
AMLA Says GDPR Will Not Block Intra-Group AML Sharing


The EU’s new anti-money laundering authority is facing pressure to settle a growing compliance question: can group companies share AML-relevant information without breaching GDPR? The short answer emerging from the debate is yes, because EU AML law is designed to require meaningful information exchange inside corporate groups, while privacy rules still apply through safeguards such as necessity, proportionality and purpose limitation.

The issue matters for banks, payment firms, crypto-asset businesses and other obliged entities operating across borders. These firms often need to compare customer files, ownership structures, transaction patterns and suspicious activity indicators across subsidiaries and branches in different countries to identify risk links that would be invisible in isolated local systems.

AMLA, the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism, has been created to coordinate national authorities and strengthen consistency across the bloc’s AML framework. Its role is becoming more important as firms seek practical guidance on how to reconcile the anti-financial crime obligations of the new EU AML package with the data protection limits imposed by GDPR.

Under Regulation (EU) 2024/1624, the EU’s new AML regulation, group-wide rules are central to the framework. The regulation says AML/CFT measures should be applied in a way that supports uniform policies and controls across groups, and it also states that financial activities or services provided by members of a group to other members of that group are not intended to be treated as ordinary customer-facing activity. It also points toward mandatory group coordination by requiring common internal controls and risk-based procedures that reflect the size, nature and complexity of the business.

A key policy point in the regulation is that entities within a group should exchange information where that sharing is relevant for preventing money laundering and terrorist financing. Separate commentary on the new AMLR framework says the scope of mandatory exchange can include customer identity information, beneficial ownership structures, business relationship details and suspicion-related analysis, with the caveat that information must still be shared only as needed and with safeguards.

That is where GDPR enters the discussion. Privacy law does not prohibit AML processing outright; instead, it requires a lawful basis, clear limits on the use of data and a justified need for retention and sharing. In the AML context, legal-obligation processing can provide that basis, but firms still need to ensure the sharing is targeted, documented and limited to what is necessary for compliance purposes.

For the financial sector, the practical message is that GDPR is not a shield against AML coordination. Groups cannot simply refuse to share risk information with a parent company or a sister entity by citing privacy law if that information is needed for due diligence, transaction monitoring, suspicious activity assessment or group-wide risk management. At the same time, firms cannot treat AML as a blank cheque for unlimited data pooling, because GDPR still applies to how the information is collected, access-controlled, stored and reviewed.

The tension has become more visible as the EU prepares for a more centralized AML supervision model. AMLA’s website says it will coordinate national authorities and enhance cooperation among financial intelligence units, while its latest communications show the authority is already working on consultations and common technical standards for cooperation. That means the privacy-versus-AML debate is no longer theoretical; it is moving into the operational guidance firms will need to implement.

Industry and policy voices have warned that unresolved uncertainty could undermine the EU’s financial crime defenses. Recent commentary and advocacy have argued that conflicting interpretations of privacy rules may create compliance gaps that criminals could exploit, especially when firms hesitate to share information inside cross-border groups. The core concern is that fragmented information creates fragmented risk detection, weakening the overall effectiveness of AML controls.

The upcoming challenge for AMLA will be to translate the high-level rule into workable compliance guidance. Firms are likely to look for clearer direction on when intra-group sharing is allowed, what categories of AML data can be exchanged, how to document necessity and proportionality, and how to apply “need to know” restrictions within large financial groups. Such guidance would be especially important for multinational institutions that operate in jurisdictions with different supervisory expectations.

For now, the legal direction is clear enough for compliance teams to prepare. EU AML rules expect groups to share relevant information when it is needed to prevent money laundering and terrorist financing, while GDPR continues to govern how that information is handled. The practical task for firms is to build systems that support both obligations rather than treating them as mutually exclusive.

© 2026 Prudent
