4th

Aug

With the Transparency Register and Financial Information Act (TraFinG), the German legislature transposes the applicable EU Directives (EU) 2015/839 (Money Laundering Directive) and (EU) 2019/1153 (Financial Information Directive) into German law.

The conversion of the transparency register from a backup register [1] to a full register and the EU-wide interconnection of registers are intended to enable a fast and simple communication between the member states and Europol. For this, the EU stipulates the use of structured data records in a uniform data format at country level.

The transparency register has been in existence since October 1, 2017. Legal entities under private law and registered partnerships pursuant to §§ 18 et seqq. German Anti-Money Laundering Act (AMLA) are obliged to obtain information on the beneficial owner[3] pursuant to § 19 (1) AMLA, to retain it, to keep it up to date and to immediately notify the register-keeping office for entry in the electronically-maintained transparency register. The objective of the transparency register and its EU-wide interconnection is to combat money laundering and terrorist financing, to create transparency with regard to beneficial owners and also the joint use of account and financial information for the purpose of preventing and prosecuting serious crimes.[4]

The previous backup register

Due to the so-called "fiction of notification" according to § 20 Section 2 AMLA, the previous backup register did not contain complete data records but referred to a different subject register (commercial register, register of persons, etc.) with information on or documents about the beneficial owner, depending on the data situation. In these cases, no separate entry in the transparency register was necessary until now. This was only obligatory if no information was contained in the registers listed in § 20 Section 2 AMLA. Since the data used and stored in the respective registers was not available in a uniform data structure, it could not be used for the interconnection of the transparency registers according to the EU Directive. 

Changes due to the conversion into a full register 

General changes

Due to the conversion into a full register, legal entities pursuant to § 20 Section 1 AMLA, legal persons under private law and registered partnerships as well as foundations without legal capacity pursuant to § 21 AMLA must now not only identify their beneficial owner but also explicitly report it to the transparency register due to the fiction of notification superseded in the TraFinG. The accuracy of the data is henceforth the responsibility of the respective legal entities. Misrepresentations, failure to comply with the obligation to notify and update of the data will be punished by the Federal Office of Administration (BVA) as administrative offenses. It remains to be seen whether § 17 OWiG (German Administrative Offenses Act) will be relevant for the amount of penalties in these cases and what the consequences of the sanctions will be. The notification obligation became effective in the form of the TraFinG on August 1, 2021, but there are transitional periods depending on the legal form in which the periods for the upcoming first-time reports are staggered.[5]

Changes for obligated parties pursuant to § 2 AMLA

For obliged parties pursuant to § 2 AMLA, § 11 Section 5 AMLA new[6] stipulates that the collection of information on beneficial owners in the case of new customers and/or initial contacts "shall be carried out by the contracting party or, if applicable, by the person acting on behalf of the contracting party". Another change relates to already existing business relationships. Pursuant to §12 Section 3 Sentence 3 AMLA new, the duty of verification is satisfied with the inspection of the transparency register, provided that the information there corresponds to the information collected pursuant to § 11 Section 5 AMLA new. If there are doubts about the accuracy of the data and/or the identity of the beneficial owner, further identification measures must be taken. This leads to a considerable saving of time and greater efficiency in the verification of existing business relationships. 

Changes for listed companies

Listed companies were previously exempt from the notification obligation, but this changes with § 3 Section 2 Sentence 5 AMLA new. In the future and like other legal entities, listed companies must also report their beneficial owner to the transparency register according to the existing guidelines of § 3 AMLA.

Changes for associations based abroad in the case of share deals

Due to an amendment to § 20 Section 1 AMLA, associations with registered offices abroad shall also be obliged to report their beneficial owners to the German Transparency Register if they simultaneously obtain ownership rights to a domestic property pursuant to § 1 Section 3 Gewerbesteuergesetz (GrEStG (German Trade Tax Act)) by means of a so-called share deal, i.e. by acquiring shares in a domestic company.

Implementing agencies at federal level

The Federal Gazette Publisher (Bundesanzeiger Verlag) is responsible for maintaining the register. Following the EU Directive requirement, the German Federal Office of Justice (Bundesamt für Justiz (BfJ)) and the German Federal Criminal Police Office (Bundeskriminalamt (BKA)) are designated by the German Federal Government for account retrieval and account data exchange with Europol. The BKA is also the central office for the EU-wide exchange of financial information and available for the access to the exchange of information with the German Central Financial Transaction Investigation Authority at federal level.[7]

Conclusion

The conversion of the backup register into a full register is generally regarded as a positive step towards a more effective fight against money laundering and terrorist financing, but even after the introduction of the TraFinG, questions remain regarding its effectiveness and sustainability.

