Data as a Critical Business and Compliance Asset

Consumer Protection and Data Retention

📅 April 15, 2026

Data is an increasingly critical asset. It has a key role in due diligence, identifying and taking action against illicit finance, and identifying fraud, as well as for commercial decisions and business success. Conversely, inadequate protection of personal data can make individuals vulnerable to identity theft and other fraud, and misuse of personal information can damage the reputation of companies and lead to regulatory and legal consequences too.

Data retention is also a regulatory requirement in specific contexts, such as the United States Bank Secrecy Act (BSA), which mandates keeping records relating to customer accounts and compliance for a minimum of five years.

What is Personal Information?

The definition of personally identifiable information varies by jurisdiction. Generally, it refers to any information that identifies an individual or can be linked to an individual. It includes both direct and indirect identifiers. Companies may collect personal information from customers, employees, vendors and suppliers, to name just a few examples.

Examples of personal information include:

Personal identifiers such as full name, phone number, address, and date of birth
Government identifiers such as social security number or equivalent, passport or license number, or tax identification number
Financial information such as bank routing and account number, wallet addresses, evidence of income, or evidence of assets
Data collected through automated processes such as IP addresses, device IDs, and geolocation data

Sensitive personal information refers to information where unauthorized use or disclosure places the individual at significant risk of harm such as discrimination. Examples include: genetic, health and biometric data; racial or ethnic origin; sexual orientation and personal life data.

Not all data is “personally identifiable”. Examples of non-personal data include:

Aggregated or statistical data, meaning information which has been compiled from multiple sources and summarized to avoid revealing individual details. Examples include regional sales figures or aggregated statistics on the use of products/services.
Anonymized data, meaning information where personal identifiers have been removed. Examples include partially/fully masked IP addresses and survey responses with names and contact details removed.
Commercial information, which may be commercially sensitive and subject to contractual protections but is not personal data. Examples include non-published revenue projections or a list of corporate clients.

Key Data Protection Regulations

Some jurisdictions provide more extensive consumer data privacy protection than others.

European Union’s General Data Protection Regulation (GDPR)

Organizations are required to comply with GDPR if they are collecting data on individuals in the EU (wherever the organization is located) or if they are established in the EU (regardless of where the data is processed).

The GDPR sets out seven data principles which are best practices for managing personal data. These are:

Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose Limitation: Data must be used for its original, stated purpose, unless permission is requested and provided for other uses.
Data Minimization: Data collection and processing must be limited to what is necessary for the specified purpose.
Data Accuracy: Data must be kept accurate and up to date.
Storage Limitation: Data must only be retained for as long as necessary and must be disposed of securely when no longer needed.
Integrity and Confidentiality: Data must be protected from loss, misuse, and unauthorized activities such as unauthorized access, disclosure, alteration, or destruction.
Accountability: Organizations must be able to demonstrate that they fulfil these principles, for example they must keep individuals informed about how their personal data is collected, used, and protected, and their rights to access, correct, or delete their data.

California Consumer Privacy Act (CCPA)

Data privacy in the United States is governed by a patchwork of federal and state laws. Some of the most stringent protections are imposed by the California Consumer Privacy Act. These impose similar requirements to GDPR. The CCPA was extended in 2023 by the California Privacy Rights Act (CPRA).

Bank Secrecy Act (BSA)

The Bank Secrecy Act (BSA) applies specific data retention requirements to compliance records including filings such as SARs and CTRs, as well as records that document the institution’s compliance program. Records must be maintained for a minimum of five years. Records may be maintained in many forms provided they are accessible in a reasonable period of time.

While BSA requirements are separate from data privacy requirements, there are intersections between them since BSA records may include personal information.

Other Jurisdictions

Other jurisdictions globally, such as Dubai and Singapore, also establish data privacy regimes.

Permitted Uses of Customer Data

Organizations are responsible for communicating to individuals how their data will be used and obtaining consent for these uses.

