Sharing Client data and KYC: what is allowed and what is not
KYC Sharing Is Not AML Responsibility Sharing: A Legal Distinction That Matters for Every Real Estate Transaction
In multi-party real estate transactions — where agents, developers, lawyers, and notaries each carry independent Anti-Money Laundering obligations — a question of growing practical urgency concerns the permissibility of sharing KYC information across obliged entities. The legal position under Regulation (EU) 2024/1624 (AMLR) is frequently misunderstood in practice, and the consequences of that misunderstanding cut in both directions: some professionals refuse to share data that the regulation permits — and even encourages — to be shared; others assume that receiving KYC data from a third party discharges their own compliance obligations, which it does not.
The correct legal position is both clear and consequential. This article sets it out.
The Legal Framework: What the AMLR Actually Says
The AMLR establishes three foundational principles relevant to KYC sharing in real estate:
1. Each obliged entity bears independent CDD responsibility. Regardless of what any other party to a transaction has done, each obliged entity — the agent, developer, notary, and lawyer — remains independently liable for its own Customer Due Diligence. Responsibility is not transferable.
2. Reliance on another obliged entity is permitted, under conditions. The AMLR's third-party reliance provisions allow one obliged entity to rely on CDD performed by another, but the relying entity remains fully accountable to its own supervisor for compliance. Reliance is a procedural facilitation, not an exemption.
3. Information sharing is permitted within defined legal frameworks. Recital 147 of the AMLR states explicitly: "Obliged entities and competent authorities should be able to exchange information in the framework of an information sharing partnership." The same recital makes equally clear that obliged entities "should not rely solely on information received through the exchange of information to draw conclusions on the money laundering and terrorist financing risk of the customer."
These three principles define the legal boundary precisely: documents and verified factual data may be shared; risk assessments, EDD determinations, reporting decisions, and ongoing monitoring obligations may not.
Where the Misunderstanding Arises in Practice
In a typical real estate transaction involving an agent, a developer, a lawyer, and a notary, each party may lawfully exchange customer identification data, UBO information, corporate ownership documentation, source of funds evidence, and screening results — subject to applicable GDPR, confidentiality, and AML safeguards.
What none of these parties may do is treat receipt of that information as a substitute for their own independent obligations. A notary who accepts a real estate agent's KYC file without conducting its own risk assessment has not complied with the AMLR — it has relied, without independent verification, on another party's judgment. A developer who defers to a lawyer's earlier client checks without applying its own risk classification has failed its own supervisory obligation.
As DLA Piper's analysis of the AMLR's information sharing provisions confirms: "As members of partnerships for information sharing, obliged entities may share information for the purpose of customer due diligence and reporting of suspicions to FIUs." The new AML package moves toward greater cooperation between obliged entities — not toward a single point of compliance responsibility.
The law does not prohibit sharing. It prohibits the transfer of responsibility.
The Structural Distinction: A Two-Layer Architecture
The legal position described above maps naturally onto a two-layer architecture for any compliant KYC-sharing model:
Permitted Core Layer — shareable across obliged entities:
- Identity and address verification
- Ultimate Beneficial Owner (UBO) identification and verification
- Corporate ownership structures
- Source of funds documentation
- Property transaction history
- Sanctions, PEP, and adverse media screening results
Entity-Specific Layer — non-shareable, independently determined by each obliged entity:
- Risk rating and risk classification
- Enhanced Due Diligence requirements and outcomes
- Suspicion assessment and SAR/STR filing decisions
- Ongoing monitoring parameters and results
- Reporting to the national Financial Intelligence Unit
This is the architecture the AMLR is moving towards: collect customer data once, assess risk many times — independently, by each obliged entity, against each entity's own regulatory obligations.
The Technology Requirement: Why Standard KYC Platforms Cannot Deliver This
The legal distinction above creates a precise technology requirement that most KYC platforms on the market are structurally incapable of meeting. Standard identity verification and KYC solutions are built to collect and share data. They are not built to enforce the legal separation between shared factual customer data and the independent, non-shareable risk assessment obligations that each obliged entity must fulfil for itself.
A generic KYC platform that collects documents and shares them across parties handles the first layer only. It provides no structured mechanism for each party to independently conduct and record its own risk classification, EDD determination, or suspicion assessment within the same environment. The data and the compliance obligation are decoupled — and the regulatory record required to demonstrate independent compliance by each obliged entity does not exist.
This is not a minor operational gap. Under the AMLR, the inability to demonstrate independent risk assessment by each obliged entity is a compliance failure for every party that received shared data without producing its own documented assessment.
Immosurance: The Only Platform That Delivers Both Layers in a Single GDPR-Compliant Environment
Immosurance is the only AML compliance platform in Europe purpose-built for the real estate sector that delivers both layers of the compliant KYC-sharing architecture within a single, integrated, GDPR-compliant environment.
The Core Layer — identity verification, UBO mapping, corporate ownership documentation, source of funds evidence, and continuous sanctions, PEP, and adverse media screening — can be collected once and made available to multiple obliged entities within the permissible legal and data protection framework. This eliminates the duplication that has characterised multi-party real estate compliance and reduces the burden on clients who have historically been asked to repeat the same verification process with each party to their transaction.
The Entity-Specific Layer is enforced as structurally separate within the platform. Each obliged entity using Immosurance maintains its own independent compliance dossier, its own documented risk assessment, its own EDD workflow, and its own reporting record — none of which is accessible to or shared with other parties. The role-based access architecture ensures that what each obliged entity is required by law to determine independently is, by design, determined independently.
No generic KYC provider, identity verification service, or document-sharing platform in the market offers this combination. The separation of shareable customer data from the non-shareable risk assessment obligation — both enforced within the same platform, both GDPR-compliant, both audit-ready — is unique to Immosurance.
This is not a future capability. Immosurance is operational today, available to real estate agents, developers, lawyers, and notaries across Europe, in 14 languages, with the KYC-sharing architecture legally aligned to the direction the AMLR has confirmed.
The legal distinction is clear. The technology requirement it creates is exacting. Immosurance is the answer.