Chain of Custody: Definition and Use in Compliance
Chain of custody is a regulatory and forensic discipline that documents the complete, chronological sequence of possession, transfer, and handling of evidence, preserving its integrity for use in legal proceedings and regulatory examinations.
What is Chain of Custody?
Chain of custody is the documented, unbroken record of who collected, stored, transferred, and analyzed a piece of evidence. In financial crime compliance, it establishes that transaction data, account records, and investigation files presented to regulators or courts have not been altered since they were first collected.
The concept matters most when detection leads to prosecution. A bank's transaction monitoring system flags a pattern. An analyst escalates it to a case. The Money Laundering Reporting Officer (MLRO) files a Suspicious Activity Report (SAR). Law enforcement opens an investigation. At each handoff, the chain of custody must hold. If defense counsel can show that records were accessed without logging, or transferred without documentation, they can argue the evidence was tampered with or corrupted after the fact.
Courts apply this standard consistently. In United States v. Lott (6th Circuit, 2002), the court established that authentication requires evidence of who collected the data and how it was handled, not just the data itself. Financial institutions producing records in response to subpoenas face exactly the same burden.
The chain applies to physical documents and digital records equally. For digital assets, custody documentation typically involves forensic hash verification, access logs, and timestamped audit entries. A SHA-256 hash computed at collection time and verified at production gives a court a mathematically verifiable proof that no bits changed between those two points.
One important distinction: chain of custody covers the journey of evidence. Data quality and completeness are separate problems. A perfectly preserved chain doesn't fix corrupt source data; it only proves the data wasn't changed after collection. Both issues need fixing, and they're fixed differently.
Most compliance teams think about this retrospectively, after a regulator requests records. The more defensible approach is building custody documentation into the investigation workflow from the start, when it's cheap and systematic rather than expensive and reconstructed under pressure.
How is Chain of Custody Used in Practice?
The daily mechanics of chain of custody are straightforward. The failure mode is cultural, not technical.
When a compliance analyst opens a case in response to an alert, the case management system timestamps the creation, the assigned analyst, and the source alert ID. Every subsequent action inside the case (pulling a statement, querying a third-party database, adding a note, attaching a document) is logged with user ID and timestamp. When the analyst escalates or closes the case, that transition creates its own record. Teams using shared logins break this chain immediately: there is no way to attribute any individual action to any individual person.
For SAR filings, the custody record extends beyond the SAR itself. The data used to write the narrative must be traceable: which transactions were pulled, from which systems, on which dates, by whom. If law enforcement subpoenas the underlying records two years after filing, the bank needs to produce the full evidence package, not reconstruct it.
Enhanced Due Diligence (EDD) files for high-risk clients present a longer-horizon challenge. Documentation on a Politically Exposed Person (PEP) or high-risk corporate entity accumulates over years. A regulator examining the file needs to see who collected each document, when, and whether it came from a credible source. A document labeled "passport copy" with no log of how it was obtained is a custody gap. It doesn't prove the passport is fake; it means the institution can't prove it wasn't modified.
The practical tools are well established: write-protected archive storage, database query logs with user attribution, version-controlled document repositories, and case platforms that timestamp every event. Some institutions apply cryptographic hashes to key records at ingestion and store the hash separately. Any subsequent alteration produces a detectable mismatch.
The discipline is straightforward. It's not the infrastructure that fails; it's the habit of treating record-keeping as overhead rather than as the foundation of a defensible investigation.
Chain of Custody in Regulatory Context
Regulators don't use the phrase "chain of custody" as often as courts do, but the underlying requirement is embedded in several major frameworks, and enforcement patterns make the expectation clear.
FATF Recommendation 11 requires financial institutions to maintain comprehensive records of transactions and customer identification data for at least five years, in a form that can be retrieved and used as evidence in financial crime investigations. The phrase "used as evidence" carries real weight. Records that exist but can't be authenticated because their handling was undocumented don't satisfy the standard. The full FATF Recommendations text is the authoritative international reference.
The US Bank Secrecy Act and FinCEN's implementing regulations under 31 CFR Part 1020 require banks to maintain wire transfer records, currency transaction documentation, and customer identification in retrievable formats. FinCEN examination manuals address whether records are "accurate, complete, and accessible," and accessibility explicitly includes producing records in a form that courts will accept.
The Sixth Anti-Money Laundering Directive (6AMLD) extended record-keeping obligations across EU member states to support criminal proceedings arising from money laundering predicate offenses. Member states must ensure financial institutions can support prosecutions with traceable records.
For AI-driven detection systems, the custody challenge is newer and less settled. When an autonomous system generates an alert that leads to a SAR filing, regulators want to see the full decision trail: what data was ingested, what model version ran, what thresholds triggered the output, and who reviewed it. The explainability of the AI decision is part of the custody record.
The FCA has been explicit on this point. Its Financial Crime Guide and multi-firm reviews of transaction monitoring systems both address the expectation that firms can explain, reconstruct, and document AI-driven decisions to the same standard as manual analyst decisions. Custody extends to model inputs, model version, and decision output, alongside the resulting case file. Firms that can produce only the case file, but not the model decision trail behind it, have a custody gap regulators will pursue.
Common Challenges and How to Address Them
The most common failure is fragmented tooling. An analyst pulls transaction data from a core banking system, exports it to a spreadsheet, adds notes in an email thread, then pastes conclusions into a case management system. At each transfer, the connection between source data and final conclusion weakens. By the time the case reaches a regulator or prosecutor, reconstructing the original data trail is difficult or impossible.
Siloed systems are the structural cause. Core banking, sanctions screening, customer due diligence (CDD) platforms, and case management tools rarely share a common audit log. Each system maintains its own records, and the handoffs between them go undocumented.
Three approaches address most custody gaps:
Source attribution at ingestion. Every piece of data entering a case should carry metadata: source system, extraction timestamp, extracting user ID. Modern case platforms can enforce this automatically at ingestion, rather than relying on analysts to add it manually.
Immutable storage for investigation records. Records identified as evidence should be written to tamper-evident storage with cryptographic verification. WORM storage is the established standard; cloud object locks with legal hold settings provide an equivalent.
Automated audit trails. Every read, write, and transfer of investigation records should be logged without requiring analyst action. Systems that depend on manual documentation will have gaps, because people forget, especially under workload pressure.
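The three approaches above, together with the hash-at-ingestion, verify-at-production practice described earlier, can be shown in a small custody log. This is an added illustration, not code from the page or from any vendor; the record and the user, system and timestamp values are constructed, and the hash-chaining of log events is one way to make the log itself tamper-evident.

```python
import hashlib
import json
# Constructed sample: a transaction record as exported from a core banking system.
WIRE_RECORD = b'{"txn_id":"WT-0001","amount":"9800.00","currency":"USD","originator":"ACME LLC"}'

def event_digest(event: dict) -> str:
    # Canonical JSON of every field except the event's own hash.
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only custody events; each embeds the previous event's hash, so
    editing or deleting an earlier entry after the fact breaks the chain."""
    def __init__(self):
        self.events = []
    def _append(self, event):
        event["prev_hash"] = self.events[-1]["event_hash"] if self.events else "0" * 64
        event["event_hash"] = event_digest(event)
        self.events.append(event)
        return event
    def ingest(self, record_id, content, source_system, user_id, timestamp):
        """Source attribution at ingestion plus the SHA-256 of the record as collected."""
        h = hashlib.sha256(content).hexdigest()
        return self._append({"action": "ingest", "record_id": record_id, "source_system": source_system,
                             "user_id": user_id, "timestamp": timestamp, "content_sha256": h})
    def transfer(self, record_id, from_user, to_user, timestamp):
        """Every handoff is a custody event in its own right."""
        return self._append({"action": "transfer", "record_id": record_id,
                             "from_user": from_user, "to_user": to_user, "timestamp": timestamp})
    def chain_intact(self):
        """True if every event still hashes to its recorded value and links to its predecessor."""
        prev = "0" * 64
        for e in self.events:
            if e["prev_hash"] != prev or event_digest(e) != e["event_hash"]:
                return False
            prev = e["event_hash"]
        return True
    def verify_production(self, record_id, content):
        """At production: bytes must match the ingestion hash and the log must be unbroken."""
        if not self.chain_intact():
            return False, "custody log altered"
        ingest = next((e for e in self.events
                       if e["action"] == "ingest" and e["record_id"] == record_id), None)
        if ingest is None:
            return False, "no ingestion record"
        if hashlib.sha256(content).hexdigest() != ingest["content_sha256"]:
            return False, "content hash mismatch"
        return True, "ok"
```

Chaining detects edits to or deletions of earlier events, but not removal of the most recent ones; that is why the latest event hash (or the record hashes themselves) should be stored separately from the log, as the text recommends.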
Access control is a fourth issue. If ten analysts can open a case file without individual log entries, defense counsel can argue any of them could have altered the record. Role-based access with individual user attribution is the minimum required standard.
The most practical discipline is running periodic mock productions before a real request arrives. Simulate a regulatory document request or subpoena, try to produce the full evidence package, and identify the gaps while there's time to close them. Institutions that discover custody problems during actual enforcement actions have no good options left.
Related Terms and Concepts
Chain of custody intersects with several adjacent concepts that compliance teams sometimes treat as interchangeable. The distinctions matter in enforcement contexts.
An audit trail records system events broadly: logins, configuration changes, queries, data modifications. Chain of custody is a purposeful subset with legal accountability attached. It tracks the handling of evidence in an investigation context specifically. Every custody record should appear in the audit trail, but the audit trail contains far more than investigation records. Producing an audit trail in response to a subpoena is not the same as producing a custody record.
Data lineage documents how data transforms as it moves through processing pipelines. It answers: where did this value come from, what transformations were applied, and what is its current form? Chain of custody uses lineage information but adds accountability: not just what happened to data, but who was responsible for it at each stage and under what authority they acted.
WORM storage is the technical implementation most commonly used to enforce custody integrity at the storage layer. Write Once Read Many architecture prevents modification of stored records. It doesn't replace custody documentation; it's one implementation component that makes documentation credible.
Model validation and model monitoring are directly relevant for AI-generated evidence. If a detection model produced the alert that started an investigation, regulators expect documentation of the model's version, training data provenance, and validation status at the time the decision was made. Without this, the model's output has no provable custody record behind it.
Finally, custody intersects with data residency requirements. Cross-border investigations frequently involve records stored across multiple jurisdictions, each with different retention and production rules. GDPR's data transfer restrictions can create genuine conflicts with US discovery obligations. Institutions operating across borders need a legal framework for producing custody records in each jurisdiction without violating the laws of the others. This is a real operational problem, not a theoretical one. Several major enforcement actions have stalled because institutions couldn't produce records from EU subsidiaries without triggering GDPR liability.
Getting these distinctions right before enforcement arrives is the entire point.
Where does the term come from?
The phrase comes from common law evidentiary standards. English courts developed the doctrine in the 18th century to distinguish authentic documents from forgeries, establishing that any item admitted as evidence must be traceable from origin to courtroom. The modern financial compliance application grew through the US Bank Secrecy Act of 1970 and its implementing regulations, which required financial institutions to retain records in retrievable, unaltered form. FATF Recommendation 11, first adopted in 1990 and revised most recently in 2023, formalized the expectation internationally, requiring five-year retention of transaction records in a form usable as evidence in financial crime investigations. Digital forensics added hash verification and access logs to the traditional paper-trail requirements.
How FluxForce handles chain of custody
FluxForce AI agents monitor chain of custody-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.