Aligning the EU’s AML/CFT and GDPR priorities to ensure an effective and coherent anti-financial crime framework - open letter

Open letter to Mrs. Bruna Szego, Chair of the Anti-Money Laundering Authority:


Date: 4 March 2026

To: Mrs. Bruna Szego, Chair, Anti-Money Laundering Authority

 

Aligning the EU’s AML/CFT and GDPR priorities to ensure an effective and coherent anti-financial crime framework

 

Introduction

 

The Global Coalition to Fight Financial Crime (GCFFC) is a European-based NGO dedicated to improving the effectiveness of the fight against financial crime through collaboration, shared expertise, and practical policy engagement. Bringing together global public authorities, law enforcement, Financial Intelligence Units (FIUs), regulators, financial institutions, technology providers, and civil society, the GCFFC actively supports coordinated, outcomes-focused responses to the cross-border and evolving nature of illicit finance.

The GCFFC’s objectives align closely with those of the European Union, including the ambition to strengthen supervisory convergence, reduce fragmentation, and enhance cooperation across the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) framework. A central pillar of the GCFFC’s work is the promotion of structured public-private partnerships that enable trusted information sharing and joint problem-solving, in support of EU efforts to build a more effective, risk-based, and resilient system for preventing and combating financial crime.

As supervisory responsibilities transitioned to the Anti-Money Laundering Authority (AMLA) on 31 December 2025, this document sets out the GCFFC’s preliminary observations and recommendations on AMLA’s strategic objectives within its 2026–2028 Single Programming Document (SPD). The GCFFC fully supports AMLA’s mandate and ambitions; however, there is an urgent need for greater supervisory convergence between the European Data Protection Board (EDPB), AMLA and other relevant authorities to ensure legal certainty on data processing, information sharing, international cooperation and other critical provisions, and to ensure a consistent application of the European Union’s (EU) financial crime framework and General Data Protection Regulation (GDPR) implementation.


Opening Remarks

 

The GCFFC welcomes AMLA’s 2026–2028 SPD and the progress it represents toward a more coherent and risk-based supervisory architecture across the EU. AMLA’s establishment marks a significant milestone in strengthening the Union’s response to money laundering and terrorist financing, and in enhancing trust and resilience in the financial system.

The SPD provides a clear, forward-looking roadmap to modernise AML/CFT supervision, with strong emphasis on emerging threats, supervisory convergence, and international cooperation. We particularly welcome the focus on building more effective mechanisms to anticipate, detect, and mitigate financial crime risks as they evolve.

Financial crime—such as money laundering, fraud, corruption, human trafficking, terrorist financing, and environmental offenses—threatens society and financial system integrity. Given AMLA’s supervisory mandate, there is an urgent need to engage with public and private stakeholders to address potential inconsistencies between AML and GDPR requirements. Without this, regulatory gaps may allow criminals to exploit GDPR provisions and pose risks to organisations and civil society across the Union. The international dimension is equally worth noting given the impact on the $1.8 quadrillion cross-border payment flows in 2023, which routinely involve sanctions screening and fraud detection while data privacy laws lack sufficient legal grounds for data processing.


Executive Summary of Recommendations

1.  Establish Clear and Consistent Legal Bases for AML Data Processing

Legal certainty is paramount regarding lawful bases for AML/CFT processing under the GDPR. The EDPB acknowledges AML/CFT as a task carried out in the public interest yet remains cautious about broad or undefined data-sharing practices. Key actions include:

  • Clarifying when processing relies on legal obligation (Article 6(1)(c)) versus legitimate interests (Article 6(1)(f)), particularly in relation to global sanctions and non-EU requirements.

  • Defining conditions for processing criminal offence data under Article 10 GDPR.

  • Ensuring AML legislation and supervisory guidance explicitly recognise these bases to avoid divergent national interpretations.

  • Providing clarity for service-providers who support obliged entities to meet their global AML/CFT obligations, including know-your-customer and sanctions-screening requirements.


2.  Enable Proportionate and Safeguarded Information Sharing

Effective AML/CFT efforts rely on responsible information sharing, but this remains one of the most sensitive areas under the GDPR. To ensure lawful, proportionate, and risk-based sharing, key actions include:

  • Define clear conditions, safeguards, and limitations for sharing data between private entities, FIUs, and supervisors.

  • Establish proportionality requirements, supported by appropriate governance and oversight mechanisms.


3.  Align Data Minimisation, Purpose Limitation, and Retention Requirements

AML/CFT obligations must be reconciled with GDPR principles to ensure effective controls while respecting data-privacy rights. Priorities include:

  • Collecting data necessary for proper Customer Due Diligence (CDD), monitoring, and suspicious activity reporting.

  • Preventing use of AML data for incompatible purposes.

  • Harmonising retention periods and clarifying erasure restrictions where AML laws require ongoing recordkeeping.


4.  Enhance Supervisory Coordination and Issue Harmonised EU Guidance

Fragmented interpretations of GDPR in the AML context undermine supervisory consistency and AML/CFT effectiveness. Priorities include:

  • Develop joint or coordinated guidance between AMLA, the EDPB, and national authorities.

  • Align supervisory expectations across Member States and with international best practices.

  • Prevent regulatory gaps that may be exploited by criminals citing data-protection barriers.


Effectiveness and Considerations for the Single Programming Document

The GCFFC advocates for a more effective global anti-financial crime system. Despite extensive investment, less than 1% of global illicit flows are seized or frozen—a statistic long recognised by practitioners. The EU’s renewed focus on effectiveness is consistent with international best-practice approaches, including the Financial Action Task Force’s (FATF) reformed Mutual Evaluation Methodology, to move beyond the false dichotomy between risk-based and rules-based approaches and toward an outcomes-focused model.

Intersections with other regulatory regimes—such as the Payment Services Directive (PSD2), the Digital Operational Resilience Act (DORA), Cross-Border Payments Regulation (CBPR), global (e.g. non-EU) financial crime (including sanctions) requirements, and GDPR—require coordinated and coherent interpretation. AMLA’s SPD sets out three core objectives that should align with the following goals:

  1. Complete the Single Rulebook to ensure regulatory convergence across the EU.

  2. Develop harmonised supervisory practices across financial and non-financial sectors.

  3. Strengthen FIU cooperation, joint analysis, and engagement with law enforcement.

These objectives are consistent with the GCFFC’s mission to promote structured, trusted, and proportionate partnerships for information sharing (PFIS) and to strengthen financial intelligence exchange. Reducing low-value reporting, enabling joint analysis, and supporting intelligence-led investigations are critical to improving outcomes.

To be effective, the risk-based approach must be informed by shared typologies, emerging threats, and cross-border risks. Aligning supervisory expectations across Member States and with data-protection requirements is rightfully necessary to prevent criminals from exploiting regulatory fragmentation.


AMLA’s 2026 Annual Work Programme reinforces these priorities. The GCFFC offers the following thematic observations:

I.  Unified Regulatory Framework for the Private Sector: Developing consistent guidance and technical standards will require ongoing input from both AML/CFT and data-protection authorities. The EDPB has emphasised the importance of its involvement in shaping RTS, guidelines, and recommendations to clarify the interaction of AML and GDPR requirements. AML regimes require the processing of special categories of personal data, including detailed beneficial-ownership, transaction, and customer-profile information. This can conflict with GDPR-style expectations of data minimisation and purpose limitation.

One such example is the Payment Services Directive (PSD2), as there is ‘a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common Secure Communication.’ Policy fragmentation is a considerable risk if national DPAs interpret these provisions differently, which can have unintended consequences across the Union.

The EDPB further notes that the processing of personal data relating to criminal convictions and offences may take place only where such processing is expressly authorised under Union or Member State law. This means that this authorisation does not extend automatically to non-EU legal requirements unless these have been incorporated into EU or EEA domestic legislation.

In addition, the EDPB maintains that any comprehensive register of criminal convictions must remain under the exclusive control of an official authority. However, given the inherently cross-border nature of anti-financial-crime obligations, and the extensive duties imposed on obliged entities to detect, prevent, and report illicit activity, these positions do not fully reflect the operational reality in which the private sector plays a central and indispensable role in supporting competent authorities in the fight against financial crime.

Another pathway toward regulatory convergence lies in developing common standards and codes of conduct for service providers supporting obliged entities, with due regard for the distinct operational characteristics of this sector. The EU framework already acknowledges that obliged entities rely on external screening and risk-intelligence services to meet CDD, ongoing-monitoring and sanctions-screening obligations—treating these as “processes or arrangements that contribute to the performance” of statutory AML/CFT duties (AMLR/AMLD VI). In parallel, the EDPB’s 2026–2027 Work Programme creates a dedicated roadmap item on “work on the interplay between data protection and AML/CFT requirements,” signalling the need for coordinated, cross-regulatory clarity on lawful bases, proportionality and safeguards. This is particularly relevant for service providers who have been designated under DORA. Together, these instruments provide the legal and policy mandate for AMLA to act.


Key Differences Summarised

Dimension: AMLA Unified Framework (Private Sector) compared with Data-Protection Board (GDPR-type) Concerns

Regulatory Objective

  • AMLA Unified Framework (Private Sector): Detect/prevent money laundering & terrorist financing; maximise transparency.

  • Data-Protection Board (GDPR-type) Concerns: Protect fundamental rights to privacy & data protection; minimise unnecessary processing.

Data Approach

  • AMLA Unified Framework (Private Sector): Data collection (CDD, beneficial ownership, transaction data); reliance on service-providers.

  • Data-Protection Board (GDPR-type) Concerns: Data minimisation (“only what is necessary”), concern about excessive data collection.

Information Sharing

  • AMLA Unified Framework (Private Sector): Extensive public-private sharing; interoperability with FIUs; broad institutional access.

  • Data-Protection Board (GDPR-type) Concerns: Risk of over-exposure, weak governance, and lack of individual transparency.

Retention Rules

  • AMLA Unified Framework (Private Sector): Long retention periods mandated for AML supervision and investigations.

  • Data-Protection Board (GDPR-type) Concerns: GDPR requires timely deletion; long retention seen as disproportionate.

Transparency to Data Subjects

  • AMLA Unified Framework (Private Sector): Often limited due to AML exemptions and no ‘tipping-off’ provisions.

  • Data-Protection Board (GDPR-type) Concerns: GDPR emphasises transparency, access rights, objection rights.

Risk Focus

  • AMLA Unified Framework (Private Sector): Systemic financial-crime risk.

  • Data-Protection Board (GDPR-type) Concerns: Individual privacy and data-security risk.

 

II.  Partnerships for Information Sharing (PFIS): Article 75 of the AML Regulation, which becomes applicable in July 2027, empowers AMLA to facilitate information-sharing partnerships, including cross-border models. Such partnerships enhance risk detection, typology development, early warning mechanisms, and systemic resilience.

However, significant concerns remain from data-protection authorities regarding necessity, proportionality, and the role of private entities in activities traditionally reserved for public authorities. A structured working group—including AMLA, data-protection authorities, industry experts, and law-enforcement representatives—should be established to define a European information sharing framework that is both operationally effective and appropriate for the region. Common types of international PFIS frameworks for the working group to consider include the following:

Common Partnership Models

Details

Strategic Intelligence

  • Emerging typologies and threat trends

  • Sector-wide findings from law enforcement actions

  • Risk assessments and behavioural patterns

  • Thematic analysis (e.g. human trafficking, environmental crime, fraud)

Operational Intelligence

  • Indicators of compromise (IOCs)

  • Suspicious transaction patterns

  • High-risk networks or typologies

  • Specific case-based information leading to active investigations

Technical Enhancements

  • Data-quality standards

  • Shared analytics methods

  • Collaborative red flags


Some of the key benefits that PFISs are meant to deliver include the following:

Stakeholder

Benefits

Law Enforcement and FIUs

  • Access to richer financial data

  • Faster case development

  • Improved ability to detect complex, layered networks

  • Better prioritisation of threats

Obliged Entities

  • More precise risk identification

  • Enhanced ability to disrupt criminal activity

  • Reduced false positives in monitoring

  • Stronger regulatory confidence and alignment

Society

  • Greater disruption of organised crime

  • Protection of victims (e.g. fraud)

  • Increased integrity of the financial system


The GCFFC maintains that PFISs are critical to strengthening the global response to financial crime because they fuse government intelligence with private-sector data to dramatically improve the detection of illicit activity, enabling faster, more accurate identification of suspicious behaviour. By facilitating real-time, two-way information sharing, PFISs help authorities and financial institutions respond more swiftly to emerging threats such as cyber-enabled laundering and crypto-related risks. They also address longstanding effectiveness gaps in the AML/CFT system by enabling more actionable intelligence, improving investigative outcomes, and enhancing sector-wide understanding of risk.

An example is the EU’s Payment Services Regulation (PSR). A central feature of the PSR is a new legal requirement for payment service providers (PSPs) to share fraud-related information. This represents a fundamental shift in how the EU expects industry to address payment fraud collectively. While the PSR does not explicitly contradict the GDPR, its mandatory fraud-data sharing obligations, enhanced monitoring requirements, and expanded data-exchange frameworks create significant practical and legal tensions with GDPR principles on consent, purpose limitation, and data minimisation. This means that PSPs face a complex compliance landscape where obligations under the PSR may only be fulfilled if extensive GDPR safeguards are implemented—and in some scenarios, the two regimes may pull in opposite directions.

In relation to information sharing, the EDPB has explicitly stated that ‘the lack of studies attesting to the effectiveness of these provisions, leads the EDPB to consider that the envisaged measures are not proportionate to the aims pursued.’ This observation underscores the opportunity for further engagement with DPAs regarding the benefits of these PFIS frameworks, including the following evidence themes:

 

Evidence theme: Higher-quality intelligence & more actionable SARs

  • What the evidence shows (headline): PFIS engagement enhances the relevance, specificity, and timeliness of reporting and intelligence sharing.
  • Example PFIS(s) / Jurisdiction: Multi-country (good practice)
  • Indicative outputs / metrics typically cited: Better-targeted SARs; richer contextual information; improved typology alignment
  • Why this is evidence of greater effectiveness: Actionable intelligence, not just volume, is a leading indicator for investigations and disruption outcomes.
  • Source(s) to cite: FATF Private Sector Information Sharing (2017); FATF Crowdsourcing the Transformation of AML/CFT (2023)

Evidence theme: Faster identification of networks across institutions

  • What the evidence shows (headline): PFISs enable detection of multi-bank networks that no single firm can see.
  • Example PFIS(s) / Jurisdiction: UK JMLIT; FinCEN Exchange (US)
  • Indicative outputs / metrics typically cited: Cross-bank linkage of accounts/entities; rapid dissemination of network indicators
  • Why this is evidence of greater effectiveness: Network detection is central to disrupting organised crime, sanctions evasion, and laundering chains.
  • Source(s) to cite: UK Home Office / HM Treasury – JMLIT public updates and impact statements; FinCEN FinCEN Exchange public statements/briefings

Evidence theme: Operational disruption outcomes (arrests/seizures/disruptions)

  • What the evidence shows (headline): PFISs are associated with concrete law-enforcement outcomes such as arrests, seizures, and disruption activity.
  • Example PFIS(s) / Jurisdiction: UK JMLIT; AUSTRAC Fintel Alliance
  • Indicative outputs / metrics typically cited: Public case studies citing arrests, restraint/confiscation, takedowns, identification of offenders
  • Why this is evidence of greater effectiveness: These are direct “outcome” measures beyond compliance process metrics.
  • Source(s) to cite: Home Office / NCA – JMLIT communications and annual updates; AUSTRAC Annual Report/Annual Review and Fintel Alliance updates

Evidence theme: Improved typologies and sector-wide control uplift

  • What the evidence shows (headline): PFISs generate typologies that are rapidly embedded into controls and transaction monitoring.
  • Example PFIS(s) / Jurisdiction: MAS ACIP (Singapore); JMLIT (UK)
  • Indicative outputs / metrics typically cited: Typology papers; red-flag libraries; guidance to frontline teams; control enhancements referenced in supervisory messaging
  • Why this is evidence of greater effectiveness: Demonstrates system-wide prevention effects—not only investigation support.
  • Source(s) to cite: Monetary Authority of Singapore (MAS) – ACIP typology publications/updates; FATF – PFIS / information sharing reports (2017, 2023)

Evidence theme: Better prioritisation & resource allocation (public sector)

  • What the evidence shows (headline): PFISs help law enforcement/FIUs prioritise cases with highest harm/impact.
  • Example PFIS(s) / Jurisdiction: Multi-country
  • Indicative outputs / metrics typically cited: Targeted tasking; improved triage; better conversion of intelligence into cases
  • Why this is evidence of greater effectiveness: Better prioritisation increases impact with limited resources.
  • Source(s) to cite: FATF PFIS/info-sharing reports; Egmont Group – FIU information sharing principles/operational guidance

Evidence theme: Reduced duplication and improved feedback loops

  • What the evidence shows (headline): PFISs reduce repeated requests and create structured feedback that improves reporting quality over time.
  • Example PFIS(s) / Jurisdiction: UK JMLIT; Australia Fintel Alliance
  • Indicative outputs / metrics typically cited: Regular feedback sessions; joint analytics; common typology refresh cycles
  • Why this is evidence of greater effectiveness: Feedback loops are evidence of learning systems, improving performance and consistency.
  • Source(s) to cite: FATF effectiveness and private sector engagement materials; AUSTRAC Fintel Alliance descriptions and annual reviews

Evidence theme: Enhanced detection of priority harms (fraud, trafficking, child exploitation)

  • What the evidence shows (headline): PFISs have been used to focus on specific crime types with measurable disruption/case outcomes.
  • Example PFIS(s) / Jurisdiction: AUSTRAC Fintel Alliance; FinCEN Exchange
  • Indicative outputs / metrics typically cited: Thematic projects on scams/mules, exploitation financing; identification of new suspects/targets
  • Why this is evidence of greater effectiveness: Shows PFISs can be directed at societal harms with operational results.
  • Source(s) to cite: AUSTRAC annual reviews/case studies; FinCEN – Exchange communications and threat-focused releases

Evidence theme: Cross-sector collaboration expands visibility (beyond banks)

  • What the evidence shows (headline): Adding telecoms/tech platforms improves ability to stop digital fraud and mule recruitment.
  • Example PFIS(s) / Jurisdiction: Various national models
  • Indicative outputs / metrics typically cited: Joint disruption campaigns; improved intelligence on mule recruitment/infrastructure
  • Why this is evidence of greater effectiveness: Financial crime is increasingly digital; cross-sector PFISs expand coverage of the ecosystem.
  • Source(s) to cite: FATF – digital identity/technology and PFIS discussions; National fraud strategies / FIU programmes

Evidence theme: Improved consistency of regulatory interpretation

  • What the evidence shows (headline): PFISs can align industry understanding of red flags and supervisory expectations.
  • Example PFIS(s) / Jurisdiction: MAS ACIP; UK PFIS ecosystem
  • Indicative outputs / metrics typically cited: Shared guidance; common typologies; supervisory endorsement
  • Why this is evidence of greater effectiveness: Consistency improves control effectiveness across the system and reduces “weak links”.
  • Source(s) to cite: MAS – ACIP publications; FATF – guidance on private sector engagement and effectiveness

Evidence theme: Enabling conditions: legal clarity and safe harbours correlate with stronger participation

