Evidence Integrity Statement (For Auditors)

Last Updated: 11 March 2026 | Version 1.0

This document is intended for independent AML/CTF auditors (e.g., conducting Part 8.6 reviews) or AUSTRAC compliance officers assessing a Firm's use of the Sentine platform. It explains the technical mechanisms Sentine uses to guarantee that verification records have not been altered after the fact.

1. The Challenge of Digital Evidence

In an AML/CTF context, a Reporting Entity must be able to prove that they verified a customer's identity at a specific point in time, and that the evidence relied upon (e.g., a scanned passport, a PEP screening result) has not been tampered with since that verification occurred.

Sentine addresses this through Cryptographic Hashing and Immutable Audit Logs.

2. What is Cryptographic Hashing? (Plain English Summary)

Think of a cryptographic hash as a unique digital fingerprint for a file.

  • When an AML/CTF verification workflow is completed in Sentine, all the collected documents, screening results, and risk assessments are bundled into a single PDF document called an Evidence Pack.
  • Sentine runs this finalised Evidence Pack through a mathematical algorithm called SHA-256.
  • The algorithm produces a unique 64-character string of letters and numbers (the "Hash").
  • Crucially: Even the tiniest change to the Evidence Pack — such as altering a single pixel on a scanned ID or changing a date from "2024" to "2025" — would completely alter the resulting Hash.

3. How We Guarantee Non-Repudiation

  1. The Hash is Logged: The moment the Evidence Pack is created, its unique SHA-256 hash is permanently recorded in Sentine's central database alongside the timestamp of creation and the identity of the user who performed the verification.
  2. The Document is Locked: The Evidence Pack PDF itself becomes read-only within the platform.
  3. Verification: If an auditor downloads an Evidence Pack 5 years later, they can independently run that PDF file through any standard SHA-256 hashing tool (freely available online or built into modern operating systems).
  4. The Proof: If the hash generated by the auditor exactly matches the hash originally recorded in Sentine's database, the auditor has mathematical certainty that the document is identical to the one created at the time of verification, proving Non-Repudiation.

4. Immutable Audit Logging

Complementing the Evidence Packs, Sentine maintains an overarching "Append-Only" event stream for every matter.

  • Append-Only means that new events (e.g., "User [Jane Doe] assigned Risk Rating [High] at [2:04 PM]") can only be added to the end of the log.
  • Existing events can never be edited or deleted, not even by users with the "AMLCO" role, and not even by Sentine engineers.
  • This creates an unbroken, tamper-evident chain of custody for all actions taken regarding a specific customer.

5. Summary for Independent Reviewers

When reviewing a Firm utilising Sentine, you can rely on the digital Evidence Packs generated by the platform as faithful, unaltered representations of the verification procedures conducted at the recorded timestamp. The cryptographic hashing ensures that post-hoc falsification of records is virtually impossible within the system.