Policy paper

Factsheet: information sharing measures

Updated 26 October 2023

What is the government doing and why?

The Economic Crime and Corporate Transparency Bill (‘the bill’) aims to strengthen the UK’s fight against economic crime and support efforts to tackle terrorist financing, while safeguarding the UK’s reputation as a place where legitimate business can thrive.

The bill creates new provisions in the Proceeds of Crime Act 2002 (POCA) to enable sharing of information between certain businesses for the purposes of preventing, detecting and investigating economic crime.

Large amounts of financial data flow through the UK every hour. While most of this data relates to legitimate activity, a small proportion involves criminal activity.

At present, businesses are unable to rapidly share information between themselves when they have concerns about economic crime. This makes it difficult to detect criminal networks operating across different businesses and it means that criminals who have been identified and exited by one business, can easily open a new account elsewhere.

What is the current situation?

Businesses in the anti-money laundering (AML) regulated sector (such as banks, law firms and accountants) are constrained in their ability to share information with each other. This has three main consequences:

1. First, a bank, for example, querying a particular transaction can only see its own data in relation to that transaction. It is unable to request further information from the other bank involved in the transaction to clarify relevant details. In the absence of confirmatory information, the bank may either end up under-reporting (not submitting a suspicious activity report, or SAR, where the transaction is in fact suspicious) or over-reporting (submitting a SAR when in fact none was necessary).

2. Second, in only having access to its own data, a business is unable to spot criminal activity occurring across businesses. This is despite the fact that economic crimes such as money laundering take place across multiple bank accounts hosted by separate banks.

3. Third, a bank who restricts access to its products, or terminates a relationship with a customer, due to economic crime concerns, is unable to share that information with other businesses, This means that a customer whose account is terminated with a bank for economic crime reasons can easily open up an account with a new provider, without the new provider being aware of the original bank’s concerns.

What will the clauses in the bill do to help?

The provisions will make it easier for relevant businesses to share customer information with each other for the purposes of preventing, investigating and detecting economic crime by disapplying civil liability for breaches of confidentiality where information is shared for this purpose.

The clauses will allow:

• direct sharing between two businesses in the AML regulated sector
• indirect sharing through a third-party intermediary for businesses in the financial sector (deposit taking bodies, electronic money institutions and payment institutions) cryptoasset exchanges and custodian wallet providers, large law firms, large accountancy firms, large insolvency practitioners, large auditors and large tax advisers

This will apply, for example, in cases where a business has information about a customer that is relevant to preventing, detecting or investigating economic crime, but does not know whom the information would assist, either now or in the future. This might occur where a bank decides to terminate a relationship with a customer due to economic crime concerns and wants to ensure that any future bank that the individual might apply to, is aware of their decision.

Economic crime in this context includes: money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse and fraud. The provisions include the power for the Secretary of State to amend the offences covered so that law enforcement and businesses can be responsive to changes in the nature and patterns of economic crime in the future.

Any disclosure of customer information for purposes other than those specified in the clause e.g. for commercial purposes would not qualify for the disapplication of confidentiality meaning the business could still be sued by the customer.

What safeguards are in place to prevent individuals being wrongly excluded from products or services?

The clauses permit businesses to share information, providing them with more data with which to make risk based decisions. They do not provide businesses new powers to make decisions to restrict or exclude customers. In taking a decision whether to restrict access to one of its products or terminate a relationship with a customer, a business will still have to abide by its existing legal obligations, including ensuring that a decision is free from bias, and any unlawful discrimination under the 2010 Equalities Act.

Where a customer has had their account terminated by a bank, they will still have the right to access a basic bank account, (as established in the payment accounts rgulations 2015), unless their account has been used for criminal activity, or maintaining their account would breach other legal obligations such as the money laundering regulations. This means that affected individuals will continue to be able to access basic account services.

An important safeguard is that before information about a customer is shared proactively, the sharer must have decided to take action against the customer itself, (or would have were they still its customer). As a result, no customer will have their information proactively shared unless their existing provider has already decided to take action against them. We therefore do not foresee a significant increase in the number of new individuals being de-banked or denied products or services. Rather, people who are already de-banked by their existing provider will likely find themselves shut out from more businesses across the system.