  • What the evidence shows (headline): Where law/legal gateways are clearer, PFISs are more operational and scalable.
  • Example PFIS(s) / Jurisdiction: Multi-country
  • Indicative outputs / metrics typically cited: More frequent operational exchanges; clearer governance; higher participation
  • Why this is evidence of greater effectiveness: Participation and operational sharing are prerequisites for measurable impact.
  • Source(s) to cite: FATF – 2017 info-sharing report; National legislation/guidance around information sharing

Evidence theme: Measured improvements in analytical capability

  • What the evidence shows (headline): PFISs develop shared analytics approaches, including privacy-preserving approaches in some models.
  • Example PFIS(s) / Jurisdiction: Netherlands TMNL-style models (hybrid PFIS/utility); FIU-industry initiatives
  • Indicative outputs / metrics typically cited: Joint analytics; improved pattern recognition; shared indicator sets
  • Why this is evidence of greater effectiveness: Improved analytics increases true positives and reduces noise, enhancing effectiveness.
  • Source(s) to cite: FATF – 2023 crowdsourcing/innovation report; National PFIS/utility descriptions

Evidence theme: International recognition as good practice

  • What the evidence shows (headline): PFISs repeatedly referenced by standard setters and peer jurisdictions as effective models.
  • Example PFIS(s) / Jurisdiction: UK JMLIT; AUSTRAC Fintel; US Exchange; SG ACIP
  • Indicative outputs / metrics typically cited: Included in best-practice case studies
  • Why this is evidence of greater effectiveness: Standard-setter endorsement is evidence of observed success and replicability.
  • Source(s) to cite: FATF – 2017 info sharing report; FATF – 2023 crowdsourcing report


III.   Building an AML/CFT Community: The GCFFC was established on the principle that effective financial-crime prevention depends on strong collaboration across both the public and private sectors. AMLA’s intention to create a “forum for sharing experiences, best practices, and challenges in implementing the EU AML/CFT framework” reflects the same foundational approach and marks an important—and necessary—step toward a more coordinated European system. When appropriate, the EDPB should also be part of this community, given the areas where further clarification and regulatory alignment are required. Ensuring alignment between AMLA’s rules and EU data-protection law is overdue; incorporating the EDPB into AMLA’s community would help ensure that harmonised AML standards are developed in parallel with harmonised data-protection implementation.


IV.   Policy on Supervisory Convergence: Why AML/CFT supervisory convergence must extend to DPAs — and how the FATF’s revised effectiveness methodology raises the stakes:

  1. The strategic case as AMLA is building a single EU AML/CFT system that is inherently “data-driven”: AMLA’s SPD makes clear that the EU’s new AML/CFT architecture is moving toward EU-wide risk frameworks, digital infrastructures and an integrated data ecosystem to support both supervision and FIU cooperation. In parallel, AMLA is explicitly prioritising supervisory convergence—including common methodologies, standards and approaches that will apply across Member States and underpin direct and indirect supervision. Because AML/CFT supervision is operationalised through the collection, sharing and analysis of large volumes of personal and transactional data, data-protection compliance is not an adjacent issue—it is a system dependency. As AMLA and national supervisors push toward common data points, shared risk models and cross-border supervisory coordination, DPAs and the EDPB should be consulted on how data is governed, safeguarded and used.

  2. The EDPB has already flagged AML/CFT data-sharing risks as potentially unlawful or disproportionate: The EDPB has publicly warned EU legislators that certain AML/CFT provisions allowing private entities to share personal data (including CDD data and suspicious-transaction information) could trigger very large-scale processing and may fail tests of lawfulness, necessity and proportionality, with insufficient safeguards. The EDPB further cautioned about significant real-world harms, including blacklisting and exclusion from financial services, if the rules enable expansive sharing without tight controls. These concerns go to the heart of AMLA’s “supervisory convergence” agenda: if AML supervisors converge on expansive operational data-sharing practices that DPAs later view as disproportionate, Europe risks creating a system that is fragmented and less legally stable. The outcome can be regulatory friction, inconsistent national implementation and legal challenge risk—all of which reduce AML/CFT effectiveness.

