Guidance

Guidance on the information sharing measures in the Economic Crime and Corporate Transparency Act 2023

Updated 3 October 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/information-sharing-measures-in-the-economic-crime-and-corporate-transparency-act/guidance-on-the-information-sharing-measures-in-the-economic-crime-and-corporate-transparency-act-2023

Introduction

1. The purpose of this guidance is to support  anti-money laundering regulated firms (“AML regulated firm”), within Schedule 9 of the Proceeds of Crime Act 2002 (POCA), to utilise the new information sharing provisions introduced by sections 188 and 189 of the Economic Crime and Corporate Transparency Act (ECCTA) 2023 (“measures”). These measures came into force on the 15th of January 2024, meaning AML regulated firms can now share information under these new measures.

2. These measures have been put in place to provide greater clarity and comfort to AML regulated firms to share relevant customer information for the purposes of preventing, detecting or investigating economic crime, either directly between each other or indirectly through a third-party intermediary. These new measures are voluntary.

3. This guidance will provide AML regulated firms with information on: the policy intent for the measures; how AML regulated firms can ensure that they are protected by the measures when undertaking direct and indirect sharing; handling conditions for sharing and receiving information and undertaking law enforcement reporting; UK General Data Protection Regulation (“UK GDPR”) compliance and maintaining effective customer complaint processes.

4. AML regulated firms, statutory supervisors, professional body supervisors, and trade bodies are advised to consider how they can apply the overarching principles in this guidance to develop a consistent approach to sharing within their wider sector.

Policy intent

5. Private sector bodies do not need statutory authority to share information, though, when sharing personal data, they do need a lawful basis for doing so under the UK GDPR.

6. However, the Government recognised that prior to ECCTA, AML regulated firms wanting to share customer information for the purposes of preventing, detecting or investigating economic crime were concerned that in doing so they might be liable for possible breaches of confidentiality and civil liability.

7. To ensure that information is appropriately shared in as many cases as possible, the Government has introduced these measures to disapply both obligations of confidentiality and civil liability for AML regulated firms, who are already identified as having specialist economic crime and AML responsibilities, when they share customer information with one another, directly or indirectly through a third-party intermediary. The measures do not enable the disclosure of privileged information or information that could contravene UK GDPR.

8. AML regulated firms using the measures to share information directly or indirectly will gain a network view of the economic crime risk linked to their services, products and platforms. AML regulated firms will therefore have a greater ability to take upstream preventative action and disrupt illicit activity and can engage other AML regulated firms to take similar action.

9. If a wide range of AML regulated firms across sectors utilise these measures, they will have richer information sources when undertaking their reporting obligations. This will increase the effectiveness and accuracy of suspicious activity reporting and fraud reporting.

Overview of the measures

Direct and indirect sharing

10. These measures will allow for the disapplication of confidentiality and civil liability for direct sharing of customer information, for the purposes of preventing, detecting or investigating economic crime, between AML regulated firms.

11. The measures also allow for the indirect sharing of customer information through a third-party intermediary between:

  • businesses in the regulated sector (deposit taking bodies, electronic money institutions, payment institutions, cryptoasset exchange providers and custodian wallet providers)
  • large or very large law firms
  • large or very large accountancy firms
  • large or very large insolvency practitioners
  • large or very large auditors, and
  • large or very large tax advisers

12. Where the measures only apply to ‘large’ or ‘very large’ businesses, ‘large’ and ’very large’ are defined using the definitions in sections 55 to 57 of the Finance Act 2022.

13. ‘Economic crime’ in this context is defined in schedule 11 of ECCTA and includes money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse and fraud. It also includes inchoate offences such as attempt or conspiracy.

14. In practical terms, the direct sharing measures enable AML regulated firms to share customer information with each other (i.e. on a peer-to-peer basis) with confidentiality and civil liability disapplied. AML regulated firms may choose to undertake this through direct communication methods, or through a technological platform or mechanism designed by a third party.

