Credit intermediaries: destroying client files
A credit intermediary processes particularly sensitive data: credit applications, proof of income, bank statements, a credit check and the outcome of the client investigation. Part falls under the Wft file with its own retention period, part under the Wwft, part under the tax retention obligation and part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially with a certificate.
The quick answer: you keep the Wft file for at least five years, the Wwft client investigation likewise five years and the administration seven years. You keep single income proofs, copies and check printouts no longer than necessary for the application and its settlement. What may go is destroyed confidentially, with a certificate as proof.
Three frameworks: Wft, Wwft and GDPR
Three regimes apply side by side at a credit intermediary. The Financial Supervision Act (Wft) requires a file on your advice and mediation, with a retention period of at least five years. The Anti-Money-Laundering Act (Wwft) requires client investigation and the retention of that record, also for five years. Alongside these the GDPR applies, which requires that personal data not be kept longer than necessary. The Wft and the Wwft set the floor for what you must keep; the GDPR sets the ceiling for what you may not keep too long.
So treat the file data per type. A proof of income or bank statement has a different status than the record of your advice or the result of the credit check. If you make that distinction, you keep exactly what you must and clear out the rest on time. The ground for keeping is set out in "Wft files kept for 5 years".
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the Wft and Wwft period from the end of the service or the relationship.
| Part | Basis | Period |
|---|---|---|
| Wft file advice and mediation | Financial Supervision Act | at least 5 years |
| Wwft client investigation | Anti-Money-Laundering Act | 5 years |
| Administration and invoicing | Tax retention obligation | 7 years |
| Income proofs and bank statements | As limited as possible | only what is needed |
| Credit check and payment data | Purpose-bound | as briefly as possible |
| Rejected application without agreement | No ongoing ground | clear out soon after rejection |
Use this as a guideline, not a substitute for your own supervisory and tax obligations. When in doubt, consult your compliance function or privacy adviser. A broader overview by document type is in the GDPR retention periods cheatsheet.
Credit applications and income data
For a responsible credit application you assess the client's financial situation. You gather proof of income, employer statements, bank statements and sometimes data on fixed costs or other loans. That is a mountain of sensitive information you need for the advice, but do not have to keep forever. The Wft file requires a record of your advice and its substantiation, not necessarily every single printout you saw along the way.
So distinguish between the file documents that substantiate your advice and the single source files you used only during the assessment. The substantiation belongs in the file for the Wft period. Single copies of bank statements that you no longer need are cleared out confidentially. How to handle bank statements is set out in "shredding bank statements".
Credit check and payment data
A credit application involves a check with the national credit register. The printout of that check and the client's payment data are sensitive and purpose-bound. You use them to assess the application and do not keep them longer than needed for that. The outcome that substantiates your advice belongs in the Wft file. The single check printout and payment data that serve no purpose afterwards disappear confidentially.
That way you avoid building an archive of payment and debt information you no longer actually need. With this category a data breach is especially painful, because it touches directly on someone's financial position. So always treat these documents as confidential, on the way to destruction too.
Wwft client investigation
The Wwft requires client investigation and the retention of that record for five years after the end of the relationship or the transaction. This concerns the identification and verification of the client, the record of the risk profile and any reports. This period stands apart from the Wft file, but in practice it often runs in step with the seven tax years and with the five Wft years. The background and the overlap are set out in "Wwft: keeping client investigation for 5 years".
Clearing out after rejection or completion
Not every application leads to credit. If an application is rejected or the client withdraws, there is no ongoing agreement to justify keeping the data. In that case do not keep everything automatically. Keep only what is needed to substantiate the rejection and to meet your supervisory and Wwft obligations. The single income and payment data that serve no purpose afterwards are cleared out confidentially. The same approach applies to a repaid loan. After the end of the service the Wft and Wwft periods run their course, and the rest is cleared out. The approach is comparable to that in "mortgage advisers destroying client files".
How to handle it in 6 steps
- Split the data into Wft file, Wwft record, administration and single source files.
- Limit income and payment data to what really substantiates your advice and check.
- Keep the Wft and Wwft file for at least five years after the service.
- Clear out rejected applications once there is no agreement and no ground left.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
A credit intermediary's client files are destroyed confidentially, because they contain identity, income, payment and debt information. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old work computer, backup or external drive with credit files belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and your supervisor that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Client files to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping all single source files. Only the substantiation belongs in the Wft file.
- Keeping rejected applications forever. Without an agreement the purpose lapses quickly.
- Treating credit check printouts and payment data as ordinary paper. Those need extra care.
- Throwing files away unshredded. A credit file on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must a credit intermediary keep the Wft file?
You keep the Wft file for at least five years, counted from the end of the service. The administration and invoicing fall under the seven-year tax retention obligation. Other data you keep no longer than necessary for the application and its settlement.
What do I do with the data after a rejected credit application?
Do not keep everything automatically. Without an agreement and without a legal ground the purpose lapses quickly. Keep only what is needed to substantiate the rejection and clear out the rest confidentially.
How long do I keep the Wwft client investigation?
The Wwft prescribes a retention period of five years after the end of the relationship or the transaction. That stands apart from the Wft file, but in practice it often runs in step with the tax period.
How do I destroy client files in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A credit intermediary works with identity, income, payment and debt information of every client, between the Wft, the Wwft and the GDPR. Keep the Wft file and the Wwft client investigation for at least five years, keep the administration seven years and be restrained with single income and payment data. Rejected applications you clear out soon after the rejection. What may go you have destroyed confidentially with a certificate as proof. That way you meet all three frameworks and protect your clients' data.
Have client files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.