Ultimate Beneficial Ownership (UBO) in AML
The legislation and regulations that pertain to Ultimate Beneficial Ownership (UBO) verification are highly complex and challenging to navigate. The EU’s Fourth Anti-Money Laundering Directive states that holding more than 25% of the shares, interest or being a beneficiary of at least 25% of the legal entity’s capital gains gives individuals UBO status. This status requires verification as per the KYC onboarding and remediation process.
What Is Ultimate Beneficial Ownership?
A UBO is the person that is the ultimate beneficiary of a given financial transaction. The definition of a UBO varies between jurisdictions, but in general, a UBO is an individual who holds 25% of the capital or voting rights of the underlying entity. UBO may not be immediately identifiable. Criminals may conceal their identities or obscure them within corporate infrastructure or ghost firms, false entities created to avoid the detection of a connection to a criminal party.
The Financial Action Task Force (FATF) describes a UBO as “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”
Under that definition, financial firms should consider any of the following individuals as UBOs:
- Persons with power of attorney
- Corporate directors/nominee directors appointed to conceal true ownership
- Persons with guardianship of minors
- Persons that own 25% of share capital exercise 25% of voting rights or benefit from at least 25% of an entity’s capital
- Shareholders (including the holders of bearer shares)
4AMLD also requires that senior management officials are treated as beneficial owners if this criterion cannot be determined. As a UBO, ownership information must be updated, verified and made accessible to obligated entities and authorities with a proven legitimate interest, including journalists and NGOs. UBO verification is designed to prevent financial manipulation, money laundering, terrorist funding and other financial crimes that may be disguised as legal entities. UBO checks are necessary for banks, brokers, securities dealers, commodities, blockchains, digital lenders and currency exchange officers, as well as other parties. UBOs must comply with AML and CTF sanctions and regulations and meet the tax compliance legislation and standards.
Why Is UBO Relevant In AML?
While the AML’s Fourth Directive sets out the requirements regarding UBOs (including the requirement that companies must hold adequate, current and factual information about their beneficial owners), there is a Fifth Directive that places great emphasis on transparency and ultimate beneficial ownership. Under this directive, EU member states must create and maintain interconnected and publicly available UBO registries as well as separate UBO registries for bank accounts (which are only accessible by authorities). This directive also introduces dissuasive measures and/or sanctions for those failing to comply with requirements related to UBO verification and governance. To comply, companies must secure access to complete and reliable UBO data and the ability to unravel complex corporate structures, a task that is often easier said than done. Moreover, the availability of accurate and reliable UBO is merely the first step of financial due diligence. Finance professionals must also be equipped to make the best use of the information. Without the proper procedures and controls, firms risk facilitating criminal activities and exposing themselves to penalties.
The consequences of failing to identify UBOs can lead to the onboarding of PEPs (politically exposed persons) or sanctioned individuals involved in money laundering or tax evasion. Firms may even miss entire clusters and links within complex ownership structures, as was the case with the Troika Laundromat.
Customer data must be actively monitored, updated, and remediated to avoid missing frequent changes in ownership or controls and consequent implications.
What Are the Difficulties?
Financial services firms are increasingly giving UBO-related controls greater attention and priority. However, few firms have the necessary controls and processes in place to successfully mitigate the risks associated with UBOs across all areas of their business and customer portfolios. Collecting and assessing (as well as maintaining) ownership and control structure data is complex and requires significant resources, often hampered by legacy systems. Privately-owned businesses can have numerous linked entities in their ownership/control structures, leading to a deluge of data points that need to be captured and assessed correctly and strenuously to avoid generating a huge volume of false positives.
While governments around the EU have assisted firms with their efforts, businesses are left with the heavy lifting. Most EU member states have created central registers of beneficial owners in recent years, alleviating the challenges that financial institutions may face in their efforts to identify UBOs in order to conduct screening, but the reliability of these registers has not yet been determined. As of 2019, only 11 out of 25 countries were given a “Largely Compliant” rating by the FATF in their Best Practices on Beneficial Ownership for Legal Persons report. It’s also important to bear in mind that the registry merely acts as a depository of documents; registries do not verify or monitor the information submitted or cross-check its information against other sources, and its performance is not supervised. Many registers only hold information on immediate ownership, not ultimate ownership, and cannot be seen as an ultimate source of truth.
Ownership structures are complex, and changes may happen in multiple layers and stages, making them difficult to track. Percentage changes may go over or under the risk threshold and go unnoticed or undetected. Add to this the fact that an increasing number of requirements are added to the “check and validate” lists, making it even more difficult to remain up-to-date and compliant.
How To Address UBOs In Your Business
In light of these challenges, businesses must systemize and continually assess their monitoring and due diligence efforts. Automation can reduce exposure to risk and “right-size” monitoring efforts to only check customers with frequent changes or specific information that has changed (instead of a full file review).
To mitigate risks, companies need a vigorous, auditable process that identifies who exercises ultimate control over and stands to benefit from corporate transactions, including:
- Collecting identifying information about all customers during onboarding, including the names and addresses of company directors;
- Identifying shell companies through AML transaction monitoring to spot unusual transaction patterns or transactions with high-risk countries;
- Sanctions screening to determine whether sanctioned customers are using shell companies to access financial services.
- PEP (Politically Exposed Persons) screening to determine whether or not PEPs are attempting to conceal their identities behind a corporation;
- Media monitoring to determine whether or not adverse news stories exist about their customers (pertaining to money laundering and other offenses).
Once a deal is transacted, UBO information should be continually updated to reflect any changes in the ownership structure following or resulting from the transaction. Ongoing maintenance can be a significant burden for large companies, but it cannot be overlooked and should form part of ongoing due diligence.
Conclusion
Determining the ultimate ownership and verifying the identity behind non-personal customers is a critical part of crime risk management and prevention. It also leads to informed client acceptance decisions, places the focus on continuous monitoring and protects firms against reputational damage and possible regulatory intervention.
While the landscape is complex and identifying UBOs is difficult, a combination of tools, processes and internal policies can ease the pain points experienced with legacy systems and manual intervention.