Andres Knobel ■ FATF beneficial ownership report reveals cutting-edge verification processes, hesitates to endorse public registries
Coauthors: Andres Knobel, Markus Meinzer and Moran Harari
The Financial Action Task Force (FATF) which evaluates countries on their compliance with its anti-money laundering recommendations recently published a report on best practices of beneficial ownership for legal persons, leaving trusts aside. The report contains interesting examples of countries doing exactly what our paper on beneficial ownership verification proposed, but misses the point on the issue of beneficial ownership registries, let alone public ones. While the paper proposes many measures that we agree are useful and necessary, it fails to endorse the most critical of measures: public beneficial ownership registries.
Recommendation 24 (not 10)
While many FATF recommendations refer to beneficial ownership information such as Recommendation 10 on customer due diligence by financial institutions, this new FATF paper on best practices (as well as most of our papers on beneficial ownership) focuses on FATF Recommendation 24. This recommendation is about making sure authorities’ have access to accurate beneficial ownership information. If you want to see how the measures proposed here relate to Recommendation 10, scroll down to the bottom of the blog post.*
The multi-pronged approach
The FATF Recommendation 24 and the OECD’s Global Forum allow countries to choose at least one of the three following approaches to ensure timely access to accurate beneficial ownership information: the registry approach (eg a beneficial ownership register), the company approach (the legal person collects beneficial ownership and makes it available to authorities on request), and the existing information approach (use any beneficial ownership information available with banks, corporate service providers, tax authorities, land registries, etc).
The FATF paper on best practices describes the challenges faced when implementing each of the approaches without endorsing any specific one as the best one. To us, this is like if a teacher gave two students the same grade on a test because they both answered the same number of questions, regardless of whether they answered the questions correctly.
In reality, the three approaches were never on equal footing because the company approach is a pre-requisite for the other two.
The company should always be required to identify its own beneficial owners and only then it can report this data to a registry (registry approach) or to a bank or corporate service provider (existing information approach) – or keep it to itself (just company approach).
To illustrate, let’s play out a scenario where a company would not be required to identify its own beneficial owners:
Company A walks into a bank to open an account.
Bank teller: “Hello Company A, please tell me who your beneficial owners are.”
Company A: “I don’t know (and I don’t need to know).”
Bank teller: “Oh, sorry to bother you.” Then, asking in every direction: “People of the world, are any of you the beneficial owners of Company A? In such case, please identify yourself.”
While this imaginary dialogue would never take place, Germany implicitly requires this by waiving the company’s obligation to identify its beneficial owners, when a German company is owned by at least two layers of foreign entities.
The new FATF paper now proposes the “multi-pronged approach” to ensure beneficial ownership transparency. In other words, it suggests implementing more than one approach out of the three possible ones because this has proven to be more effective compared to choosing just one of the three. We discuss the pros and cons of each approach below. However, from our perspective choosing a combination of any two out of three approaches is not good enough. We believe the company approach and registry approach must always be implemented together as a first step. This would constitute the bare minimum requirement. The existing information approach should only ever be implemented as a second step to cross-check, complement and verify the information retrieved by the first step.
The company approach
We consider the company approach to be a pre-requisite for any of the other approaches because the company is in the best position to identify its own beneficial owners, and maybe the only actor capable of doing so. However, relying on the company itself as the only source for authorities to access accurate and timely beneficial ownership information is risky, to say the least. A company investigated for money laundering may never reveal the beneficial ownership data when requested by authorities (especially if they have no presence in the country nor local natural persons who are liable for not complying with the law). In addition, even if we assumed all companies to be honest, ensuring access to beneficial ownership information on any company would mean supervising every local company at their office and checking that they do have beneficial ownership data. This could include millions of companies. The alternatives, sample audits or harsh sanctions for non-compliance, can only get so far. While these alternatives may encourage companies to comply, authorities wouldn’t be able to know for sure that they are complying, unless they checked each and every one of them.
The existing information approach
The existing information approach seems comprehensive, because it may cover anything: banks, lawyers, tax authorities, real estate registries, commercial databases – anyone who may have beneficial ownership information on a company. But, and this is a big but, it relies on information actually existing.
Local banks may be required to obtain beneficial ownership information from companies, but first a company must have engaged with a bank, eg opened a bank account. Otherwise, the bank will have no beneficial ownership information on that company.
Tax authorities may be required to obtain beneficial ownership information from companies, but first a company must be considered tax resident in the country (depending on local tax laws) and actually filing the necessary returns with tax authorities Otherwise, tax authorities will have no beneficial ownership information.
In other words, the existing information approach is like a country trying to identify its citizens solely on circumstantial identities: a credit card, a driver’s license, a library card, a student id, etc. The country would be able to confidently identify a person who has all those documents, but what if the person does not have a credit card or driver’s license, and is not a student at any school? There would be no data on the person at all for the country to identify them by.
