The UK is clearly on a roll in terms of new legislation to tackle economic crime, whether fraud and scams, terrorist financing or money laundering. Another new bill, the Economic Crime and Corporate Transparency Bill, which is aimed at helping reduce economic crimes, i.e., fraud and money laundering, is passing through the legislative process now.
Whilst in the UK there is already some data sharing between banks, mainly on the fraud side, the same is not the case for anti-money laundering (AML). Financial institutions have been calling out for new legislation that would support them in sharing more data and intelligence as part of their efforts to help detect and prevent fraud and money laundering, as sharing data for AML purposes is more difficult. This should be set to change with the Economic Crime and Corporate Transparency Bill.
Whilst GDPR and other UK laws do support sharing for the detection and prevention of financial crime, it is unclear how, in practice, financial services firms would avoid opening themselves up to liability for breach of confidentiality if a customer sued them.
Privacy policies and terms & conditions mean customers do give permission for some sharing, but usually where a fact can be shared, such as the use of forged documents or the fraudulent misrepresentation of information, such as inflated income. However, this doesn’t really hold for ‘suspicions’ in AML.
This is because it is hard to prove money laundering in most cases. Often with fraud it is much clearer that something has happened and sharing facts is less of an issue.
What is proposed in the new bill?
There are a number of elements to the bill, but here I’ll focus on the data sharing elements. At a high level it allows two key areas:
- Direct data sharing between regulated entities, e.g. Bank A can share with Bank B
- Indirect Data sharing between regulated entities, with a non-regulated actor in the middle e.g. Bank A to CYBERA to Banks B, C & D
The bill then provides regulated institutions with protections from:
- Breach of any obligation of confidence
- Any civil liability to the person to whom the disclosed information relates
Specifically for direct data sharing, there are requirements that restrict when these protections can be gained, but at a high level they will be applicable if:
- Both entities are regulated institutions &
- The data (disclosure) is about a customer or former customer &
- The sharing entity believes sharing the data will, or may, help the receiving entity in its relevant actions & either
- The receiving entity has requested the data & has reason to believe the sharing entity has such data that will help it in its relevant actions
- Or the sharing entity has taken its safeguarding actions and is warning the receiving entity about them
Safeguarding Actions are how the bank is managing its economic crime risks, such that it may decide to:
- Terminate a business relationship with the customer,
- Refuse the customer a product or service, or
- Restrict the customer’s access to elements of a product or service which are available to other customers
Relevant Actions are similar, covering:
- Type and level of due diligence
- Identifying and verifying identities
- Safeguarding actions above, plus declining/refusing a transaction
The GDPR still applies to personal data in all cases.
For indirect instances it is similar to the above, however there are some specific differences:
The sharing entity is in the regulated sector as—
- A deposit-taking body,
- An electronic money institution,
- A payment institution,
- A cryptoasset exchange provider, or
- A custodian wallet provider, or, in some cases, certain POCA-regulated professions
The data (disclosure) is about a customer or former customer.
The sharing entity has:
- Terminated a business relationship with the customer,
- Refused the customer a product or service, or
- Restricted the customer’s access to elements of a product or service which are available to other customers
The sharing entity shares it with a third party (with which it has a contractual agreement), which in turn shares it with other regulated entities, where it will or may help them in their relevant actions.
In both cases this also supports sharing to relevant law enforcement on a similar basis.
In this case all three entities are protected (subject to the restrictions and GDPR).
Why does this matter?
Where financial services firms are allowed to share their suspicions with each other, along with relevant data on suspect transactions, a clearer picture can be put together than would otherwise be the case.
This extra intelligence will help to:
- Reduce false positives, i.e. clear up some suspicions to show a reasonable explanation
- Make it clearer which entities are undertaking illegal activity and should be investigated further
- Provide Financial Intelligence Units (FIUs), the UK's NCA/NFIB and other law enforcement agencies with tangible intelligence for disruption activity
- Improve speed of law enforcement operations and provide a greater chance of asset seizures
Disruption and asset seizures are important as they remove funds from organised criminals and can increase repatriation of funds to victims of fraud and scams.
The UK is not the only country where there is increased focus on data sharing. The EU has proposed some limited fraud data sharing (article 83) as part of its forthcoming Payment Services Regulation (PSR), an update to PSD2, and Brazil has brought in legislation to support similar data sharing that goes live later in the year.
CYBERA was set up to promote data sharing between entities to reduce the impacts of scams on victims and help disrupt cyber criminals. We are, therefore, very pleased with this proposed improvement to data sharing and are looking forward to supporting firms to do this safely and securely.