“tear down the silos and let financial-crime data flow.”

The fine print—Article 75—goes even further, allowing (and sometimes obliging) banks, PSPs, crypto venues, casinos, and even luxury goods dealers to swap customer-level intelligence in private-to-private partnerships. The package is already in force (as of 10 July 2024) and will become fully applicable from 10 July 2027, according to Finnius Advocaten.

Great news for investigators. A nightmare for privacy officers.

Below, we unpack the new rule set, the GDPR paradox it creates, and how Wodan AI’s encrypted-in-use platform, Dropnir, enables you to comply with both without ever decrypting your data.

What changed?

A political deal was struck on January 18, 2024, by Finnius Advocaten.

Article 75 in one paragraph

“Members of partnerships for information sharing may share information where strictly necessary to meet their AML/CFT duties.” Better Regulation

• What’s shareable? Customer identifiers, transaction metadata, risk scores, and alert reasons.
• With whom? Any obligated entity, including national FIUs, across borders.
• Guard-rails? DPIA, supervisory notification, civil liability safe harbour.

The Privacy Paradox

Practitioners are already referring to this as the GDPR-AML dilemma: two EU flagships pulling in opposite directions. Mondaq.

Why PETs beat “trust me” NDAs

Stopping money-laundering networks means correlating patterns across institutions—but nobody wants another central data lake. Privacy-Enhancing Technologies (PETs)—federated queries, fully homomorphic encryption (FHE), secure enclaves—let firms compute on each other’s data without copying or decrypting it. Regulators from Singapore’s COSMIC to the US Patriot Act utilities have endorsed the approach; Article 75 now gives the EU a legal footing to do the same, according to William Fry.

Where Wodan AI fits

Dropnir: encrypted-in-use by design

Our containerised API layer keeps both the request and the response encrypted during processing. Peers only ever see ciphertext; Wodan AI never sees anything. Wodan AI – Secure AI.

Getting ready for 2027: a four step playbook

1. Stand up a sandbox
   Spin up Dropnir and load hashed customer keys + minimal features to pass the “strict necessity” test.
2. Run a joint DPIA
   Map Article 75 controls line-by-line to GDPR Art 35 before you share a single byte.
3. Federate, don’t replicate
   Keep computations where the data already lives; pay only for the queries you run.
4. Log everything: If you can’t prove why, when, and what you shared, expect fines.

Key take-aways

• Timeline: Rules are live now; mandatory from July 10, 2027.
• Opportunity: Private-private sharing to unmask mule networks.
• Risk: GDPR conflict on minimisation, consent, and retention.
• Fix: End-to-end encrypted federated analytics with Wodan AI Dropnir.

Ready to pilot a secure Article 75 partnership?

Book a 30-minute demo and discover how Dropnir keeps your AML models effective and your customer data secure and protected.

Any questions? Contact us

The post Privacy paradox in AML regulation: Share data while not exposing PII appeared first on Wodan AI - Zero Trust AI.