How to Meet Regulatory
Requirements, Expectations and Best
Practices in the Face of Persistent
Obstacles
Beneficial
Ownership
An insider’s view versus an auditor’s
perspective
Nadine N. Al Shirawi
[BENEFICIAL OWNERSHIP] 2015
Executive Summary:
Ultimate beneficial ownership (UBO) is perceived as one of the primary challenges in antimoney laundering/counter-terrorist financing (AML/CTF) efforts. The related obstacles to
detecting and verifying the ultimate beneficiary of financial transactions and business
relations in AML/CTF-related investigations forms part of an existing hot debate in literature
and the industry. In this paper, beneficial ownership will be explored from a procedural
point of view as well as from an AML auditor’s perspective. The issue will particularly be
investigated from a local point of view, analyzing whether there are localized more
significant challenges pertaining to doing business in the Middle Eastern/GCC region, such
as a large number of politically exposed persons (PEPs), high-net-worth individuals,
charities, and private trusts and often nontransparent nature of doing business. Being a
nontaxable jurisdiction, publicly available information on natural persons and legal entities
in the GCC region is quite limited.
With increasing technological innovations in banking, anonymity has progressively become
a feature of doing business, such as with mobile banking, Internet banking and straight
through processing or electronic near real time fund transfer systems, as opposed to
conventional branch initiated transactions. This has added a further dimension of difficulty
to the successful detection of beneficial ownership for any business relation or transaction.
With increasing non-face-to-face interaction in banking and the global reach of various
regulatory requirements such as the Foreign Account Tax Compliance Act (FATCA),
detection of UBO has become increasingly crucial. Its importance, the associated challenges
and the related risks have become over reaching and are not just confined to a single
regulatory jurisdiction. The risks are not only related to money laundering or financing of
terrorism but also to other criminal or illicit activities such as tax evasion and corruption.
Then comes the ever persisting question of how far do we need to go in order to successfully
detect UBO? What is expected as per the regulations and what is viable considering the
challenges? What is considered as effective or efficient detection and is it actually a fully
attainable goal? How do we identify UBO through establishing underlying supporting
processes, procedures, controls and systems? What are the risks related to the inappropriate
and ineffective detection of such information and what controls may be established to
minimize those risks? How can the question of how far to go be tackled from the two differing
perspectives: a business insider versus an independent auditor? Finally, how can an
independent party, such as audit, review controls in order to recommend enhancements and
ACAMS: advanced audit certification
Page 1
[BENEFICIAL OWNERSHIP] 2015
detect weaknesses in the identification of beneficial ownership? How can an auditor best
assess and judge the effectiveness and adequacy of processes and procedures established to
detect UBO?
As the topic is relatively new and indecisive, there is still insufficient guidance on
UBO. Hence, AML professionals in the industry and regulators need to develop such
guidance gradually through the sharing of experiences, knowledge and professional advice.
This paper is an attempt to analyze existing views from a critical perspective and an effort to
come up with practical recommendations in order to enhance the current assessment,
controls and processes.
The Definition of Beneficial Ownership
UBO cannot be directly or completely defined. It is a highly subjective term, which depends
on the case, relation or transaction under analysis. It is about assessing control and often
analyzing multiple layers. Legal ownership may not necessarily reflect UBO, nor for that
matter the provision of funds. Beneficial ownership is ultimately about exercising control
and authority. Hence, conventional customer due diligence (CDD) practices may not be
sufficient to assess UBO since they are tailored to direct and straightforward customer
assessment. Assessing who the customer is acting on behalf is a different and more complex
exercise than merely direct customer assessment. In fact, beneficial ownership identification
should be an integral part of CDD procedures, or at least of the enhanced due diligence (EDD)
process.
The Financial Action Task Force (FATF) defines UBO as “the natural person/s who ultimately
owns or controls a customer and/or the person on whose behalf a transaction is being
conducted. It also incorporates those persons who exercise ultimate effective control over a
legal person or arrangement.” 1 Determining beneficial ownership involves a two-step
approach of identification, as well as taking reasonable measures to verify the established
identity and to understand the ownership and control structure of the customer. Both
identification and verification measures may be risk based. Ultimate effective control refers
to “situations in which ownership/control is exercised through a chain of ownership or by
means of control other than direct control.”
