Abstract
AI systems can assist in fulfilling AML/CFT obligations within the revised EU AML framework. To function accurately, these AI-enhanced AML systems require extensive training on datasets, including personal data. This paper examines the legal grounds under the General Data Protection Regulation (GDPR) for processing such data, with a focus on compliance with legal obligations [Article 6(1)(c) GDPR] and legitimate interest [Article 6(1)(f) GDPR]. The paper argues that, while legal obligation may not provide a sufficient basis due to the lack of explicit mandates requiring AI use, legitimate interest presents a viable alternative, dependent on a rigorous test. By scrutinising the necessity of balancing financial institutions’ need for AI-enhanced AML/CFT tools with EU data protection law, this paper underscores the significance of safeguards to mitigate risks associated with such tools, including bias, transparency shortcomings, and challenges in exercising data subject rights.
| Original language | English |
|---|---|
| Pages (from-to) | 72-92 |
| Number of pages | 21 |
| Journal | Information & Communications Technology Law |
| Volume | 35 |
| Issue number | 1 |
| Early online date | 31 May 2025 |
| Publication status | Published - 2026 |
UN SDGs
This output contributes to the following UN Sustainable Development Goals (SDGs)
- SDG 10 Reduced Inequalities
- SDG 17 Partnerships for the Goals
Keywords
- anti-money laundering
- AML
- CFT
- AI
- legal grounds
- personal data processing
Fingerprint
Dive into the research topics of 'Harnessing AI for AML/CFT: Legal grounds for training AI on personal data for AML/CFT under EU data protection law'. Together they form a unique fingerprint.