15. AML regulated firms who are also in scope of the indirect sharing measures can share both on a peer-to-peer basis and through a third-party intermediary. Third party intermediaries may include existing or new sector specific and cross-sector economic crime consortia. These intermediary organisations may be able to provide analysis on the customer information being shared in order to provide AML regulated firms with enriched data.

16. The types of AML regulated firms that can share indirectly through a third-party intermediary are a smaller sub-set of the wider AML regulated sector. This is to avoid an additional burden on other AML regulated businesses that would be unable to take on this potential cost and additional data protection responsibilities. The Secretary of State can make regulations bringing additional businesses within scope of the direct or indirect sharing provisions.

17. The Government encourages the use of both direct and indirect sharing under the new measures for the purposes of preventing, detecting or investigating economic crime.

Request and warning conditions for direct sharing

18. AML regulated firms must ensure that they meet the requirements of either the warning or request conditions when disclosing information in accordance with  the direct sharing measures. The warning and request conditions apply independently for AML regulated firms wanting to share directly.

19. In relation to the warning condition, it is a requirement that the AML regulated firm sharing customer information with another AML regulated firm has decided to take safeguarding action against the customer due to the concerns about risks of economic crime or would have done so had the customer remained onboarded.

20. Safeguarding action includes the actions of terminating a business relationship with the  customer, refusing the customer a product or service, or restricting the customer’s access to elements of a product or service made available to other customers.  A business relationship in this context means a business, professional or commercial relationship between an AML regulated firm and a customer or client which (a) arises out of the business of the AML regulated firm, and (b) has, or is expected by the AML regulated firm (at the time when contact is established) to have, an element of duration.

21. In relation to the request condition, the requesting AML regulated firm must believe that the responding AML regulated firm holds information relating to the requesting AML regulated firm’s  customer, and the disclosure of that information will or may assist the requesting AML regulated firm in carrying out relevant actions.

22. Relevant actions are those described in s.191 of ECCTA for the purposes of preventing, detecting or investigating economic crime in relation to a customer (or proposed customer) and include: determining appropriate customer due diligence or similar measures; carrying out identification, verification and other customer due diligence measures; or determining  whether it is appropriate to terminate, decline, or restrict provision of products, services or transactions.

23. The warning and request conditions involve requirements relating to both the sending and receiving AML regulated firms, and it is not the case that the warning condition only relates to the sender and the request condition only relates to the receiver.

24. In practical terms, the warning condition involves an AML regulated firm sharing information with another AML regulated firm about a customer (or former customer) without having been prompted by that other AML regulated firm. The request condition concerns an AML regulated firm providing information, in response to a specific request from another AML regulated firm about a customer (or proposed customer).

25. Similarly, in practical terms, AML regulated firms are likely to use the request condition to ask for information from another AML regulated firm that they believe will assist them in identifying the risk of a former or existing customer of the requested AML regulated firm committing or having committed an economic crime offence while using their products or services. The request condition would be used, for example, when an AML regulated firm has a lack of information on a customer (e.g. they have a dormant account with a provider), so they might reach out to another AML regulated firm involved in a transaction to request further information to decide the extent of due diligence to undertake.

Conditions for indirect sharing

26. It is important to note that when AML regulated firms use the measures to share indirectly, i.e. through a third-party intermediary, they should only be relying on the warning condition as set out in section 189(1)(c) to receive the protections and not the request condition. In practice, this would mean that AML regulated firms who can rely on the indirect sharing measures would only be able to upload customer information about a particular current customer onto a third-party sharing database if they had decided to take safeguarding action.

27. The warning condition is an important safeguard in ECCTA that will ensure information is not shared for inappropriate reasons under the measures. Any disclosure of customer information for purposes other than those specified in ECCTA would not receive confidentiality and civil liability protections under the measures.

