GDPR & AML: Why Financial Services must align KYC, CDD, and data protection

Financial services are under pressure. Digital onboarding, AI-powered due diligence, and growing data volumes are redefining customer verification — exposing firms to new regulatory risks. 

As Know Your Customer (KYC), Customer Due Diligence (CDD), and Anti-Money Laundering (AML) processes evolve, firms operating in the UK face mounting pressure to ensure data governance keeps pace.  

The Financial Conduct Authority (FCA) and Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) are jointly calling for closer collaboration between financial and privacy teams, making it clear that Anti-Money Laundering (AML) and UK General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (UK GDPR) obligations can no longer be managed in isolation. 

For start-ups and scaling FinTechs, early alignment delivers clear advantages, from investor confidence and audit readiness to reduced regulatory friction and stronger customer trust. 

This blog explores how organisations can align their practices under the AML and UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. frameworks, where firms most often stumble, and why specialist Data Protection Officers (DPOs) are essential to keeping KYC, CDD, and data protection in step.

For simplicity, we use ‘GDPR’ here to mean the UK General Data Protection Regulation (UK GDPR), which is the version that applies to financial services operating in the UK.

• Why GDPR and AML alignment matters 
• Common GDPR mistakes in KYC processes 
• The benefits of aligning AML and data protection 
• How DPOs balance competing duties 
• Why Finance start-ups need specialist DPOs 
• The FCA’s Consumer Duty 

Why GDPR and AML alignment matters

KYC, CDD, and AML processes are essential for preventing money laundering, terrorist financing, and fraud. But few organisations manage them as a single, connected framework — and that’s where most compliance blind spots emerge. When treated as one continuous processA series of actions or steps taken in order to achieve a particular end., these frameworks deliver far more than regulatory protection, forming the basis of secure, compliant and trustworthy financial services. 

However, this integration also amplifies data protection responsibilities. The deeper your insight into customer behaviour, the greater your duty to manage that data lawfullyIn data protection terms, 'lawfully' must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations., transparently, and proportionately. For that reason, data protection shouldn’t be a separate consideration but a core part of getting AML compliance right. 

By aligning AML and GDPR requirements, firms can ensure that personal dataInformation which relates to an identified or identifiable natural person. collected for financial crime prevention is used lawfully, fairly, and proportionately. This reduces operational risk, strengthens transparency, and builds customer trust in how their financial information is managed.  

DUAA alignment

The Data Use and Access Act (DUAA) 2025 will also reshape how data is managed across the UK’s Finance sector. 

The Act introduces new frameworks for Open Finance and digital verification services (DVS), recognised legitimate interestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle. for certain processing types, and increased penalties under the Privacy and Electronic Communications RegulationsPECR is the UK implementation of the ePrivacy Directive (Directive 2002/58/EC) providing certain rules on marketing, cookies, communication services security and customer privacy (in relation to traffic/location data, billing, line identification and caller directories). (PECR). It also empowers the government to direct the FCA to require firms to participate in prescribed data sharing arrangements, designed to boost competition and innovation. 

Early alignment with the DUAA will be key to ensuring AML and data protection frameworks evolve together.  

Common GDPR mistakes in KYC processes

Despite their shared objectives, KYC, CDD and GDPR frameworks are still too often managed in silos. This creates duplication, inconsistency, and regulatory exposure. 

Common pitfalls include: 

• Over-collection of personal data during onboarding and verification processes 
• Excessive retentionIn data protection terms, a defined period of time for which information assets are to be kept., where firms keep data ‘just in case’ instead of applying defined retention schedules 
• Repurposing KYC data for unrelated activities, such as analytics or marketing, breaching purpose limitationThe second principle of the GDPR, requiring organisations to only process personal data for the specific purpose for which it was collected. principles 
• Lack of Data Protection Impact Assessments (DPIAs) for high-risk processing, leaving privacy risks unassessed and undocumented 

When these issues go unchecked, firms face dual regulatory penalties: from the FCA for failing to maintain robust AML controls, and from the ICO for breaching fundamental GDPR principles such as lawfulness, data minimisationThe third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing., and storage limitationThe fifth GDPR principle which requires organisations to only store data for as long as it is needed.. In 2023 alone, regulators worldwide issued over £5 billion in fines for AML and data protection failings. Alignment between these frameworks is no longer optional but essential. 

The benefits of aligning AML and data protection

Aligning KYC, CDD, and data protection frameworks is not just about avoiding enforcement — it’s about building more resilient, efficient, and transparent operations. Alignment creates stronger governance and trust, providing key differentiators for firms seeking to scale, attract investment, or demonstrate long-term sustainability. 

