GDPR vs AML/CFT: how to articulate both in a KYC framework
The dual legal framework imposed on every AML/CFT obliged entity
The KYC framework (customer identity verification) of a regulated institution obeys not one regime but two superimposed legal frameworks, each with its own logic and dedicated supervisor.
On one side, GDPR (the EU personal data regulation, EU 2016/679) sets out structuring principles: lawfulness (article 6), minimization (article 5.1.c), accuracy (article 5.1.d), storage limitation (article 5.1.e), confidentiality (article 5.1.f) and the ban on sensitive data save for exceptions (article 9). The CNIL (Commission nationale de l'informatique et des libertés, the French data protection authority) sanctions breaches up to €20 million or 4% of global turnover (GDPR article 83).
On the other, AML/CFT (anti-money-laundering and counter-financing of terrorism) rests on articles L.561-5 to L.561-36 of the French Monetary and Financial Code (CMF), transposing the European anti-money-laundering directives. It requires in-depth knowledge of the client: identification, identification of the beneficial owner, continuous monitoring, suspicious activity reporting to Tracfin (the French financial intelligence unit). The ACPR (Autorité de contrôle prudentiel et de résolution, the French prudential supervisor for banks and insurance) sanctions up to €100 million or 10% of annual net turnover (article L.612-39 of the Monetary and Financial Code).
These two frameworks do not oppose each other in theory — they are complementary. On the ground, the trade-off is permanent.
::: callout-info In brief
- GDPR framework: minimization, storage limitation, legal basis, data subject rights
- AML/CFT framework: due diligence, minimum 5-year retention, secrecy of suspicious activity reporting
- Sanctions: CNIL (4% global turnover) and ACPR (€100M or 10% turnover), cumulative
- 2027 regulation: the AMLR regulation (EU 2024/1624), applicable from 10 July 2027, broadens the data to be collected without relaxing minimization
:::
Concrete tensions between GDPR minimization and AML/CFT due diligence
Four tensions recur in ACPR and CNIL inspections observed since 2024.
AML/CFT requires reliable supporting documents: official ID, proof of address, Kbis extract for legal entities, income proof for enhanced due diligence. GDPR requires data to be "adequate, relevant and limited to what is necessary". The practical rule is to distinguish three due diligence levels (simplified, standard, enhanced) and align the volume of data collected with the actual risk level of the client. Collecting income proof for a payment account with a €50 monthly cap is both an AML/CFT excess (vigilance disproportionate to the risk) and a GDPR excess (collection that is not necessary).
GDPR article 9 in principle prohibits the processing of sensitive data (racial origin, opinions, biometric data, etc.). The biometrics used for identity verification (facial recognition, fingerprint) fall in this scope. The applicable exception is article 9.2.g: "necessary for reasons of substantial public interest". AML/CFT obligations fall into this category, but proportionality must be demonstrated. The CNIL's constant position since its guidelines: biometrics are only admissible if no less intrusive means can achieve the same level of guarantee.
Article L.561-19 of the Monetary and Financial Code formally prohibits an obliged entity from informing the client that a suspicious activity report has been filed about them. Yet GDPR articles 13 and 14 require prior information of the data subject about the purposes of processing. Reconciliation comes through a generic mention in the privacy policy ("your data may be processed as part of our anti-money-laundering obligations") without ever descending to the level of a specific report. The anti-money-laundering directive settles the question in favor of AML/CFT secrecy: the general information is given, the existence of a report is not.
The data subject rights set out in GDPR articles 15 to 22 collide with the 5-year retention imposed by article L.561-12 CMF. The right to erasure (GDPR article 17) is explicitly limited when a legal obligation requires retention (article 17.3.b). The right to object (article 21) does not apply either, since it is only available for processing based on article 6.1.e or 6.1.f, and KYC processing rests on article 6.1.c (legal obligation). This articulation must be documented in the website privacy policy and in KYC information notices.
"Everything can be forged, except real life." The GDPR/AML trade-off rests on this philosophy: collect strictly what proves the real existence and activity of the client, no more, no less.
Five practical rules to reconcile both frameworks
Correct articulation comes down to five operational rules that every compliant KYC framework must respect.
The risk-based approach is imposed both by the EBA (European Banking Authority, ML/TF Risk Factors guidelines revised in 2024) and by GDPR through minimization. Three due diligence levels must be formalized: simplified for low-risk clients, standard for the majority, enhanced for politically exposed persons or high-risk jurisdictions. Each level corresponds to a minimum data set, validated by the DPO (data protection officer) and the head of compliance.
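The intake gate below is an added example written for this page, not Euroleads code. It turns the three due diligence levels into a check that returns both gaps at once: fields the level requires but the file lacks (an AML/CFT gap) and fields collected beyond the level (a GDPR minimization gap, to be deleted). The classification rules follow the page (PEP or high-risk jurisdiction gives enhanced; a low-value capped product gives simplified); the field lists per level, the jurisdiction set and the €150 cap are assumptions for illustration and must be set by the DPO and the head of compliance.

```python
"""Minimum data set per due diligence level: a KYC intake gate.

Added example, not Euroleads code. The field lists, the high-risk
jurisdiction set and the simplified-diligence cap are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed high-risk jurisdictions (placeholders, not the FATF list).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}

# Assumed minimum data set per level; in practice validated jointly by the
# DPO and the head of compliance and recorded in the processing register.
MINIMUM_DATA_SET = {
    "simplified": {"identity_document", "full_name", "date_of_birth"},
    "standard": {"identity_document", "full_name", "date_of_birth",
                 "proof_of_address"},
    "enhanced": {"identity_document", "full_name", "date_of_birth",
                 "proof_of_address", "source_of_funds", "income_proof"},
}

SIMPLIFIED_CAP_EUR = 150.0  # assumed: monthly cap below which the product is low risk


@dataclass
class Client:
    is_pep: bool
    jurisdiction: str
    monthly_cap_eur: Optional[float]  # None = uncapped product


def due_diligence_level(c: Client) -> str:
    """Risk-based classification into the three levels the page describes."""
    if c.is_pep or c.jurisdiction in HIGH_RISK_JURISDICTIONS:
        return "enhanced"
    if c.monthly_cap_eur is not None and c.monthly_cap_eur <= SIMPLIFIED_CAP_EUR:
        return "simplified"
    return "standard"


def check_collection(c: Client, collected: set) -> dict:
    """Compare what was collected with what the level requires.

    'missing' is an AML/CFT gap (due diligence incomplete);
    'excess' is a GDPR gap (data not necessary for the purpose): delete it.
    """
    level = due_diligence_level(c)
    required = MINIMUM_DATA_SET[level]
    return {
        "level": level,
        "missing": sorted(required - collected),
        "excess": sorted(collected - required),
    }


if __name__ == "__main__":
    # The page's own case: income proof collected for a €50-cap payment account.
    capped = Client(is_pep=False, jurisdiction="FR", monthly_cap_eur=50)
    print(check_collection(capped, {"identity_document", "full_name",
                                    "date_of_birth", "income_proof"}))
```

Run as a purge rule at the end of onboarding: anything reported in `excess` never reaches the long-term KYC store, which is the cheapest way to avoid the "excessive retention" finding later.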
The processing register (GDPR article 30) must explicitly mention the legal obligation (GDPR article 6.1.c) as the legal basis for KYC processing, by reference to articles L.561-5 and following of the Monetary and Financial Code. Continuous monitoring is itself a legal obligation (article L.561-6 CMF); legitimate interest (article 6.1.f) is only needed for monitoring that goes beyond the statutory duty, such as anti-fraud scoring. Consent (article 6.1.a) is to be avoided: it is revocable, which would render the framework inoperative.
The rule of 5 years after the end of the business relationship (article L.561-12 CMF) is a legal AML/CFT minimum; GDPR storage limitation makes it the default ceiling unless another legal ground justifies keeping the data longer. A compliant policy distinguishes:
- 5 years: standard duration for most identification data
- Up to 8 years: if a Tracfin investigation is in progress (article L.561-25 CMF)
- 10 years: for evidence transmitted with a suspicious activity report
- Immediate deletion: for surplus data collected outside the AML/CFT scope
::: callout-info Key figures for KYC retention
- 5 years: minimum duration post-relationship (L.561-12 CMF)
- 8 years: if Tracfin investigation (article L.561-25 CMF, last paragraph)
- 10 years: evidence transmitted with suspicious activity report
- 4% global turnover: maximum CNIL sanction (GDPR article 83)
- €100M or 10% turnover: maximum ACPR sanction (article L.612-39 CMF)
:::
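The purge logic below is an added example written for this page, not Euroleads code. It computes, for each KYC record, the earliest date on which deletion is permitted, using the durations listed above (5 years post-relationship, 8 years while a Tracfin investigation is in progress, 10 years for evidence transmitted with a suspicious activity report, immediate deletion for surplus data), and lists the records due for deletion on a given day. The record layout, the category names and the investigation flag are assumptions; the 29 February rollover is handled explicitly because a naive year addition fails on it.

```python
"""Retention schedule for KYC files: purge date per record.

Added example, not Euroleads code. Durations are the page's figures; the
record layout, category names and the investigation flag are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

RETENTION_YEARS = {
    "identification": 5,   # standard post-relationship duration
    "sar_evidence": 10,    # evidence transmitted with a suspicious activity report
}
INVESTIGATION_YEARS = 8    # while a Tracfin investigation is in progress


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class KycRecord:
    record_id: str
    category: str                       # "identification", "sar_evidence" or "surplus"
    relationship_end: Optional[date]    # None while the relationship is open
    tracfin_investigation: bool = False  # assumed flag set by compliance when notified


def purge_date(r: KycRecord, today: date) -> Optional[date]:
    """Earliest date on which the record may be deleted; None = must be kept."""
    if r.category == "surplus":
        # Collected outside the AML/CFT scope: no legal basis, delete now.
        return today
    if r.relationship_end is None:
        # Due diligence is ongoing; the retention clock has not started.
        return None
    if r.category == "sar_evidence":
        years = RETENTION_YEARS["sar_evidence"]
    elif r.tracfin_investigation:
        years = INVESTIGATION_YEARS
    else:
        years = RETENTION_YEARS["identification"]
    return add_years(r.relationship_end, years)


def due_for_deletion(records: Iterable[KycRecord], today: date) -> List[str]:
    """Record ids whose purge date has been reached; feed these to the deletion job."""
    due = []
    for r in records:
        p = purge_date(r, today)
        if p is not None and p <= today:
            due.append(r.record_id)
    return sorted(due)


if __name__ == "__main__":
    # Constructed sample files for a sweep run on 1 March 2025.
    sample = [
        KycRecord("A", "identification", date(2020, 3, 1)),
        KycRecord("B", "identification", date(2021, 1, 1)),
        KycRecord("C", "surplus", None),
        KycRecord("D", "sar_evidence", date(2016, 1, 1)),
        KycRecord("E", "identification", date(2018, 1, 1), tracfin_investigation=True),
        KycRecord("F", "identification", None),
    ]
    print(due_for_deletion(sample, date(2025, 3, 1)))
```

The investigation flag is what turns "5 years minimum" into an auditable exception: a reviewer can see why record E outlives its default purge date, which is exactly the justification the retention red zone below asks for.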
GDPR requires security of processing (article 32). AML/CFT requires traceability of consultations as part of internal control. A single measure covers both: log every access to a KYC file, with the agent's identity, timestamp and reason, and protect the log itself against alteration, since a log an agent can edit proves nothing to either supervisor. ACPR inspections in 2024-2025 identified the absence of logging as a recurring breach in published sanctions.
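The logger below is an added example written for this page, not Euroleads code. It records the three fields the paragraph names (agent, timestamp, reason) plus the file identifier, refuses an access without a reason, and chains each entry to the previous one with an HMAC so that an altered or removed entry breaks verification. The review rule at the end (one agent reading many files in a short window) is an assumption about what an internal-control reviewer would flag; the key, the sample accesses and the thresholds are constructed for the demonstration.

```python
"""Tamper-evident access log for KYC files (GDPR art. 32 + AML/CFT traceability).

Added example, not Euroleads code. Key, sample entries and review
thresholds are constructed; the HMAC must be held by the logging service,
not by the agents whose accesses it records.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

LOG_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: service-held secret
GENESIS = "0" * 64


def _mac(body: dict) -> str:
    return hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class KycAccessLog:
    """Append-only log; each entry carries the MAC of the previous one."""

    def __init__(self):
        self.entries: List[dict] = []
        self._prev = GENESIS

    def record(self, agent: str, file_id: str, reason: str, ts: datetime) -> dict:
        if not reason.strip():
            raise ValueError("a documented reason is mandatory for every KYC file access")
        body = {"ts": ts.isoformat(), "agent": agent, "file": file_id,
                "reason": reason, "prev": self._prev}
        entry = {**body, "mac": _mac(body)}
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry


def verify_chain(entries: List[dict]) -> bool:
    """True only if every entry is intact and links to its predecessor."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("prev") != prev:
            return False               # an entry was removed or reordered
        if not hmac.compare_digest(_mac(body), e["mac"]):
            return False               # an entry was altered
        prev = e["mac"]
    return True


def review(entries: List[dict], bulk_threshold: int = 20,
           window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Flag agents that read at least `bulk_threshold` files within `window`."""
    alerts = []
    times_by_agent = defaultdict(list)
    for e in entries:
        times_by_agent[e["agent"]].append(datetime.fromisoformat(e["ts"]))
    for agent, times in times_by_agent.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= bulk_threshold:
                alerts.append((agent, "bulk access"))
                break
    return alerts


if __name__ == "__main__":
    # Constructed sample: two routine reviews, then one tampered copy.
    log = KycAccessLog()
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    log.record("agent.a", "KYC-001", "periodic review", t0)
    log.record("agent.b", "KYC-003", "suspicious activity analysis",
               t0 + timedelta(minutes=6))
    print("intact:", verify_chain(log.entries))
    tampered = [dict(e) for e in log.entries]
    tampered[0]["file"] = "KYC-999"
    print("after edit:", verify_chain(tampered))
```

One caveat a verifier should know: the chain detects alteration and deletion in the middle, but not truncation of the most recent entries. Anchor the latest MAC somewhere the logging service cannot rewrite (a daily digest sent to internal control, for instance) so that a trimmed log is also detectable.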
Regulation (EU) 2024/1624 (AMLR, the future European anti-money-laundering regulation), directly applicable on July 10, 2027, broadens the list of data collected under due diligence. The EDPB (European Data Protection Board) position is a reminder that these extensions must remain proportional. Compliance departments have until end of 2026 to adapt their data mapping, processing register and information notices.
Sector use cases
Articulation takes different concrete forms by sector.
Account opening triggers the broadest collection: ID, proof of address, income proof for premium accounts, bank details (RIB) for anti-fraud. The ACPR position published in its 2025 annual AML/CFT report noted that online banks had an abandonment rate of 25% at the KYC step, brought down to around 5% with a properly integrated eIDV (electronic identity verification) framework. GDPR compliance comes through minimization at the risk level, automatic deletion of abandoned files (unless suspicion), and an optional biometrics journey when transactional data is sufficient to reach the eIDAS substantial assurance level.
The insurance sector combines AML/CFT and anti-fraud. Medical supporting documents fall under GDPR article 9 (health data) and must never be retained beyond the contract underwriting period. CNIL's constant position: health data are not within the AML/CFT scope, their processing is governed by other legal bases.
Crypto-asset service providers, now subject to CASP authorization (Crypto-Asset Service Provider) under MiCA (Markets in Crypto-Assets), must apply the TFR (Travel Rule, EU Regulation 2023/1113), which covers crypto-asset transfers regardless of amount; the €1,000 threshold in the regulation only triggers additional checks, notably on transfers involving self-hosted addresses. Originator and beneficiary data travel with the transaction. GDPR reconciliation comes through end-to-end encryption of inter-platform transmissions and, for recipients outside the EU, a Chapter V transfer tool (adequacy decision or standard contractual clauses) rather than consent, which cannot be the basis for a legally required transfer.
The beneficial ownership register (RBE in France) and the €10,000 cash threshold harmonized by AMLR require documented due diligence. GDPR forces every person identified as a beneficial owner to be informed, which often constitutes a first notification for the data subject.
Cumulative sanctions: what recent decisions say
The ACPR and CNIL coordinate their procedures as soon as one breach falls under both regimes. Observed practices:
| Type of breach | Primary regulator | Maximum sanction | Possible cumulation |
|---|---|---|---|
| Excessive retention (>5 years without AML/CFT justification) | CNIL | 4% global turnover | Yes (ACPR if documentation gap) |
| Insufficient due diligence | ACPR | €100M or 10% turnover | Yes (CNIL if information gap) |
| Missing processing register | CNIL | 4% global turnover | Limited |
| Unjustified biometric data | CNIL + ACPR | Capped cumulation | Yes |
| Insufficient client information | CNIL | 4% global turnover | Limited |
The sanctions published by the CNIL in 2024 and 2025 in the banking sector systematically dealt with excessive retention and the lack of clearly defined purpose. The ACPR sanctioned in parallel the failure of the monitoring framework without direct intersection with GDPR processing.
::: callout-info The 4 red zones identified by 2024-2025 inspections
- Retention: files kept beyond what AML/CFT strictly requires
- Justification: no documented risk analysis per client
- Information: privacy policy does not mention AML/CFT
- Logging: access to KYC files not traced
:::
How Euroleads articulates GDPR and AML/CFT in its eIDV frameworks
Our eIDV approach (electronic identity verification) rests on a simple principle: prove the real existence of a client through the convergence of transactional, government and telecom data. We verify identity without asking for an avalanche of supporting documents. This approach is compliant by design with both frameworks:
- GDPR: no mandatory biometrics, hence no sensitive data. No storage of supporting documents, hence minimization. 5 million verifications per month without building a centralized identity library.
- AML/CFT: eIDAS substantial assurance level reached without excessive collection. Convergence of 4,000 sources of worldwide data across 197 countries, compliant with ACPR and FATF requirements.
Documented ROI on online banks reaches 220:1 with abandonment cut from 25% to 5%, while strictly respecting the minimization imposed by GDPR.
::: cta Is your KYC framework compliant with the dual framework? Free audit in 5 days. Discuss your project :::
Frequently asked questions about GDPR/AML articulation
Do you need client consent for KYC processing? No. The legal basis is the legal obligation (GDPR article 6.1.c), which dispenses with consent. Asking for consent would be legally incorrect, since it could be withdrawn.
How long should a KYC file be kept after closure? 5 years minimum from the end of the business relationship (article L.561-12 CMF). Up to 8 years in the event of an ongoing Tracfin investigation. Beyond that, deletion is required by GDPR.
Can a KYC file be transferred to a subprocessor outside the EU? Yes, under strict conditions: a Chapter V transfer tool such as the Commission's standard contractual clauses (SCCs), a transfer impact assessment of the destination country's legal regime as required since the Schrems II ruling, and client information. For the United States, the 2023 EU-US Data Privacy Framework adequacy decision covers certified recipients only; the CNIL's position remains one of maximum vigilance on all other US transfers.
Which eIDAS level for which risk? Low level for very low-risk services; substantial for the majority of banking and fintech accounts; high for the most sensitive regulated services (crypto CASPs, investment operations).
Where to find official references? CNIL (www.cnil.fr) for GDPR and guidelines, ACPR (acpr.banque-france.fr) for prudential expectations, Tracfin (tracfin.finances.gouv.fr) for suspicious activity reports, EUR-Lex for regulations 2024/1624 (AMLR) and 2024/1640 (AMLD6, the 6th Anti-Money Laundering Directive), EDPB for transverse opinions.
In summary: articulation in four principles
Map KYC processing, qualify the legal basis, log accesses, delete what exceeds the legal obligation. These four verbs structure a framework compatible with both regulators. Competition is no longer played out only on the acceptance rate of new clients: it is now played out on the quality of articulation between regulatory compliance and user experience. A smooth KYC journey is also a minimalist one in data collection. If you would like to confront your current setup with this dual framework, we can discuss it together.
To go further, consult our KYC/eIDV compliance pillar for France, our KYC pillar, our eIDV pillar, our article how to implement a KYC framework and our comparison KYC vs eIDV. For a direct conversation, contact our experts.