
Customer information sharing in the Economic Crime and Corporate Transparency Act 2023: key points for firms

Quicker and easier sharing of customer information relating to economic crime concerns between firms in the UK financial sector is being encouraged by provisions in the Economic Crime and Corporate Transparency Act 2023. We explore the key features of these new information sharing gateways.


Current hurdles for firms wanting to share information

Firms have been unable to quickly share information with each other about economic crime concerns. A business in the Anti-Money Laundering (AML) regulated sector can only disclose information to another person or business if certain conditions are met[1], including that it must have:

  • notified the National Crime Agency (NCA); and
  • received a sharing request from the NCA or the person receiving the information.

This “super SAR” mechanism prevents firms from voluntarily and quickly sharing relevant data with another firm. Firms therefore usually only have access to their own information, making the detection or investigation of economic crime difficult, or at least slow. This affects investigations of specific transactions, criminal activity across firms, and new account applications from criminals who were exited by other firms for economic crime reasons.

Making information sharing easier

Under the Act, a firm can share information with another firm for the purposes of preventing, detecting and investigating economic crime, without involvement from law enforcement or a request from the recipient firm. So long as certain conditions are met, the sharing and recipient firms are protected from certain civil claims by the relevant customer or any other party.

A relevant business will have two options:

  • Direct sharing of information with another firm in the AML regulated sector (s188).
  • Indirect sharing of information via a third-party intermediary (s189).

There is no definition of the 'customer information' that can be shared or received, but the Government's Impact Assessment[2] indicates that it must be the type of information that would, or may, assist the recipient firm in deciding:

  • whether the veracity of documents should be doubted (such as identity verification);
  • whether due diligence is required in relation to an existing customer;
  • whether a particular case or customer carries a high risk of economic crime; and/or
  • the extent of the measures that should be taken to manage or mitigate that risk.

Option 1: how direct information sharing will work

Under section 188 of the Act, a firm in the regulated sector (A) will be able to share information about a customer with another firm (B) if either:

  • B has explicitly requested information from A; or
  • A has taken action against the customer (such as termination of an account) as a result of economic crime concerns and wishes to voluntarily warn B about that customer.

A firm is, however, only free to volunteer information about a customer proactively when it has itself committed to taking safeguarding action against that customer (or would have done if that person were still a customer). If this criterion is not met, a firm will not be protected against a claim for breach of confidence or other civil liability. The Government considers this criterion to be key in protecting customers from unfair exclusion from services or products, so firms should ensure that they properly consider the customer relationship through appropriate governance channels and fully document their decisions prior to proactively volunteering information. By doing so, firms will be better prepared to answer any future questions from regulators or customers and to evidence that this criterion was met.

Option 2: indirect information sharing via a third-party intermediary 

A firm may wish to share information about a customer that is relevant to preventing, detecting or investigating economic crime, but it may not be possible to identify another firm to which that information would be useful. For example, where a bank exits a customer relationship due to economic crime concerns, it will not necessarily be able to identify any banks to which the customer will apply in the future.

Section 189 of the Act provides for indirect sharing through a third-party intermediary. The Government stressed that it will have no involvement in devising the actual machinery of such sharing, although the Act envisages a user-pays subscription model similar to Cifas’s National Fraud Database.

The Government emphasised in its January 2023 Impact Assessment that a “privately funded third-party platform […] will take time to reach the estimated level of utilisation”, but an industry pilot scheme is already underway to explore appetite amongst firms and test the viability of a platform. The pilot scheme is reported to involve various banks as well as the NCA, and a second pilot is expected to involve further banks, the Home Office, and UK Finance.

Firms remain subject to existing obligations

A firm will still need to keep in mind its existing obligations when it either shares or receives information. These obligations include:

  • Data protection: A business’s existing obligations under UK GDPR in relation to data accuracy, integrity, purpose, storage and accountability will continue to apply.
  • Customer rights: When receiving information, a firm may wish to consider whether to restrict or exclude a customer, but it must still consider its obligations under the Equality Act 2010 and the FCA’s Principles for Businesses, including the obligation to treat customers fairly. The Act does not impact a customer’s right to a Basic Bank Account (subject to existing carve-outs). Firms should ensure that they appropriately document any decision-making and the factors that were taken into account. Firms should also be aware that, if customers believe that the result of the information sharing is unfair, they will have an appeals mechanism – the same process that is used for existing fraud information sharing.
  • Reporting: Use of either form of information sharing will be on a voluntary basis and does not replace firms’ existing suspicious activity reporting obligations.

Timeline and regulatory expectations

Economic crime remains a key focus of regulatory enforcement with potentially time-intensive investigations, significant penalties and reputational damage. It is therefore easy to see how rapid information sharing could benefit firms. In addition, firms may benefit from increased efficiency during their onboarding, due diligence and remediation processes.

The proposed provisions should act as a catalyst for information sharing within the industry, but it is unclear whether they will be sufficient. Many firms may only be willing to bear the cost, effort and risk of this information sharing if they consider their efforts to be sufficiently reciprocated.

These new provisions come into force on 15 January 2024. Once they are in force, firms should track any future regulatory expectations. Information sharing is currently intended to take place on an entirely voluntary basis and is pitched as a tool to help firms that choose to share data with each other. It will be interesting to see whether regulatory expectations will develop in respect of the amount and nature of information sharing, as well as the resulting steps by recipient firms, and whether firms may start to receive some supervisory queries on this topic.

With thanks to Emma Wilson for assistance with the drafting of this blog post.

 