28. It would be an inappropriate use of the request condition for one AML regulated firm to request information on a customer from multiple other AML regulated firms purely on the basis that they all upload information onto a third-party database. AML regulated firms are advised to make requests to another AML regulated firm through direct sharing where, for example, they lack information on a specific matter.

Additional handling conditions

29. Sections 188 and 191 of the ECCTA notes that the protections on confidentiality and civil liability are applied to AML regulated firms who are sending and receiving information about current or past or proposed customers when the firms are carrying on business in the regulated sector.

30. Information may be shared by an AML regulated firm on multiple occasions with different AML regulated firms, independently of one another, provided they meet the ECCTA conditions.

31. These new measures are domestic in their application. In practice, this means that the disapplication of confidentiality and civil liability is limited to UK-based information sharing, and this would not apply to sharing outside of the UK.

32. AML regulated firms are therefore advised to include strict handling conditions on information when it is being shared either directly or indirectly under the new measures.

Practical considerations for AML regulated firms

Sector-led approach

33. The Public Private Steering Group which brings together key economic crime representatives from Law Enforcement, Government and the private sector agreed that for industry to utilise these new measures, there would need to be a sector led approach supported by overarching HMG guidance.

34. Given this context, the Home Office encourages statutory supervisors, professional body supervisors and trade bodies to use this overarching guidance to publish their own sector specific advice to reflect the nuances in different sectors’ business models. The Home Office will work with statutory supervisors, professional body supervisors and trade bodies to assist them with this.

Technical Mechanisms for Sharing

35. The Government is not specifying which technological solutions are most appropriate to enact these measures for both direct and indirect sharing.

36. Where AML regulated firms wish to procure third party platforms or products to enable direct or indirect sharing, it is strongly advised that they choose services that have clear security protocols, transparent governance arrangements and act in compliance with the UK GDPR.

37. AML regulated firms with significant technological capability may use more advanced mechanisms for direct sharing, including for example, Application Programming Interfaces (API). The Government encourages the use of APIs for private-to-private sharing between AML regulated firms, in line with UK GDPR, to increase efficiencies across the system.

38. AML regulated firms may want to undertake pilot exercises, with support from statutory supervisors, professional body supervisors and trade bodies, when using new technology for direct and indirect sharing. This will assist businesses in understanding the risks and benefits of these mechanisms, before expanding their use.

39. Statutory supervisors, professional body supervisors, trade bodies and individual AML regulated firms may also want to develop Single Point of Contact (SPOC) lists within and across sectors, where these do not already exist.

40. These SPOC lists will serve two key purposes. The first is to provide authentication to AML regulated firms that information is being shared with the correct recipients. The second is that they will include lists of AML regulated firms willing to engage in the use of the measures, given that they are voluntary. It is an individual AML regulated firm’s responsibility to verify that the other AML regulated firm they are sharing information with are legitimate.

41. In all cases, AML regulated firms will need to ensure that they share any information securely. The Information Commissioners Office (ICO) provides guidance on information security that businesses may find helpful [footnote 1].

Cross-Sector Sharing

42. Economic crime actors will often undertake their illicit activities across industries. The Government therefore supports cross-sector sharing under these new measures, including via direct and indirect sharing mechanisms.

43. Statutory supervisors, professional body supervisors, trade bodies and AML regulated firms in different sectors are encouraged to work together to understand the touch points for information sharing to occur between industries. AML regulated firms are also advised to ensure typologies of economic crime on customer behaviour are aligned, where possible, when sharing between sectors.

44. ECCTA also includes a power for the Secretary of State to amend the economic crime offences covered by the measures, so that law enforcement and businesses can be responsive to future changes in the patterns of economic crime.

