EU anti-money laundering package alert: to what extent is intra-group data sharing permitted?
The current Dutch Anti-Money Laundering and Anti-Terrorist Financing Act will be replaced by a new European anti-money laundering framework (AMLR, AMLD6, and AMLAR), which is set to take full effect on 10 July 2027. In the run-up to this, the European Banking Authority (EBA) published a Final Response at the end of October 2025, providing technical advice on the sharing of AML data between entities within a group, such as international banking groups.
Although this advice does not contain binding Regulatory Technical Standards (RTS), it provides direction for future rules to be developed by AMLA and later adopted by the European Commission.
The objective of the advice is clear: to enable information sharing within groups so that money-laundering risks can be addressed more effectively. The intention is to achieve this in a clear, practicable, and rule-based way. At the same time, several key questions remain. This article sets out these points so institutions can prepare in time.
Sharing AML data within a group is essential to create a complete customer profile and to manage risks effectively. Without this level of exchange, red flags remain fragmented, resulting in weaker risk assessments and less effective transaction monitoring. Consolidating information makes patterns visible that would otherwise remain undetected and allows for more consistent application of policies. Data sharing also enables groups to provide faster and more complete responses to requests from regulatory authorities and FIUs.
In its advice, the EBA states that future EU standards should define which information may be shared within a group (and partnerships), what constitutes acceptable use of that information, and how such information exchange should take place.
Access to group-wide information must not result in unjustified de-risking, whereby customers are automatically rejected based on the risk classifications of other entities.
While the EBA encourages broad information sharing within groups, this is still bound by legal restrictions. Article 75 AMLR stipulates that information obtained through a partnership, such as customer data, transactions and risk factors, may, in principle, not be shared further outside that partnership. The EBA considers that there may be room to share such data within a group, but this is not yet explicitly permitted and requires further analysis.
The EBA’s advice does not clarify whether an entity that participates in a partnership may share information obtained through that partnership with other entities in the group. At the same time, it is also unclear whether the parent company may share information from the group with other partners. On the one hand, the EBA emphasises the importance of comprehensive data sharing to obtain a complete risk picture; on the other hand, it is unclear how this aligns with the restrictions surrounding partnerships. This uncertainty directly impacts the practical design of policies.
Within a group, obliged entities may share information broadly, as they operate under the same AML/CTF framework. Article 28 goes even further and states that group entities must be able to exchange all information necessary for customer due diligence, including identity, beneficial ownership, and business relationships. The upcoming RTS will need to clarify whether this broad definition will remain in force or whether the scope will be narrowed to what Article 75 currently permits. That choice will ultimately determine how effective risk management can be at group level.
Article 16(3) AMLR states that group-wide procedures do not prevent non-obliged entities within the same group from providing information to obliged entities when necessary for AML compliance. However, it remains uncertain whether the reverse is also permitted: may obliged entities share information with non-obliged entities in return?
What is clear, however, is that a parent company automatically becomes an obliged entity itself once it has at least one obliged subsidiary. As a result, the parent company is, in any case, brought within the scope of the AMLR obligations. The impact of this can be significant, as described earlier (at present only available in Dutch):
Article 16 AMLR requires that one entity within the group be designated as responsible for group-level compliance, so that a single central entity oversees the entire group. AMLA must set out, through RTS, how this parent company is to be identified. This entity will be responsible for implementing policies, controls and procedures across all parts of the group, including those outside the EU. Without such clarity, it becomes difficult to determine who is ultimately responsible for information sharing and regulatory compliance.
If Article 16(4) is given the same strict limitations as Article 75, data sharing within groups will become significantly more restricted. This may be understandable from a privacy perspective, but it limits the ability to build a complete customer profile – with all the associated risks. As a result, important indicators of money laundering or terrorist financing may be missed, especially when a customer has different risk levels across various parts of the group.
When a group is headquartered outside the EU but has at least two obliged subsidiaries within the EU, one EU entity must be designated as the parent company (Article 2(1)(42)(b) AMLR). This entity must:
In practice, this can be challenging. How can an EU entity effectively oversee activities outside the EU, where local legislation and privacy rules differ? In some cases, the designated entity carries legal responsibility but has limited influence over the global structure.
In cross-border data transfers (outside the EEA), the parent company must comply with the requirements of the GDPR. The RTS may specify that the transfer of personal data to third countries must be based on an adequacy decision or be subject to appropriate safeguards. Alternatively, personal data may be transferred to third countries or international organisations based on permitted derogations set out in the GDPR.
A number of uncertainties remain, including whether information obtained through partnerships may be shared further, and the extent of what constitutes “acceptable use.” In addition, privacy requirements must already be taken into account in cross-border data sharing.
Institutions can, however, already begin preparing by taking the following steps:
Both the Anti-Money Laundering Regulation (AMLR) and the sixth Anti-Money Laundering Directive (AMLD6) will largely take effect on 1 July 2027. Unlike the AMLR, which has direct effect, AMLD6 must still be transposed into national legislation. The new European supervisor, AMLA, began its operations on 1 July 2025.
Following the EBA’s advice, AMLA will draft an RTS, which will then be endorsed by the European Commission. The expectation is that this will happen before 10 July 2027, allowing the RTS to take effect alongside the AMLR.
We are closely monitoring these developments and will keep you updated through our website and monthly newsletter.
If you have any questions or would like to discuss how we can support you in preparing for these changes, please feel free to contact us.