Unjustified discrimination against a customer on the basis of a protected characteristic remains unlawful. Firms regulated by the Financial Conduct Authority (FCA) e.g. banks and other businesses in the financial sector, have additional obligations to treat customers fairly under the FCA’s Regulatory Principles, principles which are regulated by the Financial Ombudsman Service (FOS).

What forms of redress are available to individuals whose data is shared and they believe the result of the sharing is unfair, for example if they are denied a service?

The redress procedure will depend on the sector involved. A customer in the financial sector who believes that they have unfairly been denied a product or service should use the existing process for appealing account closures under the FOS. A detailed explanation of this is available on the FOS website and involves:

• Step 1 - A complaint directly to the business: In the first instance the customer should try and resolve their complaint directly with the business. Where this does not lead to a successful resolution the customer should proceed to Step 2
• Step 2 - Receiving a final response letter from the business. The customer should ask the business for a final response letter before pursuing a formal complaint with the FOS. Where a business refuses to provide a final response letter, a complaint can still be pursued via the FOS
• Step 3 - Submit a formal complaint to the FOS. Once a complaint has been submitted the FOS will pursue an investigation on behalf of the customer

In all cases – other than those where an individual’s account has been used for criminal activity or maintaining the account breach other legal obligations such as the money laundering regulations – an individual will still have a right to a basic bank account which provides limited banking features.

The protections and appeals mechanisms outlined above are the same as those currently in place for the National Fraud Database (CIFAS) where customer information is already shared between businesses for the purposes of preventing and detecting fraud.

How will you prevent misuse of data being shared, such as for use for commercial purposes?

Using personal data in this way would be unlawful. Any business subject to the provision in the bill, must, when sharing customer information, continue to adhere to the requirements of the UK GDPR which requires that information collected for a specified purpose is not processed for other purposes.

A business in breach of this principle will be subject to enforcement action by the Information Commissioner’s Office, the maximum penalty being £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

What safeguards exist for someone who believes the information held against them is incorrect?

Under UK GDPR a business must ensure that every reasonable step is taken to ensure personal data is accurate and kept up to date.

Associated with the duty on businesses is the individual “right to rectification” – the right for individuals to have inaccurate personal data rectified or completed if it is incomplete. An individual can make a request to a business for rectification verbally or in writing.

Where an individual is not satisfied that their right to rectification has been actioned by the business – or has any other complaints related to the use of their data – they can pursue their case via the Information Commissioner’s Office (ICO).

Why have you not specified how sharing via a third-party intermediary would work?

The legislation is designed to enable easier information sharing between private sector businesses, the mechanisms for which should be led by the sector itself. The manner and form by which that information is shared may vary.

It is not for the government to specify in legislation which technological solutions are most appropriate.

Will businesses have to share information?

Use of the provisions will be entirely voluntary and does not replace SARs reporting obligations.

Facts and figures

Money laundering is estimated to cost the UK economy more than £100 billion each year.

Independent analysis of the information sharing proposals has estimated that they could prevent around 4,500 crimes every year. This could vary from multi-million pound money laundering schemes to people losing their entire life savings.

Information sharing that currently takes place using the National Fraud Database (CIFAS) is estimated to have saved businesses over £1bn in prevented fraudulent activity in 2020.

Scale of mule activity: UK banks identified more than 50,000 suspected ‘money mules’ in 2021, a 24% increase on the previous year. Criminals recruit the public, including exploiting children, to form networks of mule accounts to move money taken from fraud victims and other criminal funds.

Similar proposals that allow businesses to share information are either in place or underway in Holland, the US and Singapore. As a global financial centre, it is important that the UK remains at the forefront of financial technology.

Between April 2021 and January 2022, the Financial Ombudsman Service resolved around 3,500 complaints related to account terminations. In 33% of cases, the complaint was upheld in favour of consumers.

The maximum penalty for infringement of GDPR data protection principles or the rights of an individual by a company is £17.5 million or 4% of annual global turnover - whichever is greater.

The ICO issued over £42 million in fines for GDPR infringements between 2020-21.