Client Alert 14 Jul. 2026

FinCEN’s updated information sharing rules and the growing complexity of international AML compliance

AML Information Sharing – US & EU Update on Regulatory Developments

On June 12, 2026, the U.S. Financial Crimes Enforcement Network (FinCEN) issued a landmark update to the operational guidance on Section 314(b) of the USA PATRIOT Act – the voluntary mechanism allowing financial institutions to share information with one another in the fight against money laundering, fraud, and financial crime. As Secretary of the Treasury Scott Bessent put it, financial institutions “need the tools to act quickly and share information that can help stop fraud before it spreads.” This alert sets out the principal features of the updated framework, places them in the context of parallel regulatory developments in Europe, and highlights the legal consequences of non-compliance.

The US framework: Section 314(b) and the June 2026 update

Section 314(b) provides a voluntary, safe-harbor mechanism allowing financial institutions – and associations of financial institutions – to share information about suspicious customers, transactions, and activities without incurring liability for such sharing, subject to compliance with applicable notice, verification, and data security requirements. Participation requires only registration with FinCEN through its online portal. The June 2026 update brings three headline clarifications about the programme’s operational scope, taking the form of a revised fact sheet and an interpretative guidance document issued by FinCEN.

  • Real-time sharing is now explicitly permitted. Financial institutions may share information as a suspicious transaction is occurring, not merely after the fact – a significant move toward a preventive, real-time model of financial crime detection.
  • Fraud is explicitly in scope. Activities suspected of involving fraud qualify as shareable “specified unlawful activities” (“SUAs”) for money laundering purposes. Institutions do not need to identify specific criminal proceeds: the mere suspicion of fraud is sufficient to trigger the safe harbor.
  • No restrictions on information type or sharing method. Virtually any relevant data may be shared – transaction records, IP addresses, device identifiers, transaction monitoring alerts, account-level decisions – whether in writing, verbally, or via electronic platforms, on a bilateral basis or within broader groups of institutions. Joint Suspicious Activity Reports (“SARs”) are also explicitly facilitated, enabling institutions to pool their findings in a single coordinated filing.

The June 2026 update has also attracted the support of the principal federal banking regulators. On July 9, 2026, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued guidance encouraging financial institutions to participate in the 314(b) programme and to avail themselves of the expanded safe harbor for fraud-related information sharing. Both agencies underscored the programme’s role in strengthening institutions’ ability to identify criminal activity and protect clients in real time. The Bank Policy Institute (BPI) welcomed the guidance and called on the other financial regulators to issue equivalent encouragement, as well as on Congress to further expand statutory safe harbors for fraud information sharing between banks and across sectors.

The EU AML Information Sharing: a parallel but distinct model

The Section 314(b) update does not occur in isolation. Across the Atlantic, Regulation (EU) 2024/1624 (the “AMLR”), fully applicable from July 10, 2027, will introduce a structurally comparable instrument: partnerships for information sharing under Article 75 AMLR (the “Partnership for Information Sharing”), enabling direct, peer-to-peer exchange of information between obliged entities, including on a cross-border basis.

The reporting obligations arising from the activities of a Partnership for Information Sharing are governed by Article 69 AMLR, which establishes a structured and tiered regime for the submission of suspicious transaction reports (STRs) to the competent Financial Intelligence Unit (“FIU”). While the framework encompasses distinct scenarios, the two aspects of greatest operational significance for institutions participating in a Partnership for Information Sharing are the single-report mechanism and the cross-border reporting obligation.

The single-report mechanism: the central operational mechanism introduced by Article 69(8) AMLR allows obliged entities that identified the suspicious transaction to designate one among them to submit a single report to the FIU on behalf of the group, in lieu of multiple parallel filings. This mechanism is available where the activities of a Partnership for Information Sharing give rise to knowledge, suspicion, or reasonable grounds to suspect that funds are the proceeds of criminal activity or are related to terrorist financing. Designation is voluntary: the entities may elect to use it, but are not required to do so. Where a designation is made, the single report must ensure full transparency to the FIU as to the identity of each participant, notwithstanding the consolidation of the filing.

Cross-border reporting obligations: where the participating obliged entities are established in more than one Member State, the single-report mechanism does not permit centralisation of all filings in a single jurisdiction. Instead, the report must be submitted to each relevant FIU: the participating entities must ensure that a report is filed by an obliged entity established within the territory of each Member State in which a competent FIU operates.