According to the Wolfsberg Group, “beneficial owners should, for money laundering
purposes, be broadly conceived of as including the individuals i) who generally have ultimate
control over such funds through ownership or other means and/or ii) who are the ultimate
“Transparency and Beneficial Ownership,” FATF, October 2014, http://www.fatfgafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf
1
ACAMS: advanced audit certification
Page 2
[BENEFICIAL OWNERSHIP] 2015
source of funds for the account and whose source of wealth should be subject to due
diligence.” 2 Beneficial ownership is therefore about the control rather than provision of
funds, and about beneficial interest rather than legal title.
In the U.K., control is defined as an ownership stake of 25 percent or beyond, although in
general beneficial ownership indicates control or on whose behalf a transaction is being
conducted, regardless of the ownership stake held. Therefore, controllers may be indirect
owners, even if it means that their ownership stake is lower than the specified identification
threshold.
In the U.S., regulations such as the USA PATRIOT Act and FATCA with global reach, include
requirements on ascertaining beneficial ownership, from the perspective of foreign financial
institutions with presence in the U.S. through correspondent banking for the former, and for
U.S. nationals resident outside the united states for the latter. With the introduction of such
regulations, beneficiary assessment has become even more imperative, as the risks and
reputational risks have significantly increased and the customer base is no longer confined
to a single regulatory jurisdiction. Even for local retail banks, this still applies, with the
opening of nonresident accounts or even for resident customers with varying nationalities
or dual nationalities, as well as for their U.S. correspondent banking relations.
The Financial Crimes Enforcement Network (FinCEN) has proposed a two test approach to
beneficial ownership identification as per the following:
•
Ownership test which requires the identification of any person owning 25 percent or
more of the shareholding of a legal entity customer
•
Control test requires the identification of any person with significant responsibility to
control, manage or direct the legal entity customer
In
the
financial
crime
module
of
the
Central
Bank
of
Bahrain
(CBB) rulebook, banks in Bahrain are obligated to formulate a risk-based approach to
beneficial ownership identification. Before opening of an account, the bank has to ascertain
whom the customer is acting on behalf. An attestation is collected from the customer upon
onboarding. As per the CBB rulebook,
“Conventional bank licensees must establish and verify the identity of the customer and
(where applicable) the party/parties on whose behalf the customer is acting, including the
2
The Wolfsberg AML Principles: Frequently Asked Questions with Regard to Beneficial Ownership in the Context
of Private Banking,” 2012, http://www.wolfsberg-principles.com/pdf/faq/Wolfsberg-FAQs-on-BeneficialOwnership-May-2012.pdf
ACAMS: advanced audit certification
Page 3
[BENEFICIAL OWNERSHIP] 2015
beneficial owner of the funds. Verification must take place in accordance with the
requirements specified in this Chapter.
Licensees must also obtain and document the following due diligence information. These due
diligence requirements must be incorporated in the licensee’s new business procedures:
(a) [I]nquire as to the structure of the legal entity or trust sufficient to determine and
verify the identity of the ultimate beneficial owner of the funds, the ultimate provider
of funds (if different), and the ultimate controller of the funds (if different);
Conventional bank licensees must have appropriate risk management systems to
determine whether a customer or beneficial owner is a politically exposed person (PEP)
or a person who is or has been entrusted with a prominent function by an international
organization, both at the time of establishing business relations and thereafter on a
periodic basis.”3
Is beneficial ownership customer specific?
Beneficial ownership cannot be defined or interpreted in abstract, as it would depend on the
circumstances of the account being analyzed. The type of account—whether a natural
person, legal entity, trust, charity or association—would almost dictate how and what would
need to be collected in terms of beneficial ownership information.
Beneficial ownership is thus highly customer specific and would depend on the risks
associated with the customer under analysis and the type of customer. In addition, there are
regional and local specific challenges and impediments to successfully obtaining accurate
beneficial ownership details such as the lack of overall transparency, little shared
information and limited public disclosures, confidentiality issues related to PEPs and highnet-worth individuals, and the existence of a large number of charities and trusts often with
disguised ownership structure.
The conduct of beneficiary ownership assessment would differ if the customer is an
individual or legal entity, if for a listed company or private partnership or SME, if for a PEP
or a semi-government foundation, if for a charity or for a trust, just to provide a few examples
that would reflect how the process cannot be uniform.
