Regulatory Data Storage System Development

Development of Regulator Data Storage System

Regulatory data storage requirements are one of the most overlooked aspects of compliance. Typical issues: data stored without encryption, retention policy not formalized, unable to quickly provide needed data upon regulator request.

Storage Requirements

FATF R11: store KYC documents and transaction records for minimum 5 years (some jurisdictions require 7 or 10 years).

GDPR: data not longer than necessary (conflict with FATF — resolved through legal basis "legal obligation" for AML data).

MiCA / VASP licenses: complete audit trail of all decisions, including compliance decisions.

Storage Architecture

interface RegulatorDataStore {
  // KYC document storage
  storeKYCDocument(params: {
    userId: string;
    documentType: "PASSPORT" | "DRIVING_LICENSE" | "UTILITY_BILL" | "SELFIE" | "OTHER";
    fileContent: Buffer;
    mimeType: string;
    expiresAt?: Date; // document validity period
    retentionUntil: Date; // when can be deleted
  }): Promise<string>; // document ID
  
  // Compliance decision storage
  storeComplianceDecision(params: {
    userId: string;
    decisionType: "KYC_APPROVAL" | "KYC_REJECTION" | "RISK_UPGRADE" | "SAR_FILED" | "ACCOUNT_FROZEN";
    decision: "APPROVED" | "REJECTED" | "ESCALATED";
    rationale: string;
    decidedBy: string; // employee or system
    evidenceIds: string[]; // references to documents
  }): Promise<string>;
  
  // Regulatory data export
  generateRegulatoryExport(params: {
    userId?: string;
    dateRange?: { from: Date; to: Date };
    dataTypes: string[];
  }): Promise<RegulatorExport>;
}

Encryption at Rest

All KYC documents are stored encrypted. Key management is critical: if keys are lost, data is inaccessible; if compromised — violation.

class EncryptedDocumentStore {
  private readonly KMS_KEY_ID = process.env.AWS_KMS_KEY_ID;
  
  async store(userId: string, document: Buffer, metadata: DocumentMetadata): Promise<string> {
    // Generate data key via AWS KMS
    const { CiphertextBlob: encryptedDataKey, Plaintext: dataKey } = 
      await kms.generateDataKey({ KeyId: this.KMS_KEY_ID, KeySpec: "AES_256" }).promise();
    
    // Encrypt document with data key
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
    const encryptedDoc = Buffer.concat([cipher.update(document), cipher.final()]);
    const authTag = cipher.getAuthTag();
    
    // Save encrypted document + encrypted data key
    const docId = crypto.randomUUID();
    await s3.putObject({
      Bucket: process.env.KYC_BUCKET,
      Key: `${userId}/${docId}`,
      Body: encryptedDoc,
      Metadata: {
        "encrypted-data-key": encryptedDataKey.toString("base64"),
        "iv": iv.toString("base64"),
        "auth-tag": authTag.toString("base64"),
        "user-id": userId,
        "document-type": metadata.documentType,
        "retention-until": metadata.retentionUntil.toISOString(),
      },
    }).promise();
    
    // Store encrypted data key in DB (not the data key itself!)
    await db.saveDocumentRecord(docId, userId, metadata, encryptedDataKey.toString("base64"));
    
    return docId;
  }
  
  async retrieve(docId: string): Promise<Buffer> {
    const record = await db.getDocumentRecord(docId);
    const s3Object = await s3.getObject({ Bucket: process.env.KYC_BUCKET, Key: `${record.userId}/${docId}` }).promise();
    
    // Decrypt data key via KMS
    const { Plaintext: dataKey } = await kms.decrypt({
      CiphertextBlob: Buffer.from(record.encryptedDataKey, "base64"),
    }).promise();
    
    const iv = Buffer.from(s3Object.Metadata!["iv"], "base64");
    const authTag = Buffer.from(s3Object.Metadata!["auth-tag"], "base64");
    
    const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, iv);
    decipher.setAuthTag(authTag);
    
    await db.logAccess(docId, "READ"); // audit trail
    
    return Buffer.concat([decipher.update(s3Object.Body as Buffer), decipher.final()]);
  }
}

Retention Policy Automation

// Daily check for expired data
@Cron("0 3 * * *")
async enforceRetentionPolicy() {
  // Find documents with expired retention
  const expiredDocs = await db.findExpiredDocuments();
  
  for (const doc of expiredDocs) {
    // Check for active legal holds (regulatory investigation, litigation)
    const hasLegalHold = await db.checkLegalHold(doc.userId);
    if (hasLegalHold) {
      await db.extendRetention(doc.id, doc.userId, "LEGAL_HOLD");
      continue;
    }
    
    // Secure deletion
    await s3.deleteObject({ Bucket: process.env.KYC_BUCKET, Key: `${doc.userId}/${doc.id}` }).promise();
    await db.markDocumentDeleted(doc.id, "RETENTION_EXPIRED");
    
    this.logger.log(`Deleted expired document ${doc.id} for user ${doc.userId}`);
  }
}

Regulator Request (Production Request)

async function handleRegulatorRequest(request: RegulatorRequest): Promise<ExportPackage> {
  const { userId, dateRange, requestedBy, legalBasis } = request;
  
  // Log request (audit trail)
  await db.logRegulatorRequest(request);
  
  const [kycDocs, transactions, amlDecisions, sars] = await Promise.all([
    docStore.getKYCDocuments(userId),
    db.getTransactions(userId, dateRange),
    db.getComplianceDecisions(userId),
    db.getSARs(userId),
  ]);
  
  // Package into zip with manifest
  const exportPackage = await createExportPackage({
    userId,
    requestedBy,
    exportedAt: new Date(),
    legalBasis,
    contents: { kycDocs, transactions, amlDecisions, sars },
  });
  
  await db.logDataExport(userId, request.id, exportPackage.manifest);
  return exportPackage;
}

Storage system with AES-256 encryption, KMS key management, retention policy, and regulator export — 2-3 weeks development.