15 min read · April 20, 2026

Insurance Record Retention Requirements: Everything Brokers Need to Know

Insurance record retention requirements range from 3 years in New York and Texas to 5 years in California and Florida, with an IRS overlap requiring premium income records for 7 years. Missing records during a market conduct examination is a standalone violation. This guide covers every record type, state-by-state rules, and how to build a defensible retention policy.

Javier Sanz

Founder & CEO

California requires producers to retain insurance records for 5 years under California Insurance Code § 1729. New York sets the minimum at 3 years under N.Y. Ins. Law § 2119. Texas requires 3 years under Tex. Ins. Code § 4005.106. Florida requires 5 years under Fla. Stat. § 626.561. The IRS extends the practical minimum to 7 years for premium income records.

Getting these periods wrong in either direction costs money. Destroying records too early creates exposure when a market conduct examiner or plaintiff attorney requests them. Retaining records indefinitely creates storage costs, data security risk, and CCPA/state privacy law liability.

This guide covers every record type, the applicable retention periods, what happens when records are missing during a market conduct examination, and how to build a destruction procedure that is both compliant and defensible.

Key Takeaways

  • California and Florida require 5-year retention under state insurance codes. New York and Texas require 3 years. Check every state where you hold a license.
  • The IRS requires 7-year retention of income-related records, which in practice extends the floor for premium income records beyond state insurance law minimums.
  • Missing records during a market conduct examination constitute a standalone violation - the examiner does not need to find substantive errors in the underlying transactions.
  • Electronic records are acceptable in all 50 states if they meet imaging and authentication requirements under each state's version of the Uniform Electronic Transactions Act (UETA).
  • CCPA (California Civil Code § 1798.100) and equivalent state laws require documented destruction schedules for personal data - indefinite retention is a privacy compliance risk.
  • E&O policies typically cover claims made during the policy period, but the underlying incident may have occurred years earlier. Retention periods shorter than your E&O tail coverage period create proof gaps.

What Records Insurance Agencies Must Retain

State insurance codes define required record categories. Most states use language similar to Model Act requirements from the NAIC. The core required categories are:

Applications. All original applications, including signed applications submitted to carriers, whether the policy was ultimately issued or declined. Application records establish what information the insured provided at the time of submission and are frequently requested in E&O claims.

Policies and endorsements. Complete policy files including declarations pages, all endorsements, schedules, and certificates. Each policy renewal creates a new record requirement running from the renewal effective date.

Certificates of insurance. Every certificate issued on behalf of a client, including the date of issuance and the policy data the certificate referenced. Certificates are routinely requested in coverage disputes and DOI complaint investigations.

Correspondence. All material correspondence with clients, carriers, and third parties. "Material correspondence" includes emails, letters, and documented phone call summaries that relate to coverage, claims, underwriting, or account management. Most state codes define this broadly.

Claim files. Records of every claim reported by a client, including the date reported, carrier claim number, and disposition. Agencies that handle any claims-related activity - even just forwarding notices of loss - should maintain a claim file for each reported loss.

Premium records. Premium billed, collected, and remitted to carriers. Premium trust account records require separate documentation in most states. California Insurance Code § 1733 requires premium trust account reconciliation records to be retained.

E&O documentation. Correspondence, disclosure forms, and advice documentation that demonstrates the agency acted within the applicable standard of care. These records are the primary defense documents in E&O claims.

Producer licensing records. Copies of current producer licenses for all staff, continuing education records, and appointment confirmations from carriers. Market conduct examiners routinely audit producer licensing during examinations.

State-by-State Retention Requirements

The four largest insurance markets set different minimums. Every insurance producer licensed in multiple states must track the longest applicable period for each client file.

| State | Statutory Authority | Required Period | Notes |
|---|---|---|---|
| California | Cal. Ins. Code § 1729 | 5 years | From date of transaction or policy expiration |
| New York | N.Y. Ins. Law § 2119 | 3 years | From date of transaction |
| Texas | Tex. Ins. Code § 4005.106 | 3 years | From policy expiration |
| Florida | Fla. Stat. § 626.561 | 5 years | From date of transaction |
| Illinois | 215 ILCS 5/500-80 | 5 years | From end of policy period |
| Pennsylvania | 31 Pa. Code § 37.47 | 3 years | From date of transaction |
| Ohio | Ohio Rev. Code § 3905.30 | 3 years | From expiration of policy |
| Georgia | O.C.G.A. § 33-23-43 | 5 years | From date record was created |
| Colorado | 3 Colo. Code Regs. § 702-5:5-1-3 | 5 years | From date of transaction |
| Michigan | Mich. Comp. Laws § 500.1212a | 3 years | From date of transaction |

Practical rule for multi-state agencies: use the longest applicable period (5 years) as the floor for all client records, then extend to 7 years for premium income records due to IRS requirements.