When do we conduct and detect beneficial ownership
“Financial Crime Module,” Central Bank of Bahrain,
http://cbb.complinet.com/cbb/display/display_viewall.html?rbid=1820&element_id=5295
3
ACAMS: advanced audit certification
Page 4
[BENEFICIAL OWNERSHIP] 2015
The review and assessment of beneficial ownership is completed at intervals similar to
ongoing CDD or updating know your customer (KYC) information. It is important to
complete it at customer onboarding and acceptance, as well as throughout the relationship
during transactions monitoring. These processes will validate the established customer
profile.
In addition, during the regular scheduled cycle of a KYC update, beneficial ownership would
need to be reassessed, being a non-static feature. Therefore, changes in the size, volume or
nature of transactions may signal changes in the control of the relationship. Hence, when a
customer conducts an occasional significant transaction, carried out other than as part of a
normal business relationship or when there is suspicion of money laundering or doubts
regarding the inadequacy or authenticity of customer documentation obtained, beneficial
ownership information previously collected needs to be reviewed.
The CDD process, depending on the policies and procedures of the bank and the applicable
regulatory requirements, may include identification of beneficial ownership for all
established relations or at least for higher risk relations. CDD process therefore becomes not
only about identifying and verifying the customer, source of funds, purpose and intended
nature of relationship but also about identifying beneficial ownership on a risk sensitive
basis and about establishing measures to understand the ownership and control structures
of a person or legal entity.
For occasional or walk-in customers, detection of beneficial ownership is also crucial and
would depend on the perceived risk. If for instance, the transaction conducted by a walk-in
customer is significantly large, then such assessment may be necessary. In Bahrain, as per
the financial crime module of the CBB rulebook, any transaction for an occasional customer
beyond the regulatory threshold is subject to full KYC requirements, such as with opening an
account.
Challenges and Controls: The Risk-Based Approach
According to the financial crime module of the CBB rulebook, a customer needs to declare
who he or she is acting on behalf upon initial onboarding. However, declaring such
information may not necessarily lead to the detection of UBO or who exercises control over
the relationship, the transactions and the funds in the account.
However, how far do we go in order to assess who the customer is acting on behalf, and who
possesses actual control on the funds and transactions? This will greatly depend on the risk
ACAMS: advanced audit certification
Page 5
[BENEFICIAL OWNERSHIP] 2015
assessment of the relationship. The opening of an employee account for the purpose of direct
salary transfer and normal daily expenses may not require detailed beneficial ownership
assessment to the extent needed when opening a private trust account or opening an account
for a financial organization, with major shareholding held by a trust, known informally to be
controlled by a PEP, but with public disclosure details not available due to the strict
confidential nature of this link. The more complex the relation and the higher its associated
risk, the more layers to be reviewed in order to effectively detect UBO.
Money laundering, terrorist financing and other types of illicit or illegal activities such as tax
evasion, corruption and embezzlement may be risks or consequences of inadequate
identification of UBO. While complete and accurate beneficial ownership identification may
not be fully attainable or achievable, risks may be effectively mitigated through process and
system enhancements and improvement of controls. Policies and procedures need to
describe when and how beneficial ownership assessment has to be conducted. Training
programs need to raise awareness on what defines and constitutes beneficial ownership and
how it may be identified. KYC documentation and update needs to be risk based and robust.
Automated AML system, if implemented, should signal changes in behavior or nature, type
and size of transactions and thereby facilitate monitoring efforts to review and update
established profile. Identification of beneficial ownership is critical in helping to identify
potentially suspicious activity through better understanding of the relations involved.
Understanding ownership and control, both direct and indirect, is instrumental to the
effectiveness of the KYC process and the reporting of STRs.
As per FATF, “in general, the lack of adequate, accurate and timely beneficial ownership
information facilitates money laundering and terrorist financing by disguising:
• The identity of known or suspected criminals
• The true purpose of an account or property held by a corporate vehicle, and/or
• The source or use of funds or property associated with a corporate vehicle.”4
With innovation and technological advancement, non-face-to-face business has become
common. The difficulty of finding out the details of beneficial ownership and its verification
is aggravated due the inevitable indirect nature of the relationship. Innovation and
globalization have also increased the anonymity and opacity of relations and transactions.
The challenge is how to set controls in order to ensure adequate documentation and
understanding of the relation, transaction and its control, despite this opacity.
“Transparency and Beneficial Ownership,” FATF, October 2014, http://www.fatfgafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf
4
ACAMS: advanced audit certification
Page 6
[BENEFICIAL OWNERSHIP] 2015
Verification of beneficial ownership is yet another challenge. Verification is a step in the
beneficiary assessment which follows initial identification and should ideally also be risk
based. Similar to EDD requirements, the verification of beneficial ownership involves
collecting additional supporting documentation and is often conducted for higher risk
relations and non-face-to-face business.
