Two years after the European Court of Justice’s (ECJ) ruling to revoke public access to National Beneficial Ownership Registers (NBORs), the regulatory landscape for anti-money laundering (AML) and counter-terrorist financing (CTF) has changed dramatically. The ECJ ruling standardized the EU’s definition of beneficial ownership, determined who has access to the NBORs, and introduced tougher punishments for offenders, among other things.
Moody’s Head of Industry Practice Group, Financial Crime Compliance & Third-Party Risk, Europe, Africa & Americas, Ted Datta, hosted a webinar to share his insights on what led to the ruling; what’s changed since it happened; how the ruling has affected the definitions and tests of beneficial ownership, and ownership and control; the importance of entity verification in customer due diligence; and what else may be in store over the next few years.
Following his presentation, Ted hosted a discussion about the current legislative landscape and how its evolution can be managed with a panel comprising:
Below you will find a summary of the panel discussion.
Ted Datta: It would be great to get your commentary Alexandre on how you see the test of “control,” and how that applies across the compliance landscape.
Alexandre Taymans: The past few years have been very active from a policy perspective when it comes to beneficial ownership.
The determination of “control” in the context of beneficial ownership is a question that we often discuss with regulators in the context of the technical assistance provided by the EU AML/CFT Global Facility (Global Facility). And our position, confirmed by the EU Single rule book, is that control of ownership and control through other means should be looked at equally - not consequently, but at the same time. The clarification in the EU’s AML directive is very much welcomed in that regards.
We have seen some difficulties in jurisdictions that come from the fact that we are in the context of the FATF Recommendation 10, which relates to the customer due diligence (CDD) that obliged entities need to implement. The interpretative note to this recommendation mentions a three-tiered cascade approach to identifying beneficial ownership with a condition attached to part of the “control through other means” test. We have seen regulators and financial institutions not paying enough attention to “control through other means,” and stopping or being limited at the first test, which is control through ownership, and then jumping too quickly to the senior management of the entity if they cannot find anyone who has control through ownership.
The first audience poll question asked, “Which best describes your determination of control in the context of beneficial ownership?” The majority of respondents – 69% – consider control and share ownership equally in determining beneficial ownership. The remaining 31% either give control less consideration than ownership or don’t consider control at all.
Ted: One of the other big updates in terms of the NBORs and the EU is turning them into more of a reliable source, which is partly driven by requirements to start verifying the data that’s stored in them. That happens at different stages and with different approaches in each registry.
Ljubinka – perhaps you could share a view on what’s happening there, and how registers are approaching that verification process.
Ljubinka Slaveska: We have to remember this is a revolutionary change. To implement this in practice requires some change management on the registers’ side. So, we are talking about operating procedures, staffing and so on, but we are also seeing an active exploration of the potential to leverage technology and even machine learning on the side of the registers to support the change.
Verification is no easy task, especially now, when you define these components that include formal and informal arrangements. There is a lot of room here for a dialog between the obliged entities and the registers, because the obliged entities have been doing this for years.
One important thing to note is that the directive provides for a risk-based approach to the registers as well. So, it’s definitely something to follow, especially in how we tie this into the entire context of reliance on beneficial owner registries.
Ted: Do you expect any more changes related to beneficial ownership? There is a 25% threshold and a 15% threshold in high-risk sectors to be considered a beneficial owner do you have a view, Alexandre, about how that might play out in practice?
Alexandre: There are several provisions of the EU Single rule book that will need to be further detailed in level-two measures, through implementing or delegated acts. Not so much on the definition, but certainly on lowering the threshold where criteria will be defined by the European Commission. There is also a level-two measure on the interconnection of the registers and the Beneficial Ownership Registers Interconnection System (BORIS) as well, which will be of great interest to obliged entities. Legitimate interest will also be subject to a level-two measure. So quite some activity there to look at that will impact the operationalization of the provisions. We might also expect further guidance from the AMLA on CDD and implementation of those requirements by obliged entities.
