Balancing GDPR and AML duties for gatekeepers


Gatekeeper professions, including lawyers, accountants, estate agents, and trust and company service providers, are increasingly caught between two powerful regulatory regimes: anti-money laundering (AML) rules and data protection laws.

As financial crime risks escalate and digital processes accelerate across the global economy, these professionals must balance obligations to prevent illicit activity with strict requirements to protect client data, notably under the EU's General Data Protection Regulation (GDPR), according to Arctic Intelligence.

The clash between collecting and sharing personal information for AML purposes and limiting data usage under privacy frameworks has created a compliance dilemma across multiple sectors.

AML regulations demand the collection, verification, and continuous monitoring of client information. These obligations include client due diligence, reporting suspicious activity, and maintaining detailed records of identity checks and risk assessments. International standards are largely shaped by the Financial Action Task Force (FATF), and requirements apply across major jurisdictions, including the EU, US and Australia. Meanwhile, data protection regimes such as GDPR, the California Consumer Privacy Act (CCPA), or Australia's Privacy Act prioritise individuals' rights over their personal data. Principles such as data minimisation, purpose limitation, and consent set limits on what can be collected and how long it can be stored. In practice, AML processing under GDPR typically rests on a legal obligation rather than on client consent, so the relevant question is not whether the client agreed but whether each item of data collected and retained is necessary for that obligation.

This creates several areas of conflict. AML processes typically involve extensive retention of client information, sometimes for five years or more, whereas GDPR stresses keeping data only for as long as required for its original purpose. Reporting obligations also present friction. If a lawyer or accountant identifies suspicious behaviour, they may be required to file a suspicious matter report without the client's knowledge. This may conflict with privacy expectations, particularly where clients request data deletion or exercise rights such as access, objection or the right to be forgotten.

Technology and policy strategies can help gatekeeper professions strike the right balance. A risk-based approach allows organisations to collect only what is strictly necessary, scaling checks appropriately for low- and high-risk clients. Clear data retention policies support compliance on both sides, specifying when data will be archived and how long it will be stored before secure deletion. Gatekeepers are also encouraged to maintain transparent communication with clients, explaining why data is collected, how long it may be retained, and when it may be shared with authorities.

In practice, professional firms must develop governance models that capture both data protection and AML responsibilities, supported by legal advice when rights and obligations conflict. As regulatory scrutiny increases, adopting privacy-by-design processes, engaging compliance expertise early, and continually updating internal procedures will be critical. Ultimately, gatekeepers are expected to help protect the integrity of the financial system while respecting rising expectations around personal data rights.


Copyright © 2025 RegTech Analyst
