Information sharing in the regulated sector: reducing or increasing risk?

On 4 October 2024, the Government issued Guidance on the information sharing provisions in s.188 of the Economic Crime and Corporate Transparency Act 2023 ("ECCTA"). The purpose of s.188 is to, "disapply civil liability for direct sharing of customer information, for the purposes of investigating, detecting, and preventing economic crime, between all businesses in the anti-money laundering regulated sector."

Civil liability to the customer, for example, for breach of contract, is disapplied when information is shared on the terms set out by section 188. In addition, the FCA has "strongly encouraged" firms to "participate in information sharing initiatives".

Despite this clear steer from the regulator, and the Guidance issued on 4 October 2024 on the provision (the "Guidance"), risks remain for regulated firms seeking to use s.188 for its intended purpose.

This note identifies some of the risks that will need to be considered when a firm is considering relying on s.188 to share information in an economic crime context.

Civil liability to the customer

Section 188(2) disapplies civil liability in a specified and narrow way:

(2) The protections are that, subject to subsection (11), the disclosure does not —

a) give rise to a breach of any obligation of confidence owed by A, or

b) give rise to any civil liability, on the part of A, to the person to whom the disclosed information relates.

Section 118(2)(b) is not a general release from liability, but a protection from civil liability to the person to whom the disclosed information relates – typically the customer.

How the protection operates

There are several elements or hurdles in s.188 that must be met or satisfied, before a firm can be satisfied that s.188 is engaged, and the specified protection from civil liability engaged.

In the following we will refer to the entity sharing information as "A", and the entity receiving information as "B".

• Both A and B must carry on businesses in the regulated sector. A must also be able to identify B.
• The information must relate to a customer or former customer of A.
• Either the 'Request' or 'Warning' Condition must be met:
   
  
  • Request Condition: this is where B explicitly requests the information from A, and at the time the request is made, B must have reason to believe that A holds information relating to the customer, disclosure of which will or may assist B in carrying out B's Relevant Actions; (defined below) or
  • Warning Condition: this is where A has taken 'Safeguarding Action' (defined to include terminating a business relationship) against the customer (or would have done so if the customer remained a customer of A) due to concerns regarding potential economic crime and seeks to voluntarily warn B about the customer.
• A must be satisfied that the disclosure will or may assist B in carrying out B's Relevant Actions, and it must not be a disclosure of legally privileged information.

What can be shared?

Customer information is not defined in s.188 (or elsewhere in ECCTA). Section 188 says only that the information that can be shared, "will or may assist B in carrying out relevant actions of B".

"Relevant actions" is defined in s.191 with reference to a firm's decision making in relation to the nature and extent of customer due diligence and the termination or restriction of business relationships.

The Guidance does not go further in indicating the categories or types of information that can or might be shared under s.188.

The intention in remaining silent on this question was likely to avoid creating a closed list, which might restrict information sharing. However, without a definition or steer, firms are left to determine what information will be appropriate to share or request, with a mind to obligations under data privacy and competition law.

Data Privacy

Section 188(11) is clear that the protection from liability does obviate a firm's UK GDPR obligations. The October 2024 Guidance states that, "when sharing personal data, [Firms] do need a lawful basis for this under UK GDPR."

Lawful basis for sharing under s.188 might be "legitimate interest". This basis must apply in addition to the "preventing and detecting unlawful acts" condition, where the data relates to criminal offences. However, this hurdle will need to be crossed and an assessment made that the lawful basis has been considered and determined. An appropriate policy document should also be maintained. Data privacy principles, including accuracy, data minimisation and security, continue to apply. A firm must not process (here, disclose) any more personal data than is strictly necessary for the discharge of the relevant lawful purpose. A firm must also ensure that the transmission of personal data is secure.

