Guidance on the information sharing measures in the Economic Crime and Corporate Transparency Act 2023
Published 4 October 2024
Introduction
1. The purpose of this guidance is to support firms regulated for anti-money laundering (AML) purposes under Schedule 9 of the Proceeds of Crime Act 2002 (POCA) in making use of the new information sharing provisions introduced by the Economic Crime and Corporate Transparency (ECCT) Act 2023. These measures came into force on 15 January 2024, which means that firms can now share under the new provisions.
2. The measures have been implemented to give regulated firms greater clarity and confidence when sharing relevant customer information, either directly or indirectly through a third-party intermediary. The new measures are voluntary.
3. This guidance sets out for regulated firms: the policy intent behind the measures; how regulated firms can ensure they are protected by the provisions when sharing directly and indirectly; the conditions for handling shared and received information and for law enforcement reporting; compliance with the UK General Data Protection Regulation (UK GDPR); and how to maintain an effective customer complaints process.
4. Regulated firms, statutory and non-statutory professional body supervisors (PBSs) and trade bodies are advised to consider how the overarching principles in this guidance can be applied to develop a consistent approach to sharing within their wider sectors.
Policy intent
5. Private sector organisations do not need statutory authority to share information; however, under the UK GDPR they do need a lawful basis when sharing personal data.
6. Nevertheless, the government recognised that, before the ECCT Act, AML-regulated firms wishing to share customer information relating to economic crime were concerned that doing so could expose them to liability for a possible breach of confidentiality.
7. To ensure that information is shared in as many circumstances as possible, the government introduced these new information sharing measures, which disapply civil liability for regulated firms (that is, firms with established professional economic crime responsibilities) when they share customer information with one another.
8. By using these measures to share information, regulated firms gain a network view of the economic crime risks associated with their services and platforms. Firms will therefore be better placed to take upstream preventative action and to combat illicit activity.
9. If a broad range of firms across sectors use the measures, regulated firms will have richer sources of information when fulfilling their reporting obligations. This will improve the accuracy of suspicious activity and fraud reports.
Overview of the provisions
Direct and indirect sharing
10. The provisions disapply civil liability for the direct sharing of customer information between all businesses in the AML regulated sector, for the purposes of preventing, detecting and investigating economic crime.
11. The provisions also allow indirect sharing of customer information through a third-party intermediary between businesses in the financial sector (deposit-taking institutions, electronic money institutions and payment institutions), cryptoasset exchange providers and custodian wallet providers, large law firms, large accountancy firms, large insolvency practitioners, large auditors and large tax advisers.
12. In line with the UK's Economic Crime Levy legislation, large firms are defined as those with revenue between £36 million and £1 billion.
13. 'Economic crime' here includes money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse and fraud. It also includes inchoate offences such as attempt or conspiracy.
14. In practice, the direct sharing provisions enable regulated firms to share customer information with one another on a peer-to-peer basis with civil liability disapplied. Regulated firms may choose to do this through direct communication or through a technical platform or mechanism designed by a third party.
15. Regulated firms who are also in scope of the indirect sharing provisions can share both on a peer-to-peer basis and through a third-party intermediary. Third-party intermediaries may include existing or new sector specific and cross sector economic crime consortia. These intermediary organisations may be able to provide analysis on the customer information being shared, to provide regulated firms with enriched data sources.
16. The types of regulated firms that can share indirectly through a third-party intermediary are a smaller sub-set of the wider regulated sector. This will avoid an additional burden on other regulated businesses that would be unable to take on this potential cost and additional data protection responsibilities.
17. The government encourages the use of both direct and indirect sharing under the new provisions to prevent, investigate and detect economic crime.
Request and warning conditions
18. Regulated firms must ensure that they abide by the request or warning conditions when using these new measures to share customer information. The request and warning conditions apply independently for firms wanting to share directly.
19. Under the warning condition, it is a requirement that the firm sharing customer information to another AML regulated firm has decided to take safeguarding action against the customer or would have done so had the customer remained onboarded.
20. Safeguarding action means terminating a business relationship with the customer, refusing the customer a product or service, or restricting the customer’s access to elements of a product or service made available to other customers. A business relationship in this context means one that arises out of the firm’s business and is expected to have an element of duration.