Even if every company did engage with either a local bank, notary, tax authority, land registry or any entity required to collect beneficial ownership information, a second problem remains: enforcement would still require checking hundreds to thousands of banks, lawyers, notaries or registries that may or may not have beneficial ownership information. Sample audits or sanctions would again create incentives, but they would not rule out the possibility of non-compliance.
Lastly, private actors that hold beneficial ownership information could tip off their clients about authorities asking for their information, which could affect investigations.
The registry approach
The registry approach is the only way to ensure that beneficial ownership information has been collected (and registered). The registry would hold information on all companies that were incorporated in the country, and could simply check whether they filed beneficial ownership information or not. For a well-functioning beneficial ownership registry, sample tests may not be necessary: the registry, especially if it has digital records, would be able to look at every local company (even if there are millions of them) and check if they have filed beneficial ownership information or not. There would be only one place to go instead of hundreds to millions and if information is digitalised it would take a few seconds to bulk check if any company is missing their beneficial ownership form.
From our perspective, the registry approach doesn’t necessarily require the commercial registry to be the body that holds beneficial ownership information. Any authority would do: tax authorities, central bank, etc, as long as each and every company has to file beneficial ownership information with that registering authority. In other words, the registry approach assumes that an authority holds information on all companies. Instead, if filing beneficial ownership with an authority were optional, conditional or circumstantial, we wouldn’t consider a country to be implementing the registry approach. At best, it would be implementing the existing information approach. What differentiates both approaches is not only whether an authority or a private party holds the information, but also making sure that information on all entities is available with the authority – not just on those companies that circumstantially had to file information. You could think of the registry approach as the ‘leave no one behind’ approach.
Nevertheless, if beneficial ownership information is held by the commercial registry, it is much more likely that the information could be made publicly accessible than if it were held by tax authorities or the central bank.
On a separate note, verification of information is of course not ensured by just having a registry, although once verification procedures are implemented by the registry, it is much easier to check if they actually took place. In contrast, if banks, companies or other data holders are required to not only collect but also verify beneficial ownership information, authorities would still have to do checks to ensure that both the collection and verification took place.
The ideal approach
While the FATF paper identifies the structural problems of each approach (eg companies’ lack of incentives to identify their beneficial owners), it still allows countries to choose any approach. In our view, the ideal solution is the FATF establishing the three approaches as successive building blocks to ensuring authorities’ access to beneficial ownership information.
In essence, the most fundamental component (in bold in the figure above) is the registry approach, with the company approach (the company identifying its beneficial owners) as a pre-requisite. If all beneficial ownership information is contained in one central registry, it’s possible to easily access it whenever needed, and to verify compliance and the accuracy of registered information, even before the information is needed (before it’s too late). This also helps foreign authorities access and verify information, who would otherwise have to spend time in justifying a request for information and wait until it is received, if ever at all.
The existing information approach definitely adds value, but it should only be the cherry on top. Banks, corporate service providers, notaries and even other authorities dealing directly with the company should be able to obtain information from the beneficial ownership registry while having the obligation to report any discrepancy (eg “John doesn’t appear as the beneficial owner in the Registry but he is the one who manages the bank account and withdraws money, so he should be included”).
The law could also require engaging with a bank, notary or a corporate service provider in order to incorporate a company (the dotted arrow in the figure above) to add an extra layer of verification and control of beneficial ownership information. However, a country choosing only the “company + existing information approach” as a way to ensure authorities’ access to beneficial ownership information (without the registry approach) would be missing out. First, it would depend on the company actually engaging with a local bank, notary or service provider for these to hold beneficial ownership information. Otherwise, no one in the country would know who the beneficial owners are. Second, it makes enforcement much more difficult and costlier: supervisors would have to check every single notary, bank or corporate service provider to make sure that they are doing their job right.
The registry approach should thus be promoted as the best approach (considering the company approach as a pre-requisite). The FATF already requires countries to have registries providing basic company information (company name, address, etc). Upgrading the registries to also collect beneficial ownership information is much more cost-efficient in the long-run than having to supervise the hundreds to thousands of banks, notaries, lawyers and corporate service providers.
The FATF – in our view – fails to endorse public beneficial ownership registries as the best strategy to ensure beneficial ownership transparency, and it even seems to undermine them:
For example, an openly and publicly accessible central registry does not necessarily mean that the information is accurate and up-to-date. (page 22)
This statement is true, but also misleading. Establishing an under-resourced registry that is unable to run any checks or verification and rather acts as a repository of information could end up being of little value. But the same applies to any measure that a government could implement. If you do something wrong, or only half-way, of course it will not be effective. The point is which approach (or combination of approaches) is better, if done properly. For example, we published a checklist for any country willing to implement a beneficial ownership registry. More fundamentally perhaps, the FATF fails to take into account the pressures arising from public scrutiny of the data. The use (or abuse) of low level staff (natural persons) as “premium” nominee shareholders and directors whose identities are effectively stolen or hijacked by superiors in hierarchical law firms (as happened in case of the Panama Papers), could be detected more easily if public scrutiny allowed questioning the veracity of a person – not least from within the firms, but also from any business partner and journalist.
