UK Government’s statement on cross-border information-sharing

We take a look at some of the practical considerations following the UK Government’s statement on cross-border information-sharing within corporate groups.

09 July 2020

Compliance data sharing is an area of continuing focus for the UK Government, which published its Government statement on cross-border information-sharing within corporate groups in May 2020. In keeping with Reg 20(5) of the Money Laundering Regulations 2017, which requires parent companies or entities to "ensure that information relevant to the prevention of [money laundering and terrorist financing (ML/TF)] is shared as appropriate between members of its group", the Government's statement stresses that "[i]nformation-sharing on a group-wide basis is a useful tool to prevent, recognise, investigate and report specific cases of ML/TF" but that this needs to be done consistently and in compliance with local law requirements. The statement also endorsed the Financial Action Task Force's (FATF) 2017 guidance on private sector information-sharing (the FATF Guidance). A financial or corporate group means a parent entity and all of its branches and majority owned subsidiaries, over which the parent exercises control[1]. With this in mind, the Government's statement extends to standards applied to entities both in the UK and abroad, as long as they are consistent with local laws.

The Government's stated purpose for intra-group information-sharing is very much in line with the purposes set out in the FATF Guidance (summarised below). Information-sharing helps regulated entities to carry out customer due diligence and to identify and report suspicious activities, which may involve a number of a financial group's entities across multiple jurisdictions. Information-sharing may also extend "to the fact of a [suspicious activity report (SAR)] having been filed, and a SAR itself, as permitted for credit and financial institutions by Section 333B of the Proceeds of Crime Act." However, information-sharing should not delay the filing of any SAR which may be required. Where a particular country's laws place restrictions on disclosures relating to SARs to another entity in a foreign jurisdiction, local laws in the country where the SAR is filed/contemplated must be observed. This may mean that the entity receiving the information may be limited in how it can use or further disclose that information.

The FATF Guidance intends the following outcomes from intra-group information-sharing:

  • Global risk assessment: financial institutions should carry out risk assessments on each group entity to identify the ML/TF risk arising from customers, products, geographical profile, operations or transaction types.

  • Effective mitigation of customer, product, services and geographical risk: identifying specific risks and how they manifest could help groups devise enhanced due diligence procedures.

  • Consistent application of controls: if the home country of a parent entity requires stricter standards than a subsidiary's or branch's host country, the latter should ensure that they meet the home country's standards, as a minimum. If this is not the case, regulators are encouraged to implement supervisory measures until remedial action is taken by relevant financial groups.

  • Common approach by financial conglomerates having multiple businesses: even where financial groups carry out multiple businesses, such as banking, insurance and securities, they should be in a position to share information effectively about customers and clients. "While some adjustments may be needed due to different AML/CFT requirements for each sector, sharing of information would enable a comprehensive risk management approach on a consolidated basis."[2]

The FATF Guidance also emphasises the importance of information-sharing outside of corporate groups, with reference to relationships between correspondent banks, wire or money transfer services, third party reliance and regulatory supervision. The Criminal Finances Act 2017 introduced new provisions into the Proceeds of Crime Act 2002 and Terrorism Act 2000 to facilitate the voluntary sharing of information between different institutions within the regulated sector[3]. Such sharing may be instigated by a regulated institution or by the National Crime Agency and is intended in circumstances where there is a suspicion that a person is engaged in ML/TF. These provisions acknowledge the broader point that external information-sharing is critical to the health of compliance functions across organisations and helps strengthen markets generally.

The Government's statement of course reiterates that personal data from the UK should only be shared in a way that is consistent with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The transfer of personal data from one organisation (to which the GDPR applies) to another (to which the GDPR does not apply), even within the same financial group, is a restricted transfer. Restricted transfers may only be made in specific circumstances:

  • Adequacy decision: the EU Commission has made, and continues to make, decisions as to whether the legal frameworks protecting personal data in non-GDPR countries are adequate. If so, a restricted transfer may be made to that country, as long as the rest of GDPR is complied with.

  • Appropriate safeguards: if there is no adequacy decision, then there should be appropriate safeguards in place, as listed in GDPR. These include (but are not limited to) (i) a legally binding and enforceable instrument between two public bodies, (ii) binding corporate rules, which take the form of internal codes of conduct operating within multinational groups and which apply to restricted transfers of personal data from the group's EEA entities to non-EEA group entities, and (iii) standard/model data protection clauses adopted by the EU Commission between the data exporter and importer, each of which must protect personal data to the standard required by GDPR.

  • Exception: if neither of the above applies, Article 49 GDPR sets out eight specific exceptions to the rule against restricted transfers, which include (i) consent from the concerned individual and (ii) where the restricted transfer is a one-off and is in the data exporter's compelling legitimate interests.

The Government guidance refers readers to the Information Commissioner's Office guidance on international transfers for further detail.


1 The FATF Guidance, paragraphs 25 and 27.
2 The FATF Guidance, paragraph 40.
3 Proceeds of Crime Act 2002, sections 339ZB – 339ZG; Terrorism Act 2000, sections 21CA – 21CF.