The effectiveness of the interconnection of the European transparency registers with regards to data quality must be critically questioned. The transparency registers of the individual member states must consist of uniform, structured data records according to the EU Directive, but the individual national legislations are not based on uniform requirements for the data collection of beneficial owners. To this end, an EU-wide regulation on the collection of beneficial owner data should be introduced so that every EU member state has the same standard in the data collection process and to increase the data quality of the transparency registers.

In addition, the register-keeping body does not verify the content of the reported data, so that false reports are more or less only noticed by chance, for example through discrepancy notifications. According to the "Transparency Register – Questions and Answers to AMLA of 09 February 2021", these discrepancy notifications must be submitted by obligated parties pursuant to § 2 Section 1 AMLA and some authorities via the website of the transparency register. Discrepancies exist if the own findings on beneficial owners differ from the data entered in the transparency register. In practice, this will rarely be the case especially in the case of beneficial owners that are considered as being critical. Accordingly, consistently misstated data cannot be identified if, for example, a legal entity, which is subject to the notification obligation, reports an incorrect beneficial owner to the transparency register and reports the same information to an obliged party in the course of establishing a business activity. Since the obligated party is responsible for the identification and the ongoing verification of the accuracy of the data on the beneficial owner, these do not represent a discrepancy with the transparency register in the example given and therefore do not lead to a discrepancy notification.

Transactions with contractual partners with nested corporate structures abroad entail an increased risk per se. It is precisely such structures that conceal the actual beneficial owners very well, so that it is difficult to uncover them even in the course of a sound analysis. The interconnection of the transparency registers supports the identification of beneficial owners, which are already difficult to identify, only to a very limited extent, as § 3 Section 2 Sentence 5 AMLA states: "If no beneficial owner can be identified after comprehensive checks have been carried out, the legal representative, the managing shareholder or the partner of the contracting party shall be deemed to be the beneficial owner.” This means that it will not be less difficult to identify persons, which could not be identified by the obligated parties and other legal entities so far, even with the reporting obligation in place, so that possibly only the so-called fictitious beneficial owners are reported again in particularly difficult cases. Thus, the identification of the beneficial owner remains unresolved, both in terms of the problem and the methodology. Only the ongoing audit requirement of the obligated parties to examine the full register is facilitated and time is saved. The significantly greater effort and thus also the greatest risk in the form of the "initial identification" of the beneficial owners remains unaffected by the conversion to a full register.

Despite the weaknesses listed above, the ultimate effectiveness of the EU-wide interconnection of the transparency registers will become clear after the first round of evaluation, when the first figures and cases are published by the responsible EU and German federal authorities.

 

 

[1] A backup register "backs up" data (in our case data on beneficial owners) that are not listed in any other subject register. Thus, only sporadic data are available in the backup register, including references to other registers. Only if data are not entered into any other register it must be listed in the backup register. Therefore, the backup register only contains data on beneficial owners that are not entered anywhere else.

[3] Who is subject to the term beneficial owner is governed by § 3 AMLA.

[4] Compare BT Drucksache (printed document) 19/28164 p. 30.

[5] If no natural person is identified as beneficial owner, the fictitious beneficial owner is reported to the transparency register pursuant to § 3 Section 2 Sentence 5 AMLA. This has been confirmed by the Bundesverwaltungsamt’s (BVA (German Federal Office of Administration)) "Questions and Answers on the Money Laundering Act", as of 09.02.2021.

[6] AMLA new refers to the amendments to the AMLA that already became effective in the course of the introduction of the TraFinG.

[7] Compare BT Drucksache (printed document) 19/28164 p. 2.

21st

Jul

Authorities and financial institutions (FIs) are highly aware of the challenge of detecting financial crime. Modern criminals are using increasingly more complex structures and are acting across multiple financial institutions and jurisdictions. Parties, such as FIs, FIUs , and law enforcement, operating alone encounter challenges in the identification and tracing of suspicious behavior. Therefore, collaborative information sharing among private organizations (e.g., FIs) and public authorities (e.g., FIUs, law enforcements, and regulators) is needed in order to detect highly networked activities in money laundering, terrorist financing, or consumer fraud (domestic and global).

However, the crucial point in sharing customer and transaction data is the restrictions imposed by data privacy laws. The protection of privacy and the individuals’ right to control their personal information are a core value of modern society, which is why every institute has to ensure that the stored data is kept confidential and secured. The question is, how can we solve the dilemma of analyzing data across multiple participating organizations and protecting it at the same time? One central and promising approach is the so-called privacy-enhancing technology (PET), which aims at enabling participants to analyze and share data without disclosing any sensitive personal information.

