Skip to content
Compliance 19 min read ·

Record-Keeping Requirements Under the National Credit Act

Understand NCA record-keeping requirements for South African credit providers and debt counsellors, including what to retain, for how long, and why.

#record-keeping #NCA #compliance #south-africa #documentation #credit-providers

Record-keeping is one of the less glamorous aspects of credit compliance, but it is one of the most consequential. When the NCR audits your firm or when a consumer dispute arises, your ability to produce the right records quickly determines whether the outcome is routine or damaging. Many firms treat record-keeping as an afterthought — and pay for it when they cannot reconstruct what happened.

The National Credit Act requires credit providers and debt counsellors to maintain adequate records of all credit agreements, assessments, and related communications. These records must be kept in a manner that allows retrieval and verification, and they must be retained for prescribed periods. Yet many firms struggle to meet these obligations because records are scattered across systems, stored inconsistently, or lost entirely when staff leave or systems change. This article explains what record-keeping requirements apply under the National Credit Act, what retention periods you must meet, and how to build systems that make compliance a natural outcome of good operations rather than a reactive burden. For a broader overview of NCA compliance obligations, see our comprehensive guide to National Credit Act compliance.

What the NCA Requires

The National Credit Act mandates that credit providers and debt counsellors maintain adequate records of all credit agreements, assessments, and related communications. Section 61 establishes record-keeping obligations that apply throughout the credit lifecycle, from initial affordability assessments through ongoing account management and debt counselling processes. These obligations are not optional, and the National Credit Regulator expects to see complete, accessible records during audits.

The Act requires that records be kept in a manner that allows retrieval and verification. This means that records must be organised, searchable, and complete enough that an auditor or regulator can understand what happened, when it happened, and why particular decisions were made. Vague or incomplete records create compliance risk because they fail to demonstrate that proper processes were followed. The NCR expects to see consistent methodology, proper documentation, traceability of outcomes, and clear justification for every credit decision.

For credit providers, record-keeping obligations extend to every aspect of the credit relationship. Affordability assessments must be documented, showing what data was considered, how calculations were performed, and why the provider concluded that credit was affordable or unaffordable. Credit agreements must be retained with all supporting documentation, including pre-agreement statements, quotations, and disclosure documents. Ongoing account management records must show payment history, communications with consumers, and any changes to terms or conditions.

For debt counsellors, record-keeping requirements are equally comprehensive. Every case file must contain the initial assessment of over-indebtedness, credit bureau reports used, calculations of debt-to-income ratios, proposals sent to credit providers, responses received, and final agreements reached. The file must tell a complete story: how the counsellor assessed the situation, what they recommended, and how the matter was resolved. Incomplete or inconsistent documentation creates compliance risk and can lead to regulatory action.

The NCA does not prescribe a specific format for records, but it does require that records be complete and legible. Digital records are acceptable and increasingly expected, but they must be secured against loss, tampering, and unauthorised access. The key requirement is that records can be retrieved and verified when needed — whether for routine audits, consumer complaints, or regulatory investigations. Systems that centralise records, provide searchable access, and maintain comprehensive audit trails support this requirement more effectively than scattered files or manual filing systems.

Specific Retention Periods

The National Credit Act and related regulations specify retention periods for different types of credit records. These periods are not arbitrary — they reflect the need to maintain records long enough to support regulatory oversight, defend against complaints, and meet legal obligations while balancing data protection requirements under POPIA.

The Credit Bureau Regulations (Regulation 19) specify minimum retention periods for credit bureau data. Enquiry data — records of when credit reports were pulled — must be retained for at least one year. Payment profile information — data about payment behaviour and account performance — must be retained for at least five years. These are minimum periods, and credit professionals may need to retain data longer to meet other obligations or to defend against potential complaints or legal actions.

Credit agreements and supporting documents are typically retained for the life of the agreement plus a period after settlement. The exact period depends on the type of agreement and potential legal claims, but many firms retain these records for at least five years after the agreement is settled or terminated. This ensures that records are available if disputes arise or if regulators investigate historical practices. For agreements that may be subject to reckless lending allegations, longer retention may be prudent.

Affordability assessment records must be retained for the same period as the credit agreements they supported. If an agreement is retained for five years after settlement, the assessment that led to that agreement should also be retained for the same period. This creates a complete record that shows what data was considered, how the assessment was conducted, and why the provider concluded that credit was affordable. Without the assessment records, it becomes difficult to defend decisions made years earlier.

