2025 Financial Services State of Data Sanitization Report

Regulation, Risk, and the Rising Stakes of Data Disposal

  • Intro: Trust, compliance, and the data burden
  • The role of AI
  • Leaks and breaches
  • Why data sanitization matters
  • Data sanitization standards
  • Change drivers in EOL data management
  • Data management triggers
  • Rethinking device disposition
  • Conclusion: From obligation to competitive advantage
  • Methodology

Intro: Trust, compliance, and the data burden

Earlier this year, Blancco released the global 2025 State of Data Sanitization Report. The report explored how regulations, AI, ESG, and other tech trends are influencing enterprise end-of-life (EOL) data and device management. Here, we look at a subset of that data, focusing on the banking, financial services, and insurance (“financial services”) sector.

Outside healthcare, no other industry handles more sensitive, high-value data, making financial services a chief attack target with heavy data security and governance burdens.

Legally mandated KYC (“Know Your Customer”) and AML (anti-money laundering) policies, for example, require collecting and retaining data for fixed timeframes. Yet getting rid of that data when retention requirements expire is critical to protecting business and client data.

That’s why data regulations often include data destruction and minimization requirements.

These requirements can come from

  • General regulations like GDPR
  • Global financial services standards such as the Payment Card Industry Data Security Standard (PCI DSS)
  • A range of regional legislation such as the Fair and Accurate Credit Transactions Act (FACTA) in the U.S. and regulations from the Center for Financial Industry Information Systems (FISC) in Japan

In addition to limiting data in active environments, removing sensitive data from retired data center servers and employee devices at data disposition is also crucial—but even the data sanitization standards that provide guidance on data removal from end-of-life data storage media are changing.

Add in AI, new sustainability regulations, and advancing data storage technologies, and data governance grows more complex.

Based on responses from 250 IT and sustainability leaders, this report unpacks how some of the world’s largest financial services organizations are navigating EOL data management pressures amid ongoing technology and industry evolution.


The role of AI

Financial services organizations are among the most advanced adopters of AI.

While fintechs and insurtechs once set the technology adoption pace, traditional incumbents have caught up—leveraging mobile offerings, cloud, biometrics, and blockchain.

This focus on innovation explains why this sector embraced AI slightly ahead of other regulated enterprises we surveyed. For financial service providers, AI is no longer experimental—it is deployed with serious intent and investment.

So how is AI affecting data management in this sector?

Financial services providers report that AI is helping tackle the problem of ROT—redundant, obsolete, or trivial—data. ROT data inflates storage costs, complicates compliance, and enlarges data attack surfaces, making ROT a prime target for data sanitization.

The good news? More than half of financial services respondents are using AI to more clearly define data retention and sanitization policies—and nearly half have seen AI reduce the amount of ROT data being collected and stored.

But AI implementation doesn’t come without challenges. Around a quarter of providers found AI made it more difficult to achieve regulatory compliance, while nearly 30% reported increased ROT collection.

AI impact on financial services data management (% of financial services respondents)

  • It has helped us more clearly define our data retention and sanitization policies: 53%
  • It has helped us minimize the amount of ROT data we collect and store: 46%
  • It has helped us define and implement a data classification model: 42%
  • It has simplified compliance with data protection regulations: 36%
  • It has increased the amount of ROT data we collect and store: 28%
  • It has led us to review or change our data retention and data sanitization policies: 27%
  • It has made it more difficult to achieve compliance with data protection regulations: 25%


Given that these providers already have a heavy security and compliance burden, sector IT leaders must weigh whether AI reduces or exacerbates compliance and data risk, including data leaks and breaches.


Leaks and breaches

Data breaches are common across all sectors, and the financial services sector is no exception.

Eighty-six percent of survey respondents, both broadly and within financial services, reported their organization had suffered a data breach in the last three years through ransomware, phishing, stolen credentials, and other deliberate, malicious acts. Eighty-two percent of all financial services respondents had been breached in the past year, slightly higher than the average (80%) across all industries surveyed.

For those organizations holding on to more data than necessary, both risk and liability can increase as more data is accessed by threat actors. More than a third (37%) of those breached experienced customer loss, along with hits to customer revenue (40%) and share prices (36%). Fines, operational downtime, ransoms, and legal costs also added to the impact.

Yet data risk extends beyond direct attacks.

Accidental data leaks caused by human error or process failures are almost as common. Such leaks are slightly more common in the financial sector than elsewhere.

Data leakage and breach causes can overlap, depending on how data access was initiated and how data was affected. For example, hardware might be stolen for device value alone, but it might also be targeted for the data it stores.


Forty-three percent of respondents cited improper network configurations as a factor behind data leaks in the previous year, and 20% cited user error. However, data leakage can also stem from hardware in insecure environments: our survey showed 43% of financial services breaches or leaks were attributed to stolen devices, and lost devices (27%) and redeployed assets (19%) with data still intact were also contributors.

Reasons cited for financial services data breaches or leaks in previous year (% of respondents)

  • Phishing attack: 59%
  • Improper network configuration: 43%
  • Stolen device(s) or drive(s) storing sensitive data: 43%
  • Weak or stolen credentials: 39%
  • Ransomware attack: 34%
  • Lost device(s) or drive(s) storing sensitive data: 27%
  • Insider threat: 21%
  • User error: 20%
  • Backdoor and application vulnerabilities: 20%
  • Redeployed device(s) or drive(s) with sensitive data left behind: 19%

Security discussions often focus on endpoint protection, patching, and intrusion detection. Yet unintentional exposure is nearly as common. In either case, minimizing no-longer-needed data within networks and on insecure devices is central to risk management.


Why data sanitization matters

Properly executed, data sanitization renders data permanently inaccessible, even with advanced forensic tools. It can be achieved through physical destruction, cryptographic erasure, or certified software-based overwriting (data erasure). Each has strengths, costs, and ideal usage scenarios.

The three methods in more detail:

  • Software-based overwriting (data erasure) – rewrites the storage media with new data patterns so the original data is permanently unrecoverable. When certified to industry standards, this method enables devices to be securely reused. It is also used to target specific data in active environments.
  • Physical destruction – destroys the storage media so the data cannot be accessed. This can be effective, but it eliminates reuse, generates e-waste, and leaves devices exposed while they await final destruction.
  • Cryptographic erasure – destroys the encryption keys that grant access to the data, but not the data itself. This is fast and efficient, but it relies on correct implementation (all data must have been encrypted before it was written, and every copy of the key must be destroyed) and on the strength of the encryption.

Active data environments

Sanitization isn’t just an asset end-of-life issue. Targeted data erasure supports data minimization and limits sprawling data surfaces vulnerable to attack or leakage. Classifying data by sensitivity, type, or regulatory requirement helps organizations more effectively manage retention and destruction requirements.

Yet here, the sector shows a major weakness: only 21% of financial services data is formally classified—making timely and compliant destruction difficult.

IT assets

A focus on data security must also apply when used storage devices leave secure environments, whether for repairs or retirement. Nearly 20% of financial services organizations reported leaks from redeployed devices, signaling reliance on inadequate destruction and a lack of data removal verification.

Refurbishing and reusing data storage devices supports both budgetary and sustainability goals, but without certified sanitization aligned with an accepted industry standard, redeployment invites unauthorized data exposure. Yet with data technologies changing rapidly, sanitization standards themselves are changing.
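The two steps that separate certified erasure from a plain reformat, read-back verification of every block and an audit record of the result, as an added example written for this page (not Blancco's software or any product's code). It assumes a file-backed disk image and constructed sample content; on flash media the overwrite would have to be replaced by the drive's own sanitize command, because host-level writes cannot reach remapped or over-provisioned blocks.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096
ZERO_BLOCK = b"\x00" * BLOCK  # single-pass zero fill (the pattern is a constructed choice)

def overwrite(path: str) -> int:
    """Overwrite every byte of the image with zeros and return the bytes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, BLOCK):
            f.write(ZERO_BLOCK[: min(BLOCK, size - offset)])
        f.flush()
        os.fsync(f.fileno())  # force the data onto the media, not just the page cache
    return size

def verify(path: str) -> dict:
    """Read the whole image back; report the first block that still holds other data."""
    with open(path, "rb") as f:
        offset = 0
        while blk := f.read(BLOCK):
            if blk != ZERO_BLOCK[: len(blk)]:
                return {"verified": False, "first_bad_offset": offset}
            offset += len(blk)
    return {"verified": True, "first_bad_offset": None}

def sanitize_with_audit(path: str, asset_tag: str) -> dict:
    """Overwrite, verify, and emit the audit record an auditor can check later."""
    written = overwrite(path)
    result = verify(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "asset_tag": asset_tag,  # constructed inventory id supplied by the caller
        "method": "single-pass overwrite with full read-back verification",
        "bytes_written": written,
        "verified": result["verified"],
        "first_bad_offset": result["first_bad_offset"],
        "post_sanitize_sha256": digest,  # a later re-read can prove nothing changed since
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }

def demo() -> dict:
    """Sanitize a constructed image, then simulate a block the wipe missed."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "retired-laptop.img")
        with open(img, "wb") as f:  # constructed sample content standing in for a drive
            f.write(b"ACCT 00112233 BALANCE 1500.00\n" * 1000)
        record = sanitize_with_audit(img, "FS-LAPTOP-0042")
        with open(img, "r+b") as f:  # one surviving byte in block 2 must fail verification
            f.seek(2 * BLOCK + 17)
            f.write(b"X")
        leftover = verify(img)
    return {"record": record, "leftover": leftover}
```

A record with `verified` false, or with no record at all, is what a redeployed device that later appears in the breach statistics looks like in practice.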


Data sanitization standards

Data regulations dictate what types of data must be deleted and when. Data sanitization standards and guidelines outline how to remove data securely and permanently across diverse enterprise environments.

Adherence to the leading standards—namely from the U.S. National Institute of Standards and Technology (NIST) and the Institute of Electrical and Electronics Engineers (IEEE)—appears low in the financial services sector.

This likely reflects a lag in updating internal policies rather than poor practice.

With its focus on modern data storage technologies, IEEE 2883 adoption remains limited but is expected to accelerate as data storage needs evolve and NIST SP 800-88 Rev. 2 (released September 2025) reinforces its use.

Despite financial institutions’ focus on compliance and technology advancement, the sector has room to grow in adopting more modern and more effective sanitization standards.


Change drivers in EOL data management

Regulation remains the biggest driver of EOL data management change within financial services.

New compliance requirements are often industry specific, such as PCI DSS updates. Some requirements affect only a subset of the sector; for example, those regulated by the U.S. Securities and Exchange Commission (SEC). Still other requirements apply broadly to consumer data, with plenty of new or updated state, regional, and national data laws either passing or newly in effect in 2024.

Increased data threats were the second-biggest factor driving change. For surveyed industries at large, data threats came in seventh, below sustainability goals, AI adoption, and cloud migration. Given the high value and sensitivity of financial data, it’s unsurprising that IT leaders in this sector are prioritizing changes to management practices to reduce exposure.

IoT and AI adoption, cloud migration, and new storage technologies also impacted EOL strategies, reflecting a sector embracing new technologies to stay competitive.

Which of the following organizational or industry developments most impacted end-of-life data management changes in your organization in the past 12 months? (% citing as driver: financial services / all industries)

  • New data management (privacy / protection / retention / disposal) regulations: 42% / 38%
  • Increased data threats: 37% / 29%
  • Adoption or increased use of IoT technology: 33% / 32%
  • Cloud migration: 32% / 32%
  • Initial or increased AI adoption: 31% / 31%
  • Changes in data storage technology: 31% / 31%
  • Sustainability goals (ESG / Net Zero): 30% / 34%
  • Need for increased efficiency: 30% / 28%

A higher share of financial services respondents named new data regulations and increased threats as change drivers when compared with all industries surveyed.


While sustainability regulations such as the Corporate Sustainability Reporting Directive (CSRD) also affect EOL data management, broader sustainability and net-zero goals were less of a priority for financial institutions than for enterprises overall.


Data management triggers

Data has to be destroyed for a number of reasons: compliance, a customer request, or the end of the allowed retention period. It is good practice to also remove data in active environments when it has become ROT (redundant, obsolete, or trivial). Destroying data that is no longer required or useful limits what can be lost in a data breach or leak.

However, this can be complex for financial institutions. There are requirements to hold certain types of data longer for compliance reasons, such as for anti-money laundering purposes. Some records, for example those related to pension transfers, may have to be retained indefinitely.

When do you schedule data destruction in active environments? (financial services / all sectors)

  • When data is considered redundant, obsolete, or trivial (ROT) data: 49% / 53%
  • When the data has passed its retention period: 46% / 48%
  • When the data is no longer needed for business purposes: 42% / 43%
  • In response to data deletion requests: 42% / 37%


Financial service providers are less proactive than other sectors in removing ROT data, but lead peers in defining and communicating sanitization policies (59% vs 55%).

Data sanitization policies are vital in ensuring that best practice is followed across the whole business. Finding ROT data is just part of the puzzle; certifiably destroying it so it cannot be recovered is vital.

Do you have a policy in place in your organization that specifies how data is to be destroyed? (financial services / all sectors)

  • Yes, we currently have a policy in place that includes device sanitization, and that policy has been implemented and communicated across the business: 59% / 55%
  • Yes, we currently have a policy in place which is implemented and includes device sanitization, but that policy has yet to be communicated across the business: 24% / 29%
  • Yes, we have defined a policy that includes device sanitization and it is in the process of being implemented: 12% / 12%
  • No, we are in the process of developing a policy that includes device sanitization, but this has not been finalized yet: 4% / 4%

Rethinking device disposition

Many financial institutions default to physical destruction when retiring hardware. A significant share of these devices—up to 47% for data center assets—were still operational at the time of destruction, unnecessarily increasing e-waste and replacement costs.

Some of this may be down to following U.S. NSA/CSS standards that demand the destruction of a device rather than erasure. However, because functional devices can be refurbished securely, revised policies would cut down on waste, increase efficiency, and even provide options for improved chain-of-custody safeguards for additional risk reduction.

But the type of software-based data destruction matters.


A quarter of laptops and a fifth of data center drives are refurbished without certified erasure. This puts financial services organizations that rely on noncertified methods such as free software tools, reformatting, or consumer-level software at great risk. In fact, when it came to listing causes of breaches and leaks, this sector cited redeployed, data-bearing assets as being involved 19% of the time.

Like physical destruction, the most stringent erasure methods within NIST SP 800-88 and IEEE 2883 leave data recovery infeasible, even with state-of-the-art techniques. This creates room for securely supporting environmental goals and extracting greater value and longevity from IT assets.

Lesser methods, such as freeware, consumer-level software, reformatting, and often, in-house tools, fall short here. They typically also fail at establishing a proper audit trail, often required for compliance purposes.

As discussed above, slightly less than half of providers say they destroy data once it becomes ROT. This combination of retained ROT data and a lack of certified erasure points to vulnerabilities in end-of-life data management and to unnecessary data risk.


Conclusion: From obligation to competitive advantage

The financial services sector faces some of the toughest challenges in data management: highly sensitive information, relentless cyberthreats, and a growing web of regulations. Our research shows that these pressures are intensifying.

Nearly every financial services provider has suffered a breach or leak in recent years, yet only one in five has fully classified its data, and adoption of modern sanitization standards remains low. Meanwhile, nearly half of functional devices are destroyed unnecessarily—adding costs, waste, and avoidable risk.

But there are encouraging signals. Sector leaders are among the earliest adopters of AI for data management, using it to shrink ROT data and sharpen retention policies. They are ahead of peers in developing and communicating sanitization policies, and many already have the compliance structures needed to enforce best practice. The sector also shows readiness to evolve as new standards like IEEE 2883 become embedded, offering the chance to reduce reliance on physical destruction and support sustainability goals.

What emerges is a picture of both strain and possibility.

Compliance demands will not ease, and data volumes will only grow, but financial institutions that move beyond regulatory minimums can reduce exposure, reclaim value from hardware, and strengthen trust with customers.

In a landscape where breaches are inevitable and regulations ever more complex, the opportunity lies in transforming data disposal from a cost center into a strategic advantage—anchored in certified sanitization, proactive data minimization, and a commitment to security and sustainability.


Methodology

Blancco commissioned independent research agency Coleman Parkes to survey 250 IT and sustainability leaders at large financial service providers of over 5,000 employees. Respondents were split between North America, Europe (UK, France, and Germany) and APAC (Japan, Singapore, India, and Australia). Fieldwork took place in February and March 2025.