On the bright side, the FATF acknowledge a positive trend towards public beneficial ownership registries, which also helps foreign investigations:
The trend of openly accessible information on beneficial ownership is on the rise among countries. (page 74),
…it is also understood that countries have encountered difficulties in getting information on beneficial ownership that is not publicly available. (page 70)
The FATF paper does have some interesting pieces of information as described below.
Switzerland applying the “every shareholder is a beneficial owner” (no threshold approach) to domiciliary entities
The FATF paper describes that financial intermediaries in Switzerland are required to obtain information from all individuals without applying the 25% threshold of capital or voting rights when dealing with domiciliary entities (companies as entities such as legal entities, trusts or foundations, that do not have any operational activity):
A written declaration will be required from the domiciliary concerning its beneficial owners. (Art. 4 para. 2 of the Federal Act on Combating Money Laundering Act and Terrorist Financing). The threshold of 25% of the capital or voting rights in the legal entity does not apply to such type of entities. This means that all beneficial owners must be identified, regardless of the amount of their participation in the company (page 55)
Countries implementing automated verification, red-flagging and appropriate sanctions
The FATF paper mentions many strategies to verify beneficial ownership information based on some countries’ experiences. These include automated cross-checks against other government databases to determine the accuracy of information, and using data mining to establish patterns and red-flag suspicious cases. These suggestions and examples are exactly what our paper on beneficial ownership verification proposed back in early 2019 (as well as our paper’s previous version from 2017).
In addition, whenever inaccurate or incomplete information was detected, our paper proposed not allowing an entity to be incorporated, or winding it up if already existed, or at least marking it with a warning for anyone to be aware of the risk. The FATF paper describes that some countries are doing precisely this. Below are some extracts from countries.
Austria requires different measures to verify beneficial ownership information, including automated real time cross-checks against government databases, automated sanctions in case information is missing, adding a public remark to warn users that a company has potentially incomplete or wrong information and a system of risk points for non-resident beneficial owners based on their country of residence’s risk, resulting in further investigation by Austrian authorities:
Legal entities, which report beneficial owners with foreign citizenship or place of residence, or ultimate legal entities with a registered address in a foreign country will receive a certain number of risk points based on the ISO Code of the foreign country. Thus, those legal entities will be more likely be in the risk category high or very high, resulting in a greater chance that the BO Registry Authority will request documentation on beneficial ownership and will carry out an off-site analyses of beneficial ownership. (…)
Through an automated alignment with other registers, it is ensured that beneficial owners and legal entities can only be reported if their data is also contained in other public registers. If, for example, a person with a main residence address in Austria is entered as a beneficial owner, there is a real time check with the Central Residence Register in the background if the entered person has a valid main residence in Austria. (…)
By setting a remark the legal entity will automatically be notified about the remark (without identifying the obliged entity that set the remark) and informed that the reported beneficial owners could not be verified and that the legal entity therefore has to examine its report. The remark is only removed if the legal entity then files a new report. However, the remark will still be visible in the historical data. Consequently, a remark will be visible in all excerpts from the BO Register. In addition, the BO Registry Authority is monitoring the list of all remarks set in the register and may request documentation on beneficial ownership if a remark is not resolved by a correct report.
Implementation of automated coercive penalties. If a report is not filed within the deadline – either within the initial reporting period or within 28 days of newly established legal entities – then the competent tax office will automatically send a reminder letter with the threat of a coercive penalty of € 1 000 to the legal entity. (pages 41, 46, 52, 57)
Denmark also has automated cross-checks, including validation checks (eg to prevent dead people from being registered). If beneficial ownership information is not checked, a company will not be able to incorporate:
The CVR automatically checks information that is filed (which must be done electronically), and will cross-check this information with various governmental registers, the CPR number – Civil registration number / CVR number – Unique identification number for legal entities and other details such as address (Danish Address Register – DAR) and dates. Furthermore, business rules are set up in the system to avoid impossible situations ex. registration of a deceased person, and as the Business Register entails information about legal entities, certain information about the entity is prefilled in order to ease the registration and to avoid mistakes. These automated checks are then followed by more detailed manual checks in suspicious cases. The system is also designed to use large datasets and with machine learning to better identify potential risks (….)
