Determining the ultimate beneficial owner (UBO) of individuals and companies your firm does business with can be a tricky thing.

What is ultimate beneficial ownership?

Beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted, according to the definition from the Financial Action Task Force. It also includes those persons who exercise ultimate effective control over a legal person or arrangement, the FATF said.

 

In the United States, the Corporate Transparency Act, passed in 2021, defines a beneficial owner as an individual who holds at least a 25 percent stake in the entity’s capital, at least 25 percent of the voting rights, and is a beneficiary of at least 25 percent of the legal entity’s capital.

Find out too little about your customers and counterparties, and your firm unknowingly could be partnering with sanctioned individuals, terrorist groups, or money launderers. Tasking a compliance department to ferret out who is behind every bank account and shell company in your firm’s network, though, is impossible using manual processes.

So, where is the sweet spot on understanding the UBO of the entities your firm does business with? And what technology is available to get you there?

First, there is the black-and-white issue of whether your firm can do business with sanctioned entities or individuals, even unknowingly. The Office of Foreign Assets Control (OFAC) bars U.S-based companies from doing business with all sanctioned individuals. The sanction system is based on the idea of strict liability, said Carlton Greene, partner with law firm Crowell & Moring.

“OFAC doesn’t care if you didn’t mean it or didn’t know you were doing business with a sanctioned individual,” he said.

During an investigation into a possible sanction violation, OFAC will want to learn how much effort the firm put into understanding the beneficial ownership of its counterparties.

“The more reason you had to think you might be dealing with a sanctioned entity, the more diligence OFAC expects you to do,” Greene said.

But doing nothing is not an option, either. OFAC recently sanctioned Tornado Cash, an Ethereum-based virtual currency mixer, over allegations the platform “failed to impose effective controls” to stop the laundering of proceeds from cybercrime.

“OFAC is sending a message that having no due diligence of any kind is not acceptable,” Greene said. “You can’t have zero protocols or compliance capabilities and hope to escape consequence.”

“You can’t have zero protocols or compliance capabilities and hope to escape consequence.”

Carlton Greene, Partner, Crowell & Moring

OFAC also expects companies to share information internally. One department at a firm might be aware of a risk of doing business with a sanctioned individual but not share that information with, say, compliance.

“Any and all reasonably available information ought to be shared,” Greene said.

Some firms maintain separate databases for know your customer (KYC) and sanctions compliance, which creates a lot of inefficiencies, said Ted Datta, head of the financial crime compliance practice for Europe and Africa at Moody’s Analytics. Businesses “should consider drawing those two streams of information together” in one database, he said.

The International Compliance Association, a sister company to Compliance Week under the umbrella of Wilmington plc, earlier this year relayed best practices for identifying UBOs, including:

  • Unwrap corporate structures and understand the chain of ownership and differing legal requirements in a range of jurisdictions;
  • Identify any political connections, including links to politically exposed persons (PEPs);
  • Ascertain whether there is any sanctions exposure or potential to circumvent sanctions;
  • Determine whether the structures make economical or business sense;
  • Have in place a clear escalation process;
  • Document (and follow) a procedure for de-risking, which might involve termination of client relationships;
  • Provide training to staff at all levels, including the board of directors and senior management;
  • Engage senior management at all relevant stages of the client relationship (including approving high-risk relationships); and
  • Encourage staff at all levels to report any suspicions promptly.

UBO technology options

The most efficient UBO investigations require an understanding of your firm’s risk appetite and appropriate technology to automate searches. Here are a few tech suggestions:

  • Software that blocks all attempts to access a firm’s services via IP addresses from sanctioned jurisdictions. The software should also create alerts for all such attempts.
  • Software that collects all publicly available information about sanctioned individuals and entities in a searchable database. The database should not be limited to UBO registries but should include information and original documents collected from company registries, court records, real estate registries, and specialized company registration databases for things like intellectual property.

    Information can also be found in China’s corporate registry database and with the Russian Central Bank, which both require corporations in those countries to file UBO details. Sometimes information assumed to be hidden in opaque registries like Guernsey, the British Virgin Islands, or the Cayman Islands are revealed in some of these other databases.

    “There’s a lot we can learn about offshore companies and the people behind them using legally disclosed public data, if we know where and how to look for that,” said Jessica Abell, vice president of solutions at Sayari, during a Compliance Week webcast on unmasking offshore holdings of Russian oligarchs using public data. Sayari is an information vendor which maintains a database of more than two billion corporate disclosure documents.
  • Many financial institutions only conduct KYC and beneficial ownership checks every three to five years. Proactive and perpetual monitoring software allows firms to monitor changes as they are filed, as well as track the negative media on particular individuals or entities.

    “Perpetual monitoring provides notification of a change in UBO without waiting for a customer to notify. That’s really important data to capture. When the UBO changes, the risk changes,” said Datta. “It’s really going to change landscape.”
  • In the digital asset space, software can trace ownership through blockchain analysis and track patterns connected to different assets and wallet addresses to known threat actors, including sanctioned individuals, Greene said.

“The key is to try to automate sanctions compliance,” said Greene. “You’re looking for solutions that draw connections between different pieces of information, some of which is very difficult to access, to give you a complete threat picture.”