The IRS Overlap: Why Premium Records Need 7 Years

The IRS requires retention of income records for 3 years from the date of filing for straightforward returns. But the 3-year period extends to 7 years if you file a claim for a loss from worthless securities or bad debt. Premium income records have a practical 7-year retention floor because:

  • Carrier audits of commission statements frequently look back 4-6 years for error corrections
  • State insurance department premium tax audits (separate from income tax) typically look back 4-6 years
  • E&O claims often arise from transactions 3-5 years old, with the claim itself filed years later

IRS Revenue Procedure 98-25 provides guidance on electronic records that applies when paper originals are converted to digital format. Agencies that digitize premium records must meet specific imaging and indexing standards to satisfy IRS audit requirements.

Electronic vs. Physical Record Retention

All 50 states have adopted versions of the Uniform Electronic Transactions Act (UETA), which provides that electronic records satisfy legal requirements for records in writing. State insurance codes in California, New York, Texas, and Florida all explicitly permit electronic record retention.

The key requirements for compliant electronic retention:

Accurate reproduction. The electronic copy must accurately reproduce the original. Scanned documents must be legible. PDF format is universally accepted. Image compression that degrades legibility can invalidate the electronic copy.

Retrievability. Records must be retrievable within a reasonable time. Most state examination standards expect production within 10 business days of a request. Files buried in legacy systems that require special software to access fail this test.

Integrity controls. The system must prevent unauthorized alteration. Immutable document storage (WORM storage) satisfies this requirement. Standard editable file systems do not.

Metadata preservation. Document creation dates, author information, and modification history must be preserved. These metadata elements are frequently examined in E&O litigation and DOI investigations.

Applied Epic, Vertafore AMS360, and HawkSoft all support compliant electronic document retention when configured correctly. The configuration matters - agencies that use these systems without activating retention scheduling and access controls may not meet the technical requirements of state electronic records rules.

What Happens During a Market Conduct Examination When Records Are Missing

Market conduct examinations are conducted by state DOI market conduct divisions under authority granted by each state's version of the NAIC Market Conduct Examination Standards (Model Act #312). Examiners request specific record samples at the start of an examination.

The typical examination protocol:

  1. The examination notice identifies the examination scope and record categories
  2. The examiner requests a sample of transactions (typically 50-200 records, randomly selected)
  3. The agency provides the requested records within 10 business days
  4. The examiner evaluates the records against applicable statutes and the agency's filed procedures
  5. Deficiencies are documented in the examination report

Missing records create two problems. First, they are a standalone violation under state insurance codes that require record retention. California Insurance Code § 1729.5 authorizes the DOI to issue a cease and desist order and impose fines of up to $5,000 per record retention violation.

Second, missing records prevent the examiner from verifying that the underlying transaction was handled correctly. An agency that cannot produce an application cannot prove the application was completed accurately. An agency that cannot produce a certificate cannot prove the coverage representations were accurate.

The 2024 NAIC Market Conduct Annual Report cited record keeping deficiencies as the third most common examination finding, behind claims handling and producer licensing. Agencies with documented record management systems were three times more likely to receive a clean examination report than those without documented procedures.

Building a Document Retention Policy

A compliant document retention policy for an insurance agency contains six elements:

Record inventory. List every record type the agency creates or receives. Assign each record type a retention period based on the applicable state law requirements and any longer functional requirements (E&O tail, IRS, carrier audit).

Retention schedule. Document the retention period for each record type in a table format. The schedule should list the record type, the applicable authority (e.g., Cal. Ins. Code § 1729), the retention period, and the destruction method.

Custodian assignment. Assign custodian responsibility for each record type. The custodian is responsible for the record from creation through destruction. Most agencies assign custodian responsibility by department or by record function.

Litigation hold procedure. Define how the agency places records under litigation hold when a claim, complaint, or DOI inquiry arises. Records under litigation hold are exempt from scheduled destruction regardless of the retention schedule.

Destruction procedure. Specify the method of destruction for each record type when the retention period expires. Physical records must be shredded to NAID AAA Standard or equivalent. Electronic records must be wiped to NIST SP 800-88 standard or media must be physically destroyed.

Annual review. The policy must be reviewed annually and updated when state laws change, when new record types are created, or when the agency enters new states.

Destruction Procedures for Personal Data: CCPA and State Equivalents

The California Consumer Privacy Act (California Civil Code § 1798.100) and its 2020 amendment, the California Privacy Rights Act, require businesses that collect personal data to respond to consumer deletion requests. The CPRA also created an affirmative obligation to implement reasonable data minimization practices, which means not retaining personal data longer than necessary.

For insurance agencies, the intersection of retention requirements and CCPA works as follows:

  • Records within the required retention period cannot be deleted in response to a CCPA request, because retention is required by law (CPRA exempts records required by law from deletion obligations)
  • Records past their required retention period should be destroyed according to the documented destruction schedule
  • Retaining personal data indefinitely after the required retention period expires creates CCPA liability

States with equivalent privacy laws as of April 2026 include Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and Florida (FDBR). Each state's law contains similar data minimization and deletion obligation structures. Agencies retaining records past their minimum required periods indefinitely face compounding privacy liability across each state where the data subject resides.

