Mortgage advisers: destroying client files
A mortgage adviser manages one of the most sensitive files there is: income and employer data, bank statements, a credit check, a copy of the identity document and sometimes health data from the underwriting of term life insurance. Several retention periods apply to these files at once, from the conduct-of-business rules, the anti-money-laundering rules and the tax retention obligation. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: you keep the advice file under the conduct-of-business rules for about five years, the client due diligence under the anti-money-laundering rules for five years after the relationship ends, and the administration under the tax retention obligation for seven years. Treat health data separately and shred it finely. What may go is destroyed confidentially, with a certificate.
Three periods at once
The biggest misconception is assuming a mortgage file has a single retention period. In reality three frameworks apply at once. The conduct-of-business rules require you to keep the advice file and the substantiation of the duty of care, in practice about five years after the advice. The anti-money-laundering rules oblige you to keep client due diligence for five years after the relationship ends. And the tax retention obligation covers the administration for seven years. These periods count from different moments and apply to different parts.
So split the file into parts with their own end date, just as with a personnel file. That way you keep the client due diligence for its five years, the advice for its period and the administration for its seven, without keeping everything the same length.
Retention periods by part
The period differs per part. The overview below gives the main outline. Count the tax period from the end of the financial year and the other periods from the advice or the end of the relationship.
| Part | Basis | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Advice file and substantiation | Conduct-of-business duty of care | approx. 5 years after advice |
| Client due diligence | Anti-money-laundering | 5 years after relationship ends |
| Copy of identity document | As limited as possible | only as long as needed |
| Health and underwriting data | Special-category data | destroy finely |
| Drafts and working copies | No retention obligation | clear out at once |
Use this as a guideline, not a final legal ruling. When in doubt about a specific file, consult your compliance adviser. The conduct-of-business side is covered in "conduct-of-business files kept for 5 years" and the anti-money-laundering side in "the AML five-year client due diligence".
Income, credit-check and payment data
A mortgage file contains a client's complete financial picture: pay slips, annual statements, bank statements, a credit check and data on existing debts. That is highly sensitive information, because it reveals everything about someone's financial situation. Do not keep this data longer than the conduct-of-business and anti-money-laundering periods require, and clear it out afterwards. An old mortgage file on the street is a serious data breach that hits your client's wallet directly.
Be restrained with the copy of the identity document too. Do not keep it longer than necessary and keep it recognisably separate, so you can destroy it specifically. Bank statements you no longer need are cleared out confidentially, as with destroying bank statements in general.
Health and underwriting data separately
A mortgage often comes with term life insurance, which may require medical underwriting. The health data that arises from it is special-category personal data with stricter rules. Keep it recognisably separate from the rest of the file, give access only to those who need it and destroy it at a fine level once its purpose has been served. That way you avoid the whole file inheriting the sensitivity of this part.
How to handle it in 6 steps
- Split the file into administration, advice file, client due diligence and health data.
- Note the period per part, counted from advice, relationship or financial year.
- Treat health and underwriting data separately and at a fine destruction level.
- Be restrained with the copy of the ID and keep it separate.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Mortgage files are destroyed confidentially at a fine level, because they contain income, credit-check, identity and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old computer used for advice work, or a backup holding client files, belongs in the same process.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof, for GDPR purposes and towards the regulator, that you acted carefully. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; collection is by appointment.
Mortgage files to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at a fine DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping a file on a single period. Conduct-of-business, anti-money-laundering and tax have different end dates.
- Destroying too early. The client due diligence only counts from the end of the relationship.
- Not treating health data separately. Underwriting data needs a fine level.
- Throwing away unshredded. A mortgage file on the street is a serious data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a mortgage adviser keep a client file?
You keep the advice file under the conduct-of-business rules for about five years after the advice. You keep the client due diligence under the anti-money-laundering rules for five years after the relationship ends. The administration falls under the seven-year tax retention obligation. So each part has its own period.
Do the conduct-of-business and anti-money-laundering periods both apply?
Yes. The conduct-of-business rules cover the advice and the duty of care, the anti-money-laundering rules cover client due diligence. Both have a period of about five years, but count from a different moment. So split the file into parts with their own end date.
Are health and underwriting data special-category data?
Yes. Health data from medical underwriting for term life insurance is special-category personal data. Treat it separately and destroy it at a fine level as soon as it is no longer needed.
How do I destroy mortgage files in line with the GDPR?
Confidentially and at a fine level, with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A mortgage adviser works with a client's complete financial and sometimes medical picture, under three periods at once. Keep the administration seven years, the advice file about five years and the client due diligence five years after the relationship ends. Treat health and underwriting data separately and be restrained with the copy of the ID. What may go is destroyed confidentially at a fine level, with a certificate as proof. That way you keep nothing too long and nothing too short, and you have proof in hand in an audit.
Have mortgage files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.