Application of measures when AML regulated firms undertake AML-regulated and non-AML regulated activity

45. Where an AML regulated firm undertakes a combination of AML regulated and non-AML regulated activity, such as a law firm that carries out financial or real property transactions as a portfolio of wider offerings to their clients, the measures should be read as applying to all relevant customer information in those accounts or wallets. This is to avoid any risk of advantage to customers using dual accounts or dual wallets. In accordance with the authorised disclosure provisions in POCA 2002 and permissive disclosure of information provisions in TACT 2000, knowledge or suspicion arising out of AML regulated or non-AML regulated activity would be shared with law enforcement through a Suspicious Activity Report (SAR) in the usual way.

Law enforcement reporting, UK GDPR compliance and customer redress

Law Enforcement Reporting

46. AML regulated firms should be mindful of their obligations to report knowledge or suspicion, and reasonable grounds to know or suspect, money laundering and/or terrorist financing to the National Crime Agency (NCA) through SARs under POCA 2002 or TACT 2000. They should also consider appropriate fraud referrals to Action Fraud and other relevant agencies, when using the new measures.

47. Where AML regulated firms choose to share customer information after submitting a SAR, they will need to make sure that they do not breach  provisions related to tipping-off and/or prejudicing investigations.

48. However, AML regulated firms are advised to share information on SARs submission when they are undertaking a joint disclosure report, often referred to as a Super SAR, as set out in section 339ZB of POCA and section 21CA of the Terrorism Act 2000.

49. Where AML regulated firms do share information under the Super SAR measures to produce a joint disclosure report, the report must contain declaration of approval by the Nominated Officers of those AML regulated firms that agree to be part of the joint disclosure report (with Nominated Officer name and contact details).

50. The Government encourages AML regulated firms to share information under the new measures in line with reporting obligations and their own risk-based approach and obligations relating to SARs confidentiality.

51. AML regulated firms in the financial sector currently share sensitive information such as SARs with the Financial Ombudsman Service (FOS) under the Joint Money Laundering Steering Group guidance (JMLSG). AML regulated firms are encouraged to continue sharing this information with the FOS where appropriate, while using these new measures.

UK GDPR compliance

52. Customer information will differ across AML regulated firms and will in most cases contain personal identifiable data, which will need to be treated with significant care. If an AML regulated firm were to share data for commercial purposes, they could be subject to enforcement action by the Information Commissioners Office (ICO).

53. AML regulated firms would benefit from undertaking regular assurance reviews and risk assessments before and after sharing mechanisms have gone live.

54. This is to ensure that the customer information being shared meets the warning and request conditions in ECCTA and adheres to the UK GDPR, which requires that information collected for a specified purpose is not processed for other purposes.

55. Under the UK GDPR, an AML regulated firm can use personal information for a new purpose, only if that purpose is compatible with the original specified purpose or in other limited circumstances.

56. Information must also be accurate, as well as adequate, relevant, and limited to what is necessary [footnote 2]. The ICO’s data sharing code helps AML regulated firms to share data in a fair, safe and transparent way [footnote 3]

57.  The Data (Use and Access) Act 2025 amends the UK GDPR to establish detecting, investigating or preventing crime and apprehending or prosecuting offenders as recognised legitimate interests for sharing information. The relevant provisions will come into force in 2026. This expands on the current legislation where the prevention of fraud is already listed as lawful basis for sharing special category data AML regulated firms are advised to consider this legislation, in line with using these new measures.

Customer redress

58. Both receiving and sending AML regulated firms are encouraged to keep an audit trail of all information shared for assurance purposes and to record key decision points. The maintenance of these records will help AML regulated firms and (in the financial sector) the FOS, to assist customers with possible complaints and redress.

59. Where appropriate, AML regulated firms who receive information being shared will need to make it clear that they are the appropriate entity to complain to.

60. AML regulated firms are advised to clearly signpost their internal process for complaints and treat the consumer appropriately during their complaint journey, when using these new measures

61. These new measures are not designed to provide sectors with additional powers to exclude customers inappropriately. They should be utilised by AML regulated firms to assist with their risk-based decision making.

  1. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/ 

  2. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/ 

  3. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/ 

Back to top