10 July 2027 — AMLR Article 75 becomes enforceable. Institutions building governance now will be ready.

Guidance · AMLR Article 75

Intelligence sharing for AML: a practical guide

AMLR Article 75 makes financial crime intelligence sharing a structured supervisory expectation. Built on five years of running live networks, this guide translates the regulation and distils our operational experience.

Get the guide
Taavi Tamkivi Taavi Tamkivi Co-founder & CEO · Foreword
Diana Karyan Diana Karyan Legal Counsel · Sections 3–10
Applies from10 July 2027
JurisdictionEU · EEA · Cross-border
Based on5 years live · 100+ institutions
Also coversGDPR · Tipping-off · Banking secrecy

Inside this guidance

01 · Foreword 02 · Executive summary 03 · The legal foundation 04 · Guiding principles 05 · When & why to collaborate 06 · Deciding to share 07 · Technology & controls 08 · What can be shared 09 · Request standards 10 · Unjustified requests

Foreword

The shift from optional to expected

Taavi Tamkivi Taavi Tamkivi Co-founder & CEO, Salv

Anyone reading this will know that financial crime moves faster than the controls most teams have in place to catch it. Most fincrime teams still work in silos. Not by choice. Because collaboration is operationally and technically complex, and most of us are stretched thin already. We built Salv Bridge to fix that.

We have been building cross-border intelligence sharing networks and stress-testing them against the regulatory standards they must meet. Today, Salv Bridge connects more than 100 financial institutions across the EU and UK, running live exchanges every day. In one market, the median fraud response time has dropped to 14 minutes. Across the same network, participating banks have prevented an estimated €3 million in customer losses.

14 min Median fraud response time in one market on the Salv Bridge network
€3M+ Estimated customer losses prevented across the network
100+ Financial institutions connected across EU and UK

The shift this guide covers, from optional collaboration to a structured supervisory expectation under the EU Anti-Money Laundering Regulation (AMLR) Article 75, is both operational and legal. The institutions reading it will need to act on both fronts. The direction of regulatory travel is clear. Regulators will ask: show us exactly how you share intelligence.

AMLR Article 75 is the legislative answer to a question many AML teams have been carrying for years: when can we share what we know with another obliged entity, and on what basis? The framework is clear in direction. It is, in places, still being clarified in practice, particularly on cross-border supervisory notification, on the precise contours of "strictly necessary", and on how tipping-off prohibition interacts with platform-mediated exchange.

Two practical points sit at the centre of this guidance. The first is that banking secrecy obligations in the EU markets are no longer the obstacle they were assumed to be: the statutory carve-outs that always existed are now squarely engaged by Article 75 once a partnership is properly constituted. The second is that anchoring the arrangement within an Article 75 partnership substantially strengthens the GDPR position. The processing remains under Article 6(1)(f) — Article 75 authorises partnership-based sharing but does not compel participation, so Article 6(1)(c) is not available — but the EU legislator's express recognition of the partnership framework does much of the heavy lifting on the necessity and balancing prongs of the legitimate-interests assessment that institutions otherwise carry alone.

This is the working document we use with the institutions joining Salv Bridge, formed over five years of operation. Where the rules are still evolving, we have flagged it. Where they are settled, we have said so plainly. For PSPs whose remit also covers fraud-specific obligations under PSR Article 83a, our companion guide treats that framework in the same depth. If you have questions, or want us to sense-check your approach, get in touch.


Executive summary

Points of attention for institutions, based on our experience

01

Intelligence sharing is now a supervisory expectation

AMLR Article 75 establishes the framework for obliged entities. Informal cooperation will not meet supervisory expectations from July 2027.


02

AMLR and GDPR converge on every exchange

AMLR Article 75 authorises the partnership framework; GDPR supplies the lawful basis (Article 6(1)(f), reinforced by Article 75) and the data protection constraints that operate alongside. Both regimes must be satisfied for an exchange to be lawful — and their interaction is not yet fully harmonised.


03

More data sharing is not better

Article 75 is anchored in the strictly necessary standard. Scalable solutions depend on standardisation and clear suspicion thresholds, not volume.


04

Consortium models are structurally necessary

Consortium-based models are structurally necessary, not just efficient. Only coordinated approaches deliver consistent rules, shared governance, and scalable network effects.


05

Early-stage sharing remains a grey area

Article 75 is clear once suspicion is established. Pre-suspicion collaboration is less defined and requires careful structuring.


06

Tipping-off risk is two-sided

AMLR binds receiving institutions as well as requesting ones. The analysis must be applied at the point of acting on incoming intelligence — not assumed away by platform design.


07

Data sharing is becoming core to risk management

Beyond detection, it supports offboarding decisions, enhanced due diligence, and the evidentiary record supervisors expect on examination.


08

The framework is directionally clear, operationally evolving

Institutions that establish well-governed, adaptable frameworks now will be best positioned to comply as standards mature.


Section 03

What AMLR Article 75 actually establishes

Diana Karyan Diana Karyan Legal Counsel, Salv

The AMLR, specifically Article 75, establishes the conditions under which obliged entities may share information within formal partnerships for the prevention, detection, and investigation of money laundering, its predicate offences (which include certain frauds), and terrorist financing. It sets out requirements around necessity, data minimisation, supervisory notification, and governance.

Non-participation is increasingly treated as a gap finding rather than a neutral position.

Supervisory expectations are hardening in parallel. Regulatory authorities in multiple EU jurisdictions have begun asking, in the course of routine AML examinations, whether institutions have implemented structured intelligence sharing arrangements. Institutions that cannot demonstrate a formalised, auditable sharing capability will find that position progressively harder to defend.

