The Ultimate Beneficial Owner (UBO) owns or controls a business or legal entity. Understanding who UBOs are and the risks they pose can help financial institutions achieve regulatory compliance and enhanced security.
Jurisdictions differ on UBO definitions and requirements, but it’s critical that financial institutions verify company details, understand corporate structures and identify the UBO for due diligence and complying with Anti-Money Laundering (AML) and Know Your Customer (KYC) laws.
EU UBO requirements
EU financial institutions doing business with commercial clients must identify UBOs. The EU’s 4th AML Directive (4AMLD) was the first to require UBO identification, and different member states have since passed enabling laws to enforce reporting requirements. For example, Sweden has legislation that requires notifying the Swedish Companies Registration Office of beneficial owners.
The Swedish legislation:
- Covers Swedish companies, companies operating in Sweden and people who administer trusts and other similar legal structures
- Defines a beneficial owner as anyone who controls the company directly or through agreements, has more than a 25% ownership stake or has the power to control at least half the board
- Requires that any beneficial ownership change be reported as soon as the entity becomes aware of the change
While each EU member state has specific legislation, the laws must conform to the 4AMLD. The 5th AML Directive added requirements for member states to set up publicly available registers for companies, trusts and other legal arrangements.
The deadline for those registers was Jan. 10, 2020. But, according to BLOCKINT, a Netherlands-based international intelligence and investigative consultancy service, “not all of the registers in the EU member states are publicly accessible yet” and there are “several problems with quality and completeness of the UBO registers.”
Under the EU’s 6th AML Directive, employees and officials of organizations — and entities working on behalf of those organizations — can now be held criminally liable.
U.S. UBO requirements
In the U.S., similar beneficial ownership disclosures are a part of the Financial Crimes Enforcement Network (FinCEN) Customer Due Diligence final rule, which took effect May 11, 2018.
“The CDD Rule outlines explicit customer due diligence requirements and imposes a new requirement for these financial institutions to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions,” according to FinCEN’s rule guidance.
Financial institutions, according to the rule, refers to banks, broker-dealers, mutual funds, futures commission merchants and commodity brokers. A legal entity customer can be corporations, limited liability companies, limited or general partnerships, business trusts and similar entities. The rule defines beneficial owners as people who own 25% or more of the legal entity and those who can significantly control, manage or direct the entity.
Under the Corporate Transparency Act, U.S. companies will have to report to FinCEN the UBO’s full legal name, birth date, current residence or business address, and identifying number from a passport, driver’s license or other state-issued ID.
FinCEN has not yet released the proposed effective date.
International UBO standards
Other countries have international agreements that call for beneficial ownership disclosures. In 2003, the Financial Action Task Force (FATF) set beneficial ownership standards, and in 2012, 198 jurisdictions agreed to stronger FATF standards.
Two years later, a policy declaration at the G20 Brisbane Summit emphasized UBO transparency.
“Countries should ensure that competent authorities (including law enforcement and prosecutorial authorities, supervisory authorities, tax authorities and financial intelligence units) have timely access to adequate, accurate and current information regarding the beneficial ownership of legal persons,” according to the declaration.
But a 2016 FATF report found that only two of the G20 had achieved substantial effectiveness in establishing beneficial ownership requirements. The FATF, though, recognizes the complexity in implementing effective beneficial ownership transparency rules. Technologies and procedures that speed the process and improve accuracy can offer a path forward.
The FATF report, regulatory changes in Europe and the U.S., and major corruption scandals such as the Pandora Papers have pressured other G20 countries to establish effective beneficial ownership disclosure systems.
Legitimate governments do not want to be seen as soft on corruption. Whether it’s to collect more tax revenue, prevent terrorist financing, improve transparency or stop the flow of illegal funds, countries are trending toward requiring beneficial ownership due diligence.
Establishing UBO due diligence
There are four main steps that can help organizations create effective UBO programs.
1) Receive company vitals
Collect and verify an accurate company record such as identification number, company name, address, status or key management personnel, depending on jurisdictional requirements and the organization’s fraud prevention standards. Input that information into workflows.
2) Analyze ownership structure and percentages
Determine who has an ownership stake, either through direct ownership or through another party.
3) Identify beneficial owners
Calculate the total ownership stake, or management control, of any person and determine if it crosses the threshold for UBO reporting.
