When using personal/transaction data for AML and fraud monitoring, how do you reconcile it with GDPR's lawful-basis and data-minimization requirements?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
There's a real tension: effective monitoring wants lots of data, GDPR wants minimal, purpose-limited processing. You reconcile it by identifying the correct lawful basis — usually 'legal obligation' (AML/CTF laws require monitoring) and/or 'legitimate interests' for fraud prevention, not consent (which a customer could withdraw). Then apply the GDPR principles within that: purpose limitation (use the data only for the stated compliance purpose, not marketing), data minimization (collect/retain only what's needed for the obligation), storage limitation (retain for the legally mandated AML record-keeping period, then delete), accuracy, and security. Document it in records of processing and, where monitoring is large-scale or uses profiling/AI, a Data Protection Impact Assessment. Where automated decisions significantly affect individuals, respect Article 22 safeguards (human review). The principle: the compliance obligation provides the lawful basis, but you still must minimize, limit purpose, secure, and time-box the data.
WHAT INTERVIEWERS LISTEN FOR
- ✓Lawful basis: legal obligation / legitimate interests, not consent
- ✓Apply purpose limitation and data minimization within that basis
- ✓Retain for mandated AML period then delete; secure the data
- ✓DPIA for large-scale/profiling; Article 22 safeguards for automated decisions
COMMON MISTAKES
- ✗Relying on consent as the basis for AML monitoring
- ✗Ignoring minimization/retention limits
- ✗No DPIA for large-scale profiling
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- Explain GDPR’s key principles.
- Explain the structure of MaRisk.
- Explain double materiality.
- What is the primary difference between model validation and model monitoring under SR 11-7?
- Walk me through IFRS 9 expected credit loss staging and what triggers a move from Stage 1 to Stage 2.
- What is individual senior-manager accountability (e.g., UK SMCR), and how does it change conduct risk management?