Statement on the joint controllership arrangement between the FSMA and the EBA with regard to the 'EuReCa' Central Database for the reporting of AML/CFT weakness

What is EuReCA?

EuReCA is the central database of the European Banking Authority (EBA) designed to strengthen the fight against money laundering and -terrorist financing (AML/CFT). EuReCA was established pursuant to Article 9a (1) and (3) of Regulation (EU) No 1093/2010 of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority). EuReCA contains information on “material weaknesses”, i.e. serious deficiencies by financial institution to comply with AML/CFT requirements that expose them to money laundering and terrorist financing (ML/TF) risks. It also contains information on the measures supervisors imposed to remedy those deficiencies.

The EBA cooperates with national authorities within the EU, among which the Financial Services and Markets Authority (FSMA), for the purpose of managing EuReCA.

What are the respective data protection responsibilities of the EBA and of the FSMA in relation to EuReCA?

As far as data protection is concerned, the respective obligations of the EBA and of the FSMA are as follows: 

  • the EBA is responsible for the compliance with its data protection obligations when it processes personal data to analyze the information provided by Reporting Authorities (including the FSMA) via EuReCA and to operate, store and maintain this database and its supporting infrastructure. For further information on EuReCA, please consult the applicable privacy policy of the EBA (available on its website).
  • as a Reporting Authority (as defined in Commission Delegated Regulation (EU) 2024/595 of 9 November 2023), the FSMA has the legal obligation and responsibility to provide the EBA, via EuReCA, with certain information regarding  AML/CFT material weaknesses and related measures taken (including registering data in the database, responding to EBA’s requests, updating data, etc.). Moreover, the FSMA may receive certain information contained in EuReCA and supplied by other Reporting Authorities, as provided to the FSMA at its own request or shared by the EBA on its own initiative. 

In this context, and as part of its public-interest tasks, the FSMA may, as data controller, where applicable, have to process a limited amount of personal data (“the data”) about individuals under its supervision (persons carrying out their activity as natural persons, members of the management body or key function holders in a financial sector operator), as well as about customers and beneficial owners. In particular, the processed data contains identification data (surname, first name, date of birth, nationality, ECB number, country of residence), professional data, financial data and judicial data in relation to material weaknesses and AML/CFT measures. For more information on how the FSMA processes data in the exercise of its public-interest tasks, please consult the FSMA's privacy policy  (including the sections “What are your rights and how can you exercise them?” and “How can you contact us?”). 

What does the Joint Controllership Arrangement between the EBA and the FSMA stipulate?

The EBA and the FSMA have further formalized their respective obligations with regard to the use of the EuReCA central database by entering into a Joint Controllership Arrangement (JCA) setting out their respective data protection responsibilities when transferring data between them, to or from the EuReCA database. The main terms (“essence”) of the arrangement are the following: 

  • Mutual assistance. The EBA and the FSMA must provide each other with reasonable assistance in complying with their respective obligations pursuant to the applicable data protection legislation, notably with regard to requests from data subjects exercising their rights under the GDPR and to personal data breaches. 
  • Data subject requests. In particular, any data subject request relating to data contained in the EuReCA database and filed with the FSMA shall be systematically forwarded by the FSMA to the EBA. In such a case, the EBA shall (where necessary) process that request with the assistance of the FSMA (insofar as the FSMA has reported to the EBA the personal data to which the request refers), and with any other authority that has received some or all of that personal data from the EuReCA database. In any event, the party which initially received the data subject request shall be responsible for replying to the data subject (on the basis of the analysis and the information communicated by the EBA). 
  • Data quality. Furthermore, the EBA shall ask all Reporting Authorities, among which the FSMA, to review on an annual basis all personal data they have registered in EuReCA, in order to ensure that these data remain relevant, accurate and up-to-date, and to consider whether they should be deleted.
  • Data breaches. Finally, the FSMA and the EBA must also cooperate in the event of a data breach affecting the EuReCA database: the FSMA must notify the EBA and (where required) the relevant data protection authorities and data subjects of any personal data breach it has become aware of.

Finally, the EuReCA database is stored and managed by the EBA within the European Economic Area.


For any question regarding the JCA, please consult the EBA website or send an email to the DPO of the FSMA at the following address:

 This statement was last updated on 26 April 2024.