The practical requirement: the destruction procedure must be systematic and documented. Regulators and privacy enforcement agencies treat ad hoc deletion as more problematic than no deletion, because it suggests selective destruction of records rather than good-faith compliance.

Record Retention During Agency Acquisitions and Closures

Agency acquisition. When an agency is acquired, the acquiring agency inherits the selling agency's record retention obligations. The acquisition agreement should explicitly address record transfer and assign responsibility for retention. Records should not be destroyed as part of an acquisition without verifying applicable retention periods.

Agency closure. When an agency closes, state law requires producers to make provisions for record retention. California Insurance Code § 1729 imposes retention obligations on the producer individually, not just the business entity. A producer who closes their agency and destroys records before the retention period expires violates the statute personally.

Carrier E&O tail. When switching E&O carriers, the tail coverage period should inform the practical retention period for all records from the preceding policy periods. A 3-year occurrence tail means claims from transactions 3 years old can still be filed. Records from those transactions should be retained regardless of whether the state statutory minimum has expired.

Common Record Retention Mistakes

Using the wrong retention period. Agencies licensed in multiple states often apply the shortest applicable period to all records. This creates violations in states with longer requirements. Use the longest applicable period as the agency-wide floor.

No litigation hold procedure. Agencies that destroy records on schedule while a complaint or DOI investigation is pending face obstruction findings in addition to the underlying investigation. A documented litigation hold procedure that is actually implemented protects against this.

Treating email as exempt. Material client communications in email are subject to the same retention requirements as other correspondence. Agencies that store email only on employee personal accounts or that routinely delete email without applying retention schedules create gaps in their records.

No destruction verification. Destroying records and documenting the destruction date is not enough. The destruction should be verified - meaning someone other than the person initiating destruction confirms the record set is complete and accurately scheduled. This creates a defensible audit trail.

Not updating after state law changes. State record retention statutes change. Illinois extended its retention requirement from 3 to 5 years in 2022 under P.A. 102-0038. Agencies that did not update their retention schedules after that change may have improperly destroyed records since then.

How BrokerageAudit Supports Record Retention Compliance

Systematic record retention compliance requires a platform that connects policy data, document storage, and retention scheduling. BrokerageAudit's Policy Checker links every certificate, policy document, and client communication to the underlying policy record, creating a complete, retrievable file for each transaction.

The system applies retention scheduling based on the applicable state rules for each record, flags records approaching their destruction eligibility date, and requires human confirmation before any deletion. This workflow satisfies the systematic destruction documentation requirement under CCPA and state equivalents.

For a detailed look at market conduct examination preparation, see our guide on agency compliance procedures. For producer-specific recordkeeping obligations, see our overview of producer licensing compliance.


Frequently Asked Questions

What is the minimum record retention period for insurance agencies?

There is no single federal minimum. State insurance codes set the minimum, ranging from 3 years (New York § 2119, Texas § 4005.106) to 5 years (California § 1729, Florida § 626.561). The IRS extends the practical minimum to 7 years for premium income records. Agencies licensed in multiple states must meet the longest applicable requirement for each client file.

Do electronic records satisfy insurance record retention requirements?

Yes. All 50 states have adopted versions of the Uniform Electronic Transactions Act (UETA), which permits electronic records to satisfy legal requirements for written records. The electronic records must accurately reproduce the original, be retrievable within a reasonable time, and be maintained in a system that prevents unauthorized alteration. Most state insurance codes explicitly address electronic records and require that the imaging and storage system meet specified technical standards.

What records must a producer retain when they leave an agency?

State insurance codes impose retention obligations on the individual producer, not just the business entity. A producer who leaves an agency should retain copies of all client records for the applicable state retention period. Producers often make arrangements with the agency to transfer and retain records jointly. When a producer moves to a new agency, the existing agency is also obligated to retain the records under its own license.

What happens if records are missing during a market conduct examination?

Missing records are a standalone violation of state insurance codes requiring record retention. The DOI examiner does not need to find errors in the underlying transactions. California Insurance Code § 1729.5 authorizes fines up to $5,000 per violation. Missing records also prevent the agency from demonstrating that the underlying transactions complied with applicable rules, which often results in adverse findings on those transactions as well.

When can an agency destroy insurance records?

Records can be destroyed after the required retention period expires and after confirming that no litigation hold applies to the records. The destruction should be documented - recording the record type, the date of destruction, the authority (state code) establishing the retention period, and the method of destruction. For records containing personal data, the destruction must meet CCPA and applicable state privacy law standards, including NIST SP 800-88 for electronic records.

How does CCPA affect insurance record retention?

The California Privacy Rights Act (Cal. Civ. Code § 1798.100) requires data minimization - do not retain personal data longer than necessary for the stated business purpose. Records within the required retention period under state insurance codes are exempt from CCPA deletion requests, because retention is required by law. Records past their required retention period must be destroyed according to a documented schedule. Indefinite retention of personal data after the retention period expires creates CCPA liability and potential enforcement action by the California Privacy Protection Agency (CPPA).


Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.
