UBOs: How to effectively manage the risks

Why is managing your UBO risks relevant?

The misuse of corporate vehicles to facilitate the flows of illicit funds or place a veil over criminal activity is a long-standing financial crime typology. In attempts to address this, successive upgrades to Anti-Money Laundering (AML) legislation and regulation have raised the bar for financial institutions with respect to understanding who owns and controls their corporate customers.

The latest upgrade,[1] implemented in January 2020, requires firms to report material discrepancies between the Ultimate Beneficial Owner (UBO)[2] information presented to them by customers, and the records held by national corporate registries (for example, Companies House in the UK). This enables the Registrar to take action to increase the accuracy of the register, which, in turn, benefits organisations who rely on Registry data – including financial institutions.

Availability of accurate and reliable UBO information is just part of the picture, as financial services firms must also be equipped to make best use of that information. Without effective procedures and controls, firms risk facilitating criminal activity and may be exposing themselves to the proceeds of corruption, circumvention of sanctions or sheltering of assets from tax authorities.

High-profile cases uncovered by the Panama Papers and Paradise Papers highlight several common risks associated with the lack of transparency around UBOs:[3]

• Failure to identify the UBOs of a corporate customer can lead to the onboarding of politically exposed persons (PEPs) or their relatives that are involved in money laundering or tax evasion, as seen in the case of prominent politicians such as Nazib Rajak (and 1MDB-linked entities) and Ilham Aliyev, or sanctioned individuals such as the Rotenberg brothers.[4]
• Failure to conduct thorough due diligence on UBOs can lead to not being able to identify clusters and links within complex company and ownership structures used for large-scale laundromats, as seen in the Danske Laundromat or Troika Laundromat.[5]
• Failure to maintain updated information on UBOs of corporate customers, due to customer data not being actively monitored, updated or remediated, can leave financial institutions in the dark about frequent changes in ownership or control, as reflected in the examples named above.

What are the key challenges?

Determining the ultimate ownership of non-personal customers, sufficiently verifying the identity of these individuals, and conducting appropriate due diligence, are crucial aspects of financial crime risk management. Understanding the true origins, ownership and control of the funds or assets which are the subject of a firm’s relationship with its clients enables better-informed client acceptance decisions, and more focused due diligence and monitoring efforts. In turn, this can help to protect a firm from a multitude of financial crime risks and reduce the likelihood of regulatory intervention or reputational damage.

Financial services firms which manage the client portfolios of privately-owned entities are increasingly giving UBO-related controls greater attention and priority within their financial crime risk management framework. However, in our experience, few firms’ controls and processes are fully prepared to mitigate the risks associated with UBOs across their business areas, customer portfolios and product groups.

In addition, collecting, assessing and maintaining data on ownership and control structures is complex and can require significant resources, further challenged by an institution’s legacy systems. Entities such as privately-owned corporates and trusts can have a multitude of linked entities and individuals in their ownership and control structures, which leads to a significant volume of data points that need to be captured and assessed correctly in order to avoid large volumes of false positives.

How should these challenges be approached?

Although exposure to UBO-related risks varies from firm to firm, depending on the composition of the customer base, products offered and markets served, a successful model includes the following key components:

• Data Capture: the capability to identify, validate and capture all required UBO information for all relevant customers (including intermediate owners/intermediaries).
• Data Storage: the capability to store UBO information that meets technical and financial crime requirements.
• Financial Crime Controls: the capability to apply customer due diligence (CDD) to UBOs and use their information for customer screening and customer risk assessment.
• Data Maintenance: the capability to maintain and update UBO information regularly in order to keep adequate, accurate and current information on ownership.
• Reporting: the capability to identify and report material discrepancies in UBO information to Companies House and the persons with significant control (PSC) Register and other relevant registries.

How can these challenges be overcome?

In light of increasing awareness of the associated risks and the raising of the regulatory bar, some financial services firms will likely need to enhance their systems and controls with respect to UBOs. BCS Consulting recommends a six-step approach that assesses the effectiveness and proportionality of existing controls while taking into account the firm’s customer portfolio, products and risk appetite:

1. Identify Regulatory & Policy Requirements: Identify the legal, regulatory requirements and industry guidelines relevant to UBOs and ensure that they are reflected in the firm’s policies.
2. Assess the Current State: Assess the current state of the five key UBO components for all relevant business areas: Capture, Storage, Financial Crime Controls, Maintenance and Reporting.
3. Identify Gaps: Identify any gaps in the current state through comparison against regulatory/policy requirements and industry standards.
4. Design UBO Gap Resolution Plans: Design action plans to resolve gaps identified across the relevant business areas.
5. Implement UBO Gap Resolution Plans: Implement the agreed changes required to remedy the gaps identified across the relevant business areas.
6. Provide Assurance: Test if the outcome and desired benefits have been realised and are effective and proportionate to the risks and requirements.

[1] 5^th EU Anti-Money Laundering Directive (5MLD) came into effect on 10 January 2020.

[2] The beneficial owner, in the case of a corporate entity, is defined as the natural person who ultimately owns or controls, directly or indirectly, more than 25% of the shares or voting rights, or controls the entity through other means.

[3] The 2016 Panama Papers and the 2017 Paradise Papers leaks, published by the International Consortium of Investigative Journalists, demonstrated that individuals who control assets can remain behind the scenes by setting up anonymous companies and using these companies for tax abuse, see https://www.icij.org/

[4] https://www.wsj.com/articles/stepson-of-malaysias-najib-razak-bought-34-million-london-house-with-1mdb-funds-1463634207 ; https://www.icij.org/investigations/panama-papers/20160404-azerbaijan-hidden-wealth/ and https://www.icij.org/investigations/panama-papers/artful-dodgers-us-senate-finds-billionaire-putin-pals-evaded-sanctions-through-art-deals/

[5] https://www.occrp.org/en/investigations/7698-report-russia-laundered-billions-via-danske-bank-estonia and https://www.occrp.org/en/troikalaundromat/