  3. FATF’s revised methodology makes “effectiveness” the headline test—Europe cannot afford supervisory fragmentation between AML and privacy regimes: FATF’s methodology (adopted 2022 and updated subsequently) assesses countries across two pillars: (i) technical compliance with the 40 Recommendations and (ii) effectiveness, judged through Immediate Outcomes (IO) focused on real-world results rather than rules on paper.

  4. FATF also stresses that assessments must focus on a country’s major risks and context, with countries demonstrating that their framework protects the financial system from abuse in practice. This matters for Europe because an AML/CFT system that is not aligned with data-protection expectations can undermine multiple effectiveness outcomes. For example, if privacy risks force institutions or authorities to limit information flows ex post, if initiatives are struck down, or if public trust erodes and drives defensive de-risking, then the AML/CFT system becomes less effective, not more. FATF’s emphasis on outcomes means Europe will be judged by whether information-sharing and supervision work, not whether they are ambitious on paper. In the context of cross-border payments, the FATF notes that data privacy limits available information on sanctioned entities which ‘could cause difficulty in ascertaining whether a potential match arising from sanctions screening is true or not.’


Consequences for financial-crime threats in Europe if convergence fails

5. If AML/CFT supervisory convergence develops without parallel convergence with DPAs, several negative outcomes become likely:

  • a) Operational disruption and delays: data-sharing partnerships and cross-border analytics may be slowed by legal uncertainty and divergent national interpretations, directly weakening AMLA’s push toward an EU-wide data ecosystem and harmonised supervision.

  • b) Regulatory whiplash and litigation risk: initiatives may launch, then face DPA enforcement actions, court challenges, or political reversal due to proportionality concerns—especially where large-scale processing is involved.

  • c) De-risking and financial exclusion: poorly governed sharing can increase false positives and drive blanket exits from customer segments, consistent with the EDPB’s warning about exclusion and blacklisting impacts.

  • d) Criminal adaptation and displacement: criminals exploit seams—jurisdictional inconsistencies, supervisory confusion, and reduced quality of intelligence—exactly the vulnerabilities AMLA’s convergence agenda is intended to close.

  • e) Exposure to criminal sanctions: Under the EU Sanctions Criminalisation Directive, breaches can expose organisations and individuals to severe penalties, including imprisonment and substantial fines (up to 5% of global turnover or €40 million for legal persons).

Each of these directly threatens the “effectiveness” that FATF evaluations now prioritise.

 

How Europe could be viewed as a “financial crime risk region” if it cannot reconcile AML effectiveness with data-protection governance

Internationally, a region’s perceived financial-crime risk is shaped not only by formal rules, but by whether those rules produce effective outcomes and credible enforcement. FATF’s approach is explicit: countries must demonstrate effectiveness across Immediate Outcomes and show the system works against the highest risks in context.


Conclusion

If Europe’s AML/CFT system becomes associated with fragmented implementation, legally contested data-sharing, and uneven supervisory practice, counterparties may view the EU as operationally complex and vulnerable to arbitrage—a place where criminals can exploit mismatches between privacy law interpretation and AML imperatives. The reputational impact can show up in tougher due diligence expectations by correspondents and counterparties, reduced confidence in cross-border intelligence sharing, and a narrative that Europe’s controls are “strong on paper but hard to execute.” FATF’s own materials underline that effectiveness assessments examine whether legal and institutional frameworks produce expected results—not simply whether they exist.

The Global Coalition to Fight Financial Crime stands ready to support AMLA in delivering its vital mandate. By bringing together a broad community of subject matter experts, the GCFFC and its members can offer practical insights and collaborative expertise to help strengthen AMLA’s work. We remain committed to constructive engagement and to contributing wherever our collective knowledge can add meaningful value to AMLA’s mission.


Che Sidanius, Founder & Vice-Chair

Global Coalition to Fight Financial Crime