If the BO information is not adequate when checked, the company will not be incorporated. If the BO information is checked in the following phase, the DBA has the legal basis to dissolve the company compulsorily (page 48)
The Netherlands has automated cross-checks against government databases, a risk system for further investigations and creates a network maps of relevant relationships that could be used for investigations:
The Scrutiny, Integrity and Screening Agency performs risks analysis by automatically scanning several closed and public sources on a daily basis, to look for any relevant financial or criminal records of directors, and the (legal) persons in their immediate surroundings. Data includes the Company Registry, Citizens Registry of the municipalities and the Central Insolvency Registry, as well as other public sources. In addition, data is obtained from the tax authorities, the Judicial Information Service, and the National Police Services Agency. If the computer system reveals a heightened risk, either immediately upon registration or later on, during the life span of the legal person, this dedicated Agency will carry out a more in-depth analysis. If the analysis confirms that there is indeed a heightened risk, a risk alert will be sent to a group of recipients, including law enforcement and supervisory authorities such as the Public Prosecution Service, the Police, the Tax Intelligence and Investigation Service, the Dutch Central Bank, the Netherlands Authority for the Financial Markets and the Tax and Customs Administration (.…)
The Scrutiny, Integrity and Screening Agency also provides ‘network maps’ for inter alia law enforcement and supervisory agencies. A network map plots the relevant relationships between a (legal) person of interest, and other persons or legal persons, including bankrupted or disincorporated legal persons. (page 50)
Other relevant cases of beneficial ownership verification include Belgium (page 47), Italy (page 34), Jersey (page 36), Spain (page 40) and Sweden (page 52).
Proposals on how to deal with foreign companies
The FATF paper also includes proposals on how to deal with beneficial ownership from foreign companies. While the paper doesn’t mention (our paper’s) proposals on an automated international cross-check of information using zero-knowledge proof tests (without needing to share the actual data with a foreign country, but only confirming information), it does present valuable options that require no international cooperation:
b) Rating jurisdictions’ level of co-operation – Rating jurisdictions based on the availability and extent of their co-operation. Impose defensive measures such as restriction of certain business activities accordingly.
c) Requiring re-registration with a local beneficial ownership.
d) Requiring re-approval by domestic national authorities based on detailed investigation of the relevant legal entities. (page 70)
Option b echoes our paper’s proposed quality limits (limiting the ownership chain of a local company by allowing it to include only foreign entities as long as they are from countries that have public legal and beneficial ownership information). Of course, the Financial Secrecy Index could be a basis and source of evidence to know whether a country’s entities should be blacklisted based on the country’s level of transparency and exchange of information.
Need to review data protection and privacy laws that affect access to information
Importantly, the FATF paper refers to the need to revisit data protection and privacy laws. While these are of course relevant, they should not be abused to prevent relevant authorities and stakeholders from accessing beneficial ownership information:
It is also expected that countries will take action to facilitate the timely sharing of basic and beneficial ownership information at the domestic and international level to address barriers to information-sharing (e.g. reviewing data protection and privacy laws). (page 72)
Allow searches by multiple fields (company name, beneficial owner name, etc)
Our 2017 guidance paper on a checklist for beneficial ownership registries specifies the importance of allowing information to be searched using different fields (company name, incorporation date, identity of owners, their residence, etc (page 5). The FATF paper also proposed this:
Information in the company register is generally recorded digitally and is preferably searchable. The search function supports searches by multiple fields. (page 73)
In conclusion, the FATF paper proposes many measures that we agree are useful and necessary. It also describes best cases available in several countries that could be followed by others. However, it fails to endorse registries of beneficial owners, let alone public ones, as the best approach.
* How does this blog post’s proposals relate to FATF Recommendation 10?
Another relevant FATF recommendation, which is related but not the focus of this paper, is Recommendation 10 on customer due diligence: how banks, and other obliged entities (eg lawyers, notaries, corporate service providers, etc) are supposed to obtain and verify information, including beneficial ownership information, provided by their customers. For example, when opening a bank account for a customer, banks and other obliged entities may use information from the commercial registry or beneficial ownership registry (green circle in the figure below), but they cannot rely exclusively on that information for their customer due diligence obligations. They must use other sources too, and follow other procedures (eg obtain identity documents, in-person meetings, etc) to comply with Recommendation 10’s procedures.
However, this blog post doesn’t apply to Recommendation 10, and none of its observations or proposals refer to changing Recommendation 10 in any way nor obliged entities’ customer due diligence obligations. This blog post focuses only on Recommendation 24 about ensuring access to beneficial ownership information by authorities (and ideally also by the public).
Pandora Papers and (South Dakota) trusts: Why do criminals and the rich like them so much?
Pandora Papers: law firms must disclose clients’ names (like they’ve started doing in the US of all places)
Isle of Man banking data leak reveals how sharing data can identify offshore strategies and improve beneficial ownership
Isle of Man banking leak: Analysing banking data to reveal offshore strategies
29 September 2021