Organisations that embed Privacy by Design into AML processes can: 

• Simplify compliance by using consistent controls across both regulatory regimes 
• Enhance audit readiness and demonstrate accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. to the FCA and ICO 
• Strengthen customer confidence through clearer, more transparent communication about data use 
• Enable innovation by ensuring new technologies and AI-driven tools are deployed within compliant governance frameworks 

How DPOs balance competing duties

Data Protection Officers (DPOs) working in the Financial Services sector must interpret how AML and GDPR obligations interact, ensuring compliance teams meet financial crime obligations without breaching privacy rights.  

A knowledgeable DPO will ensure: 

• Appropriate lawful bases are identified and documented 
• Retention periods align with AML record-keeping requirements 
• Purpose limitation is maintained, so data collected for AML isn’t reused for unrelated commercial aims 

KYC and CDD processes often involve high-risk data operations, such as handling biometric data and analysing financial behaviour. Under Article 35 of the GDPR, these activities typically require a Data Protection Impact Assessment (DPIA). A DPO plays a pivotal role in guiding this process by identifying risks early, recommending proportionate safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the..., and documenting how those risks are mitigated. 

Beyond meeting legal requirements, a well-executed DPIA also helps demonstrate accountability to both the FCA and the ICO, showing that the organisation understands and can justify its data handling decisions. 

Further information on DPIAs 

Why Finance start-ups need specialist DPOs

For Finance start-ups or fast-growing FinTechs, compliance complexity can escalate quickly. Each new KYC platform, payments integration, or analytics tool adds layers of personal data, vendor dependencies, and regulatory exposure. Without sector-specific expertise, governance can lag behind innovation.  

A generalist DPO may not have the depth of knowledge needed to: 

• Assess the data protection implications of AI-driven identity verification and biometric screening 
• Consider and understand the intricacies of increased reliance on AI-driven compliance solutions to compliance issues 
• Interpret AML reporting chains and associated retention or disclosure duties 
• Understand FCA expectations around transparency, governance, and consumer protection 

By contrast, a specialist financial-sector DPO can translate these overlapping obligations into proportionate, practical frameworks that evolve with the business. This ensures compliance supports, rather than slows innovation, helping firms earn investor confidence, achieve audit readiness, and maintain regulatory trust as they scale. 

The FCA’s Consumer Duty

The Consumer Duty, introduced in July 2023, marked a major step forward in how the Financial Conduct Authority (FCA) expects firms to treat customers. It requires them to act in good faith, avoid foreseeable harm, and deliver positive outcomes. 

For 2025–26, the FCA has confirmed that one of its key focus areas will be vulnerability and data protection, recognising the challenge firms face in balancing customer support with privacy obligations. 

This builds on growing collaboration between regulators. In their joint blog, Tech, Trust and Teamwork, the FCA and Information Commissioner’s Office (ICO) reinforced the importance of aligning financial and privacy compliance, with further joint guidance expected in early 2026. 

For firms, this signals a clear direction of travel — one where data protection, financial conduct, and ethical customer treatment are expected to work in harmony. 

Frequently asked questions 

Do AML obligations override GDPR?

No, both frameworks apply simultaneously. While Anti-Money Laundering (AML) laws provide a legal basis for processing customer data, firms operating in the UK must still meet the General Data Protection Regulation (GDPR) principles, including, fairness, transparency, and data minimisation. One does not exempt the other.

How long can we retain Know Your Customer data?

Anti-Money Laundering (AML) regulations typically require customer due diligence records to be kept for five years after a business relationship ends. However, data should not be retained longer than necessary for that purpose, and firms should have clear retention schedules to demonstrate compliance. 

When is a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA) required for AML processes? 

It is required whenever Know Your Customer (KYC), Customer Due Diligence (CDD), or monitoring involves high-risk processing, such as automated decision-making, biometric identification, or large-scale transaction analysis. DPIAs help identify and mitigate privacy risks before they become compliance issues. 

What happens if AML and data protection obligations conflict?

Where tension exists, such as between record retention and data minimisation, firms should document their reasoning, including any legal obligations and risk assessments. Involving a specialist DPO ensures the balance is appropriately managed and defensible. 

Why do start-ups need a sector-specific DPO?

Financial Services operate under multiple overlapping regimes (Anti-Money Laundering, General Data Protection Regulation, Consumer Duty, and financial conduct rules). A specialist DPO understands how these intersect and can help start-ups design scalable governance frameworks that satisfy both regulatory and investor expectations.

The DPO Centre has extensive experience supporting organisations across Finance and Insurance, delivering tailored data protection solutions that align AML and GDPR compliance. Contact us today to find out how we can help your organisation. 

In case you missed it…

• GDPR compliance in white label banking
• Bank due diligence: Data protection checklist for providers
• Marketing to private individuals: What you need to know