Pre-2023 Act: hurdles for firms wanting to share information
Firms have previously been unable to quickly share information with each other about economic crime concerns and have been concerned that doing so would result in liability for confidentiality breaches. A business in the Anti-Money Laundering (AML) regulated sector was only able to disclose information to another person or business if certain conditions were met[1], including that it must have:
- Notified the National Crime Agency (NCA); and
- Received a sharing request from the NCA or the person receiving the information.
This “super SAR” mechanism prevents firms from voluntarily and quickly sharing relevant data with another firm. Firms therefore usually only had access to their own information, making the detection or investigation of economic crime difficult, or at least slow. This affected investigations of specific transactions, criminal activity across firms, and new account applications from criminals who were exited by other firms for economic crime reasons.
Making information sharing easier
Under the Act, a firm in the AML regulated sector can share information with another firm for the purposes of preventing, detecting and investigating economic crime (including offences such as attempt or conspiracy), without involvement from law enforcement or a request from the recipient firm.
So long as certain conditions are met, the sharing and recipient firms are protected from certain civil claims by the relevant customer or any other party.
There are two options:
- Direct sharing of information with another firm in the AML regulated sector (section 188).
- Indirect sharing of information via a third-party intermediary (section 189).
There is no definition of the 'customer information' that can be shared or received, but the sharing firm must believe that it is the type of information that will or may assist the recipient firm in deciding:
- Whether it is appropriate to apply due diligence measures and, if so, their nature or extent;
- Whether and how to carry out identity verification; and/or
- Whether it is appropriate to terminate or decline a customer relationship, decline or restrict access to a product/service, or decline to carry out a transaction.
Option 1: direct information sharing
Under section 188 of the Act, a firm in the regulated sector (A) is able to share information about a customer with another firm (B), either through direct communication methods or a third-party platform/mechanism, if:
- B has explicitly requested information from A (which is referred to as the ‘request condition’). An example in the Government guidance was that a firm may lack information on a customer (such as a customer with a dormant account) and therefore request further information from another firm involved in a transaction in order to determine the appropriate extent of due diligence.
- A has decided – or would have decided if a customer remained onboarded – to take safeguarding action against the customer (eg termination of a customer relationship or refusal of, or restriction of access to elements of, a product/service) as a result of economic crime concerns and wishes to voluntarily warn B about that customer. This is referred to as the ‘warning condition’.
A firm is however only free to proactively volunteer information if the above ‘warning condition’ is met, and otherwise a firm that proactively volunteers information will not be protected against a claim for breach of confidence or other civil liability. The Government considers this criterion to be key in protecting customers from unfair exclusion from services or products and in ensuring that information is not shared for “inappropriate reasons”, so firms should ensure that they properly consider the customer relationship through appropriate governance channels and fully document their decisions prior to proactively volunteering information. By doing so, firms will be better prepared to answer any future questions from regulators or customers and to evidence that this criterion was met.
Option 2: indirect information sharing
A firm may wish to proactively share information about a customer that is relevant to preventing, detecting or investigating economic crime, but it may not be possible to identify another firm for whom that information would be useful. For example, where a bank exits a customer relationship due to economic crime concerns, it is not necessarily able to identify banks to which the customer will apply in the future.
Section 189 of the Act provides for a smaller subset of firms to undertake indirect sharing through a third-party intermediary if the above ‘warning condition’ is met (ie the sharing firm has decided, or would have decided, to take safeguarding action).
Indirect sharing can take place between businesses in the financial sector (deposit-taking bodies, electronic money institutions and payment institutions), crypto asset exchanges and custodian wallet providers, large law firms, large accountancy firms, large insolvency practitioners, large auditors and large tax advisers. “Large” firms are those with revenues between GBP 36m and GBP 1bn.
Recent Government guidance states that the third-party intermediary may also provide their own analysis of customer information and enriched data sources to firms.
Mechanisms for firms to share information
There are no specific technological requirements for information sharing, and recent Government guidance stresses that it is not prescribing the most appropriate solutions for either direct or indirect sharing. However, it noted that firms with significant technological capabilities may want to use more advanced mechanisms for direct sharing and it encourages the use of application programming interfaces (APIs). The Government also suggests the use of pilot exercises for new direct and indirect sharing technologies, in order to identify their risks and benefits.
Firms remain subject to existing obligations
These new measures are only applicable within the UK and firms may need to impose strict handling conditions on the sharing of information. A firm also still needs to keep in mind its existing obligations when it either shares or receives information. These obligations include:
- Data protection: A business’s existing obligations under UK GDPR in relation to data accuracy, integrity, purpose, storage and accountability continue to apply. This is the case regardless of how firms share the information, so firms should remain mindful of security protocols and UK GDPR compliance when using a third-party platform/product. Recent Government guidance encourages firms to undertake regular assurance reviews and risk assessments to ensure that customer information being shared meets the above ‘warning condition’ or ‘request condition’ and complies with the UK GDPR.
- Customer rights: When receiving information, a firm may wish to consider whether to restrict or exclude a customer, but it must still consider its obligations under the Equality Act 2010 and the FCA’s Principles for Businesses, including the obligation to treat customers fairly. The Act does not impact a customer’s right to a Basic Bank Account (subject to existing carve-outs). Recent Government guidance encourages sharing and recipient firms to keep an audit trail in which they appropriately document all information shared and any key decision-making. Firms should include the factors that were taken into account for such decisions. If customers believe that the result of the information sharing is unfair, they have an appeals mechanism, so recipient firms are encouraged by the Government to first make clear that they are the appropriate entity for complaints and to clearly signpost their internal complaints process.
- Reporting: Use of either form of information sharing is on a voluntary basis and does not replace firms’ existing suspicious activity reporting obligations. In addition, where a firm chooses to share customer information under the new measures after submitting a suspicious activity report, it needs to be careful not to indicate this to the recipient firm. Firms can of course choose to submit a ‘Super SAR’ if undertaking a joint disclosure report.
Further guidance and regulatory expectations
Economic crime remains a key focus of regulatory enforcement with potentially time-intensive investigations, significant penalties and reputational damage. It is therefore easy to see how rapid information sharing can benefit firms. In addition, firms may benefit from increased efficiency during their onboarding, due diligence and remediation processes.
The new provisions came into force on 15 January 2024. It however remains unclear whether the measures, which take place on an entirely voluntary basis, are a sufficient catalyst for information sharing within the industry. Many firms may only be willing to bear the cost, effort and risk of this information sharing if they consider their efforts to be sufficiently reciprocated. Recent Government guidance suggests the development of single point of contact (SPOC) lists, partly to provide a list of regulated firms that are willing to engage in the use of these provisions.
Firms will need to stay aware of any changes to the measures or further guidance as, for example, the Home Office is encouraging the publication of sector-specific advice going forward. Firms should now also track any future regulatory expectations about these voluntary measures, as it will be interesting to see whether regulatory expectations develop in respect of the amount and nature of information sharing, as well as the resulting steps by recipient firms, and whether firms may start to receive some supervisory queries on this topic.
[1] Section 11, Criminal Finances Act 2017