A company is subject to AML obligations.
Good.
Does that mean it can search absolutely everything about a client?
AML and KYC are often treated like a magic sentence:
We have to check the client.
But checking a client does not mean collecting everything that can be found.
Search engines. Social networks. Public registers. Sanctions lists. Media articles. Old posts. Photos. Comments. AI tools for risk scoring.
And suddenly the company is not only doing KYC.
It is doing digital detective work.
The question is simple:
Where is the line between required due diligence and disproportionate surveillance of a person?
What AML asks
AML asks important and legitimate questions:
- Do you know your customer?
- Can you identify the beneficial owner?
- Do you understand the purpose of the business relationship?
- Can you assess the risk?
- Are you monitoring suspicious transactions?
These are real obligations. They exist for a reason.
But they still need boundaries.
What GDPR asks
GDPR asks a different set of questions:
- What is the legal basis?
- Is the data proportionate?
- Is it necessary?
- Do you know where it came from?
- How long do you keep it?
- Are you using profiling?
That means AML does not automatically override every privacy principle. A compliance obligation is not a permission to collect without limits.
The company still needs to understand what data it processes, why it processes it and whether the processing is proportionate to the actual risk.
What AI adds
AI adds another uncomfortable question:
Can the company explain why a client was marked as risky?
If an external tool scans the internet and generates a risk score, it is not enough to say:
The system evaluated it this way.
That answer may be convenient, but it is not governance.
A risk score without explainability can become a black box. A black box used in KYC can quickly become opaque profiling.
And opaque profiling is exactly where legal, operational and reputational problems start.
KYC without rules becomes profiling
KYC without clear rules can become uncontrolled profiling.
AML obligations are not a blank cheque for unlimited data collection.
If a company uses an external KYC or screening tool, it should be able to answer basic questions:
- What sources does the tool use?
- Does it use social media?
- Does it use AI scoring?
- Can the result be explained?
- How are false positives handled?
- Who performs the human review?
- Where is the data stored?
- How long is it retained?
- Has the supplier been assessed?
- Does the company have an audit trail?
These are not theoretical details. They decide whether the process is controlled or whether the company is simply outsourcing risk to a tool it does not fully understand.
The opposite risk
The biggest AML/KYC risk today is not only that a company fails to check the client.
There is also the opposite risk:
that the company checks the client so aggressively and so automatically that it creates a new legal and reputational problem for itself.
That problem may not appear during onboarding. It may appear later, when the client asks what data was used, why a decision was made, or why an AI-based tool classified them as risky.
The principle
KYC should mean:
Know Your Customer.
It should not mean:
Know Everything Forever.
And it definitely should not mean:
Let AI Decide Without Evidence.
AML, GDPR and AI governance need to meet in the same process. Otherwise, customer due diligence can become something very different from what it was supposed to be.