Contents

You’re compliant… or you’re not!
Compliance is moving back up the corporate priority list
Multifaceted evidence
The challenge of managing data sources
But where is the compliance data?
Data: The Ultimate Arbiter of Compliance
From “Good Faith” to “Data-Driven Proof”
Data as Evidence: The Five Prerequisites

Data: Essential Regulatory Evidence 

All regulations require the organizations and individuals concerned to be able to provide tangible evidence of compliance. This is precisely what distinguishes actual compliance with requirements from a mere declaration of compliance. In many fields, this emphasis on evidence is already deeply ingrained, particularly in law enforcement and the judicial system where it is defined as “ that which serves to establish that something is true, to prove the reality of a situation." In law, evidence refers to any element that establishes the reality of a fact, a situation, or an obligation, and demonstrates its accuracy objectively. 

We’re compliant… or we’re not! 

Compliance does not tolerate approximation. Regulators—whether the ACPR, the AMF, or the FATF’s international standards—do not evaluate intentions, but rather demonstrable performance requirements. Evidence is a decisive factor here: it is binary by nature—either it exists or it does not. In this context, an organization cannot claim “partial” or “full” compliance without verifiable evidence to support it. 

Compliance is rising in the list of corporate priorities 

In fact, this principle is becoming less and less acceptable. According to a study by PWC on the priorities of the finance departments of French companies, regulatory compliance has risen from sixth place in 2024 to fourth place in 2026. “ Further illustrating the growing pressure stemming from regulatory complexity and the risk of penalties, compliance has emerged as the top priority, cited by 76% of companies ,” the study’s authors emphasize. It is a matter of “ pmaintain, or even increase, the resources dedicated to necessary transformation or compliance projects, in an environment where costs are constrained to remain stable or even decrease. ”  

Multifaceted evidence 

Evidence, as a demonstrable result, is based on data. In the context of AML-CFT compliance, this data takes many forms. Regulated entities must therefore be able to produce various categories of information and supporting documentation to demonstrate the effectiveness and robustness of their control mechanisms. 

– The evidence identification 

The basics of AML-CFT, including the KYC (Know Your Customer) approach! The organization must prove that it knows exactly who it is dealing with. For individuals, this generally includes a physical or digital copy of an official ID document as well as a recent proof of address (less than three months old). For businesses, the required documents include, in particular, an up-to-date Kbis extract, the current articles of incorporation, and the identification of Beneficial Owners—a central component of the anti-money laundering and counter-terrorism financing framework. 

– Risk analysis documentation 

The regulator does not merely require the collection of data, but also proof that the data has been properly analyzed. This specifically involves a risk classification, through a written document explaining why a customer is classified as “low,” “moderate,” or “high” risk, based on their country of origin, industry, or status as a Politically Exposed Person (PEP).  

– Evidence of due diligence (audit trail) 

In the event of an audit, the company must be able to reconstruct the history of the checks performed on a transaction. For any unusual transaction (large amount, complex structure, etc.), it must provide the supporting documents requested from the customer: invoices, real estate sales deeds, transfer agreements, proof of income (inheritance, casino winnings, etc.). Similarly, evidence must be provided that the detection system functioned properly, including alerts triggered by algorithms and the conclusions of the human analyst who decided to dismiss the alert or convert it into a suspicious activity report. 

– Proof of reporting (Tracfin) 

If a suspicion persists, the ultimate proof of compliance is the submission of a suspicious activity report (SAR). When a suspicious transaction has been identified but cleared, the company must be able to provide the analysis file explaining why the suspicion was cleared. 

– Evidence of governance and conservation 

All records must be retained for several years (generally five years) after the end of the business relationship or the completion of the transaction. Similarly, it must be possible to demonstrate that the AML-CFT framework AML-CFT tested and updated regularly. In the event of an audit, failure to produce this evidence is penalized as severely as money laundering itself, as it prevents the regulator from tracing criminal networks. 

The Challenge of Managing Data Sources 

In reality, collecting, centralizing, storing, and accessing data presents significant challenges. One of the long-standing issues—particularly in the fields of accounting, sales, and marketing—is ensuring that the data accurately reflects reality. This is the concept of SSOT (or Single Source of Truth), a practice that involves gathering all of a company’s data in a single location or within a single process.  This is difficult for several reasons: first, because much of the data is unstructured, making it relatively difficult to collect and analyze. Overall, unstructured data accounts for 80 to 90% of the data created by companies.  Second, because data management often relies on organizational silos (business units, multiple processes, legal entities, etc.) that do not communicate seamlessly. This is especially true when data is stored in Excel files and scattered throughout the organization, with no overall view.  Finally, because the culture of treating data as a central element of evidence is not always as widespread as it should be. And as the scope of compliance expands, with the strengthening of AML-CFT regulations, these challenges are becoming more pronounced.  