Banks may not necessarily need to be proactive in beneficial ownership searches. Banks
should, however, take a risk-based approach and should have appropriate and adequate
measures so that they are satisfied that knowledge of who the customer is acting on behalf
is well established, where it appears that the customer is not acting on his own behalf or in
complex and higher risk relations. Information may be gathered from public sources,
government registers or directly from the customer through extensive or EDD. The primary
objective is to understand who ultimately controls the relation, directly or indirectly. This
will provide a clearer understanding of the risks associated with the relation. However, the
gathering of information also has an associated cost and therefore should also be risk
sensitive. Nevertheless, countries as per the FATF are mandated to ensure that beneficial
ownership information related to legal persons is accessible in a timely manner by
competent authorities and obliged entities in order to tackle the risks raised by the opacity
of legal persons and arrangements. Regardless, practice dominant in the industry is often to
collect information pertaining to the first layer of ownership through sourcing information
from company or public registers due to the lower cost of this approach. With corporate
structures this is usually insufficient in order to fully understand the ownership structure
back to the ultimate beneficial owner/s. While ensuring full compliance with beneficiary
evaluation guidelines might be challenging and costly, adopting and following a risk-based
approach may be the best practical alternative to comply, but at a reasonable cost and scope.
Finally while confidentiality concerns, lack of transparency issues and inadequate
disclosures are global challenges in the banking industry, it may be argued that such
challenges are more pronounced in the Middle East and GCC region due to the lack of tax
related reporting and other credible forms of reporting to the government or regulator in
many of the countries, as well as the large population of PEPs and their networks often with
significant control in government and industries and opacity of the significant number of
trusts, associations and charities. Therefore, banks are likely to face more challenges related
to the identification of beneficial ownership in that region. In many countries, legal
structures, regulatory guidelines, information registers and general awareness are either yet
to be developed or are quite underdeveloped. Thus, it is insufficient to recommend controls
at a business level without reviewing the legal and regulatory framework and environment
in which those businesses operate. An effective solution would be both internal to an
organization and external to the industry and legal and regulatory framework in which the
organization functions.
ACAMS: advanced audit certification
Page 7
[BENEFICIAL OWNERSHIP] 2015
Audit Perspective
Any successful audit should be risk sensitive and should include and produce a risk
assessment of issues raised and recommendations provided. In the context of UBO, any audit
review would inevitably include judgment based on the calculated risks. Audit should review
policies and procedures, as well as controls and systems, but only after an appropriate risk
assessment is conducted. This risk assessment should take into consideration the overall risk
imposed on the bank related to failure to conduct effective UBO review as well, as the relative
risks imposed by the business relations, delivery channels and the transactions involved.
Only then would the output of the audit include recommendations which are customized and
beneficial to the organization to practically implement and apply.
The audit team should define at the very initial stage what would be considered as adequate
UBO given the nature and type of relationships and their associated risks in the bank under
review. The assessment is likely to be somewhat subjective as it would be case sensitive and
risk related. Judgment will need to be exercised to evaluate whether the identification
process is commensurate with the perceived risks and whether the controls are well
established and effective to facilitate this identification and mitigate the related risks.
The auditor should consider business perspective during the review, in terms of procedures
to be followed and challenges or obstacles faced, yet also move away from such a confined
business view in order to be able to recommend further enhancements and improvements
to the existing framework, from an independent perspective.
Audit should identify what information needs to be collected in order to acquire a
representative sample of bank’s customers and their relevant range of risks. Audit needs to
review documentation collected, verification conducted, reviews performed and at what
intervals, as well as adherence to policy, procedure and controls. As part of the review,
physical testing may be conducted by the audit team. Therefore, the auditor will (through a
selection of sample relations) conduct an assessment on how successful the identification of
beneficial ownership is relative to the case analyzed and risks involved.
The review may be simple and direct for straightforward low risk relations but for higher
risk more complex relations, an auditor would need to assess whether controls exist and are
effective to enable an organization to eliminate the risks associated with a lack of or
inadequate beneficial ownership identification. Total mitigation may not be possible
however. Audit still should review the existing controls, adherence to policy and procedure,
ACAMS: advanced audit certification
Page 8
[BENEFICIAL OWNERSHIP] 2015
overall awareness and then detect weaknesses and recommend improvements in order to
help the organization reach closer to its goal of robust KYC and beneficial ownership
documentation and recording.
