How to keep a tamper-evident audit trail without inventing one

What “tamper-evident” actually means

Append-only and tamper-evident sound similar; they are not. Append-only means new records cannot overwrite old ones at the storage layer. That is necessary but not sufficient. A database with INSERT-only permissions is append-only, but an examiner has no way to prove that a privileged user did not back-date or alter a record. Tamper-evident is stronger: any modification of a past record (even a single byte) is cryptographically detectable by anyone with the public key.

The bar comes from how compliance evidence is used. When an examiner subpoenas a customer's decision history from March 14, 2026, the question is not just “what did you say happened that day?” It is “can you prove this is what your system actually held on that day, unaltered?” A tamper-evident log answers that question. An append-only log only answers half of it.

The three mechanisms that satisfy the bar

Three cryptographic patterns, individually or in combination, produce a tamper-evident audit trail. Most production systems use all three.

• Hash chains. Each record contains the SHA-256 hash of the previous record. Modify any record retroactively and every hash from that point forward becomes invalid. Examiners verify by walking the chain. Implementations include AWS QLDB's journal, transparency logs (Certificate Transparency, Sigstore), and the per-Subject hash chains FinQub uses.
• Cryptographic signatures. Each record (or batch) is signed with a private key your service holds. The signature proves authenticity (this record was emitted by your service) and integrity (the bytes have not changed). The examiner verifies with the public key, which can be published or notarized. Common: HSM-backed signing for keys, RSA-PSS or Ed25519 for the algorithm.
• WORM storage (Write Once Read Many). Storage that physically prevents modification. AWS S3 Object Lock in compliance mode is the practical example: once a record is written with an Object Lock retention period, even AWS administrators cannot delete or modify it during the retention window. WORM is the substrate; hash chains and signatures are the math on top of it.

The combination an examiner most often sees in fintech compliance: WORM storage of the underlying records, hash chains across them per Subject, and signed batched exports when an exam packet is produced. Each layer reinforces the others.

What examiners actually check

Examiners do not look at the cryptography itself in most cases. They check three things that the cryptography makes provable:

• Completeness. Does the record contain every signal and every decision that touched the customer? Gaps in the record are the most common audit failure, and they happen when a vendor outputs land in a vendor console but never reach the consolidated record.
• Continuity. Does the record show an unbroken timeline from the customer's onboarding to today, with no missing periods? Gaps in the chain (rather than gaps in the data) suggest the system went down and the chain restarted without bridging.
• Provenance. Can the record show where each piece of evidence came from (which vendor, which API call, which list version) and that the issuer of that evidence has not been altered? This is what the cryptographic signatures answer.

When all three properties hold, an examiner can ask “what did you know on date X?” and get a single signed export that answers it. When any one of the three breaks, the answer becomes “here is what we currently think we knew on date X, reconstructed by hand.” That gap is what costs compliance teams weeks per exam.

Three failure modes that quietly break tamper-evidence

Most implementations get the cryptography right and the operational details wrong. Three patterns recur:

• Gaps in the chain. A record at time T+1 hashes the record at T+0. If the system loses a record between them (a queue drops, a write fails, a node reboots) the chain breaks, and every record from that point forward inherits a broken link. The fix is atomic appends, idempotent retries, and a separate continuous verifier that runs against the live chain, not just at export time.
• Key rotation without rollover. Signing keys must rotate (lifetime, compromise, policy). A naïve rotation invalidates everything signed by the old key, the moment the new key takes over. The correct pattern is to sign the rotation event itself with the outgoing key, so the chain of trust is unbroken across rotations. Few in-house implementations get this right on the first try.
• Clock drift and time without notarization. The timestamp on each record needs to be trustworthy on its own. A local clock that drifts (or worse, that can be set by an administrator) is not. The remedy is to anchor the chain to an external time source periodically: RFC 3161 timestamps, a public ledger, or a notary service. The cost is small; the audit improvement is large.

Reconstructing the chain across a vendor swap

The most common reason a real-world chain breaks is not the cryptography but a vendor migration. When you switch from one KYC vendor to another (Persona to Sumsub, for instance), the old vendor's console history stays in the old vendor. Whatever happens after the switch lives in the new vendor. The customer's compliance history becomes two disconnected logs, each tamper-evident inside itself, neither tamper-evident across the gap.

The fix is to put the chain on the record, not on the vendor. Every signal the old vendor produced lands on the customer record before the switch, with hashes forward. Every signal the new vendor produces lands on the same record after the switch, hashes continuing the chain. The chain survives because the chain was never tied to the vendor in the first place. See switching a KYC or KYB vendor without losing your audit history for the practical version.

Where the record sits in your stack

FinQub is the single source of truth for fintech risk decisions, with tamper-evidence built in. Every vendor signal that lands on a Subject is hashed into that Subject's chain. Every decision your rulebook or your analyst makes is hashed and signed. Exam packets are produced by walking the per-Subject chain and signing the export. The cryptography is invisible to your engineers and your analysts; only the examiner ever needs to see it, and when they do, the proof is in the export.

A checklist for tamper-evident readiness

• Append-only is not enough; require hash chains or signed exports on top.
• Verify the chain continuously, not just at export time. Most breaks show up between exams, not during them.
• Plan for key rotation before you launch. Use a key-rollover protocol that signs each rotation with the outgoing key.
• Anchor your clock externally. RFC 3161 timestamps or periodic notarization to a public ledger.
• Keep the chain on the record, not on any one vendor. Vendor swaps should not break the audit history (see vendor migration without losing history).
• Test an exam packet end-to-end with a simulated subpoena before you need to produce one for a real exam.

Frequently asked questions

Tamper-evidence is a property of the record, not of any one vendor. See how a point-in-time replay uses the chain, or book a short walkthrough below.