4) Conduct AML/KYC checks
Perform AML/KYC procedures, including UBO screening on everyone identified as a UBO.
Four steps might not seem too difficult, but without a proper system, UBO checks can be costly and time-consuming. Manually checking multiple registrars, importing data, tracking records and performing complex reviews can delay onboarding and monitoring, introduce human error and redirect important staff time to data entry.
Automating the business verification workflow, including AML/KYC checks, as much as possible can help organizations achieve UBO compliance today and prepare for new regulations on the horizon.
This post was originally published Oct. 5, 2017, and updated to reflect the latest industry news, trends and insights.
The Customer Identification Program (CIP) requirements that govern financial institutions target money laundering, terrorism funding, corruption and other criminal activities but also present challenges for organizations. Under a CIP, which is required through the USA PATRIOT Act, entities must have “reasonable” procedures to gather and maintain customer identity information and run watchlist checks on them.
The Financial Crimes Enforcement Network (FinCEN) has stated CIP requirements should apply to all banks, regardless of whether they are federally regulated.
But those requirements raise questions: What do regulators consider reasonable? How can a financial institution integrate a CIP efficiently and cohesively? Can organizations achieve compliance and fraud mitigation while delivering efficient customer onboarding?
The customer identification process
The minimum identity requirements to open an individual financial account in the U.S. are name, birth date, address and an identification number, such as Social Security or Individual Taxpayer Identification.
Gathering that information at account opening is sufficient, but organizations must verify the account holder’s identity “within a reasonable time.” Procedures for identity verification include documents, such as a driver’s license, or nondocumentary methods, such as through credit bureaus and government databases.
Those procedures are at a CIP’s core, and organizations, as they do with other Anti-Money Laundering (AML) compliance requirements, can ensure compliance by codifying the policies. The exact policies depend on the organization’s risk-based approach and may include:
- The types of accounts offered
- The methods of opening accounts
- The types of identifying information available
- The organization’s size, location and customer base, including the types of products and services used by customers in different locations
The identity verification procedures must be robust enough to verify the identity of each customer to an extent that is “reasonable and practicable.”
The case for digital identity verification
Traditionally, financial institutions would examine unexpired government-issued identification documents such as a driver’s license or passport. However, best practices call for providing more than one document to offset the risks of counterfeit or fraudulently obtained identification.
Financial institutions can conduct that process online to meet consumer expectations for convenience and immediacy in a digital age. Digital identity verification through nondocumentary methods can provide strong risk mitigation and deliver fast onboarding. One method involves “independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.”
There are other nondocumentary methods, such as contacting a customer, checking references with other financial institutions or obtaining a financial statement. However, those processes don’t often offer the speed, convenience and reliability of digital identity verification.
Financial institutions can also combine documentary and nondocumentary methods. One increasingly popular method is to use on-demand ID document verification combined with digital identity verification to cross-check ID documents electronically with the identity information to further reduce fraud risk.
Other CIP requirements
While obtaining and verifying the identity of each customer is core to the CIP, there are other requirements, including record retention, sanction checking and providing proper notice to customers about document collection and identification processes.
The CIP must also contain procedures to handle various edge cases, such as when a person doesn’t have an identity document, when a document type is unknown to the financial institution or when a customer can’t visit a branch.
Regulations require the financial institution’s CIP also incorporate procedures to manage situations when the risk level is higher than usual. Those procedures can answer questions such as: What happens when the institution can’t verify a person’s identity? When is it appropriate to prevent account opening? When is it OK to open the account but require more information? When should an organization close an account or file a suspicious activity report?
While a CIP is mandatory, organizations can rely on another qualified financial institution as the program provider. The qualified entity must be regulated and have an AML program, and the reliance must meet CIP standards.
Identity information must be maintained for five years past the customer’s relationship with the financial institution. That includes a description and expiration date of any document used to verify identity, including its identification number and the issuance date and location.
Financial institutions must also check identities against domestic and international AML, counter-terrorist financing and sanctions watchlists.
The CIP also applies to corporations, partnerships and trusts. In those cases, the procedures relate to verifying a business entity. The existence of the business entity can be established by calling upon certified articles of incorporation, a government-issued business license, a partnership agreement or a trust instrument.
Business verification is also possible through nondocumentary methods. Similar to digital identity verification, real-time identification and verification of company records through official registers enables quick business onboarding.
