Regulatory enquiries about records management do not arrive with much warning.
They arrive as a letter, or a supervisory visit notification, or a request embedded in a broader thematic review that the FCA is conducting across the sector. The timeframe for response is defined. The scope of what needs to be produced is specific. And the standard against which the response will be evaluated is the FCA’s assessment of what a well-run firm in this sector should be able to demonstrate, not what your firm has historically been able to manage.
For most regulated financial institutions with significant physical archives, the honest answer to the question “are we ready for a records management enquiry” is: it depends.
It depends on which records are requested. If the request touches the well-organised portion of the digital environment, the response is manageable. If it touches the physical archive, the response becomes an exercise in managed uncertainty — the acquired books, the legacy records, the historical claims files that predate the current document management system. The records probably exist. Finding them, producing them accurately, and demonstrating that they have been managed in accordance with the firm’s stated policies within the timeframe specified is a different question.
“Probably exists” is not the answer the FCA is looking for.
What the FCA actually requires
The FCA’s record-keeping requirements for regulated financial institutions are specific, comprehensive, and not negotiable. Understanding them precisely is important, because the gap between what most physical archives can demonstrate and what the FCA requires is larger than most compliance functions have fully assessed.
The FCA requires firms to retain records for defined periods from the date of the relevant activity. For most insurance and long-term savings products, those periods extend for years or decades, in some cases matching or exceeding the fifty-year retention requirements that characterise the most legacy-heavy institutional archives. The record has to exist for the full retention period. That is the minimum requirement.
But existence is not the only requirement. The FCA also requires that records can be reproduced in a form that allows for examination and audit. A physical record that exists but cannot be located within a reasonable timeframe does not meet that requirement. A scanned document stored as an unindexed image file that cannot be searched at the level of its content does not meet it either. The record has to be accessible — accurately, quickly, in a form that demonstrates it has been managed correctly throughout its retention period.
The FCA requires firms to be able to demonstrate that their record-keeping arrangements are adequate: that the systems and processes in place ensure the right records are retained, that they are protected from loss or corruption, that access is appropriately controlled, and that retention periods are being applied correctly. A physical archive with no automated retention management, no access controls, and no systematic audit trail cannot demonstrate adequacy in these terms.
The FCA requires firms to be able to respond to Subject Access Requests under GDPR — producing all personal data held about a specific individual accurately and completely within thirty days. For organisations with physical archives containing decades of customer records, the ability to identify all relevant records, confirm their completeness, and produce them within the statutory timeframe is a material operational challenge. For organisations with governed digital environments, it is a process that takes hours.
The specific exposures that physical archives create
The gap between what the FCA requires and what a physical archive can demonstrate creates specific regulatory exposures that compliance functions in regulated financial institutions should be mapping, and that CFOs should be aware of as a financial risk rather than purely a compliance consideration.
The first exposure is the inability to produce records on request within the required timeframe. This is the most immediate and visible risk: the regulatory request that cannot be fully satisfied because the relevant records are in physical storage with slow retrieval times, or because they have been misfiled, or because they were created under a filing convention that nobody currently in the organisation understands. The consequence of failing to produce records on request ranges from formal censure to financial penalty depending on the severity and the context.
The second exposure is the inability to demonstrate retention compliance. The FCA does not just want to see that records exist. It wants to see evidence that retention policies have been applied correctly: that records required to be kept have been kept, and that records required to be destroyed at the end of their retention period have been destroyed. A physical archive with no systematic retention management cannot demonstrate either of these things. Records that should have been destroyed may still be present. Records that should have been retained may have been lost. The absence of a systematic approach to retention is itself a compliance gap, regardless of whether any specific record is actually missing.
The third exposure is personal data risk. Physical archives containing decades of customer records are, in GDPR terms, a collection of personal data that is being processed and retained. The lawful basis for that processing has to exist and be demonstrable. The retention period has to be justified. The security arrangements have to be adequate — physical security, access controls, protection against loss or damage. And the ability to respond to Subject Access Requests, erasure requests, and data portability requests depends on being able to identify, locate, and produce personal data accurately and completely. Physical archives with no systematic organisation or metadata cannot support these requirements at the standard GDPR requires.
The fourth exposure is the cumulative risk of a regulatory finding during a period of heightened supervisory scrutiny. The FCA’s approach to supervision of regulated financial institutions has become more granular and more demanding over the last decade. The thematic reviews that examine records management practices across the sector are not theoretical; they have produced findings, requirements for remediation, and in some cases financial penalties. The organisation that is found to have inadequate records management during one of these reviews is not just managing a compliance gap. It is managing a regulatory relationship that has been damaged. And the cost of rebuilding that relationship, in management time, in legal support, and in the operational disruption of a remediation programme conducted under regulatory scrutiny, is substantially higher than the cost of addressing the underlying problem proactively.
The difference that a governed digital environment makes
The specific regulatory exposures created by physical archives are not inherent to the challenge of managing large volumes of historical records. They are a product of the format, and they are largely eliminated by the transition to a properly governed digital environment.
A governed digital archive changes the regulatory posture in every dimension that matters.
Retention is automated. Every document is classified at the point of ingestion, and the retention period for its document type is applied automatically. Documents that have reached the end of their retention period are flagged for review and disposal according to a defined process. The organisation can demonstrate, at any point, which records it holds, why it holds them, and when they will be disposed of. The FCA question about retention compliance is answered by a report rather than a manual audit.
Access is controlled and logged. Every access to every document is recorded — who accessed it, when, and for what purpose. The organisation can demonstrate that access to sensitive records is appropriately restricted and that its access controls are operating as designed. The GDPR requirement for appropriate security measures is met not by assertion but by evidence.
Records are produced accurately and completely. A Subject Access Request that might take weeks in a physical archive environment takes hours in a governed digital one. The search covers the full record (not just the portion that happens to be in the most accessible location) and the results are accurate and complete rather than dependent on the thoroughness of a manual search conducted under time pressure.
Audit trails are complete. Every document in the governed digital environment has a full history: when it was created, when it was accessed, when it was modified, by whom, and under what authority. The FCA’s requirement for records that can be examined and audited is met by default rather than through a retrospective reconstruction of what happened.
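The four properties above (classification at ingestion with automated retention, logged and enforced access control, complete Subject Access Request production, and a per-document audit trail) can be sketched in a few dozen lines. The model below is an added illustration, not Dajon's system or any product's code; the retention schedule, the role model and the three sample records are constructed, and the retention periods are placeholders rather than the FCA's actual requirements.

```python
"""Toy model of a governed digital archive: classification at ingestion, automated
retention, logged access control and a Subject Access Request (SAR) search.
Constructed example; the retention schedule and roles are illustrative, not the FCA's."""
from dataclasses import dataclass, field
from datetime import date

# Constructed retention schedule (years from the record's creation date).
RETENTION_YEARS = {"policy": 50, "claim": 10, "correspondence": 7}
# Constructed role model: which document types each role may read.
ROLE_CAN_READ = {
    "claims_handler": {"claim", "correspondence"},
    "compliance": {"policy", "claim", "correspondence"},
}


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    doc_type: str
    subject_id: str          # the customer the record is about
    created: date
    content: str
    history: list = field(default_factory=list)  # per-document audit trail

    @property
    def dispose_after(self) -> date:
        # Retention is derived from the type assigned at ingestion, never set by hand.
        return add_years(self.created, RETENTION_YEARS[self.doc_type])


class GovernedArchive:
    def __init__(self, today: date):
        self.today = today
        self.records: dict[str, Record] = {}
        self.access_log: list[dict] = []   # archive-wide log of every access attempt

    def ingest(self, record_id, doc_type, subject_id, created, content, actor):
        if doc_type not in RETENTION_YEARS:
            raise ValueError(f"unclassified document type: {doc_type}")
        rec = Record(record_id, doc_type, subject_id, created, content)
        rec.history.append({"when": self.today, "who": actor, "event": "ingested"})
        self.records[record_id] = rec
        return rec

    def access(self, record_id, actor, role, purpose):
        rec = self.records[record_id]
        allowed = rec.doc_type in ROLE_CAN_READ.get(role, set())
        entry = {"when": self.today, "who": actor, "role": role,
                 "record": record_id, "purpose": purpose, "allowed": allowed}
        self.access_log.append(entry)       # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{role} may not read {rec.doc_type} records")
        rec.history.append({"when": self.today, "who": actor, "event": f"read ({purpose})"})
        return rec.content

    def retention_report(self):
        """Answers 'what do you hold, why, and until when' from data, not a manual audit."""
        return [{"record": r.record_id, "type": r.doc_type,
                 "dispose_after": r.dispose_after.isoformat(),
                 "due": r.dispose_after <= self.today}
                for r in sorted(self.records.values(), key=lambda r: r.record_id)]

    def due_for_disposal(self):
        return [row["record"] for row in self.retention_report() if row["due"]]

    def subject_access_request(self, subject_id, actor):
        """Every record about one person, each retrieval logged under a SAR purpose."""
        hits = [r for r in self.records.values() if r.subject_id == subject_id]
        return [{"record": r.record_id, "type": r.doc_type,
                 "content": self.access(r.record_id, actor, "compliance", f"SAR {subject_id}")}
                for r in sorted(hits, key=lambda r: r.created)]


def demo():
    """Constructed sample archive: three records, one denied access attempt."""
    archive = GovernedArchive(today=date(2025, 1, 15))
    archive.ingest("P-001", "policy", "C-100", date(1990, 6, 1), "life policy schedule", "scanner")
    archive.ingest("CL-001", "claim", "C-100", date(2010, 3, 10), "claim form", "scanner")
    archive.ingest("CR-001", "correspondence", "C-200", date(2019, 1, 1), "letter", "scanner")
    try:
        archive.access("P-001", "alice", "claims_handler", "claim review")  # denied, but logged
    except PermissionError:
        pass
    return archive


if __name__ == "__main__":
    a = demo()
    print(a.retention_report())
    print(a.due_for_disposal())
    print(a.subject_access_request("C-100", "bob"))
    print(a.access_log)
```

The point of the model is where the evidence comes from: the retention report and the disposal list are computed from the classification fixed at ingestion, the access log records denied attempts as well as successful ones, and the SAR search writes its own entries into the same log, so the firm can show not only what it produced but who retrieved it and why.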
The regulatory conversation changes entirely. The organisation that can demonstrate a governed digital records environment is not managing a regulatory risk. It is demonstrating a regulatory strength.
The proactive case — addressing it before the letter arrives
The argument for addressing the archive before the regulatory request arrives rather than after is straightforward but worth stating explicitly.
Regulatory remediation conducted under supervisory scrutiny is significantly more expensive, more disruptive, and more reputationally damaging than the same remediation conducted proactively. The organisation that identifies and addresses its records management gap on its own timeline, before a regulatory finding makes the timeline external and constrained, retains control of the process, the pace, and the narrative.
The FCA has consistently indicated its preference for firms that identify and address compliance gaps proactively rather than waiting for supervisory intervention. The firm that can demonstrate it has assessed its records management position, identified the gaps, and implemented a structured remediation programme — with evidence of progress and a clear completion timeline — is in a materially different regulatory position from the firm that is discovered to have the same gaps during a supervisory visit.
The cost of proactive remediation is the cost of the digitisation programme, which delivers the storage saving, the compliance overhead reduction, and the operational efficiency improvement alongside the regulatory risk reduction. It is a programme with a positive return that also eliminates a regulatory liability.
The cost of reactive remediation is the cost of the digitisation programme (which has to happen anyway) plus the cost of the regulatory finding, the management time consumed by the supervisory process, the legal support required to navigate the enforcement dimension, and the reputational consequence of a compliance failure in the current regulatory environment.
The choice between those two outcomes is available right now. It is not available after the letter arrives.
How Dajon helps regulated financial institutions build the compliant foundation
At Dajon Data Management, we work with regulated financial institutions to build the records management foundation that regulatory requirements demand — and that the FCA, the Pensions Regulator, and GDPR compliance require for organisations with significant historical archives.
We design the governance framework around the specific regulatory requirements the organisation is subject to — the retention periods, the access controls, the audit trail requirements, the Subject Access Request capability that each regulatory regime demands. The digitisation programme is built to produce an environment that meets those requirements from the moment it is operational, rather than having to be retrofitted to compliance standards after the fact.
We execute the programme in phases that prioritise the highest-risk material first — the records most likely to be subject to regulatory request, the customer data most likely to be the subject of Subject Access Requests, the historical files most likely to be relevant to a claims dispute or a coverage question. The regulatory posture improves progressively rather than waiting for the full programme to complete.
And we provide the documentation — the programme design, the methodology, the quality assurance framework, the governance structure — that the firm can present to its regulator as evidence of a systematic and well-governed approach to records management remediation.
The goal is not just a better archive. It is a regulatory conversation that the firm can have with confidence rather than managed uncertainty.
The letter that has not arrived yet
The FCA will ask about your records. The Pensions Regulator will examine your retention practices. A Subject Access Request will arrive from a customer whose data spans thirty years of physical files. A claims dispute will require the production of historical documentation within a timeframe that the current archive cannot reliably meet.
None of these is hypothetical. All of them are the routine experience of regulated financial institutions with large physical archives.
The question is not whether they will happen. The question is whether the organisation will be ready when they do, or whether it will be managing the consequences of not being ready at the moment when the cost of not being ready is highest.
The FCA is going to ask about your records. The organisations that are ready for that conversation are the ones that did not wait to be asked.
Dajon Data Management helps regulated financial institutions build records management environments that meet FCA, Pensions Regulator, and GDPR requirements. Start with the numbers at www.dajon.co.uk/storage-cost-calculator. Then call us — before the letter arrives.
