New information sharing guidance aims to tackle UK money laundering


Under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), a firm bound by anti-money laundering (AML) regulations can share information with another firm for the purposes of preventing, detecting and investigating economic crime without involvement from law enforcement or a request from the recipient firm.

CyXcel Partner Michael Balmer and Associate James Farrell explain the guidance in more detail, along with the implications for firms considering whether and how to share information, and with whom.

The Economic Crime and Corporate Transparency Act 2023

Prior to the ECCTA, AML regulated firms wanting to share customer information on economic crime could be liable for possible breaches of confidentiality. Regulated firms using these measures will have greater clarity when sharing information and will gain a network view of the economic crime risk linked to their services and platforms.

Firms will therefore have a greater ability to take upstream preventative action and disrupt illicit activity, provided they remain GDPR compliant.

New Guidance

In October the UK government issued guidance on the information sharing measures set out in the ECCTA to support anti-money laundering regulated firms within Schedule 9 of the Proceeds of Crime Act 2002 (POCA).

The guidance seeks to “provide greater clarity and comfort to regulated firms to share relevant customer information”, which can be done directly or via a third-party intermediary. All such sharing is voluntary.

These provisions apply to all large, regulated firms, i.e. firms with a turnover between £36 million and £1 billion. The government’s aim is to increase information sharing between firms by removing the civil liability for regulated firms that share customer information with each other. Understandably, before ECCTA firms were concerned about possible breaches of confidentiality.

While this risk has now been removed, firms still need to be mindful of their UK GDPR obligations and how they deal with complaints and redress. 

Key Considerations

Below are four key areas for firms considering whether to share information, and if so, how to share and with whom.

 

UK GDPR Compliance

While civil liability for confidentiality breaches has been removed, customer information will likely include personally identifiable data and will therefore need to be treated with “significant care” to avoid enforcement action by the Information Commissioner’s Office (ICO).

Regular risk assessments, data protection impact assessments, and assurance reviews before and during the use of sharing mechanisms will help businesses to remain aware of the risks and enable them to respond appropriately to any which materialise.

Under UK GDPR, an organisation can only use personal information for a new purpose if that purpose is compatible with the original specified purpose or in other limited circumstances. 

CyXcel is experienced in assessing UK GDPR compliance and advising on data protection impact assessments, supporting clients to ensure that any customer data processing is fair and proportionate, and meets the ICO’s requirements, avoiding the risk of regulatory action. 

 

Technical Mechanisms for Sharing

It will be down to individual firms to decide on the ‘most appropriate’ technological solutions for direct and indirect information sharing. Firms must carefully assess their proposed business partners, particularly when sharing information via a third-party intermediary. 

Businesses should only use intermediaries which are compliant with UK GDPR to avoid regulatory action, fines and negative press. When considering partnerships, the location of the data as well as its storage and access restrictions should be key questions to help ascertain suitability.

CyXcel’s experts are well placed to support the assessment and evaluation of suitable intermediaries, helping businesses manage risk and achieve compliance.

 

Handling Complaints and Redress

Dealing with complaints and requests for redress is particularly sensitive when information may have been shared between several parties. Firms should consider maintaining a clear point of contact for any concerned parties, ensuring they meet any sector-specific obligations, such as the Financial Conduct Authority’s consumer duty guidance. 

Any firms covered by the Financial Ombudsman Service (FOS) ought to pay particular attention to this point, as the FOS takes a dim view of firms which do not signpost their complaints process clearly. To maintain business relationships with information sharing parties, it is also important to ensure that any complaints are properly directed so that they may be resolved swiftly and efficiently by the relevant party.

 

Cross-Sector Considerations

The guidance emphasises the wide range of industries affected by economic crime actors and the importance of sharing information across sectors to support effective reporting. Statutory and non-statutory Professional Bodies Supervision Team, trade bodies and regulated firms are encouraged to work together to understand touch points for information sharing. 

It should be noted that ECCTA contains a power for the Secretary of State to amend the economic crime offences covered by the information-sharing measures, which means that there can be a dynamic response to changes in patterns of economic crime in the future.

 

[Photo credit: Ed Robertson on Unsplash]

We can help

CyXcel are experts in the fields of data privacy and data governance. For more information, or to speak with one of our team about how we can help your business, contact us today.