You're asking clients to connect their bank. Here's how we protect that.
Olimey handles identity documents and bank-source transaction data. This page sets out exactly where that data goes, who processes it, and the controls around it — in plain terms your MLRO can take to a partner.
Encrypted in transit & at rest
All data is encrypted with TLS in transit and AES-256 at rest. Access is least-privilege and logged.
UK/EEA data residency
Client data is processed and stored in-region, under UK GDPR, with data-processing terms available on request.
Human-in-the-loop
No report is finalised without human sign-off. Your conveyancers clear straightforward matters; only higher-risk cases or potential SARs reach your MLRO. The judgement, and the accountability, stay with your firm.
Regulated providers. Connected directly.
We don't ask clients to email statements or photograph documents into an inbox. Identity and banking data are captured at source through regulated, FCA-authorised providers.
FCA-authorised open banking
FCA-authorisedThe client authorises a read-only connection to their bank through an authorised open-banking provider. Olimey receives categorised transactions, never sees login credentials, and cannot move money.
FCA-authorised identity
IdentityIdentity is verified by a regulated, FCA-authorised provider using a document check and a biometric liveness check.
Olimey runs on Supabase infrastructure, which is independently certified to SOC 2 Type II and ISO 27001. Olimey itself is not independently certified yet; our own information-security programme follows these frameworks. All data is processed within the UK/EEA. Our full subprocessor list and data-processing terms are available from our DPO at dpo@olimey.ai.
From client device to locked record.
Collected at source
Identity and banking data are captured at source through FCA-authorised providers over encrypted connections — never re-keyed, never emailed.
Processed in-region
Analysis runs within the UK/EEA under UK GDPR. Access is least-privilege, time-bound, and fully logged.
Signed & locked
On sign-off, the report and its evidence become an immutable record, retained for six years by default.
Retained or erased
Retention follows your firm's policy and statutory minimums. Erasure requests are handled under UK GDPR.
Designed around the rules you answer to.
Olimey is built to support — not satisfy on your behalf — your obligations under the UK AML regime. Your firm remains the regulated entity; we give you a defensible file.
- MLR 2017. Customer due diligence, ongoing monitoring and record-keeping supported by structured evidence.
- LSAG guidance. Source of Wealth and Source of Funds aligned to the legal-sector approach.
- UK GDPR. Lawful basis, data minimisation, residency and subject rights built into the workflow.
- Audit trail. Immutable, time-stamped, exportable — built for SRA/CLC and HMRC inspection.
Security FAQ
Does Olimey store bank login credentials?
Where is client data stored?
Who can see a client's file?
What happens to data after sign-off?
Does Olimey make the AML decision?
Need our security pack for due diligence?
Create your free account to get started, or contact our DPO at dpo@olimey.ai for data-processing terms, subprocessor details and our retention policy.