Cross-border information sharing within corporate groups
02 June 2020
The UK HM Treasury and Home Office have issued a joint statement and guidance on cross-border information-sharing within corporate groups for the purpose of combating economic crime. Echoing the previous sentiments of the Economic Crime Plan 2019, the guidance makes clear that effective and diligent practice in intra-group cross-border data sharing is critical for identifying and combatting instances of money laundering (ML) and terrorist financing (TF), whilst also processing personal data in a way that is consistent with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Specifically, the Government’s guidance endorses previous recommendations made by the Financial Action Task Force (FATF) for private sector information sharing. FATF’s “Recommendation 18” on internal controls and foreign branches / subsidiaries gives two clear messages for financial institutions on the effectiveness of systems and controls for monitoring ML and TF, both of which are reflected in the guidance:
- It is best practice to have in place an appropriate and effective intra-group data sharing policy to allow group-level monitoring. This should specifically deal with information sharing for the purposes of customer due diligence (CDD), ML and TF.
- UK-based financial groups which are subject to the Money Laundering Regulations 2017 (MLRs) must ensure that their foreign branches and subsidiaries meet UK requirements, to the extent that local laws and regulations permit, as required by Regulation 20 of the MLRs. If the local jurisdiction is not an EEA State and does not permit the full application of the UK requirements (or equivalent to the MLR requirements), financial groups should apply appropriate additional measures to effectively handle the risks of ML and TF, and inform the FCA. We have previously seen the FCA take enforcement action against UK entities for ML issues in their overseas operations.
Protecting personal data
The new guidance does not, of course, affect obligations under data protection laws, and businesses must ensure they comply with those laws when following the guidance. Even where information is being transferred intra-group, it should only be shared with other group members in a way which is consistent with the GDPR and the DPA. Cross-border data sharing can have specific implications. For example, when personal data is shared with group members that are outside of the coverage of GDPR, a “restricted transfer” is triggered, meaning that the transfer must be protected in another way – for example by an “appropriate safeguard”, such as binding corporate rules. Brexit makes this a topical issue at present. Whilst the UK ICO has published guidance on international data transfers, the final version of its updated Data Sharing Code of Practice has not yet been released, although the public consultation on it ended in September 2019.
Suspicious Activity Reports
The UK Government hopes that the growth in compliant intra-group data sharing will allow financial institutions to file more detailed and appropriately timed Suspicious Activity Reports (SARs) on the basis of a customer’s transactions across the whole group rather than siloed information from individual branches or subsidiaries in multiple jurisdictions.
Sharing information – and then using it
It will be important for information that is shared across groups to be properly interrogated internally by the recipient entity. The s330 POCA ‘failure to disclose’ offence is triggered when, inter alia, an entity (in the Regulated Sector) has reasonable grounds to know or suspect that another person is engaged in money laundering. This is an objective test of knowledge or suspicion. It means that one group company could have ‘reasonable grounds’ from having received information from another group company, even if that information has not been properly analysed. So, with the ability (and encouragement) to share data within a corporate group comes the responsibility to properly analyse it and make appropriate disclosures if necessary.
Despite the persistent hurdles created by historically inconsistent international data protection regimes, the key message from the Government’s guidance is that data sharing on a group-wide and cross-border basis remains the crucial means by which predominately UK-regulated financial groups can manage financial crime risk by recognising, investigating and reporting cases of ML and TF.