AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
Excerpt: On 1 July 2026, the EDPB and AMLA announced joint guidelines on “partnerships for information sharing” under AMLR Article 75, applicable from 10 July 2027. The aim is a GDPR‑compatible framework for AML/CFT data sharing.
Key facts
On 1 July 2026, the European Data Protection Board (EDPB) and the new Anti‑Money Laundering Authority (AMLA) announced they will develop joint guidelines to govern “partnerships for information sharing” between obliged entities (banks, investment firms, insurers, etc.) for anti‑money laundering and counter‑terrorist financing (AML/CFT). The new sharing possibility created by Regulation (EU) 2024/1624 (the “AMLR”) will apply from 10 July 2027, with a public consultation on the draft guidelines in H1 2027. The objective is to clarify how to share relevant data to detect financial crime while complying with the GDPR.
Legal framework and basis
- AMLR — Article 75. It establishes a legal framework for “partnerships for information sharing” between obliged entities, subject to safeguards. Entities must notify their supervisory authority; authorities (in consultation where appropriate with the data protection authority) verify compliance mechanisms, including a prior DPIA. The text allows, under strict conditions, the processing of special categories of data where necessary to prevent and combat money laundering and terrorist financing.
- GDPR interplay. The EDPB/AMLA guidelines will address the link with GDPR (legal bases, minimisation, retention, data subject rights). In practice, Articles 5(1)(a)-(c), 6(1)(c)/(e) and 9(2)(g) will be used as appropriate, with necessity and proportionality documented in the DPIA required by AMLR Article 75(4)(h). See our overview of the GDPR principles and alignment.
- Timeline and governance. The Article 75 sharing capability applies from 10 July 2027; a draft of the joint guidelines will be released for public consultation in H1 2027.
What this means for Luxembourg entities
For financial institutions and other obliged entities in Luxembourg (banks, investment firms, payment institutions, asset managers, insurers), this announcement triggers an AML/CFT data‑governance workstream that should start now. By 10 July 2027, groups and sector consortia may set up or join information‑sharing partnerships, but only if:
- a DPIA documents data flows and risks;
- internal policies/procedures precisely define purposes, roles, legal bases, “strict necessity” criteria, retention periods, and data subject rights handling;
- the competent supervisory authority is notified, and GDPR compliance is checked with the data protection authority (in Luxembourg: CNPD), with attention to GDPR compliance in Luxembourg.
The EDPB/AMLA announcement signals forthcoming interpretative guidance, giving Compliance/Risk and DPO teams a safer basis to calibrate lawfulness and minimisation of exchanges (including sensitive data where strictly necessary). For cross‑border groups (Luxembourg/Belgium/France/Germany), it eases the setup of common frameworks and harmonised internal controls, while requiring solid legal, technical and contractual preparation. Boards should approve the sharing policy and ensure alignment with existing setups (transaction monitoring, alerting, FIU filings, evidential retention) without purpose creep.
Practical actions this week
- Map AML/CFT information‑sharing use cases: risk typologies, data categories (including potentially sensitive), envisaged recipients, and list current gaps vs Article 75 (notification, access control, traceability).
- Launch the “partnership DPIA”: define purposes, legal basis/bases, strict necessity criteria, minimisation, retention, technical DPIAs (pseudonymisation/encryption), logging of consultations/exchanges; plan a DPO review and Compliance sign‑off.
- Prepare governance and agreements: internal policy draft, contractual clauses among partners (GDPR roles, AMLR Art. 75(4) responsibilities), data subject rights procedure, incident response plan, and notification pack for authorities ready by Q4‑2026; set a checkpoint in January 2027 to integrate the EDPB/AMLA draft as soon as it is published. Where relevant, consider a Luxembourg‑based DPO to coordinate locally.
Sources
- EDPB and AMLA to develop Joint Guidelines on partnerships for information sharing
- Regulation (EU) 2024/1624 — AMLR, Article 75: Exchange of information in the framework of partnerships for information sharing
To discuss your needs or request support, reach out via our contact page.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →