Guidance · AMLR Article 75
Intelligence sharing for AML: a practical guide
AMLR Article 75 makes financial crime intelligence sharing a structured supervisory expectation. Built on five years of running live networks, this guide translates the regulation and distils our operational experience.
Get the guideInside this guidance
Foreword
The shift from optional to expected
Anyone reading this will know that financial crime moves faster than the controls most teams have in place to catch it. Most fincrime teams still work in silos. Not by choice. Because collaboration is operationally and technically complex, and most of us are stretched thin already. We built Salv Bridge to fix that.
We have been building cross-border intelligence sharing networks and stress-testing them against the regulatory standards they must meet. Today, Salv Bridge connects more than 100 financial institutions across the EU and UK, running live exchanges every day. In one market, the median fraud response time has dropped to 14 minutes. Across the same network, participating banks have prevented an estimated €3 million in customer losses.
The shift this guide covers, from optional collaboration to a structured supervisory expectation under the EU Anti-Money Laundering Regulation (AMLR) Article 75, is both operational and legal. The institutions reading it will need to act on both fronts. The direction of regulatory travel is clear. Regulators will ask: show us exactly how you share intelligence.
AMLR Article 75 is the legislative answer to a question many AML teams have been carrying for years: when can we share what we know with another obliged entity, and on what basis? The framework is clear in direction. It is, in places, still being clarified in practice, particularly on cross-border supervisory notification, on the precise contours of "strictly necessary", and on how tipping-off prohibition interacts with platform-mediated exchange.
Two practical points sit at the centre of this guidance. The first is that banking secrecy obligations in the EU markets are no longer the obstacle they were assumed to be: the statutory carve-outs that always existed are now squarely engaged by Article 75 once a partnership is properly constituted. The second is that anchoring the arrangement within an Article 75 partnership substantially strengthens the GDPR position. The processing remains under Article 6(1)(f) — Article 75 authorises partnership-based sharing but does not compel participation, so Article 6(1)(c) is not available — but the EU legislator's express recognition of the partnership framework does much of the heavy lifting on the necessity and balancing prongs of the legitimate-interests assessment that institutions otherwise carry alone.
This is the working document we use with the institutions joining Salv Bridge, formed over five years of operation. Where the rules are still evolving, we have flagged it. Where they are settled, we have said so plainly. For PSPs whose remit also covers fraud-specific obligations under PSR Article 83a, our companion guide treats that framework in the same depth. If you have questions, or want us to sense-check your approach, get in touch.
Executive summary
Points of attention for institutions, based on our experience
Intelligence sharing is now a supervisory expectation
AMLR Article 75 establishes the framework for obliged entities. Informal cooperation will not meet supervisory expectations from July 2027.
AMLR and GDPR converge on every exchange
AMLR Article 75 authorises the partnership framework; GDPR supplies the lawful basis (Article 6(1)(f), reinforced by Article 75) and the data protection constraints that operate alongside. Both regimes must be satisfied for an exchange to be lawful — and their interaction is not yet fully harmonised.
More data sharing is not better
Article 75 is anchored in the strictly necessary standard. Scalable solutions depend on standardisation and clear suspicion thresholds, not volume.
Consortium models are structurally necessary
Consortium-based models are structurally necessary, not just efficient. Only coordinated approaches deliver consistent rules, shared governance, and scalable network effects.
Early-stage sharing remains a grey area
Article 75 is clear once suspicion is established. Pre-suspicion collaboration is less defined and requires careful structuring.
Tipping-off risk is two-sided
AMLR binds receiving institutions as well as requesting ones. The analysis must be applied at the point of acting on incoming intelligence — not assumed away by platform design.
Data sharing is becoming core to risk management
Beyond detection, it supports offboarding decisions, enhanced due diligence, and the evidentiary record supervisors expect on examination.
The framework is directionally clear, operationally evolving
Institutions that establish well-governed, adaptable frameworks now will be best positioned to comply as standards mature.
Section 03
What AMLR Article 75 actually establishes
The AMLR, specifically Article 75, establishes the conditions under which obliged entities may share information within formal partnerships for the prevention, detection, and investigation of money laundering, its predicate offences (which include certain frauds), and terrorist financing. It sets out requirements around necessity, data minimisation, supervisory notification, and governance.
Non-participation is increasingly treated as a gap finding rather than a neutral position.
Supervisory expectations are hardening in parallel. Regulatory authorities in multiple EU jurisdictions have begun asking, in the course of routine AML examinations, whether institutions have implemented structured intelligence sharing arrangements. Institutions that cannot demonstrate a formalised, auditable sharing capability will find that position progressively harder to defend.
AMLR Article 75 and PSR Article 83a — complementary, not sequential
The AMLR sits alongside the EU Payment Services Regulation (PSR), specifically Article 83a, which addresses a different and narrower perimeter: mandatory participation in formalised fraud-specific intelligence sharing arrangements for PSPs. The two regimes are complementary rather than sequential — AMLR Article 75 authorises broader AML/CTF partnership sharing on a permissive basis; PSR Article 83a imposes a narrower fraud-specific duty.
At the European level, supervisors and policymakers are converging on a "hub and spoke" or "network of networks" model, with a European layer interlinking national or bank-consortia data sharing setups. Each existing and newly developed national or regional arrangement is expected to contribute to that landscape.
TIMELINE
AMLR entered into force on 9 July 2024. Article 75 applies from 10 July 2027. References in this guidance to obligations and powers under Article 75 are forward-looking; institutions building governance now will be in position to operate compliantly from that date.
Section 04
Five guiding principles
Article 75 does not tell institutions how to share intelligence well. It tells them when they may do so, within what kind of partnership, and subject to what governance. These are the principles that make the difference between an arrangement that satisfies Article 75 in form and one that holds up under examination.
Suspicion as the gate, not the consequence
Compliant sharing is anchored to a specific case in which there is objectively justified suspicion of money laundering, terrorist financing, or a predicate offence. The suspicion is the gate through which the request passes — it is not generated by the request itself. Enough means: articulable, ex ante, in a request another institution could not reasonably read as fishing.
Proportionality applied at the point of submission
Each request must be limited to the data strictly necessary for the specific purpose at hand — defined before the request is sent, not justified after. The analyst must answer two questions on the face of the request: why this category of data, and why this scope rather than a narrower subset.
A reciprocal duty to act
A partnership in which only some members respond is not a functioning partnership. Each institution commits to responding to valid requests within agreed timelines. The reciprocal duty is not yet statutory — AMLR does not specify response deadlines — but it is the structural condition on which every participant's value depends.
Security by design, enforced at the platform layer
Pseudonymisation, activity recording, role-based access, and information minimisation are not aspirations to be relied on through user discipline. They are characteristics of the system through which sharing takes place, enforced by architecture rather than by user restraint.
Auditability that produces evidence, not just records
The functional test: can the institution produce, at short notice and without a third-party supplier's cooperation, a complete record of every request sent, every response received, and every necessity assessment made?
Section 05
When and why to collaborate
Financial crime is not contained within a single institution. Organised criminal networks move funds across banks, EMIs, PSPs, and CASPs before any one institution can respond. No single institution has the full picture from its own transaction data alone. AMLR Article 75 provides the operative framework for obliged entities to address this through formalised sharing arrangements. Structured intelligence sharing allows institutions to confirm or rule out suspicions faster, identify cross-institution patterns, and act before funds are moved beyond recovery. The obstacles today are no longer legal or technical — they are governance-related.
Why intelligence sharing is best organised at consortium level
Consortium-based approaches — motivated by a bank regulator, central bank or bank association, and operated by appropriate multi-bank, joint-venture or similar setups — provide structural governance advantages that bilateral arrangements cannot replicate: network effects that increase detection value with each additional participant; standardisation of data formats and definitions; legal efficiency through shared DPIAs and partnership agreements that substantially reduce the compliance lift on each individual participant; and cost efficiency through shared infrastructure. An institution that participates in a consortium-level arrangement — with its DPIA, partnership agreement, and supervisory notification all in order — is in a materially stronger position under regulatory examination than one relying on a series of bilateral arrangements stitched together.
THE ESTONIAN MODEL — BANKING SECRECY RESOLVED
Two statutes produce a closed legal route. The Credit Institutions Act §88(1) establishes the general banking-secrecy regime; the exception in §88(5¹)(3) authorises disclosure to another obliged entity to the extent necessary for AML purposes. The Money Laundering and Terrorist Financing Prevention Act §51(5) authorises credit and financial institutions to exchange information about high-risk customers and suspected criminal activity. Read together, the AML statute authorises the sharing; the Credit Institutions Act carves it out of the banking secrecy prohibition by reference to that same authorisation — the framework Salv Bridge has operated within since 2020. AMLR Article 75, from 10 July 2027, adds a Union-level basis running alongside national carve-outs. The historical position that banking secrecy precluded participation was defensible at the time. It is no longer correct.
Patterns that will not meet supervisory expectations
- Bulk data sharing — sharing large datasets without linkage to specific cases or articulated suspicion. Directly inconsistent with the strict-necessity standard and GDPR Article 5(1)(c).
- No audit trail — insufficient documentation of what was shared, when, by whom, and on what basis. Under Article 75, supervisors may commission independent audits.
- Informal collaboration channels — email-based intelligence exchange is not a compliant alternative. It is precisely the practice Article 75 is designed to replace.
- No clear suspicion threshold — the absence of defined criteria for what constitutes objectively justified suspicion is both a legal and an operational failure. Consortium-level agreement on a sufficient suspicion standard, documented in shared SOPs and consistently applied across participants, is what supervisors expect.
The full guidance document tells you what to do next
Fill in the form and someone from our team will be in touch. We'll talk through where you are, what to do next, and then send you the full guide.