
Missing feedback loop in the AML regime

  • Nina Siedler
  • May 7

One theme keeps coming up: a structural gap in the feedback loop between FIUs, law enforcement and obliged entities, which might quietly undermine AML effectiveness.



Many of you know that I am currently preparing a Darte Session focused on how to make the Financial Action Task Force (FATF) AML regime more effective while also enhancing privacy protection for society at large. 


Talking to the private sector - financial institutions and CASPs - two pain points are raised again and again:


🟠 No meaningful feedback from FIUs on quality, usefulness, and outcomes of suspicious transaction reports (STRs/SARs).


🟠 Chilled cooperation and information sharing within the private sector, largely due to real or perceived GDPR constraints.



In the last two weeks, I had the chance to ask directly why there is almost no feedback from authorities to reporting entities:


👉 First, during an OSCE-organized study visit of a Moldova delegation, which I had the pleasure to support as Virtual Asset Expert, with the ECB, BaFin and the German FIU.


👉 Second, at the 10th anniversary event of the ACAMS Germany Chapter at the Italian Embassy in Berlin.


Berlin Senior Public Prosecutor Marion Schwenk gave a very candid answer: Authorities may hesitate to share feedback because anything sent back to the private sector might leak. This concern is understandable while an investigation is ongoing. But it does not explain the lack of structured feedback once cases are closed, archived, or have resulted in criminal proceedings that are public by nature.


The message this sends is problematic: it reinforces the impression that public authorities do not see the private sector as being on the same side in the fight against financial crime, but rather as part of the problem. Without feedback, firms cannot calibrate their detection models, reduce low‑value “defensive” STRs and even straight false positives, or learn what actually helped an investigation in practice.


Treating at least those institutions that consistently “play by the rules” as partners - and not merely as risk factors - could significantly increase the effectiveness of the shared fight against financial crime.


Interestingly, AMLA Chair Bruna Szego stressed that the new AML Regulation will require FIUs to provide feedback to reporting entities. Potentially transformative! 


A few additional thoughts and references:

1️⃣ The feedback loop is already in the FATF rulebook. FATF Recommendation 34 (https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf) expects competent authorities to provide guidance and feedback to obliged entities, including on STR quality and typologies. In other words, the idea that FIUs should “talk back” to reporting entities is not radical – it is part of the standard that many systems simply under‑deliver on.


2️⃣ No feedback = more noise and more risk. Research on STR systems suggests that when institutions do not know what actually leads to action, they tend to file defensively: more reports, lower average quality, and a higher noise‑to‑signal ratio. That is bad for FIUs, bad for law enforcement, and bad for civil liberties because it encourages broad data collection without clear added value.


3️⃣ GDPR is often used as a conversation‑stopper – but there are workable models. Across Europe and beyond, we see carefully structured public‑private partnerships and specific legal gateways that enable responsible data sharing for economic crime prevention, while remaining within data protection law. The UK’s recent reforms around economic crime information sharing are one example that explicitly seeks to align AML and privacy interests rather than pitch them against each other (see 


4️⃣ Where structured PPPs exist, feedback is not theoretical. Case studies of AML public‑private partnerships show that when FIUs and law enforcement share typologies, case studies and sometimes even selected operational intelligence, participating institutions report sharper detection and fewer false positives. This is exactly the kind of practice the new EU framework could scale if designed and implemented well.


5️⃣ Feedback can actually be privacy‑enhancing. Some recent policy work argues that better feedback allows obliged entities to retire unproductive rules, reduce unnecessary data processing and focus on truly risky behaviour – which is a win for both effectiveness and data protection. Aligning AML/CFT and GDPR priorities is not just possible, it is necessary for a coherent and proportionate regime.

Looking forward to learning from the experiences of practitioners in different jurisdictions – especially where FIUs or PPPs do provide useful feedback and what made it work in practice.




 
 