Law enforcement requests: a guide for financial firms

Authorities across the EU regularly ask regulated financial firms to hand over customer data: police and prosecutors, tax and customs authorities, financial supervisors, and sometimes authorities abroad. A firm has to comply with the lawful ones. But the data it holds is personal data, and disclosing it is regulated by the GDPR. So the firm has two duties at once: respond to the request, and protect the data while doing so.
What obliges a financial firm to respond?
The duty does not come from one law, and it does not come from one authority. A regulated financial firm can be required to provide customer information to several different authorities, each acting under its own legal basis.
The most familiar route is criminal procedure: police, prosecutors, and courts have powers under national law to require a firm to produce customer information for an investigation or proceeding.
But they are not the only ones. The Financial Intelligence Units can request information under anti-money-laundering law, typically within tight deadlines. From 10 July 2027, the EU's Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) will further harmonise and tighten how those requests work across member states. Tax authorities, financial supervisors, customs, and security or intelligence services may have powers of their own. Exactly which authority can compel what, and on what basis, is largely a question of national law, so it differs from one member state to the next.
What they share is that a valid request creates an obligation to comply. Banking secrecy and customer confidentiality do not override it; they give way to a lawful request.
One recent instrument is worth flagging, because firms sometimes assume it applies to them. The e-Evidence Regulation creates direct, cross-border data-production duties, but it targets online and communication service providers, not financial firms. Requests to financial firms still travel the routes above: criminal procedure and AML law at national level, and judicial cooperation across borders.
Does the firm have to comply with every request?
No. The obligation attaches to lawful requests, not to any message that arrives claiming authority. A request must have a valid legal basis behind it, and the firm is expected to check that it does before disclosing anything.
This is not a neutral choice: disclosing customer data without a proper basis is itself a breach of the GDPR. An informal approach, a request that exceeds the authority's powers, or one the firm cannot authenticate creates no obligation to hand data over, and acting on it can create liability.
What does the GDPR require when disclosing customer data?
Disclosing personal data to an authority is processing under the GDPR, so the firm, as controller, has to meet the GDPR's requirements even while complying with a lawful order. Four points carry most of the weight.
A lawful basis is needed for the disclosure. Where a binding legal obligation requires the firm to disclose, the basis is Article 6(1)(c) of the GDPR, processing necessary for compliance with a legal obligation. That obligation has to be grounded in EU or national law under Article 6(3); the request alone is not the basis, the law behind it is.
Only what is covered may be disclosed. The data-minimisation principle in Article 5(1)(c) means the firm discloses what the request actually requires, and no more. Handing over a broader set of data than the request covers is a breach, even when the request itself is valid.
The disclosure has to be documented. Under the accountability principle in Article 5(2), the firm must be able to demonstrate that it acted lawfully: what was disclosed, to whom, on what legal basis, and when.
The request has to be authenticated. The GDPR's security obligations (Article 5(1)(f) and Article 32) require protection against unauthorised disclosure. Releasing customer data to someone impersonating an authority is a data breach. So confirming the request is genuine before acting is part of the firm's GDPR duties, not an optional extra.
Can the firm tell the customer?
Often it cannot, and this is a place where two GDPR duties pull against each other. Under Articles 13 and 14, a controller normally has to be transparent with data subjects about how their data is used. But Article 23 allows EU or national law to restrict that transparency, where necessary and proportionate. One of the permitted grounds is protecting the prevention, investigation, and prosecution of criminal offences. The data subject's right to be told that a restriction applies at all can itself be limited, where informing them would defeat the restriction's purpose.
In practice this means the order or request may itself carry confidentiality conditions, or national rules on investigation secrecy may bar the firm from telling the customer while a case is live. So the firm has to work out, for each request, whether it is permitted to inform the customer or required to stay silent. Getting this wrong in either direction, informing when it must not or staying silent when it should inform, is a compliance failure.
How do cross-border requests reach a firm?
A request that starts in another country does not usually arrive from the foreign authority directly. It comes through the firm's own national authority, so by the time the firm sees it, a cross-border request looks like a domestic one.
Within the EU, the route is the European Investigation Order (EIO), under Directive 2014/41/EU. A judicial authority in one member state issues an EIO to have evidence gathered in another, and the measures it can cover include information on bank accounts and financial operations. It works on mutual recognition: the executing authority in the country where the data sits is in principle obliged to recognise and carry it out, under its own national law and within set deadlines. The EIO replaced the older mutual legal assistance instruments between participating states. Denmark and Ireland are outside it.
With countries outside the EU, and with Denmark and Ireland, cooperation runs instead through mutual legal assistance (MLA), based on treaties and conventions. The mechanics differ, but the principle holds: the request travels authority to authority, and the firm is instructed by its own national authority.
In practice, the formal channel is not the only one. For some providers, especially online platforms and crypto exchanges, authorities often make direct requests that the provider answers voluntarily, usually for basic subscriber data rather than the full picture. This has long sat in a legal grey area, common in practice but resting on no clear legal basis. It is more established among service-type firms than among traditional banks, which tend to require the formal route. And it is more defensible within the EU than for a direct request from outside it, where the transfer rules in the next section apply.
What if an authority outside the EU contacts the firm directly?
This is where firms most often go wrong. A request that comes straight from a non-EU authority, bypassing the channels above, does not have automatic legal force in the EU. Under Article 48 of the GDPR, a judgment or decision from a third-country authority requiring a firm to disclose personal data can only be recognised or enforced if it is based on an international agreement, such as a mutual legal assistance treaty, in force between that country and the EU or a member state.
A request from a foreign authority is not, by itself, a basis to disclose. And because sending the data abroad is a transfer of personal data outside the EU, the firm needs both a lawful basis under Article 6 and a valid ground for transfer under Chapter V. The European Data Protection Board's guidance is blunt: absent an applicable international agreement, an EU firm should generally decline a direct request from a third-country authority and point it to the mutual legal assistance channel. Handing data straight to a foreign authority because it asked can itself be an unlawful transfer.
What does good handling look like in practice?
The legal picture is demanding, but the day-to-day failures are usually operational. Handling an authority request well comes down to a few things, most of which the GDPR already requires.
Confirm the request is genuine and has a lawful basis before acting on it. Disclose only what the request covers, not the wider account. Decide, for that specific request, whether the customer may be told or must not be. And keep a clear record of what was disclosed, to whom, on what basis, and when, so that if a supervisor or court asks later, the answer is a clean record rather than a reconstruction from inboxes and memory.
Done over email and shared spreadsheets, this is slow and hard to prove. The obligations do not change with volume, but the difficulty of meeting them consistently does.
---
Reqport replaces manual, unverified workflows for handling authority requests with a purpose-built portal. Each request is verified, structured into a trackable case, and recorded with a full audit trail, so a firm can show exactly what it disclosed, to whom, and on what basis. See how Reqport works.
---
This article is for informational purposes only and does not constitute legal advice. Many of the obligations described are implemented through national law, which varies by member state. For how they apply to your specific situation, consult qualified legal counsel.

Reqport
Reqport is a platform for handling law enforcement and other authority data requests.
LinkedIn