Examples of the way personal information may be used include:

During due diligence to identify and verify the identity of a customer
To provide services, such as a financial institution using a wallet address provided by a customer to send or receive funds in accordance with customer instructions, or using bank details provided by an employee for their payroll
To detect and prevent fraud, along with fulfilling legal and regulatory obligations such as filing Suspicious Activity Reports (SARs) or Currency Transaction Reports (CTRs)
For research, development, or marketing – provided the customer has consented

Data must not be shared with third parties without the individual’s consent.

Example: Amazon Fined for GDPR Violations

Amazon was fined €746 million ($888 million) in 2021 by Luxembourg’s National Commission for Data Protection for violating GDPR rules. The fine was issued because Amazon processed customer data for targeted advertising without obtaining proper user consent.

In addition to the fine, one of the largest imposed on a tech company, Amazon was required to revise its data and consent policies.

Consumer Rights and Protections

While each regulatory regime is different, consumer rights often include rights to:

Request a copy of the information held about them
Request inaccuracies to be corrected, which an organization must do promptly
Object to use of data, for example to “opt out” of marketing
Request deletion of their data

Elements of a Data Protection Program

Data protection programs usually include several elements:

Organizational teams to identify and assess the applicable regulatory requirements
Policies and procedures to set out the requirements applicable within that institution, such as retention and disposal requirements
Technical security measures such as encryption, usernames and passwords, and role-based restrictions, to ensure data is adequately protected
Reporting lines and email addresses for consumers, staff, and other stakeholders to raise questions or make requests

Morgan Stanley Fined for Improper IT Infrastructure Disposal

Morgan Stanley was fined $60 million by the U.S. Office of the Comptroller of the Currency in 2020 after failing to properly dispose of IT infrastructure. The firm had hired a third-party vendor to decommission two data centers but did not verify proper data deletion, leading to unprotected customer data being left on servers and hardware after they were sold to a recycler.

In addition to the regulatory penalty, a class action lawsuit was brought against Morgan Stanley by individuals whose data had been compromised.

Data Analytics for Enhanced Oversight

DNFBPs, such as professionals in the real estate sector, are particularly prone to corruption because the sector is often exploited by illicit actors to launder ill-gotten gains due to the stable nature of real estate assets and the substantial sums involved. Furthermore, although DNFBPs operate under stringent regulatory frameworks intended to prevent financial crimes, these can be circumvented through sophisticated schemes or the exploitation of regulatory loopholes. these can be circumvented through sophisticated schemes or the exploitation of regulatory loopholes.

Data analytics is increasingly vital in the fight against corruption, particularly within designated DNFBPs. This technology enables the examination of vast amounts of financial data to detect patterns and anomalies indicative of corrupt practices. DNFBPs that proactively implement measures to detect and prevent illicit activities can protect themselves and significantly reduce the likelihood of becoming targets of investigations.

Identification of Anomalies in Financial Flows

In sectors like real estate, where large transactions frequently occur, data analytics plays a crucial role in identifying discrepancies in financial flows. For example, data analytics can highlight inconsistencies in property prices that deviate significantly from market norms, which may suggest under-the-table dealings or money-laundering activities. Similarly, in law firms and accountancies, data analytics can detect irregularities in client accounts or financial statements, pinpointing unusual transaction patterns that warrant further investigation.

Risk Assessments of Clients and Transactions Based on Historical Data

Data analytics also facilitates comprehensive risk assessments by utilizing historical data to profile and evaluate clients and transactions. This process includes analyzing past behavior patterns of clients and the typical transactional frameworks within specific industries to assess the risk levels of new transactions. High-risk transactions or clients can be flagged automatically for additional scrutiny or for the implementation of more stringent controls. This proactive approach helps DNFBPs comply with regulatory requirements and maintain a proactive stance against potential corruption.

Anti-Money Laundering in the UK Real Estate Sector

In the UK, several real estate firms use data analytics to comply with AML regulations. By using their computer systems to analyze transaction data and client profiles, these companies can identify high-risk transactions and clients, flagging those that may involve proceeds from corruption. This approach has helped ensure regulatory compliance and maintain the integrity of the real estate market.

