Chain of Custody: Definition and Use in Compliance
Chain of Custody is a regulatory and legal standard that documents the chronological sequence of custody, control, transfer, and handling of evidence from the moment of collection through final use in a regulatory examination or legal proceeding.
What is Chain of Custody?
Chain of Custody is the documented, unbroken record of who controlled, transferred, or examined a piece of evidence from its point of origin through to its final use in a regulatory proceeding or court of law. Every step in that sequence is logged, timestamped, and attributable to a specific person or system.
In financial crime compliance, the evidence is rarely physical. It's a transaction export, a Suspicious Activity Report (SAR) filing package, a screenshot from a digital wallet, or a customer identification document set. What matters is that each item can be shown to be authentic, unaltered, and accessed only by authorized parties since the moment it was generated.
The concept comes from criminal law. Courts required proof that physical evidence hadn't been tampered with between collection and trial. A gap in documentation was enough to exclude the item entirely. Financial regulators imported this logic into AML/CFT record-keeping frameworks.
The result is that compliance teams carry two responsibilities: retaining records for the required period, and retaining them in a way that proves those records haven't been altered. This second responsibility is where many institutions fall short. Keeping records in an editable document management system is not chain of custody. Keeping them in an append-only, access-logged vault with cryptographic integrity checks is. Both approaches technically retain the files. Only one can defend them in an enforcement action.
Chain of custody is also directional. You need to show not just who accessed a record, but that they had authorization to do so, and that the access was logged at the time, not reconstructed from memory afterward. When regulators find gaps in documentation, they don't always assume wrongdoing. But they do assume the firm's controls failed, and that's enough for a finding.
The concept applies with equal force to AI-driven processes. If a model recommends a SAR filing or closes a transaction monitoring alert, the model version, input features, and output score are all part of the evidentiary record. Chain of custody for AI decisions is becoming an explicit regulatory expectation, particularly in the EU and UK.
How is Chain of Custody used in practice?
Day-to-day, chain of custody shows up in three places: investigation workflows, exam preparation, and cross-border information sharing.
In investigations, the chain starts the moment a case is opened. Every document added to the case file needs to be tracked: who added it, when, from what system, and whether the original was preserved. Good case management platforms enforce this through append-only logging and version control. If an analyst emails a spreadsheet to a colleague before uploading it to the case system, that handoff creates a gap that's difficult to close afterward. The fix is simple in principle and hard in practice: evidence moves through defined channels with automatic logging at every transfer point, and informal workarounds are a process failure, not a minor inconvenience.
SAR preparation requires its own chain. Once a SAR is submitted to FinCEN or a national FIU, the supporting evidence is frozen. No changes to the file are acceptable after submission. The standard control is a read-only archive or append-only vault. Auditors reviewing SAR files three years later expect to see exactly what analysts saw on the day they submitted.
Exam preparation is the stress test. When a regulator requests documentation of a customer relationship opened in 2020, the compliance team needs the original onboarding file, every subsequent review, and an audit trail showing who opened each document. If the log shows gaps, the examiner can't confirm the records weren't retroactively altered. Even if they weren't, that uncertainty is a finding.
Cross-border cases add one more layer. When a bank in the US receives intelligence from a correspondent in the UK under a 314(b) arrangement, the receipt and handling of that intelligence is itself subject to chain of custody. Who received it? How was it stored? Who accessed it and why? Those answers need to be in the record. We've seen banks lose enforcement credit for good-faith information sharing precisely because they couldn't demonstrate a clean handling chain for the intelligence they received.
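The controls described above (an append-only, access-logged record with cryptographic integrity checks; tracking who added each item, when and from which system; freezing the file once the SAR is submitted; and an access log that can be audited years later) can be reduced to a small hash-chained ledger. The following is an added example, not code from the original article or from any vendor: the CustodyLedger class, the case id CASE-0001, the analyst names and the transaction export are all constructed for illustration, and a real deployment would also persist the ledger itself to immutable storage.

```python
"""Hash-chained, append-only custody ledger for one investigation case file.

Added example, not code from the original article. CustodyLedger, the case id
CASE-0001, the analysts and the transaction export are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainError(Exception):
    """An operation would break the chain (write to a frozen case, unjustified access)."""


class CustodyLedger:
    """Append-only log of custody events; each entry commits to the previous one.

    Editing or deleting any earlier entry changes its hash, which then no longer
    matches the prev_hash the next entry committed to, so verify() flags it.
    """

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []
        self.frozen = False   # set once the SAR is submitted

    def _append(self, event, actor, item_id, **fields):
        if self.frozen and event != "accessed":
            raise ChainError(f"{self.case_id} is frozen after submission; only access may be logged")
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),   # logged at the time, not reconstructed
            "event": event, "actor": actor, "item_id": item_id,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
            **fields,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def add_item(self, item_id, content: bytes, actor, source_system):
        """Log collection: who added it, from which system, and the hash of the original."""
        return self._append("collected", actor, item_id,
                            source_system=source_system, item_hash=sha256_hex(content))

    def record_access(self, item_id, actor, purpose):
        """Every read carries a justification so routine lookups stay distinguishable."""
        if not purpose.strip():
            raise ChainError("access must carry a justification")
        return self._append("accessed", actor, item_id, purpose=purpose)

    def submit(self, actor, reference):
        """Filing freezes the case: nothing but logged access is accepted afterwards."""
        entry = self._append("submitted", actor, "*", reference=reference)
        self.frozen = True
        return entry

    def verify(self, store):
        """Recompute the chain and compare stored items against their collected hashes."""
        problems, prev = [], GENESIS
        for entry in self.entries:
            i = entry["seq"]
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["prev_hash"] != prev:
                problems.append(f"entry {i}: prev_hash mismatch (chain broken)")
            if recomputed != entry["entry_hash"]:
                problems.append(f"entry {i}: entry_hash mismatch (entry altered)")
            if entry["event"] == "collected":
                stored = store.get(entry["item_id"])
                if stored is None:
                    problems.append(f"entry {i}: item {entry['item_id']} missing from store")
                elif sha256_hex(stored) != entry["item_hash"]:
                    problems.append(f"entry {i}: item {entry['item_id']} content differs from collected hash")
            prev = recomputed   # chain on the recomputed value, so a re-hashed edit still breaks the link
        return problems


def demo():
    """Constructed case: collect, review, submit, then detect a post-submission edit."""
    ledger, store = CustodyLedger("CASE-0001"), {}
    store["txn-export"] = b"acct,amount\n12345,9900\n12345,9800\n"
    ledger.add_item("txn-export", store["txn-export"], "a.lee", "tx-monitoring")
    ledger.record_access("txn-export", "b.chen", "second-line review of alert 42")
    ledger.submit("a.lee", "SAR-REF-PLACEHOLDER")
    clean = ledger.verify(store)
    store["txn-export"] = b"acct,amount\n12345,9900\n"   # one row quietly removed after filing
    return clean, ledger.verify(store)
```

Running demo() returns an empty problem list for the untouched case and a single "content differs from collected hash" finding once the export is edited; the same verify() call catches an edited log entry, because the altered entry's hash no longer matches and every later entry's prev_hash link fails with it.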
Chain of Custody in regulatory context
Three regulatory frameworks create chain of custody obligations without using that exact phrase.
FATF Recommendation 11 requires financial institutions to maintain records of transactions for at least five years in a form sufficient to reconstruct individual transactions as evidence. "Sufficient to reconstruct as evidence" is the operative phrase. A record that can be retrieved but can't be proven unaltered doesn't satisfy the standard.
In the US, 31 CFR 1010.430 sets a five-year retention period for BSA-required records. OCC examination procedures for BSA/AML compliance explicitly evaluate whether retained records are complete, accurate, and accessible. Those three attributes are chain of custody in all but name.
The FCA's SYSC 9.1.1R requires firms to retain records in a durable, reproducible medium accessible for supervisory review. In enforcement cases, the FCA has drawn distinctions between firms that retained records and firms that retained records demonstrably unchanged. Only the second category passes muster.
Customer Due Diligence (CDD) files are the most frequently scrutinized in exams. A regulator asking how a high-risk customer was onboarded expects the original identification documents, the risk assessment, the approver sign-off, and a log of subsequent reviews. If any link in that sequence is missing, the finding is a failure of record management, regardless of whether the underlying decisions were sound.
Enforcement cases illustrate the stakes clearly. In January 2021, FinCEN assessed a $390 million penalty against Capital One, citing among other failures a systematic pattern of inadequate record-keeping for SARs and Currency Transaction Reports over a multi-year period. The core problem was that the records couldn't be produced in a format demonstrating their completeness and integrity, not that the records didn't exist at all.
The EU's Sixth Anti-Money Laundering Directive (2018) extended chain of custody expectations to digital evidence and made compliance officers personally liable for failures in record management. That's a material shift. The Money Laundering Reporting Officer now carries personal exposure if the firm's documentation framework fails.
Common challenges and how to address them
Three problems come up consistently.
The first is siloed evidence. A typical mid-size bank might run a transaction monitoring platform, a case management tool, a document repository, and email, all contributing evidence to a single investigation. If those systems don't write to a shared, immutable log, there's no unified chain of custody. An analyst who emails a document to a colleague before uploading it to the case system has created a gap that's nearly impossible to close after the fact. The fix is architectural: evidence moves through defined channels, with automatic logging at every transfer point.
The second is access creep. Chain of custody logs are only useful if they distinguish authorized access from unauthorized. Broad read permissions, common in compliance teams where everyone theoretically needs access, flood access logs with routine lookups indistinguishable from problematic access. Role-based permissions with required justification fields solve this. Every access event gets tagged with a purpose, making the log meaningful rather than simply voluminous.
The third is post-hoc annotation. After a SAR draws regulatory scrutiny, it's tempting to add context to the investigation file. Analysts often do this with good intentions, wanting to clarify their reasoning. Any addition to a frozen file breaks the chain. The correct approach is a new, dated entry linked to the original, so the annotation is preserved with its own timestamp and author record rather than merged into the underlying evidence.
WORM storage (write once, read many) addresses the first two problems at the storage layer. It prevents overwriting and deletion by design, so a file preserved in a WORM-compliant system on day one is provably identical to the file retrieved three years later. This doesn't replace good process, but it does provide a technical floor below which the chain can't break. For firms running AI-driven investigation workflows, the same principle applies to model logs: the version, inputs, and outputs for each AI decision need to be written to immutable storage at the time of the decision, not regenerated on request.
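The three points just made (post-hoc context as a new dated entry linked to the original rather than an edit; WORM storage that refuses overwrites and deletions; and AI decision logs written at decision time) can be shown together on a small write-once store. This is an added example, not the article's or any vendor's code: the WormStore class, the decisions/ and annotations/ key layout, the model version string and the sample alert are constructed for illustration, and the store uses a plain directory with exclusive-create semantics, where a production deployment would rely on storage whose immutability is enforced beneath the application.

```python
"""Write-once evidence store with AI decision records written at decision time.

Added example, not the article's or any vendor's code. WormStore, the key
layout and the sample alert are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone


class WormViolation(Exception):
    """An overwrite, delete or integrity failure on a write-once object."""


class WormStore:
    """Every key is written exactly once; later writes to it fail.

    The digest returned by write() is what the case file records, so a read
    years later can prove the retrieved bytes are the bytes preserved on day one.
    """

    def __init__(self, root: str):
        self.root = root

    def _path(self, key: str) -> str:
        return os.path.join(self.root, key)

    def write(self, key: str, content: bytes) -> str:
        path = self._path(key)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        try:
            # Exclusive create ("x"): succeeds only if the object does not exist yet.
            with open(path, "xb") as fh:
                fh.write(content)
        except FileExistsError:
            raise WormViolation(f"{key} already exists; write-once objects cannot be replaced")
        return hashlib.sha256(content).hexdigest()

    def read(self, key: str, expected_digest: str) -> bytes:
        with open(self._path(key), "rb") as fh:
            content = fh.read()
        if hashlib.sha256(content).hexdigest() != expected_digest:
            raise WormViolation(f"{key}: content no longer matches the digest recorded at write time")
        return content

    def delete(self, key: str) -> None:
        raise WormViolation(f"{key}: deletion is not supported on a WORM store")


def record_ai_decision(store, alert_id, model_version, features, score, recommendation):
    """Persist model version, inputs and output when the decision is made, not on request."""
    record = {
        "alert_id": alert_id,
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "model_version": model_version,
        "input_features": features,
        "output_score": score,
        "recommendation": recommendation,
    }
    key = f"decisions/{alert_id}.json"
    return key, store.write(key, json.dumps(record, sort_keys=True).encode())


def annotate(store, original_key, original_digest, author, note):
    """Later context becomes a new dated object that points at the original by digest."""
    record = {
        "annotates": original_key,
        "original_digest": original_digest,
        "author": author,
        "added_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    key = f"annotations/{uuid.uuid4().hex}.json"   # never the original's key
    return key, store.write(key, json.dumps(record, sort_keys=True).encode())


def storage_tamper_is_detected() -> bool:
    """Simulate an edit made beneath the store and confirm read() refuses the result."""
    store = WormStore(tempfile.mkdtemp(prefix="worm-"))
    digest = store.write("id-doc.pdf", b"%PDF-1.4 constructed sample")
    with open(store._path("id-doc.pdf"), "wb") as fh:   # goes around the write-once guard
        fh.write(b"%PDF-1.4 edited sample")
    try:
        store.read("id-doc.pdf", digest)
        return False
    except WormViolation:
        return True


def demo() -> dict:
    """Constructed walkthrough: decision recorded, overwrite and delete refused, annotation linked."""
    store = WormStore(tempfile.mkdtemp(prefix="worm-"))
    key, digest = record_ai_decision(
        store, "ALERT-0042", "tm-model-3.1.0",
        {"amount_30d": 19700, "structuring_flag": 1}, 0.91, "recommend SAR",
    )
    try:
        store.write(key, b"{}")
        overwrite_refused = False
    except WormViolation:
        overwrite_refused = True
    try:
        store.delete(key)
        delete_refused = False
    except WormViolation:
        delete_refused = True
    ann_key, ann_digest = annotate(store, key, digest, "a.lee",
                                   "score reflects structuring pattern in 30-day window")
    annotation = json.loads(store.read(ann_key, ann_digest))
    original = json.loads(store.read(key, digest))
    return {
        "overwrite_refused": overwrite_refused,
        "delete_refused": delete_refused,
        "model_version": original["model_version"],
        "annotation_links_original": annotation["original_digest"] == digest,
    }
```

The digest returned at write time is the value the case file should carry, not something recomputed at exam time; read() compares against it so that an edit made below the store (storage_tamper_is_detected() simulates one) surfaces as a refusal rather than a silently different document.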
Related terms and concepts
Chain of custody overlaps with several concepts compliance teams use day-to-day, and the distinctions between them matter.
Audit trail is the closest parallel. An audit trail records every action taken within a system: logins, views, edits, exports. Chain of custody goes a step further by tracking the evidence object itself across systems and handoffs, not just the actions within one platform. An audit trail tells you who opened a file. Chain of custody tells you that file is the same file that was opened, unmodified, from the day it was created. The two are complementary rather than redundant, and a robust compliance program needs both.
WORM storage is the technical enforcement mechanism. Where an audit trail tells you who accessed a file, WORM storage tells you the file hasn't changed. Together, they provide both a behavioral record and an integrity guarantee.
Data lineage addresses origin and transformation of data as it moves through analytical pipelines. Data lineage answers "where did this number come from?" Chain of custody answers "has this document been altered since it was created?" They ask different questions and are usually managed by different teams, but in AI-driven compliance workflows, they converge: the lineage of a model input is part of the chain of custody for the decision it produced.
Explainability becomes a chain of custody issue when AI systems participate in investigation workflows. If an AI agent recommends filing a Suspicious Activity Report (SAR), the chain of custody for that recommendation includes the model version, the input features, and the output score. Regulators in the EU and UK are increasingly treating AI decision logs as evidence subject to the same retention and integrity standards as human investigator notes.
Case management is the operational container where chain of custody is built and maintained in practice. A well-designed case management platform enforces access controls, logs every interaction, prevents modifications to locked files, and writes an append-only record of every document that enters and exits a case. That's chain of custody in operational form, even if the platform doesn't describe itself that way. Choosing a case management system that meets these standards is one of the highest-leverage decisions a compliance function makes.
Where does the term come from?
The term originates in common law evidence doctrine. American courts developed the concept to ensure that physical evidence presented at trial was the same item collected at the scene. A gap in the documented sequence was sufficient to exclude that evidence from proceedings.
Financial regulators adopted the principle without always naming it. The Bank Secrecy Act of 1970 (31 USC 5311) established foundational record-keeping requirements for US institutions. FATF Recommendation 11, revised in 2012, set five-year transaction record retention as a global standard. The EU's Fourth Anti-Money Laundering Directive (2015) and Sixth Anti-Money Laundering Directive (2018) then extended those expectations to digital records and cross-border evidence sharing, effectively embedding chain of custody principles in modern AML law.
How FluxForce handles chain of custody
FluxForce AI agents monitor chain-of-custody-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.