Debt counselling documentation has its own retention requirements. Form 17.2 applications, proposals sent to credit providers, court orders, and related correspondence must be retained for at least five years after the case is closed. This ensures that debt counsellors can demonstrate that proper processes were followed, that proposals were reasonable, and that agreements were reached fairly. The NCR expects to see complete case files during audits, and missing documentation creates compliance risk.

The Protection of Personal Information Act creates a tension with these retention requirements. POPIA requires that personal information not be kept longer than necessary for the purpose for which it was collected. This means that credit professionals cannot retain data indefinitely simply because it might be useful — they must balance NCA retention requirements with POPIA’s limitation principle. The resolution is to establish clear retention policies that specify how long different types of data will be retained, when data will be deleted, and what exceptions apply. These policies should be documented, communicated to staff, and implemented systematically.

What Records Must Be Kept

Credit providers and debt counsellors must maintain comprehensive records that document every material aspect of credit relationships and assessments. The specific records required depend on the role and the type of activity, but certain categories are universal. Understanding what must be kept helps firms identify gaps in their current record-keeping practices and build systems that ensure completeness.

Credit bureau reports pulled for assessments are fundamental records. Every time a report is requested from Experian, Datanamix, TransUnion, or another bureau, that pull should be recorded with a timestamp and attributed to a specific operator. The report itself should be preserved as it existed at the time of the pull, not replaced with a later version. This creates a historical record of what data was available when assessments were conducted, which is essential when defending decisions made months or years earlier. The audit trail must show which reports were pulled, when they were pulled, who pulled them, and for which application or case.

Affordability assessment calculations must be documented completely. This includes the income figures used, how they were verified, the existing debt obligations identified, the expense estimates applied, and the debt-to-income ratios calculated. If internal scoring models or decision rules were used, those should be documented as well. The calculations should be reproducible — an auditor should be able to follow the methodology and reach the same numbers. This transparency supports both compliance and internal quality control.

Decision documentation must explain why particular outcomes were reached. Whether an application was approved, declined, or referred, the rationale should be documented and tied to the specific bureau report and calculations used. Generic statements such as “consumer meets criteria” are insufficient. The rationale should explain what factors were considered, how they were weighted, and why the particular outcome was reached. If credit was granted despite concerns, or if it was declined despite some positive factors, that reasoning should be explicit.

Credit agreements and supporting documents form another critical category. Pre-agreement statements, quotations, disclosure documents, signed agreements, and any amendments or variations must be retained. These documents show what information was provided to consumers, what terms were agreed, and how the relationship was structured. When disputes arise about terms, costs, or disclosure, these records are essential for demonstrating compliance.

Correspondence with consumers must be retained. This includes application forms, emails, letters, phone call notes, and any other communications that relate to credit relationships or assessments. These records help demonstrate that consumers were informed about decisions, that their questions were answered, and that proper communication occurred. When complaints arise, correspondence records help show what information was shared and when.

For debt counsellors, additional documentation is required. Form 17.2 applications must be retained, along with the initial assessment of over-indebtedness, credit bureau reports used in that assessment, calculations of debt-to-income ratios, proposals sent to credit providers, responses received from providers, court orders, and final agreements. The case file must tell a complete story: how the counsellor assessed the situation, what they recommended, how providers responded, and how the matter was resolved. Incomplete files create compliance risk.

Communications with credit providers are also essential for debt counsellors. When proposals are sent, responses received, negotiations conducted, or agreements reached, these communications must be documented and retained. The NCR expects to see evidence that debt counsellors communicated effectively with providers, provided necessary information, and responded to queries promptly. Poor communication can delay resolutions and create grounds for complaints.

Format and Accessibility

The National Credit Act requires that records be kept in a manner that allows retrieval and verification, but it does not prescribe a specific format. This flexibility allows firms to choose storage methods that suit their operations, but it also creates responsibility to ensure that chosen methods meet the core requirements: records must be complete, legible, accessible, and secure.

Digital records are acceptable and increasingly expected. The NCR recognises that modern credit operations rely on digital systems, and digital storage can actually improve accessibility and security when implemented properly. However, digital records must be secured against loss, tampering, and unauthorised access. This means implementing encryption at rest, access controls, backup systems, and audit logs that track who accessed what information and when.

Records must be retrievable when needed. This means that storage systems must support search and filtering capabilities that allow staff to locate specific records quickly. When an audit is announced or a consumer complaint arises, firms must be able to produce relevant records without days of manual searching. Systems that centralise records, provide searchable access, and link related documents support this requirement more effectively than scattered files or manual filing systems.

