The Department for Business and Trade has published guidance on the information sharing measures under the ECCTA 2023 for use by AML regulated firms. The guidance aims to help firms ensure that when they share information they are protected by the ECCTA and will not commit breaches of confidentiality. The guidance has been developed so that some of it applies only to large firms to avoid a disproportionate regulatory burden on smaller ones.
The key guidance is that firms must ensure they abide by the “request or warning” conditions when sharing information.
- the warning condition means the firm sharing information must have decided to take safeguarding action against the customer (that is terminating, suspending or refusing a product or service), or would have done so had the customer remained onboarded;
- the request condition means that the requesting firm must believe the organisation it asks to share hols information that will or may assist the requester in carrying out relevant actions such as deciding whether it is appropriate to apply certain diligence measures or terminate a relationship.
Different requirements will apply if firms share information indirectly through a third party sharing database.
Additional guidance relates to GDPR compliance and ensuring that where firms share information after making a SAR they do not disclose the fact of the SAR. Finally, the guidance notes that firms must make it clear who a customer can complain to, and treat the customer appropriately throughout their complaint journey.