Fredrik Forslund, VP & GM, International, Blancco explains why secure, standards-based data sanitisation is critical for financial compliance, cyber resilience and trust.
The financial sector is one of the most highly regulated industries – and for good reason.
Banks, insurers and payment providers safeguard some of the world’s most sensitive assets: customer accounts, investments and Personally Identifiable Information (PII).
With that responsibility comes a complex web of global compliance obligations spanning privacy, data protection and cybersecurity.
Despite stringent oversight, regulations typically don’t require financial institutions to adopt specific technical standards for cybersecurity or data sanitisation.
Instead, regulated organisations must demonstrate the use of recognised best practices.
This flexibility leaves room for interpretation, and with it the potential for gaps that put compliance, data security and the trust underpinning global digital finance at risk.
Globally, financial institutions face overlapping mandates.
In the U.S., the Gramm-Leach-Bliley Act (GLBA) and state-level privacy laws like the California Consumer Privacy Act (CCPA) shape how institutions collect and store consumer data.
The EU’s General Data Protection Regulation (GDPR) imposes strict rules on data minimisation, storage limitation and cross-border transfers, and the Payment Services Directive 2 (PSD2) governs how customers consent to third parties accessing their payment account data.
The Payment Card Industry Data Security Standard (PCI DSS) protects cardholder data by requiring that its storage be kept to a minimum, that a retention policy be defined and that the data be rendered unrecoverable once it is no longer needed.
Compliance requirements grow more complex by the day and compliance teams are already stretched thin, so gaps and blind spots remain that put customer and corporate data at risk.
The last stage of data lifecycle management, the secure disposition of data, is one of the most consistently overlooked areas, even though it represents a growing source of risk according to Blancco’s 2025 Financial Services State of Data Sanitization Report.
Based on a global survey of IT decision makers at financial services organisations with more than 5,000 employees, the report found that 82% of financial services organisations have suffered a data breach via cyberattack or a data leak due to an unintentional exposure of sensitive data in the past year.
The impact of a data breach or leak goes beyond the potential for non-compliance: 35% of those who had experienced a breach incurred customer loss, along with impacts to customer revenue (40%) and share prices (36%).
Financial institutions excel at collecting, analysing and retaining data, particularly for legally mandated functions such as Know Your Customer (KYC) and anti-money laundering (AML) compliance.
These regulations require customer data to be held for fixed timeframes, often five to seven years depending on jurisdiction.
However, once those retention periods expire, the responsibility doesn’t end.
Outdated customer files, redundant backups and decommissioned storage devices quickly turn from assets into liabilities if not securely erased.
Holding on to unnecessary data increases the risk of breaches and non-compliance and may violate data minimisation requirements found in laws such as the GDPR and emerging privacy acts in India, Brazil and South Korea.
Regulators are increasingly linking data minimisation with cyber resilience, and for good reason: if sensitive data no longer exists, it cannot be stolen or leaked.
Secure data sanitisation, the permanent, verifiable and auditable removal of information from storage media, is a critical part of that resilience.
While data privacy laws dictate what must be deleted and when, data sanitisation standards define how to delete it securely and permanently across the diverse storage media found in an enterprise. NIST SP 800-88 from the U.S. National Institute of Standards and Technology, which defines three levels of sanitisation (Clear, Purge and Destroy) matched to the media type and the sensitivity of the data, and IEEE 2883 from the Institute of Electrical and Electronics Engineers provide clear, tested methods for ensuring that data cannot be recovered once removed, together with guidance on verifying the result and documenting it.
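Standards-based sanitisation is only "verifiable and auditable" if the result is actually read back and recorded. The following Python is an added example, not Blancco's code and not taken from the standards themselves: it performs the full or sampled read-back verification that NIST SP 800-88 describes for a Clear-level overwrite, and assembles the per-item record that the standard's sample certificate of sanitization (Appendix G) calls for. The in-memory "media", the asset details and all function names are constructed for this example.

```python
# Added example (not Blancco's code and not part of the original article):
# host-side verification and record-keeping for a sanitised storage volume,
# following the verification and certificate guidance in NIST SP 800-88.
# The "media" here are constructed in-memory byte strings standing in for a
# block device; all names below are this example's own.
import hashlib
import json
import random

BLOCK_SIZE = 512

# Constructed sample media: a 64-block volume that was overwritten with zeros,
# and the same volume with a fragment of customer data left behind in block 37.
CLEAN_MEDIA = bytes(BLOCK_SIZE * 64)
_RESIDUE = b"ACCOUNT 00012345 / Jane Doe / DOB 1980-01-01"  # constructed, not real
_buf = bytearray(CLEAN_MEDIA)
_buf[BLOCK_SIZE * 37 : BLOCK_SIZE * 37 + len(_RESIDUE)] = _RESIDUE
DIRTY_MEDIA = bytes(_buf)


def verify_overwrite(media, *, pattern=b"\x00", sample_blocks=None, seed=0):
    """Check that the user-addressable area contains only the overwrite pattern.

    sample_blocks=None reads every block (full verification); otherwise a
    seeded pseudo-random sample of block indices is read, so an auditor can
    re-read exactly the same locations later. Returns a dict suitable for
    inclusion in the sanitisation record.
    """
    n_blocks = (len(media) + BLOCK_SIZE - 1) // BLOCK_SIZE
    if sample_blocks is None or sample_blocks >= n_blocks:
        indices = range(n_blocks)
        method = "full read-back"
    else:
        rng = random.Random(seed)
        indices = sorted(rng.sample(range(n_blocks), sample_blocks))
        method = f"sampled read-back ({sample_blocks} of {n_blocks} blocks, seed {seed})"

    failed = []
    for i in indices:
        block = media[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        # The last block may be short; compare against a pattern of the same length.
        expected = (pattern * (len(block) // len(pattern) + 1))[:len(block)]
        if block != expected:
            failed.append(i)

    return {
        "verification_method": method,
        "blocks_checked": len(indices),
        "failed_blocks": failed,
        "passed": not failed,
    }


def certificate_of_sanitization(media_details, *, method, technique, tool,
                                verification, performed_by, date):
    """Assemble the per-item record NIST SP 800-88 Appendix G suggests keeping:
    media identity, the sanitisation level and technique applied, the tool,
    how the result was verified, who performed it and when. The outcome is
    derived from the verification result, so a volume with residue can never
    be certified as passed. A SHA-256 over the canonical JSON lets later
    copies of the record be checked for tampering."""
    record = {
        "media": media_details,
        "sanitization": {"method": method, "technique": technique, "tool": tool},
        "verification": verification,
        "result": "PASS" if verification["passed"] else "FAIL",
        "performed_by": performed_by,
        "date": date,
    }
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


if __name__ == "__main__":
    details = {"manufacturer": "ExampleCorp", "model": "X1", "serial": "SN-0001",
               "media_type": "HDD", "asset_tag": "FIN-00042"}  # constructed
    for name, media in (("clean", CLEAN_MEDIA), ("dirty", DIRTY_MEDIA)):
        cert = certificate_of_sanitization(
            details, method="Clear", technique="single-pass overwrite (0x00)",
            tool="example-eraser 1.0", verification=verify_overwrite(media),
            performed_by="ops@example.com", date="2025-01-15T10:00:00Z")
        print(name, cert["result"], cert["verification"]["failed_blocks"])
    # Sampling trades coverage for time; on a large drive it is what the
    # standard permits, but a small sample can miss an isolated residue block.
    print(verify_overwrite(DIRTY_MEDIA, sample_blocks=8))
```

Two practical caveats apply. First, a host read-back can only inspect the user-addressable area, which is what confirms a Clear-level overwrite on magnetic media; for SSDs and NVMe devices a Purge relies on the drive's own sanitize or cryptographic-erase command, and the certificate should record the device-reported completion status alongside any read-back, since remapped and over-provisioned cells are invisible to the host. Second, sampled verification should be reserved for media too large to read in full, and the sample size and seed belong in the record so the check can be reproduced.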
Yet, adherence to these leading standards remains surprisingly low in the financial services sector.
In our 2025 survey, only 21% of survey respondents reported being required to follow NIST SP 800-88 and an even smaller share – just 19% – currently employ IEEE 2883.
This slow adoption may reflect outdated internal policies rather than a lack of awareness or poor practice, but it still leaves significant gaps in protection.
Despite the industry’s overall maturity in compliance and technology, there is ample room to strengthen data lifecycle management by embracing modern sanitisation standards.
Doing so demonstrates due diligence, supports audit readiness and aligns with broader cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001, whose Annex A includes explicit controls for storage media and the secure disposal or re-use of equipment.
Most importantly, it safeguards brand reputation and consumer trust, which, once lost in a breach or by compliance failure, can take years to rebuild.
The volume of data that financial institutions handle is growing rapidly as services digitise and the adoption of AI increases.
Each new system, drive and backup represents potential exposure unless managed within a full IT asset and data lifecycle policy that includes certified sanitisation.
Voluntary adoption of data sanitisation standards and best practices is no longer just an IT decision – it is a business continuity imperative.
For global financial institutions, this is the next frontier of operational resilience.