FinCrime Central - Latest AML/CFT News & Vendor Directory

Global Banks Face Privacy Storm Over PEP Sharing Rules


An exclusive article by Fred Kahn

Financial institutions worldwide are now facing one of the toughest operational frictions in the AML landscape: balancing politically exposed person (PEP) monitoring obligations with restrictive data protection laws. As cross-border data flows expand, the legal boundaries set by the General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), and similar frameworks are tightening around the way financial institutions collect, process, and share PEP-related information. This complex intersection between compliance and privacy is reshaping global AML practices, forcing institutions to rethink how they monitor risk, document consent, and manage data transfers across jurisdictions.

Data Privacy vs Compliance in PEP Monitoring

PEP monitoring has always required enhanced scrutiny due to the inherent risk of corruption, bribery, and state-linked financial abuse. Financial institutions are required to identify and continuously monitor individuals who hold prominent public functions or have close associations with them. This includes verifying identities, establishing sources of wealth, and conducting ongoing transaction monitoring.

Yet the operational core of this obligation, gathering and sharing personal data, now clashes with privacy regimes designed to protect that very data. Under GDPR, any processing of personal data must meet conditions of legality, necessity, and proportionality. Transferring such data beyond the European Economic Area (EEA) requires either an adequacy decision or the implementation of safeguards like Standard Contractual Clauses (SCCs). Under LGPD, similar constraints apply: cross-border data transfers are only permitted if the recipient country offers equivalent protection or if contractual clauses ensure compliance.

This creates an immediate conflict. When a European bank or its branch in Brazil screens a global client for PEP status, the resulting information may need to be shared with parent entities, counterparties, or third-party screening vendors outside the EEA or Brazil. Without an adequate transfer mechanism, that exchange can technically breach privacy laws, even if the purpose is fully legitimate under AML obligations.

Supervisory authorities have acknowledged this tension. FATF has long encouraged cross-border collaboration in PEP screening, but data regulators increasingly remind institutions that "legitimate interest" is not a universal justification. Each transfer must be demonstrably necessary, proportionate, and subject to documented safeguards. The message is clear: compliance cannot justify indiscriminate sharing of personal information.

Recent Enforcement and Regulatory Pronouncements

Recent enforcement cases illustrate how seriously regulators are treating the issue of personal data transfers. In the European Union, data protection authorities have repeatedly fined multinational corporations for sending personal data to non-EEA jurisdictions without adequate safeguards. While most of these fines targeted technology firms, the underlying principles directly affect the financial sector, particularly when handling PEP and beneficial ownership data.

A defining example came with a record fine exceeding one billion euros against a global social media platform for transferring EU personal data to the United States without sufficient safeguards. Though unrelated to AML, the precedent demonstrates the scale of penalties institutions may face for similar cross-border data breaches. Financial institutions that share PEP data across regions (especially when using centralized databases or third-party screening vendors) operate under the same legal risk.

In Brazil, the national data protection authority (ANPD) has been steadily increasing its enforcement power under LGPD. The 2024 rules on international transfers now require entities to formalize Standard Contractual Clauses or Binding Corporate Rules before transmitting personal data abroad. Brazilian subsidiaries of multinational banks must therefore conduct new compliance assessments before sharing PEP-related data with their head offices in Europe or North America.

Meanwhile, European supervisory bodies such as the European Data Protection Supervisor (EDPS) and national data protection authorities have issued opinions emphasizing that transfers of personal data for purposes like AML must remain proportionate and safeguarded. They caution against blanket information-sharing systems that fail to differentiate between high-risk and low-risk profiles or that retain personal data indefinitely.

As AML authorities simultaneously demand more transparency around PEPs, beneficial ownership, and high-risk clients, compliance teams find themselves under opposing pressures: one pushing for more information sharing, the other restricting it. This is particularly acute for global banking groups operating across Europe, Latin America, and Asia, where divergent privacy laws can halt information flows essential to AML oversight.

The Compliance Dilemma of Cross-Border PEP Information

Balancing data privacy and AML compliance requires operational precision. Financial institutions must ensure that their AML objectives, especially PEP identification, are pursued in a legally defensible manner. That begins with understanding where conflicts typically arise.

First, processing personal data for AML purposes must have a clear legal basis. Under both GDPR and LGPD, compliance with a legal obligation is a valid basis, but this does not automatically cover every transfer. Institutions must demonstrate necessity, proportionality, and purpose limitation. The fact that AML rules require identifying PEPs does not permit sharing unrelated personal details or exporting entire data sets to foreign affiliates.

Second, international transfers of PEP-related information must rely on a legally recognized mechanism. For EU-based institutions, adequacy decisions or SCCs are standard solutions. Under LGPD, equivalent mechanisms now exist but require approval from ANPD. Without such frameworks, even routine PEP verification using non-domestic data providers may constitute an unlawful transfer.

Third, retention and minimization principles are often overlooked. AML frameworks typically require institutions to retain records for a minimum of five years following the end of a business relationship. Data protection regimes, by contrast, emphasize deleting personal information as soon as it is no longer necessary. Institutions must reconcile these timelines by ensuring documented retention policies explicitly cite AML regulatory obligations as justification.

Fourth, vendor and third-party risk is increasingly critical. Many institutions rely on commercial databases for PEP identification, often hosted in multiple jurisdictions. If these vendors store or process data in non-compliant countries, the financial institution remains liable for privacy violations. Vendor due diligence must therefore extend beyond AML performance metrics to include comprehensive privacy and data-transfer assessments.

Finally, there is a confidentiality paradox. AML laws typically prohibit disclosing the fact that a customer is under enhanced scrutiny, while privacy regimes often grant individuals the right to access and rectify personal data held about them. Financial institutions must navigate this contradiction carefully, ensuring that data-subject requests do not inadvertently compromise ongoing AML monitoring or suspicious activity reviews.

Strategic Frameworks for Managing the Conflict

Institutions can manage the growing friction between AML requirements and data-privacy rules by adopting an integrated compliance strategy built around governance, documentation, and proportionality.

1. Establish joint AML and Data Protection governance.
Creating a joint oversight committee that includes AML, data protection, and legal teams ensures that PEP-related data transfers are assessed holistically. This cross-functional approach helps document legal bases, minimize duplication, and ensure every transfer serves a defined compliance purpose.

2. Maintain a detailed data-transfer register.
Every cross-border PEP data exchange should be logged, specifying its purpose, destination, transfer mechanism, and retention schedule. This register becomes an essential control point for both AML and privacy audits.

3. Adopt Standard Contractual Clauses and Binding Corporate Rules.
Implementing SCCs under GDPR or their LGPD counterparts provides a defensible legal framework for transfers. These clauses should explicitly reference AML compliance obligations as the legitimate processing purpose, ensuring transparency and legal coherence.

4. Limit data to what is strictly necessary.
Screening systems should restrict data fields to essential information such as the PEP's name, public function, date of birth, and country of exposure. Any additional data, such as family details or wealth indicators, should only be processed when directly relevant to AML risk evaluation.

5. Strengthen vendor due diligence.
All external providers handling PEP data must undergo privacy-compliance assessments. This includes verifying where data is stored, how it is transmitted, and whether privacy certifications or adequacy mechanisms are in place. Contracts should clearly state data-handling expectations aligned with both AML and privacy laws.

6. Regularly review retention and deletion policies.
Institutions should maintain dual retention schedules that reconcile AML record-keeping requirements with privacy obligations. When data exceeds AML retention limits, anonymization or secure deletion should follow promptly.

7. Conduct privacy impact assessments on AML processes.
Before deploying new PEP databases or outsourcing screening, conduct Data Protection Impact Assessments (DPIAs) to evaluate cross-border risks and justify necessity. This proactive documentation often proves decisive during regulatory reviews.

8. Train compliance and data officers jointly.
Both AML and privacy teams must understand each other's frameworks. Regular joint training fosters awareness of overlapping obligations, particularly around lawful basis documentation and transfer restrictions.

Through these measures, institutions can defend their AML practices without breaching data-privacy standards. The goal is not to choose between privacy and compliance, but to build interoperability between both regimes.
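Items 2, 4 and 6 above describe controls that can be enforced in the screening pipeline itself rather than only on paper. The following is an added illustration, not code from FinCrime Central or any vendor: a transfer gate that refuses destinations with no recognised mechanism, refuses records whose AML retention period has elapsed, strips every field beyond the four the article lists as strictly necessary, and writes each transfer to a register. The destination-to-mechanism table and the sample record are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fields the article names as strictly necessary for PEP screening (item 4).
ALLOWED_FIELDS = {"name", "public_function", "date_of_birth", "country_of_exposure"}

# Constructed mapping of destination country to its recognised transfer basis
# (adequacy decision, SCCs or BCRs); None means no lawful mechanism is in place.
TRANSFER_MECHANISMS = {"DE": "adequacy", "US": "scc", "BR": "bcr", "XX": None}

AML_RETENTION_YEARS = 5  # minimum retention after the business relationship ends

# Constructed sample record; the two extra fields must never leave the jurisdiction.
SAMPLE_RECORD = {"name": "Example Person", "public_function": "Minister",
                 "date_of_birth": "1960-01-01", "country_of_exposure": "BR",
                 "spouse_name": "Example Spouse", "net_worth_estimate": 1}


@dataclass
class RegisterEntry:            # one row of the data-transfer register (item 2)
    purpose: str
    destination: str
    mechanism: str
    fields_sent: tuple
    retention_until: Optional[date]


def minimize(record: dict) -> dict:
    """Keep only the strictly necessary fields; everything else is dropped."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def retention_until(relationship_end: Optional[date]) -> Optional[date]:
    """AML retention deadline, or None while the relationship is still active."""
    if relationship_end is None:
        return None
    target_year = relationship_end.year + AML_RETENTION_YEARS
    try:
        return relationship_end.replace(year=target_year)
    except ValueError:          # 29 February rolls back to 28 February
        return relationship_end.replace(year=target_year, day=28)


def prepare_transfer(record, destination, purpose, relationship_end, today, register):
    """Gate a cross-border PEP transfer: mechanism, retention, minimization, then log it."""
    mechanism = TRANSFER_MECHANISMS.get(destination)
    if mechanism is None:
        raise PermissionError(f"no recognised transfer mechanism for {destination}")
    deadline = retention_until(relationship_end)
    if deadline is not None and today > deadline:
        raise PermissionError("AML retention period elapsed; record should already be deleted")
    payload = minimize(record)
    register.append(RegisterEntry(purpose, destination, mechanism, tuple(sorted(payload)), deadline))
    return payload
```

The register list is the audit artefact item 2 calls for: every entry records purpose, destination, mechanism and retention schedule, so both the AML and the privacy reviewer can reconcile it against the transfers that actually occurred.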

Aligning Privacy and AML Goals for the Future

The path forward lies in integration, not compromise. Financial institutions must design compliance architectures that inherently respect privacy principles while achieving AML objectives. This requires consistent collaboration between regulatory compliance and privacy functions, robust documentation, and the strategic use of technology that allows for selective data disclosure, encryption, and jurisdictional segregation.

As privacy regulators expand their reach and AML authorities tighten beneficial ownership and PEP expectations, the balance will only become more delicate. The next generation of compliance frameworks must recognize that privacy is not a competing interest but a prerequisite for sustainable, legitimate AML operations. Those that master this integration will not only avoid fines but will demonstrate a new model of responsible risk governance in global finance.
