
Information sharing measures under ECCTA
Updated guidance on the information sharing measures set out in sections 188 and 189 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) has recently been published by the Home Office, HM Treasury, the Ministry of Justice, Companies House, the Serious Fraud Office and the Department for Business and Trade.
These voluntary information sharing measures aim to provide greater clarity and comfort to AML regulated firms (as defined under schedule 9 of the Proceeds of Crime Act 2002 (POCA)) to share relevant customer information for the purposes of preventing, detecting or investigating economic crime (which in this context includes, amongst other offences, money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse and fraud).
The updated guidance provides further information on:
- The policy intent for the measures
- How AML regulated firms can ensure they are protected when undertaking direct and indirect sharing
- Handling conditions for sharing and receiving information and undertaking law enforcement reporting
- Compliance with UK General Data Protection Regulation (UK GDPR)
- Maintaining effective customer complaint processes.
Policy intent
The information-sharing measures introduced by ECCTA disapply confidentiality and civil liability obligations for AML regulated firms when sharing customer information with one another within the UK, directly or indirectly through a third-party intermediary.
While firms must continue to comply with UK GDPR, wider adoption of these measures is expected to provide access to richer information sources, enhancing the accuracy and effectiveness of reporting.
Overview of the measures
Direct and indirect sharing
The measures permit both direct sharing of information between AML regulated firms (e.g. through direct communication methods or third-party technological platforms / mechanisms) and indirect sharing via third-party intermediaries. Indirect sharing, however, can only occur between:
- Businesses in the regulated sector (including deposit taking bodies, electronic money institutions, payment institutions, cryptoasset exchange providers and custodian wallet providers)
- Large or very large (each as defined in sections 55 to 57 of the Finance Act 2022) law firms, accountancy firms, insolvency practitioners, auditors, and tax advisers.
Request and warning conditions for direct sharing
AML regulated firms must meet one of two conditions when disclosing information:
- The warning condition: where the sharing firm must have decided to take safeguarding action against the customer due to concerns about economic crime risks (or would have done had the customer remained onboarded). Safeguarding actions include terminating business relationships, refusing services, or restricting access to services.
- The request condition: where the requesting firm must believe that the responding firm holds information relating to the requesting firm’s customer, and the disclosure of that information will or may assist the requesting firm in carrying out relevant actions.
For indirect sharing, AML regulated firms should only rely on the warning condition. This is to ensure that information is not shared for inappropriate reasons.
Practical considerations for firms
The guidance outlines several practical steps for AML regulated firms to consider when implementing the measures:
- Sector-led approach: Statutory and professional body supervisors and trade bodies are encouraged to develop sector-specific guidance to support consistent application of the measures and address the nuances of different business models.
- Technical mechanisms: Where third-party platforms or products are used, firms should choose services that have clear security protocols and transparent governance arrangements and that act in compliance with the UK GDPR. The use of APIs to increase efficiencies and pilot exercises for testing new technology is encouraged.
- Cross-sector collaboration: Sharing information across industries is supported to tackle economic crime that spans multiple sectors. The guidance expects AML regulated firms to align their understanding of economic crime typologies.
- Application to dual-activity firms: Where an AML regulated firm carries out a combination of AML regulated and non-AML regulated activity, the measures should be read as applying to all relevant customer information in those accounts or wallets.
Law enforcement reporting
AML regulated firms are reminded of their obligations to report suspicions of money laundering or terrorist financing to the National Crime Agency through Suspicious Activity Reports (SARs). They should also consider making referrals to Action Fraud or other relevant agencies.
AML regulated firms are also encouraged to share information under the new measures in line with reporting obligations and their own risk-based approach and obligations relating to SAR confidentiality.
UK GDPR compliance
While the measures provide legal protection for sharing information, AML regulated firms must still comply with UK GDPR. This includes ensuring that:
- Personal data is shared for a new purpose only if that purpose is compatible with the original specified purpose (or in other limited circumstances).
- Data is accurate, adequate, relevant, and limited to what is necessary.
Customer redress
AML regulated firms are encouraged to keep audit trails of all information shared and to record key decision points. This will help AML regulated firms and the Financial Ombudsman Service (in the financial sector) to assist customers with possible complaints and redress.
Conclusion
By enabling AML regulated firms to share customer information with greater confidence, the information measures introduced by ECCTA aim to enhance collaboration and improve the detection and prevention of economic crime.
For further advice on implementing the information-sharing measures under ECCTA, please get in touch with a member of the Financial Services and Fraud teams. Alternatively, please get in touch with Gena Ritchie or Ben Hay.