We’re looking at between one to four years, depending on the timeline for the publication of these level-two measures.
Ted: What’s the status of BORIS, Ljubinka?
Ljubinka: The legislative package mandates that data on beneficial owners is made available through BORIS. What we need to monitor, especially in use cases particular to obliged entities and with large financial institutions, is whether BORIS will evolve into serving the use case of machine readable data that would enable acting on the data in a more streamlined and effective way to feed into automation programs a lot of financial institutions are currently running?
It's definitely a welcome development, although it is still a work in progress, and there is a way to go until it becomes fit for purpose.
Ted: On the topic of reliance, how do you think the majority of compliance professionals are using registers currently?
Ljubinka: I would hope registers are one of many sources and they report discrepancies. It will be very interesting to see how this notion of reliance on the registers evolves now with the new mandate for registers to verify data.
Verification is in effect done by obliged entities and investigative authorities thereafter, and there’s a high degree of reliance on this discrepancy-reporting mechanism. It used to be that registers outsourced verification to the obliged entities. Now we’ll hopefully have even better verification, but can we rely on the beneficial owner registers? Is there room to be cautious about overreliance on the beneficial owner register?
The second audience poll question was, “How are you using EU Beneficial Owner registers in your KYC/CDD identification and verification processes?” Slightly more than half of respondents – 52% – use the registers as one of many sources of information they use.
Ted: When we speak to compliance practitioners, there’s a challenge; there’s a slight ambiguity. We have to check beneficial owner registers, but we can’t completely rely on them. Do you see this verification and interconnectedness as opening that up? And how do you square that circle in terms of the challenge?
Alexandre: There is a virtuous circle that policymakers have designed, and the obligation for obliged entities to consult and report discrepancies is one of its key features. The idea for policymakers was to establish a tool that would be useful for obliged entities to support their CDD processes by reducing the administrative burden related to CDD in particular for low-risk entities. The counterparty to this is that they would then be expected to report discrepancies that they see based on the information that is available to them.
Obliged entities have access to more information than beneficial ownership registers have. It’s important that their feedback and input are reported through discrepancy notifications for beneficial ownership registers to assess the quality of the information they hold and better identify the areas they need to look at and investigate, in line with the FATF’s risk-based approach.
We see some promising results from that collaboration, and it’s a fundamental piece of the puzzle i.e., that obliged entities have access to beneficial ownership registers. Moving forward the focus will be to see how beneficial ownership registers act on discrepancies, see what comes out of this mechanism, and how positively it impacts the quality of the information held and the checks implemented by beneficial ownership registers.
Ted: There’s been some confusion for obliged entities. There are different member state provisions for connecting to NBOR. Is this country by country? How should obliged entities think about this? Do they need to do anything new to get access again?
Ljubinka: The EU AML package was introduced to strive for some consistency and harmonization across EU member states. The access issue has remained in the directive, which means it requires transposition, and therefore interpretation by the different member states.
Obliged entities have both the obligation to check the registers and the right to do it. So, access rights of the obliged entities have not been jeopardized, but we need to look at this in conjunction with, “is this requirement that the beneficial ownership registers make the data available in machine-readable format?” I don’t think this should be understated.
This is in part an acknowledgement by legislators that the registries’ user persona has changed. There aren’t that many people left clicking and ordering reports on single entities, but rather this data is supposed to feed into systems as just one of many inputs - one of the big pieces of the puzzle to be acted upon and consumed and cross-checked with other information. The data being available in a machine-readable format would make that possible. On the issue of access, we still see a variety of approaches across member states, but expect a level of harmonization in the next couple of years based on the directive. We still have registers that are publicly accessible, so nothing changed there. Yet on the other side of the spectrum, they will have to align with the sixth AML directive.