It’s important to note that under the Customer Due Diligence Final Rule, collecting, maintaining and reporting beneficial ownership information is now required for financial institutions, which “must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted).”
Under the Corporate Transparency Act, U.S. companies must report their Ultimate Beneficial Owner (UBO) information to FinCEN. Any new incorporation or significant UBO change must be reported, and any company formed before the effective date of the act will have two years to report.
A CIP is a necessary element of AML and Know Your Customer (KYC) regulations. Beyond that, it’s part of an effective risk-mitigation strategy. Ensuring your CIP is strong, up to date and complete is fundamental to running a successful financial institution.
This post was originally published on Feb. 5, 2019, and updated to reflect the latest industry news, trends and insights.
Two legislative acts in the European Union hold the potential to significantly change the operations of digital marketplaces, which are critical to providing shared spaces for users to interact and transact.
The Digital Services Act (DSA) will require that digital platforms fairly and effectively oversee their communities. The Digital Markets Act (DMA) provides additional regulations for companies considered marketplace gatekeepers, such as Amazon, Apple, Google, Meta and Microsoft.
The acts are expected to be applicable in 2024, even sooner for designated large platforms. Generally, the goals of the acts are to create safer digital spaces that protect users’ rights and to establish level playing fields for innovation, growth and competitiveness.
The DSA in detail
The DSA applies to all organizations that offer digital services, but it focuses on those that operate as online intermediaries or platforms. In that context, digital services include social networks, sharing platforms and other person-to-person systems where an organization facilitates interactions.
Some of the DSA’s fundamental principles are:
- Fairness, transparency and accountability for content moderation processes
- Notice-and-action procedures for illegal content
- Rules for online advertising
- Receiving, storing, verifying and publishing information on traders using the services
The DSA accounts for the size of the organization and the risk it poses, and then it tiers requirements accordingly. Large online platforms have higher accountability standards, including appropriate risk management tools and transparent algorithmic processes.
“Europe is the first continent in the world to undertake a comprehensive reform of our digital space,” said EU Commissioner for Internal Market Thierry Breton during a Jan. 19, 2022, speech. “With the DSA and the DMA, we are about to reorganize the digital space in our internal market, both for societal and economic reasons. A new framework that can become a reference for democracies worldwide.”
Digital services organizations operating in the EU can start examining their operations to understand and implement procedures that will help ensure compliance with the DSA when it comes into full effect.
Know your vendors
To enable a trustworthy, safe and more transparent online environment, the DSA requires that traders be traceable. Under Article 22, Traceability of traders, online platforms need anyone selling or promoting goods or services to provide:
- Name, address, telephone number and email address
- Identity documentation
- Bank account details (for a person)
- Registration number (for a business)
Traders also must self-certify that they offer only products or services that comply with applicable laws.
The online platform needs to make reasonable efforts to confirm the reliability of trader information. If it’s inaccurate or incomplete, the platform must gather the correct information or stop the trader from participating in the system. The platform can use official online databases or trustworthy supporting documents. They may also use other reliable sources to comply.
The DSA also requires online advertising transparency. Every ad must display the sponsoring person or organization.
Know Your Business solutions
For many platforms, gathering and verifying all user identity data is standard practice. Getting real names helps create a safer and more trustworthy platform. Other social media platforms thrive on anonymity. While that won’t necessarily go away, marketplaces in the EU will need to identify users who sell or promote products or services.
Creating and successfully operating systems that gather and check business identity, especially at scale, can be complex and time-consuming. Different formats, widely varying inputted information and multiple registries across the EU can create bottlenecks and multiple rechecks. Keeping accurate track and reconciling all the information adds another layer of complexity.
The need to check a person’s identity creates additional complications. Privacy considerations under the General Data Protection Regulation have strict procedures for handling personally identifiable information.
For those reasons, many marketplaces look to identity solution providers to speed up the process, ensure compliance and help build trust. Those marketplaces, particularly with DSA and DMA on the horizon, can benefit from business verification and identity verification services and deep experience in the European market.
Digital platforms are facing increased regulatory scrutiny across the globe. DSA and DMA might not be the last regulations establishing standards for marketplaces and communities. Organizations that effectively integrate and adapt to new rules can be better suited to improve operations, build trust in their platforms and grow their business.