The importance of maintenance and record-keeping

Written by Jon Prentice on Monday May 30, 2022

Compliance is made up of many key functions, each of which vary in importance. But two areas that are often underdiscussed – perhaps due to a perceived lack of glamour – are maintenance and record-keeping. Stringent maintenance and record-keeping measures are part of the foundations of an effective compliance and risk management framework, so their neglect is as puzzling as it is unwise.

Though new and emerging technologies have helped compliance evolve, it can be all too easy to overlook the basics. RegTech’s contribution to compliance understandably garners attention, but it is often forgotten that maintenance and record-keeping have long been central to a robust compliance framework; both play crucial roles in ensuring that firms remain compliant with regulations and avoid regulatory sanction, whilst helping put customers’ best interests at the centre of policy making.



Maintenance is a broad term covering a range of different activities. Just as one should maintain a car so that it doesn’t breakdown, or machinery so that it continues to work in the way intended, so it is also vital to incorporate maintenance into an effective GRC programme. Below are some examples of areas that should be the focus of regular maintenance.


Firms should aim to provide customer-centric products that meet the needs, interests, objectives and expectations of consumers, and a key element of the product lifecycle is product maintenance. Once a product is built and put to market, it is vital that it is regularly maintained, and just because a product is fit for purpose at the time of its introduction, that does not mean it is always going to remain so.

Conducting regular product reviews and maintenance throughout the product lifecycle helps to ensure that the product still operates as intended.

In some jurisdictions, regulators and firms are co-responsible for design, distribution and maintenance of financial products through the product lifecycle.[1]

Failure to conduct appropriate product maintenance can lead to products becoming outdated and vulnerable to risk, as well as offering a poor service to customers.


Regularly reviewing and maintaining policies and procedures enables firms to keep up to date with the latest regulations, changes in technology and best practice across the industry. Firms within high-risk or highly regulated sectors, like banking, financial technology, healthcare/pharmaceuticals, gambling, and oil and gas, should place particular emphasis on regular policy reviews.

Moreover, policies and procedures should be living documents, whereby the core elements often stay the same, but the operations adapt according to industry and regulatory developments.[2] Given the sheer volume of tasks that a compliance department must oversee, it is easy to see policy and procedural reviews as a reactive activity, however, it is far wiser to practice proactive maintenance, so as to avoid issues before they become a problem.


Compliance changes quickly, and so it is imperative that staff training is regularly maintained. Training – whether mandatory, company-wide or more specialised targeting a specific team, function or department – should be regularly reviewed to ensure that employees are meeting their legal requirements. Failure to maintain staff training can result in employees following incorrect procedures, not being aware of potential threats or risks, or offering poor customer service, all of which can lead to potential regulatory sanctions or reputational harm.

It is not just the content of the training, but the design of the training itself, that is important. We all know that training is sometimes considered a tick-box exercise, with employees not always fully engaged. Regularly reviewing the way that training is delivered helps keep engagement levels high and improves information retention. E-learning, in particular, has emerged as a popular way of disseminating training content, thanks to its interactive nature.



Maintenance and record-keeping go hand in hand. Certain data must obviously be recorded and stored safely and securely, but when a policy has been reviewed or maintained, or an investigation has taken place, it is important to keep a record of what has been done and why. Compliance and risk management is today incredibly complex, and scrutiny from regulators, customers, shareholders and other stakeholders has never been greater. So, to avoid potential regulatory enforcement action, firms must adopt an effective record-keeping process to ensure data and information is stored safely and kept up to date.

A robust record-keeping programme involves the entire company. From entry level through to senior management and board level, all employees must be aware of their organisation’s record-keeping policies, in addition to acknowledging why storing data in a safe and reliable manner is vital.

For compliance officers, it is their responsibility to ensure that their firm’s record management policies are adhered to and that the policies fall in line with any record retention schedules, as required by law.

Like maintenance, record-keeping is a broad field. Some key considerations include:

  • employee training records to ensure that they have passed all necessary training modules
  • customer identification records
  • compliance investigation logs
  • disclosures to law enforcement/government agencies
  • audit results and any follow up actions
  • policies and procedures, including a record of any amendments made
  • reports from the whistle-blowing hotline, and
  • documents evidencing any amendments to the compliance programme.[3]

In order to effectively maintain records, a record-keeping or record management system should be established. The purpose of a record management system is to store and track compliance-related documents, policies and procedures. An effective system will help ensure that regulatory mandates are met, any documentary evidence is easily available and exposure to risk is reduced.


Key takeaways

  1. Don’t ignore the basics ­­– in a world where technological advancements are changing the way we approach compliance, don’t overlook core compliance issues like ongoing maintenance and record-keeping.
  2. Establish a robust maintenance schedule, determining what needs to be reviewed and when.
  3. Develop a record-keeping programme that ascertains record retention schedules, what is required by law, the records that are to be established and how often they are to be reviewed.
  4. Establish a link between the maintenance schedule and record-keeping programme, ensuring that records are updated once a review has taken place. This should include what has been reviewed, what the findings were, any next steps, etc.
  5. Make sure all records are updated as per local and global requirements.

You may also like:

[1] FinCoNet, ‘Financial Product Governance and Culture’, June 2021: – accessed April 2022

[2] PowerDMS, ‘Why it is important to review policies and procedures’, 22 December 2020:,with%20the%20industry's%20best%20practices – accessed April 2022

[3] Richard P. Kusserow, ‘Effective Compliance Records Management Program’, February 2020: – accessed April 2022


Please leave a comment

You can leave the name empty should you wish to remain Anonymous.

You are replying to post:



Email *

Comment *

Search posts

View posts by Author