One of the changes introduced with the new AML package is that obliged entities from outside the EU are explicitly deemed to have a legitimate interest if they are accessing data on their EU-based clients.
The third poll asked, “What best describes the scale of change needed in your KYC/CDD processes in response to the new EU AML landscape?” Half of respondents indicated that they need to make minor changes to their processes, with 45% responding that they need to make substantive changes. The remaining 5% was split between those that won’t change their processes (3%) and those that need to make major changes (2%).
Ted: When looking at the new AML landscape, it’s complex and somewhat ambiguous. What perspective would you give for a data-management strategy?
Hemal Shah: Navigating ambiguous regulations often requires robust, adaptable, forward-looking data-management strategies. First and foremost is to understand the regulatory expectations and identify and analyze requirements from applicable regulations. People need to stay up to date on the interpretations and create a centralized regulatory intelligence repository that will track changes and implications.
Going back to basics in terms of data-management elements is key. I would say adopt a data-centric governance and compliance framework that treats compliance as a data problem. Focusing on managing data integrity, completeness, and accessibility is also important.
There are several ways this can happen: using standardized taxonomies; mapping your KYC data requirements to your data architecture; building workflows to identify, collect, and validate mandatory data fields like customer IDs and beneficial ownership; and publishing a strong data-governance framework that eliminates data silos, enhances transparency, and provides a foundation for traceable and auditable processes.
Invest in high-quality data sources. Use trusted, verified external data sources to supplement internal data, and leverage APIs for real-time access. Implement advanced tools for automation, analytics, and AI-driven insights. Use things like machine learning to detect unusual patterns and preempt regulatory risks.
The key one is to build a single source of truth. Centralize your customer data into a master data-management platform to centralize and standardize data management, data formats, definitions, and storage protocols, and implement role-based access controls to protect sensitive customer data.
Ted: For KYC teams thinking about the types of stakeholders or change-management programs, is there any guidance?
Hemal: I think it’s crucial for KYC teams to engage stakeholders to build consensus, align objectives, and ensure smooth execution of regulatory compliance – probably quite a substantive checklist.
First and foremost, identify and prioritize those stakeholders. Map out key stakeholders and classify them based on their influence and interest levels. Establish a clear vision and objectives for the program. Early and consistent communication minimizes resistance and fosters a sense of ownership among stakeholders.
Measure the performance using metrics and KPIs. Solicit feedback, adapt as needed, be as agile as possible, celebrate milestones, and recognize contributions early and often.
Ted: More broadly around the theme of industry consultation and collaboration, there are quite lengthy timelines to ensure the right process. From your view on how those discussions take place, the interface between industry groups, the different types of large entities, the different industry representations, what is your perspective on how that machine works Alexandre?
Alexandre: Those formal consultations will be conducted through papers and requests for comments, which have already started to be released. On a more informal basis, exchanges can also happen through conferences and other industry related events.
But I would like here to stress the fundamental importance in policymaking, in particular in the AML/CFT field, of public-private partnerships. We see a dire need for public and private stakeholders to interact, collaborate, and communicate between each other. It’s paramount for policymakers and regulators to engage with obliged entities at both EU and national levels, and vice versa. The EU Single Rulebook provides for such engagement to take place and brings a lot of changes in terms of interactions between the various stakeholders involved in AML/CFT, it will be an interesting aspect to look at in the coming years in the EU and beyond.
Moody’s would like to thank our panel of professionals for participating in the webinar and providing their valuable insights.
Please find a link to both a replay of the event and a copy of the presentation Ted Datta delivered.
Additional resources:
At Moody’s, we provide robust data and analytics to help customers create new levels of certainty on risks associated with third-party entities and clarity on their ownership structures. We have extensive, global company and corporate structure data and access to live registers, combined with sanctions, PEPs, and adverse media data to help you create corporate transparency and a clearer picture of risk.
Please get in touch if you would like to discuss how Moody’s can support your approach to compliance and third-party risk management.