When EU legislators signed off on the Anti-Money-Laundering Regulation (AMLR) and Directive 6 (AMLD6) last year, the headline was clear:
“tear down the silos and let financial-crime data flow.”
The fine print—Article 75—goes even further, allowing (and sometimes obliging) banks, PSPs, crypto venues, casinos, and even luxury goods dealers to swap customer-level intelligence in private-to-private partnerships. The package is already in force (as of 10 July 2024) and will become fully applicable from 10 July 2027, according to Finnius Advocaten.
Great news for investigators. A nightmare for privacy officers.
Below, we unpack the new rule set, the GDPR paradox it creates, and how Wodan AI’s encrypted-in-use platform, Dropnir, enables you to comply with both without ever decrypting your data.
What changed?
 | AMLR | AMLD6 |
Legal form | Regulation (direct effect) | Directive (transpose) |
Key date | In force Jul 10, 2024 → applies Jul 10, 2027 | Same |
Headlines | Single EU rule-book, €10k cash cap, Article 75 information-sharing partnerships | Harmonised offences & penalties |
A political deal was struck on January 18, 2024, according to Finnius Advocaten.
Article 75 in one paragraph
“Members of partnerships for information sharing may share information where strictly necessary to meet their AML/CFT duties.” (Better Regulation)
- What’s shareable? Customer identifiers, transaction metadata, risk scores, and alert reasons.
- With whom? Any obligated entity, including national FIUs, across borders.
- Guard-rails? DPIA, supervisory notification, civil liability safe harbour.
The Privacy Paradox
AMLR wants… | GDPR insists on… |
Broad datasets & five-year retention | Data minimisation & “erase when no longer necessary” |
No customer consent (tipping-off risk) | Valid lawful basis & transparency |
Cross-border pooling | Purpose limitation & transfer safeguards |
Practitioners are already referring to this as the GDPR-AML dilemma: two EU flagships pulling in opposite directions (Mondaq).
Why PETs beat “trust me” NDAs
Stopping money-laundering networks means correlating patterns across institutions—but nobody wants another central data lake. Privacy-Enhancing Technologies (PETs)—federated queries, fully homomorphic encryption (FHE), secure enclaves—let firms compute on each other’s data without copying or decrypting it. Regulators from Singapore’s COSMIC to the US Patriot Act utilities have endorsed the approach; Article 75 now gives the EU a legal footing to do the same, according to William Fry.
Where Wodan AI fits
Dropnir: encrypted-in-use by design
Our containerised API layer keeps both the request and the response encrypted during processing. Peers only ever see ciphertext; Wodan AI never sees anything (Wodan AI – Secure AI).
Getting ready for 2027: a four-step playbook
- Stand up a sandbox: Spin up Dropnir and load hashed customer keys + minimal features to pass the “strict necessity” test.
- Run a joint DPIA: Map Article 75 controls line-by-line to GDPR Art 35 before you share a single byte.
- Federate, don’t replicate: Keep computations where the data already lives; pay only for the queries you run.
- Log everything: If you can’t prove why, when, and what you shared, expect fines.
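An added example for the sandbox and logging steps above (not Wodan AI's or Dropnir's code): it shows keyed pseudonymisation of customer identifiers, field minimisation, and a hash-chained record of why, when and what was shared. The shared HMAC key, the field allow-list and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import json
import unicodedata

# Assumed for this example: the partnership agrees a secret key and a field allow-list.
PARTNERSHIP_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_FIELDS = ("risk_score", "alert_reason")

def _digest(obj) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def pseudonymise(customer_id: str, key: bytes = PARTNERSHIP_KEY) -> str:
    """HMAC-SHA256 of a normalised identifier; unkeyed hashes of IBANs are guessable."""
    norm = unicodedata.normalize("NFKC", customer_id).replace(" ", "").upper()
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()

def minimise(record: dict, key: bytes = PARTNERSHIP_KEY) -> dict:
    """Keep only the keyed customer key and the allow-listed features."""
    out = {"customer_key": pseudonymise(record["customer_id"], key)}
    out.update({f: record[f] for f in ALLOWED_FIELDS if f in record})
    return out

def append_audit(log: list, why: str, when: str, shared: dict) -> dict:
    """Append a hash-chained entry recording why, when and what was shared."""
    entry = {"why": why, "when": when, "fields": sorted(shared),
             "record_digest": _digest(shared),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list) -> bool:
    """Recompute each hash and link; an edited or removed earlier entry fails."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    # Constructed sample record; the identifier is a made-up test value.
    rec = {"customer_id": "nl00 test 0123 4567 89", "name": "A. Example",
           "risk_score": 87, "alert_reason": "rapid pass-through"}
    log = []
    shared = minimise(rec)
    append_audit(log, "Art. 75 query (hypothetical case ref)", "2027-07-10T09:00:00Z", shared)
    print(shared, verify_chain(log))
```

The keyed hash lets two institutions match the same customer without exchanging the raw identifier, and only holders of the partnership key can test candidate identifiers against a shared key.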
Key take-aways
- Timeline: Rules are live now; mandatory from July 10, 2027.
- Opportunity: Private-private sharing to unmask mule networks.
- Risk: GDPR conflict on minimisation, consent, and retention.
- Fix: End-to-end encrypted federated analytics with Wodan AI Dropnir.
Ready to pilot a secure Article 75 partnership?
Book a 30-minute demo and discover how Dropnir keeps your AML models effective and your customer data secure and protected.