Guidance

Guidance on the information sharing measures in the Economic Crime and Corporate Transparency Act 2023

Published 4 October 2024

Introduction

1. The purpose of this guidance is to support anti-money laundering (AML) regulated firms, within Schedule 9 of the Proceeds of Crime Act 2002 (POCA), to utilise the new information sharing provisions introduced by the Economic Crime and Corporate Transparency (ECCT) Act 2023. These measures came into force on 15 January 2024, meaning firms can now share under these new provisions.

2. These measures have been put in place to provide greater clarity and comfort to regulated firms to share relevant customer information, either directly or indirectly through a third-party intermediary. These new measures are voluntary.

3. This guidance will provide regulated firms with information on: the policy intent for the measures; how regulated firms can ensure that they are protected by the provisions when undertaking direct and indirect sharing; handling conditions for sharing and receiving information; undertaking law enforcement reporting; UK General Data Protection Regulation (GDPR) compliance; and maintaining effective customer complaint processes.

4. Regulated firms, statutory and non-statutory PBSs, and trade bodies are advised to consider how they can apply the overarching principles in this guidance to develop a consistent approach to sharing within their wider sector.

Policy intent

5. Private sector bodies do not need statutory authority to share information, though, when sharing personal data, they do need a lawful basis for this under UK GDPR.

6. However, the government recognised that prior to the ECCT Act, AML regulated firms wanting to share customer information on economic crime were concerned that in doing so they might be liable for possible breaches of confidentiality.

7. To ensure that information is shared in as many cases as possible, the government has introduced these new information sharing measures to disapply civil liability for regulated firms, who are already identified as having specialist economic crime responsibilities, when they share customer information with one another.

8. Through regulated firms using the measures to share information, they will gain a network view of the economic crime risk linked to their services and platforms. Firms will therefore have a greater ability to take upstream preventative action and disrupt illicit activity.

9. If a wide range of firms across sectors utilise these measures, regulated firms will have richer information sources when undertaking their reporting obligations. This will increase the accuracy of suspicious activity and fraud reporting.

Overview of the provisions

Direct and indirect sharing

10. These provisions will allow for the disapplication of civil liability for direct sharing of customer information, for the purposes of investigating, detecting, and preventing economic crime, between all businesses in the anti-money laundering regulated sector.

11. The provisions also allow for indirect sharing of customer information through a third-party intermediary between businesses in the financial sector (deposit taking bodies, electronic money institutions and payment institutions), crypto asset exchanges and custodian wallet providers, large law firms, large accountancy firms, large insolvency practitioners, large auditors, and large tax advisers.

12. Large firms are defined, in line with the UK Economic Crime Levy legislation, as those having revenues of between £36 million and £1 billion.

13. ‘Economic crime’ in this context includes money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse and fraud. It also includes inchoate offences such as attempt or conspiracy.

14. In practical terms, the direct sharing provisions enable regulated firms to share customer information with each other with civil liability disapplied on a peer-to-peer basis. Regulated firms may choose to undertake this through direct communication methods, or through a technological platform or mechanism designed by a third party.

15. Regulated firms who are also in scope of the indirect sharing provisions can share both on a peer-to-peer basis and through a third-party intermediary. Third-party intermediaries may include existing or new sector specific and cross sector economic crime consortia. These intermediary organisations may be able to provide analysis on the customer information being shared, to provide regulated firms with enriched data sources.

16. The types of regulated firms that can share indirectly through a third-party intermediary are a smaller sub-set of the wider regulated sector. This will avoid an additional burden on other regulated businesses that would be unable to take on this potential cost and additional data protection responsibilities.

17. The government encourages the use of both direct and indirect sharing under the new provisions to prevent, investigate and detect economic crime.

Request and warning conditions

18. Regulated firms must ensure that they abide by the request or warning conditions when using these new measures to share customer information. The request and warning conditions apply independently for firms wanting to share directly.

19. Under the warning condition, it is a requirement that the firm sharing customer information with another AML regulated firm has decided to take safeguarding action against the customer or would have done so had the customer remained onboarded.

20. Safeguarding action means terminating a business relationship with the customer, refusing the customer a product or service, or restricting the customer’s access to elements of a product or service made available to other customers. A business relationship in this context means one that arises out of the firm’s business and is expected to have an element of duration.

