A client calls to say they’re moving their assets to another advisor. You wish them well, maybe send a final invoice, and close out their folder. Done, right?

Not quite. That moment - the one most firms treat as an administrative footnote - is actually one of the highest-compliance-risk events in your client lifecycle. And most boutique financial firms have no documented process for handling it.

The Problem: Onboarding Gets the Playbook, Offboarding Gets Nothing

Ask any registered investment advisor (RIA) or independent financial planner how they bring on a new client, and you’ll hear a detailed answer. KYC documentation, investment policy statements, signed agreements, portal access setup - there’s a system.

Ask the same firm what happens to that client’s data when the relationship ends, and the answer usually sounds like: “We delete the folder and archive what we need to keep.”

That’s not a compliance process. That’s a guess.

The problem runs deeper than one deleted folder. Over the course of a typical client relationship, your firm accumulates a significant amount of sensitive information - tax returns, estate planning documents, account statements, email correspondence, financial plans, beneficiary designations, and notes from every review meeting. That data lives in multiple places: your CRM, a cloud document portal, a financial planning platform, shared drives, and quite possibly an inbox or two.

When a client departs, all of those data locations need to be addressed. Access needs to be revoked. Retention timelines need to be applied. Destruction needs to be documented. And in some cases, clients have the right to receive a copy of their own records before you delete anything.

Most firms skip every one of these steps. That’s the gap.

Why This Matters for Financial Advisory Firms

Financial advisors aren’t operating in a compliance vacuum when a client walks out the door. Several regulatory frameworks have direct things to say about what you’re required to do - or prohibited from doing - with a former client’s personal financial information.

SEC Regulation S-P (the Securities and Exchange Commission’s privacy rule) requires firms to have written policies and procedures governing the protection and disposal of customer records and information. The 2024 amendments to Reg S-P strengthened these requirements significantly, including new obligations around incident response and expanded coverage of customer information. The rule applies to broker-dealers, investment companies, and SEC-registered investment advisers alike.

FINRA Rule 4370 and associated recordkeeping rules require broker-dealers to maintain certain business continuity and records management practices - which extends to how customer records are handled when a client relationship terminates.

State privacy laws add another layer. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents the right to request deletion of their personal information. For a Bay Area financial advisory firm, that’s not a hypothetical - it’s something a departing client can actually invoke. Other states including Colorado, Virginia, and Connecticut have enacted similar frameworks.

Fail to handle this correctly, and you’re looking at regulatory examination findings, potential fines, and reputational exposure that small firms can’t absorb easily.

How to Build a Defensible Client Offboarding Process

The goal isn’t bureaucracy. It’s a repeatable workflow that protects your firm and treats the departing client’s data with the same seriousness you gave it on day one.

Start with a data inventory. Before you can offboard a client’s data properly, you need to know where it lives. For most boutique firms, that means at minimum: your CRM (Redtail, Wealthbox, Salesforce, etc.), a document management or portal system (Orion, eMoney, Box, ShareFile), financial planning software (MoneyGuidePro, RightCapital, ePlanning), shared network drives or cloud storage, and email archives.

Walk through each system for every departing client. Don’t assume the folder you deleted on the shared drive is the only copy.

Apply retention schedules by data type. This is where “just delete it” breaks down. Not everything can be deleted at departure - and some things must be deleted or destroyed within a specific timeframe.

  • Books and records under SEC Rule 17a-4: Five years minimum for most correspondence and account records, first two years in an easily accessible location.
  • FINRA recordkeeping requirements: Vary by record type; some extend to six years.
  • Tax-related documents: Often retained seven years to align with IRS audit windows.
  • Financial planning documents: No universal federal mandate, but state regulations and firm E&O insurance policies often drive seven-year minimums.

Consult your compliance consultant or broker-dealer to finalize the schedule for your specific business model.

Revoke access - all of it. This step is the one most commonly skipped. Access revocation means more than closing the client’s portal login. It means:

  • Removing their permissions in shared folder structures
  • Disabling any direct integrations or linked accounts in planning tools
  • Checking your CRM to ensure no active workflows, reminders, or marketing sequences still reference them
  • Confirming that third-party data aggregators (Plaid, Yodlee, etc.) no longer have authorization to pull their account data

Set a 48-hour window as your standard for completing access revocation after a client departure is confirmed.

Document the destruction. When it’s time to delete or destroy records at the end of their retention period, document that it happened. A simple log entry - what was destroyed, when, by whom, and by what method - is usually sufficient. For paper records, that means a certificate of destruction from a shredding service.

Build the one-page checklist. Take the above steps and turn them into a literal checkbox document. One row per system, one column for “access revoked,” one for “retention period noted,” one for “scheduled destruction date.” File it in the client’s departing record. Your next regulatory examination will thank you.

What to Look for in an IT Partner

Your IT provider should be a meaningful part of this process - not just the people you call when the printer breaks.

When evaluating whether your current or prospective managed IT services partner can support client offboarding compliance, ask:

  • Can they produce an inventory of every system that holds client data, including cloud applications?
  • Do they have a process for revoking user and client access across all integrated platforms simultaneously, not just Active Directory?
  • Can they support documented, auditable data destruction workflows - not just deletion, but verified destruction with a paper trail?
  • Do they understand the recordkeeping obligations that apply to RIAs and broker-dealers, or will you have to explain it every time?
  • Have they worked with financial advisory firms specifically, or do they primarily serve general business clients?

The answers will tell you quickly whether your IT partner sees compliance as part of their job or yours alone.

The Bottom Line

Client offboarding is a compliance event, not just an administrative one. SEC Regulation S-P, FINRA recordkeeping rules, and state privacy laws all create real obligations around how you handle a departing client’s data. A one-page checklist - built around a complete data inventory, differentiated retention schedules, thorough access revocation, and documented destruction - is all it takes to move from guessing to governing.


Frequently Asked Questions

How long does an RIA have to keep records after a client relationship ends?

SEC Rule 17a-4 requires most client-related records to be retained for at least five years, with the first two years in an easily accessible location. Some FINRA rules extend specific record types to six years. Firms should also factor in state law requirements and their own E&O insurance policy terms, which often push retention to seven years for financial planning documents.

Can a former client request that a financial advisor delete their personal information?

Under the CCPA as amended by the CPRA, California residents can request deletion of their personal information. However, financial firms can decline deletion requests for records they’re legally required to retain under federal securities law - the right to delete doesn’t override federal recordkeeping mandates. Firms should have a written process for evaluating and responding to these requests.

What does SEC Regulation S-P require when a client relationship ends?

Regulation S-P requires SEC-registered investment advisers to maintain written policies and procedures for the protection and proper disposal of customer records and information. This includes ensuring that nonpublic personal information is safeguarded and that disposal methods - whether physical or electronic - prevent unauthorized access. The 2024 amendments expanded these obligations and added incident response requirements.

What’s the risk of not having a documented client data offboarding process?

The risks are regulatory, legal, and operational. Regulators can cite you for failing to maintain adequate policies and procedures around customer data - even if no breach occurred. A former client who discovers their data was mishandled could file a complaint or civil claim. And operationally, data left in active systems after a client departs creates unnecessary exposure if a breach or unauthorized access happens down the line.

If you’re working through client data offboarding compliance at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.