SYSC 9 (record-keeping)
SYSC 9.1.1R requires firms to maintain orderly records sufficient to enable the FCA to monitor compliance and to enable customer redress. For a principal firm, this rule applies across all supervisory activity over its AR network. The product treats SYSC 9 as the spine of the audit model.
The retention floor
The headline SYSC 9 retention period is six years. The rule is more nuanced in practice:
- The general SYSC 9 floor is at least five years for MiFID business [checked 2026-05-08, FCA Handbook SYSC 9.1.1AR (common platform firms) requires retention of records relating to MiFID business for at least five years; Global Relay GRIP summary at grip.globalrelay.com/rules/fca-sysc-9-1/ confirms the rule designation and the five-year period, with the FCA reserving the right to extend to seven], with the five-year window running from the end of the customer relationship rather than the date the record was made.
- Sector-specific overlays in COBS, MCOB, and DISP push the floor higher in some cases.
- The product applies a six-year default for in-scope records, which satisfies the longest commonly applicable floor across the relevant sourcebooks. Where MiFID business is in scope, the five-year MiFID floor running from end of relationship is honoured separately and may extend retention beyond six years from the record date.
The retention floor is encoded in the product’s purge policy: no in-scope record is hard-deleted until both the six-year floor and any applicable MiFID extension have elapsed.
The product’s audit-chain spine
Every supervisory action emits an AuditEvent. The shape of the event:

```ts
export interface AuditEvent {
  id: Ulid;
  tenantId: Ulid;
  at: IsoTimestamp;
  actorUserId: Ulid | null;
  actorRole: Role;
  action: string; // e.g. "breach.notify-fca"
  subjectType: "ar" | "breach" | "review" | "annual-review" | "mi-return" | "tenant" | "user";
  subjectId: Ulid;
  ip: string | null;
  userAgent: string | null;
  prevHash: string; // SHA-256 of prior event for tamper evidence
  hash: string;
}
```

The fields earn their place in the schema by contributing to the SYSC 9 evidentiary requirement:
- `actorUserId` and `actorRole` answer “who did it”.
- `action` and `subjectType + subjectId` answer “what was done, to what”.
- `at` answers “when”.
- `ip` and `userAgent` provide environmental attestation.
- `prevHash` and `hash` form a tamper-evident chain. The hash of every event includes the previous event’s hash, so any retroactive edit to an earlier event invalidates every subsequent hash.
The hash chain is the product’s answer to the question “could a record have been changed after the fact”. A regulator can verify the chain end-to-end by recomputing hashes from the genesis event forward.
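The genesis-forward recomputation described above, as an added TypeScript illustration that is not the product's own code. The field serialisation order, the all-zero genesis `prevHash`, the string stand-ins for `Ulid`, `IsoTimestamp` and `Role`, and the sample events are assumptions made for the example.

```typescript
import { createHash } from "node:crypto";

// Simplified stand-in for the page's AuditEvent (Ulid, IsoTimestamp, Role become strings).
interface ChainedEvent {
  id: string; tenantId: string; at: string;
  actorUserId: string | null; actorRole: string;
  action: string; subjectType: string; subjectId: string;
  ip: string | null; userAgent: string | null;
  prevHash: string; hash: string;
}

// Assumption: the first event links to an all-zero prevHash.
const GENESIS_PREV_HASH = "0".repeat(64);

// Assumption: the hash covers every field except `hash`, serialised in a fixed order.
function eventHash(e: Omit<ChainedEvent, "hash">): string {
  const canonical = JSON.stringify([
    e.id, e.tenantId, e.at, e.actorUserId, e.actorRole, e.action,
    e.subjectType, e.subjectId, e.ip, e.userAgent, e.prevHash,
  ]);
  return createHash("sha256").update(canonical, "utf8").digest("hex");
}

// Append an event, linking it to the current tail of the chain.
function appendEvent(chain: ChainedEvent[], body: Omit<ChainedEvent, "prevHash" | "hash">): void {
  const prevHash = chain.length > 0 ? chain[chain.length - 1].hash : GENESIS_PREV_HASH;
  const linked = { ...body, prevHash };
  chain.push({ ...linked, hash: eventHash(linked) });
}

// Recompute from genesis forward. Returns the index of the first event that fails, or -1.
function firstBrokenIndex(chain: ChainedEvent[]): number {
  let expectedPrev = GENESIS_PREV_HASH;
  for (let i = 0; i < chain.length; i++) {
    const { hash, ...rest } = chain[i];
    if (rest.prevHash !== expectedPrev || eventHash(rest) !== hash) return i;
    expectedPrev = hash;
  }
  return -1;
}

// Constructed sample data: three events against one AR, all identifiers made up.
function sampleChain(): ChainedEvent[] {
  const chain: ChainedEvent[] = [];
  const base = { tenantId: "T1", actorUserId: "U1", actorRole: "compliance", subjectType: "ar", subjectId: "AR1", ip: null, userAgent: null };
  ["review.open", "breach.record", "breach.notify-fca"].forEach((action, i) =>
    appendEvent(chain, { ...base, id: `E${i}`, at: `2026-01-0${i + 1}T09:00:00Z`, action }));
  return chain;
}
```

Recomputation of this kind proves internal consistency only: a chain whose hashes were all regenerated from the edited event onward still verifies, so the tail hash needs to be compared against a copy held outside the store.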
Operational interpretation of “adequate”
SYSC 9 says records must be “sufficient” to enable monitoring and redress. The product’s operational interpretation is stricter: a regulator could reconstruct the full supervisory history of any AR over the retention window without recourse to email or unstructured sources.
The records the product holds are listed on the SUP 12 page (the SUP 12.9 section). The rule that all of them carry an AuditEvent for every state transition lives here, in SYSC 9. The two rules together mean that the existence of a record is not enough; the history of every change to that record is also retained.
Tension with UK GDPR storage limitation
UK GDPR Article 5(1)(e) requires personal data to be kept in a form that permits identification of data subjects for no longer than necessary. SYSC 9 sets a floor; UK GDPR sets a ceiling, framed as a minimum-necessary principle.
The tension is resolved in favour of the regulatory floor for in-scope records. The reasoning:
- SYSC 9 retention is a regulatory obligation, which provides a lawful basis under UK GDPR Article 6(1)(c) for the processing.
- The retention is necessary, not disproportionate, because the FCA can require records up to six years after the record was made.
- Data minimisation is applied at the field level rather than the record level. Free-text fields are scrubbed of personal data that is not necessary for the supervisory purpose; structured fields are retained.
The privacy chapter cross-references SYSC 9 against UK GDPR storage limitation in detail. The summary position: the retention period is regulatory, the lawful basis is regulatory obligation, and the data-minimisation discipline applies at the field level inside the retained record.
Cross-links
- SUP 12 for the substantive AR records list (SUP 12.9).
- Audit-as-evidence for the design philosophy and the replayability story.
- DISP 1 for complaint records, which carry their own retention overlay.