AML and Data Protection: Are We Crossing the Line?
The Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework plays a central role in safeguarding the integrity and stability of the EU financial system. Under AML Regulation 2024/1624, obliged entities listed in Article 3(3) are required to implement robust compliance measures designed to detect suspicious activities and prevent financial crime.
These obligations include customer due diligence (CDD), identification, and verification procedures. In practice, this requires the collection, processing, and retention of customers’ personal data. Article 22 of AML Regulation 2024/1624 specifies the minimum data set required for customer identification, while Article 77 imposes a five-year data retention period following the termination of the business relationship, subject to extension where necessary for investigations or legal proceedings.
CDD measures require obliged entities to identify, verify, assess, and monitor customers and related persons. At a minimum, this includes collecting personal data such as full name, date and place of birth, nationality or statelessness, national identification number (where applicable), residential address, and tax identification number. These data qualify as personal data under EU law and are protected by the EU Charter of Fundamental Rights (CFR) and the General Data Protection Regulation (GDPR).
A legal tension arises where AML/CFT compliance obligations intersect with fundamental rights to data protection. Where collection, processing, retention, or automated decision-making methods — particularly in AI-driven CDD systems — exceed what is necessary and proportionate, there is a significant risk of infringing the fundamental rights of data subjects.
Obliged entities must therefore ensure that AML/CFT compliance measures remain strictly limited to what is legally required, as measures that go beyond what is necessary may expose them to regulatory risks under EU data protection laws.
A precise and proportionate compliance strategy is essential.
For further information or tailored advice on AML compliance measures and data protection obligations, please contact our team.