by pledess 996 days ago
How is data related to Bank Secrecy Act requirements (or similar requirements in a non-U.S. jurisdiction) stored? For example, a U.S. bank must contact regulators about a cash payment of more than $10,000. The payment itself is not information that must be kept secret from the customer, e.g., the bank can share information with the customer about the specific amount, date, etc. However, the act of reporting to regulators cannot be shared with the customer. The question is, from an IT perspective, is the act of reporting part of a "customer data structure"? Is it possible for IT staff to do simple database queries such as "date_that_customer_began < 2022-01-01 and large_cash_payments > 0"? Or is Bank Secrecy Act reporting data segregated into separate database tables or even separate IT systems?

Also very interesting to consider!

Why do you think it matters if the information is stored in completely different IT systems?

It possibly matters because (at least in the U.S.) this specific data element has substantially different legal obligations than anything else that might be placed into a customer data structure: https://www.govinfo.gov/content/pkg/CFR-2012-title12-vol1/xm...

"(i) General rule. No national bank, and no director, officer, employee, or agent of a national bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any national bank, and any director, officer, employee, or agent of any national bank that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, ..."

A bank might not want to aggregate data, within one IT system, if part of the data has the very unusual property that a subpoena must be declined.