17 June 2025
The Proposed Anti-Money Laundering Authority (AMLA) and the Future of FIU Collaboration in Europe
What data protection tells us about the next phase of AML/CFT
The European Commission’s 2021 AML/CFT package aims to rewrite how the EU prevents money laundering and terrorist financing. Central to that package is the proposed Anti‑Money Laundering Authority (AMLA), a Union body charged with strengthening supervision, improving consistency across member states, and supporting cross‑border operational cooperation. For financial crime practitioners, compliance teams and investigators, the two most consequential shifts are the greater ambition for joint FIU activity across borders and the decision to assign long‑term hosting, management and development of FIU.net to a Union body. Both moves promise better cross‑border intelligence flows – but they also push data protection to the centre of the debate. This article explains how AMLA’s operational role interacts with EU data‑protection rules, why the legal nature of national FIUs matters, and what practical tensions will need to be resolved if AMLA is to enable effective, rights‑compliant FIU collaboration.
EU data protection instruments that shape FIU activity
Three bodies of EU secondary law govern personal‑data processing relevant to AML/CFT work: the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Law Enforcement Directive (LED, Directive (EU) 2016/680), and the data‑protection regulation for Union institutions, bodies, offices and agencies (EUDPR, Regulation (EU) 2018/1725). Each has a different scope and different consequences.
The GDPR applies directly to most private obliged entities and to administrative data processing that does not fall under the LED’s law‑enforcement remit. The LED governs processing by “competent authorities” for prevention, investigation, detection or prosecution of criminal offences; it affords law‑enforcement actors specific flexibilities tailored to those tasks. The EUDPR applies to Union bodies and is the primary text for any data processing by AMLA once it is established.
Which of these regimes applies to a given FIU interaction depends on two interlocking facts: the legal nature and competences of the FIU involved and the purpose of the processing. That determination matters because it affects which rules on lawfulness, purpose limitation, necessity, proportionality, data retention and cross‑border transfers apply – and whether additional safeguards and oversight are required.
Why the nature of the FIU changes the legal picture
Across EU member states FIUs have different legal characters. Some are administrative units (reporting to ministries, central banks or supervisors), some are embedded in law‑enforcement or prosecutorial structures, and others are hybrids. That variety is not academic: it determines what data FIUs may lawfully hold and share, which legal framework (GDPR or LED) governs exchanges, and whether an administrative FIU may receive law‑enforcement data that only LED‑competent authorities are permitted to process.
The consequences are concrete. An administrative FIU often lacks statutory powers to freeze assets or access operational law‑enforcement databases; it may also be limited to processing suspicious‑transaction reports and basic financial information. A law‑enforcement FIU can typically access investigative material and criminal‑justice records. Yet the EU reform package extends access rights and encourages joint analyses across FIUs. If an administrative FIU is suddenly asked to handle or receive law‑enforcement data, conflicts with necessity, proportionality and purpose‑limitation principles may arise. Several thorny questions follow: which FIUs can exchange which kinds of records, under what legal basis, and with what oversight?
AMLA’s proposed roles that trigger data‑protection friction
The AMLA Regulation envisages concrete operational roles that interact with personal data in multiple ways:
- hosting, managing and developing FIU.net, the EU network that supports FIU-to‑FIU information exchange;
- assisting and facilitating joint analyses and joint analysis teams for cross‑border suspicious‑transaction and suspicious‑activity cases;
- enabling administrative agreements and operational cooperation with third‑country FIU counterparts and other authorities;
- issuing guidance, recommendations and technical standards that will influence how data is handled.
Any Union body that handles or enables exchanges of personal data must comply with the EUDPR. The AMLA will therefore need a careful, documented legal architecture for each processing activity: identifying legal bases, assigning controller/processor roles, setting retention and access limits, and establishing redress and audit mechanisms.
FIU.net hosting: centralised administration, decentralised storage, or hybrid?
FIU.net was built as a decentralised network in which FIUs retain control of their own data; it supports case exchanges, cross‑border reporting, and an anonymous cross‑match feature (Ma3Tch) that identifies matching leads without disclosing underlying personal data until authorised. The system was embedded into Europol in 2016 to increase operational synergy. That raised data‑protection concerns: the EDPS found Europol lacked an adequate legal basis for acting as long‑term technical administrator of FIU.net and temporarily suspended some processing arrangements pending a transfer to a more appropriate host.
Placing FIU.net within AMLA offers advantages: coherent EU oversight, a single point to develop secure shared services, and harmonised operational standards. But it also raises specific risks:
- centralising the infrastructure can create a single point that sees or routes sensitive personal data unless architecture and access rules strictly limit AMLA’s access to the minimum necessary;
- differences in FIU legal types mean some FIUs should not hold or receive certain law‑enforcement records; AMLA must respect these limits when enabling searches, matches or data routing;
- anonymous matching services must remain genuinely privacy‑preserving: failure to maintain robust minimisation and cryptographic protections will undermine both legality and operational reliability.
Operational controls, cryptographic pseudonymisation for matching (so that the host compares keyed tokens rather than identities and cannot recover the underlying data on its own), strict role‑based access, and comprehensive logging and oversight are preconditions if AMLA is to host FIU.net without breaching data‑protection norms.
Joint analyses, controller responsibilities and access rules
The package formalises joint analysis teams for cross‑border suspicious cases, with AMLA assisting in setting them up and providing a secure channel for communication. Practically this arrangement raises immediate controller/processor questions. Who determines the purposes and means of processing in a joint analysis: the national FIUs that contribute data, or AMLA as host and facilitator? If AMLA defines purposes or processes data to a substantial degree, it may be a controller under the EUDPR and must carry corresponding responsibilities (lawfulness, DPIAs, records of processing, cooperation with the EDPS).
Even where AMLA remains a technical host, the Authority will need clear contractual and operational agreements that:
- define who decides the analytic scope and how access to contributors’ raw data is authorised;
- provide guarantees that administrative FIUs are not given operational law‑enforcement data they are not permitted to process;
- require joint analyses to document legal bases and proportionality assessments for each data element shared;
- establish cut‑offs, minimisation and retention rules tied to the original lawful purpose.
Cross‑border transfers and third countries: legal safeguards are essential
AMLA is empowered to help conclude administrative agreements with third‑country authorities. Under the EUDPR, transfers of personal data to third countries require a Commission adequacy decision or, absent that, appropriate safeguards such as a legally binding and enforceable instrument between public authorities, contractual clauses, or provisions inserted into an administrative arrangement between public authorities; the latter two routes require prior authorisation by the European Data Protection Supervisor. In practice AMLA will therefore need to coordinate closely with the EDPS when developing mechanisms with non‑EU partners. Where third‑country partners lack equivalent protections, AMLA and national supervisors must assess whether the transfer is genuinely necessary and proportionate for AML/CFT objectives and build enforceable safeguards – technical, legal and organisational – before any exchange takes place.
Practical steps that will reduce conflict and preserve operational value
If AMLA is to strengthen cross‑border FIU cooperation without breaching fundamental rights, the following pragmatic priorities should guide implementation:
- map FIUs’ legal status and competences. AMLA must maintain and publish an authoritative, up‑to‑date register of which FIUs are administrative, law‑enforcement or hybrid and what categories of data each may lawfully process and receive;
- adopt privacy‑by‑design for FIU.net. The hosting model must limit AMLA’s access to metadata needed for system health and deny routine access to personal data unless narrowly authorised; cryptographic matching and secure multi‑party computation techniques should be used to preserve functionality while minimising disclosure;
- clarify controller/processor roles for joint analyses. Standard operating procedures and written agreements must spell out who decides purposes and means; where AMLA acts as controller it must carry the full suite of EUDPR obligations; where it is a processor, strict contractual constraints are required;
- require documented necessity and proportionality assessments for each cross‑border data exchange or joint analysis, with DPIAs and EDPS consultation where significant privacy risks exist;
- harmonise retention and deletion rules. Joint analyses must not create ad‑hoc retention creep; data access windows and deletion triggers tied to the original lawful purpose should be mandatory;
- build transparent audit, oversight and redress. FIUs, supervising authorities and the EDPS must be able to audit AMLA‑hosted processes and give affected data subjects meaningful redress options;
- set stringent rules for third‑country agreements. Any administrative agreement with non‑EU partners must include enforceable safeguards, oversight mechanisms and technical protections, and AMLA should co‑ordinate closely with the EDPS and Commission on equivalence assessments.
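The cryptographic pseudonymisation for matching mentioned twice above (as a precondition for hosting FIU.net, and as part of the privacy‑by‑design priority) can be made concrete. The following is an added example written for this page; it is not FIU.net’s or Ma3Tch’s own implementation, and it does not claim to reproduce their algorithm. It assumes a hypothetical network‑wide HMAC key (MATCH_KEY) that the FIUs hold and the host does not, and the FIU records and the adversary’s candidate list are constructed. It shows three things: each FIU tokenises its own records locally, the host intersects opaque tokens and learns only which FIUs share a lead, and a host that also holds a candidate list recovers identities from unkeyed hashes but not from keyed tokens.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical network-wide match key (assumption for this example). Held by
# the FIUs that submit tokens, never by the host that performs the cross-match:
# whoever holds the key can rebuild tokens for guessed identities.
MATCH_KEY = b"constructed-fiu-network-match-key"  # constructed; rotate per matching period

# Constructed records: (name, date of birth) per FIU. Spelling, case and
# diacritics differ deliberately so that the normalisation step is exercised.
FIU_DATA: Dict[str, List[Tuple[str, str]]] = {
    "FIU_A": [("Jan de Vries", "1980-03-14"), ("Maria Rossi", "1975-11-02")],
    "FIU_B": [("JAN  DE VRIES", "1980-03-14"), ("Pierre Dubois", "1990-07-21")],
    "FIU_C": [("María Rossi", "1975-11-02")],
}

# Constructed list of identities a curious host might already hold (open
# sources, a leaked dataset, ...) and use for a dictionary attack on tokens.
CANDIDATES: List[Tuple[str, str]] = [
    ("Jan de Vries", "1980-03-14"),
    ("Pierre Dubois", "1990-07-21"),
]


def normalise(name: str, dob: str) -> str:
    """Canonicalise an identity before hashing so trivial spelling variants
    produce the same token: strip diacritics, casefold, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.casefold().split()) + "|" + dob.strip()


def pseudonymise(name: str, dob: str, key: bytes = MATCH_KEY) -> str:
    """Keyed token: HMAC-SHA256 over the canonical identity. Without the key a
    party cannot test guesses against the token."""
    return hmac.new(key, normalise(name, dob).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(name: str, dob: str) -> str:
    """The weak alternative: plain SHA-256 of the canonical identity. Anyone
    holding a candidate list can recompute and match it."""
    return hashlib.sha256(normalise(name, dob).encode("utf-8")).hexdigest()


def cross_match(submissions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Host-side step. The host sees only FIU identifiers and opaque tokens and
    returns the tokens submitted by two or more FIUs, i.e. the leads to follow
    up bilaterally. No underlying personal data passes through this function."""
    holders: Dict[str, Set[str]] = {}
    for fiu, tokens in submissions.items():
        for token in tokens:
            holders.setdefault(token, set()).add(fiu)
    return {token: fius for token, fius in holders.items() if len(fius) >= 2}


def dictionary_attack(tokens: Iterable[str], candidates, hasher) -> Dict[str, Tuple[str, str]]:
    """What a host can recover from the tokens it holds if it also holds a
    candidate list: recompute the token for every candidate and look it up."""
    table = {hasher(n, d): (n, d) for n, d in candidates}
    return {t: table[t] for t in tokens if t in table}


def build_submissions(hasher) -> Dict[str, Set[str]]:
    """Each FIU tokenises its own records locally before anything leaves it."""
    return {fiu: {hasher(n, d) for n, d in records} for fiu, records in FIU_DATA.items()}


def run_keyed_match() -> Dict[str, Set[str]]:
    """Full flow with keyed tokens: FIUs tokenise, host intersects."""
    return cross_match(build_submissions(pseudonymise))


def host_recovery(keyed: bool) -> Dict[str, Tuple[str, str]]:
    """Identities the host recovers by dictionary attack. With keyed tokens the
    host lacks MATCH_KEY, so it can only try unkeyed guesses, which never hit."""
    hasher = pseudonymise if keyed else unkeyed_hash
    all_tokens = set().union(*build_submissions(hasher).values())
    return dictionary_attack(all_tokens, CANDIDATES, unkeyed_hash)


if __name__ == "__main__":
    for token, fius in run_keyed_match().items():
        print(f"lead {token[:16]}... shared by {sorted(fius)}")
    print("recovered from keyed tokens:", host_recovery(keyed=True))
    print("recovered from unkeyed tokens:", host_recovery(keyed=False))
```

Two caveats follow from the design. First, a keyed token only protects against parties that do not hold the key, so the key must stay with the FIUs (and be rotated), and the host must receive nothing but tokens and FIU identifiers; if the host ever obtains the key, the tokens degrade to the unkeyed case shown by host_recovery(keyed=False). Second, normalisation widens what counts as a match and therefore what is disclosed as a lead; the rules for it belong in the documented legal basis for the exchange, not in an ad‑hoc setting on the host. Private set intersection or secure multi‑party computation, mentioned in the priority above, remove the shared key altogether at the cost of more complex protocols.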
Conclusion: better cooperation only if rights are baked in
AMLA has the potential to materially improve cross‑border FIU cooperation, reduce friction in information exchange and professionalise joint analysis of transnational financial crime. Those gains will not be realised if data‑protection constraints are treated as obstacles to be worked around. Instead, AMLA should treat data protection as an enabling design principle: map FIU competences, adopt privacy‑preserving technical architecture for FIU.net, adopt clear legal roles for joint analysis workflows, and build strong oversight with the EDPS. Doing so will protect fundamental rights while improving the quality and reliability of financial‑crime intelligence – exactly the twin goals that a modern European AML/CFT framework should pursue.
Dive deeper
- Research: Kosta, E. (2025). The proposed anti-money laundering authority and the future of FIU collaboration in Europe. In M. Bergström & V. Mitsilegas (Eds.), EU law in the digital age (Swedish Studies in European Law, Vol. 19, pp. 123–136). Hart Publishing. https://doi.org/10.5040/9781509981212.ch-008
Licensed under CC BY-NC-ND 4.0, with no changes made.