Understanding a customer’s ownership structure and identifying their Ultimate Beneficial Owner (UBO) has long been one of the pillars to preventing money laundering and terrorist financing globally. The consequences of poor governance, controls and practices in this area were highlighted in several examples over recent years 1, resulting in large scale investigations, fines, loss of license and criminal prosecutions for the firms involved in facilitating criminal activities. Yet despite efforts around the globe to enhance transparency of UBOs, several challenges remain for firms in managing their risks including the adequacy of public registers and ensuring compliance with identification and verification of UBOs requirements.
Reliability challenges of UBO Registers
To increase the transparency of beneficial ownership, the European Union’s (EU) Fourth Anti-Money Laundering Directive (MLD4) introduced an obligation on EU member states to create central registers of beneficial owners. Many countries outside of the EU have also implemented a central register in order to demonstrate commitment to the Financial Action Task Force (FATF) Recommendations 2012 for International Standards Combatting Money-Laundering and the Financing of Terrorism and Proliferation. Whist it is clear that this increase in transparency can alleviate some of the challenges financial institutions face in their attempts to identify the UBOs, the reliability of these public registers and the information stored on them is yet to be determined.
In October 2019, the FATF published a report Best Practices on Beneficial Ownership for Legal Persons which analyzed common weaknesses and challenges associated with the implementation of UBO registers across several countries. This report also highlighted that at the time of publication, only 11 out 25 countries achieved a ‘Largely Compliant’ rating against the ‘Transparency and beneficial ownership of legal persons’ requirement. The report also set out some challenges related to the reliability of UBO registers, including that:
- The registry acts only as a depository of documents, rather than verifying and monitoring submitted information;
- The registry’s performance may not be supervised;
- There may be no cross-checking with other sources (e.g. tax identification); or
- The registry may only hold information on immediate ownership, rather than ultimate.
Varying Country Approaches to Beneficial Ownership Transparency
Below we provide some examples showing the differences in company and UBO registers across several countries. These variances in approach may affect the extent to which financial institutions can rely on the registers when conducting Know Your Customer (KYC) due diligence on its customers:
- Company Information Discrepancies in the United Kingdom
In May 2019, the international non-governmental organization Global Witness published a report highlighting risks of accidental or deliberate misuse of filing exemptions, companies potentially controlled by nominees, and companies naming another foreign company as their ultimate owner which was unlikely to be listed on a stock exchange. This emphasized the need for stronger measures in validating the information on the Companies House register. From January 2020, all obliged entities, as defined in the applicable regulations, must report discrepancies in their beneficial ownership to Companies House. Given the findings by Global Witness, firms should exercise caution in relying on the Companies House register for purposes other than validating if a customer is duly registered. The money laundering regulations prohibit the use of a UBO register as a sole source of UBO verification.
- UBO Database Cross-checks Applied in Belgium, Denmark, Austria, the Netherlands and Hong Kong
These registers automatically cross-check the information on individuals, including the UBO, against other national databases, including the address registers and the national identification registers, using the individual’s name, address and date of birth. This additional control gives certainty that the individuals listed on the registers are real persons. In Hong Kong the information provided to the Companies Registry are subject to checking and verification, including regular site inspections to check if significant controllers’ registers are properly kept. The information is checked against other available sources on a risk-based approach.
- UBO Verification Conducted During Company Incorporation Process in Denmark, Italy, Israel, Guernsey and Japan
In these countries, most applications to form a company are accepted from notaries, lawyers, auditors or banks, subject to AML obligations. This ensures that the due diligence, including identification and verification of the UBO, has been completed prior to registration of a company. This approach can provide some level of assurance over the accuracy of information for newly incorporated companies. However, the longer the time from application to incorporation presents more risk for firms in relying on the initial accuracy. In Guernsey, only licensed trust and corporate service providers who are subject to full AML/CFT and prudential supervision by the Guernsey Financial Services Commission can incorporate legal persons and are required to identify and verify the beneficial owners of all structures for who they act.
- ‘Red Flag’ Functionality in Austria and Sweden
These registers use a ‘red flag’ system to indicate that a discrepancy report on the UBO was filed by a financial institution or that the register itself has reasons to believe that the information is not correct. This could help firms identify potentially higher-risk customers, apply targeted enhanced due diligence (EDD) measures and increases operational efficiency of the process.
