
Redacting Audit Reports and Investigation Files: Compliance

Compliance teams share audit reports, regulatory submissions, and investigation files with external bodies who have no right to see every word. This guide covers what to remove, why the process needs to be defensible, and the two very different things "SAR" can mean.

By RedactProof Editorial Team · May 1, 2026 · Updated May 10, 2026


This guide is educational. It is not legal or compliance advice. Verify regulatory requirements with your compliance counsel, Chief Compliance Officer, or relevant regulator before acting.

A mid-size broker-dealer in Chicago receives a document request from the SEC as part of a routine examination. The compliance team has ten business days. The file set includes internal audit reports with client account numbers, an employment investigation file referencing terminated personnel, and a log that mentions a Suspicious Activity Report filed through FinCEN. The question isn't whether to redact - it's what to redact, what to log, and how to demonstrate that the process was consistent.

This guide covers the redaction requirements that apply across compliance function document types: audit reports, regulatory submissions, internal investigation files, and financial Suspicious Activity Reports. It is focused on process and defensibility.

Two types of SAR - understanding the difference

In US compliance contexts, "SAR" most commonly refers to a Suspicious Activity Report filed with FinCEN under the Bank Secrecy Act. In data protection contexts the same abbreviation means a Subject Access Request, the right-of-access request under the GDPR and UK data protection law, and it is sometimes applied loosely to access requests under CCPA and other US state privacy laws. They are not the same thing.

A financial SAR is filed with FinCEN through the BSA E-Filing System when a financial institution detects a transaction that may involve money laundering, fraud, or other suspicious activity. Under 31 CFR Chapter X, covered financial institutions are required to file SARs for transactions meeting specified thresholds. Supporting documentation is retained by the filer for five years but is not attached to the SAR filing itself. The filing is made to FinCEN - not to the subject of the report.

A consumer access request - a Subject Access Request in GDPR terms, and sometimes loosely called a "SAR" in CCPA or state privacy law contexts - is filed by an individual seeking access to personal information a business holds about them. The two are entirely different in scope, recipient, and process. This guide covers financial SARs as compliance documents. Consumer access request workflows are covered in our disclosure guide.

Preparing audit reports for regulatory review

Internal audit reports submitted to the SEC, FINRA, OCC, or other regulators typically contain a mix of sensitive categories: client account data, employee conduct information, and assessments of control failures. Before producing them in response to a regulatory request, the compliance team needs to scope what can and cannot be withheld.

Categories that commonly require redaction before external sharing:

  • Personal data of clients and employees not within the scope of the specific request
  • Attorney-client privileged communications - advice sought from legal counsel for legal purposes
  • Information about separate regulatory matters or pending investigations outside the requestor's jurisdiction
  • Trade secrets and proprietary business methodologies where disclosure is not required

Each redaction decision should be logged: the document reference, the category of redacted content, and the legal basis. Many compliance teams maintain a privilege log as a separate schedule accompanying the production. Regulators have indicated they expect firms to identify withheld material and the basis for each withholding - silent redaction without explanation is generally not acceptable in an enforcement context.

Regulatory submissions and enforcement responses

When the SEC, FINRA, or a federal banking regulator requests documents under its examination or enforcement authority, firms are typically under a legal obligation to produce what is requested. Selective redaction without notice can itself be viewed as non-cooperation.

Common practice is to produce documents to the regulator while redacting material outside the specific request scope, and to identify all redacted passages explicitly in a covering schedule. Attorney-client privilege is the most defensible basis for withholding in this context, but privilege assertions are routinely challenged in regulatory proceedings. A privilege log that describes each withheld item, the nature of the communication, and the attorney involved - without disclosing the privileged content itself - is a defensible approach typically used in these situations.

Internal investigations and investigation files

Investigation files in US regulated firms often need to be shared across multiple audiences: the subject of the investigation (in some circumstances), outside counsel, the audit committee, or examiners. Each audience has different entitlements.

Before sharing any investigation file, work through three questions. Who is the recipient and what is their authority to receive this information? What categories of information are in the file - witness accounts, personnel records, account data, privileged legal advice? And what is the legal or regulatory basis for each redaction decision?

Witness identity in internal investigations is a consistent point of tension. The subject of an investigation may be entitled to the substance of findings while the identities of witnesses warrant protection, particularly where there are concerns about retaliation. State employment law and sector-specific guidance may apply. Specific requirements depend on your sector regulator and applicable rules.


Financial SARs: confidentiality and the tipping-off prohibition

Under the Bank Secrecy Act and FinCEN regulations, financial institutions are prohibited from disclosing a SAR or its contents to the subject of the report, or to most third parties. FinCEN's guidance on unauthorized disclosure of SARs confirms that unauthorized disclosure can result in criminal penalties. This prohibition has a direct impact on document redaction.

If a document bundle - an audit report, an investigation file, any record set - might be shared externally, any reference to the existence or content of a SAR filing must be reviewed carefully before production. In many cases, redacting the reference entirely is required. The basis is statutory, not discretionary. Supporting documentation retained in connection with a SAR filing should be stored separately with access controls appropriate to its sensitivity, since it too falls within the SAR confidentiality framework.

Building a redaction policy that holds up

Regulated firms - particularly those subject to SEC, FINRA, or OCC oversight - are increasingly expected to maintain written compliance procedures covering document handling, including redaction. A written policy is evidence that redaction decisions are made consistently rather than ad hoc.

A defensible redaction policy for a US compliance team typically covers:

  • Scope - which document types and workflows the policy applies to
  • Roles - who makes redaction decisions and who provides sign-off
  • Categories - standard redaction categories with the legal basis for each (privilege, BSA confidentiality, client data, employee privacy)
  • Method - requirement for permanent redaction (sometimes called pixel-burn) that removes the underlying text, image and metadata content from the file, rather than an overlay that draws an opaque box over it; an overlay leaves the original text selectable, extractable, and recoverable by deleting the box
  • Verification - steps to confirm redaction before production, such as re-extracting the text layer of the output and searching it for the redacted strings, and checking document metadata, comments, annotations, attachments and any retained revision history
  • Logging - what is recorded, where it is stored, and retention period
  • Review - how often the policy is reviewed in light of regulatory changes
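
The verification step in practice. The following Go program is an added example written for this guide; it is not RedactProof's code or the output of any redaction tool. It inflates every Flate-compressed stream in a PDF and searches the decoded content, and everything outside the stream bodies (document information dictionary, XMP metadata, annotations), for the strings that were supposed to be removed. Both sample files are constructed inside the program: one where the account number was actually removed, and one where a black rectangle was drawn over it while the text operator and the metadata were left in place. A hit proves the redaction failed; the absence of a hit does not prove success, because PDF text can be hex-encoded, split across TJ arrays or mapped through custom font encodings, so a real text extractor such as pdftotext should also be run over the output. Nested dictionaries, LZW and ASCII85 filters and embedded files are not handled.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
	"regexp"
	"strconv"
)

// Finding records one place where a supposedly redacted string survived.
type Finding struct {
	Needle string
	Where  string // "stream N" for a decoded stream body, "outside streams" for dictionaries, metadata, annotations
}

var (
	// A stream dictionary followed by the stream keyword. Nested dictionaries are not handled.
	streamHeadRe = regexp.MustCompile(`<<([^<>]*)>>\s*stream\r?\n`)
	// Direct /Length value; the optional group catches an indirect reference ("/Length 6 0 R").
	lengthRe = regexp.MustCompile(`/Length\s+(\d+)(\s+\d+\s+R)?`)
)

// splitStreams returns the decoded body of every stream and the bytes that lie
// outside stream bodies. Flate streams are inflated; other filters are left raw.
func splitStreams(pdf []byte) (bodies [][]byte, outside []byte) {
	pos := 0
	for _, m := range streamHeadRe.FindAllSubmatchIndex(pdf, -1) {
		if m[0] < pos {
			continue // header text that happened to occur inside a previous body
		}
		dict, start, end := pdf[m[2]:m[3]], m[1], -1
		if lm := lengthRe.FindSubmatch(dict); lm != nil && len(lm[2]) == 0 {
			if n, err := strconv.Atoi(string(lm[1])); err == nil && start+n <= len(pdf) {
				end = start + n
			}
		}
		if end < 0 { // indirect or missing /Length: fall back to the endstream keyword
			i := bytes.Index(pdf[start:], []byte("endstream"))
			if i < 0 {
				break
			}
			end = start + i
		}
		body := pdf[start:end]
		if bytes.Contains(dict, []byte("/FlateDecode")) {
			if r, err := zlib.NewReader(bytes.NewReader(body)); err == nil {
				if out, err := io.ReadAll(r); err == nil {
					body = out
				}
			}
		}
		bodies = append(bodies, body)
		outside = append(outside, pdf[pos:start]...)
		pos = end
	}
	return bodies, append(outside, pdf[pos:]...)
}

// ScanForResidue reports every needle found in a decoded stream or in the
// non-stream parts of the file.
func ScanForResidue(pdf []byte, needles []string) []Finding {
	bodies, outside := splitStreams(pdf)
	var found []Finding
	for i, b := range bodies {
		for _, n := range needles {
			if bytes.Contains(b, []byte(n)) {
				found = append(found, Finding{n, fmt.Sprintf("stream %d", i+1)})
			}
		}
	}
	for _, n := range needles {
		if bytes.Contains(outside, []byte(n)) {
			found = append(found, Finding{n, "outside streams"})
		}
	}
	return found
}

// sampleFile builds a constructed, minimal PDF-like byte sequence (not a real
// document) with one Flate-compressed content stream and an Info dictionary.
func sampleFile(overlayOnly bool) []byte {
	content := "BT /F1 12 Tf 72 700 Td (Client: [REDACTED]) Tj ET"
	subject := "(Audit report, client reference removed)"
	if overlayOnly {
		// Overlay "redaction": a filled black rectangle is drawn over the text,
		// but the original text operator and the metadata are untouched.
		content = "0 g 72 690 200 20 re f BT /F1 12 Tf 72 700 Td (Client: ACCT-4471902) Tj ET"
		subject = "(Audit report, ACCT-4471902 review)"
	}
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte(content))
	w.Close()
	var pdf bytes.Buffer
	pdf.WriteString("%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n")
	fmt.Fprintf(&pdf, "4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n", z.Len())
	pdf.Write(z.Bytes())
	pdf.WriteString("\nendstream\nendobj\n")
	pdf.WriteString("5 0 obj << /Title (Audit report) /Subject " + subject + " >> endobj\n%%EOF\n")
	return pdf.Bytes()
}

func main() {
	needles := []string{"ACCT-4471902"} // constructed account reference to hunt for
	for _, f := range ScanForResidue(sampleFile(true), needles) {
		fmt.Printf("residual %q at %s\n", f.Needle, f.Where)
	}
	fmt.Println("properly redacted file:", len(ScanForResidue(sampleFile(false), needles)), "findings")
}
```

Run it against the real output file and the list of strings the redaction log says were removed; any finding is a production stop, and the search terms themselves must be handled with the same care as the original document.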

We are working on a detailed policy template for compliance teams. When published, it will cover each of these elements with example language appropriate for financial services, legal, and professional services firms.

Tools and audit trails

For compliance teams, the tool question centers on evidence. You need to demonstrate to examiners, outside counsel, or in litigation that redaction was applied correctly, permanently, and at a documented point in time.

RedactProof processes documents in your browser - files are not uploaded to servers - and generates tamper-evident verification certificates with Ed25519 digital signatures. Each certificate records the document state at export and includes a QR code for offline verification. The Pro plan includes a full audit trail documenting every redaction decision, which supports a defensible compliance posture when production decisions are later reviewed. A signed certificate establishes that a particular exported file and set of logged decisions existed at a stated time; it does not by itself show that the redactions were complete or correct, which is why the verification step in the policy remains a separate control.
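How a certificate of this kind can be checked offline, as an added example written for this guide: it is not RedactProof's certificate format and makes no claim about what its certificates contain. The program chains each logged redaction decision to the previous one by SHA-256, then signs a body holding the exported file's hash, the chain head, the entry count and a caller-supplied timestamp with an Ed25519 key from Go's standard library. Verify recomputes everything from the file and log that were actually produced, so a substituted file, an edited earlier log entry, or a changed timestamp each fails. The public key is passed to Verify rather than read from the certificate: a key that travels with the certificate proves only that someone signed it, so the verifier must pin or obtain the issuer's key out of band. The timestamp is whatever the issuer's clock said; if the time itself must be provable, a trusted timestamping service is needed. All document references and log entries are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one logged redaction decision. Prev is the hex SHA-256 of the
// preceding entry, so editing or dropping an earlier entry breaks the chain.
type Entry struct {
	DocRef   string `json:"doc_ref"`
	Category string `json:"category"`
	Basis    string `json:"basis"`
	Prev     string `json:"prev"`
}

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

func entryHash(e Entry) string {
	b, _ := json.Marshal(e) // struct marshalling has a fixed field order, so this is canonical
	return sha256Hex(b)
}

// Append links a new decision to the current chain head.
func Append(entries []Entry, docRef, category, basis string) []Entry {
	prev := ""
	if len(entries) > 0 {
		prev = entryHash(entries[len(entries)-1])
	}
	return append(entries, Entry{docRef, category, basis, prev})
}

// Body is what the signature covers: the exported file's hash, the chain head,
// the entry count and a caller-supplied timestamp.
type Body struct {
	FileSHA256 string `json:"file_sha256"`
	LogHead    string `json:"log_head"`
	Entries    int    `json:"entries"`
	ExportedAt string `json:"exported_at"`
}

type Certificate struct {
	Body      Body   `json:"body"`
	Signature string `json:"signature"` // hex Ed25519 signature over json.Marshal(Body)
}

func makeBody(exported []byte, entries []Entry, at string) Body {
	head := ""
	if len(entries) > 0 {
		head = entryHash(entries[len(entries)-1])
	}
	return Body{sha256Hex(exported), head, len(entries), at}
}

// NewIssuerKey generates the signing key pair. The private half belongs in an
// HSM or key vault; the public half is what examiners or counsel receive out of band.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue signs the certificate body with the issuer's Ed25519 key.
func Issue(priv ed25519.PrivateKey, exported []byte, entries []Entry, at string) Certificate {
	body := makeBody(exported, entries, at)
	msg, _ := json.Marshal(body)
	return Certificate{body, hex.EncodeToString(ed25519.Sign(priv, msg))}
}

// Verify checks the chain, recomputes the body from the file and log that were
// actually produced, and verifies the signature with a key obtained out of band.
func Verify(pub ed25519.PublicKey, cert Certificate, exported []byte, entries []Entry) error {
	prev := ""
	for i, e := range entries {
		if e.Prev != prev {
			return fmt.Errorf("log entry %d does not link to its predecessor", i)
		}
		prev = entryHash(e)
	}
	if want := makeBody(exported, entries, cert.Body.ExportedAt); want != cert.Body {
		return errors.New("certificate body does not match the produced file and log")
	}
	sig, err := hex.DecodeString(cert.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg, _ := json.Marshal(cert.Body)
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify: certificate altered or signed by another key")
	}
	return nil
}

func main() {
	pub, priv := NewIssuerKey()
	var entries []Entry // constructed log entries
	entries = Append(entries, "IA-2025-014 p.12", "client account data", "outside request scope")
	entries = Append(entries, "IA-2025-014 p.31", "attorney-client privilege", "advice of outside counsel")
	exported := []byte("constructed stand-in for the redacted PDF bytes")
	cert := Issue(priv, exported, entries, "2026-05-01T14:00:00Z")
	fmt.Println("fresh:", Verify(pub, cert, exported, entries))
	entries[0].Basis = "no basis recorded" // retroactive edit of a logged decision
	fmt.Println("tampered log:", Verify(pub, cert, exported, entries))
}
```

Store the certificate, the exported file and the log together with the production, and record the issuer's public key fingerprint in the covering schedule so that a later reviewer can verify against a key they did not receive from the same package.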

For teams managing FOIA, CCPA, and other disclosure workflows, our guide to redacting documents for disclosure covers those processes in detail.

Disclaimer: This guide is for informational purposes only and does not constitute legal, medical, or professional advice. Consult a qualified professional for advice specific to your situation.

Frequently Asked Questions

What is the difference between a FinCEN SAR and a consumer access request?

A financial Suspicious Activity Report (SAR) is filed with FinCEN through the BSA E-Filing System by covered financial institutions when they detect activity that may involve money laundering or financial crime. It is filed to a law enforcement body, not to the subject of the report. A consumer access request - a Subject Access Request under GDPR and UK data protection law, and sometimes loosely called a SAR in CCPA or state privacy contexts - is filed by an individual seeking access to personal information a business holds about them. These are different in statute, recipient, process, and confidentiality requirements. Specific requirements depend on your sector regulator and applicable rules.

Can references to a FinCEN SAR be included in documents shared with third parties?

No. Under the Bank Secrecy Act and FinCEN regulations, financial institutions are prohibited from disclosing a SAR or its existence to the subject of the report or most third parties. Unauthorized disclosure can result in criminal penalties. Any document that references a SAR filing - directly or by implication - should be reviewed before it is produced externally. In most cases, the reference must be redacted. This obligation applies regardless of the context in which the document is shared. Specific requirements depend on your sector regulator and applicable rules.

How should we handle legally privileged material in documents produced to a regulator?

Attorney-client privilege and the work-product doctrine survive a regulatory subpoena or document request - they are not waived simply because a regulator asks for the document. The accepted approach is to produce the document with privileged passages redacted, accompanied by a privilege log: a schedule identifying each withheld item, the nature of the communication (advice sought or given, in anticipation of litigation), and the attorney involved, without disclosing the privileged content itself. Privilege claims are routinely challenged in regulatory proceedings, so a contemporaneous log is more defensible than a retrospective assertion. Specific requirements depend on your sector regulator (FTC, SEC, HHS OCR, state AG, and similar) and applicable rules.

Do we need a formal written redaction policy?

A written redaction policy is not universally mandated as a standalone document, but it is increasingly expected as part of broader written supervisory procedures (WSPs) for regulated firms. The SEC and FINRA have both emphasized in examination findings that firms should have documented procedures for handling sensitive information. A written redaction policy that covers decision authority, redaction categories with legal bases, permanent redaction methods, verification, and logging supports a defensible compliance posture. Specific requirements depend on your sector regulator and applicable rules.