AMLR Article 75 and PSR Article 83a — complementary, not sequential

The AMLR sits alongside the EU Payment Services Regulation (PSR), specifically Article 83a, which addresses a different and narrower perimeter: mandatory participation in formalised fraud-specific intelligence sharing arrangements for PSPs. The two regimes are complementary rather than sequential — AMLR Article 75 authorises broader AML/CTF partnership sharing on a permissive basis; PSR Article 83a imposes a narrower fraud-specific duty.

At the European level, supervisors and policymakers are converging on a "hub and spoke" or "network of networks" model, with a European layer interlinking national or bank-consortia data sharing setups. Each existing and newly developed national or regional arrangement is expected to contribute to that landscape.


TIMELINE

AMLR entered into force on 9 July 2024. Article 75 applies from 10 July 2027. References in this guidance to obligations and powers under Article 75 are forward-looking; institutions building governance now will be in position to operate compliantly from that date.


Section 04

Five guiding principles

Article 75 does not tell institutions how to share intelligence well. It tells them when they may do so, within what kind of partnership, and subject to what governance. These are the principles that make the difference between an arrangement that satisfies Article 75 in form and one that holds up under examination.

01

Suspicion as the gate, not the consequence

Compliant sharing is anchored to a specific case in which there is objectively justified suspicion of money laundering, terrorist financing, or a predicate offence. The suspicion is the gate through which the request passes — it is not generated by the request itself. Enough means: articulable, ex ante, in a request another institution could not reasonably read as fishing.


02

Proportionality applied at the point of submission

Each request must be limited to the data strictly necessary for the specific purpose at hand — defined before the request is sent, not justified after. The analyst must answer two questions on the face of the request: why this category of data, and why this scope rather than a narrower subset.


03

A reciprocal duty to act

A partnership in which only some members respond is not a functioning partnership. Each institution commits to responding to valid requests within agreed timelines. The reciprocal duty is not yet statutory — AMLR does not specify response deadlines — but it is the structural condition on which every participant's value depends.


04

Security by design, enforced at the platform layer

Pseudonymisation, activity recording, role-based access, and information minimisation are not aspirations to be relied on through user discipline. They are characteristics of the system through which sharing takes place, enforced by architecture rather than by user restraint.


05

Auditability that produces evidence, not just records

The functional test: can the institution produce, at short notice and without a third-party supplier's cooperation, a complete record of every request sent, every response received, and every necessity assessment made?


Section 05

When and why to collaborate

Financial crime is not contained within a single institution. Organised criminal networks move funds across banks, EMIs, PSPs, and CASPs before any one institution can respond. No single institution has the full picture from its own transaction data alone. AMLR Article 75 provides the operative framework for obliged entities to address this through formalised sharing arrangements. Structured intelligence sharing allows institutions to confirm or rule out suspicions faster, identify cross-institution patterns, and act before funds are moved beyond recovery. The obstacles today are no longer legal or technical — they are governance-related.

Why intelligence sharing is best organised at consortium level

Consortium-based approaches — motivated by a bank regulator, central bank or bank association, and operated by appropriate multi-bank, joint-venture or similar setups — provide structural governance advantages that bilateral arrangements cannot replicate: network effects that increase detection value with each additional participant; standardisation of data formats and definitions; legal efficiency through shared DPIAs and partnership agreements that substantially reduce the compliance lift on each individual participant; and cost efficiency through shared infrastructure. An institution that participates in a consortium-level arrangement — with its DPIA, partnership agreement, and supervisory notification all in order — is in a materially stronger position under regulatory examination than one relying on a series of bilateral arrangements stitched together.


THE ESTONIAN MODEL — BANKING SECRECY RESOLVED

Two statutes produce a closed legal route. The Credit Institutions Act §88(1) establishes the general banking-secrecy regime; the exception in §88(5¹)(3) authorises disclosure to another obliged entity to the extent necessary for AML purposes. The Money Laundering and Terrorist Financing Prevention Act §51(5) authorises credit and financial institutions to exchange information about high-risk customers and suspected criminal activity. Read together, the AML statute authorises the sharing; the Credit Institutions Act carves it out of the banking secrecy prohibition by reference to that same authorisation — the framework Salv Bridge has operated within since 2020. AMLR Article 75, from 10 July 2027, adds a Union-level basis running alongside national carve-outs. The historical position that banking secrecy precluded participation was defensible at the time. It is no longer correct.

Patterns that will not meet supervisory expectations

  • Bulk data sharing — sharing large datasets without linkage to specific cases or articulated suspicion. Directly inconsistent with the strict-necessity standard and GDPR Article 5(1)(c).
  • No audit trail — insufficient documentation of what was shared, when, by whom, and on what basis. Under Article 75, supervisors may commission independent audits.
  • Informal collaboration channels — email-based intelligence exchange is not a compliant alternative. It is precisely the practice Article 75 is designed to replace.
  • No clear suspicion threshold — the absence of defined criteria for what constitutes objectively justified suspicion is both a legal and an operational failure. Consortium-level agreement on a sufficient suspicion standard, documented in shared SOPs and consistently applied across participants, is what supervisors expect.

The full guidance document tells you what to do next

Fill in the form and someone from our team will be in touch. We'll talk through where you are, what to do next, and then send you the full guide.

ISO/IEC 27001 logo
Aicpa logo
GDPR compliant logo
OWASP logo

We build security to our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS etc.) to ensure that our security management system meets the highest standards.

Salv has an ISO/IEC 27001: 2022 certificate, as well as ISAE 3000 compliant SOC 2 Type 2 report.