September 15 • 2023

Economic Crime and Corporate Transparency Bill – Improved Regulatory Data Sharing in the UK 

Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.

The UK is clearly on a roll in terms of new legislation to tackle economic crime, whether fraud and scams, terrorist financing or money laundering. Another new bill, the Economic Crime and Corporate Transparency Bill, which is aimed at helping reduce economic crimes, i.e., fraud and money laundering, is passing through the legislative process now.

Whilst there is already some data sharing between banks in the UK, mainly on the fraud side, the same is not the case for money laundering (AML), where sharing data is more difficult. Financial institutions have been calling out for new legislation that would support them in sharing more data and intelligence as part of their efforts to help detect and prevent fraud and money laundering. This should be set to change with the Economic Crime and Corporate Transparency Bill.

Whilst GDPR and other UK laws do support sharing for the detection and prevention of financial crime, it is unclear how, in practice, financial services firms would avoid opening themselves up to liability for breach of confidentiality if a customer sued them.

Privacy policies and terms & conditions mean customers do give permission for some sharing, but usually where a fact can be shared, such as the use of forged documents or fraudulently misrepresenting information, for example an inflated income. However, this doesn’t really hold for ‘suspicions’ in AML.

This is because it is hard to prove money laundering in most cases. Often with fraud it is much clearer that something has happened and sharing facts is less of an issue. 

What is proposed in the new bill? 

There are a number of elements to the bill, but here I’ll focus on the data sharing elements. At a high level it allows two key areas: 

The bill then provides regulated institutions with protections from:

Specifically for direct data sharing, there are requirements that restrict when these protections can be gained, but at a high level they will be applicable if:

Safeguarding Actions are how the bank is managing its economic crime risks, such that it may decide to:

  1. Terminate a business relationship with the customer,  
  1. Refuse the customer a product or service, or  
  1. Restrict the customer’s access to elements of a product or service which are available to other customers 

Relevant Actions are similar, covering:

The GDPR still applies to personal data in all cases. 

For indirect instances it is similar to the above; however, there are some specific differences:

The sharing entity is in the regulated sector as—

  1. A deposit-taking body,  
  1. An electronic money institution,  
  1. A payment institution,  
  1. A cryptoasset exchange provider, or  
  1. A custodian wallet provider, or with certain POCA-regulated professions in some cases

The data (disclosure) is about a customer or former customer.

The sharing entity has: 

The sharing entity shares it with a third party (with which it has a contractual agreement), which in turn shares it with other regulated entities, and it will or may help them in their relevant actions.

In both cases this also supports sharing to relevant law enforcement on a similar basis. 

In this case all three entities are protected (subject to the restrictions and GDPR).  

Why does this matter? 

Where financial services firms are allowed to share their suspicions with each other, along with relevant data on suspect transactions, a clearer picture can be put together than would otherwise be the case. 

  

This extra intelligence will help to: 

  

Disruption and asset seizures are important as they remove funds from organised criminals and can increase repatriation of funds to victims of fraud and scams.  

The UK is not the only country where there is increased focus on data sharing. The EU has proposed some limited fraud data sharing (article 83) as part of its forthcoming Payment Services Regulation (PSR), an update to PSD2, and Brazil has brought in legislation to support similar data sharing that goes live later in the year.

CYBERA was set up to promote data sharing between entities to reduce the impacts of scams on victims and help disrupt cyber criminals. We are, therefore, very pleased with this proposed improvement to data sharing and looking forward to supporting firms to do this safely and securely.