1. Purpose
The purpose of this policy is to establish a standardized framework for the retention, storage, protection, and disposal of records within Bayarcash. This ensures that all records are managed in compliance with legal, regulatory, and business requirements, while supporting operational efficiency and data privacy.
2. Scope
This policy applies to:
- All employees, contractors, and third-party vendors handling Bayarcash information.
- All physical and electronic records created, received, or maintained by Bayarcash.
- All business units, including operations, finance, compliance, customer support, and IT.
3. Policy Statement
Bayarcash is committed to:
- Retaining records for the minimum period required by law, regulation, or business needs.
- Protecting records against unauthorized access, alteration, or destruction.
- Ensuring secure and permanent disposal of records once retention periods expire.
- Maintaining confidentiality and integrity of customer and company data at all times.
4. Definitions
- Record: Any document or data (physical or digital) created or received in the course of business.
- Retention Period: The legally or operationally required time a record must be kept.
- Disposal: The secure destruction or deletion of a record once it is no longer needed.
- Archival: The transfer of inactive records to long-term storage for retention or compliance purposes.
5. Roles & Responsibilities
5.1 Management
- Approve retention schedules and oversee compliance.
- Ensure departments adhere to the policy.
5.2 Records Management Officer / Compliance Team
- Maintain the records retention schedule.
- Conduct periodic reviews and audits.
- Coordinate secure disposal and destruction of expired records.
5.3 Department Heads
- Identify and classify records within their departments.
- Ensure timely transfer of inactive records to secure storage.
5.4 Employees
- Handle records responsibly in accordance with this policy.
- Protect sensitive or confidential data at all times.
6. Record Classification & Retention Periods
| Record Type | Examples | Retention Period | Responsible Department |
|---|---|---|---|
| Financial Records | Invoices, receipts, bank statements, ledgers | 7 years | Finance |
| Customer Records | KYC data, transaction history, account details | 7 years after account closure | Operations / Compliance |
| Employee Records | Contracts, payroll, performance reviews | 6 years after employment ends | HR |
| Legal & Compliance Records | Audit reports, licenses, compliance filings | 10 years | Legal / Compliance |
| IT & Security Logs | System logs, access logs, incident reports | 1-3 years | IT / Security |
| Marketing Records | Campaigns, customer communications | 3 years | Marketing |
| Vendor & Partner Records | Contracts, SLAs, invoices | 6 years after termination | Procurement |
| Corporate Governance Records | Board minutes, policies, strategic documents | Permanent | Executive Office |

Note: Retention periods may vary depending on jurisdictional laws, regulatory mandates (e.g., AML, GDPR, PCI DSS), or contractual obligations.
7. Record Storage & Protection
- Records must be stored securely, either in approved physical archives or in encrypted digital systems.
- Access is limited to authorized personnel only, based on the Access Control & User Management Policy.
- Digital records should be backed up regularly and stored in compliance with Bayarcash’s Business Continuity Plan & Disaster Recovery Policy.
8. Record Disposal
- Upon expiration of the retention period, records shall be securely disposed of as follows:
  - Physical Records: Shredded or incinerated by an approved vendor.
  - Digital Records: Securely deleted using approved data-wiping or encryption overwriting tools.
- Disposal actions must be logged and approved by the Compliance or Records Management Team.
9. Legal Holds
- If a record is subject to litigation, investigation, or audit, it must not be deleted, regardless of its retention period.
- The Compliance Team will issue a Legal Hold Notice and suspend destruction until the hold is lifted.
10. Training & Awareness
- Employees handling records must complete training on record management, data protection, and information security annually.
- Regular reminders will be issued to reinforce correct procedures for retention and disposal.
11. Policy Compliance & Audit
- Regular audits will be conducted to ensure adherence to retention schedules and secure disposal processes.
- Non-compliance may result in disciplinary action, up to and including termination.
12. Policy Review
- This policy will be reviewed annually, or sooner if there are changes to legal, regulatory, or business requirements.
- Updates must be approved by the Head of Compliance and Executive Management.