Information sharing by regulated firms

On 4 October 2024, the Department for Business & Trade published guidance (the Guidance) on the information sharing measures in the Economic Crime and Corporate Transparency Act 2023 (ECCTA).

The purpose of the Guidance is to support firms operating in the “regulated sector” within Schedule 9 of the Proceeds of Crime Act 2002 (POCA) in using the new information sharing provisions introduced by sections 188 to 193 of ECCTA (which came into force on 15 January 2024, via the Economic Crime and Corporate Transparency Act 2023 (Commencement No. 1) Regulations 2023).

The government recognised that prior to ECCTA, firms operating in the regulated sector that sought to share customer information on economic crime were concerned that in doing so they might be liable for possible breaches of confidentiality. ECCTA introduces two routes for information sharing – direct sharing of information with another firm in the regulated sector (section 188) and indirect sharing of information via a third-party intermediary (section 189).

  • Direct information sharing – to ensure that information is shared in as many cases as possible, section 188 of ECCTA disapplies civil liability for regulated firms, who are already identified as having specialist economic crime responsibilities, when they directly share customer information for the purpose of preventing, detecting and investigating economic crime. To benefit from the ECCTA protections a firm in the regulated sector (A) sharing information with another firm (B) must satisfy one of the following two conditions:
    • i) B has explicitly requested information from A (the ‘request condition’); or
    • ii) A has decided, or would have decided if a customer remained onboarded, to take safeguarding action against the customer (i.e. terminating a business relationship with the customer, refusing the customer a product or service, or restricting the customer’s access to elements of a product or service made available to other customers) (the ‘warning condition’).
  • Indirect information sharing – section 189 also allows for indirect sharing of customer information through a third-party intermediary between businesses in the financial sector (deposit taking bodies, electronic money institutions and payment institutions), crypto asset exchanges and custodian wallet providers, large law firms, large accountancy firms, large insolvency practitioners, large auditors, and large tax advisers.

Paragraph 47 of the Guidance states that when relying on the information-sharing provisions in ECCTA, firms need to be mindful of their obligations to report knowledge or suspicion of money laundering and/or terrorist financing to the National Crime Agency (NCA) through Suspicious Activity Reports (SARs) under POCA:

  • Where regulated firms choose to share customer information after submitting a SAR, they will need to make sure that they do not indicate this to the receiving organisation.
  • However, firms are advised to share information on submitting SARs when they are undertaking a joint disclosure report, often referred to as a ‘Super SAR’ (as set out in section 339ZB of POCA and section 21CA of the Terrorism Act 2000). Where firms do share information under the Super SAR measures to produce a joint disclosure report, the report must contain a declaration of approval by the nominated officers of those entities that agree to be part of the joint disclosure report (with nominated officer name and contact details).

When disclosing information, firms should also consider their broader obligations under POCA, for example in relation to tipping off and the offence of prejudicing investigations, as this may influence how (and whether) they decide to share information as a practical matter.

Paragraphs 53-56 of the Guidance provide some further insight on the UK GDPR compliance angle, stating that:

  • In most cases, customer information will contain personal identifiable data, which will need to be treated with significant care. Any customer information being shared must meet the warning and request conditions in ECCTA (referred to above) and adhere to the UK GDPR, which requires that information collected for a specified purpose is not processed for other purposes.
  • Under the UK GDPR, an organisation can use personal information for a new purpose only if that purpose is compatible with the original specified purpose or in other limited circumstances. If a regulated firm were to share data for commercial purposes and not in line with these considerations, it could be subject to enforcement action by the Information Commissioner’s Office.

The information-sharing measures are voluntary, and it remains to be seen to what extent they will be used, particularly given the potential data protection complexities.

Information-sharing powers for authorities

Companies House

Under section 94 of ECCTA, Companies House is empowered to proactively disclose information to certain persons or bodies (e.g. government bodies, law enforcement bodies and insolvency practitioners) for purposes connected with the exercise of its functions, provided it does so within the confines of existing data protection legislation and obtains HMRC authorisation where relevant.

The draft Information Sharing (Disclosure by the Registrar) Regulations 2024 provide a mechanism for when Companies House can share targeted information with insolvency practitioners and those involved in insolvency proceedings. 

The Serious Fraud Office (SFO)

Section 211 of ECCTA has also reformed and extended the SFO’s pre-investigative powers under Section 2A of the Criminal Justice Act 1987. The former Section 2A powers permitted the SFO to compel individuals and companies to provide information at a pre-investigation phase in suspected cases of international bribery and corruption where there were “reasonable grounds to suspect” that a crime had taken place. ECCTA has now extended this to all potential SFO cases so that these powers may be used in cases such as suspected fraud or domestic bribery or corruption, which were previously excluded. In particular, under Section 3(5) of the Criminal Justice Act 1987, the SFO has an existing power to share information it obtains using its compulsory powers with other agencies and can therefore share information it has obtained under its newly extended section 2A powers even if the receiving agencies do not possess equivalent pre-investigative powers. Our assumption is that these powers could be used in conjunction with any enforcement or investigations in relation to the Failure to Prevent Fraud offence under ECCTA.