For CIOs and CISOs, economic crime is increasingly a technology problem. Fraud and financial crime campaigns now often resemble coordinated cyber operations: distributed, adaptive and deliberately structured to exploit the gaps between institutions.
The historic constraint has not been capability within firms, but rather visibility across them.
The Economic Crime and Corporate Transparency Act 2023 (ECCTA), and in particular its information-sharing gateway under sections 188–189, aims squarely at that gap.
For security leaders, it introduces something more consequential than mere tinkering: a framework for controlled data exchange between institutions.
With the focus shifting away from the question of whether firms can share information – they can now do so with confidence – the issue becomes how to do so in a way that strengthens detection and integrates with existing security architecture.
From Isolated Signals to Shared Intelligence
Firms typically receive only fragmented signals. A suspicious login, unusual payment behavior or abnormal device use may be explainable in isolation where there’s no all-seeing vantage point. Criminals rely on that fragmentation, distributing activity across multiple institutions so that no single firm has the full picture.
ECCTA enables those fragments to be connected. It allows regulated firms to share customer information where the purpose is preventing, detecting or investigating economic crime. This purpose limitation is important – it confirms this isn’t about open-ended data sharing, but rather provides a targeted mechanism designed to support specific outcomes.
For CIOs, this is an important development. Internal data can now form part of a broader intelligence layer, since information that appears low-risk in isolation may become highly significant when combined with data from another firm.
A Legal Enabler with Architectural Consequences
The gateway provides statutory protection against breaches of confidentiality where sharing is within scope, thereby reducing a major barrier that has historically made firms cautious.
The legislation supports both direct sharing and indirect sharing via third parties, which in turn opens the door to platform-based models and structured data exchange. The impact of this on system design is material.
From a technology perspective, this should drive several priorities:
- Interoperability: Data must be structured and usable across institutions, not buried in narratives or lengthy prose formats
- Speed: Intelligence often has a short shelf life, particularly where preventative action is needed
- Control and audit: Access, permissions and logging must be robust and capable of objective justification
- Integration: Shared data should feed directly into other systems where it may affect decisions on onboarding, retention, customer monitoring or interactions, and/or exit
ECCTA is therefore not just a legal gateway, but a prompt to firms to think about cross-institution data flows as part of core security infrastructure.
Governance and Data Protection
ECCTA operates within, not outside, UK GDPR, so it's important to keep in mind the principles of purpose and proportionality. Data shared must be relevant to a defined economic crime objective.
In practice, firms will need clear criteria for when sharing is appropriate, data minimization to avoid over-disclosure, defined processes for handling and retaining received data, and Data Protection Impact Assessments covering these processes.
Recent clarification around legitimate interests as a lawful basis for crime-related processing is helpful, but governance remains central to maintaining both compliance and trust.
Operational Models
Although often framed as an Anti-Money Laundering (AML) tool, effective use of the gateway is also reliant on technology and security teams. Three models have emerged so far:
- Case-driven exchange, where firms share targeted information linked to specific investigations
- Event-driven alerts, where structured warnings trigger review or intervention by other institutions
- Platform-mediated sharing, where third parties can enable exchange at scale
In each case, CIOs and CISOs are critical to ensuring secure design, resilience and effective integration.
Security Considerations
Expanding data sharing creates a larger and more valuable attack surface, meaning that sensitive information moving between institutions can become a target in its own right.
Key considerations include:
- Encryption (both at rest and in transit)
- Strong authentication and access controls
- Segmentation of shared data environments
- Monitoring of the sharing infrastructure itself
- Robust third-party risk management
There is also a risk of overload. Poorly targeted sharing can generate volume rather than genuine insight, increasing the chance that it overwhelms detection systems. The effectiveness of the gateway will therefore depend on the quality and relevance of the information exchanged.
Towards a Networked Defense Model
Early experience suggests that information sharing can materially improve outcomes. In particular, firms are finding that patterns which were previously invisible become clear when data is combined, enabling earlier intervention and more effective disruption.
For security leaders, the direction is towards a more networked defense model. Instead of operating as islands, firms can contribute to and benefit from shared intelligence across the system.
Many see this as mirroring developments in cyber threat intelligence, where structured information sharing is now an established part of defense strategy. ECCTA introduces a similar dynamic into the financial crime context.
Making it Work
The organizations that will benefit most are those that treat ECCTA as an operational capability, not just a legal option. That means:
- Embedding sharing triggers into detection and investigation workflows
- Developing standardized templates and data formats
- Training relevant teams beyond compliance functions
- Piloting with trusted counterparties before scaling up
The gateway is also UK-specific and sits alongside existing tools such as subject access requests (SARs) and law enforcement powers. It complements rather than replaces them.
A Shift in Mindset
ECCTA does not mandate sharing, but rather enables it, meaning that the real shift is cultural and operational. This new ability to connect signals across institutions may prove to be one of the most important advances in the UK’s response to economic crime.
For CIOs and CISOs, this is an opportunity to rethink how data is used in tackling economic crime, with the focus moving from optimizing internal detection to contributing to a broader intelligence ecosystem.
