Managing AML Challenges Under GDPR


With GDPR in effect, financial institutions in the EU and beyond must manage their AML compliance obligations in a new data protection regime.

What is GDPR?

The General Data Protection Regulation (GDPR) was implemented on May 25th 2018, transforming the way organizations within the EU handle the personal data of their customers and clients. GDPR creates, clarifies, and harmonizes data protection legislation across all EU member-states – but it also affects organizations from outside territories wishing to do business within the bloc.

Practically, GDPR limits the ways in which businesses can collect, use, and store the personal data of their customers and clients – it also creates consequences for institutions with AML obligations.


Since Anti-Money Laundering (AML) efforts require an intense focus on personal data, the restrictions introduced by GDPR may represent a challenge for financial institutions. More specifically, the legal scope of GDPR may clash with the way institutions identify customers during their due diligence procedures and with how they manage their risk thereafter.

As a financial institution, delivering GDPR compliance while managing your AML obligations is an important priority – especially since GDPR compliance penalties can reach up to €20 million (or 4% of global revenue). With the stakes so high, it’s worth exploring the points at which the two legislative frameworks clash and how any regulatory friction may be resolved.

Lawful Basis

Article 6 of GDPR requires data controllers to establish a legal basis for collecting and processing personal data – including data required for AML purposes. For institutions with AML obligations, the most relevant justifications provided by Article 6 are:

  • Article 6(c) – which allows for the processing of personal data “for compliance with a legal obligation to which the controller is subject” – typically, AML laws or sanctions.
  • Article 6(f) – which allows for data processing for “legitimate interests”, justifiable on a case-by-case basis.

ComplyAdvantage justifies its data processing activities under Article 6(f) – since that data is necessary to serve our clients’ legitimate interests in delivering AML and sanctions compliance.

The Right to be Forgotten

One of the most significant aspects of the GDPR is Article 17, which introduces the “right to be forgotten”. That right allows data subjects to request the deletion of their personal data under certain circumstances. This rule may be in contention with AML law, which requires data to be held long after a business relationship has ended.

Under GDPR Article 17(3)(b), however, legal requirements take precedence over the right to be forgotten. From an AML perspective, the EU’s 4th Anti-Money Laundering Directive (4AMLD) introduced the requirement that both customer due diligence and transaction records be retained for 5 years after the end of the customer relationship. In this context, the right to be forgotten would only be enforceable after this period had ended.

Appointing Processors

Article 28 of GDPR states that data controllers may only appoint data processors, such as ComplyAdvantage, that can offer and demonstrate “sufficient guarantees” of GDPR compliance. That being the case, it may be necessary to include GDPR compliance requirements – and the right to audit them – in contracts with third parties. Similarly, the transmission of data between controllers and third-party processors must also be secure and in compliance with the relevant GDPR rules.

Since ComplyAdvantage processes personal data for each of our clients for AML purposes, our GDPR compliance guarantees are set out, as standard, in our terms of service agreements.

How Does ComplyAdvantage Deliver GDPR Compliance?

As a data processor, ComplyAdvantage offers clients complete clarity over the protections we put in place to safeguard personal data. Our stringent data security policies enable our clients to remain GDPR compliant while safely performing every necessary AML check. Our information security protections include:

  • Data encryption during transit and at rest
  • An AWS-hosted infrastructure, globally renowned for information security
  • ISO27001 certification – an Information Security Management System certified to ISO27001, the gold-standard information security framework, across all our systems and locations by the British Standards Institute

We understand that our clients need to ensure that their customers are not laundering money or involved in financing terrorism, and that this must take priority over certain data security concerns. Even under the GDPR regime, that need entitles you to store personal information and keep an audit trail of checks and processes. Both AML and data protection laws are constantly evolving. In the wake of new legislation, such as the Fifth Anti-Money Laundering Directive (5AMLD), your compliance solution must allow you to adapt to new legal measures introduced to address the changing strategies of financial crime.

With those factors in mind, your GDPR anti-money laundering solution should, above all other concerns, keep personal information safe – a goal which converges with the wider objectives of the data protection landscape.