21. Under the request condition, one firm can request customer information from another firm on the basis that they believe that the organisation sharing holds information, relating to a customer, that will or may assist the requesting firm in carrying out relevant actions.
22. Relevant actions refer to a firm deciding whether it is appropriate to apply due diligence, undertaking effective measures for verifying the identity of the customer or determining whether it is appropriate to terminate an existing business relationship with a customer. This list is non-exhaustive, and a full list of relevant actions is set out in section 191(a) to (c) of the act.
23. The warning and request conditions involve requirements relating to both the sending and receiving firms, and it is not the case that the warning condition only relates to the sender and the request condition only relates to the receiver.
24. In practical terms, the warning condition involves a firm sharing information with another firm about a customer without having been prompted by that other firm. The request condition concerns a firm providing information, in response to a specific request from another firm about a customer.
25. Firms are likely to use the request condition to ask for information from another firm, that they believe will assist them with identifying the risk of a former or existing customer committing or having committed an economic crime offence while using their service.
26. The request condition is only available for direct sharing, unlike the warning condition which applies to both direct and indirect sharing. The request condition may be used for example, when a firm has a lack of information on a customer (for example, they have a dormant account with a provider), so they might reach out to another firm involved in a transaction to request further information to decide the extent of due diligence to undertake.
27. It is important to note that when firms use the measures to share indirectly, through a third-party intermediary, they should only be relying on the warning condition to receive the protections and not the request condition.
28. In practice, this would mean that applicable firms would only be able to upload customer information on an individual onto a third party sharing database, if they had decided to take safeguarding action.
29. It would be an inappropriate use of the request condition for one firm to request to gain information on a customer from multiple other firms, purely on the basis that they all upload information onto a third party database. Where firms do use the request condition, they are advised to do this specifically through direct sharing.
30. The warning condition is an important safeguard to the legislation that will ensure that information is not shared for inappropriate reasons under the measures. Any disclosure of customer information for purposes other than those specified in the act would not receive civil liability protections under the measures.
Additional handling conditions
31. Section 188 of the act notes that the protections on civil liability are applied to regulated firms who are sending and receiving information about current or past customers when the firms are carrying on business in the regulated sector.
32. Information may be shared by a firm on multiple occasions with different regulated firms, independently of one another, provided they meet the conditions of the legislation.
33. These new measures are domestic in their application. In practice, this means that the disapplication of civil liability in the legislation is limited to UK-based information sharing, and this would not apply to sharing outside of this jurisdiction.
34. Regulated firms are therefore advised to include strict handling conditions on information when it is being shared either directly or indirectly under the new measures.
Practical considerations for regulated firms
Sector-led approach
35. The Public Private Steering Group which brings together key economic crime representatives from law enforcement, government and the private sector agreed that for industry to utilise these new measures, there would need to be a sector led approach supported by overarching government guidance.
36. Given this, the Home Office encourages statutory and non-statutory PBSs and trade bodies to use this overarching guidance to publish their own sector specific advice to reflect the nuances in different sectors’ business models. The Home Office will work with statutory and non-statutory PBSs and trade bodies to assist them with this.
Technical mechanisms for sharing
37. The government is not specifying which technological solutions are most appropriate to enact these measures for both direct and indirect sharing.
38. Where regulated firms wish to procure third party platforms or products to enable direct or indirect sharing, it is strongly advised that they choose services that have clear security protocols, transparent governance arrangements and compliance with the UK GDPR.
39. Regulated firms with significant technological capability may use more advanced mechanisms for direct sharing, including for example application programming interfaces (APIs). The government encourages the use of APIs for private-to-private sharing, in line with the UK GDPR, to increase efficiencies across the system.
40. Regulated firms may want to undertake pilot exercises, with support from statutory and non-statutory PBSs and trade bodies, when using new technology for direct and indirect sharing. This will assist businesses in understanding the risks and benefits of these mechanisms before possibly expanding their use.
41. Statutory and non-statutory PBSs, trade bodies and individual regulated firms may also want to develop single point of contact (SPOC) lists within and across sectors, where these do not already exist.
