要或诉讼防御目的下保留；最小化个人信息。
• 存储期限限制：到期后及时删除或匿名化；保留时间须有书面依据。
• 完整性与可审计性：保留的是最终生效版本及关键履约与审批证据；变更可追溯。
• 一致性：跨系统采用同一保留规则（CLM、DMS、ERP、邮箱、备份、归档）。

保留周期与触发规则

• 计算方法（通用公式）：
  • 保留结束日 = 关系结束触发日 + max(诉讼时效, 监管/税务保留要求, 内部风险基线)
  • 关系结束触发日 = 合同到期或终止或最后一次业务互动结束（取实际发生的结束事件）
• 建议基线（需由法务/合规最终确认并贴合适用法域）：
  • 合同正本、修订/附录、签署审计日志：
    • 合同有效期内：持续保留
    • 合同结束后：至少保留至最长适用诉讼时效（常见区间为3–10年）；无确定法域时可采用7年基线
  • 履约与合规记录（通知、绩效、验收、违约/索赔证据）：合同结束后与正本同周期
  • 计费与付款记录、发票、对账：按财务/税务要求保留（常见为5–7年或更长，以当地税法为准）
  • KYC/AML资料：结束业务关系后至少5年（参考FATF建议），如当地法规要求更长则遵从更长
  • 谈判草稿与红线：
    • 已签署的合同：签署后保留1–2年用于争议背景佐证；到期后删除
    • 未签署/流标：流程结束后保留1–2年；到期后删除
  • 采购评估与投标文档：流程结束后3–7年（视审计与合规需求）
  • 与合同相关的通信记录：仅保留关键决策与正式通知；与正本同周期或更短，避免冗余
  • 合同索引与元数据：与正本同周期；可在到期后转为匿名化统计保留（如履约评分）

例外与冻结（Legal Hold）

• 若发生或合理预期发生争议、调查、诉讼或审计，立即对相关数据实施法律保全冻结，暂停删除。
• 法律保全须有记录化指令与范围清单；解除后恢复正常保留与处置。

个人信息与隐私

• 合同含个人信息时遵守适用隐私法（如GDPR、PIPL、CPRA等）的存储期限限制与目的限制。
• 对于仅为识别用途的个人信息，到期前可进行去标识化或匿名化以支持分析。
• 数据主体权利请求（删除、更正、访问）：与合同合法义务和诉讼防御需要平衡；保留的合法依据需记录。

数据质量与元数据要求

• 最终生效版本唯一标识；版本控制与审批链完整可追溯。
• 强制元数据字段：合同编号、相对方、签署/生效/到期日期、业务所有者、系统位置、保留规则ID、法律保全状态。
• 履约与变更记录保持与合同关联；关联键一致。

系统与载体管理

• 涉及系统：CLM/合同库、DMS/文件管理、ERP/财务、电子签署、邮箱与协作工具、归档与备份。
• 统一实施保留标签与自动化删除（事件驱动：到期、终止、关系结束）。
• 备份策略：备份仅用于灾难恢复；采用不可检索的循环备份并在保留期到后按策略老化/覆盖。对归档介质制定到期处置流程。

处置与证明

• 处置方法：安全删除（含版本与副本）、加密擦除、介质销毁；适用信息安全标准。
• 处置证据：生成删除审计日志与处置证明（时间、范围、执行人、方法、例外说明）。
• 匿名化要求：数据不可逆重识别；保留统计与模型所需的聚合数据时验证风险。

角色与职责

• 数据所有者（法务/合同管理）：定义与批准保留规则；法律保全管理；法规监测与变更触发。
• 数据管理员/数据管家（合同运营/采购/销售运营）：分类与标记、元数据维护、执行保留策略。
• 合规/隐私：评估法规适用性、审计与合规报告；隐私影响评估。
• IT/信息安全：系统配置、自动化执行、备份与删除控制；处置证据管理。
• 记录管理/档案：保留计划治理、跨载体一致性检查、培训与抽样审计。

治理流程

• 制定与更新：每年至少一次回顾；因法规变化、业务模式调整或新法域进入时及时更新。
• 标准作业：入库时标记保留规则；事件触发（到期/终止）启动保留计时；到期前进行预审（含法律保全检查）；执行删除/匿名化；留存审计证据。
• 监控与度量：按季度报告保留合规率、逾期数据比例、法律保全数量与时长、删除执行及时率。

风险与本地化注意事项

• 诉讼时效、税务与监管保留期限因法域而异，须以目标国家/地区的现行法规为准；若跨境运营，采用“取最长”策略并进行分区存储。
• 关键合同（高金额、长期、公共部门、含知识产权/不动产）可设更长保留或永久保留至权利终止后再加诉讼时效。
• 与外包/云供应商签订数据处理协议（DPA/附加协议），明确保留与删除义务、法律保全支持、处置证明交付。

推荐默认保留基线（在无明确法规指引时，供起步使用，须经法务确认）

• 合同正本/修订/审计日志：合同结束后7年
• 履约与通知：合同结束后7年
• 财务票据与付款：遵循财务/税务政策，建议7年
• KYC/AML：关系结束后≥5年
• 谈判草稿与红线：签署后或流程结束后1–2年
• 采购评估与投标：流程结束后3–7年
• 通信记录（关键决策）：与合同正本同周期；非关键通信不长期保留

实施建议

• 在CLM/DMS中启用事件驱动的保留策略与法律保全模块；对非结构化数据实施内容发现与标签化。
• 建立合同数据目录与系统清单，控制副本扩散。
• 在政策中记录保留依据（法律条款、监管要求、业务需求），实现可解释性与审计可追溯。

注：以上为数据治理层面的通用指南。具体保留期限与适用性需由法务与合规依据所在法域的现行法律法规正式确认。