OnComply
Back to Blog
ComplianceMarch 8, 2026·4 min read

How Long Should You Retain Vendor Compliance Documents?

Retention requirements for W-9s, COIs, contracts, ACH authorizations, and other vendor documents — by document type and legal framework.

Document retention is not a glamorous topic, but it is a practical necessity. Keeping documents longer than required wastes storage and increases privacy liability. Destroying documents too early eliminates evidence you may need for a dispute or an audit.

This guide covers how long to retain the key vendor compliance documents and the legal frameworks that drive those requirements.

W-9 and 1099 Tax Documents

Retention period: 7 years minimum.

The IRS can audit returns for three years for ordinary errors, six years if there is a substantial understatement of income (more than 25%), and indefinitely for fraud. The safe harbor for tax records is seven years from the date of filing.

W-9s feed into 1099 filings. Keep the W-9 for at least seven years after the last 1099 filed using that taxpayer information.

Also retain:

  • 1099-NEC copies filed with the IRS
  • Evidence of TIN matching requests
  • Any backup withholding records

Certificates of Insurance

Retention period: Duration of vendor relationship plus 7 years.

The reason for the extended retention is the long-tail nature of insurance claims. A general liability claim arising from work performed five years ago may surface after the vendor relationship ended and after the specific COI expired. You need to be able to show that the vendor had coverage at the time of the work.

For construction work, retain COIs for the duration of the applicable statute of limitations for construction defects — which in some states is 10 years or more. Consult with legal counsel for high-risk construction projects.

Vendor Contracts

Retention period: Duration of contract plus the applicable statute of limitations for contract disputes.

Most states have a 3–6 year statute of limitations for breach of contract claims. Some states have longer periods for written contracts. A practical general rule: retain contracts for 7 years after the contract ends.

For contracts involving real property, intellectual property, or ongoing obligations (like licensing agreements or ongoing service commitments), the retention period may be indefinite or tied to the term of the underlying obligation.

ACH Authorization Forms

NACHA requirement: Duration of authorization plus 2 years.

NACHA requires you to retain ACH authorization records for two years after the authorization is revoked or the authorization is no longer in use. Given the potential for disputes, keeping them for 5–7 years is reasonable.

Also retain records of any changes to banking information — when the change was made, by whom, and the new authorization form.

Professional and Business License Records

Retention period: Duration of vendor relationship plus 3 years.

License records are primarily relevant if a dispute arises about whether the vendor was properly licensed to perform the work they performed. The statute of limitations for most relevant disputes is 2–4 years, so 3 years post-relationship is a reasonable floor.

For construction and professional services, consider longer retention — claims can arise years after work is completed.

Employment and Independent Contractor Records

IRS requirement: 4 years for employment tax records.

State unemployment and workers' comp records: Varies by state, 5–7 years is typical.

For independent contractor records specifically, retain all documentation of the classification decision, the IC agreement, evidence of the independent nature of the relationship, and payment records for at least 4 years. Worker misclassification audits often look back 3–5 years.

Building a Retention Policy

A document retention policy accomplishes two things: it ensures you keep what you need, and it provides legal cover for destroying what you do not.

A company that retains documents indefinitely can be compelled to produce years of historical records in litigation. Systematic, policy-driven destruction of documents after their retention period ends is legally defensible. Ad hoc destruction of documents when litigation is threatened (or after the retention period if you had reason to anticipate litigation) is not.

Elements of a practical retention policy:

  1. Document categories and their retention periods, aligned to legal requirements
  2. Responsible parties for each category
  3. Destruction procedures — how documents are destroyed at the end of the retention period (and how electronic records are deleted)
  4. Litigation hold procedures — how the normal destruction schedule is paused when litigation or regulatory investigation is reasonably anticipated

Review your retention policy annually or whenever the legal landscape in your industry changes.

All posts
Start Free TrialBook Demo
W-9 CollectionCOI TrackingACH AuthorizationDocument Fill & SignAutomated ValidationRenewal RemindersCan-Work / Can-Pay ControlsVendor PortalCompliance DashboardWebhook IntegrationsEligibility APIAudit-Ready ExportsLicense TrackingGrace Period ManagementCustom FormsW-9 CollectionCOI TrackingACH AuthorizationDocument Fill & SignAutomated ValidationRenewal RemindersCan-Work / Can-Pay ControlsVendor PortalCompliance DashboardWebhook IntegrationsEligibility APIAudit-Ready ExportsLicense TrackingGrace Period ManagementCustom Forms