42. These SPOC lists serve two key purposes. The first is to give regulated firms assurance that information is being shared with the correct recipients. The second is that they will list the regulated firms willing to engage in the use of the provisions, given that the provisions are voluntary. It remains an individual firm's responsibility to verify that the organisation it is sharing information with is legitimate.
43. In all cases, regulated firms will need to ensure that they share any information securely. The ICO provides guidance on information security that businesses may find helpful. [footnote 1]
Cross-sector sharing
44. Economic crime actors will often undertake their illicit activities across industries. The government therefore supports cross-sector sharing under these new measures, including via direct and indirect sharing mechanisms.
45. Statutory and non-statutory PBSs, trade bodies and regulated firms in different sectors are advised to work together to understand the touch points for information sharing to occur between industries. Regulated firms are also advised to ensure typologies of economic crime on customer behaviour are aligned, where possible, when sharing between sectors.
46. The act includes a power for the Secretary of State to amend the economic crime offences covered by the measures, so that law enforcement and businesses can be responsive to future changes in the patterns of economic crime.
Law enforcement reporting, UK GDPR compliance and customer redress
Law enforcement reporting
47. Regulated firms should be mindful of their obligations to report knowledge or suspicion of money laundering and/or terrorist financing to the National Crime Agency (NCA) through Suspicious Activity Reports (SARs) under POCA. They should also consider appropriate fraud referrals to Action Fraud and other relevant agencies, when using the new measures.
48. Where regulated firms choose to share customer information after submitting a SAR, they will need to make sure that they do not indicate this to the receiving organisation.
49. However, firms are advised to share information on submitting SARs when they are undertaking a joint disclosure report, often referred to as a ‘Super SAR’, as set out in section 339ZB of POCA and section 21CA of the Terrorism Act 2000.
50. Where firms do share information under the Super SAR measures to produce a joint disclosure report, the report must contain a declaration of approval by the nominated officers of those entities that agree to be part of the joint disclosure report (with nominated officer name and contact details). Further details for firms on submitting a joint disclosure report under this legislation can be found in this Home Office Circular. [footnote 2]
51. The government is advocating for regulated firms to share information under the new measures in line with reporting obligations and their own risk-based approach. Further information on maintaining the confidentiality and sensitivity of SARs can be found in the Home Office Circular.
52. Regulated firms in the financial sector currently share sensitive information such as SARs with the Financial Ombudsman Service (FOS) under the Joint Money Laundering Steering Group Guidance (JMLSG). Firms are encouraged to continue sharing this information with the FOS where appropriate, while using these new provisions.
UK GDPR compliance
53. Customer information will differ across regulated firms and will in most cases contain personally identifiable data, which will need to be treated with significant care. If a regulated firm were to share such data for commercial purposes, it could be subject to enforcement action by the Information Commissioner's Office (ICO).
54. Businesses would benefit from undertaking regular assurance reviews and risk assessments before and after sharing mechanisms have gone live.
55. This is to ensure that the customer information being shared meets the warning and request conditions in the legislation and adheres to the UK GDPR, which requires that information collected for a specified purpose is not processed for other purposes.
56. Under the UK GDPR, an organisation can use personal information for a new purpose, only if that purpose is compatible with the original specified purpose or in other limited circumstances.
57. Information must also be accurate, as well as adequate, relevant, and limited to what is necessary [footnote 3]. The ICO's data sharing code helps businesses share data in a fair, safe and transparent way [footnote 4].
58. The Data Protection and Digital Information Bill (DPDI) aims to amend the UK GDPR to establish the prevention of fraud as a legitimate interest for sharing information. Regulated firms are advised to consider this legislation when using these new measures.
Customer redress
59. Both receiving and sending regulated firms are encouraged to keep an audit trail of all information shared for assurance purposes and to record key decision points. The maintenance of these records will help regulated firms and (in the financial sector) the FOS, to assist customers with possible complaints and redress.
60. Where appropriate, regulated firms who receive information being shared will need to make it clear that they are the appropriate entity to complain to, to avoid the customer having to make several complaints to several businesses.
61. Regulated firms are advised to clearly signpost their internal process for complaints and treat the consumer appropriately during their complaint journey, when using these new measures.
62. These new measures are not intended to give industry additional powers to inappropriately exclude customers. Regulated firms should use them to assist in making risk-based decisions.