But where is the compliance data? 

This data management issue is also reflected in CSR-related compliance requirements. A study by Tennaxia, Bpifrance, and LCL, published in late 2024, indicates that more than one-third of the companies surveyed (36%) do not yet know how to locate all the data necessary for their ESG reporting. This difficulty stems in particular from the fragmentation of information, which is often stored in Excel files, even though it is essential for meeting reporting obligations.  Similarly, a study by Mimecast in 2026 reveals thatnearly 91% of organizations struggle to manage the governance and compliance of their data. At the same time, 59% of companies doubt their “ ability to quickly identify the information needed to meet regulatory or legal obligations. Against a backdrop of increasingly stringent legislation, this lack of visibility is a veritable time bomb for their security and legal liability ,” warn the study’s authors.  Added to this is a still-widespread lack of knowledge (and preparedness) regarding regulations, for example in the area of security: a survey by Ipsos for Okta showed that, in 2024, 26% of decision-makers claim to have no knowledge at all of the principles of the DORA regulation, the Digital Operational Resilience Directive. This is despite the media hype of the past two years and the fact that system security is a regulatory requirement! 

Data: The Ultimate Arbiter of Compliance 

It is in the area of AML-CFT data, as evidence, truly demonstrates its full potential. Money laundering relies on mechanisms of concealment, fragmentation, and reintegration of financial flows. To address this, data must meet three essential criteria in order to be considered conclusive: 

– Completeness 

"Know Your Customer" is no longer a stack of paper files, but a relationship graph. The data must verify the identity of the UBO (Ultimate Beneficial Owner). Without careful management of this data, the company risks a break in the chain of evidence. 

– Transaction granularity 

To detect a weak signal (such as a smurfing or money laundering through fragmentation), it is necessary to be able to isolate each individual transaction data point. 

– Temporality 

Regulatory evidence must be historical. The data must make it possible to reconstruct a scenario at a given point in time, proving that the decisions made at that time were based on the information available. 

From “good faith” to “data-driven evidence” 

A company can only demonstrate the absence of money laundering by establishing either that it has identified potential anomalies or that it has implemented systems capable of detecting them effectively. In this context, data is the concrete manifestation of due diligence. A well-structured data management system significantly enhances the auditability of controls by reducing human variability and standardizing decisions. Augmented intelligence can help improve the detection of anomalies in large volumes of data, complementing rule-based approaches.  Structuring data thus enables the creation of traceability that can be leveraged during audits: a log of actions, alerts, and decisions, designed to guarantee their integrity and allow for their reconstruction after the fact. It is this body of operational evidence that demonstrates to the regulator that the required controls have indeed been carried out.  

Data as Evidence: The Five Prerequisites  

– Ensure quality  

Incorrect data (a misspelled name, an incomplete address, etc.) is not just a technical error; it is a compliance violation. In the eyes of the law, poor-quality data is inadmissible evidence, leaving the institution vulnerable to financial penalties.  

– Collect and consolidate  

The main risk for an organization is data fragmentation. If payment data, customer data, and risk records do not communicate with one another, the “evidence” becomes incomplete and therefore invalid. 

– Retain evidence data 

Due to regulatory requirements, it is necessary to retain evidence and, therefore, have an effective (and auditable) storage process and tools in place. 

– Access data  

In the event of an audit, companies need quick access to evidence, which is difficult if it is scattered across multiple systems, departments, or geographic locations.  These challenges, which may seem insurmountable, actually have concrete solutions thanks to offerings from RegTech providers—including AP Solutions IO—based on automation, augmented intelligence, and decision traceability. In this context, data is no longer merely a byproduct of compliance systems: it becomes the very embodiment of regulatory evidence. Mastering one’s data thus amounts to documenting one’s compliance capabilities and operational robustness.  In the age of digital finance, does failing to control one’s compliance data amount to accepting one’s own condemnation in advance? To return to the analogy with the legal world, compliance data (provided, of course, that it is reliable…), the applications that manage it, and the information system that drives it are the primary exculpatory evidence for companies subject to AML-CFT  

Dominique Baumier
Sales and Marketing Manager – Compliance Specialist