CICC Bylaw 6.3 in 2 minutes — what your file retention policy needs to actually say

CICC Bylaw 6.3 is the rule that governs how Canadian Regulated Immigration Consultants handle records. If you've skimmed it, you know the seven-year retention requirement. If you haven't, this post is the distilled version — and the honest account of how AnyImmi enforces it so you don't have to think about it every time your assistant “cleans up” a case folder.

What Bylaw 6.3 actually says

The rule, stripped to its operational core:

• A record of every client matter must be maintained.
• That record must include: retainer agreement, correspondence, forms submitted to IRCC, invoices, trust transactions, and any advice given.
• Records must be kept for a minimum of 7 years from the date the matter closes. Trust records are 10 years.
• Records must be produced on request by the CICC, by the client, or by a successor practitioner.
• The practitioner is personally responsible for the records — even if the firm dissolves, even if the cloud provider changes hands.

The three failure modes we see

In the firms we've audited, 6.3 breaches almost always come from one of three places:

1. Records exist, but nobody can find them

A former paralegal had folders named by their own convention. Two tools ago, cases were stored in a now-decommissioned Dropbox. The retainer PDF was emailed but never saved. When a complaint lands in 2028 for work done in 2021, the records are technically “on a hard drive in a closet”, which is not the answer you want to give a CICC investigator.

2. Records were edited after the fact

This is the one that causes complaints to escalate. A client disputes what was said. Staff opens the notes in the CRM and “clarifies” what happened. The timestamp now shows the update, but the CRM happily overwrote the original text. If the CICC pulls the audit log, it will see the edit — and at that point, the dispute is about the edit, not the original advice.

3. Trust records got dropped into operating

The bookkeeper used the wrong bank account for a month. The reconciliation caught it. The corrective entries are in the GL. But the trust register doesn't match the bank for that month, and nobody documented why. In an investigation, the gap becomes the story.

How AnyImmi enforces 6.3 at the database layer

We designed the 7-year retention and audit log to not depend on staff discipline. Here are the specifics:

• The audit log is append-only. A Postgres constraint denies UPDATE and DELETE on the audit_log table. Even a database administrator with the wrong role cannot tamper with it silently. Partitioned by month for query performance, 7-year minimum retention, 10-year retention for trust-related events.
• Notes and activities are revision-tracked. When staff edit a case note, the previous version is preserved with the edit timestamp, the editor, and the reason field (if provided). No silent overwrites.
• Trust transactions are immutable. Once a trust ledger entry posts, it can only be reversed with a new entry, not edited. The reconciliation always reflects real movement.
• File deletions are soft. A document “deleted” from the case UI moves to a tombstone table with a 7-year TTL. If someone accidentally removes a retainer, the original is still retrievable.
• Export is first-class. You can download a full case bundle — documents, notes, emails, forms, billing, audit log — as a ZIP on demand. Cancel your account tomorrow, and the same export is the handover package to a successor RCIC.

What you still have to do

The platform can enforce storage. It cannot enforce practice hygiene. The two things we still ask every customer to commit to:

• Log advice in the case notes. Verbal advice given on a phone call should have a brief written record in the case. AnyImmi doesn't record calls — you decide what gets written down. If advice was given and nothing was logged, the platform cannot prove it.
• Keep the retainer current. If scope changes mid-matter, a fresh retainer or an amendment is required. AnyImmi will remind you via the case Reminders tab if you add a billable service that sits outside the current retainer scope.

What this means on day-to-day practice

Bylaw 6.3 should not be something you think about every week. The point of a purpose-built CRM is that compliance is a property of the system, not a task on your list. Retainer signed before work starts, trust transactions immutable, audit log append-only, exports on demand — those properties are either true or they aren't. On AnyImmi they are.

If you want a longer walkthrough, book a trust-focused demo — we'll run through the reconciliation + audit log in detail with your operations lead.