Art. 47 FIU.net | Anti-money laundering authority regulation (AMLAR) | AML

This article establishes the Authority as the body responsible for hosting, managing, and developing FIU.net — the secure information-sharing network used by Financial Intelligence Units.

It covers the full operational responsibility of the Authority over the platform, from ensuring its continuous and secure functioning, to upgrading its capabilities based on FIU needs, to putting in place security, business continuity, and disaster recovery plans.

The article also grants the Authority the power to contract third-party service providers and assigns the General Board in FIU composition the power to suspend access to FIU.net where security or independence concerns arise.

Important points:

The Authority is responsible for all aspects of FIU.net operations, including hosting, maintenance, development, security of personal data, testing, training, and ensuring adequate financial resources for the platform.
The Authority may enter into legally binding contracts with third-party service providers, but only after conducting audits of their security standards.
The General Board in FIU composition may suspend access to FIU.net for an FIU, a third-country counterpart, or a Union body — but only by unanimous vote, excluding the head of the FIU whose access is in question.

1. The Authority shall ensure adequate, uninterrupted and secure hosting of FIU.net, and ensure the management, maintenance and development of FIU.net. Taking into account the needs of FIUs, the Authority shall ensure that the most advanced and secure technology available is used for FIU.net, subject to a cost-benefit analysis.
1. The Authority shall ensure uninterrupted functioning of FIU.net and keep it up-to-date. Where necessary to support or strengthen the exchange of information and cooperation between FIUs and based on the needs of FIUs, the Authority shall design and implement, or otherwise make available, upgraded or additional functionalities of FIU.net.
1. The Authority shall also be responsible for the following tasks relating to FIU.net:
  1. implement appropriate technical and organisational measures to ensure a level of security that protects personal data;
  2. plan, coordinate, manage and support any testing activities;
  3. ensure adequate financial resources;
  4. provide training on the technical use of FIU.net by end-users.
1. For the purposes of carrying out the tasks referred to in paragraphs 1, 2 and 3, the Authority shall be empowered to conclude or enter into legally binding contracts or agreements with third-party service providers, after appropriate audits of their security standards.
1. The Authority shall adopt and implement the measures necessary for the fulfilment of the tasks referred to in this Article, including a security plan, a business continuity plan and a disaster recovery plan for FIU.net.
1. The General Board in FIU composition, acting unanimously, may decide to suspend the access of an FIU, its counterpart in a third country, or a Union body, office or agency, to FIU.net where it has grounds to believe that such access would jeopardise the implementation of Chapter III of Directive (EU) 2024/1640 and the security and confidentiality of the information held by FIUs and exchanged through the FIU.net system, including where there are concerns in relation to an FIU’s lack of independence and autonomy.
2. Where the General Board in FIU composition adopts a decision suspending the access of an FIU to FIU.net, the General Board shall act unanimously by vote of all members of the General Board in FIU composition, except the head of the FIU in question.
3. The General Board in FIU composition shall define the criteria for the suspension of access to FIU.net and adopt rules of procedure for such suspension.