Records must be verifiable, meaning that auditors must be able to confirm that records are authentic, complete, and contemporaneous. Notes written weeks or months after a decision was made are less credible than documentation created at the time. Digital systems that timestamp actions, attribute them to specific operators, and prevent retroactive modification create stronger verification than manual records that can be altered or backdated.

The format must ensure that records remain legible over time. Digital records stored in standard formats such as PDF, structured data formats, or database records typically meet this requirement, but firms must ensure that storage systems remain accessible as technology evolves. Proprietary formats that require specific software may become inaccessible if that software is discontinued, creating long-term risk.

Access controls are essential for both security and compliance. Not every staff member needs access to all records, and role-based access controls ensure that sensitive information is only accessible to those who need it for their roles. This supports both POPIA compliance and NCR expectations for proper data governance. Access should be logged as part of the audit trail, showing who accessed what information and when.

Backup and disaster recovery systems ensure that records are not lost due to system failures, natural disasters, or cyberattacks. The NCA does not excuse record-keeping failures because of technical problems — firms are responsible for ensuring that records are preserved even when primary systems fail. Regular backups, tested recovery procedures, and secure off-site storage support this requirement.

The Problem With Scattered Records

Many credit firms struggle with record-keeping because records are scattered across multiple systems, stored inconsistently, or managed through ad hoc processes. This fragmentation creates significant compliance risk and operational inefficiency. Understanding where these problems arise helps firms identify what needs to change.

PDF reports downloaded to shared drives create the first problem: there is no automatic link between the report and the application it informed. When a credit officer pulls a report from a bureau portal, downloads it as a PDF, and saves it to a folder, the system does not know which application this report relates to. Later, when documentation is needed for an audit or complaint, staff must search through folders, match filenames to applications, and hope that the correct report version is still available. This process is error-prone and time-consuming, and it creates gaps in the audit trail.

Emails in individual inboxes create another gap. When assessors make decisions and communicate them via email threads, those decisions are not linked to the bureau reports or calculations that informed them. The decision exists in one system, the report exists in another, and the connection must be reconstructed manually. Email threads can be deleted, forwarded incorrectly, or lost entirely, making it impossible to show what decision was made and why. When staff leave the organisation, their email accounts may be deleted, taking institutional knowledge with them.

Notes in spreadsheets create similar problems. When assessment calculations or decision notes are maintained in Excel files or Google Sheets, they exist separately from bureau reports and application records. The link between data, calculations, and decisions must be maintained manually, and it often breaks down. Spreadsheets can be modified retroactively, making it difficult to verify when notes were created or whether they reflect contemporaneous thinking. Version control is poor, and multiple versions may exist without clear indication of which is authoritative.

Decisions communicated verbally create the most serious gap. When assessors make decisions in meetings or phone calls without documenting them properly, there is no record of what was decided or why. Later, when documentation is needed, staff must rely on memory or reconstruct decisions based on incomplete information. This creates compliance risk because auditors cannot verify that proper processes were followed or that decisions were justified.

When records are scattered across systems and people, retrieval is slow, completeness is uncertain, and audit readiness is low. Staff turnover compounds the problem — when a key person leaves, institutional knowledge goes with them. Files may exist in their personal email accounts, on their laptops, or in their memory. The organisation loses the ability to reconstruct what happened, creating significant compliance and operational risk.

The cost of this fragmentation becomes apparent when audits occur or complaints arise. Staff spend days searching through multiple systems, matching documents to applications, locating decision notes, and piecing together what happened. This reactive approach increases stress, consumes significant time and resources, and often fails to produce complete records. Even when records are eventually assembled, gaps and inconsistencies may remain, creating ongoing compliance risk.

Building a Record-Keeping System That Works

The solution to scattered records is to build record-keeping into the assessment process itself, not treat it as a separate administrative task. When every bureau pull, every calculation, and every decision is recorded automatically in a centralised system, records become a natural output of operations rather than a burden that requires extra effort.

Centralised storage linked to assessments and decisions creates the foundation. Every bureau pull should be stored in the same system where assessments are conducted and decisions are recorded. This creates automatic links between data, calculations, and outcomes. When an auditor asks to see the assessment for a particular application, the complete file is available in one place: the bureau report, the calculations, the decision rationale, and all related documentation. There is no need to search through multiple systems or reconstruct connections manually.

Automated timestamping ensures that every action is recorded with when it occurred. When a bureau report is pulled, the system records the timestamp automatically. When an assessment is completed, the system records when it was finished. When a decision is made, the system records when it was finalised. This creates a chronological record that shows the sequence of events, which is essential for demonstrating that proper processes were followed and that decisions were made based on available data.

