While anti-money laundering provisions, in general, have found their way into the statute books of virtually all EU member states, central registers are taking off slowly - mainly because of the fundamental debate they introduce on the relationship between an aim for ’total transparency’ and the human right to privacy.
The EU Directive 2015/849 (the ’4th AML Directive’) established that all member states should create a central register of beneficial owners of corporate entities and trusts. The Directive should have come into force by July 2017 but, as is well known, it is not yet fully in force in several member states.
While the general anti-money laundering provisions have found their way into the statute books of virtually all EU member states, central registers are taking off slowly, mainly because of a fundamental debate they introduce on the relationship between an aim for ’total transparency’ and the human right to privacy.
Nevertheless, Directive 2018/843843, which is also known as ’the 5th AML Directive’, was published in the Official Journal of the European Union on 19 July 2018 with a view to amending the 4th AML Directive in this respect.
The 4th AML Directive provided that access to the registers of beneficial owners of companies would be granted only “to any person or organisation that can demonstrate a legitimate interest”[i] while the information on the beneficial owners of trusts would be available only to the competent authorities and to financial intermediaries or members of regulated professions performing customer due diligence. The 5th AML Directive provides a further expansion of public access. Information on the beneficial owners of corporate entities will be accessible to “any member of the general public”[ii] while the “legitimate interest test” will continue to apply in relation to trusts. Competent authorities and financial intermediaries performing customer due diligence will have unlimited access in any case.
Some implementations of the 4th AML Directive
The system in place in France under the 4th AML Directive provides an adequate balance between transparency and the protection of privacy[iii]. A member of the public can access the information on the beneficial owners of a company only if an application to this effect is accepted by the commercial judge of the district where the company has its registered office. The judge must hear all the concerned parties which, in principle, must also include the relevant beneficial owners, and his ordinance may be appealed.
Similar provisions exist in relation to the beneficial ownership registers of Austrian and Maltese companies[iv], where the control of the “legitimate interest” test is not made by the judiciary, as in France, but by an administrative authority in charge of the register. In both cases access is granted only to persons or legal entities who can prove a concrete interest in the fight against money laundering as well as an effective track record of activities in this field. Furthermore, the applicants must also prove the actual contribution to the fight against money laundering and terrorist financing which would result from their access to the beneficial ownership information of a certain entity.
A few member states, such as Portugal, have implemented the 4th AML Directive in a way which anticipates the 5th. The Portuguese central register of beneficial owners came into force in November 2017 and provided for the information on corporate entities as well as Madeiran trusts to be publicly available[v].
Some other member states, such as Belgium, Luxembourg, and the Netherlands, have not implemented central beneficial ownership registers under the 4th AML Directive but are enacting publicly available ones within the time-frame for the 5th Directive to come into force. In Belgium, the Royal Decree on the Operating Procedures of the UBO Register was promulgated on 28 August 2018 and came into force on 31 October of the same year. The beneficial ownership information of companies will be publicly available while that of Belgian foundations will be subject to the “legitimate interest test”. In Luxembourg, the Law of 15 January 2019 created a register of beneficial owners of companies. It is due to come into force on the t first day of the second month after its publication, i.e. 1 March, and Luxembourg companies will have six months to file the required information into the register which will be accessible to the general public. On 20 April 2018, the Dutch government addressed a communication to the Parliament committing to submit a bill in the early months of 2019.
In some member states, such as Italy and Cyprus, a beneficial ownership register was created by the law implementing the 4th AML Directive but the implementing regulations have not yet been issued[vi]. They are likely to comply with the 5th AML Directive and to grant public access to the beneficial ownership registers of companies.
Public access, human rights, and the GDPR
There is a justified suspicion that unrestricted public access to beneficial ownership information is a violation of the right to respect for private and family life under Article 7 of the EU Charter of Fundamental Rights, Article 8 of which provides also that “everyone has the right to the protection of personal data concerning him or her”.
The European Data Protection Supervisor (EDPS), in its opinion 1/2017, had expressed some concerns about the draft 5th AML Directive. In particular, the Executive Summary plainly stated: “We see, in the way such solution is implemented, a lack of proportionality, with significant and unnecessary risk for the individual rights to privacy and data protection”.
Unfortunately, this opinion was disregarded by the European Parliament when the 5th AML Directive was voted.
Furthermore, public access to beneficial ownership registers appears to be directly in breach of some relevant provisions of Regulation 2016/679, the General Data Protection Regulation (GDPR), which came into force across the European Union on 25 May 2018.
Article 5 of the GDPR provides some basic principles for the processing of personal data. These include “purpose limitation” i.e. “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”[vii].
For GDPR purposes the data subjects’’ are primarily the beneficial owners of companies, whose personal information will be published in the register. The ‘’data controllers’’ are the authorities managing the registers, or the ministries having such activities in their remit.
To the extent that any member of the public can access the information contained in the beneficial ownership register of companies, the ‘’data controllers’’ cannot guarantee to the data subjects’’ that the information will be used exclusively for the purposes for which it was collected and made public i.e. the fight against money laundering and terrorist financing.
It should also be recollected that Article 13(3) of the GDPR further provides that: “Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information”.
Again, this will be impossible to the extent that beneficial ownership information will be available to any members of the public, who may use it for the purposes of fighting against money laundering but also for more nefarious purposes, such as identity theft, intimidation, or blackmail.
The UK is the only jurisdiction in the world where a fully public register of “Persons with Significant Control” over companies (the “PSC Register”) went live as early as April 2016. There is anecdotal evidence in the UK showing that criminals who intend to conceal their illegal dealings behind a company will not provide the required information[viii]. On the other hand, law abiding citizens, who would have lawful personal or professional reasons not to have their beneficial interests disclosed to the public, are going to be unduly exposed to the access of criminals, blackmailers, or curious neighbours.
The “legitimate interest” test, which was at the basis of the 4th AML Directive, represented an adequate balance between the purpose of increased transparency of corporate interests and the protection of private information for ordinary honest citizens.
Unrestricted access to beneficial ownership information by the general public is a clear violation of the fundamental right to privacy under the EU Charter of Fundamental Rights and more specifically of some express provisions of the GDPR.
Given the huge size of the penalties for data breaches under the GDPR, the authorities in charge of the beneficial ownership registers and the ministers controlling them should expect some substantial claims in the near future. A return to the “legitimate interest test” would be an appropriate way to mitigate that risk as well as to protect the human right to privacy.
Paolo Panico Paolo Panico is an Avocat à la Cour in Luxembourg and a solicitor in Scotland. He is also Chairman of Private Trustees SA, a regulated corporate service provider in Luxembourg. Paolo is Deputy Chairman of the STEP Benelux branch and Chairman of the STEP Europe Region.His publications include: Private Foundations. Law and Practice (Oxford University Press, 2014), and International Trust Laws, 2d edition (OUP, 2017).