Wft files at financial advisers: 5 years and then?
Financial advisers, mortgage advisers and investment service providers work with client files full of personal data, income data, asset positions and identity documents. The Dutch Financial Supervision Act (Wft) and its underlying rules require careful file-building and retention. But keeping is not an end in itself: as soon as the statutory period has expired, retention itself becomes a GDPR risk. This article lays the periods side by side and describes the moment when the file may leave.
Why the Wft retention obligation exists
The Wft and the Decree on Conduct of Business Supervision of Financial Undertakings (BGfo) prescribe that an adviser builds an underpinned client profile (suitability, knowledge and experience, risk appetite) and records the advice in a traceable manner. That file-building must be such that the AFM can reconstruct afterwards which advice was given and on what grounds. That is why the retention period in practice runs at least five years from the end of the client relationship or from the last advice.
Interaction with the Wwft
Financial advisers who fall under the Wwft must keep client due diligence and transaction data for five years after the end of services. That period does not automatically run in parallel with the Wft period for advice files, but in practice many firms use one retention period as the denominator for the entire file. See also our in-depth explanation in Wwft: 5 years client due diligence.
Seven-year tax retention obligation
Administrative documents with a tax component (invoices, general ledger, hours, cost substantiation of the firm itself) fall under the seven-year tax retention obligation. For real estate even ten years. Client files sometimes contain documents falling under both Wft and tax retention. Split where possible: personal data fall under the Wft period, invoicing under seven years.
GDPR storage limitation
Article 5(1)(e) GDPR prescribes that personal data not be kept longer than necessary. As soon as a statutory period expires, the basis for further retention disappears, unless another basis remains (for example an ongoing dispute). Keeping ‘just in case’ is not a basis. It is an infringement.
A firm that keeps all client files for ten or fifteen years in the attic because nobody knows when what may go, runs a data-breach risk and a GDPR enforcement risk every day.
A workable period matrix
- Wft advice file (knowledge, experience, profile, advice): 5 years after end of relationship.
- Wwft identification and transaction investigation: 5 years after end of services.
- Tax-administrative documents: 7 years.
- Correspondence without advice value: as short as practical, maximum 5 years.
- Copy of ID: only when strictly necessary. Otherwise do not keep.
Destruction in practice
A client file often consists of paper (intake forms, signed advice reports) and digital components (PDFs, email correspondence, scans). Paper may not simply go in the waste paper. DIN 66399 P-5 is the accepted standard for confidential financial data. Digital copies require H-4 or E-4 destruction of the media themselves (SSDs, hard drives, USB sticks).
Mobile approach at the office
For advisory firms in Amsterdam-Noord, DeSnipperaar comes with a mobile shredder to your site. The files do not leave the premises intact. The adviser or compliance officer watches through the side window. Afterwards you receive a certificate per job that you can attach to your processing register. No contract, no minimum, no subscription. A clean-up round once a year or quarterly is often enough.
Annual clean-up of Wft files?
We drive past your office, destroy the expired files on the spot and immediately deliver a certificate. No subscription, no minimum.
Request a quoteRegister the destruction
Processing within the meaning of the GDPR also includes erasure and destruction. Record in the processing register which categories of files are destroyed when, on what basis and via which processor. The destruction certificate is your evidence afterwards.
Relevant sector page
More practical information specifically for advisers, mortgage offices and investment firms under MiFID II can be found on our sector page Financial advisers & banks.
Ready to put the archive in order? Request a non-binding quote. We come round, watch and advise plainly on what does and does not need to fall under the destruction standard.