Guidewire compliance archive for the full P&C retention stack: 50 state insurance commissioners, NAIC Model Audit Rule, HIPAA workers-comp, GDPR, SOX, reinsurance treaty audit horizons. Per-jurisdiction retention enforcement, chain-of-custody, exam-response packs ready.
P&C insurance retention obligations are not one rule — they're a stack of overlapping rules from state commissioners, NAIC, HIPAA, GDPR, SOX, reinsurance treaties and litigation tolling. Every record has to satisfy ALL of them simultaneously.
Start with state insurance commissioners. Every state has its own retention rule: New York Reg 152 says 6 years post-policy-end. California CCR Title 10 §2695.4 says 5 years. Texas 28 TAC §21.203 says 10 years on both policy and claim files. Florida FL Statute 626.748 says 5 years post-claim-closure. Pennsylvania, Illinois, Michigan, Ohio, New Jersey, Georgia, Massachusetts and 40+ other states each have their own variants. A multi-state P&C insurer therefore runs 50+ retention clocks simultaneously, each tied to the state where the policy was issued and the loss occurred.
Add the federal layer. NAIC Model Audit Rule (MAR) requires 7-year audit trail of financial records including statutory filings, Schedule P loss reserves and the SAO actuarial opinion. HIPAA covers workers-comp medical records with indefinite retention obligations for some categories and minimum-necessary access controls throughout. GDPR covers EU policyholders (a real concern for global P&C carriers) with 6-year typical retention plus data-subject-access rights. SOX adds 7-year retention of financial records.
Add reinsurance. Treaty reinsurers (Munich Re, Swiss Re, Hannover Re and dozens of others) routinely audit ceded premium and recovery history on 10-30+ year horizons, especially for long-tail liability lines. Facultative placements and captive reviews follow the same audit pattern. Add litigation: an adverse claim outcome triggers legal hold that extends retention indefinitely until the hold is released. State statute-of-limitations on the underlying loss event practically extends retention further.
The Syntra ETL guidewire compliance archive captures every record and every attachment, tags each with applicable state(s), runs per-jurisdiction retention clocks independently, enforces HIPAA / GDPR / SIU / legal-hold RBAC, and emits immutable chain-of-custody evidence. Every audit, exam and discovery request resolves against the same archive — not a manual reconstruction project.
What the platform ships pre-built. Built specifically for the overlapping P&C retention stack.
50-state retention rules baked in. Every record tagged with applicable state(s) and clock-start date. Per-jurisdiction enforcement — records can't be deleted until every applicable clock has expired.
7-year financial trail for statutory filings, Schedule P substantiation, Schedule F reinsurance trail, SAO actuarial opinion supporting detail — queryable from the archive.
HIPAA-trained role flags gate medical-record access. Every retrieval logged for chain-of-custody. Breach-response queries (who accessed what when) return in seconds.
Role-based access for EU-protected data, data-subject-access response packs ready, right-to-erasure handled within applicable insurance-retention exceptions.
10-30+ year ceded premium and recovery history per treaty per layer, with cross-references to source policies and claims for full audit drill-down.
Legal-hold flagging extends retention past standard clocks. State SOL profiles applied to claims for proactive litigation-readiness review and tolling-event tracking.
A repeatable workflow that captures the full P&C retention stack with per-jurisdiction enforcement.
Inventory policies and claims by state of issue and state of loss occurrence. Map applicable state retention rules, NAIC MAR scope, HIPAA workers-comp scope, GDPR EU policyholder scope, reinsurance treaty horizons, active litigation/SOL profiles.
Cloud bucket setup under customer-owned encryption keys. Storage-tier strategy (warm/cold/archive). Partition scheme (state / LOB / fiscal year). RBAC roles for HIPAA, GDPR, SIU, legal hold. Retention engine configuration.
Extract every policy, claim, reserve, payment, recovery, reinsurance cession and attachment from Guidewire via CDA / Cloud API / on-prem JDBC. Hash-signed Parquet staged with applicable-state tags and clock-start dates.
Record counts vs source InsuranceSuite per state per LOB, sum totals (premium, paid-loss, ceded), attachment counts and hash signatures verified. Sign-off pack signed by statutory accounting, actuarial, compliance and reinsurance leads.
Per-state retention clocks activated. NAIC MAR trail validated. HIPAA / GDPR / SIU / legal-hold RBAC enabled. SOL tolling profiles applied. First exam-response pack rehearsed end-to-end.
Scheduled incremental archive of newly-closed policies and claims. Every read access logged. Periodic audit walkthrough confirms retention compliance. Exam, audit and discovery requests resolved from the archive.
Auditors want math they can verify. The archive emits multiple layers of immutable evidence.
Every record hash-signed at extraction. Hashes preserved through archive lifecycle. Auditors can verify integrity independently against original Guidewire source via signed manifest.
Every applicable state retention clock with clock-start date, expected clock-end date and current status. Per-jurisdiction enforcement verifiable per record.
Every query and every retrieval logged immutably with user identity / timestamp / data classification / returned record count. Queryable by compliance for HIPAA / GDPR / SOX / SIU audit.
Random-sample policy/claim retrieval for state-commissioner data calls, packaged with structured data + attachments + access log as signed evidence bundle for examiner delivery.
Legal-hold events logged with start, status and release. State SOL profiles applied to claims with tolling-event tracking. Litigation-readiness reports queryable on demand.