Going one step further, one has to ask how the appliance of privacy preserving analytics can be used to tackle financial crime. This question has been observed by the Future of Financial Intelligence Sharing (FFIS) program. In January 2021, the FFIS published an Innovation and Discussion Paper, which analyzes how cryptographic technology can be of use in the detection of financial crime. Having tested 10 different PET providers in a case study, the FFIS delivered insights into the status of development, capabilities, and challenges of this technology.

The tested technologies are based on encryption and allow the requesting party to send a query to a data owner without disclosing it. The execution of the computations takes place in encrypted format and the results will not be decrypted before they are sent back to the requestor’s own trusted environment. Therefore, neither sensitive data is shared with the requestor nor are the sensitive query parameters shared with the data owner. Also, it is important to mention that PET providers use different functionalities and work in different parts of the compliance world. Some of them can work together, others are rather isolated.

Technology Capabilities & Challenges
Privacy-enhancing technology can be used to check external sets of data in order to gain new information about matching customer profiles, transactions, or Suspicious Activity Reports (SARs), and helps to detect discrepancies in the client reference data (e.g., via reports). This can lead to identifying differences in data, setting indicators of discrepancy detection, detecting suspicious behavior, or even generating a set of reference data for the market.

The collaboration in transaction analysis can be useful to analyze the payment behavior and to identify “risky money flows” through different financial institutions while performing computations. Furthermore, the aggregated information can help to detect unusual behavior among different participants. Ideally, this would be used in the future to also collaborate cross-border.

The capabilities of this technology reach up to machine learning on a group wide approach across different countries. Data from subsidiaries of a group in non-domestic countries can be incorporated for a machine learning algorithm without sharing the underlying data. This approach could even be applied within different parties who want to enrich their machine learning capabilities with combined data.

Not only the private sector but also the above-mentioned public entities and public private partnerships (e.g., AFCA in Germany, JMLIT in UK, or APPPI in Austria) can benefit from this new technology. Using a platform to connect databases across a network of financial institutions generates a bird-eye-view and helps to identify suspicious patterns.

All in all, it is easy to see how PETs are offering a great potential in new technology which can help public and private participants to act more efficiently against financial crime. Also, PETs constitute a valuable approach for future collaborations in this fight. That is why FFIS has a point in analyzing this option on a long-term basis as criminal organizations with complex global structures have to be faced with collaborative power to detect suspicious behavior.

Still, there are many obstacles to overcome. The acceptance and the usefulness in the market is depending on many factors. Some of the key challenges are the technical complexity, the data quality, and the interoperability. FIs are already facing challenges in their internal IT infrastructures – it might be even more difficult to harmonize systems across different FIs and to support the exchange of data between private and public sectors. In addition, the costs (e.g., computational, operational, or hardware) can be tremendous, as well.

Even more critical is the legal uncertainty. Due to the high regulatory risk – there is practically no regulatory acknowledgement or guidance – companies are afraid to adopt PETs. This causes a great deal of uncertainty in the market and prevents companies from investing.

It is clear that the development of PETs cannot go without a general standard, a legal framework, and an appropriate governance, preferably transnationally harmonized for private and public collaboration. There is a need for a common regulatory approach, coordination, and guidance since the exchange of data and protection of privacy can no longer be governed separately. We need the authorities and the standard setters (e.g., FATF, Wolfsberg Group, and Egmont Group) to act quickly and to guide the development of the global fight against financial crime into the right direction. With around 10 FFIS in the EU block, the EU might be well equipped with experiences to play a leading role in this discussion. For a global approach, it would also be beneficial to include the US in this discussion and to benefit from the experiences of the US FinCEN Exchange.

Nevertheless, there are already steps taken in the right direction, which provides hope. The president of the Financial Action Task Force (FATF), Dr. Marcus Pleyer, has realized the potential of this new technology and emphasizes the need for collaboration in the public and private sector. At present, the necessity for new AML regulations constitutes a discussing point in European circles. Within the FIUs, information sharing is already common practice (e.g., multi-lateral agreements, and information sharing based on goAML) and the key for an effective detection of financial crime and legal prosecution. For instance, the Egmont Group uses a system – Egmont Secure Web (ESW) – which allows a better and secure communication among FIUs worldwide.

In summary, it can be stated that the necessary technology already exists, it just needs more attention and investment. The journey has just started and the day when PETs will play a key role in the anti-financial crime detection does not seem far away anymore. Let’s hope the regulators and the standard setters take their place quickly to support privacy-enhancing technologies. The framework needs to be created to modernize the financial crime investigations and to keep up with the technological capacities of bad actors.

Let us stay tuned on how to make information exchange easier whilst staying GDPR compliant.