AI in KYC/AML: Balancing Efficiency and Regulatory Responsibility
- Dudkowiak & Putyra
- 3 hours ago

By Piotr Putyra, Managing Partner, Barrister, Dudkowiak & Putyra
Financial institutions across the European Union are increasingly deploying artificial intelligence to strengthen their Know Your Customer (KYC) and Anti-Money Laundering (AML) frameworks. From automated identity verification and transaction monitoring to sanctions screening and suspicious activity reporting, AI tools promise to reduce false positives, accelerate onboarding, and free compliance teams to focus on genuinely high-risk cases. Yet this technological shift does not occur in a regulatory vacuum. EU financial entities must navigate a convergence of overlapping legal frameworks that impose strict conditions on how AI may be used in compliance operations.
The new EU AML package, anchored by the Anti-Money Laundering Regulation (AMLR) and the establishment of the Anti-Money Laundering Authority (AMLA), represents a paradigm shift. AMLA, now operational in Frankfurt, will directly supervise selected high-risk cross-border financial institutions beginning in 2028, enforcing a single rulebook across all 27 Member States. The AMLR, applicable from July 2027, replaces the previous patchwork of national transpositions with one uniform set of requirements for customer due diligence (CDD), beneficial ownership transparency, and risk profiling. Importantly, the framework encourages technology-driven compliance and the adoption of perpetual KYC processes, where institutions continuously monitor customer risk profiles rather than relying on static periodic reviews. For AI-powered compliance tools, this means that the regulatory environment is not merely permissive but actively anticipates the use of advanced technology, provided it operates within clearly defined boundaries.
Simultaneously, the EU Artificial Intelligence Act introduces an entirely new compliance layer. The AI Act, which entered into force on 1 August 2024, classifies AI systems used in credit scoring, fraud detection, AML risk profiling, and automated decision-making that affects access to financial services as high-risk. Full compliance obligations for these high-risk systems apply from August 2026, requiring financial entities to implement robust risk management systems, ensure human oversight, maintain transparency and auditability, use high-quality training data free from bias, and conduct ongoing post-deployment monitoring. Providers and deployers alike bear accountability: even where AI solutions are procured from third-party vendors, the deploying institution retains full responsibility for governance, oversight, and regulatory compliance. This dual accountability model underscores the importance of thorough vendor due diligence and contractual clarity when outsourcing AI capabilities.
The General Data Protection Regulation (GDPR) further constrains AI deployment in KYC/AML. Article 22 GDPR limits automated decision-making based on personal data, granting individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Financial institutions must therefore ensure that AI-driven compliance decisions incorporate meaningful human intervention. Moreover, GDPR’s requirements for data minimisation, purpose limitation, and lawful processing apply to all personal data collected during onboarding and ongoing monitoring, creating a tension between the expansive data demands of advanced AI models and the principle of proportionality. Institutions should also remain attentive to forthcoming guidance from national data protection authorities, which are expected to issue sector-specific interpretations as AI adoption in financial services accelerates.
The practical challenge for EU financial entities lies in reconciling these overlapping obligations. An AI system that effectively detects suspicious transactions may rely on opaque machine learning models that fail the AI Act’s explainability requirements. A perpetual KYC engine that continuously aggregates customer data may conflict with GDPR’s data minimisation principle. A fully automated onboarding process may satisfy AMLA’s efficiency expectations while breaching Article 22 GDPR if it lacks genuine human oversight. Navigating these intersections requires a compliance-by-design approach: embedding legal requirements into the architecture of AI systems from the outset, rather than treating regulatory compliance as a post-hoc addition. In practice, this means involving legal, compliance, and data protection teams from the earliest stages of AI system procurement and development.
Financial institutions that invest early in integrated compliance infrastructure - conducting gap analyses, establishing AI governance frameworks, and aligning internal policies with the forthcoming Regulatory Technical Standards - will be better positioned to meet the converging deadlines of 2026 and 2027. Cross-functional collaboration between compliance officers, data protection teams, IT architects, and senior management will be essential to ensure that AI systems are not only effective but also legally defensible. Industry bodies and regulators have signalled a willingness to engage with the sector on best practices, and institutions that participate actively in these consultations will gain valuable early insight into supervisory expectations. Those that treat AI adoption as purely a technological exercise, divorced from its legal implications, risk enforcement action, reputational harm, and the erosion of the very trust that KYC and AML frameworks are designed to protect.