What customer records must a bank or broker retain under GLBA and FINRA, and how does that conflict with deletion requests?
Financial institutions sit at the intersection of two competing forces: privacy laws that ask them to limit and dispose of personal data, and financial-services regulations that require them to keep detailed customer records for years. Understanding which duty wins, and when, is essential for any records or information-governance program in this sector.
What banks and brokers must retain
The Gramm-Leach-Bliley Act (GLBA) is primarily a privacy and data-security law. It governs how institutions collect, protect, and share nonpublic personal information, and it requires safeguards and, eventually, secure disposal. It does not, however, license indefinite retention.
The recordkeeping obligations come mostly from securities and banking rules. For broker-dealers, FINRA rules and the underlying Securities Exchange Act recordkeeping requirements compel firms to retain a wide range of records, often including:
- Account opening and customer identification records
- Order tickets, trade confirmations, and account statements
- Customer correspondence and certain business communications
- Suitability, supervision, and compliance documentation
Many of these records carry multi-year retention periods, and some must be preserved for a set number of years after an account closes. Banks face parallel obligations under banking regulations and anti-money-laundering rules such as the Bank Secrecy Act.
Why deletion requests conflict
Privacy frameworks and state privacy laws increasingly give consumers a right to request deletion of their personal information. But these rights are not absolute. They almost always include an exception for data the organization must keep to comply with a legal obligation.
That exception is exactly where financial recordkeeping lives. When a customer asks a bank or broker to delete their data, records the firm is legally required to retain generally fall outside the deletion right for the duration of the mandated retention period.
How to reconcile the two
A defensible approach treats retention and privacy as one governance discipline rather than opposing camps:
- Map each record category to its controlling legal authority and retention period.
- Honor deletion requests only for data not subject to a retention or legal-hold obligation.
- Document the basis for any refusal so the decision is auditable.
- Dispose of the data securely once the retention clock expires and no legal hold applies.
For more on balancing these duties, see the privacy and PII topic hub. Building these rules into a written schedule, informed by recognized privacy and retention guidance, lets institutions satisfy regulators and respect consumer rights without choosing one over the other.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- The Sedona Conference publications — The Sedona Conference
How to cite this page
APA
RM University Editorial. (2026). What customer records must a bank or broker retain under GLBA and FINRA, and how does that conflict with deletion requests?. Records Management University. https://www.recordsmgmt.org/questions/bank-broker-retain-records-glba-finra-vs-deletion-requests/
MLA
RM University Editorial. "What customer records must a bank or broker retain under GLBA and FINRA, and how does that conflict with deletion requests?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/bank-broker-retain-records-glba-finra-vs-deletion-requests/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?