This website requires Javascript for some parts to function propertly. Your experience may vary.

Rethinking preventive compliance screening – in a demanding legal environment | Hengeler Mueller News

Argus Eyes – The Blog on Internal Investigations, Crisis Management and Compliance

7 July 2026

Rethinking preventive compliance screening – in a demanding legal environment

Preventive compliance screening is an established part of compliance organisations in the financial sector due to regulatory requirements. However, it is also used in the real economy, for example for sanctions list screening and fraud detection. The rationale is clear: only by systematically identifying risks at an early stage can organisations prevent breaches before they occur. This applies even more in the current environment of ever-increasing requirements for corporate compliance. AI-powered tools open new possibilities here for preventing or detecting compliance breaches. Companies that recognise this opportunity early on and use it not only ensure regulatory certainty but also gain a genuine competitive advantage.

What AI-powered compliance screening can achieve

The key advantage of AI-powered compliance screening lies in its ability to analyse large and heterogeneous datasets automatically, in a risk-oriented and context-based manner. Traditional screening approaches rely on search terms and rigid sets of rules – AI systems, by contrast, capture the contextual content and thereby also identify issues that would have gone undetected in a conventional search-term analysis. At the same time, the rate of false positives is reduced, which significantly increases the efficiency of the entire review process.

The potential areas of application for compliance screening are diverse and can be divided into internal and external corporate scenarios: Internally, preventive compliance screening can, for example, detect at an early stage the unintended leakage of trade secrets, indicators of corruption, cartel agreements, sanctions breaches or insider trading – and does so in a risk-based manner, i.e. focusing on particularly exposed departments and functions or products carrying a high level of risk. Externally, AI-supported compliance screening is particularly suitable for due diligence on business partners, suppliers or M&A targets, for sanctions and PEP screenings, and for reputation and adverse media analyses.

Furthermore, screening can provide a measurable assessment of the effectiveness of the existing compliance management system, thereby making it easier to demonstrate to regulatory authorities that the compliance organisation is functioning effectively.

Required expertise

Effective and legally compliant AI-based compliance screening requires more than simply using an AI tool. Translating compliance knowledge into suitable screening workflows requires close collaboration between compliance experts and IT specialists. Only such a combined team can define the relevant screening scenarios and translate them into bespoke workflows tailored to the company’s specific risk profile, data landscape and industry context.

Methodological quality is crucial here: functionally narrow prompts ensure that the AI remains strictly bound to the intended purpose of preventive compliance screening. Random hits and incidental findings can be effectively minimised through careful data pre-filtering, precise definition of purpose and structured output formats. Humans must always remain in control – both in the design and review of workflows and in the assessment of AI results (“human-in-the-loop”).

Our firm’s proprietary AI solution, HM Argus, offers added value in this regard. The platform was developed specifically for the risk-based analysis of large datasets in a compliance and investigations context, and combines semantic document classification, scoring analyses (with relevance assessments) and context-based search in a single integrated solution. HM Argus also enables greater control over data security and processing procedures, integrates seamlessly into existing IT infrastructures and is continuously adapted to the specific needs of our clients. Furthermore, the use of a proprietary tool establishes a robust basis of trust with regulatory authorities, as the methodology can be fully documented and traced.

Preventive AI screening takes place within a demanding legal framework: In particular, when it comes to the preventive monitoring of employees’ communications, there are no specific grounds for suspicion, meaning that stricter data protection and employment law requirements apply, which should be considered at an early stage. Under data protection law, any processing of personal data requires a sound legal basis in accordance with the GDPR. Depending on the jurisdiction, national regulations may impose further requirements in addition to the GDPR.

Preventive monitoring of communications may be justified based on overriding legitimate interests. An employer is likely to have a legitimate interest in preventing and detecting criminal offences (such as the disclosure of trade secrets, insider dealing or corruption) and, for example, in preventing the unintended leakage of sensitive operational and business information, simply by virtue of its general (and, where applicable, specific regulatory) duties of conduct and organisation, as well as the duty of its management to act lawfully.

According to the case law of the Federal Labour Court, preventive compliance measures may be proportionate and permissible if they are carried out in accordance with abstract criteria and do not place any particular employee under suspicion. Furthermore, they must be transparent (i.e. not covert), carried out on a random basis, temporary (i.e. not permanent) and without performance monitoring. Conversely, preventive measures must not be designed in such a way as to create psychological pressure to conform and perform which, when viewed objectively, significantly restricts the freedom of those affected to plan and organise their actions of their own volition.

Against this background, it is even more important to strictly observe the principle of data minimisation, i.e. to process only as much data as is necessary to achieve the intended purpose. This can be ensured, for example, through risk-based use cases, narrowly defined prompts and a step-by-step approach (e.g. second-level deep dive, need-to-know principle). Equally important is communication with employees about the use of tools and their specific purposes.

The EU AI Act sets out additional requirements which must be carefully assessed on a case-by-case basis. Preventive compliance screenings, if designed appropriately, are unlikely to be classified as high-risk AI systems, if personnel decisions are made exclusively by humans and there is no profiling, real-time monitoring or performance monitoring. However, audit-compliant documentation and AI governance are essential in any case.

Finally, co-determination rights may be affected when AI-supported screening measures are implemented within a company. This legal framework is not an obstacle to such processes, but rather a mandate to shape them. Those who take it into account from the outset and document it properly will create a robust foundation for the use of AI. Against this backdrop, the involvement of specialist external advisers should be considered at an early stage.

Rethinking compliance screening

Compliance screening has long been a discipline of checklists and search terms – effective when dealing with the familiar, but blind to the unexpected. This is precisely where the transformative power of AI lies: it recognises not only what you are looking for, but also what you are not looking for at that moment. AI-powered screening works across languages, is context-sensitive and scales effortlessly across millions of data points – capabilities that no manual process can even come close to matching. The aim is compliance screening that is not only more time- and cost-efficient but also reaches a new level of quality.