Two supervisors, one rulebook

For the first time, the European Data Protection Board and the newly operational Anti-Money Laundering Authority are writing a single set of rules together. Their 1 July 2026 announcement commits both bodies to Joint Guidelines on how firms can pool intelligence to fight money laundering and terrorist financing while still respecting the General Data Protection Regulation. A joint drafting team drawn from both authorities will lead the work, and the two supervisors say they will contribute as equals.

The significance for owners and operators is structural. Until now, a bank that wanted to share suspicious-activity signals with a peer faced two supervisors who could reach different conclusions about the same transfer. One coordinated text removes that fork in the road. It is the clearest signal yet that Brussels intends to run financial-crime supervision and data protection as one joined-up regime rather than two agencies talking past each other.

What Article 75 actually permits

The legal engine is Article 75 of the AML Regulation. It authorises obliged entities - banks, payment firms, crypto-asset providers, and other regulated professionals - to exchange information with each other and with public authorities where doing so serves the fight against financial crime. That is a meaningful widening of the channels through which customer data can lawfully move between competitors.

The catch is that every such exchange is also a processing of personal data, and therefore lives under the GDPR. The Joint Guidelines exist to resolve that tension: to spell out how a sharing partnership can be built so that it is defensible under both regimes at once. Owners should read this as the compliance blueprint that will define what a legally clean information-sharing partnership looks like across the bloc.

The 10 July 2027 clock

The information-sharing mechanism under the AML Regulation becomes effective on 10 July 2027. That is not a soft target. Banks and financial institutions that intend to use the new sharing powers - or that will be asked by partners to receive shared data - need governance, contracts, and data-protection assessments in place before that date.

The sequencing is tight. The regulators plan to hold a stakeholder event later in 2026 to surface the points that most need clarifying, then open a public consultation on the draft Guidelines in the first half of 2027. That leaves a narrow window between final text and the go-live date, so firms cannot wait for the finished Guidelines before starting design work.

The owner's move

The practical instruction for boards is to treat this as a joint AML-and-privacy programme, not a single-desk compliance chore. Legal, financial-crime, and data-protection functions that have historically run separately now need to answer to one coordinated standard, which means they should be planning together now rather than reconciling positions after the Guidelines land.

There is also a strategic upside. Firms that engage with the stakeholder event and the 2027 consultation get to shape the rulebook they will live under, and early movers can turn a clean sharing framework into a competitive edge in trust and speed. The cost of waiting is a scramble in the second half of 2027 against a deadline that will not move.