Schedule P loss reserve trail, Schedule F reinsurance trail, SAO actuarial opinion supporting detail — all queryable from the archive for NAIC MAR examiner drill-down.
Guidewire compliance archive is a retention-policy-managed archive of Guidewire InsuranceSuite policy, billing and claims data that satisfies the full stack of P&C insurance regulatory retention obligations. Those obligations are stacked: state insurance commissioner rules (5-30+ years, every state different), NAIC Model Audit Rule (7-year financial trail), HIPAA (workers-comp medical records, indefinite for protected records), GDPR (EU policyholder data, 6-year typical), SOX (7-year financial records), reinsurance treaty audit horizons (10-30+ years for long-tail liability), and state statute-of-limitations on claims (which can extend the practical retention horizon further). Syntra ETL's guidewire compliance archive captures every record and every attachment with per-jurisdiction retention enforcement, chain-of-custody logging and queryable evidence packs for examiners and auditors.
All 50 states plus DC, plus US territories with insurance regulators. Examples of the common ones: New York Reg 152 requires 6 years post-policy-end for most lines plus longer for workers comp. California CCR Title 10 §2695.4 requires 5 years for most lines. Texas 28 TAC §21.203 requires 10 years on both policy and claim files. Florida FL Statute 626.748 requires 5 years post-claim-closure. Pennsylvania, Illinois, Michigan, Ohio and other large-population states each have their own variants. Workers comp lines add HIPAA-grade medical-record retention. Long-tail liability (asbestos, environmental, professional liability) practically extends retention 30+ years because the statute of limitations on the underlying loss event hasn't expired. The compliance archive tags every record with its applicable state(s) and runs the retention clocks independently.
The NAIC Model Audit Rule (MAR) requires P&C insurers to maintain a 7-year audit trail of financial records supporting statutory filings including the annual statement, Schedule P loss reserves, Schedule F reinsurance and the SAO actuarial opinion. The guidewire compliance archive captures the full chain: premium ledger from PolicyCenter, paid-loss ledger from ClaimCenter, ceded premium and recovery from reinsurance integrations, plus every reserve change (case + IBNR) underpinning Schedule P. Every record is hash-signed and timestamped. When the NAIC MAR examiner traces a Schedule P number back through the supporting detail, the chain resolves in queries against the archive — not a manual reconstruction.
Yes. Workers-comp claims routinely contain HIPAA-protected medical information: treatment notes, IME (independent medical examination) reports, prescription history, surgical records, return-to-work assessments, disability ratings. HIPAA requires minimum-necessary access, role-based access control, chain-of-custody on every access, and breach-response capabilities. The guidewire compliance archive enforces all of these at the query level: HIPAA-protected medical records are gated by HIPAA-trained role flags, every retrieval is logged immutably with user identity / timestamp / business purpose, and breach-response queries (e.g., 'who accessed this claimant's medical records in the last 6 months?') return in seconds. The same controls apply to GDPR-protected EU policyholder data.
Reinsurance audits — from treaty reinsurers like Munich Re or Swiss Re, facultative placements, or captive reviews — typically run on 10-30+ year audit horizons for long-tail liability lines. The audit requires ceded premium and recovery history per treaty per layer, plus traceability from a ceded premium amount back to the source policy and from a ceded recovery back to the source claim. The compliance archive preserves the full reinsurance chain: treaty definitions, layer attachments, facultative placements, cession history, recovery history, bordereaux extracts, plus the cross-references to source policies and claims. Reinsurance audit response time drops from quarter-long reconstruction projects to single-day query packs.
Multiple evidence layers. Every record carries a hash signature, source-system identifier and extraction timestamp — immutable proof of capture. Every state retention clock-start date is recorded so per-jurisdiction enforcement is verifiable. Every read access is logged immutably with user identity / timestamp / query parameters / returned record count / data classification. Sign-off packs for the initial archive build and ongoing incremental archive captures are signed by statutory accounting, actuarial, claims, compliance and reinsurance leads. Exam-response packs bundle the requested records plus attachments plus the access log as a signed evidence bundle. Auditors get math they can verify — not vendor claims they have to trust.
Yes. Legal hold and litigation discovery are critical for P&C insurers because adverse claim outcomes routinely trigger litigation, and litigation extends retention obligations beyond standard state-commissioner rules. The compliance archive supports legal-hold flagging at the policy, claim and attachment level — flagged data is preserved past its standard retention clock until the legal hold is released. Discovery queries (e.g., 'all documents touching this claim and this opposing party across the case timeline') return packaged evidence bundles with full chain-of-custody for the litigation file. Bates numbering and discovery-export formats are supported for opposing counsel delivery.
State statute-of-limitations (SOL) on the underlying loss event practically extends compliance retention horizons. A New York property claim closed in 2020 might face SOL tolling that keeps it auditable until 2026 or beyond. A Texas workers-comp claim might face indefinite SOL on certain medical conditions. The compliance archive tags every claim with its applicable state SOL profile and applies tolling rules where applicable, ensuring records aren't deleted while litigation risk remains. Compliance teams can query 'all claims still within SOL window for state X' and 'all claims with active tolling events' for proactive litigation-readiness reviews.
Book a 30-minute working session. We'll inventory your retention exposure across 50 state commissioners + NAIC MAR + HIPAA + GDPR + SOX + reinsurance + litigation, walk through the per-jurisdiction retention engine, and quote a compliance-grade archive that satisfies every overlapping rule.