Every fintech compliance team eventually hears some version of the same myth: "AML always overrides privacy". It is wrong, and it is the single most expensive misconception in European fintech compliance. AMLR and GDPR are co-equal Union law. Neither defeats the other. They collide — and the collisions are predictable.
There are exactly six surfaces where the friction shows up in day-to-day fintech operations: CDD retention, beneficial-ownership disclosure, transaction-monitoring profiling, third-country transfers, SAR record-keeping, and marketing reuse of KYC data. Each surface has a defined regulatory tension and a workable operational resolution.
The fintechs that lose money on this are the ones that bolt AML controls on top of an existing GDPR programme — or vice versa. The fintechs that win build a single "AMLR-Primary, GDPR-Compliant" architecture. This article is the collision map and the resolution pattern.
Why "AML Overrides Privacy" Is the Wrong Answer
What GDPR does is recognise — explicitly, in Article 6(1)(c) — that processing necessary to comply with a legal obligation is lawful. The AMLR [2] supplies that legal obligation. So far, so coherent. The collision starts when AMLR is silent on a question that GDPR is loud about — proportionality, minimisation, purpose limitation, automated decisioning, and cross-border transfer mechanics.
AMLR tells you what to collect. GDPR tells you how, why, for how long, and to whom you can disclose it. The EDPB, EBA, and AMLA — the new EU Anti-Money Laundering Authority — all proceed from the same premise: the obligation under AMLR is a lawful basis; everything else under GDPR still applies.
The starting principle: AMLR supplies the lawful basis. GDPR governs the conditions. A fintech that treats AMLR as a blanket override will lose every DPA enforcement action it sees.
The Six Collision Surfaces — Overview
Across ten years of EDPB opinions, DPA fines, and EBA Q&As, the same six surfaces recur. They are the only places where a properly designed fintech compliance programme should expect collision risk. Everything else is a problem of execution.
Surface 1: CDD retention period. Surface 2: Beneficial-ownership disclosure. Surface 3: Transaction-monitoring profiling. Surface 4: Third-country transfers. Surface 5: SAR record-keeping and subject-access. Surface 6: Marketing reuse of KYC data. The remainder of this article works through each.
Surface 1: CDD Retention Period
AMLR Article 77 requires obliged entities to retain CDD documents and transaction records for five years after the end of the business relationship or the date of an occasional transaction. Member States can extend this to a maximum of ten years where the national assessment justifies it. GDPR Article 5(1)(e) — storage limitation — says personal data should be kept no longer than necessary for the purposes for which they are processed.
The collision is sharper than it looks. Five years is a minimum under AMLR, not a default ceiling. Fintechs routinely keep CDD data "in case the regulator asks" — indefinitely, across operational, backup, and analytics systems. That is unlawful processing the moment the AMLR obligation expires.
The resolution: a documented retention triage. For every CDD dataset, identify the AMLR-mandated retention window, the additional retention period justified by Member State extension or live SAR exposure, and the deletion / pseudonymisation event that fires automatically at the end. Backups must be in scope. Analytics warehouses must be in scope. Indefinite retention "to be safe" is the opposite of safe.
Surface 2: Beneficial-Ownership Disclosure After C-37/20
In November 2022, the Grand Chamber of the Court of Justice handed down Joined Cases C-37/20 and C-601/20 [3] — and struck down unconditional public access to central UBO registers as a disproportionate interference with Articles 7 and 8 of the Charter. The 5AMLD provision permitting general public access was invalid.
AMLR responded by recalibrating. Under Articles 12–14 AMLR and the accompanying AMLD6 framework, obliged entities and competent authorities retain full access to the centralised registers, and persons demonstrating a "legitimate interest" — journalists, civil society, academics — can apply for access. General public access is gone.
The collision for a fintech is twofold. First, the fintech is itself an obliged entity with full register access — but the access creates a GDPR processing event every time. Second, the fintech often receives UBO declarations from corporate clients that include personal data well in excess of what AMLR mandates: home addresses, family relationships, photocopies of children's passports collected to evidence "family wealth."
The resolution: data minimisation at intake. The UBO disclosure form should request the AMLR-mandated minimum and no more. Where a higher-risk dossier justifies broader collection, the additional data fields must be tagged with a documented EDD trigger and a separate retention clock.
Surface 3: Transaction-Monitoring Profiling vs Article 22
AMLR Article 50 endorses automated transaction-monitoring systems as standard practice. The EBA Guidelines on customer due diligence [4] go further, explicitly contemplating the use of machine-learning models for risk classification. GDPR Article 22(1) says a data subject has the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects.
"Account frozen pending SAR review" is a legal effect. "De-risked and offboarded" is a legal effect. "Onboarding refused" is a legal effect. Every operational decision a fintech makes off the back of its transaction monitoring system touches Article 22.
The resolution is the meaningful human review architecture. The automated system can triage, prioritise, surface, and recommend. A trained MLRO-supervised analyst must conduct the actual decision and document the reasoning. The audit trail must show who reviewed, when, what they considered, and why they concluded — not just "system flagged, account closed."
The DPIA for the transaction-monitoring system must specifically address discrimination risk, explainability, and the human-in-the-loop control. CNIL, the Spanish AEPD, and BfDI have all signalled active interest in this surface in 2025 enforcement priorities.
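The "meaningful human review" architecture described above, as an added example that is not code from the article or from any monitoring vendor. It assumes a monitoring engine that emits an alert with a score and a recommended action; the names Alert, HumanReview, DecisionGate and the action labels are hypothetical. The gate lets the engine perform triage actions on its own, refuses to execute any legal-effect action (freeze, offboard, refuse onboarding) without an attributable, reasoned analyst review, and writes an audit entry that records both the model's recommendation and the analyst's decision so overrides are visible.

```python
"""Human-in-the-loop gate for transaction-monitoring outcomes.

Added example, not code from the article or from any monitoring vendor.
Assumes a monitoring engine that emits an Alert with a score and a
recommended action; Alert, HumanReview, DecisionGate and the action names
are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Actions with a legal or similarly significant effect on the customer
# (GDPR Article 22): the engine may recommend them, never execute them.
LEGAL_EFFECT_ACTIONS = {"freeze", "offboard", "refuse_onboarding"}
# Actions the engine may take on its own: triage and prioritisation only.
TRIAGE_ACTIONS = {"escalate", "request_info", "close_no_action"}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    customer_id: str
    score: float
    recommended_action: str
    model_version: str


@dataclass(frozen=True)
class HumanReview:
    reviewer_id: str
    reviewed_at: datetime
    factors_considered: tuple[str, ...]
    rationale: str
    decision: str  # the action the analyst actually chose


@dataclass
class AuditEntry:
    alert_id: str
    customer_id: str
    machine_recommendation: str
    model_version: str
    final_action: str
    reviewer_id: Optional[str] = None
    reviewed_at: Optional[datetime] = None
    factors_considered: tuple[str, ...] = ()
    rationale: str = ""


class Article22Violation(Exception):
    """A legal-effect action was attempted on the engine's say-so alone."""


def validate_review(review: HumanReview) -> None:
    """A review is 'meaningful' only if it is attributable and reasoned."""
    if not review.reviewer_id.strip():
        raise ValueError("review must identify the analyst")
    if not review.factors_considered:
        raise ValueError("review must list the factors considered")
    if len(review.rationale.strip()) < 20:
        raise ValueError("rationale too short to evidence a reasoned decision")
    if review.decision not in LEGAL_EFFECT_ACTIONS | TRIAGE_ACTIONS:
        raise ValueError(f"unknown decision {review.decision!r}")


class DecisionGate:
    """Single choke point through which every alert outcome must pass."""

    def __init__(self) -> None:
        self.audit_trail: list[AuditEntry] = []

    def apply(self, alert: Alert, review: Optional[HumanReview] = None) -> AuditEntry:
        if alert.recommended_action not in LEGAL_EFFECT_ACTIONS | TRIAGE_ACTIONS:
            raise ValueError(f"unknown recommendation {alert.recommended_action!r}")
        if review is None:
            # No analyst involved: only triage-type outcomes may proceed.
            if alert.recommended_action in LEGAL_EFFECT_ACTIONS:
                raise Article22Violation(
                    f"{alert.recommended_action!r} on {alert.customer_id} "
                    "needs a documented human decision"
                )
            entry = AuditEntry(alert.alert_id, alert.customer_id,
                               alert.recommended_action, alert.model_version,
                               final_action=alert.recommended_action)
        else:
            validate_review(review)
            # Record what the model said and what the analyst decided, so an
            # overridden recommendation stays visible in the trail.
            entry = AuditEntry(alert.alert_id, alert.customer_id,
                               alert.recommended_action, alert.model_version,
                               final_action=review.decision,
                               reviewer_id=review.reviewer_id,
                               reviewed_at=review.reviewed_at,
                               factors_considered=review.factors_considered,
                               rationale=review.rationale)
        self.audit_trail.append(entry)
        return entry


def overrides(trail: list[AuditEntry]) -> list[AuditEntry]:
    """Entries where the analyst departed from the model: a useful DPIA metric."""
    return [e for e in trail
            if e.reviewer_id and e.final_action != e.machine_recommendation]
```

The override count is the kind of evidence a DPIA reviewer asks for: a trail in which the analyst never departs from the model suggests the "review" is a rubber stamp rather than a decision.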
Surface 4: Third-Country Transfers of CDD Data
AMLR contemplates group-wide CDD information sharing. Group AML policies are written so that a CDD file collected in Lithuania is accessible to the parent's compliance function in London, the operations centre in Mumbai, and the second-line review team in Singapore. That is a textbook GDPR Chapter V scenario.
After Schrems II, every transfer to a non-adequate jurisdiction requires an appropriate transfer mechanism — standard contractual clauses, binding corporate rules, or a Commission adequacy decision — plus a transfer impact assessment.
AMLR is silent on the mechanism. It assumes the transfer is lawful from an AML standpoint. The GDPR layer is non-optional — and AMLR's existence does not satisfy it. The Article 49 derogations — including "important reasons of public interest" — are explicitly interpreted narrowly by EDPB and are not a general permit for routine group AML transfers.
The resolution is mechanical: identify every third-country recipient of CDD data, document the transfer mechanism, conduct a TIA per destination, and add supplementary measures — encryption-in-transit, encryption-at-rest with EEA-held keys, pseudonymisation — where the destination's law presents access risk.
Surface 5: SAR Record-Keeping and Subject-Access Refusals
A SAR — Suspicious Activity Report — sits at the most sensitive corner of the collision map. AMLR Articles 50–57 require the SAR to be kept confidential. Tipping off the customer is criminal. GDPR Articles 15–22 give the same customer rights of access, rectification, erasure, and objection.
GDPR Article 23 supplies the bridge. Member States may restrict the scope of certain data-subject rights where necessary to safeguard the prevention, investigation, and prosecution of criminal offences — exactly the policy aim of the 6AMLD [5] criminalisation framework. National AML statutes uniformly invoke this derogation. The fintech can lawfully refuse a subject-access request that would reveal the existence of a SAR.
But — and this is where firms get caught — the refusal must be documented internally. Every SAR-linked access refusal must record the statutory basis, the date, the reviewing officer, and the reasoning. The DPA's right to inspect that record is not displaced by the AML confidentiality regime — the DPA can review the existence of the refusal even where it cannot review the contents of the SAR itself.
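The documented-refusal discipline above, as an added example that is not code from the article. It assumes the firm's legal team supplies the national-statute citation (a placeholder here) and that records are tagged as SAR-linked when disclosing them would reveal that a SAR exists; SubjectAccessHandler and the record types are hypothetical. The customer-facing reply carries the same standard notice whether or not anything was withheld, the refusal record captures basis, date, officer and reasoning, and the record type has no field for SAR contents, so the inspection view a DPA can see evidences the refusal without reproducing what it protects.

```python
"""Subject-access handling where a SAR hold exists (GDPR Article 23 restriction).

Added example; not code from the article. Assumes the firm's legal team
supplies the national-statute citation (placeholder below) and that records
are already tagged as SAR-linked when disclosure would reveal that a SAR
exists. SubjectAccessHandler and the record types are hypothetical.
"""
from dataclasses import dataclass
from datetime import date

# Placeholder: the real citation is the national AML provision that enacts
# the Article 23 restriction; it comes from the firm's legal team.
STATUTORY_BASIS = "[national AML statute implementing GDPR Article 23]"

# Identical text in every response, whether or not anything was withheld, so
# its presence reveals nothing about a SAR.
STANDARD_NOTICE = ("Information may be withheld where a legal restriction on "
                   "the right of access applies.")


@dataclass(frozen=True)
class PersonalDataRecord:
    category: str      # e.g. "identity", "transactions", "sar_file"
    content: str
    sar_linked: bool   # disclosure would reveal the existence of a SAR


@dataclass(frozen=True)
class RefusalRecord:
    request_id: str
    customer_id: str
    refused_on: date
    statutory_basis: str
    reviewing_officer: str
    reasoning: str
    # No field for SAR contents, by design: the record evidences the refusal
    # without reproducing what it protects.


class SubjectAccessHandler:
    def __init__(self) -> None:
        self._refusals: list[RefusalRecord] = []

    def respond(self, request_id: str, customer_id: str,
                records: list[PersonalDataRecord], officer: str,
                today: date) -> dict:
        """Build the customer-facing reply and log any restricted items."""
        disclosed = [r for r in records if not r.sar_linked]
        withheld = [r for r in records if r.sar_linked]
        if withheld:
            self._refusals.append(RefusalRecord(
                request_id, customer_id, today, STATUTORY_BASIS, officer,
                reasoning=(f"{len(withheld)} item(s) withheld: disclosure would "
                           "reveal whether a suspicious activity report exists"),
            ))
        return {
            "request_id": request_id,
            "data": [(r.category, r.content) for r in disclosed],
            "notice": STANDARD_NOTICE,
        }

    def inspection_view(self) -> list[dict]:
        """What the firm can show a DPA: that refusals happened, on what basis,
        decided by whom, without the underlying SAR."""
        return [{"request_id": r.request_id,
                 "refused_on": r.refused_on.isoformat(),
                 "statutory_basis": r.statutory_basis,
                 "officer": r.reviewing_officer,
                 "reasoning": r.reasoning}
                for r in self._refusals]
```

The design point is the shape of RefusalRecord: because it cannot hold SAR content, the inspection view can be handed over without a case-by-case redaction exercise.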
Surface 6: Marketing Reuse of KYC Data — The Purpose-Limitation Trap
This is the surface that catches the most fintechs and produces the largest DPA fines. The growth team wants to use the income data, address data, and behavioural data collected during KYC to segment marketing campaigns. "We already have it," the argument runs, "so why not use it?"
Because GDPR Article 5(1)(b) — purpose limitation — forbids it absent fresh lawful basis. The EDPB Guidelines 06/2020 [6] on the interplay between PSD2 and GDPR — which apply by analogy to AMLR-derived data — are unambiguous: data collected to comply with a financial regulation cannot be reused for incompatible secondary purposes without separate consent.
The resolution: a strict data segregation between the AML data lake and the marketing data lake. Where the growth team needs an attribute that originated in KYC — say, country of residence — it must be either re-collected with consent or sourced from a marketing-purpose-compatible system. Engineering teams hate this. DPAs love it.
Table 1: The Six Surfaces at a Glance
The Six-Surface AMLR/GDPR Collision Map — regulatory tension and operational resolution.
| Surface | AMLR Position | GDPR Position | Resolution Path |
|---|---|---|---|
| CDD retention | Minimum 5 years, up to 10 | Storage limitation, Article 5(1)(e) | Documented retention triage with automatic deletion event |
| UBO disclosure | Mandatory centralised register access | Post-C-37/20 proportionality, Articles 7-8 Charter | Data minimisation at intake; legitimate-interest test for any non-obliged access |
| TM profiling | Automated monitoring endorsed | Article 22 right not to be subject to solely automated decisions | Meaningful human review architecture plus DPIA |
| Third-country transfers | Group-wide sharing contemplated | Chapter V — SCCs, adequacy, TIA | Per-destination TIA and supplementary measures |
| SAR record-keeping | Strict confidentiality; tipping-off criminal | Articles 15-22 subject rights | Article 23 national derogation, documented per refusal |
| Marketing reuse of KYC | Silent | Article 5(1)(b) purpose limitation | Strict data segregation; fresh lawful basis required |
Table 2: Which Business Models Hit Which Surfaces Hardest
Collision intensity by fintech business model — H = high exposure, M = moderate, L = low.
| Surface | CASP | EMI | PI | MSB | Neobank |
|---|---|---|---|---|---|
| CDD retention | H | H | M | H | H |
| UBO disclosure | H | M | M | H | M |
| TM profiling | H | H | H | H | H |
| Third-country transfers | H | M | L | H | M |
| SAR record-keeping | H | H | M | H | H |
| Marketing reuse | M | H | M | M | H |
The pattern reads cleanly. CASPs and MSBs carry the heaviest collision load — they touch every surface. EMIs and neobanks carry the heaviest marketing-reuse risk because they have the richest behavioural datasets. Payment institutions are the lightest-touch profile.
The Resolution Pattern: AMLR-Primary, GDPR-Compliant
A coherent fintech compliance programme treats AMLR as the primary obligation framework and GDPR as the operating constraint. The four steps:
Lawful basis cascade — for every processing activity, identify whether the AMLR obligation is the primary lawful basis (Article 6(1)(c)), or whether consent, contract, or legitimate interest is the correct basis. Never collapse them.
Retention triage — for every dataset, map the AMLR-mandated period, the Member State extension if any, the EDD-justified extension if any, and the automated deletion event. Apply to operational, backup, and analytics systems.
Transfer mechanism — for every third-country recipient, document the GDPR Chapter V mechanism, conduct the TIA, and add supplementary measures where the destination's surveillance regime creates residual risk.
Data-subject communication — the privacy notice must disclose AMLR processing, retention period, profiling, transfers, and the Article 23 derogation framework. Vague "we process for legal obligations" boilerplate is the surest indicator of an unprepared fintech.
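Steps 2 and 3 of the pattern, which restate the resolutions for Surface 1 (CDD retention) and Surface 4 (third-country transfers), as one added example that is not code from the article. Member State extension years, SAR hold dates and the recipient inventory are inputs the firm's own registers would supply; the adequacy set is an illustrative subset of the Commission's list, pseudonymising the analytics copy rather than deleting it is a design choice assumed here, and the helper names (CddDataset, Recipient, triage, transfer_check) are hypothetical. The retention half computes the AMLR expiry, the Member State extension, the SAR hold and the single deletion event that fires across operational, backup and analytics copies; the transfer half returns the list of gaps blocking a transfer to each recipient, treating Article 49 as a gap rather than a mechanism.

```python
"""Retention triage and third-country transfer checks: steps 2 and 3 of the
resolution pattern, covering Surface 1 (CDD retention) and Surface 4
(transfers). Added example; not code from the article. Extension years, SAR
hold dates and the recipient inventory come from the firm's own registers;
the adequacy set is an illustrative subset and the helper names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AMLR_MINIMUM_YEARS = 5    # Article 77 baseline
AMLR_MAXIMUM_YEARS = 10   # ceiling a Member State may extend to


def add_years(d: date, years: int) -> date:
    """Calendar-year shift that survives 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class CddDataset:
    dataset_id: str
    relationship_ended: date
    member_state_extension_years: int = 0     # 0..5, from national law
    sar_hold_until: Optional[date] = None     # live SAR exposure, if any
    systems: tuple[str, ...] = ("operational", "backup", "analytics")


def triage(ds: CddDataset, pseudonymise_in=("analytics",)) -> dict:
    """Compute the deletion event and the per-system action for one dataset.

    Operational and backup copies are deleted outright; analytics stores are
    pseudonymised so aggregates survive without identifiers (an assumed design
    choice, not something the article prescribes)."""
    if not 0 <= ds.member_state_extension_years <= AMLR_MAXIMUM_YEARS - AMLR_MINIMUM_YEARS:
        raise ValueError("extension must keep total retention within 5-10 years")
    amlr_expiry = add_years(ds.relationship_ended, AMLR_MINIMUM_YEARS)
    extended_expiry = add_years(amlr_expiry, ds.member_state_extension_years)
    # A live SAR file keeps the data past the statutory window, and only that long.
    deletion_event = extended_expiry
    if ds.sar_hold_until and ds.sar_hold_until > deletion_event:
        deletion_event = ds.sar_hold_until
    actions = {s: ("pseudonymise" if s in pseudonymise_in else "delete")
               for s in ds.systems}
    return {"dataset_id": ds.dataset_id, "amlr_expiry": amlr_expiry,
            "extended_expiry": extended_expiry, "deletion_event": deletion_event,
            "actions": actions}


def due_actions(decisions: list[dict], today: date) -> list[tuple[str, str, str]]:
    """(dataset, system, action) for every deletion event that has fired."""
    return [(d["dataset_id"], s, a) for d in decisions
            if d["deletion_event"] <= today for s, a in d["actions"].items()]


# --- Surface 4 / step 3: Chapter V check per third-country recipient --------
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT "
          "RO SK SI ES SE IS LI NO".split())
ADEQUACY_DECISIONS = {"GB", "CH", "JP"}   # illustrative subset of the Commission list
REQUIRED_SUPPLEMENTARY = {"encryption_in_transit", "encryption_at_rest_eea_keys",
                          "pseudonymisation"}


@dataclass(frozen=True)
class Recipient:
    name: str
    country: str                         # ISO 3166-1 alpha-2
    mechanism: Optional[str]             # "scc", "bcr", "article_49" or None
    tia_completed: bool = False
    residual_access_risk: bool = False   # the TIA's conclusion on local access law
    supplementary_measures: frozenset = frozenset()


def transfer_check(r: Recipient) -> list[str]:
    """Return the gaps blocking a CDD transfer to this recipient ([] = clear)."""
    if r.country in EEA or r.country in ADEQUACY_DECISIONS:
        return []
    gaps = []
    if r.mechanism == "article_49":
        gaps.append("Article 49 derogations do not cover routine group AML transfers")
    elif r.mechanism not in ("scc", "bcr"):
        gaps.append("no Chapter V mechanism (SCCs or BCRs) documented")
    if not r.tia_completed:
        gaps.append("transfer impact assessment not completed")
    if r.residual_access_risk:
        missing = REQUIRED_SUPPLEMENTARY - r.supplementary_measures
        if missing:
            gaps.append("supplementary measures missing: " + ", ".join(sorted(missing)))
    return gaps
```

Run triage over the whole CDD inventory and feed due_actions to the job that actually deletes or pseudonymises; the point of a single deletion_event per dataset is that backups and the analytics warehouse fire on the same date as the operational store rather than on their own schedule.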
What the DPAs Have Actually Said
Three DPA positions are worth knowing because they map directly onto the collision surfaces.
The BfDI — Germany's federal data-protection commissioner — has issued joint statements with BaFin reaffirming that AML obligations under the Geldwäschegesetz constitute a valid lawful basis but do not relieve the obliged entity of minimisation or retention discipline. Over-retention has been the most common enforcement trigger.
The CNIL has focused on the profiling surface. Multiple French fintechs have been pulled up on inadequate DPIAs for transaction-monitoring systems, with the CNIL singling out insufficient documentation of human review as a recurring deficiency.
The ICO — post-Brexit — has begun to diverge marginally on the marketing-reuse surface, accepting slightly broader "legitimate interest" tests than the EDPB position. For fintechs operating cross-border, the practical answer is to comply with the stricter EU standard everywhere; the marginal upside of UK-divergent processing is not worth the operational fragmentation.
FAQ
Does GDPR override AML?
No, and AML does not override GDPR. They are co-equal Union Regulations. AMLR supplies the lawful basis under GDPR Article 6(1)(c). GDPR still governs minimisation, retention, transfer mechanics, and automated decision-making on top. The myth that "AML wins" is the single most expensive misconception in European fintech compliance.
How long can I keep customer KYC records?
AMLR Article 77 requires a minimum of five years after the end of the business relationship. Member States may extend to a maximum of ten years where their national risk assessment justifies it. Beyond that, retention is unlawful unless a separate GDPR-recognised purpose applies — for example, ongoing litigation or a live SAR file. Indefinite retention "to be safe" is not safe.
Only via a recognised GDPR Chapter V transfer mechanism — standard contractual clauses, binding corporate rules, or a Commission adequacy decision — supplemented by a transfer impact assessment. AMLR's contemplation of group-wide sharing is not a transfer mechanism. Where the destination's surveillance regime creates residual risk, supplementary measures such as encryption with EEA-held keys are required.
Does AMLR allow automated transaction-monitoring profiling?
Yes — Article 50 AMLR endorses it and the EBA Guidelines specifically contemplate machine-learning models. But GDPR Article 22 prevents decisions with legal effect being taken solely by the automated system. The compliant architecture lets the system triage and recommend; a trained analyst conducts the actual review and documents the reasoning. Account freezes and offboardings always need a documented human decision.
Need the collision map applied to your specific operations? Finconduit produces a six-surface gap analysis with the policy language, the controls, and the regulator-facing argument. Book a free GDPR-AMLR diagnostic.
The pragmatic conclusion: most fintechs do not have a strategy problem on this terrain — they have an architecture problem. Compliance, legal, engineering, and data teams each hold one fragment of the picture, and the collision shows up at the seams. A six-surface map collapses those seams into a single shared artefact that all four teams can plan against. It is also the artefact every joint inspection — AMLA on one side, the national DPA on the other — will reach for in the first thirty minutes.
Document each surface. Map each dataset. Audit each transfer. Memorialise each refusal. The investment is unglamorous and the regulator-facing argument is irrefutable: "We followed AMLR. We respected GDPR. We documented the trade-offs. Here is the record." That is the posture that wins.
The fintechs that will survive the joint AMLA-EDPB inspection regime arriving in 2027 are not the ones that pick a side between AML and privacy. They are the ones that build one programme around six predictable collision surfaces and a single four-step resolution pattern. The collision map is fixed. The operational discipline is the variable. Now is the cheapest time to get it right.