Why M&A audit trails must be immutable: the technical and legal case
SHA-256 hash chains, WORM storage, and why append-only logs are now expected by regulators in contested M&A proceedings.
The legal case for immutable audit trails
Regulators in the US, UK, EU, and Kenya are treating the quality of deal audit trails as evidence of the adequacy of compliance governance at the time of acquisition. A mutable log — one that could have been edited — is not acceptable evidence of what decisions were made and when.
The SEC's Rule 17a-4 requires broker-dealers to preserve records in a non-rewriteable, non-erasable format. FinCEN's record-keeping requirements under 31 CFR § 1020.410 specify that records must be preserved in a manner accessible to examiners. FCA Handbook requirements for approved persons include maintaining records of decisions and the basis for them.
SHA-256 hash chains: how they work
A SHA-256 hash chain works by including the hash of the previous entry in each new entry, so every entry's hash commits to the whole history before it. To alter any historical entry you would also have to recompute every subsequent hash, and the recomputed values no longer match the ones that were recorded. A verification pass that recomputes the chain from its first entry therefore identifies the first entry whose stored hash (or stored previous-hash link) does not match, which is the exact point of tampering. This detection holds only if the current head hash is held somewhere the log writer cannot also rewrite; a chain whose every link has been recomputed is internally consistent, which is why the chain is paired with write-once storage.
DealSafi implements this with AWS S3 Object Lock in WORM compliance mode. Each audit entry is written with a retention lock preventing deletion or modification by any user, including system administrators. The lock period is set to seven years, consistent with FinCEN's record retention requirements.
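The mechanism described in the two paragraphs above, as an added Python example that is not DealSafi's code: a minimal SHA-256 hash chain with an append and a verify function, run over constructed deal-trail events. The `TRUSTED_HEAD` constant stands in for the head hash that WORM storage would pin; the example shows that a naive edit is caught at the edited entry, that an edit with every later hash recomputed is caught only by the anchored head, and that without such an anchor the rewritten chain verifies clean.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel: predecessor hash of the first entry

def entry_hash(prev_hash, seq, payload):
    # The hash commits to the previous hash and a canonical JSON encoding of the entry.
    body = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "payload": payload}
    entry["hash"] = entry_hash(prev, entry["seq"], payload)
    chain.append(entry)
    return entry

def verify(chain, trusted_head):
    # Returns (True, None) or (False, seq of first bad entry); seq == len(chain)
    # means every link holds but the head differs from the anchored value.
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or entry_hash(prev, e["seq"], e["payload"]) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return (True, None) if prev == trusted_head else (False, len(chain))

def sample_chain():
    # Constructed deal-trail events, not real deal data.
    chain = []
    append(chain, {"event": "kyc_check", "decision": "pass"})
    append(chain, {"event": "override", "blocker": "open_sanctions_alert",
                   "decision": "proceed", "authorisers": ["analyst", "mlro"]})
    append(chain, {"event": "deal_approval", "decision": "approve"})
    return chain

TRUSTED_HEAD = sample_chain()[-1]["hash"]  # the head value WORM storage would pin

def tampered(seq, recompute):
    # Rewrite entry `seq`; optionally recompute every later hash to hide the edit.
    chain = sample_chain()
    chain[seq]["payload"]["decision"] = "reject"
    if recompute:
        prev = chain[seq]["prev"]
        for e in chain[seq:]:
            e["prev"], e["hash"] = prev, entry_hash(prev, e["seq"], e["payload"])
            prev = e["hash"]
    return chain
```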
WORM storage requirements by regulator
| Requirement | Regulator | Retention | Format |
|---|---|---|---|
| AML programme records | FinCEN | 5 years | Non-rewriteable |
| SAR supporting documentation | FinCEN | 5 years | Non-rewriteable |
| Compliance decisions | FCA | 7 years | Reproducible |
| GDPR processing records | ICO / DPAs | Duration + 3 years | Accessible to DPA |
| M&A approval decisions | SEC/FINRA | 3–7 years | Non-erasable |
The override problem
The most legally significant events in a deal audit trail are the exceptions: every override of a compliance guardrail, every exception granted, every decision to proceed despite an open blocker. DealSafi requires two-person authorisation for every override, writes the justification and the identity of the secondary authoriser to the immutable chain, and notifies all counsel. The override record cannot be deleted or edited by any user at any access level.