"Shared" is a loaded word when it comes to compliance documentation. Banks are, understandably, cautious about anything that sounds like it hands data to a third party. The distinction that matters in practice is between a platform that stores documents on a bank's behalf, under that bank's control, and one that pools data into a common asset nobody fully owns. Only the first model is workable for regulated institutions.

Repository, not pool

In a well-designed exchange, a client bank uploads its own supporting documents into a private repository — free, secure, and under its own control. Nothing moves out of that repository automatically. The bank decides which relationship bank, if any, is granted access to which documents. A third party operating the platform never becomes a party to the exchange; it hosts the mechanism, not the decision.

This distinction matters because it preserves something regulators and internal legal teams both care about: a clear, unambiguous chain of ownership. The document was produced by the client bank, stored by the client bank, and shared at the client bank's discretion. Nothing in that chain changes just because the exchange happens electronically instead of by email attachment.

A shared exchange should change how documents move. It should never change who owns them.

Why the audit trail is the other half of ownership

Ownership without a record of what happened to the data is a weak claim. If a client bank can't show, months or years later, exactly which relationship bank had access to a given document and when, "we control our data" becomes difficult to demonstrate under examination. This is where the audit trail stops being a nice-to-have and becomes the practical evidence of ownership.

A useful audit trail, at minimum, records:

  • Which document version was uploaded, and when
  • Which relationship bank was granted access, and when access was granted or revoked
  • Whether the document was part of a scheduled review or a Trigger Review Event
  • The full relationship history between the two banks, for as long as the relationship exists

Critically, this record needs to be visible to both sides — not just retained internally by the platform operator. A two-sided audit trail lets the client bank prove what it shared and when, and lets the requesting bank prove it acted on current, authorised information. Either party can produce the same history independently if a regulator asks for it.

Consistency makes the trail meaningful

An audit trail is only as useful as the data feeding it is consistent. When every counterparty is filling in the same structured questionnaire — the approach discussed in our article on standardising KYC exchange — the resulting trail is comparable across relationships rather than a patchwork of differently-shaped records.

Encryption is necessary, but it isn't the whole answer

SSL encryption over HTTPS protects data in transit and at rest against interception — that's table stakes for any platform handling sensitive financial documentation, and it's worth confirming for any exchange under consideration. But encryption answers a different question than ownership does. It protects against unauthorised access; it says nothing about who is authorised, or how that authorisation is recorded. Both controls need to be in place, and neither substitutes for the other.

What to check before trusting a shared exchange with KYC data

For an institution evaluating a KYC platform, three questions tend to separate genuine repository models from data-pooling arrangements dressed up as one: Does the client bank retain sole control over who sees its documents? Is there a permanent, two-sided record of every access grant and document exchange? And is that record available to the client bank independently, without needing to request it from the platform operator? If the answer to all three is yes, the ownership question has a real answer — not just a marketing one.