21. Under the request condition, one firm can request customer information from another firm on the basis that they believe that the organisation sharing holds information, relating to a customer, that will or may assist the requesting firm in carrying out relevant actions.

22. Relevant actions refer to a firm deciding whether it is appropriate to apply due diligence, undertaking effective measures for verifying the identity of the customer or determining whether it is appropriate to terminate an existing business relationship with a customer. This list is non-exhaustive, and a full list of relevant actions is set out in section 191(a) to (c) of the act.

23. The warning and request conditions involve requirements relating to both the sending and receiving firms, and it is not the case that the warning condition only relates to the sender and the request condition only relates to the receiver.

24. In practical terms, the warning condition involves a firm sharing information with another firm about a customer without having been prompted by that other firm. The request condition concerns a firm providing information, in response to a specific request from another firm about a customer.

25. Firms are likely to use the request condition to ask for information from another firm that they believe will assist them with identifying the risk of a former or existing customer committing or having committed an economic crime offence while using their service.

26. The request condition is only available for direct sharing, unlike the warning condition, which applies to both direct and indirect sharing. The request condition may be used, for example, when a firm has a lack of information on a customer (for example, the customer has a dormant account with a provider), so the firm might reach out to another firm involved in a transaction to request further information to decide the extent of due diligence to undertake.

27. It is important to note that when firms use the measures to share indirectly, through a third-party intermediary, they should only be relying on the warning condition to receive the protections and not the request condition.

28. In practice, this would mean that applicable firms would only be able to upload customer information on an individual onto a third party sharing database, if they had decided to take safeguarding action.

29. It would be an inappropriate use of the request condition for one firm to request to gain information on a customer from multiple other firms, purely on the basis that they all upload information onto a third party database. Where firms do use the request condition, they are advised to do this specifically through direct sharing.

30. The warning condition is an important safeguard to the legislation that will ensure that information is not shared for inappropriate reasons under the measures. Any disclosure of customer information for purposes other than those specified in the act would not receive civil liability protections under the measures.

Additional handling conditions

31. Section 188 of the act notes that the protections on civil liability are applied to regulated firms who are sending and receiving information about current or past customers when the firms are carrying on business in the regulated sector.

32. Information may be shared by a firm on multiple occasions with different regulated firms, independently of one another, provided they meet the conditions of the legislation.

33. These new measures are domestic in their application. In practice, this means that the disapplication of civil liability in the legislation is limited to UK-based information sharing, and this would not apply to sharing outside of this jurisdiction.

34. Regulated firms are therefore advised to include strict handling conditions on information when it is being shared either directly or indirectly under the new measures.

Practical considerations for regulated firms

Sector-led approach

35. The Public Private Steering Group which brings together key economic crime representatives from law enforcement, government and the private sector agreed that for industry to utilise these new measures, there would need to be a sector led approach supported by overarching government guidance.

36. Given this, the Home Office encourages statutory and non-statutory PBSs and trade bodies to use this overarching guidance to publish their own sector specific advice to reflect the nuances in different sectors’ business models. The Home Office will work with statutory and non-statutory PBSs and trade bodies to assist them with this.

Technical mechanisms for sharing

37. The government is not specifying which technological solutions are most appropriate to enact these measures for both direct and indirect sharing.

38. Where regulated firms wish to procure third party platforms or products to enable direct or indirect sharing, it is strongly advised that they choose services that have clear security protocols, transparent governance arrangements and compliance with the UK GDPR.

39. Regulated firms with significant technological capability may use more advanced mechanisms for direct sharing, including, for example, application programming interfaces (APIs). The government encourages the use of APIs for private-to-private sharing, in line with UK GDPR, to increase efficiencies across the system.

40. Regulated firms may want to undertake pilot exercises, with support from statutory and non-statutory PBSs and trade bodies, when using new technology for direct and indirect sharing. This will assist businesses in understanding the risks and benefits of these mechanisms, before possibly expanding their use.

41. Statutory and non-statutory PBSs, trade bodies and individual regulated firms may also want to develop single point of contact (SPOC) lists within and across sectors, where these do not already exist.

