Article 75 AMLR – Exchange of information in the framework of partnerships for information sharing
1. Members of partnerships for information sharing may share information among each other where strictly necessary for the purposes of complying with the obligations under Chapter III and Article 69 and in accordance with fundamental rights and judicial procedural safeguards.
2. Obliged entities intending to participate in a partnership for information sharing shall notify their respective supervisory authorities which shall, where relevant in consultation with each other and with the authorities in charge of verifying compliance with Regulation (EU) 2016/679, verify that the partnership for information sharing has mechanisms in place to ensure compliance with this Article and that the data protection impact assessment referred to in paragraph 4, point (h), has been carried out. The verification shall take place prior to the beginning of the activities of the partnership for information sharing. Where relevant, the supervisory authorities shall also consult the FIUs.
Responsibility for compliance with requirements under Union or national law shall remain with the participants in the partnership for information sharing.
3. Information exchanged in the framework of a partnership for information sharing shall be limited to:
| (a) | information on the customer, including any information obtained in the course of identifying and verifying the identity of the customer and, where relevant, the beneficial owner of the customer; |
| (b) | information on the purpose and intended nature of the business relationship or occasional transaction between the customer and the obliged entity, as well as, where applicable, the source of wealth and source of funds of the customer; |
| (c) | information on customer transactions; |
| (d) | information on higher and lower risk factors associated with the customer; |
| (e) | the obliged entity’s analysis of the risks associated with the customer pursuant to Article 20(2); |
| (f) | information held by the obliged entity pursuant to Article 77(1); |
| (g) | information on suspicions pursuant to Article 69. |
The information referred to in the first subparagraph shall only be exchanged to the extent that it is necessary for the purposes of carrying out the activities of the partnership for information sharing.
4. The following conditions shall apply to the sharing of information within the context of a partnership for information sharing:
| (a) | obliged entities shall record all instances of information sharing within the partnership; |
| (b) | obliged entities shall not rely solely on the information received in the context of the partnership to comply with the requirements of this Regulation; |
| (c) | obliged entities shall not draw conclusions or take decisions that have an impact on the business relationship with the customer or on the performance of occasional transactions for the customer on the basis of information received from other participants in the partnership for information sharing without having assessed that information; any information received in the context of the partnership that is used in an assessment resulting in a decision to refuse or terminate a business relationship or to carry out an occasional transaction shall be included in the records kept pursuant to Article 21(3), and that record shall contain reference to the fact that the information originated from a partnership for information sharing; |
| (d) | obliged entities shall carry out their own assessment of transactions involving customers in order to assess which ones may be related to money laundering or terrorist financing or involve proceeds of criminal activity; |
| (e) | obliged entities shall implement appropriate technical and organisational measures, including measures to allows pseudonymisation, to ensure a level of security and confidentiality proportionate to the nature and extent of the information exchanged; |
| (f) | the sharing of information shall be carried out only in relation to customers:(i)whose behaviour or transaction activities are associated with a higher risk of money laundering, its predicate offences or terrorist financing, as identified pursuant to the risk assessment at Union level and the national risk assessment carried out in accordance with Articles 7 and 8 of Directive (EU) 2024/1640;(ii)who fall under any of the situations referred to in Articles 29, 30, 31 and 36 to 46 of this Regulation; or(iii)for whom the obliged entities need to collect additional information in order to determine whether they are associated with a higher level of risk of money laundering, its predicate offences or terrorist financing; |
| (g) | information generated through the use of artificial intelligence, machine learning technologies or algorithms may only be shared where those processes were subject to adequate human oversight; |
| (h) | a data protection impact assessment referred to in Article 35 of Regulation (EU) 2016/679 shall be carried out prior to the processing of any personal data; |
| (i) | the competent authorities that are members of a partnership for information sharing shall only obtain, provide and exchange information to the extent that this is necessary for the performance of their tasks under relevant Union or national law; |
| (j) | where competent authorities referred to in Article 2(1), point (44)(c), of this Regulation participate in a partnership for information sharing, they shall only obtain, provide or exchange personal data and operational information in accordance with national law transposing Directive (EU) 2016/680 of the European Parliament and of the Council (44) and with the applicable provisions of national criminal procedural law, including prior judicial authorisation or any other national procedural safeguard as required; |
| (k) | the exchange of information on suspicious transactions pursuant to paragraph 3, point (g), of this Article shall only take place where the FIU to which the suspicious transaction report was submitted pursuant to Articles 69 or 70 has agreed with such disclosure. |
5. Information received in the context of a partnership for information sharing shall not be further transmitted, except where:
| (a) | the information is provided to another obliged entity pursuant to Article 49(1); |
| (b) | the information is to be included in a report submitted to the FIU or provided in response to a FIU request pursuant to Article 69(1); |
| (c) | the information is provided to AMLA pursuant to Article 93 of Regulation (EU) 2024/1620; |
| (d) | the information is requested by law enforcement or judicial authorities, subject to any prior authorisations or other procedural guarantees as required under the national law. |
6. Obliged entities that participate in partnerships for information sharing shall define policies and procedures for the sharing of information in their internal policies and procedures established pursuant to Article 9. Such policies and procedures shall:
| (a) | specify the assessment to be carried out to determine the extent of information to be shared, and where relevant for the nature of the information or the applicable judicial safeguards, provide for differentiated or limited access to information for members of the partnership; |
| (b) | describe the roles and responsibilities of the parties to the partnership for information-sharing; |
| (c) | identify the risk assessments that the obliged entity will take into account to determine situations of higher risk in which information can be shared. |
The internal policies and procedures referred to in the first subparagraph shall be drawn up prior to the participation in a partnership for information sharing.
7. Where supervisory authorities deem it necessary, obliged entities participating in a partnership for information sharing shall commission an independent audit of the functioning of that partnership and shall share the results with the supervisory authorities.