Document Retention & Compliance – United States (US)

In the United States, document retention rules are not governed by a single authority.
Instead, responsibility is distributed across federal agencies, state laws, and industry regulators, depending on document type, business activity, and sector.

Internal Revenue Service (IRS) — Tax & Financial Records

The Internal Revenue Service (IRS) oversees retention requirements for federal tax records, including:

Accounting records
Income and expense documentation
Payroll tax records
Supporting documents for tax returns

In general, businesses are expected to retain tax records for at least 3 to 7 years, depending on the circumstances, with longer periods recommended where underreporting or disputes may arise. The IRS may examine records during audits or investigations.

➡️ See IRS guidance on recordkeeping:

Federal Trade Commission (FTC) — Privacy & Consumer Data

The Federal Trade Commission (FTC) enforces federal consumer protection and data privacy requirements.

The FTC expects organisations to:

Retain personal data only as long as necessary
Protect consumer information from unauthorised access
Dispose of sensitive information securely

While the U.S. does not have a single GDPR-style law, data retention and disposal are central to privacy enforcement actions.

➡️ See FTC guidance on safeguarding consumer information:

Securities and Exchange Commission (SEC) — Financial & Corporate Records

For publicly traded companies and regulated financial entities, the U.S. Securities and Exchange Commission (SEC) sets explicit retention requirements for:

Financial statements
Transaction records
Broker-dealer and investment adviser records
Communications and disclosures

Retention periods can range from 3 to 7 years or longer, depending on record type and regulation.

➡️ See SEC recordkeeping rules:

Department of Labor (DOL) — Employment & Payroll Records

The U.S. Department of Labor (DOL) oversees record retention related to employment, including:

Payroll records
Wage and hour documentation
Benefits and leave records
Workplace safety documentation

Typical retention periods range from 2 to 3 years, though longer retention may be required under specific employment or benefits laws.

➡️ See DOL recordkeeping requirements:

National Archives and Records Administration (NARA) — Public Sector Records

For federal agencies and government bodies, the National Archives and Records Administration (NARA) sets mandatory retention and disposal schedules.

While NARA directly governs public sector records, its guidance is often used as a best-practice reference for structured records management.

➡️ See NARA records management guidance:

Common US Document Retention Periods (Indicative Guidance)

Table with US Common Document Retention Periods

Beyond Retention Periods: What US Organisations must also consider

Document retention periods alone do not ensure compliance in the United States. Regulators, auditors, and courts expect organisations to manage records in a way that preserves their integrity, evidential value, and lawful handling throughout the entire document lifecycle.

Retention defines how long documents are kept. Compliance depends on how those documents are managed while they are retained, particularly when they may be subject to audits, investigations, or litigation.

Information Integrity and Evidential Value (US Context)

In the United States, documents are routinely relied upon as evidence during tax audits, employment disputes, contractual claims, regulatory examinations, and civil litigation. For a document to carry evidential weight, organisations must be able to demonstrate that it is:

Accurate and complete
Protected from unauthorised alteration
Linked to a clear source and business purpose
Controlled through defined access and versioning
Supported by audit trails where appropriate

A document that has been retained for the correct period but cannot be shown to be authentic or reliable may be challenged, excluded, or given reduced weight in legal or regulatory proceedings.

Retention must be balanced with US Privacy and Discovery Obligations

Unlike the UK and EU, the United States does not have a single, unified data protection law. Instead, retention decisions must balance privacy requirements, regulatory obligations, and litigation discovery rules.

Organisations must be able to justify:

Why a document is retained
How long it is retained for
Whether it may be subject to legal hold
When it can be lawfully disposed of

Over-retention increases exposure during audits, regulatory reviews, and electronic discovery. At the same time, premature deletion can create serious legal risk if documents are required for investigations or litigation.

Demonstrating Compliance in Practice

US regulators, courts, and enforcement bodies do not assess compliance based on intent alone. Organisations are expected to demonstrate control through evidence, which may include:

Documented retention and legal hold policies
Clear ownership and accountability for records
Role-based access controls
Audit trails showing access, modification, and disposal
Consistent and defensible disposal practices

Where controls cannot be demonstrated, organisations may be exposed to regulatory penalties, adverse legal findings, or sanctions during litigation.

Why this matters

In the United States, document retention obligations are rarely governed by a single authority. Organisations must satisfy overlapping requirements arising from tax law, employment law, financial regulation, privacy rules, and litigation discovery obligations.

A structured approach to document management and records management helps organisations apply retention rules consistently, preserve evidential value, respond effectively to audits and discovery requests, and reduce compliance and litigation risk across all applicable obligations.

Document Retention & Compliance – United States (US)

Internal Revenue Service (IRS) — Tax & Financial Records

Federal Trade Commission (FTC) — Privacy & Consumer Data

Securities and Exchange Commission (SEC) — Financial & Corporate Records

Department of Labor (DOL) — Employment & Payroll Records

National Archives and Records Administration (NARA) — Public Sector Records

Common US Document Retention Periods (Indicative Guidance)

Beyond Retention Periods: What US Organisations must also consider

​

Document retention periods alone do not ensure compliance in the United States. Regulators, auditors, and courts expect organisations to manage records in a way that preserves their integrity, evidential value, and lawful handling throughout the entire document lifecycle.

Retention defines how long documents are kept. Compliance depends on how those documents are managed while they are retained, particularly when they may be subject to audits, investigations, or litigation.

​

Information Integrity and Evidential Value (US Context)

​

In the United States, documents are routinely relied upon as evidence during tax audits, employment disputes, contractual claims, regulatory examinations, and civil litigation. For a document to carry evidential weight, organisations must be able to demonstrate that it is:

Accurate and complete

Protected from unauthorised alteration

Linked to a clear source and business purpose

Controlled through defined access and versioning

Supported by audit trails where appropriate

A document that has been retained for the correct period but cannot be shown to be authentic or reliable may be challenged, excluded, or given reduced weight in legal or regulatory proceedings.

​

Retention must be balanced with US Privacy and Discovery Obligations

Unlike the UK and EU, the United States does not have a single, unified data protection law. Instead, retention decisions must balance privacy requirements, regulatory obligations, and litigation discovery rules.

​

Organisations must be able to justify:

Why a document is retained

How long it is retained for

Whether it may be subject to legal hold

When it can be lawfully disposed of

Over-retention increases exposure during audits, regulatory reviews, and electronic discovery. At the same time, premature deletion can create serious legal risk if documents are required for investigations or litigation.

​

Demonstrating Compliance in Practice

US regulators, courts, and enforcement bodies do not assess compliance based on intent alone. Organisations are expected to demonstrate control through evidence, which may include:

Documented retention and legal hold policies

Clear ownership and accountability for records

Role-based access controls

Audit trails showing access, modification, and disposal

Consistent and defensible disposal practices

Where controls cannot be demonstrated, organisations may be exposed to regulatory penalties, adverse legal findings, or sanctions during litigation.

​

Why this matters

In the United States, document retention obligations are rarely governed by a single authority. Organisations must satisfy overlapping requirements arising from tax law, employment law, financial regulation, privacy rules, and litigation discovery obligations.

​

A structured approach to document management and records management helps organisations apply retention rules consistently, preserve evidential value, respond effectively to audits and discovery requests, and reduce compliance and litigation risk across all applicable obligations.