Updated 14/12/2025
In force

Version from: 10/11/2025
Amendments (1)
There is currently no Level 2 legal act based on or specifying Article 35a.

Article 35a - Regulation 1093/2010 (EBA Regulation)

Article 35a

Exchange of information between authorities and with other entities

1. The Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall share, on a regular or case-by-case basis, information that they obtained from financial institutions or the other authorities when carrying out their duties and that stems from the application and implementation of Union law, with the other authorities upon request, provided that the requesting authority is entitled to obtain that information from financial institutions or the other authorities pursuant to Union law.

2. The Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall request information from any of the other authorities that have obtained that information, instead of requesting it directly from financial institutions, provided that the Authority or the European Central Bank, as applicable, is entitled to obtain that information pursuant to Union law.

The first subparagraph of this paragraph shall be without prejudice to the powers of the Authority or the European Central Bank as referred to in Article 4, point (2)(i), to obtain the requested information from financial institutions where the other authority is unable to share the information, where urgent action is needed or where obtaining the information directly from financial institutions is necessary for the performance of the Authority’s or the European Central Bank’s tasks pursuant to Union law.

3. A request to exchange information pursuant to paragraph 1 of this Article shall indicate the legal basis under Union law that entitles the requesting authority to obtain the information from financial institutions or the other authorities.

The requesting authority, the Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall be subject to the obligations of professional secrecy and data protection laid down in Articles 70 and 71 of this Regulation, in Article 27 of Regulation (EU) No 1024/2013 and in sectoral legislation which apply to the sharing of information between the financial institution and the requesting authority, and between the financial institution and the Authority and the European Central Bank as referred to in Article 4, point (2)(i).

4. Where either the Authority or the European Central Bank as referred to in Article 4, point (2)(i), exchanges information pursuant to paragraph 1 of this Article, it shall, without undue delay, inform each authority from which it obtained the information or each financial institution, if the information was obtained from financial institutions directly, about the exchange. In the case of recurring or periodic exchanges of information, the Authority or the European Central Bank as referred to in Article 4, point (2)(i), shall be obliged to inform the financial institution or the authority from which it obtained the information only once.

5. By way of derogation from paragraph 4 of this Article, the Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall not be obliged to inform the authority or the financial institution, as applicable, about the exchange of information where either of the following conditions is met:

(a) the information has been anonymised in such a manner that it no longer relates to any identified or identifiable natural person and that the financial institution or other legal entities are no longer identifiable; or

(b) the information has been modified, aggregated or treated by any other method of disclosure control to protect confidential information, including trade secrets, and to protect personal data through appropriate technical and organisational measures in accordance with Regulations (EU) 2016/679 ( 26 ) and (EU) 2018/1725 ( 27 ) of the European Parliament and of the Council.

6. By way of derogation from paragraph 4 of this Article, the Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall not inform the financial institution about the exchange of information if they determine, or are informed by the requesting authority, that doing so could compromise supervisory or resolution proceedings, actions or investigations.

7. Paragraphs 1 to 6 of this Article shall also apply to information that the Authority and the European Central Bank as referred to in Article 4, point (2)(i), have received from a financial institution or the other authorities and upon which they have subsequently performed quality checks or which they have otherwise processed.

8. To facilitate exchanges of information as referred to in paragraphs 1 to 7 of this Article, the Authority and the European Central Bank as referred to in Article 4, point (2)(i), and the other authorities may enter into memoranda of understanding regarding the arrangements for such exchanges. The memoranda of understanding may also specify arrangements for the sharing of resources for the collection and processing of shared information. The Commission may, after consulting the Authority and the European Central Bank as referred to in Article 4, point (2)(i), and the other authorities, develop guidance on the main elements of such memoranda of understanding.

9. Paragraphs 1 to 8 of this Article shall be without prejudice to the protection of intellectual property rights and shall not prevent or restrict the exchange of information between the Authority or the European Central Bank as referred to in Article 4, point (2)(i), and the other authorities in accordance with other provisions of this Regulation or with other Union legislation.

In the event of a conflict between this Article and other provisions of this Regulation or other Union legislation that govern the exchange of information between the Authority or the European Central Bank as referred to in Article 4, point (2)(i), and the other authorities, such other provisions shall prevail.

10. The Authority, the European Central Bank as referred to in Article 4, point (2)(i), and the competent authorities may, at their own discretion, grant access to information obtained when carrying out their duties for re-use by financial institutions, researchers and other entities that have a legitimate interest in that information for research and innovation purposes, provided that the Authority, the European Central Bank as referred to in Article 4, paragraph 2, point (i), or the competent authority granting the access, has ensured that all of the following conditions have been complied with:

(a) the necessary measures have been taken to anonymise the information in a manner that prevents individual financial institutions, entities, data subjects and, where it is the Authority or the European Central Bank which grants access to the information, Member States from being identified;

(b) the information has been modified, aggregated or treated by any other method of disclosure control to protect confidential information, including trade secrets or content covered by intellectual property rights.

Information received from any authority shall be shared pursuant to the first subparagraph only with the consent of the authority that initially obtained that information.

11. By 11 November 2027, the Authority and the European Central Bank as referred to in Article 4, point (2)(i), shall, in close cooperation with competent authorities, report to the Commission on all legal obstacles in sectoral legislation that prevent them, in any way, from exchanging information with the other authorities or with other entities. The report may also address non-material, obsolete, duplicative or otherwise irrelevant reporting requirements. It may also include suggestions for improving consistency between reporting requirements for financial and non-financial entities. The report shall be updated on a regular basis, where necessary.

Taking into account the report referred to in the first subparagraph, the protection of intellectual property rights and the obligations of professional secrecy and data protection, the Commission shall, where appropriate, submit to the European Parliament and to the Council a legislative proposal to remove such legal obstacles in sectoral legislation, to foster the exchange of information between authorities and with other entities.

12. For the purposes of this Article, Article 35(4) and Article 70(3), “other authorities” means any of the following authorities:

(a) the ESRB;

(b) the European Supervisory Authority (European Insurance and Occupational Pensions Authority);

(c) the European Supervisory Authority (European Securities and Markets Authority);

(d) competent authorities, as defined in Article 4, point (2) of this Regulation;

(g) the authorities composing the Single supervisory mechanism, as defined in Article 2, point (9), of Regulation (EU) No 1024/2013;

(h) the Single Resolution Board (SRB), as established by Regulation (EU) No 806/2014;

(i) resolution authorities, such as those referred to in Article 3(3) of Directive 2014/59/EU;

(j) the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), as established by Regulation (EU) 2024/1620 of the European Parliament and of the Council ( 28 );

(k) financial supervisors, as defined in Article 2, second subparagraph, point (1), of Directive (EU) 2024/1640 of the European Parliament and Council ( 29 ).

For the purposes of this Article, “financial institution” means financial institution as defined in Article 2, point (a), of Regulation (EU) No 1092/2010.

By way of derogation from the first subparagraph of this paragraph, where paragraphs 1 and 2 of this Article apply to the European Central Bank, as referred to in Article 4, point (2)(i), of this Regulation, “other authorities” means any of the authorities listed in the first subparagraph of this paragraph, except for national competent authorities that form part of the Single supervisory mechanism.


( 26 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

( 27 ) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

( 28 ) Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620, 19.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1620/oj).

( 29 ) Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 (OJ L, 2024/1640, 19.6.2024, ELI: http://data.europa.eu/eli/dir/2024/1640/oj).