Two further scenarios complete the framework. First, where the participating entities elect not to avail themselves of the single-report mechanism – whether because no designation is made or the entities prefer individual filings – each entity submitting its own report must include a reference to the fact that the suspicion arose from the activities of a Partnership for Information Sharing. Second, pursuant to Article 69(9) AMLR, all obliged entities participating in a partnership that has submitted reports under Article 69(8) AMLR must retain a copy of those reports in accordance with the document retention obligations set out in Article 77 AMLR.

The development of the EU AML framework has not, however, proceeded without friction. The intersection of AML requirements with EU data protection law – in particular the General Data Protection Regulation (the “GDPR”) – has presented a recurring and material challenge to the full implementation of AML measures across the Union. A notable illustration is the judgment of the Court of Justice of the European Union of 22 November 2022 (Joined Cases C-37/20 and C-601/20), which invalidated the provision of the Fifth Anti-Money Laundering Directive requiring unconditional public access to beneficial ownership registers, on the grounds that it constituted an unjustified interference with the fundamental rights to privacy and data protection. As a direct consequence, the implementation of beneficial ownership transparency across the EU was significantly delayed and recalibrated. The same structural tension between effective AML cooperation and the protection of personal data arises in the context of the Partnership for Information Sharing: the mandatory data protection impact assessment prior to the sharing activity, and the required involvement of data protection authorities in the supervisory verification process, both reflect the imperative to reconcile financial crime prevention with fundamental rights. It is precisely this complexity that has prompted AMLA and the European Data Protection Board (“EDPB”) to adopt a coordinated approach.

A significant development in this regard arose on July 1, 2026. The EDPB and AMLA announced that they will jointly develop Guidelines on the Partnership for Information Sharing. The initiative reflects the recognition that AML information sharing necessarily involves the processing of personal data, and that the intersection of the AMLR and the GDPR requires dedicated regulatory guidance to be workable in practice. A stakeholder event is planned for later in 2026 to gather early input on the key elements requiring clarification, followed by a public consultation on the draft Guidelines in the first half of 2027 – just months before the AMLR becomes fully applicable. For institutions planning ahead, this means that the detailed operational framework governing how the Partnership for Information Sharing may lawfully function will not be fully settled until after the consultation process has concluded. Early monitoring of the Guidelines development process is therefore strongly advisable for any institution considering participation.

EU and US Compared: Five Key Structural Differences

Both the US and EU frameworks have moved to facilitate structured information sharing between financial institutions as a tool for addressing financial crime. The implementation models differ in several significant respects that institutions operating across both jurisdictions should bear in mind:

  • Prior supervisory notification required. Under Article 75(2) AMLR, institutions must notify their supervisory authority before commencing partnership activities; supervisory verification – which may involve data protection authorities – must be completed prior to the commencement of any sharing activities.
    Under Section 314(b), participation requires submission of a notice to FinCEN through its online Financial Industry Portal, together with verification that any counterparty institution has filed an equivalent notice – a considerably lighter procedural threshold, with no prior supervisory approval required.
  • No explicit peer-to-peer liability safe harbor. Article 72 AMLR protects disclosures made to the FIU but does not extend an equivalent affirmative safe-harbor to direct sharing between institutions within a partnership under Article 75.
    Section 314(b), by contrast, provides an express safe harbor covering liability for sharing between participating institutions directly.
  • Exhaustive categories of shareable data. Article 75(3) AMLR restricts sharing to a closed statutory list (customer identification data, transaction data, risk factors, and analyses). Section 314(b) does not impose comparable restriction on data type or format.
  • FIU consent required to share suspicion data. Under Article 75(4)(k) AMLR, disseminating information on suspicious transactions within a partnership requires prior authorisation from the FIU to which the relevant report was submitted. Section 314(b) does not impose a comparable prior-authorization requirement.
  • No real-time sharing provision. The AMLR does not expressly provide for information exchange as a transaction is occurring. 
    Section 314(b), by contrast, expressly authorises real-time sharing: institutions may exchange data as a suspicious activity is occurring – reflecting the preventive, operational focus that is the centrepiece of the June 2026 FinCEN update.


As both frameworks continue to evolve – the AMLR is subject to progressive implementation through 2027 and beyond – institutions subject to AML obligations in both jurisdictions shall comply with two materially distinct regimes. Coordinated, ongoing monitoring of regulatory developments across both systems will therefore be essential to ensure continued compliance.