Consequences of Inadequate Data Protection

Non-compliance can have financial, legal, regulatory, reputational, and commercial implications.

Regulatory penalties include:

GDPR: Fines of up to Euro 20 million (USD 22 million) or 4% of global revenue
CCPA: Fines of up to $7,500 per intentional violation and $2,500 per unintentional violation

Legal action may be taken including lawsuits from affected individuals seeking damages for identity theft or fraud.

Reputational damage may result from adverse publicity associated with data leaks, security breaches, regulatory penalties, and legal action. This may affect the perception of the organization, resulting in loss of clients and difficulty attracting and retaining staff.

Capital One Fined for Data Breach

Capital One was fined $80 million in 2019 by the Office of the Comptroller of the Currency and agreed to a $190 million class-action settlement, after 100 million U.S. and 6 million Canadian customers’ financial data was compromised.

The breach was caused by a misconfigured firewall in a cloud environment, which allowed a former AWS engineer to access Social Security Numbers, bank account details, and credit scores. The breach went undetected for four months, amplifying the damage.

Consumers entrust organizations with their data and rely on them to process, retain, and dispose of it appropriately and securely. Data retention also fulfils a critical role in ensuring institutions fulfil their counter illicit finance responsibilities – and have the records to demonstrate their compliance to regulators. Both are essential not just to remain compliant, but also for consumer trust and commercial success.

Effective Data Protection Starts with Employee Education

Educate staff on data protection and retention standards and requirements with a tailored e-learning course.

Whether looking to revamp an annual compliance course or to develop a new instructor-led program covering emerging threats, IFI can design, develop and deliver training tailored to your organization’s unique needs.

Explore Training Services

Recommended Blogs

Understanding the FATF: A Guide for Private Sector Stakeholders

April 8, 2026

The FATF standards, known as the 40 Recommendations, have become more expansive, detailed, and stringent over time, requiring more of both public and private sector institutions.

March 2026 Monthly Sanctions and Export Controls Report

April 2, 2026

Explore this month’s Sanctions and Export Controls Update, highlighting IFI’s take on key developments from March 2026.

From The Night Agent to the Real World

March 31, 2026

In the Netflix show The Night Agent, a suspicious financial trail quickly escalates into a national security investigation. While dramatized, the premise is real. This article explores how transaction monitoring detects these signals and why financial institutions play a critical role in identifying and escalating suspicious activity.

The Travel Rule Playbook

March 25, 2026

The Travel Rule was established by the FATF to help prevent bad actors from moving illicit funds undetected. The scope has expanded to include VASPs and digital assets transactions. Explore best practices for compliance and implementation strategies in this article.

Professional Crypto Laundering

March 18, 2026

The indictment of Venezuelan national Jorge Figueira in 2026 reveals a highly advanced professional laundering network using cash, crypto, OTC brokerages registered in the UK and U.S., and shell companies with accounts at regulated financial institutions. This article assesses the methodology used, red flags, and actions for financial institutions.

KYC Is Not Just Onboarding, It’s a Living Risk Assessment

March 11, 2026

When customer profiles become outdated or incomplete, the controls that rely on them, including transaction monitoring and investigations, begin to weaken. This article explores why effective KYC programs must extend beyond onboarding and how stronger customer due diligence supports more accurate risk assessments and more effective financial crime controls.

Compliance Training as a Strategic Control

March 5, 2026

When training reflects how an institution actually operates, its value extends beyond compliance. This article examines the business case for custom compliance training and why it plays a critical role in managing risk and protecting institutional credibility.

February 2026 Monthly Sanctions and Export Controls Report

March 3, 2026

Explore this month’s Sanctions and Export Controls Update, highlighting IFI’s take on key developments from February 2026.

What Effective Compliance Training Looks Like

February 25, 2026

Custom compliance training is often misunderstood as light tailoring. This article explains what real customization looks like in practice, from risk-aligned content and role-specific learning to training built around real decisions, controls, and regulatory expectations.