Case Study 17.1: Maya's AML vs. GDPR Dilemma — The Subject Access Request from a Suspicious Customer
Overview
Institution: Verdant Bank Ltd — a UK-regulated challenger bank with approximately 340,000 retail customers and 12,000 small business customers. FCA authorised and PRA regulated.
Principal: Maya Osei, 32, Chief Compliance Officer. Two years in post. Background in financial crime compliance at a major high street bank before joining Verdant at launch.
Situation: A retail customer exercises their GDPR right of access under Article 15 while simultaneously being the subject of an active Suspicious Activity Report filed by Verdant's financial crime team with the National Crime Agency.
Regulatory frameworks in tension: UK GDPR (right of access, Article 15) vs. Proceeds of Crime Act 2002 (tipping-off prohibition, section 333A) vs. Money Laundering Regulations 2017 (AML data retention, regulation 40).
Period: Autumn 2025.
Setting the Scene
Verdant Bank had been running for four years and had grown faster than almost any challenger bank in its cohort. Its app was clean, its rates were competitive, and its compliance function — Maya's compliance function — had been built properly from the start.
Maya had made sure of that. She had arrived from a large institution where the compliance team was so large it had its own org chart. Verdant was different: lean, fast, with ten people in the compliance team covering a regulatory surface area that would have occupied fifty at a legacy bank. She had built a culture of precision. She did not tolerate "probably fine" as a compliance answer. Probably fine was how banks ended up on the front page of the Financial Times.
Which was why, when the email landed at 9:47 on the morning of Monday 1 September 2025, she read it twice before forwarding it to legal.
The email was a Subject Access Request — a SAR. It was from a customer. It was sent to Verdant's official data subject rights address, correctly formatted, with the customer's full name, account number, and a request for "all personal data that Verdant Bank holds about me, including account data, communications, and any risk assessments."
The request was routine. Verdant received between forty and sixty DSARs per month. Its process was solid: automated acknowledgement, identity verification, one-month clock, data assembly from across the relevant systems, quality review, redaction where necessary, dispatch.
But when Maya ran the name against the flagged accounts register — a check she had instituted after joining, requiring every DSAR to be cross-referenced against pending financial crime matters — she stopped.
D.K. was on the list.
Three weeks earlier, Verdant's transaction monitoring system had flagged a pattern in D.K.'s account: a series of structured cash deposits, each kept just below the size that would trigger an individual alert, combined with rapid onward transfers to three different overseas accounts, two of which appeared in the Dow Jones Risk & Compliance database as associated with a fraud network. The financial crime team had reviewed the pattern, consulted an experienced AML analyst, and filed a Suspicious Activity Report with the National Crime Agency on 12 August. They had received the NCA's consent (a defence against money laundering, or DAML) to continue processing D.K.'s transactions while the investigation continued.
D.K. did not know any of this. D.K. also did not know that telling him — in any way, directly or indirectly — that a SAR had been filed was a criminal offence.
And now D.K. was asking for everything Verdant held about him.
The Legal Framework: Four Competing Obligations
Obligation 1: The Right of Access (UK GDPR Article 15)
Article 15 of the UK GDPR gives every data subject the right to obtain confirmation of whether the controller is processing personal data concerning them and, if so, to receive a copy of that data together with specified supplementary information. The controller must respond without undue delay and within one month of receipt. The right is real, enforceable, and backed by ICO enforcement powers including fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious infringements.
D.K. had exercised this right. Verdant had an obligation to respond.
Obligation 2: The Tipping-Off Prohibition (POCA 2002, Section 333A)
Section 333A of the Proceeds of Crime Act 2002 makes it a criminal offence for a person in the regulated sector to disclose to another person information that is likely to prejudice a money laundering investigation, where the person knows or suspects that a money laundering investigation is being conducted, and the information on which the disclosure is based came to the person in the course of a business in the regulated sector.
The maximum penalty on conviction on indictment is two years' imprisonment, a fine, or both.
If Verdant told D.K. that an AML SAR had been filed in relation to his account — even implicitly, by declining to provide SAR-related records and explaining why — this could constitute tipping off. D.K., alerted to the investigation, might take steps to move funds, destroy evidence, or alert others under investigation.
Obligation 3: The AML Data Retention Obligation (MLR 2017, Regulation 40)
Regulation 40 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires firms to retain customer due diligence (CDD) records and transaction records for a minimum of five years beginning with the date on which the business relationship ends (or the date of the transaction, for occasional transactions). These records cannot be erased upon customer request. They must be retained. The obligation is also a ceiling: regulation 40 requires personal data obtained for the purposes of the Regulations to be deleted at the end of that period unless retention is required by another enactment or for court proceedings, or the data subject has consented.
Obligation 4: The DPA 2018 Schedule 2 Exemption (Paragraph 2)
The Data Protection Act 2018 provides the national implementing provisions for the UK GDPR. Schedule 2, Part 1, paragraph 2 ("crime and taxation: general") provides an exemption from the data subject rights provisions (including the right of access) to the extent that compliance would be likely to prejudice:
- The prevention or detection of crime
- The apprehension or prosecution of offenders
- The assessment or collection of any tax or duty
This is the statutory mechanism that resolves the tension. It is not a general opt-out from the access right; it applies specifically and only to the extent that providing access would prejudice the relevant law enforcement purpose.
The exemption requires a case-by-case judgment, documented at the time it is made: would providing this specific information to this requester be likely to prejudice this specific investigation?
Maya's Analysis
Maya sat with her head of legal, Kofi Asante-Addo, for two hours on the afternoon that the flagged cross-reference came through. They worked through it methodically, because methodical was the only way to work through something with criminal sanctions on one side and a regulatory fine on the other.
"First question," Maya said. "Is D.K. entitled to a response at all?"
"Yes," Kofi said immediately. "The right of access isn't optional. We can't just not respond because the customer is under investigation."
"So we respond. Second question: what do we provide?"
This was where it got complicated.
The data Verdant held on D.K. fell into several categories:
Category A — Core account data: Account agreement, personal details (name, address, DOB, National Insurance number), account number, sort code. No AML investigation connection. This was clearly disclosable.
Category B — Transaction history: Three years of transactions. The transactions were the basis of the SAR investigation, but the transaction records themselves were ordinary banking records. D.K. presumably knew what transactions he had made — they were his transactions. Providing transaction records did not reveal the investigation.
Category C — Risk monitoring flags and alerts: Verdant's transaction monitoring system had generated alerts on D.K.'s account. These alerts were the internal process records showing how the financial crime team had identified the suspicious pattern. Providing these records would reveal that D.K. had been flagged — and would reveal the specific indicators the system had used, effectively mapping Verdant's detection capabilities for D.K.'s potential future use.
Category D — The SAR itself: The text of the Suspicious Activity Report submitted to the NCA, the internal case file, the analyst's notes, the NCA consent to continue processing. Providing any of this would tip D.K. off directly.
Category E — Standard marketing and operational data: Email preferences, marketing consent records, app usage statistics, customer service call summaries (excluding financial crime calls). Standard data, disclosable.
"The answer writes itself," Kofi said after they had mapped it out. "A and E and B — standard account data — we provide. C and D we withhold under Schedule 2 paragraph 2. We tell him we're withholding some information under the DPA exemption for crime prevention. We don't explain what that information is. We don't tell him why specifically. We just cite the provision."
"Will he push back?" Maya asked.
"Almost certainly. He'll complain to the ICO. And the ICO will contact us. At which point we explain in confidence — to the ICO, not to D.K. — that an active financial crime investigation is in progress and that the AML SAR data is exempt. The ICO's guidance on this is clear: supervisory authorities can be informed of the basis for refusal even where the data subject cannot be."
"And the investigation?"
"We flag to the financial crime team that the DSAR has been received. That's relevant information for their risk assessment of D.K.'s conduct — filing a DSAR during an active investigation is not, in itself, suspicious, but it's material information for the case file."
The Response Process
Day 1 (1 September 2025): DSAR received. Automated acknowledgement sent to D.K. confirming receipt and the one-month response deadline (1 October 2025). Maya personally takes ownership of the request given the AML connection.
Day 2: Identity verification completed using D.K.'s online banking credentials (government ID verification on file from onboarding).
Day 2: Cross-reference with AML case file confirmed. Financial crime team notified of DSAR receipt. Internal legal review commenced.
Day 9 (9 September): Legal review complete. Determination: provide Category A, B (transaction records), and E data; withhold Category C and D data under DPA 2018 Schedule 2 paragraph 2. The exemption decision is documented in the case file with specific analysis of why disclosure of each withheld category would be likely to prejudice the ongoing financial crime investigation.
Day 10: Data assembly begins. Verdant's DSAR management platform (integrated with its core banking system) is used to extract:
- Account agreement and personal details
- Full transaction history (three years)
- Email and marketing preferences
- App usage summary
- Customer service call summaries (excluding any calls involving financial crime discussions)
Day 14: Quality review of assembled data. One redaction required: a customer service call recording in which a Verdant agent had briefly mentioned "fraud monitoring" in a generic context. Redacted as potentially suggestive. Internal note: "Redaction applied on precautionary basis to prevent any implicit reference to monitoring status."
Day 17: Response package prepared. Data provided in machine-readable format (CSV for transaction data, PDF for documents). Cover letter drafted.
Day 18 (18 September): Response dispatched to D.K. by secure electronic delivery within the online banking portal.
The Response Letter
The letter read, in relevant part:
Dear Mr [K.],
Thank you for your Subject Access Request received on 1 September 2025. We have completed our review of your request and are providing the following personal data that Verdant Bank holds in relation to your account.
Information provided: Please find enclosed your account details, full transaction history, communications preferences, and a summary of your digital banking activity with Verdant Bank.
Information not provided: Following a review of your request, Verdant Bank has determined that certain information is exempt from disclosure under Schedule 2, Part 1, paragraph 2 of the Data Protection Act 2018. This exemption applies where disclosure would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. We are unable to provide further details about the specific nature of the information withheld, as to do so would itself engage the exemption.
Your rights: If you believe that Verdant Bank has not handled your request appropriately, you may complain to the Information Commissioner's Office at ico.org.uk. If you make a complaint to the ICO, we will cooperate fully with the ICO's investigation, including providing information to the ICO that we are unable to provide directly to you.
Yours sincerely, Verdant Bank Data Protection Team
The Aftermath
D.K. did not immediately complain. He acknowledged receipt of the DSAR response and appeared to review the provided materials.
A few weeks later, in mid-October, the NCA investigation advanced. Working from the information in Verdant's SAR and corroborating information from a CIFAS fraud alert, the NCA obtained a Production Order under section 345 of the Proceeds of Crime Act 2002 requiring Verdant to produce further records directly to investigators.
The financial crime team cooperated fully. At no point was D.K. aware of the investigation until the NCA conducted its own approach.
Six months later — March 2026 — D.K. was arrested in connection with a wider fraud investigation involving multiple financial institutions. The case was built substantially on transaction records, including the records Verdant's financial crime team had identified.
Verdant's handling of the DSAR was later reviewed by the ICO as part of its routine monitoring of financial services data subject rights handling. The ICO's assessment: the partial refusal was appropriately applied, the DPA 2018 Schedule 2 paragraph 2 exemption was correctly invoked, and the response letter was a model of appropriate handling. The review was closed without further action.
Lessons and Analysis
1. The "SAR vs. SAR" Confusion Problem
In financial services, "SAR" means two different things: Subject Access Request (the GDPR data subject right) and Suspicious Activity Report (the AML filing). This terminological collision is not merely an inconvenience — it creates genuine risk in case management. Verdant's financial crime team initially misread the internal escalation note as concerning an AML SAR until the compliance team clarified. Maya subsequently amended the internal case management system to use "DSAR" (Data Subject Access Request) as the standard terminology for all data rights requests, reserving "SAR" exclusively for AML reports.
2. The Scope of the Schedule 2 Paragraph 2 Exemption
The exemption is specific, not general. It covers only information whose disclosure would be likely to prejudice the relevant law enforcement purpose. Maya's team correctly applied it to Category C and D data (the monitoring alerts and the SAR itself) but correctly provided Category B data (transaction records) even though those transactions were the subject of the investigation. D.K.'s own transaction history was not privileged by the investigation: it was his data, and the right of access applied to it.
This distinction matters enormously. A bank that reflexively withholds all data related to any flagged customer would be overusing the exemption. The ICO would scrutinise this, and a challenge by the data subject could succeed.
3. The "Implicit Tipping Off" Risk
The greater practical risk was not the direct provision of AML SAR records but the implicit signal that their withholding might send. If a response letter says "we are withholding some information under the crime prevention exemption" to a customer who has no knowledge of any investigation, the customer may be alerted that something is happening. This risk cannot be entirely eliminated — the ICO's guidance acknowledges it — but the response must not go further than the statutory language requires.
Verdant's response letter was carefully drafted to say nothing beyond what the exemption required: that some information is withheld, that the DPA 2018 Schedule 2 paragraph 2 exemption applies, and that the data subject can complain to the ICO. No language suggested the nature, volume or category of the withheld information, and the wording would have been identical whether one record or a hundred had been withheld.
4. Process Design: The Cross-Reference Check
The single operational decision that made Verdant's handling of this situation tractable was Maya's prior investment in a cross-reference check between incoming DSARs and flagged accounts. Without that check, the DSAR could have been assigned to a member of the data rights team with no knowledge of the AML investigation, who would have assembled and dispatched the complete data package — including, potentially, Category C monitoring alerts — before anyone with financial crime knowledge reviewed it.
The cross-reference check added approximately fifteen minutes to the processing of each of the forty to sixty DSARs Verdant received each month. Maya considered it among the most valuable fifteen minutes her team spent.
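The cross-reference check described in the Response Process and in this lesson, written out as an added Python example (this is illustrative code, not Verdant's DSAR platform or any real vendor's product). A single intake function looks the requester up in a flagged accounts register before any data is assembled, withholds the Category C and D records only when the requester matches an open case, applies the precautionary phrase redaction from the Day 14 quality review, calculates the one-month deadline, writes the internal exemption note for the case file, and returns a fixed letter clause that does not vary with what was withheld. The register layout, category labels, phrase list, case identifiers and sample records are all constructed for the example.

```python
"""DSAR intake triage with an AML cross-reference check.

Added example, not Verdant Bank's code. The register layout, category labels,
phrase list and sample records below are all constructed for illustration.
"""
import calendar
import re
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Category(str, Enum):
    A_ACCOUNT = "A"        # core account data
    B_TRANSACTIONS = "B"   # transaction history
    C_MONITORING = "C"     # transaction monitoring flags and alerts
    D_SAR_CASE = "D"       # Suspicious Activity Report case file
    E_OPERATIONAL = "E"    # marketing and operational data


# Categories whose disclosure would be likely to prejudice an open investigation
# (DPA 2018 Schedule 2, paragraph 2). Applied only when the requester is flagged.
EXEMPT_WHEN_FLAGGED = {Category.C_MONITORING, Category.D_SAR_CASE}

# Phrases in customer-facing free text that could hint at monitoring status.
# Constructed list; in practice maintained by the financial crime team.
TIPPING_OFF_PATTERN = re.compile(
    r"\b(fraud monitoring|suspicious activity|financial crime|monitoring status)\b", re.I
)

# Fixed wording for the letter: never varies with what, or how much, was withheld.
EXEMPTION_CLAUSE = (
    "Certain information is exempt from disclosure under Schedule 2, paragraph 2 of "
    "the Data Protection Act 2018, which applies where disclosure would be likely to "
    "prejudice the prevention or detection of crime or the apprehension or prosecution "
    "of offenders. We are unable to provide further details of the information withheld."
)


@dataclass
class Record:
    category: Category
    text: str


@dataclass
class TriageResult:
    restricted: bool                  # True when an open AML case matched
    deadline: date                    # one month from receipt
    disclosed: list = field(default_factory=list)
    withheld: list = field(default_factory=list)
    redactions: list = field(default_factory=list)  # (category, original text)
    case_note: str = ""               # internal only, never sent to the requester


def response_deadline(received):
    """One calendar month from receipt; if that month is shorter, its last day."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


def cross_reference(customer_id, flagged_register):
    """Look the requester up in the flagged accounts register; open case id or None."""
    return flagged_register.get(customer_id)


def triage_dsar(customer_id, records, flagged_register, received):
    """Route the request and decide, record by record, what is disclosed, withheld or redacted."""
    case_id = cross_reference(customer_id, flagged_register)
    result = TriageResult(restricted=case_id is not None, deadline=response_deadline(received))
    for rec in records:
        if case_id and rec.category in EXEMPT_WHEN_FLAGGED:
            result.withheld.append(rec)
        elif case_id and TIPPING_OFF_PATTERN.search(rec.text):
            # Precautionary redaction of generic references, as in the Day 14 review.
            result.redactions.append((rec.category, rec.text))
            result.disclosed.append(Record(rec.category, TIPPING_OFF_PATTERN.sub("[redacted]", rec.text)))
        else:
            result.disclosed.append(rec)
    if case_id:
        cats = sorted({rec.category.value for rec in result.withheld})
        result.case_note = (
            f"DSAR received {received.isoformat()} matched open case {case_id}. "
            f"Withheld {len(result.withheld)} record(s) in categories {cats} under DPA 2018 "
            f"Sch 2 para 2 (likely to prejudice prevention or detection of crime); "
            f"{len(result.redactions)} precautionary redaction(s)."
        )
    return result


def exemption_clause(result):
    """Letter wording: empty when nothing was withheld or redacted, otherwise the fixed text."""
    return EXEMPTION_CLAUSE if (result.withheld or result.redactions) else ""


# Constructed sample data: one flagged customer and one record per category.
FLAGGED_REGISTER = {"CUST-0001": "FC-2025-0107"}
SAMPLE_RECORDS = [
    Record(Category.A_ACCOUNT, "Account ending 4321, opened 2021-06-14"),
    Record(Category.B_TRANSACTIONS, "2025-07-30 CASH DEPOSIT 9400.00 GBP"),
    Record(Category.C_MONITORING, "Alert TM-0419: structuring pattern, four deposits in six days"),
    Record(Category.D_SAR_CASE, "SAR filed with NCA 2025-08-12; consent to continue processing received"),
    Record(Category.E_OPERATIONAL, "Call 2025-08-03: card limit query; agent mentioned fraud monitoring in passing"),
]

if __name__ == "__main__":
    res = triage_dsar("CUST-0001", SAMPLE_RECORDS, FLAGGED_REGISTER, date(2025, 9, 1))
    print("deadline:", res.deadline, "| restricted:", res.restricted)
    print("disclosed:", [r.text for r in res.disclosed])
    print("case note:", res.case_note)
    print("letter clause:", exemption_clause(res))
```

Two design choices carry the tipping-off point. The exemption and redaction branches run only when the register returns a case, so an unflagged customer whose call note happens to mention fraud monitoring receives it unchanged; over-applying the exemption to every customer is the misuse Lesson 2 warns against. And the letter clause is a constant, so neither the number of withheld records nor their category can be inferred from the response; the detail lives only in the internal case note, which is what would be shown to the ICO on a complaint.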
5. Regulatory Coordination
The FCA's Financial Crime Guide and the ICO's guidance on data protection and crime both contemplate situations of this kind. They do not contradict each other. The FCA expects firms to comply with AML obligations including the tipping-off prohibition. The DPA 2018 provides the Schedule 2 paragraph 2 exemption for precisely this purpose, and the ICO's guidance explains how to apply it. The two regulatory frameworks are designed to work together, not to conflict.
The resolution of the Maya scenario is not a creative workaround — it is the intended operation of the legal framework, applied precisely.
Discussion Questions
- Maya's cross-reference check added minimal time per request but was critical in identifying this situation. What other cross-reference checks might a financial institution usefully build into its DSAR process?
- If D.K. had complained to the ICO, what information would Verdant have been able to provide to the ICO that it could not provide to D.K. directly? How does this asymmetry protect both the investigation and the data subject's right to regulatory oversight?
- Suppose the NCA investigation had concluded with no charges against D.K. and the SAR was closed. At that point, should Verdant have proactively re-contacted D.K. to offer him the data originally withheld? What considerations would apply?
- Verdant's redaction of the customer service call recording that mentioned "fraud monitoring" was applied "on a precautionary basis." Was this the right call? Could a challenger to the redaction argue that generic references to fraud monitoring do not engage the tipping-off prohibition?
- How should Verdant's Record of Processing Activities (RoPA) entry for "AML transaction monitoring" describe the data subject rights position? What language should it include to document the potential application of the Schedule 2 paragraph 2 exemption?