AI Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Explainer

AI in anti-money laundering and transaction monitoring

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

AI for anti-money laundering and transaction monitoring is not listed in Annex III of the AI Act, so it is usually not high-risk. The centre of gravity is the EU AML package and the GDPR. Watch the overlap with the fraud carve-out, and watch for bias in how suspicious transactions are flagged.

Short answer: AI for anti-money laundering (AML) and transaction monitoring does not appear in Annex III of the AI Act and is therefore as a rule not high-risk. The centre of gravity is the EU AML package and the GDPR. Even so, this is no free zone: the supervisory obligations under AML are strict, and bias in flagging suspicious transactions can wrongly affect customers.

Not in Annex III, but heavily regulated

The AI Act does not list AML or transaction-monitoring systems as high-risk. That does not make them unregulated: the legal duty to detect and report money laundering comes from AML law itself. AI is the means here, not the legal basis. The general AI Act provisions (such as transparency and the rules for general-purpose AI) continue to apply.

The EU AML package

The EU AML package adopted in 2024 bundles the rules into, among others, a directly applicable AML Regulation and establishes a European supervisor, the AMLA. Core requirements that touch AI monitoring:

  • Customer due diligence and ongoing monitoring: institutions must keep watching transactions for unusual patterns.
  • Reporting suspicious transactions: a signal from the system must lead to human assessment and, where needed, a report to the FIU.
  • Risk-based approach: the deployment of resources must be proportionate to the money-laundering risk.

AI helps to flag at scale, but the legal responsibility for the report and the assessment remains with the institution.

Overlap with the fraud carve-out and the GDPR

AML monitoring borders on fraud detection. To the extent a system detects financial fraud, it falls under the financial-fraud carve-out (covered in the separate explainer on AI financial fraud detection) rather than the creditworthiness high-risk category. AML monitoring itself is in any case not in Annex III. In both cases the GDPR applies fully: legal basis, purpose limitation and transparency, with the note that AML reporting duties provide their own legal basis. Where an automated signal amounts to an intrusive decision (for example a freeze), GDPR Article 22 is engaged and human intervention is required.

What to do

  • Keep a human in the loop: have an analyst assess every AI signal before a report or measure.
  • Manage false positives and bias: monitor whether certain groups are flagged disproportionately often.
  • Secure the GDPR route: record legal basis, retention periods and data-subject rights, mindful of Article 22.
  • Document model choices: make detection logic explainable for AMLA and national supervisors.
  • Connect to your AI governance framework and monitor data quality continuously.
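The first two points in the list above (human in the loop, false positives and bias) can be checked in code. The following is an added example, not code from the original article or from YRproject: it computes per-group flag rates and false-positive shares over constructed sample alerts, lists groups that are flagged disproportionately often, and models the gate that keeps an analyst between the model signal and any report. The group attribute, the record layout, the 4/5 ratio threshold and the outcome labels are assumptions for illustration; the article itself prescribes no threshold or workflow.

```python
"""Added example (not from the original article): bias and false-positive
monitoring over transaction-monitoring alerts, plus a gate that keeps the
human analyst between the model signal and any report or measure."""
from collections import Counter
from fractions import Fraction


def make_group(name, total, flagged, dismissed):
    """Build constructed alert records for one customer group.

    Each record holds the group label, whether the model flagged it, and the
    analyst's decision ('confirm' or 'dismiss') for flagged records only.
    """
    records = []
    for i in range(total):
        is_flagged = i < flagged
        decision = None
        if is_flagged:
            decision = "dismiss" if i < dismissed else "confirm"
        records.append({"group": name, "model_flagged": is_flagged,
                        "analyst_decision": decision})
    return records


# Constructed sample data (assumption: the institution can attribute alerts to
# a group it wants to monitor for equal-treatment purposes).
SAMPLE_ALERTS = (make_group("group_a", total=10, flagged=2, dismissed=1)
                 + make_group("group_b", total=10, flagged=5, dismissed=4)
                 + make_group("group_c", total=20, flagged=5, dismissed=2))


def flag_rates(records):
    """Share of each group's transactions that the model flagged (exact fractions)."""
    totals = Counter(r["group"] for r in records)
    flagged = Counter(r["group"] for r in records if r["model_flagged"])
    return {g: Fraction(flagged[g], totals[g]) for g in totals}


def false_positive_shares(records):
    """Share of each group's model flags that the analyst dismissed."""
    flagged = Counter(r["group"] for r in records if r["model_flagged"])
    dismissed = Counter(r["group"] for r in records
                        if r["analyst_decision"] == "dismiss")
    return {g: Fraction(dismissed[g], flagged[g]) for g in flagged}


def disproportionately_flagged(records, threshold=Fraction(4, 5)):
    """Groups flagged disproportionately often compared with the least-flagged group.

    ratio = lowest flag rate / group flag rate; a group is listed when its ratio
    falls below the threshold. The 4/5 threshold is an illustrative assumption
    (a common adverse-impact heuristic); the article prescribes no number.
    Because being flagged is the adverse outcome, the comparison runs against
    the least-flagged group rather than the most-selected one.
    """
    rates = flag_rates(records)
    lowest = min(rates.values())
    ratios = {g: (lowest / r if r else Fraction(1)) for g, r in rates.items()}
    over = sorted(g for g, x in ratios.items() if x < threshold)
    return ratios, over


def case_outcome(model_flagged, analyst_decision=None):
    """Human-in-the-loop gate: a model signal alone never becomes a report or measure."""
    if not model_flagged:
        return "no_action"
    if analyst_decision is None:
        return "pending_human_review"
    if analyst_decision == "confirm":
        return "report_to_fiu"
    if analyst_decision == "dismiss":
        return "closed_false_positive"
    raise ValueError(f"unknown analyst decision: {analyst_decision!r}")


if __name__ == "__main__":
    ratios, over = disproportionately_flagged(SAMPLE_ALERTS)
    fp = false_positive_shares(SAMPLE_ALERTS)
    for group, rate in flag_rates(SAMPLE_ALERTS).items():
        print(f"{group}: flag rate {rate}, ratio {ratios[group]}, "
              f"false-positive share {fp[group]}")
    print("disproportionately flagged:", over)
    print(case_outcome(True), case_outcome(True, "confirm"))
```

Fractions are used instead of floats so that a group sitting exactly on the threshold (group_c here, ratio 4/5) is compared exactly rather than by floating-point luck. The false-positive share per group is the second signal worth watching: a group that is both flagged more often and dismissed more often is the pattern the article's "disproportionately often" warning is about, and the analyst decisions that feed it only exist because every signal passes through `case_outcome` before anything is reported.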

AML AI is not high-risk AI under the AI Act, but it sits under a strict regime of its own. The human decides on the report; the model provides the signal.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): risk-based classification; transaction monitoring/AML is not in Annex III.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): processing of personal data and automated decision-making in AML monitoring.


About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
