The EDPB AMLA guidelines: what they mean for AML information sharing and UK firms

In short: The EDPB AMLA guidelines will set out how AML information sharing partnerships work under GDPR once Article 75 of the EU AML Regulation takes effect on 10 July 2027. The EDPB and AMLA announced the joint drafting project on 1 July 2026, with a draft consultation due in the first half of 2027. UK groups with EU AML entities need to prepare now.
A bank or payment firm that spots a money laundering pattern often cannot tell a rival firm what it has found, even where sharing that detail would help both shut down the same fraud faster. The EU is opening a formal route around that constraint. From 10 July 2027, Article 75 of the EU AML Regulation lets firms in the regulated sector form AML information sharing partnerships. The European Data Protection Board and the EU Anti-Money Laundering Authority will jointly write the Guidelines that make those partnerships work under GDPR, a project the two regulators committed to on 1 July 2026. UK groups with EU banking, payments or e-money entities are the parties first affected.
The EDPB AMLA guidelines: why two EU bodies are writing joint guidance on Article 75
Article 75 sits in Chapter VI of Regulation (EU) 2024/1624, the EU AML Regulation (AMLR), and lets AML-regulated firms, and the public authorities that supervise them, exchange customer due diligence information, transaction detail and internal risk assessments through a formally constituted “partnership for information sharing”. The European Data Protection Board (EDPB) coordinates EU and EEA data protection supervisory authorities (the UK’s ICO sits outside that structure since Brexit and applies UK GDPR separately); the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), seated in Frankfurt am Main under Regulation (EU) 2024/1620, took up most of its tasks on 1 July 2025 and is due to take on direct supervision of the highest-risk firms by 2028. On 1 July 2026 the two bodies announced a joint drafting team to produce the EDPB AMLA guidelines on how a partnership is actually built: notification to the firm’s national supervisor, verification that a data protection impact assessment (DPIA) has been carried out (with data protection authorities consulted where relevant), and technical safeguards including measures to allow pseudonymisation.
The information-sharing possibility itself starts on 10 July 2027 for most obliged entities, and from 10 July 2029 for the small group named in Article 3(3)(n) and (o) of the AMLR. The Guidelines are the regulator-level detail on how a partnership complies with data protection law, not a new legal power in themselves. Article 75 already gives the power; the Guidelines address the practical question every compliance team asks next, which is what a partnership has to look like to survive a data protection authority’s scrutiny. The EDPB and AMLA plan a public consultation on the draft text in the first half of 2027, shortly before Article 75 takes effect.
AML information sharing: how the EU partnership model compares with the UK’s gateway
UK firms do not start this analysis from zero. The UK built its own version of this gateway years before the AMLR existed, in a different shape and through different instruments. Section 339ZB of the Proceeds of Crime Act 2002, inserted by the Criminal Finances Act 2017, lets a UK regulated-sector firm disclose information to another on request, notified to the National Crime Agency under section 339ZC. Section 339ZF, inserted by the same 2017 Act, protects a good-faith section 339ZB disclosure from any breach of confidence. The Economic Crime and Corporate Transparency Act 2023, sections 188 and 189, in force since 15 January 2024, added a second, broader gateway: it disapplies confidentiality and civil liability for direct and indirect disclosures a firm makes about a customer when it decides, on economic crime grounds, to end or restrict that customer’s access to a product. Neither gateway is unconditional: both ECCTA sections state expressly, at ss.188(11) and 189(10), that nothing in them authorises a disclosure that would contravene data protection law, or removes civil liability arising under it.