Looking ahead, the Guidance notes that, "the Data Protection and Digital Information Bill ("DPDI") will aim to amend the UK GDPR to establish the prevention of fraud as a legitimate interest for sharing information. Regulated firms are advised to consider this legislation, in line with using these new measures." The DPDI has just been superseded by a new Data Use and Access Bill, which if enacted would designate the detection, prevention or investigation of crime as a recognised legitimate interest, in a similar way to the DPDI.

Criminal law

Section 188 disapplies civil but not criminal liabilities. It follows that the risk of "tipping off" (s.333A POCA) might still be engaged.

The Guidance reiterates this: "Where regulated firms choose to share customer information after submitting a SAR, they will need to make sure that they do not indicate this [the fact that a SAR has been made] to the receiving organisation."

An exchange of information or dialogue commenced on one footing, and for one purpose, can all to easily evolve outside of its initial purpose. Rigor must be applied to ensure that any exchange does not stray into territory for which s.188 offers no protection.

Competition law

The protection from civil liability in s.188(2) relates to liability to the customer. It is not a release from civil or regulatory liabilities.

Competition authorities tend to view any interaction between (actual or potential) competitors – in particular, exchanges of competitively information (e.g. non-public current/future price, volumes, production cost, sales, capacity, marketing/business plans, customers, terms and conditions, technologies, innovations, etc.) ("CSI"). The main concern is that such exchanges of CSI can be used to the strategic commercial advantage of either competitor, increase transparency, lessen competition and potentially lead to coordination in the relevant market.

However, not all exchanges of information between competitors will necessarily give rise to a competition risk if there is a pro-competitive justification for the exchange. For instance, where the s.188 dialogue is used for legitimate information exchange to better understand and determine at a high level if any customers present economic crime threats, this should be defensible from a competition law perspective – and especially if the safeguards indicated below are in place. Whereas were a s.188 dialogue used as a guise for an anticompetitive purpose, namely for competitors to collectively refuse to supply a customer without objective justification, this would give rise to increased risk. Each situation needs to be assessed on a case-by-case basis.

In respect of any s.188 dialogue involving competitors, it would be prudent to put in place the following steps to mitigate against any competition risk:

• Any oral conversation must be planned in advance, with an agenda, involve a limited group of individuals and kept strictly within the parameters envisioned by s.188.
• To the extent possible, parties should keep discussions general as to the creditworthiness of any particular customer or potential economic crime threat risk a customer poses. More detailed and specific conversations about particular customers (e.g. current/future credit terms), will be more risky.
• Should discussions stray beyond what is permitted/required for any s.188 dialogue, you should withdraw immediately and request that any departure is reflected in the minutes of any such discussion and submit any minutes to the Legal Team. A good note should be taken and stored always of the s.188 dialogue explicitly indicating the purpose of the conversation and pro-competitive nature of such discussion (i.e. to identify any potential economic crime threats).
• Questions or discussion as to actions or strategies that will be taken vis-à-vis any specific individual customer(s) should be avoided.
• Anyone within an organisation who might be involved in a dialogue of this nature should be aware of these principles and reminded before they attend any such discussions of their AML and competition law responsibilities. It may be worth considering adding them to your AML/competition law compliance policy.

Consumer duty and customer redress

The growing body of consumer rights, including the right to a basic bank account and rights under the consumer duty, are not disapplied by s.188 and must be borne in mind by firms utilising s.188. Complaints to regulators and the Financial Ombudsman (the FOS) remain possible, even where a firm has placed reliance on s.188.

The Guidance encourages "both receiving and sending regulated firms … to keep an audit trail of all information shared for assurance purposes and to record key decision points. The maintenance of these records will help regulated firms and (in the financial sector) the FOS, to assist customers with possible complaints and redress."

Conclusions

Section 188 is a potentially valuable tool in the effort to combat economic crime. It is clear the FCA will expect to see firms at least considering using it. However, the provision is not a blanket disapplication of legal risk. Care must be taken before reliance is placed on s.188 to engage in the sort of information sharing that the provision is intended to promote.