42. These SPOC lists will serve two key purposes. The first is to provide authentication to regulated firms that information is being shared with the correct recipients. The second is that they will include lists of regulated firms willing to engage in the use of the provisions, given that they are voluntary. It is an individual firm’s responsibility to verify that the organisation they are sharing information with is legitimate.

43. In all cases, regulated firms will need to ensure that they share any information securely. The ICO provides guidance on information security that businesses may find helpful. [footnote 1]

Cross-sector sharing

44. Economic crime actors will often undertake their illicit activities across industries. The government therefore supports cross-sector sharing under these new measures, including via direct and indirect sharing mechanisms.

45. Statutory and non-statutory PBSs, trade bodies and regulated firms in different sectors are advised to work together to understand the touch points for information sharing to occur between industries. Regulated firms are also advised to ensure typologies of economic crime on customer behaviour are aligned, where possible, when sharing between sectors.

46. The act includes a power for the Secretary of State to amend the economic crime offences covered by the measures, so that law enforcement and businesses can be responsive to future changes in the patterns of economic crime.

Law enforcement reporting, UK GDPR compliance and customer redress

Law enforcement reporting

47. Regulated firms should be mindful of their obligations to report knowledge or suspicion of money laundering and/or terrorist financing to the National Crime Agency (NCA) through Suspicious Activity Reports (SARs) under POCA. They should also consider appropriate fraud referrals to Action Fraud and other relevant agencies, when using the new measures.

48. Where regulated firms choose to share customer information after submitting a SAR, they will need to make sure that they do not indicate this to the receiving organisation.

49. However, firms are advised to share information on submitting SARs when they are undertaking a joint disclosure report, often referred to as a ‘Super SAR’, as set out in section 339ZB of POCA and section 21CA of the Terrorism Act 2000.

50. Where firms do share information under the Super SAR measures to produce a joint disclosure report, the report must contain a declaration of approval by the nominated officers of those entities that agree to be part of the joint disclosure report (with nominated officer name and contact details). Further details for firms on submitting a joint disclosure report under this legislation can be found in this Home Office Circular. [footnote 2]

51. The government is advocating for regulated firms to share information under the new measures in line with reporting obligations and their own risk-based approach. Further information on maintaining the confidentiality and sensitivity of SARs can be found in the Home Office Circular.

52. Regulated firms in the financial sector currently share sensitive information such as SARs with the Financial Ombudsman Service (FOS) under the Joint Money Laundering Steering Group Guidance (JMLSG). Firms are encouraged to continue sharing this information with the FOS where appropriate, while using these new provisions.

UK GDPR compliance

53. Customer information will differ across regulated firms and will in most cases contain personally identifiable data, which will need to be treated with significant care. If a regulated firm were to share data for commercial purposes, they could be subject to enforcement action by the Information Commissioner’s Office (ICO).

54. Businesses would benefit from undertaking regular assurance reviews and risk assessments before and after sharing mechanisms have gone live.

55. This is to ensure that the customer information being shared meets the warning and request conditions in the legislation and adheres to the UK GDPR, which requires that information collected for a specified purpose is not processed for other purposes.

56. Under the UK GDPR, an organisation can use personal information for a new purpose, only if that purpose is compatible with the original specified purpose or in other limited circumstances.

57. Information must also be accurate, as well as adequate, relevant, and limited to what is necessary [footnote 3]. The ICO’s data sharing code helps businesses share data in a fair, safe and transparent way [footnote 4].

58. The Data Protection and Digital Information Bill (DPDI) will aim to amend the UK GDPR to establish the prevention of fraud as a legitimate interest for sharing information. Regulated firms are advised to consider this legislation, in line with using these new measures.

Customer redress

59. Both receiving and sending regulated firms are encouraged to keep an audit trail of all information shared for assurance purposes and to record key decision points. The maintenance of these records will help regulated firms and (in the financial sector) the FOS to assist customers with possible complaints and redress.

60. Where appropriate, regulated firms who receive information being shared will need to make it clear that they are the appropriate entity to complain to, to avoid the customer having to make several complaints to several businesses.

61. Regulated firms are advised to clearly signpost their internal process for complaints and treat the consumer appropriately during their complaint journey, when using these new measures.

62. These new measures are not designed to provide sectors with additional powers to exclude customers inappropriately. They should be utilised by regulated firms to assist with their risk-based decision making.

Footnotes