Case Explained: Data sharing under ECCTA: A potentially powerful but underused tool in the fight against economic crime – Legal Perspective

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced voluntary information sharing provisions designed to encourage AML regulated firms¹ to share customer information with one another for the purposes of preventing, detecting, or investigating economic crime. Economic crime, for these purposes, covers a broad range of offending, including money laundering, terrorist financing, bribery, sanctions evasion, tax evasion, market abuse, and fraud, as well as attempts and conspiracies to commit such offences. 

What the provisions do

To give regulated firms the confidence and ability to share information, the provisions disapply both obligations of confidentiality and civil liability when a firm uses the new information sharing gateways. In practical terms, this means that a regulated firm sharing customer information with another regulated firm under these provisions would have a defence to a breach of confidence claim or other civil action from the customer concerned. 

There are two sharing mechanisms. 

1. The first is a direct sharing gateway, available to all AML regulated firms. Under this mechanism, firms may share information peer-to-peer or via third-party technological platforms.
2. The second is an indirect sharing gateway, available to a more limited set of firms, including deposit-taking bodies, electronic money institutions, payment institutions and cryptoasset providers, as well as large law firms², accountancy firms, insolvency practitioners, auditors and tax advisers. This mechanism operates through a third-party intermediary. 

The provisions are built around two conditions. 

1. The Warning Condition applies where a firm has taken, or would have taken, safeguarding action against a customer due to concerns about economic crime risk. Safeguarding action includes terminating a business relationship, refusing a product or service, or restricting access to a product or service. In practice, this is a proactive gateway: it enables a firm that has offboarded or restricted a customer to warn another regulated firm that may be dealing with the same individual.
2. The Request Condition applies where one regulated firm (the “requesting firm”) believes another regulated firm holds information about one of the requesting firm’s customers that would assist the requesting firm in carrying out relevant actions, such as conducting due diligence, verifying an individual’s identity, or deciding whether to terminate or restrict services.

A firm may use the direct sharing gateway under either condition, but the indirect sharing gateway is available only under the Warning Condition.

It is important to note certain practical parameters. The provisions apply domestically only and do not provide protections in respect of sharing legally privileged information. Existing reporting obligations to law enforcement, such as those relating to money laundering and terrorist financing suspicions, continue to apply. The UK GDPR is not disapplied, and as a matter of best practice, firms should maintain a full audit trail of all information shared.

Underused but straightforward

This is perhaps unsurprising, given the novelty of the framework and a longstanding culture of caution in the regulated sector around sharing customer information, owing to concerns about confidentiality, data protection risk, and potential civil liability. 

For those who have not yet voluntarily opted to share data, the provisions under ECCTA do not provide any particular impetus or incentive to do so. To encourage wider use of these measures and the advantages that they bring (especially in relation to prevention of economic crime and improved safeguards for potential victims), Parliament or relevant authorities and trade bodies may need to consider offering further incentives and/or marketing campaigns. 

In practice, the mechanics of sharing information under these provisions should be relatively straightforward. An AML regulated firm that meets one of the two conditions can share relevant customer information with another AML regulated firm, provided it does so in a proportionate and documented manner. 

In terms of best practice, firms should consider putting a data protection impact assessment in place ahead of any sharing and establish internal processes for managing data sharing under the provisions (such as setting up an information sharing template to make it easier for employees to utilise the information sharing mechanisms). Finding the right contact at a receiving firm should not be treated as a barrier; the MLRO or equivalent at most regulated firms can often be identified through publicly available sources or professional networks. 

The need for champions and the Home Office call for evidence

If the new ECCTA provisions are to fulfil their potential, they will need to be championed actively across the regulated sector. This requires a shift in culture: firms need to move from the traditional approach of caution to one of confident, responsible use of the tools Parliament has provided. This means building awareness internally, training relevant staff, and embedding data sharing under ECCTA into existing financial crime frameworks as a routine capability rather than an exceptional measure.

On 9 March 2026, the Home Office published a call for evidence on economic crime information sharing³, seeking views from across the public and private sectors on how data and information is currently shared for the purposes of detecting, preventing, investigating, or disrupting economic crime. The call for evidence focuses on identifying legal, operational, and cultural barriers to effective data sharing. Notably, the Home Office has acknowledged that, while the ECCTA provisions hold “immense potential” for private-to-private sharing, anecdotal feedback suggests that use of the direct sharing power is only gradually increasing and that use of the indirect sharing power remains low. 

This is a clear signal from Government that it hopes to see more information sharing and is keen to encourage greater levels of engagement with the new provisions. The call for evidence, which is open until 18 May 2026, represents an opportunity for firms to shape the future direction of the regime and to contribute to a more confident, effective approach to data sharing across the regulated sector. We would encourage firms to engage with the consultation process and, in the meantime, to consider how they can start making practical use of the ECCTA data sharing provisions now.