Artificial intelligence can detect irregularities in accounting and procurement before they cause damage. But how do companies reconcile compliance duties with data protection and employee rights?
Table of Contents
- From Reaction to Prevention
- How Does AI-Powered Fraud Detection Work?
- Anomaly Detection in Transaction Data
- Network Analysis and Relationship Detection
- Natural Language Processing for Communication Analysis
- Legal Framework: Duty and Limitation in One
- Compliance Duties as Legal Basis
- Anti-Money Laundering Under the GwG
- GDPR: The Data Protection Boundary
- § 26 BDSG: Employee Data Protection
- Whistleblower Protection Under the HinSchG
- Implementation in Practice
- Phase 1: Risk Analysis and Scoping
- Phase 2: Data Protection Impact Assessment
- Phase 3: Works Council Involvement
- Phase 4: Technical Implementation
- Phase 5: Ongoing Operations and Improvement
- The AI Act as a New Framework
- Conclusion: Seize Opportunities, Respect Boundaries
From Reaction to Prevention
For a long time, compliance meant uncovering rule violations after they had already occurred. Internal auditors reviewed samples, external auditors analysed annual accounts, and when fraud was discovered, the damage was usually already done. This reactive model is reaching its limits in the face of growing data volumes and increasingly sophisticated fraud methods.
Predictive Compliance reverses this approach: instead of documenting past violations, artificial intelligence identifies patterns and anomalies in real time – and provides warnings before damage occurs. The technology analyses transaction data, procurement processes, travel expense reports, and communication patterns to detect suspicious deviations from normal behaviour. For companies, this opens up enormous opportunities – but at the same time raises complex legal questions.
How Does AI-Powered Fraud Detection Work?
Anomaly Detection in Transaction Data
The core of modern fraud detection systems is anomaly detection. An AI model first learns the normal transaction patterns of a company – typical transfer amounts, timings, recipients, and approval chains. Every transaction that significantly deviates from this pattern is flagged as potentially suspicious and routed to review. A deviation is an indicator, not proof: how many flags are false positives, and how quickly they are triaged, matters as much as the detection itself.
Typical areas of application include:
- Accounting: Duplicate invoices, conspicuously round amounts, payments just below approval thresholds (so-called threshold splitting)
- Procurement: Conspicuous supplier concentrations, contracts awarded to shell companies, systematic avoidance of tendering requirements
- Travel and expenses: Implausible receipt patterns, inflated entertainment costs, temporal inconsistencies
- Payment transactions: Transfers to unknown accounts in high-risk jurisdictions, unusual payment times
Network Analysis and Relationship Detection
Advanced systems go beyond analysing individual transactions and create relationship networks. They identify, for example, whether an employee in the purchasing department has family or business connections with a frequently commissioned supplier – a classic corruption pattern.
Natural Language Processing for Communication Analysis
Some systems deploy Natural Language Processing (NLP) to analyse communication patterns. Emails, chat histories, and internal notes are screened for suspicious wording – such as instructions to bypass the usual chain of command or unusual confidentiality notices. This analysis is technically powerful but particularly sensitive from a data protection perspective: it is content monitoring of employee communication, and in practice it is only defensible as a narrowly scoped, suspicion-based investigation step, not as continuous screening of all staff.
Legal Framework: Duty and Limitation in One
Compliance Duties as Legal Basis
Companies are legally required to implement appropriate compliance measures. For the financial sector, specific requirements arise from the Minimum Requirements for Risk Management (MaRisk) issued by BaFin (the German Federal Financial Supervisory Authority). The Anti-Money Laundering Act (Geldwäschegesetz, GwG) obliges numerous industries to exercise due diligence, conduct risk analyses, and establish internal safeguards.
The IDW PS 980, as a recognised auditing standard, defines the principles for proper auditing of compliance management systems. It requires, among other things, an adequate monitoring and improvement system – a requirement that can be fulfilled particularly efficiently through AI-powered tools.
Anti-Money Laundering Under the GwG
The GwG subjects obligated entities within the meaning of § 2 GwG – including credit institutions, insurance companies, lawyers, tax advisers, and auditors – to comprehensive due diligence duties. These include:
- Know Your Customer (KYC): Identification and verification of business partners
- Transaction monitoring: Ongoing monitoring of business relationships
- Suspicious activity reports: Reporting obligation to the Financial Intelligence Unit (FIU) when money laundering is suspected
AI systems can support these duties significantly more efficiently than manual processes. They detect typical money laundering patterns – such as smurfing (splitting large amounts into many small transactions), layering (obfuscation through complex transaction chains), or unusual cash intensities – in real time and across large data volumes. The decision whether a flagged case is actually reported to the FIU remains a human one.
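The accounting patterns listed above (threshold splitting, duplicate invoices, off-hours payments) and the smurfing pattern just described belong to the same rule family: several payments that individually look unremarkable but together tell a different story. The following is an added example, not code from the original article or from any compliance product, showing how a rule-based first stage of such a system can be written so that every finding carries a human-readable reason. The payments, the 5,000 EUR approval limit, the 10 % "just below" band, the seven-day window and the business-hours definition are constructed assumptions; a real deployment takes them from the company's approval matrix.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real transactions): payments of a fictitious company.
# Columns: payment id, timestamp, vendor, amount in EUR, invoice number as entered.
SAMPLE_PAYMENTS = [
    ("P1", "2024-03-04T10:15", "V-100", 4900.00, "INV-771"),
    ("P2", "2024-03-05T11:02", "V-100", 4950.00, "INV-772"),
    ("P3", "2024-03-06T09:40", "V-100", 4800.00, "INV-773"),
    ("P4", "2024-03-06T14:20", "V-200", 12000.00, "INV-2001"),
    ("P5", "2024-03-07T14:25", "V-200", 12000.00, "inv 2001"),  # same invoice, resubmitted
    ("P6", "2024-03-09T02:47", "V-300", 730.00, "INV-9"),       # Saturday, 02:47
    ("P7", "2024-03-11T10:00", "V-400", 1500.00, "INV-55"),
]

# Assumed policy parameters; a real deployment takes these from the approval matrix.
APPROVAL_THRESHOLD = 5000.0       # single-signature approval limit
SPLIT_BAND = 0.10                 # "just below" = within 10 % under the limit
SPLIT_WINDOW = timedelta(days=7)  # payments this close together are economically one transaction
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59, Monday to Friday


@dataclass
class Finding:
    rule: str
    payment_ids: list
    reason: str  # human-readable explanation, so a reviewer can see why it was flagged


def parse(rows):
    return [{"id": i, "ts": datetime.fromisoformat(ts), "vendor": v, "amount": a, "invoice": inv}
            for i, ts, v, a, inv in rows]


def detect_threshold_splitting(payments, threshold=APPROVAL_THRESHOLD, band=SPLIT_BAND, window=SPLIT_WINDOW):
    """Threshold splitting / smurfing: several payments to one recipient, each just below the
    limit, close together in time, whose sum exceeds the limit. Each cluster is reported once."""
    near = defaultdict(list)
    for p in payments:
        if threshold * (1 - band) <= p["amount"] < threshold:
            near[p["vendor"]].append(p)
    findings = []
    for vendor, ps in near.items():
        ps.sort(key=lambda p: p["ts"])
        cluster = [ps[0]]
        for p in ps[1:] + [None]:  # None is a sentinel that closes the last cluster
            if p is not None and p["ts"] - cluster[0]["ts"] <= window:
                cluster.append(p)
                continue
            total = sum(q["amount"] for q in cluster)
            if len(cluster) >= 2 and total > threshold:
                findings.append(Finding("threshold_splitting", [q["id"] for q in cluster],
                    f"{len(cluster)} payments to {vendor} within {window.days} days, each within "
                    f"{int(band * 100)} % below the {threshold:.0f} limit, totalling {total:.2f}"))
            if p is not None:
                cluster = [p]
    return findings


def normalise_invoice(s):
    """'INV-2001', 'inv 2001' and 'Inv2001' are the same invoice to a human; make them equal here too."""
    return "".join(c for c in s.lower() if c.isalnum())


def detect_duplicate_invoices(payments):
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], normalise_invoice(p["invoice"]))].append(p)
    return [Finding("duplicate_invoice", [p["id"] for p in ps],
                    f"invoice {ps[0]['invoice']!r} from {vendor} paid {len(ps)} times "
                    f"(amounts {[p['amount'] for p in ps]})")
            for (vendor, _), ps in groups.items() if len(ps) > 1]


def detect_off_hours(payments, hours=BUSINESS_HOURS):
    return [Finding("off_hours_payment", [p["id"]],
                    f"{p['amount']:.2f} to {p['vendor']} released {p['ts']:%A %H:%M}")
            for p in payments if p["ts"].weekday() >= 5 or p["ts"].hour not in hours]


def run_all(rows=SAMPLE_PAYMENTS):
    payments = parse(rows)
    return (detect_threshold_splitting(payments)
            + detect_duplicate_invoices(payments)
            + detect_off_hours(payments))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.payment_ids}: {f.reason}")
```

On the sample data this yields exactly three findings: P1 to P3 as one splitting cluster (three payments of 4,800 to 4,950 totalling 14,650 within three days), P4/P5 as a duplicate invoice despite the differently typed invoice number, and P6 as a weekend payment at 02:47. The same `detect_threshold_splitting` function serves the AML smurfing case by swapping in the relevant reporting threshold instead of the internal approval limit. Note that the invoice normalisation is deliberately aggressive; in a real system it is the main source of false positives and should be tuned against the company's numbering scheme.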
GDPR: The Data Protection Boundary
The use of AI for compliance monitoring inevitably touches upon the personal data of employees. The General Data Protection Regulation (GDPR, known in German as Datenschutz-Grundverordnung, DSGVO) sets clear limits.
Art. 6 GDPR requires a legal basis for every data processing operation. For compliance monitoring, the primary bases are:
- Art. 6(1)(c) GDPR: Compliance with a legal obligation (e.g. GwG duties)
- Art. 6(1)(f) GDPR: Legitimate interests of the controller (fraud prevention), provided these outweigh the interests of the data subjects
Consent is not a workable basis here: given the imbalance of power in the employment relationship, it is rarely regarded as freely given.
Art. 22 GDPR is particularly relevant: data subjects have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning them. An AI system that automatically classifies an employee as suspicious and triggers consequences must therefore always include a human review step.
§ 26 BDSG: Employee Data Protection
§ 26 of the Federal Data Protection Act (BDSG) permits the processing of employees' personal data where this is necessary for the execution of the employment relationship or for the detection of criminal offences, provided there is a fact-based suspicion. Blanket, suspicionless monitoring of all employees would, conversely, be disproportionate and unlawful.
Practical consequence: AI-powered compliance systems must be configured to initially operate at an aggregated, anonymised level. Only when a statistically significant suspicion exists may the analysis be drilled down to the individual level – and even then only with the involvement of the compliance department and, where applicable, the works council.
Whistleblower Protection Under the HinSchG
The Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG), in force since July 2023, requires companies with 50 or more employees to establish internal reporting channels. Whistleblowers who report misconduct are protected against retaliation.
AI-powered fraud detection and whistleblower systems complement each other: while AI detects systematic patterns, whistleblowers provide contextual information that an algorithm cannot capture – such as knowledge of informal arrangements or personal motives. An integrated approach combining both channels significantly increases detection rates.
It is important to note that where an AI system identifies an employee as suspicious, this must not result in retaliation as long as the suspicion has not been confirmed through human review. The threshold for initiating employment law measures must be clearly defined and documented.
Implementation in Practice
Phase 1: Risk Analysis and Scoping
Every implementation begins with a thorough risk analysis: which fraud scenarios are particularly relevant for your company? Where are the greatest value leakage risks? Which data sources are available? The results determine the scope and focus of the system.
Phase 2: Data Protection Impact Assessment
Before deploying an AI-powered compliance system, a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR is required: systematic monitoring of employees using new technology is a processing operation likely to result in a high risk. The DPIA must evaluate in particular:
- Which personal data is being processed?
- On what legal basis does the processing take place?
- How is the principle of data minimisation implemented?
- What protective measures are in place?
- How is transparency towards affected employees ensured?
Phase 3: Works Council Involvement
In companies with co-determination obligations, the works council has a co-determination right when introducing technical facilities capable of monitoring employee behaviour and performance (§ 87(1) No. 6 of the Works Constitution Act, BetrVG). A works agreement governing the purpose, scope, access rights, and deletion periods of the AI system is strongly recommended.
Phase 4: Technical Implementation
The following principles should apply during technical implementation:
- Privacy by Design: Data protection is built into the system architecture from the outset
- Explainability: The system must be able to make transparent why a transaction was flagged as suspicious
- Human in the Loop: Every machine-generated suspicion report is reviewed by a human compliance officer
- Audit Trail: All system decisions, and the human review decisions taken on them, are logged in a tamper-evident manner
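The aggregated-first rule derived from § 26 BDSG (analyse pseudonymously, drill down to a person only on a statistically significant suspicion and with the compliance function involved) and the four principles above can be made concrete in a small pipeline. The following is an added example, not code from the original article or from any product; it assumes keyed HMAC pseudonymisation with a key held by compliance and never given to the analytics stage, median/MAD outlier scoring per department, a re-identification step that only works with a named reviewer and case reference, and a hash-chained log as the audit trail. The expense claims and the 3.5 cut-off on the modified z-score are constructed assumptions.

```python
import hashlib, hmac, json, statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not real data): monthly expense totals in EUR, one row per employee.
SAMPLE_CLAIMS = [
    ("E001", "Sales", 310.0), ("E002", "Sales", 280.0), ("E003", "Sales", 295.0),
    ("E004", "Sales", 1450.0),  # the planted outlier
    ("E005", "Sales", 305.0), ("E006", "Sales", 290.0),
    ("E101", "IT", 120.0), ("E102", "IT", 140.0), ("E103", "IT", 110.0),
]

# Assumption: the pseudonymisation key is held by compliance and never reaches the analytics stage.
PSEUDONYM_KEY = b"assumed-secret-held-by-compliance-only"
ESCALATION_SCORE = 3.5  # assumed cut-off on the modified z-score (Iglewicz-Hoaglin convention)


def pseudonymise(employee_id, key=PSEUDONYM_KEY):
    """Keyed HMAC token: stable for joins and counting, not reversible without the key."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def analytics_view(claims):
    """What the model is allowed to see: token, department, amount. No IDs, no names."""
    return [(pseudonymise(emp), dept, amount) for emp, dept, amount in claims]


def score_outliers(view, cutoff=ESCALATION_SCORE):
    """Per-department modified z-score (median/MAD). Mean and standard deviation are avoided
    on purpose: one large claim inflates both and can hide itself in a small group."""
    by_dept = defaultdict(list)
    for token, dept, amount in view:
        by_dept[dept].append((token, amount))
    suspects = []
    for dept, rows in by_dept.items():
        amounts = [a for _, a in rows]
        if len(amounts) < 3:
            continue  # too few peers for any statistical statement
        med = statistics.median(amounts)
        mad = statistics.median(abs(a - med) for a in amounts)
        if mad == 0:
            continue
        for token, amount in rows:
            z = 0.6745 * (amount - med) / mad
            if z >= cutoff:
                suspects.append({"token": token, "department": dept, "score": round(z, 1),
                                 "reason": f"{amount:.2f} against department median {med:.2f} (MAD {mad:.2f})"})
    return suspects


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to its predecessor, so an edited
    or removed entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, "ts": datetime.now(timezone.utc).isoformat(), **event}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ReidentificationGate:
    """The only place a token maps back to a person. Unmasking needs a named reviewer and a
    case reference and is itself written to the audit trail: the human step is not optional."""

    def __init__(self, claims, audit):
        self._lookup = {pseudonymise(emp): emp for emp, _, _ in claims}
        self._audit = audit

    def unmask(self, suspect, reviewer, case_ref):
        if not reviewer or not case_ref:
            raise PermissionError("re-identification requires a named reviewer and a case reference")
        self._audit.append(action="unmask", token=suspect["token"], reviewer=reviewer,
                           case=case_ref, score=suspect["score"], reason=suspect["reason"])
        return self._lookup[suspect["token"]]


def run_pipeline(claims=SAMPLE_CLAIMS):
    """Stage 1 scores the pseudonymous view; stage 2 (the gate) is only used by a reviewer."""
    audit = AuditTrail()
    suspects = score_outliers(analytics_view(claims))
    audit.append(action="score", population=len(claims), flagged=len(suspects))
    return suspects, ReidentificationGate(claims, audit), audit
```

Usage: `suspects, gate, audit = run_pipeline()` flags a single token in Sales with a modified z-score of about 77 and a reason string; `gate.unmask(suspects[0], reviewer="compliance.officer", case_ref="CASE-1")` returns `"E004"` and leaves an audit entry naming who unmasked whom and why, while `audit.verify()` detects any later edit to the log. The design choice worth noting is the separation of duties: the scoring code can be run by the analytics team without ever holding a key or an ID, which is what makes the "aggregated, anonymised level" more than a policy statement.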
Phase 5: Ongoing Operations and Improvement
A predictive compliance system is not a one-off project but a continuous process. Regular reviews include:
- Calibration of detection models (measuring the false-positive rate and tuning the trade-off against missed cases)
- Training compliance staff in handling AI-generated suspicion reports
- Documentation of all measures for external auditing under IDW PS 980
- Updates in response to changed regulatory requirements
The AI Act as a New Framework
The EU Artificial Intelligence Act (AI Act), most of whose obligations apply from 2 August 2026, classifies AI systems by risk level. Annex III lists AI systems used to monitor and evaluate the performance and behaviour of workers as high-risk, so compliance monitoring systems that influence decisions about employees are expected to fall into this category. This brings additional requirements:
- Transparency obligations towards affected persons
- Quality requirements for training data
- Human oversight of system outputs
- Documentation and registration duties
Companies beginning implementation now should already take these requirements into account.
Conclusion: Seize Opportunities, Respect Boundaries
Predictive Compliance offers companies the ability to detect fraud and regulatory violations significantly earlier and avoid considerable damage. The technology is mature, the areas of application are diverse. Yet deployment is not straightforward: GDPR, BDSG, HinSchG, and the AI Act set a tight legal framework that must be carefully observed. Those who maintain the balance between compliance duty and personal privacy gain a powerful instrument – those who ignore it risk not only fines but also the trust of their own employees.
At compleneo, we support you in the legally compliant implementation of AI-powered compliance systems – from risk analysis through data protection impact assessments to works agreements. Get in touch with us.