The cost of non-compliance

Participation in Section 314(b) is voluntary and carries no sanction for non-participation. Its value lies in its role as a compliance enabler: structured information sharing supports the more effective identification and assessment of suspicious activity, directly assisting institutions in meeting the mandatory obligation under the Bank Secrecy Act (“BSA”), 31 U.S.C. § 5318(g), to file Suspicious Activity Reports (SARs). It is this mandatory SAR obligation – not Section 314(b) itself – that carries severe legal consequences for non-compliance:

  • Civil penalties (31 U.S.C. § 5321). Willful violations of BSA requirements may result in substantial civil fines; negligent violations are also sanctionable, with heightened exposure for patterns of non-compliance.
  • Criminal liability (31 U.S.C. § 5322). Willful violations may result in criminal fines and imprisonment, with significantly enhanced exposure in aggravated cases involving concurrent federal offences or sustained patterns of illegal activity.
  • Personal liability under the AML Act 2020 (31 U.S.C. §§ 5322(e), 5321(g)). Individuals convicted of such violations may be required to disgorge profits derived from the violation; those found guilty of egregious violations are barred from serving on the board of any US financial institution for ten years.

Civil and criminal penalties are not mutually exclusive and may both be imposed concurrently for the same violation (31 U.S.C. § 5321(d)).

The EU enforcement landscape presents a more varied picture. Sanctions for breaches of the AMLR – including the mandatory reporting obligations under Chapter V – are governed not by the AMLR itself, but by Directive (EU) 2024/1640 (the “AMLD6”). Under Articles 53 and 55 AMLD6, Member States must ensure that obliged entities are subject to effective, proportionate, and dissuasive pecuniary sanctions for serious, repeated, or systematic breaches. Supervisors may also apply a range of administrative measures, including suspension or withdrawal of authorisation and temporary bans on managerial functions (Article 56 AMLD6).

However, an harmonization policy at EU level is underway. Under AMLD6, AMLA was required to prepare and publish its draft regulatory technical standards on sanctioning criteria and methodology – covering gravity indicators, criteria for setting penalty levels, and methodology for periodic penalty payments – together with guidelines on base amounts for pecuniary sanctions broken down by type of breach and category of obliged entity, and to submit the final report to the European Commission for adoption (Article 53(10) AMLD6). The final report has been published, laying the foundation for a consistent European AML enforcement regime; the draft RTS is being submitted to the European Commission for adoption and subsequent publication in the Official Journal of the EU. 

Furthermore, the European Commission was required to adopt delegated acts defining penalty categories and criteria for breaches of the beneficial ownership transparency requirements under Article 68(2) AMLR. The Commission announced in February 2026 its intention to adopt the delegated regulation in Q3 2026; however, as of July 10, 2026, the text has not yet been published.

Key dates & events

DateEvent
H1 2027Public consultation on draft EDPB/AMLA Joint Guidelines on partnerships for information sharing under Article 75 AMLR (to be published ahead of the July 2027 application date)
July 10, 2027
  • EU AML Regulation (Reg. 2024/1624) fully applicable
  • Deadline for Member States whose legal systems do not provide for administrative sanctions to communicate to the Commission the national law measures adopted to implement the AMLD6 sanctioning regime
October 10, 2027Deadline for Member States to notify the Commission and AMLA of their national arrangements for the imposition of pecuniary sanctions and application of administrative measures, including any procedures requiring recourse to judicial authorities

What you should do now

If your institution operates in the United States and has not yet registered under Section 314(b), the June 2026 update provides a compelling basis to assess whether participation in information sharing would strengthen your AML/CFT compliance framework. For EU-based institutions subject to AML/CFT reporting obligations under the AMLR, engaging with the evolving regulatory architecture now – including active monitoring of the EDPB/AMLA Joint Guidelines process and the AMLA supervisory framework – is essential to ensure readiness well ahead of the July 2027 application date. In both jurisdictions, timely and accurate SAR filing is a mandatory, non-delegable obligation. Institutions that have not yet assessed the adequacy of their reporting frameworks should do so without delay.
 

Related resources

client alert

FinCEN’s updated information sharing rules and the growing complexity of international AML compliance

Read

client alert

OFAC Launches Reconsideration Portal and Publishes New Guidance to Streamline Delisting Petitions

Read

news

SCOTUS Decision Upholding Birthright Citizenship Favors Amici Represented by Curtis Pro Bono

Read