Although such an audit may not be perceived as fully objective or systematic, it may be the
only method through which beneficial ownership may be adequately and effectively
reviewed independently. Adherence to specified thresholds of identification may be
straightforward but if the auditors only place focus on compliance with such defined criteria,
then it is likely that when reviewing higher risk and more complex relations, UBO
information would never be completely tackled. Being subjective is about being considerate
and thoughtful to the spirit of the regulations related to understanding control structures.
Evidently no specific threshold or number of layers to analyze can be prescribed in general,
as it depends on the cases and type of customer under analysis. Audit needs to review to
what extent the business performs beneficial ownership identification away from any
limited definitions or shareholding proxies.
An audit of beneficial ownership may therefore never be based on a defined checklist. It must
include a sample review of relations from varying types and risk ranges. While in CDD
review, a list of documents and information details may be reviewed relevant to regulatory
and policy requirements. With beneficial ownership review, it would depend on the nature
of the relation, type of customer and related risks and therefore no general list of information
or documents may be used.
In performing such a review, the auditor may at a sample basis perform the actual
identification independently and compare the results with what the business has collected,
so as to adopt a more informed and independent evaluation perspective. In the cases
analyzed, the question would be: Have the bank officials gone far enough to successfully
reach comfort that beneficial ownership has actually been detected? Was the assessment
conducted by the bank risk sensitive? What sources have been utilized? Are controls in policy
and procedure adequate to encourage bank staff or officials to perform such an enhanced
review, especially for legal arrangements and higher risk relations? Does an automated
monitoring system exist and is ongoing scrutinization performed in order to test the
accuracy and consistency of profiles established? How often and in what cases does
beneficial ownership information need to obtained, reviewed or reassessed?
Finally, the audit cycle should ensure high periodicity due to the high risks associated with
improper and inadequate ultimate beneficiary detection.
Although the review specified in this section is internal to the organization, there is yet a
broader review that needs to be conducted by the regulators and countries in order to ensure
ACAMS: advanced audit certification
Page 9
[BENEFICIAL OWNERSHIP] 2015
that an enabling legal, regulatory and business environment is established with guidelines
on overall beneficiary assessment, sharing of information, minimum disclosures, etc.
Conclusion
Beneficial ownership identification depends largely on the customer case being handled as
well as on regional and cultural factors. There is no objective or straightforward answer to
what beneficial ownership constitutes. It is case specific and judgmental. In almost all cases,
appropriate judgment and assessment would need to be exercised whether by the business
employee, MLRO or the AML auditor. However, informed judgment is paramount, meaning
that you must be aware of direct and indirect control structures and frameworks.
Establishing effective controls in systems, processes, policies and training/awareness
programs is critical for building an organizational culture which is sensitive to the
importance of finding and detecting UBO. Auditors should independently test that controls
in training, awareness, documentation, policies and systems are well established and
efficient in achieving their intended goals.
Beneficial ownership identification may lack uniformity due to the customer specific
dependency of the information. However, the overall processes and procedures should
ideally be risk based and should emphasize control over legal entitlement as an underlying
concept.
However, as previously indicated, solutions internal to the organization should be
complemented by a supporting regulatory environment, which clearly specifies related
guidelines and expectations and encourages the accessibility and sharing of information on
beneficial ownership. A checklist approach may not be possible or beneficial; however,
availability of information and its sharing is key.
UBO may not be fully achievable in all cases. However, effective controls both inside and
outside an organization will impact how far and how successful it is attainable.
References:
“The Wolfsburg AML principles: frequently asked questions with regard to beneficial
ownership in the context of private banking.” The Wolfsburg group, 2012.
ACAMS: advanced audit certification
Page 10
[BENEFICIAL OWNERSHIP] 2015
Mcdermott, Hugh. “Ultimate beneficial ownership: an AML/CFT challenge: approaches,
issues and challenges.” Charles Sturt University, Australian graduate school of policing.
Allen, Daren. “The risk based approach: beneficial ownership: AML challenges.” Berwin
Leighton Paisner, 27 February 2014.
FATF guidance. “Transparency and beneficial ownership.” October 2014.
Shearman & sterling. “FINCEN proposes new rule requiring identification of beneficial
owners.” September 2014.
ACAMS: advanced audit certification
Page 11