ACAMS Today, March-May 2025 | Page 52

EUROPE EXPRESS
The AI Act's provisions become applicable over the subsequent six to 36 months. Prohibitions take effect six months after entry into force, codes of conduct after nine months, general-purpose AI rules including governance after 12 months and obligations for high-risk systems after 36 months. 11
The European Commission's new AI Office, which will be responsible for enforcing and overseeing the new rules for general-purpose AI systems, should ensure that service providers fulfil their responsibilities and assist users in implementing these systems. Under sectoral legislation, financial institutions (FIs) remain ultimately responsible for the tools and services they outsource. The oversight framework set out in the Digital Operational Resilience Act for so-called "critical third-party service providers" could be useful here. 12
One of the key aspects relevant to the adoption of AI tools, besides the risks outlined in Graphic 1 above, is the set of considerations linked to data privacy. Under the General Data Protection Regulation (GDPR), 13 organizations must establish a legal basis for processing personal data. This can conflict with AML regulations that require the sharing of personal data and information, and it raises the need for adequate governance providing for the lawful transfer of data to be embedded in AML/CTF compliance programs.
GDPR requires organizations to ensure the lawfulness, fairness and transparency of data processing, which affects the way AML/CTF compliance is managed. AML/CTF professionals must take data protection and privacy measures into consideration at all times when building their compliance programs. The seven principles of GDPR 14 are set out in Graphic 2 below.
Graphic 2: AML/CTF in the context of GDPR and AI governance

[Diagram. Three layers, Regulation, Governance and Enforcement, connect data protection regulation, AI and RegTech, and anti-money laundering and counter-terrorist financing.]
GDPR principles shown: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.
AML/CTF and AI/RegTech governance elements shown: risk assessment; risk management; know your customer; transaction monitoring; controls and monitoring; cybersecurity; information security management.

Source: Jennifer Hanley-Giersch and the General Data Protection Regulation 15; Visualization by: Jennifer Hanley-Giersch