- Denmark and Austria Apply Additional Vetting Checks for UBOs Based or Residing Foreign Jurisdictions
Registers in these countries employ enhanced measures for beneficial owners based or residing in foreign jurisdictions, whereby they may request additional documents (e.g. copies of passports) or inspect a company to validate the information provided to the register. Whilst such practice can certainly enhance the accuracy of filings, the user of the register will not know which entries were subject to the enhanced measures, hence some risk for firms in relying on these registers remain.
- Verification of UBO Records in Jersey
The Companies Registry vets UBO records against sanctions lists, regulatory decisions and adverse media, using various sources including commercial databases, internal intelligence/enforcement database and open source internet searches. Similar to the example above and unlike the ‘red flag’ practices of Austria and Sweden, users of the Jersey register have no access to the outcomes of the vetting, which reduces its use for due diligence purposes.
Managing Risks Related to Reliance on UBO Registers
To assist firms with managing the risks of relying on company and UBO registers, we set out below five areas of good practice:
- Assessment of jurisdiction risk when dealing with corporate customers, firms should consider the level of transparency of beneficial ownership and effectiveness of UBO registers in the jurisdiction of incorporation. For companies incorporated in countries with a high level of secrecy (e.g. as identified in the Financial Secrecy Index) or low level of compliance with FATF Recommendation 24, firms should apply more extensive EDD measures to examine company formation documents, ownership structures and UBO information. This will provide a more effective framework for identifying risks and focusing due diligence processes on the areas of the highest risk.
- Identification and verification of the UBO should not rely exclusively on the information in the UBO register. Regulation 28.9 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the MLD4 (Art. 30.8) prohibit such reliance. On a risk-based approach, firms should use a variety of sources to validate ownership structure and ultimate ownership; for example, for high-risk customers firms should examine formation documents, filing history, ownership changes and share registers. Similarly, for high-risk customers firms should employ more extensive requirements to verify the identity of the UBOs; for example, by requiring a face to face meeting, additional evidence confirming name, address, date of birth, or even establishing source of wealth and its plausibility. Firms should also consider their obligations under Regulation 30A of the MLR 2017 and report any discrepancies in beneficial ownership it discovers during the due diligence process.
- Record keeping procedures should ensure that where there are difficulties in identifying the UBO(s), firms can adequately demonstrate that their actions taken exhausted all possible means. Firms should also demonstrate that any additional actions taken, for example verifying the identity of the senior person responsible for managing the corporate customer, are sufficient to manage the risks relevant to the relationship. Where the risks are too high according to the firm’s risk appetite statement, the firm should not enter into a business relationship with the customer.
- Ongoing due diligence and monitoring of business relationships should consider changes in ownership. Continuous monitoring of changes made to the company and UBO registers, examining financial statements or (where available) subscription to alerts from a UBO register will enhance a firm’s ability to detect ownership changes, keep KYC information up to date and respond to any increases in the risk of a relationship.
- Training should be provided to employees responsible for completing due diligence, including compliance staff and relationship managers. This will enable employees to understand the transparency and limitations of the UBO registers and apply additional due diligence measures where appropriate, reducing the money laundering risks to the firm.
How We Can Help
Duff & Phelps’ global team of experts advises on the full range of financial crime issues including AML, CFT and sanctions. Our work has enabled clients to minimize risk and improve their financial crime framework in line with their business model, regulatory expectations and industry best practice. Find out more by clicking here.
This material was prepared with the assistance of Julius Kania, Vice President in Duff & Phelps’ Compliance and Regulatory Consulting practice.
1 Examples include: The Russian (https://www.reportingproject.net/therussianlaundromat/) and the Azerbaijani Laundromats (https://www.occrp.org/en/azerbaijanilaundromat/), Danske Bank’s investigation (https://danskebank.com/-/media/danske-bank-com/file-cloud/2018/9/report-on-the-non-resident-portfolio-at-danske-banks-estonian-branch.pdf?rev=56b16dfddae94480bb8cdcaebeaddc9b&hash=B7D825F2639326A3BBBC7D524C5E341E) and more recently, the investigation into Swedbank (https://internetbank.swedbank.se/ConditionsEarchive/download?bankid=1111&id=WEBDOC-PRODE57526786).