Version control prevents records from being lost or overwritten. When bureau reports are updated or when assessment notes are revised, the system preserves historical versions. This ensures that auditors can see what data was available at the time decisions were made, even if that data has since changed. Version control also prevents accidental deletion or modification, creating stronger verification than systems where records can be altered retroactively.

Search and retrieval capabilities allow staff to locate specific records quickly. When an audit is announced or a consumer complaint arises, firms can search by application number, consumer name, date range, or other criteria to find relevant records immediately. This eliminates the days of manual searching that characterise reactive record-keeping approaches. Search capabilities should extend across all record types: bureau reports, assessments, decisions, agreements, and correspondence.

This approach is not about creating more paperwork — it is about making records a natural output of the assessment process. When assessors pull bureau reports through a system that automatically stores them, when they perform calculations in that same system, and when they record decisions in that system, the records exist without requiring separate administrative work. Compliance becomes operational rather than administrative, reducing both effort and risk.

The practical benefit is reduced stress and improved audit readiness. When audits occur, firms can produce coherent records quickly instead of scrambling to assemble files. When complaints arise, they can show exactly what data was considered and how decisions were reached. When policies change, they can update processes systematically rather than hoping that everyone remembers the new requirements. Record-keeping becomes a by-product of good operations rather than a separate burden.

Intersection With POPIA

The Protection of Personal Information Act creates a tension with NCA record-keeping requirements. POPIA requires that personal information not be kept longer than necessary for the purpose for which it was collected, while the NCA and Credit Bureau Regulations specify minimum retention periods. Credit professionals must balance these requirements: retaining data long enough to meet regulatory obligations while not keeping it longer than necessary.

The resolution is to establish clear retention policies that specify how long different types of data will be retained, when data will be deleted, and what exceptions apply. These policies should be documented, communicated to staff, and implemented systematically. Retention periods should align with regulatory requirements: Credit Bureau Regulations specify minimum periods for bureau data, NCA requirements specify periods for agreements and assessments, and POPIA requires that data not be kept longer than necessary.

For credit bureau enquiry data, the Credit Bureau Regulations require retention for at least one year. For payment profile information, retention is required for at least five years. Credit agreements and supporting assessments should typically be retained for the life of the agreement plus a period after settlement — often five years — to support potential disputes or regulatory investigations. Debt counselling documentation should be retained for at least five years after case closure.

However, retaining data indefinitely violates POPIA’s requirement that data not be kept longer than necessary. Once retention periods have expired and there is no ongoing legal or regulatory need to retain data, it should be securely deleted. This requires systems that can identify expired data, flag it for deletion, and securely remove it from all systems including backups. Manual deletion processes are error-prone and often result in either premature deletion or indefinite retention.

Document your retention policy clearly. The policy should specify retention periods for each type of record, the rationale for those periods, exceptions that may apply, and procedures for secure deletion. This documentation helps demonstrate to regulators that you have considered POPIA requirements and have implemented a defensible approach to data retention. When the Information Regulator asks about retention practices, you can show that you have a clear policy and that it is being followed.

The intersection of NCA and POPIA obligations means that credit professionals cannot simply retain all data indefinitely “just in case” — they must have defensible retention policies that balance regulatory requirements with data protection principles. Systems that automatically manage retention periods, flag expired data for deletion, and maintain audit logs of deletion activities support this balance more effectively than manual processes that rely on staff remembering when to delete data.

For more detailed guidance on POPIA compliance when handling credit data, including security requirements, data processing agreements, and cross-border transfer rules, see our comprehensive guide.

Simplify Your Record-Keeping

The National Credit Act requires credit providers and debt counsellors to maintain adequate records of all credit agreements, assessments, and related communications. These records must be kept in a manner that allows retrieval and verification, and they must be retained for prescribed periods. Yet many firms struggle to meet these obligations because records are scattered across systems, stored inconsistently, or lost entirely when staff leave or systems change.

Building record-keeping into your assessment process turns compliance from a reactive burden into a natural outcome of good operations. When every bureau pull, every calculation, and every decision is recorded automatically in a centralised system, records become a by-product of operations rather than a separate administrative task. This systematic approach reduces effort, eliminates gaps, and produces regulator-ready records that support both compliance and defensible decision-making.

Get in touch to book a demo and see how centralised, searchable records and automated documentation support your NCA record-keeping obligations.