The Economic Crime and Corporate Transparency Act 2023 (ECCTA) has gradually introduced some of the most significant changes to the UK financial crime landscape in decades.
With many aware of the significant expansions to corporate criminal liability (we have published extensive resources on these changes), a key change fewer may have noticed will be the provisions relating to extended customer information sharing (sections 188 and 189, ECCTA). These changes, known as the ‘information sharing provisions’, came into force in January 2024 and apply to anti-money laundering (AML) regulated firms.
- The information sharing provisions allow AML-regulated firms to share customer information (directly with each other, or via a third-party intermediary) for the purpose of preventing, detecting, or investigating economic crime.
- Simultaneously, they remove certain legal risks (e.g. confidentiality/civil liability) that previously impeded information sharing.
On 3 October 2025, the Home Office, HM Treasury, the Ministry of Justice, Companies House, the Serious Fraud Office and the Department for Business and Trade published updated joint guidance on the new measures to guide AML-regulated firms in using the new information-sharing provisions.
Key takeaways from the guidance
- Use of the measures is voluntary: firms do not have to share information, but can choose to do so with minimised risk.
- The protections do not override GDPR: firms must still comply with data protection requirements (lawful basis, purpose limitation, data minimisation, etc.)
- The measures only apply to UK-based information sharing: they do not extend confidentiality/liability disapplication for overseas disclosures.
- Most AML-regulated firms (within schedule 9 of the Proceeds of Crime Act 2002) can share with each other directly (peer-to-peer) under the measures.
- Only a narrower subset of firms (e.g. large or very large law firms, accountancy firms, insolvency practitioners, etc.) may share via a third-party intermediary.
- To gain legal protection, firms must satisfy certain conditions:
- Warning condition: the firm sharing information must have decided to take safeguarding action against the customer (e.g. terminating the relationship, restricting services) because of concerns regarding economic crime risk.
- Request condition: the requesting firm must believe that the responding firm holds information relating to the requesting firm’s customer. Additionally, they must believe the disclosure of that information will or may assist the requesting firm in carrying out relevant actions (contained in section 191 of ECCTA: actions taken for the purposes of preventing, detecting, investigating economic crime).
What actions can regulated firms take?
- Maintain logs/audit trails of what was shared, with whom, under what decision and condition.
- Firms should set up internal governance controls (e.g. consider a single point of contact to verify that recipient firms are legitimate AML-regulated firms, and information is being shared with the correct recipients.
- Risk assessments: Firms should assess the risks (data protection, reputational, misuse) and carry out periodic reviews of the information sharing processes.
- Cross-sector sharing: Economic crime actors will often undertake their activities across industries. The guidance openly supports and encourages cross-sector sharing, with regulated firms encouraged to work together to understand similarities in typologies between industries.
- There is no prescribed or recommended technology, although the guidance acknowledges that this should be considered. Firms may use secure platforms or bespoke sharing/storage systems, but must ensure strong security, governance arrangements, and act in compliance with GDPR.
- Suspicious Activity Reporting: If a SAR has been filed before information sharing, firms must be extra careful to ensure they do not inadvertently tip off or prejudice investigations.
How can we help?
Our Business Crime and Investigations team comprises former Serious Fraud Office investigators and prosecutors. They use their significant experience in law enforcement and in private practice to inform the advice they provide to corporates and directors. Our team can help you navigate the complex corporate and financial crime landscape, future-proof your business, and mitigate against both corporate and personal liability risk through effective compliance.
We have particular expertise in AML and Suspicious Activity Reports, as well as in assisting businesses in their economic crime risk assessment exercises and ensuring robust compliance across the board.
