What does AMLR Article 75 mean for CASPs?

Crypto-asset service providers (CASPs) already fall under the EU's anti-money-laundering rules. From 10 July 2027, a new rule lets them share information with other institutions to fight money laundering: Article 75 of the EU's Anti-Money Laundering Regulation (Regulation (EU) 2024/1624, known as AMLR). It opens a way for a CASP to cooperate inside an approved partnership, but within narrow limits. Several of the practical details are still being worked out.
What is AMLR Article 75?
Article 75 of the AMLR sets up a legal framework for what it calls "partnerships for information sharing." Inside such a partnership, obliged entities may exchange information with each other where this is strictly necessary to meet their anti-money laundering and counter-terrorist-financing obligations, in particular customer due diligence under Chapter III of the AMLR and the reporting of suspicions under Article 69.
The aim is collective intelligence. A single firm sees only its own slice of a customer's activity. A network of firms, sharing within clear rules, can spot laundering patterns that no member could see alone. The regulation pairs that ambition with safeguards for privacy and data protection.
Are crypto-asset service providers covered?
Yes, and in fact they already carry AML obligations now. CASPs are subject to the same core requirements and supervision as credit and financial institutions. The Travel Rule, under the Transfer of Funds Regulation, Regulation (EU) 2023/1113, has applied to crypto transfers since 30 December 2024. So a CASP reading this is almost certainly already meeting customer due diligence, suspicious-transaction reporting to the Financial Intelligence Unit (FIU), and Travel Rule duties today.
What changes on 10 July 2027 is that CASPs become obliged entities under the AMLR specifically, the new single rulebook that replaces the patchwork of national rules. Article 75 is part of that rulebook. Because its partnerships are open to obliged entities, a CASP can take part once the AMLR applies to it. Partnerships may also include FIUs and competent authorities where relevant, though bringing a public authority into a partnership does not give it information-sharing powers it would not otherwise have.
What can be shared, and what cannot?
Less than many firms assume. Sharing is permitted only where it is strictly necessary for the customer due diligence and suspicious-transaction obligations above, and it is aimed at higher-risk situations, not routine sharing about ordinary customers.
In practice, members may share information about customers who are linked to a higher risk of money laundering or terrorist financing, who fall within specific higher-risk situations defined in the AMLR, or where the firm needs more information to decide whether a higher risk is present. Information about lower-risk customers is not freely shareable.
Two limits matter in particular. First, there is a wall around the data: information obtained through a partnership may not, in principle, be passed on outside that partnership. Second, the partnership must protect what it holds with technical and organisational measures, including pseudonymisation, so that customer data is not exposed more widely than the purpose requires.
What must a CASP do to take part?
Joining is voluntary, is not automatic, and cannot be done quietly between firms. Before any sharing begins, a CASP that wants to participate must notify its supervisory authority. The supervisor, in consultation with the data protection authority and, where relevant, the FIU, verifies that the partnership has proper compliance mechanisms in place and that a data protection impact assessment has been carried out. Only after that verification can the partnership begin operating.
There is internal groundwork too. Under Article 9 of the AMLR, a participant must set out, within its own internal policies and procedures and before it joins, how it will share information, what limits apply, and who is responsible for what. And responsibility for compliance stays with each participant. The partnership does not absorb the legal risk that sits with the individual firm.
How does Article 75 fit with existing rules?
A CASP already shares information in several ways, and Article 75 adds a layer the existing ones do not cover.
The Travel Rule, under the Transfer of Funds Regulation, attaches sender and recipient details to each crypto transfer. It is transaction-bound and automatic. Reporting suspicions to the FIU runs in one direction, from the CASP to a public authority, when something looks suspicious.
What neither of those does is let institutions build a shared picture of risk between themselves. The Travel Rule moves data with a transaction; FIU reporting moves it to the state. Article 75 is the first EU-wide framework that lets obliged entities exchange risk information with each other, inside an approved partnership, to see patterns that no single firm can see alone. It fills the gap the other two leave open.
What is not yet settled?
A good deal. Article 75 sets the frame, but much of the operational detail is still being written, and a CASP planning around it should treat the current picture as provisional.
Article 75 does not contain its own mandate for dedicated technical standards on partnerships. Instead, the practical "how" is expected to come largely through AMLA's guidance and through the workshops it is running with the private sector during 2026, rather than through partnership-specific rules. The broader AML technical standards AMLA does have in consultation, on customer due diligence and group-wide requirements, are not partnership-specific. So a CASP should expect the detail to firm up gradually through guidance, not to find it fully spelled out today.
The boundaries of sharing within a corporate group are openly debated. It is not yet clear whether information obtained through a partnership may be shared further within a participant's own group, and the European Banking Authority's advice has so far left this unresolved. For a CASP that sits inside a larger group structure, this is a live and material question.
And the framework is untested. Article 75 does not apply until 10 July 2027, no partnership has yet been approved, and how supervisors will interpret and authorise them in practice is unknown. Much will depend on how willing supervisory authorities prove to be in supporting partnerships at all.
When does it apply, and what should CASPs do now?
Article 75 applies from 10 July 2027, the date the AMLR takes effect. But the preparation is a 2026 task. The governance, contracts, and data-protection groundwork a partnership needs cannot be assembled overnight, and through 2026 AMLA is running workshops with the private sector to help these partnerships form.
For a CASP, the sensible steps now are to decide whether partnership participation fits its risk picture, to map what customer information it holds and where, to prepare the internal policies Article 9 will require, and to be ready for the data-protection and supervisory checks that come before any sharing can start.
The legal framework sets out what is allowed. The harder part is operational: sharing the right information, with the right safeguards, and keeping a clear record of what was shared, with whom, and why.
---
Need a better way to share data with law enforcement? Reqport replaces manual, unverified workflows for handling law enforcement data requests. It is a purpose-built portal where every request is verified, structured and resolved with less manual work: read more.
---
This article is for informational purposes and does not constitute legal advice. The rules and their technical standards are still developing. For how they apply to your specific situation, consult qualified legal counsel.

Reqport
Reqport is a platform for handling law enforcement and other authority data requests.
LinkedInRelated articles

Can the police request data from companies?
The police can ask a company for data, but a request isn't an order. When you have to comply, when you may share voluntarily, and how to stay within the GDPR.

Asset freezing and confiscation: how governments secure assets held by companies
What are asset freezing and confiscation, and what can government authorities do? Under new EU rules, property can be confiscated even without a conviction. A guide for companies.

What is the e-Evidence Regulation?
The EU e-Evidence Regulation lets authorities in one EU country demand user data directly from providers in another. What it requires, who is in scope, and the 18 August 2026 deadline