Logo and page links

Main menu

Information sharing to strengthen anti-money laundering efforts

In this sandbox project, Eika Gruppen and KPMG explored the legal scope for increased and more effective data sharing between banks as a means of combating economic crime. The project concludes that the current regulatory framework provides some, but limited, scope for data sharing.

Illustration: banknotes on a clothesline
Illustration: banknotes on a clothesline

About the project

Eika Gruppen AS consists of almost 50 local savings banks of various sizes in Norway. The group is an alliance owned by the banks, providing a range of shared services for its members.

Eika Gruppen AS wishes to explore the possibilities for greater collaboration across the alliance. This will improve efficiency in their operations and better enable them to fulfil their mission of combating economic crime.

In this sandbox project, the organisation, together with KPMG, has been under the guidance of the Data Protection Authority and the Financial Supervisory Authority. The aim was to identify legal limitations, assess the scope for data sharing and explore practical solutions that could strengthen the banks’ anti–money laundering efforts.

The final report, prepared by Eika and KPMG, summarises the assessments made in the project. The assessments are based on the guidance provided by the Data Protection Authority and Finanstilsynet through their collaboration in the regulatory sandbox.

The need for regulatory amendments was also discussed. The Data Protection Authority used the experience from the project as a basis for providing input to the Ministry of Finance’s consultation on amendments to the Financial Institutions Act. The Financial Supervisory Authority also used the experience from the project in its consultation draft.

Summary of the project's discussions and findings

We summarise some of the participants’ findings from the sandbox below, which we believe may be highly relevant for similar organisations. The report provides the context for the assessments, and we therefore recommend reading it in its entirety.

In the project, the participants explored the possibilities for data sharing under current law at various stages of anti–money laundering work. Such work includes customer assessment, the detection phase and the investigation phase.

  • Restrictions on sharing personal data concerning a customer relationship between banks are primarily governed by the confidentiality obligation under the Financial Institutions Act and the disclosure prohibition under the Anti-Money Laundering Act. Where the sharing of personal data is prohibited due to a confidentiality obligation, it cannot be permitted under the data protection regulations either. Therefore, actors must identify one or more exceptions to the confidentiality obligation or disclosure prohibition before assessing whether the data sharing complies with the data protection regulations. The discussions in this sandbox project have primarily focused on the scope of the exceptions in these legal provisions.
  • Data sharing for the purpose of assessing customers: In this context, assessing a customer refers to evaluating the risk they pose. This assessment can take place both when establishing a customer relationship and during the course of the relationship. During the project, the participants explored the possibility of sharing information about already identified suspicion of money laundering or other economic crime between banks in the alliance, for use in customer assessments.
    • The participants concluded that the scope for sharing data for customer assessments is limited under the current regulations in the Financial Institutions Act and anti-money laundering legislation.
    • Under the current legal framework, data sharing is primarily permitted in cases of suspected fraud.
  • Data sharing during the detection phase: The detection phase is the period before a red flag is raised regarding a customer, and before the investigation obligation under the anti-money laundering regulations comes into effect. The participants wished to explore the possibilities under current law for sharing data that may not be associated with suspicion in an individual bank, but could collectively signal suspicion.
    • The participants concluded that there are very limited options for sharing data to flag potential suspicions, i.e. before any suspicion has been formally established. Sharing such data would generally not meet the necessity requirement under either the Anti-Money Laundering Act or the Financial Institutions Act
  • Data sharing during the investigation phase: By the investigation phase, we mean the period after a red flag has been raised regarding a customer. The participants wanted to explore how investigators in Eika Gruppen or an individual alliance bank could incorporate data from other banks in the alliance when it is relevant for further investigations in their own bank.
      • The participants concluded that the Anti-Money Laundering Act provides scope to exchange necessary information during this phase.
  • The participants highlighted that they expect the amendments to Section 16-2 of the Financial Institutions Act, which were under consultation in autumn 2025, to provide greater scope for data sharing. This will be particularly relevant during the detection phase.

We emphasise that it is important for payment service providers to consistently and continuously assess the principle of data minimisation. This ensures that they only share and process information that is essential for the prevention, investigation or exposure of payment fraud.

The final report has been prepared by the sandbox participant – Eika Gruppen and KPMG. The legal assessments in the report have been made by the companies, under the guidance of the Data Protection Authority and the Financial Supervisory Authority.

The final report is only avaible in Norwegian. Go to the article.