Compliance is made up of many key functions, each of which varies in importance. But two areas that are often underdiscussed—perhaps due to a perceived lack of glamour—are maintenance and record-keeping.


The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation. To find out more, visit the ICA website.

Stringent maintenance and record-keeping measures are part of the foundations of an effective compliance and risk management framework, so their neglect is as puzzling as it is unwise.

Though new and emerging technologies have helped compliance evolve, it can be all too easy to overlook the basics. Regtech’s contribution to compliance understandably garners attention, but it is often forgotten that maintenance and record-keeping have long been central to a robust compliance framework. Both play crucial roles in ensuring firms remain compliant with regulations and avoid regulatory sanction while helping put customers’ best interests at the center of policy-making.


Maintenance is a broad term covering a range of different activities. Just as one should maintain a car so it doesn’t break down or machinery so it continues to work in the way intended, so it is vital to incorporate maintenance into an effective risk and compliance program. Below are some examples of areas that should be the focus of regular maintenance.

Products: Firms should aim to provide customer-centric products that meet the needs, interests, objectives, and expectations of consumers. A key element of the product lifecycle is product maintenance. Once a product is built and put to market, it is vital it is regularly maintained. Just because a product is fit for purpose at the time of its introduction does not mean it is always going to remain so.

Conducting regular product reviews and maintenance throughout the product lifecycle helps to ensure the product still operates as intended. Failure to conduct appropriate product maintenance can lead to products becoming outdated and vulnerable to risk, as well as offering a poor service to customers.

Policies/procedures: Regularly reviewing and maintaining policies and procedures enables firms to keep up to date with the latest regulations, changes in technology, and best practice across the industry. Firms within high-risk or highly regulated sectors, such as banking, financial technology, healthcare/pharmaceuticals, gambling, and oil and gas, should place particular emphasis on regular policy reviews.

Policies and procedures should be living documents, whereby the core elements often stay the same but the operations adapt according to industry and regulatory developments. Given the sheer volume of tasks a compliance department must oversee, it is easy to see policy and procedural reviews as a reactive activity; however, it is far wiser to practice proactive maintenance so as to avoid issues before they become a problem.

Training: Compliance changes quickly, so it is imperative staff training is regularly maintained. Training—whether mandatory; company-wide; or more specialized targeting a specific team, function, or department—should be regularly reviewed to ensure employees are meeting their legal requirements. Failure to maintain staff training can result in employees following incorrect procedures, not being aware of potential threats or risks, or offering poor customer service, all of which can lead to potential regulatory sanctions or reputational harm.

It is not just the content of the training but the design of the training itself that is important. We all know training is sometimes considered a tick-box exercise, with employees not always fully engaged. Regularly reviewing the way training is delivered helps keep engagement levels high and improves information retention. E-learning, in particular, has emerged as a popular way of disseminating training content, thanks to its interactive nature.


Maintenance and record-keeping go hand in hand. Certain data must obviously be recorded and stored safely and securely, but when a policy has been reviewed or maintained or an investigation has taken place, it is important to keep a record of what has been done and why.

Compliance and risk management today is incredibly complex, and scrutiny from regulators, customers, shareholders, and other stakeholders has never been greater. To avoid potential regulatory enforcement action, firms must adopt an effective record-keeping process to ensure data and information are stored safely and kept up to date.

A robust record-keeping program involves the entire company. From entry level through to senior management and board level, all employees must be aware of their organization’s record-keeping policies, in addition to acknowledging why storing data in a safe and reliable manner is vital.

For compliance officers, it is their responsibility to ensure their firm’s record management policies are adhered to and that the policies fall in line with any record retention schedules, as required by law.

Like maintenance, record-keeping is a broad field. Some key considerations include:

  • Employee training records to ensure they have passed all necessary training modules;
  • Customer identification records;
  • Compliance investigation logs;
  • Disclosures to law enforcement/government agencies;
  • Audit results and any follow-up actions;
  • Policies and procedures, including a record of any amendments made;
  • Reports from the whistleblowing hotline; and
  • Documents evidencing any amendments to the compliance program.

To effectively maintain records, a record-keeping or record management system should be established. The purpose of a record management system is to store and track compliance-related documents, policies, and procedures. An effective system will help ensure regulatory mandates are met, any documentary evidence is easily available, and exposure to risk is reduced.

Key takeaways

  1. Don’t ignore the basics: In a world where technological advancements are changing the way we approach compliance, don’t overlook core compliance issues like ongoing maintenance and record-keeping.
  2. Establish a robust maintenance schedule, determining what needs to be reviewed and when.
  3. Develop a record-keeping program that ascertains record retention schedules, what is required by law, the records that are to be established, and how often they are to be reviewed.
  4. Establish a link between the maintenance schedule and record-keeping program, ensuring records are updated once a review has taken place. This should include what has been reviewed, what the findings were, any next steps, etc.
  5. Make sure all records are updated as per local and global requirements.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.