A PYMNTS Company

Gatekeeper Professions Struggle to Reconcile Data-Protection Obligations With Expanding AML Demands

December 2, 2025

Gatekeeper professions, such as lawyers, accountants, real estate agents, and trust and company service providers, sit at the increasingly fraught intersection of two powerful and often conflicting regulatory regimes: anti-money laundering (AML) rules and modern data-protection frameworks such as the EU General Data Protection Regulation (GDPR). As financial crime risks increase and privacy expectations harden, these professionals face mounting difficulty in meeting parallel obligations that in practice can be incompatible.

    AML frameworks require extensive and proactive data collection, monitoring, and sharing. Professionals must identify and verify clients, conduct risk assessments, maintain transaction records, and, when necessary, file suspicious matter reports with regulatory authorities, often without alerting the client. At the same time, data-protection laws restrict personal-data collection to what is strictly necessary, limit processing to explicit original purposes, grant individuals rights to access or erase their data, and impose heightened duties to secure sensitive information. When these requirements collide, gatekeepers risk either regulatory non-compliance or client-rights infringements.

    The first major friction point is data collection and retention. AML laws require firms to collect extensive personal and financial data, such as identity documents, proof of address, bank information and risk-assessment materials, and retain that data, typically for at least five years. In contrast, GDPR rests on strict data-minimization and storage-limitation principles. According to a report published in November by Arctic Intelligence, professionals often find themselves compelled to store sensitive data longer, or at a broader scope, than privacy law would ordinarily permit.

    The report recommends a risk-based approach to data. Gatekeepers should tailor data gathering to the risk profile of each client, collecting only what is required for due diligence and limiting documentation requests only to higher-risk categories such as politically exposed persons or clients from high-risk jurisdictions.

    A second conflict arises from purpose limitation and data sharing. AML rules require gatekeepers to share data with regulators or law-enforcement agencies when suspicious activity occurs. Because such sharing often is not disclosed to the client, it cuts against privacy regimes that restrict data use to pre-defined purposes.

    Arctic recommends that data be securely archived, subject to access controls, and deleted promptly once retention obligations lapse. Gatekeepers should document how retention periods are calculated and ensure technical safeguards prevent premature deletion that could violate AML rules.

    A third area of tension concerns clients’ rights, particularly the GDPR’s rights of access and erasure. Clients may request deletion of data in circumstances where AML laws require continued retention, or seek detailed information about processing activities that cannot be disclosed because suspicious-activity reporting rules prohibit “tipping off.”

    Per Arctic, privacy notices should explain why data is collected, how it is used, the legal bases for processing, and when AML laws override consent. Clear, upfront disclosures reduce conflict later and help clients understand why erasure or objection rights may be restricted.

    As financial-crime regulations intensify and data-protection laws expand worldwide, gatekeeper professions must navigate an increasingly narrow space between privacy rights and security regulations. The report makes clear those conflicts are not going away anytime soon.