| Feature | What the UK regime requires | What the EU AMLR Article 75 partnership requires |
|---|---|---|
| Legal gateway | POCA ss.339ZB-339ZC (2017): firm discloses to another regulated firm on request, notified to the NCA. | AMLR Article 75: a constituted partnership among regulated entities and public authorities, notified to the supervisor. |
| Civil liability protection | POCA s.339ZF (2017) and ECCTA 2023 ss.188-189 (from 2024) disapply confidentiality and civil liability for AML disclosures, but not for any breach of data protection law. | Each member stays individually responsible for AML/CFT compliance; the Guidelines will set the supporting safeguards. |
| Data protection gate | ICO data sharing code and fraud guidance sit alongside POCA as good practice, not as a precondition in the gateway itself. | A DPIA is a precondition, verified by the supervisor before the partnership starts, consulting data protection authorities where relevant. |
| Scope of shareable data | SAR-related and general regulated-sector customer information, across POCA Schedule 9 businesses. | Customer due diligence data, beneficial ownership, transactions and risk assessments, for higher-risk customers. |
| Effective date | In force since 2017 (s.339ZB) and 2024 (ECCTA ss.188-189). | From 10 July 2027; Guidelines out for consultation in H1 2027. |
Compliance and operational implications for UK firms
For AML information sharing, the rule binds AML-regulated entities established in the EU first: credit institutions, payment institutions, e-money institutions and crypto-asset service providers, including the EU subsidiaries and branches many UK banking and payments groups now operate. From 10 July 2027 those entities can join or form an Article 75 partnership once their national supervisor has verified the required DPIA. UK group data protection officers and money laundering reporting officers sit one tier down: they own the governance behind that verification, and need the finished Guidelines, not just Article 75 itself, to design a partnership that passes supervisory scrutiny.
UK correspondent banks and payment firms that receive information from an EU partnership face a second, indirect exposure. That receipt is an international transfer of personal data out of the EU under EU GDPR, and the UK adequacy decision, renewed by the European Commission to run to 27 December 2031, is what keeps that transfer lawful without extra safeguards. UK-only firms with no EU AML footprint face no direct obligation under Article 75, but the Guidelines still matter to them as a design template: they show how a G7 data protection regulator expects a bank-to-bank information-sharing partnership to be built, safeguarded and supervised.
Cost and timeline sit ahead of the 10 July 2027 start date. A partnership cannot begin before its supervisor has verified the DPIA, so the assessment, governance documents and technical safeguards need to be substantially built before the Guidelines are finalised, working from the draft text once the H1 2027 consultation opens. Building to a lower standard risks two separate findings: an AML supervisory finding that the partnership was not properly verified, and a GDPR enforcement finding if the DPIA or its safeguards prove inadequate. Our data governance advice page covers the wider question of building compliant processing frameworks around a new statutory gateway.
Viewpoint
The UK solved a version of this problem before the EU did. Sections 339ZB and 339ZF of the Proceeds of Crime Act 2002 (2017) and the Economic Crime and Corporate Transparency Act 2023 (from 15 January 2024) already let regulated firms share money laundering information without the confidentiality and civil liability risk that used to prevent sharing, subject in both cases to a carve-out for data protection law. What the UK regime lacks is a data protection precondition built into the statutory gateway itself: the ICO’s data sharing code of practice sits alongside POCA, not inside it. Article 75 builds that precondition into the partnership from the start, through the mandatory DPIA the supervisor verifies before launch. UK groups with EU entities build to that higher bar as a direct consequence. For UK-only firms, the Guidelines matter for what they say about proportionate safeguards for smaller participants, the same question any future UK move toward a DPIA-style gate on the s.339ZB model would have to answer. The EDPB’s parallel joint-guidance project with the European Commission on competition law and data protection points the same way: UK groups with EU entities will meet a joint-regulator bar on every new statutory gateway touching personal data.
UK financial crime enforcement in 2026 already reaches beyond the customer to the bank or payment intermediary that processes a transaction. Article 75 partnerships point the same way: firms that share more information detect more, before enforcement becomes the issue.
Bratby Law advises banks, payment firms and e-money institutions with EU entities on structuring AML information-sharing arrangements alongside UK GDPR and EU GDPR obligations. For advice on preparing for Article 75 partnerships, contact Rob Bratby at Bratby Law.
