Effectively combating money laundering is one of the key challenges for the stability, integrity and reputation of the European financial system. Despite considerable investment in compliance frameworks and monitoring systems, financial institutions have thus far only to a limited extent been able to identify complex money laundering networks at an early stage. The reason for this is less a lack of data than its fragmentation along institutional and national borders. While criminal actors spread their activities across numerous banks, financial institutions are confined to a distinct insular view, which is further reinforced by data protection law, banking secrecy and regulatory requirements. This article describes this fundamental tension and shows how the data trustee EuroDaT opens up a technically and legally robust perspective for data protection-compliant, cross-bank information exchange with the safeAML use case.
1. Combating money laundering given the conflicting priorities of effectiveness and regulation
Regulatory requirements for financial institutions in the area of money laundering prevention (AML) have become increasingly stringent in recent years. National regulations such as the German Money Laundering Act (GwG) and European requirements oblige institutions to carry out risk-based customer checks, ongoing transaction monitoring and to submit suspicious activity reports to the Financial Intelligence Unit (FIU). At the same time, the General Data Protection Regulation, banking secrecy and regulatory requirements impose strict limits on the processing and disclosure of personal and transaction-related data.
In practice, this regulatory architecture leads to a structural limitation of the effectiveness of existing prevention mechanisms. Money laundering is typically not confined to individual institutions, but is rather perpetrated via complex transaction chains, ring bookings or layering structures involving several banks (see Figure 1). However, each institution only sees the transactions in which it itself is involved. The holistic analysis of financial flows – a core principle of modern AML initiatives – is therefore highly complex or even impossible in practice. As a result, there is an asymmetry of information in favor of criminal networks, while banks only have limited means of investigation despite the high regulatory burden.
2 EuroDaT: A data trustee as an infrastructure model within the regulatory framework
Against this backdrop, EuroDaT and its use case safeAML address a key gap in European data and financial market regulation. EuroDaT is a use case-agnostic infrastructure for secure, fiduciary transaction-based data exchange and joint data analysis. The operating company, EuroDaT GmbH, is a wholly-owned subsidiary of the State of Hesse and is deliberately designed to be neutral. This institutional anchoring corresponds to the guiding principle of the European Data Governance Act, which envisages data trustees as trustworthy data intermediaries.
The core of the model is the technical safeguarding of data sovereignty through EuroDaT’s transaction-based operating principle (see Figure 2). Data is not stored centrally on a permanent basis, but is only merged and processed in encrypted form in isolated, temporary processing environments on an ad hoc basis during dedicated data transactions. Neither the financial institutions nor EuroDaT have access to these processing environments, which are completely deleted once the respective transaction has been completed. This approach follows the “compliance by architecture” principle, according to which regulatory requirements are not only organizationally agreed, but also technically secured. This approach creates a trustworthy framework for cooperation, especially for highly regulated areas such as the financial sector.
3. SafeAML: Cross-bank analysis without data disclosure
The use case safeAML is the first dedicated operationalisation of the transaction-based data trustee model in the AML space. safeAML is not a central database, but a platform for event-driven requests for information between banks. The starting point is always an existing suspicious transaction that has been identified in the regular transaction monitoring of an institution. On this basis, safeAML checks whether the flagged transaction is part of a larger, cross-institutional network.
Via the EuroDaT infrastructure, the safeAML app automatically forwards corresponding requests to other participating institutions, which in turn search for connected transactions. In a protected processing environment, the responses are secured by format-preserving pseudonymization and encryption of the relevant account information and compiled into a cross-bank transaction graph. This makes complex patterns visible that would not be recognizable by individual institutions alone. Only the requesting bank receives the results, but account data that the requesting bank did not already know before the request remains masked. All data received by EuroDaT is deleted immediately after each transaction. The raw data remains with the providing institutions (for a more detailed description of the process, see Thomas 2025).
In regulatory terms, it is important to note that safeAML does not shift any obligations under AML legislation. The assessment of the facts and a possible suspicious activity report to the FIU remain entirely in the institutions’ responsibility. safeAML serves to enrich existing information and can therefore increase the quality of existing prevention processes without creating new data protection risks.
Conclusion
EuroDaT and its use case safeAML demonstrate that data protection, data sovereignty and effective anti-money laundering do not have to be mutually exclusive. A neutral, transaction-based trustee infrastructure enables efficient cross-bank analysis of suspicious financial flows within the existing legal framework for the first time, without requiring centralized data collection or uncontrollable data exchange. This addresses a structural limitation of the existing prevention architecture, which results from the isolated consideration of individual institutions.
At the same time, safeAML can be seen as a practical learning field for the further development of European anti-money laundering initiatives. With the new EU AML package, consisting of AML Regulation (EU) 2024/1624, AMLA Regulation (EU) 2024/1620, Money Transfers Regulation (EU) 2023/1113 and AML Directive (EU) 2024/1640 as well as the establishment of AMLA, the coordinated exchange of information between obliged entities is moving more into the focus of regulation. In this context, data trustee models such as EuroDaT can act as technical enablers translating regulatory objectives into operational processes without shifting existing responsibilities or supervisory competencies.
In this respect, the current pilot operation with Commerzbank, Deutsche Bank and N26 does not mark an end point, but an important intermediate step. The key success factor will be the extent to which the model can be scaled, the regulatory framework for data exchange is further developed and sufficient adoption is achieved among other financial institutions. If this is successful, transaction-based data trustee could become a key component of modern European AML initiatives and data regulation in the future.
Thomas, D. [2025]: SafeAML via EuroDaT: Vernetzung von Banken zur Effektivierung derGeldwäscheprävention, in: Geldwäsche & Recht 04/2025, S. 124-127