
Insurance Audit Trail Retention Requirements UK: Complete Guide

UK insurance audit trail retention requirements by line, regulator, and data type — FCA minimums, GDPR implications, long-tail liability, and practical implementation.

March 23, 2026 · 12 min read

Few topics generate more confusion inside UK insurance compliance teams than data retention. Ask three compliance officers how long you need to keep claims records and you will likely get three different answers — all of them partially correct. The honest reality is that retention requirements in UK insurance are not a single number. They vary by regulator, by product line, by the nature of the data, and by the specific circumstances of each claim. Getting them wrong in either direction carries serious consequences: delete records too early and you face regulatory sanction and litigation exposure; keep personal data indefinitely without justification and you risk GDPR enforcement action.

This guide sets out the full picture for UK insurance professionals — FCA minimums, GDPR obligations, line-specific requirements, and the practical systems you need to manage retention at scale.

Why Retention Periods Matter More Than Ever

The consequences of inadequate retention policies have sharpened considerably since the FCA intensified its supervisory focus on Consumer Duty in 2024 and 2025. Regulators now expect firms not merely to have treated customers fairly at the point of a transaction but to be able to demonstrate it years after the event. That demonstration almost always depends on records.

The exposure runs in multiple directions simultaneously:

  • Regulatory requests. The FCA can issue a Section 165 notice requiring a firm to produce records relating to a specific customer, a class of business, or a period of time. Firms that cannot comply because records have been destroyed face enforcement action independent of whatever underlying matter triggered the request.
  • Litigation exposure. Civil claims against insurers routinely involve events that occurred years before proceedings were issued. A liability claim may be brought years after the triggering incident. A professional indemnity claim may surface long after the advice was given. Without contemporaneous records, defence becomes substantially harder.
  • ICO investigation. Conversely, keeping records for longer than necessary without a documented lawful basis exposes firms to Information Commissioner's Office scrutiny under UK GDPR. The ICO has issued fines to financial services firms for retaining personal data beyond stated retention periods.
  • Platform migration gaps. Many firms discover their retention problem not during an audit but when they migrate to a new claims system and realise that historical records were not migrated or were migrated in a format that cannot be retrieved or authenticated.

FCA Minimum Retention Requirements

The FCA does not publish a single unified retention schedule for insurance firms. Requirements are spread across the Conduct of Business Sourcebook (COBS), the Insurance Conduct of Business Sourcebook (ICOBS), the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), and various supervisory statements. Key minimums include:

ICOBS and COBS Core Requirements

For most insurance business, ICOBS requires records of customer transactions to be kept for a minimum of three years from the date the record was created. However, this is a floor, not a ceiling, and it applies specifically to the transactional record — not necessarily the full claims file. COBS 9.5 imposes a five-year minimum for records relating to personal recommendations on investment products, which applies where insurance products have an investment component (for example, investment-linked life policies or with-profits bonds).

Communications Records

SYSC 9.1 requires that records sufficient to evidence the firm's compliance obligations are kept for at least five years. In practice, the FCA's Supervision Division expects firms to retain customer communications — including phone recordings under MiFID II/MiFIR where applicable — for five years. Many compliance advisors recommend treating six years as the working minimum for all insurance-related communications, aligning with the Limitation Act 1980 limitation period for simple contract claims.

The Six-Year Benchmark

While not universally mandated by FCA rules, the six-year standard has become the de facto industry benchmark for most general insurance records. The reasoning is straightforward: a customer who disputes a claim decision has six years from the date of the decision to bring a civil claim. If your records do not cover that window, your ability to defend that claim is materially compromised. Most insurers, MGAs, and brokers therefore treat six years as their baseline for general insurance records, applying longer periods where regulation or litigation risk demands it.

For a broader overview of how UK regulatory requirements affect your operations, see our guidance on UK insurance compliance.

The GDPR Tension: Keeping Everything vs. Data Minimisation

UK GDPR creates a structural tension that every insurance compliance team must navigate. On one side sit the regulatory and litigation-driven imperatives to retain records for extended periods. On the other side sit two of UK GDPR's core principles: data minimisation (Article 5(1)(c)) and storage limitation (Article 5(1)(e)). The storage limitation principle specifically requires that personal data is "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."

Reconciling the Conflict

The ICO's guidance on retention in regulated industries is clear that regulatory obligations can constitute a lawful basis for retaining data beyond what might otherwise be considered "necessary." The mechanism is the purpose limitation doctrine: if your original purpose for processing customer data was to administer an insurance policy and handle associated claims, that purpose extends — under the lawful basis of legal obligation and legitimate interests — to retaining records sufficient to meet regulatory requirements and defend legal claims.

The practical requirement is documentation. You cannot simply retain everything indefinitely and invoke GDPR compliance as an afterthought. Your Record of Processing Activities (RoPA) must document:

  • The categories of personal data you hold
  • The specific retention period for each category
  • The lawful basis for that retention period
  • The process for deletion at the end of the retention period

Where a customer exercises their right to erasure under Article 17, insurers are entitled to refuse where retention is necessary for the establishment, exercise, or defence of legal claims (Article 17(3)(e)). This is a genuine exception — not an unlimited one — and the burden falls on the firm to demonstrate that the specific data in question is necessary for that purpose.

Subject Access Requests During Retention Periods

One frequently overlooked implication: if you retain data for six or ten years, you remain obligated to respond to Subject Access Requests for that data throughout the retention period. A customer who made a claim seven years ago can still request their data if you retain it for regulatory reasons. Your SAR response process must be capable of searching and compiling historical claims data efficiently — yet another reason why searchable, structured audit records matter.

Retention Requirements by Insurance Line

The variation in retention requirements across product lines is significant. Applying a blanket policy risks both over-retention (GDPR exposure) and under-retention (regulatory and litigation risk) depending on the line. Below are the key categories.

Motor and Property (Short-Tail Lines)

Motor and property insurance are generally considered short-tail lines — the damage is known quickly, and limitation periods for claims are well-defined. The standard six-year retention period from claim closure or policy expiry (whichever is later) is typically sufficient for most purposes. However, claims involving personal injury (for example, a motor accident with bodily injury) should be treated under the liability schedule below, as personal injury claims have different limitation periods.

Liability, Casualty, and Professional Indemnity (Long-Tail Lines)

Long-tail lines present a fundamentally different retention challenge. A public liability claim for a commercial property incident might not be notified to insurers until three or four years after the triggering event. A professional indemnity claim may arise from advice given a decade earlier. The principle of "long-tail" risk is that the insurer's exposure is not bounded by the policy year.

For liability and professional indemnity lines, the recommended minimum retention period is ten years from claim closure — or beyond the applicable limitation period, whichever is longer. For claims notified late (close to the six-year limitation period), the retention clock runs from the date of notification, not the date of the underlying incident, meaning some claims files will need to be retained for up to twelve or fifteen years in total from first incident.

Employer's Liability: The 40-Year Rule

Employer's liability insurance is subject to one of the most demanding retention requirements in UK insurance: the Employers' Liability (Compulsory Insurance) Act 1969, reinforced by subsequent regulations, effectively requires that EL records be retained for a minimum of 40 years. The driver is industrial disease claims — asbestosis, mesothelioma, occupational deafness, vibration white finger — where symptoms may not manifest until decades after exposure, and where the relevant insurer at the time of exposure must be identified.

The Employers' Liability Tracing Office (ELTO) database exists precisely because records were historically lost or destroyed, leaving disease claimants unable to trace the insurer that was on risk when exposure occurred. Firms writing EL must maintain records capable of identifying the policy, the employer, and the periods of cover for the full 40-year period.

Life Insurance

Life insurance records should be retained for the full policy term plus a minimum of six years following the end of the policy (whether by maturity, death claim settlement, or surrender). For whole-of-life policies, this means the record obligation can extend for very long periods indeed. Death benefit claims in particular must be retained to enable the firm to respond to estate queries, court proceedings, or regulatory requests that may arise years after settlement.

Health Insurance and Workers' Compensation

Health-related claims involve special category personal data under UK GDPR (Article 9), requiring a specific lawful basis for processing beyond the standard Article 6 conditions. The retention of medical records associated with health insurance or workers' compensation claims must follow the NHS Records Management Code of Practice as a benchmark — typically a minimum of eight years from the last entry for adult patients, longer for certain categories. Any firm processing health data within claims should have an explicit data protection impact assessment (DPIA) in place, documented and reviewed annually.

Claims Involving Minors

One of the most commonly overlooked retention complications arises when a claim involves a minor — a child injured in a road traffic accident, for example, or a minor who is a beneficiary under a policy. The Limitation Act 1980 creates a specific rule for minors: the limitation period does not begin to run until the claimant reaches the age of 18. This means that a child injured at age five has until their 24th birthday to bring a claim.

The practical retention implication is significant: any claim file touching a minor must be retained until at least three years after the minor's 18th birthday (to account for the standard three-year personal injury limitation period), and in practice until the minor's 21st birthday at minimum. For serious injuries — particularly those involving brain injury or conditions that affect mental capacity — there may be no limitation period at all under the Limitation Act, and records should be retained indefinitely or until legal advice confirms the exposure has expired.

This is not an academic point. Firms that apply a blanket six-year deletion policy without flagging claims involving minors are systematically destroying records they are legally required to retain.

Practical Implementation: Building a Compliant Retention Architecture

Knowing what you must retain is only half the problem. The other half is building systems that enforce retention reliably, cost-effectively, and in a way that supports retrieval when needed.

Tiered Storage Strategy

Most organisations benefit from a tiered approach that balances accessibility against cost:

  1. Hot storage (0–2 years). Active and recently closed claims should remain in your primary claims management system, fully indexed and instantly searchable. This covers the period of highest activity — appeals, queries, ongoing litigation.
  2. Warm storage (2–6 years). Closed claims move to near-line storage, accessible within minutes rather than seconds. Full text search should still be available. These records are the most likely to be needed for FCA requests and litigation.
  3. Cold storage (6+ years). Long-tail and EL records transition to low-cost cloud archiving. Retrieval may take hours, but the data must be intact, unaltered, and retrievable in a format that can be authenticated.

WORM Storage and Immutability

Write Once Read Many (WORM) storage is the technical standard for audit records that must demonstrate they have not been altered since creation. WORM-compliant storage prevents any modification of a record after it has been written — satisfying both the FCA's expectation that audit records are reliable evidence and the requirement that records be authentic for litigation purposes. Cloud providers including AWS (S3 Object Lock), Azure (Immutable Blob Storage), and Google Cloud (Bucket Lock) offer WORM-compliant storage at low cost.

Audit Log Compression and Archiving

Detailed audit logs — every state change, every decision point, every user action — grow substantially in volume over time. Compression using standard formats (gzip, zstd) reduces storage costs without compromising data integrity, provided the compression format is documented and the decompression process is tested regularly. Logs should be archived in open, well-documented formats rather than proprietary ones that may become unreadable as software evolves.

Retention Schedules as Executable Rules

The biggest risk in retention management is relying on human processes to enforce deletion schedules. Claims that were supposed to be deleted three years ago — and were not — represent both a GDPR liability and a management overhead. Retention schedules must be implemented as executable rules within your claims platform, with automated archiving and deletion triggered by claim type, closure date, and any exception flags (such as minor involved, ongoing litigation hold, regulatory investigation).
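The following is an added example, not code from Regure or from the original article, showing what "retention schedules as executable rules" looks like in practice. It encodes the line-by-line periods from the sections above (six years for short-tail lines, ten for liability and professional indemnity, 40 for employer's liability, policy end plus six for life, eight for health) together with the exception flags the text calls for: bodily injury on a motor or property claim moves it onto the liability schedule, a minor claimant extends retention to at least three years past their 18th birthday, and litigation or regulatory holds block deletion outright. It also assigns the hot/warm/cold storage tier from the tiered storage section. The `Claim` fields, the `RETENTION_YEARS` table and the sample claims are constructed assumptions; the figures must be confirmed against a compliance-approved schedule before anything like this drives automated deletion.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Minimum retention periods in years, taken from the article's line-by-line
# guidance. Constructed starting point: confirm against your own approved schedule.
RETENTION_YEARS = {
    "motor": 6,                   # six-year benchmark, from later of closure/expiry
    "property": 6,
    "liability": 10,              # long-tail: ten years from closure
    "professional_indemnity": 10,
    "employers_liability": 40,    # EL 40-year rule
    "life": 6,                    # six years after the policy ends
    "health": 8,                  # NHS records code benchmark: eight years
}
AGE_OF_MAJORITY = 18
PERSONAL_INJURY_LIMITATION_YEARS = 3
HOT_TIER_YEARS = 2
WARM_TIER_YEARS = 6


@dataclass
class Claim:
    claim_id: str
    line: str
    closure_date: date
    policy_expiry: date
    bodily_injury: bool = False          # motor/property with PI -> liability schedule
    claimant_dob: Optional[date] = None  # set when the claimant is a minor
    litigation_hold: bool = False
    regulatory_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def effective_line(claim: Claim) -> str:
    """Short-tail claims involving bodily injury fall under the liability schedule."""
    if claim.bodily_injury and claim.line in ("motor", "property"):
        return "liability"
    return claim.line


def retention_expiry(claim: Claim) -> date:
    """Earliest date on which the file may leave retention, ignoring holds."""
    line = effective_line(claim)
    years = RETENTION_YEARS[line]
    if line == "life":
        expiry = add_years(claim.policy_expiry, years)
    else:
        expiry = add_years(max(claim.closure_date, claim.policy_expiry), years)
    if claim.claimant_dob is not None:
        # Limitation runs from the 18th birthday; keep at least three years beyond it.
        minor_floor = add_years(claim.claimant_dob,
                                AGE_OF_MAJORITY + PERSONAL_INJURY_LIMITATION_YEARS)
        expiry = max(expiry, minor_floor)
    return expiry


def deletion_decision(claim: Claim, today: date) -> str:
    """Return 'hold', 'retain' or 'eligible'; actual deletion still needs sign-off."""
    if claim.litigation_hold or claim.regulatory_hold:
        return "hold"
    return "retain" if today < retention_expiry(claim) else "eligible"


def storage_tier(claim: Claim, today: date) -> str:
    """Hot (0-2y), warm (2-6y) or cold (6y+), measured from claim closure."""
    age_years = (today - claim.closure_date).days / 365.25
    if age_years < HOT_TIER_YEARS:
        return "hot"
    if age_years < WARM_TIER_YEARS:
        return "warm"
    return "cold"


if __name__ == "__main__":
    today = date(2026, 3, 23)
    sample = [  # constructed claims, not real data
        Claim("C1", "motor", date(2020, 3, 1), date(2020, 6, 30)),
        Claim("C2", "motor", date(2020, 3, 1), date(2020, 6, 30),
              bodily_injury=True, claimant_dob=date(2015, 9, 14)),
        Claim("C3", "employers_liability", date(1995, 4, 10), date(1995, 1, 1)),
        Claim("C4", "property", date(2015, 1, 15), date(2014, 12, 31),
              litigation_hold=True),
    ]
    for c in sample:
        print(c.claim_id, retention_expiry(c), deletion_decision(c, today),
              storage_tier(c, today))
```

Two design choices matter here. The decision function never returns "delete": it only reports eligibility, so the compliance-reviewed threshold cannot be overridden by the same code path that applies it. And the minor-claimant floor is applied as a `max` over the line-specific expiry, so flagging a minor can only ever lengthen retention, never shorten it.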

Common Mistakes That Create Compliance Exposure

Based on typical compliance audit findings across UK insurance firms, the most frequent retention-related failures fall into predictable categories:

  • Applying a single retention period across all claim types. A blanket six-year policy applied to EL claims is a serious regulatory breach. Retention schedules must be differentiated by product line.
  • Deleting records within the minimum retention window. Storage cost pressures sometimes lead operations teams to delete records before the retention period has expired, without proper compliance sign-off. Automated deletion rules must include compliance-reviewed minimum thresholds that cannot be overridden without documented authorisation.
  • Failing to retain records across platform migrations. When a firm migrates from one claims system to another, historical records must be migrated in full, in an authenticated format, and verified to be complete. Many firms discover gaps only when they need to retrieve a record and find it was never migrated. Due diligence for any platform migration must include a data migration audit.
  • No exception handling for minors or ongoing litigation. Standard retention schedules must include a mechanism to apply extended holds where circumstances require it. Claims involving minors, claims under active litigation, and claims under regulatory investigation should all be flagged for manual review before any automated deletion process runs.
  • Undocumented retention schedules. A retention policy that exists only in the head of the compliance director, or in a document that has not been reviewed since 2019, is not a compliance control. Retention schedules must be documented, reviewed annually, and mapped to the RoPA.
  • No retrieval testing. Records that exist but cannot be retrieved in a usable format are functionally equivalent to records that do not exist. Firms should regularly test retrieval of archived records — including confirming that the records can be authenticated (for example, via hash verification) and presented in a format suitable for use in legal proceedings.
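The archiving and retrieval-testing points above (compressing audit logs in a documented open format, and proving on retrieval that a record can be authenticated via hash verification) are illustrated by the following added example. It is not Regure's code or code from the article: it gzips a JSON-lines audit log, writes a manifest carrying SHA-256 hashes of both the compressed and the uncompressed content, and on retrieval refuses to hand back any record that does not match the manifest. The log lines, field names and `archive_id` value are constructed for the example. In a real deployment the manifest would itself be written to WORM storage so the hashes cannot be rewritten alongside the data.

```python
import gzip
import hashlib
import json
from datetime import datetime, timezone

# Constructed audit-log lines (one JSON record per line) standing in for a claims
# platform's export. They are not real records.
SAMPLE_LOG = [
    '{"ts":"2019-06-03T09:14:02Z","claim":"CLM-0001","actor":"adjuster.a","event":"fnol_received"}',
    '{"ts":"2019-06-04T11:02:45Z","claim":"CLM-0001","actor":"adjuster.a","event":"reserve_set","amount":4200}',
    '{"ts":"2019-07-19T16:30:10Z","claim":"CLM-0001","actor":"adjuster.b","event":"settled","amount":3950}',
    '{"ts":"2019-07-19T16:31:00Z","claim":"CLM-0001","actor":"system","event":"closed"}',
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_log(lines, archive_id: str):
    """Compress the log with gzip and return (blob, manifest).

    The manifest hashes the *uncompressed* content as well as the blob, so a
    future verifier does not depend on the compressor producing identical bytes.
    """
    raw = ("\n".join(lines) + "\n").encode("utf-8")
    blob = gzip.compress(raw)
    manifest = {
        "archive_id": archive_id,
        "format": "jsonl+gzip",           # open, documented format per the article
        "line_count": len(lines),
        "uncompressed_bytes": len(raw),
        "sha256_uncompressed": sha256_hex(raw),
        "sha256_compressed": sha256_hex(blob),
        "archived_at": datetime.now(timezone.utc).isoformat(),
    }
    return blob, manifest


def restore_and_verify(blob: bytes, manifest: dict):
    """Decompress, check both hashes and the line count, and return the lines.

    Raises ValueError on any mismatch so a retrieval test fails loudly rather
    than returning a record whose authenticity cannot be demonstrated.
    """
    if sha256_hex(blob) != manifest["sha256_compressed"]:
        raise ValueError("compressed archive does not match manifest")
    raw = gzip.decompress(blob)
    if sha256_hex(raw) != manifest["sha256_uncompressed"]:
        raise ValueError("decompressed content does not match manifest")
    lines = raw.decode("utf-8").splitlines()
    if len(lines) != manifest["line_count"]:
        raise ValueError("line count differs from manifest")
    for line in lines:
        json.loads(line)  # every record must still parse: readability check
    return lines


def retrieval_test(blob: bytes, manifest: dict) -> bool:
    """Periodic check: True only when the archive restores and authenticates."""
    try:
        restore_and_verify(blob, manifest)
        return True
    except (ValueError, OSError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    blob, manifest = archive_log(SAMPLE_LOG, "CLM-0001-2019")
    print(json.dumps(manifest, indent=2))
    print("retrieval ok:", retrieval_test(blob, manifest))
    # Simulate an altered archive: the settlement amount is changed and recompressed.
    tampered, _ = archive_log([l.replace("3950", "39500") for l in SAMPLE_LOG], "x")
    print("tampered ok:", retrieval_test(tampered, manifest))
```

Run on a schedule against a sample of cold-tier archives, `retrieval_test` gives the evidence the last bullet asks for: that the record exists, decompresses with the documented tooling, parses, and matches the hashes recorded when it was archived.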

How Regure Handles Retention Requirements

Managing retention across multiple product lines, claim types, and regulatory requirements requires more than a spreadsheet retention schedule. It requires a claims platform that enforces retention rules programmatically, maintains immutable audit records across the full claim lifecycle, and supports retrieval of any record in an authenticated, tamper-evident format.

Regure's audit trail platform is built around this requirement. Every action taken on a claim — from first notification through settlement and final closure — is recorded in an immutable, timestamped log that cannot be modified after creation. Retention periods are configured at the claim type level, with exception flags for minors, ongoing litigation, regulatory holds, and EL-specific 40-year requirements. Automated archiving moves records through storage tiers according to defined schedules, and retrieval tools allow compliance teams to produce a complete, authenticated claim record on demand.

For firms subject to FCA supervision, this means being able to respond to a Section 165 notice within hours rather than days — producing a complete, auditable record of every decision made in relation to a claim, including which adjuster made each decision, when, and on what basis.

See our full guidance on UK compliance requirements for an overview of the regulatory landscape that drives these retention obligations.

Building a Defensible Retention Programme

The goal of a retention programme is not merely compliance — it is defensibility. When a regulator asks why you deleted a record, you need to be able to point to a documented policy, an approved retention schedule, a lawful basis under UK GDPR, and an automated process that enforced deletion at the right time and not before. When a claimant's solicitor demands the full claims file for a 2019 incident, you need to be able to produce it in minutes, not days.

Defensibility requires three things working together: clear policies that reflect the actual regulatory landscape; systems that enforce those policies without relying on human memory; and records that are authentic, searchable, and retrievable when needed. Most firms have the first in some form. Far fewer have the second and third operating reliably.

The question regulators and courts ask is not "did you have a retention policy?" but "can you produce the record?" A policy that cannot be demonstrated through actual records is, in regulatory terms, a policy that does not exist.

Ready to Build Compliant Audit Trails?

If your current claims platform cannot enforce differentiated retention schedules, produce authenticated records on demand, or demonstrate an immutable audit trail to an FCA examiner, now is the time to address it. The regulatory direction of travel — Consumer Duty, increased supervisory intensity, FCA data requests — is only moving in one direction.

Request a Regure demo to see how our audit trail and claims automation platform handles retention requirements across all UK insurance lines — from motor and property through to employer's liability and long-tail casualty.

Regure Team
Insights from the team building compliance-ready operations for insurance.