GDPR and AML: How Financial Firms Navigate Both Regulations

Quick Answer

GDPR and AML obligations are not in conflict — they operate in parallel, with specific provisions in each framework designed to address their interaction. UK GDPR and its EU equivalent both include provisions that permit and in some cases require the processing of personal data for AML compliance purposes, including KYC, transaction monitoring, and SAR filing. The legal basis for most AML data processing is compliance with a legal obligation (Article 6(1)(c) UK GDPR) or the performance of a task in the public interest (Article 6(1)(e)). The tipping-off prohibition under POCA directly overrides the data subject access rights that would otherwise apply to SAR-related data.

Financial firms operating in the UK and EU face a dual compliance obligation that creates apparent tension: GDPR requires data minimisation, purpose limitation, and transparency with data subjects about how their personal data is being used. AML law requires firms to collect extensive personal data, retain it for five years, conduct surveillance of customer transactions, and file reports about customers with law enforcement — without telling those customers.

In practice, this tension is largely resolved by specific carve-outs and provisions in both frameworks. But navigating it correctly — particularly around data subject access requests, data retention, and the tipping-off prohibition — requires a clear understanding of how the two regimes interact.

1. The Legal Basis for Processing AML Data Under GDPR

Every processing activity under GDPR requires a lawful basis. For AML-related data processing, the primary lawful bases are:

Article 6(1)(c) — Compliance with a Legal Obligation

AML data processing that is required by MLR 2017, POCA 2002, or equivalent legislation falls under the legal obligation lawful basis. This covers identity verification at onboarding, beneficial ownership identification, record-keeping of CDD documentation, and SAR filing. The legal obligation is MLR 2017 or POCA — not the firm's own choice to conduct AML checks.

Article 6(1)(f) — Legitimate Interests

Where AML processing goes beyond the minimum legal requirement — for example, additional fraud prevention checks or enhanced screening beyond what is strictly mandated — the legitimate interests basis may apply. This requires a documented legitimate interests assessment (LIA) that balances the firm's interests against the data subject's privacy rights.

Article 9 — Special Category Data

AML processing may involve special category data — particularly criminal records and convictions data collected through adverse media screening or PEP screening. Processing special category data requires an additional condition under Article 9 GDPR, typically the prevention or detection of crime condition, supported by a policy document where required by UK data protection law.

2. Transparency and Privacy Notices

GDPR requires firms to provide data subjects with clear information about how their personal data is being processed — including the purpose, the lawful basis, and the retention period. For AML processing, this presents a challenge: firms must tell customers that their data is being used for AML compliance purposes, but cannot tell them that a SAR has been filed or that they are under suspicion.

The solution is a well-drafted privacy notice that discloses, at a general level, that the firm processes personal data for financial crime prevention purposes, that this processing may include sharing data with law enforcement and regulatory authorities, and that certain data subject rights may be restricted where exercising them would prejudice the prevention or detection of crime. This disclosure satisfies the GDPR transparency requirement without triggering the tipping-off prohibition.

IMPORTANT

The privacy notice must be provided at the time personal data is collected — typically at onboarding. For firms that process special category data (criminal records, adverse media), the notice must specifically disclose this and identify the Article 9 condition relied upon. A generic privacy notice that does not address AML processing is insufficient and creates both a GDPR compliance gap and an ICO enforcement risk.

3. Data Subject Access Requests and the Crime Prevention Exemption

Under GDPR, data subjects have the right to request access to personal data held about them (Subject Access Request — SAR, confusingly using the same acronym as Suspicious Activity Report). For most data, firms must respond within one month. For AML-related data, this creates a direct conflict with the tipping-off prohibition: if a customer under suspicion submits an access request, responding fully would reveal the SAR filing.

UK data protection law — specifically the Data Protection Act 2018, Schedule 2, Part 1 — provides a crime prevention and detection exemption that allows firms to withhold personal data from a subject access request where disclosure would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes. This exemption applies directly to SAR-related data.

Firms must assess each access request individually — the exemption is not a blanket exemption for all AML-related data, only for the specific data whose disclosure would prejudice a law enforcement purpose. Where data is withheld, the firm must inform the data subject that data has been withheld (but not what data or why in detail) unless even this notification would prejudice the investigation.

4. Data Retention: AML vs GDPR Requirements

| Data Type | AML Retention Requirement | GDPR Requirement | Resolution |
|---|---|---|---|
| CDD documentation | 5 years from end of business relationship (MLR 2017, Reg. 40) | Data must not be kept longer than necessary for the purpose | The 5-year MLR requirement establishes the necessary retention period. Data should be deleted at 5 years unless other legal obligations require longer retention. |
| Transaction records | 5 years from the date of the transaction | Storage limitation principle applies | As above — the AML obligation justifies the retention period. Retention schedules should be documented and enforced. |
| SAR case files | 5 years from date of filing | Must be necessary and proportionate | POCA and NCA guidance support 5-year retention. The crime prevention purpose justifies this period. |
| PEP and adverse media screening results | Must be retained as part of CDD record | Special category data retention must be minimised | Retain results for the duration of the relationship plus 5 years. Document the Article 9 condition in the privacy notice and data processing records. |

5. Data Sharing Between Firms: GDPR and POCA Interaction

GDPR generally restricts sharing personal data with third parties without a lawful basis. AML obligations, however, sometimes require or permit sharing — for example, where two regulated firms share intelligence about suspicious activity connected to a common customer, or where a correspondent bank requires KYC information from a respondent bank.

POCA 2002 Section 337 provides a defence against the unauthorised disclosure provisions of UK data protection law for disclosures made in the context of an authorised disclosure (consent SAR) or for the purposes of a criminal investigation. This means that information sharing in the context of AML investigations — including sharing with the NCA, HMRC, or law enforcement — is lawful notwithstanding GDPR's general restrictions on sharing personal data.

For commercial intelligence sharing between regulated firms — where no formal criminal investigation context exists — firms must rely on either a data sharing agreement establishing legitimate interests or the crime prevention condition. The FCA has encouraged information sharing within the financial sector to improve collective financial crime intelligence, but firms must ensure their data sharing arrangements have a clear GDPR lawful basis and are documented appropriately.

6. Practical Implications for Compliance Technology

The intersection of GDPR and AML creates specific requirements for compliance technology platforms. The customer onboarding and compliance management systems used to collect, process, and store AML data must be designed with data protection by design and by default — a GDPR requirement under Article 25.

This means compliance platforms must support: documented retention schedules with automated deletion at the end of the retention period, access controls that limit data access to those with a need to know, audit trails that record who accessed what data and when, the ability to respond to subject access requests by identifying and extracting relevant data, and the ability to apply the crime prevention exemption to specific data fields without deleting the data itself.
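As an added example (not One Constellation's code and not a description of their platform), the Python sketch below models three of the behaviours listed above: a documented retention schedule with automated deletion keyed to the events in the retention table, a subject access export that applies the crime prevention exemption to specific fields while leaving the stored record untouched, and an audit trail of who accessed or deleted what. The record kinds, field names, the 5 × 365-day approximation of the five-year period, the `legal_hold` flag and the sample records are all assumptions constructed for illustration.

```python
"""Added illustration of retention, DSAR exemption handling and audit logging.
Record kinds, field names and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Retention schedule: (event that starts the clock, period). Assumption: the
# five-year periods from the retention table are approximated as 5 * 365 days.
RETENTION = {
    "cdd": ("relationship_end", timedelta(days=5 * 365)),
    "transaction": ("event_date", timedelta(days=5 * 365)),
    "sar_case": ("event_date", timedelta(days=5 * 365)),
    "screening": ("relationship_end", timedelta(days=5 * 365)),
}

@dataclass
class Record:
    record_id: str
    subject_id: str
    kind: str                         # key into RETENTION
    event_date: date                  # transaction date or SAR filing date
    relationship_end: Optional[date]  # None while the relationship is still open
    data: dict
    legal_hold: bool = False          # assumed flag: another obligation requires longer retention

AUDIT_LOG: list[dict] = []

def audit(actor: str, action: str, record_id: str) -> None:
    """Record who did what to which record, and when (append-only)."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "actor": actor, "action": action, "record_id": record_id})

def retention_expiry(rec: Record) -> Optional[date]:
    """Date after which the record may be deleted; None if the clock has not started."""
    start_field, period = RETENTION[rec.kind]
    start = getattr(rec, start_field)
    return None if start is None else start + period

def purge_expired(records: list[Record], today: date, actor: str = "retention-job") -> list[str]:
    """Delete records past their retention date unless on legal hold; return deleted ids."""
    deleted = []
    for rec in list(records):
        expiry = retention_expiry(rec)
        if expiry is not None and today > expiry and not rec.legal_hold:
            records.remove(rec)
            deleted.append(rec.record_id)
            audit(actor, "delete", rec.record_id)
    return deleted

def build_dsar_response(records: list[Record], subject_id: str,
                        exemptions: dict, actor: str) -> dict:
    """Assemble a subject access response.

    exemptions maps record_id -> (fields_to_withhold, may_notify_subject), the
    outcome of a per-record assessment under DPA 2018 Sch. 2 Part 1. Withheld
    fields are omitted from the response only; the stored record is unchanged.
    The "data withheld" notice is given only if every withholding permits it.
    """
    disclosed, withheld_any, suppress_notice = {}, False, False
    for rec in records:
        if rec.subject_id != subject_id:
            continue
        withheld_fields, may_notify = exemptions.get(rec.record_id, (set(), True))
        audit(actor, "dsar_export", rec.record_id)
        visible = {k: v for k, v in rec.data.items() if k not in withheld_fields}
        if len(visible) < len(rec.data):
            withheld_any = True
            if not may_notify:
                suppress_notice = True
        if visible:
            disclosed[rec.record_id] = visible
    notice = "some data withheld" if withheld_any and not suppress_notice else None
    return {"data": disclosed, "notice": notice}

DEMO_TODAY = date(2024, 1, 1)  # constructed "current date" for the demo

def sample_records() -> list[Record]:
    """Constructed sample data for one subject; not real customer data."""
    return [
        Record("r1", "cust-001", "cdd", date(2015, 1, 10), date(2018, 6, 30),
               {"name": "A. Example", "id_document": "passport-scan-ref"}),
        Record("r2", "cust-001", "transaction", date(2017, 3, 1), None,
               {"amount": 9500, "counterparty": "ACME Ltd"}, legal_hold=True),
        Record("r3", "cust-001", "sar_case", date(2023, 9, 15), None,
               {"sar_ref": "SAR-PLACEHOLDER", "rationale": "structuring pattern"}),
    ]

if __name__ == "__main__":
    recs = sample_records()
    print("deleted:", purge_expired(recs, DEMO_TODAY))
    # r3 is SAR material: withhold it entirely, and do not even notify the subject.
    print(build_dsar_response(recs, "cust-001",
                              {"r3": ({"sar_ref", "rationale"}, False)}, "analyst"))
    print(AUDIT_LOG)
```

In the demo the CDD record r1 is past its five-year clock and is deleted, the transaction record r2 has also expired but survives because of the legal hold, and the SAR case file r3 is withheld from the access response without being deleted or altered, which is the "apply the exemption to specific fields without deleting the data" requirement. Every deletion and export lands in the audit log.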

Compliance Technology Built for GDPR and AML

One Constellation's platform is designed with data protection by design — supporting AML compliance while meeting GDPR data minimisation, retention, and access control requirements. Built for UK and EU regulated financial firms.