On November 22nd, an appeals court in Luxembourg issued a decision that highlights the tensions between anti-money laundering (“AML”) goals and privacy concerns, and could impact impending beneficial ownership regulations to be issued under the U.S. Corporate Transparency Act (“CTA”).  Specifically, the appeals court decided that the general public’s access to beneficial ownership information (“BOI”) interfered with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union (“EU”).

Luxembourg Court Strikes Down Public Access to BO Database

In 2019, pursuant to an AML Directive to Member States of the EU, Luxembourg established a Register of Beneficial Ownership (“Register”) for information on beneficial owners of corporate entities. BOI provided by a corporate entity is generally available to regulators, law enforcement and financial institutions conducting due diligence on the corporate entity.  Further, some BOI from the Register is available publicly, including through the internet – but upon request from a beneficial owner, the administrator of the Register could place restrictions on the broad access of certain information of that beneficial owner.  To restrict public access, the beneficial owner must show that “access to [BOI] would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.”

A case was brought by two companies and their beneficial owners after the beneficial owners unsuccessfully requested that the administrator of the Register prevent public access to information concerning them. The Luxembourg district court found that the beneficial owners’ claims of privacy violations raised issues of fundamental rights under European law and sent questions to the appeals court for a preliminary ruling. As noted, the appeals court ruled that the general public’s access to BOI through the Register constituted a “serious interference” with the fundamental right of privacy granted under the Charter of Fundamental Rights of the European Union:

[I]n so far as the information made available to the general public relates to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities, that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested.

In addition, it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the [AML] objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner . . . . That possibility is all the easier when, as is the case in Luxembourg, the data in question can be consulted on the internet.

Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.

Importantly, when the appeals court balanced the right of privacy against the AML objectives of the Directive, it found that the AML objectives were critical enough to justify “even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter.” Nonetheless, the appeals court found the public nature of the Register to reach beyond the AML objectives and tip the scale in favor of privacy rights. Luxembourg’s method of storing BOI, which required a person or entity to be able to demonstrate a legitimate interest in the information before it was disclosed, did not run afoul of European privacy rights. However, the appeals court found that there was insufficient AML benefit derived from allowing public access to the Register to justify such access.  Specifically, the appeals court noted that although “the general public’s access to information on beneficial ownership ‘can contribute’ to combating the misuse of corporate and other legal entities and [public access] ‘would also help’ criminal investigations, it must be found that such considerations are also not such as to demonstrate that [public access] is strictly necessary to prevent money laundering and terrorist financing.”

Privacy Implications for FinCEN and the CTA

As we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) has issued a final rule regarding the BOI reporting requirements pursuant to the CTA. The Final Rule will require millions of corporate entities registered to do business in the United States to report their BOI to FinCEN. While FinCEN and AML watchdog groups view this development as a “historic step in support of U.S. government efforts to crack down on illicit finance and enhance transparency,” there are also those who are concerned with the privacy risks involved in housing BOI in a government database.  FinCEN still needs to issue further regulations under the CTA, including as to how the BOI data base will be maintained and accessed.

The CTA itself addresses privacy concerns in several ways, and does so in a manner that is dramatically different than the AML Directive.  For example, BOI is only available to government agencies that send a written request, including a basis for the request, and is not generally available to the public. Within the Department of the Treasury specifically, access to beneficial ownership information is limited to officers and employees whose official duties require them to inspect the information and who have been appropriately trained and authorized. Overall, the CTA requires that FinCEN “maintain information security protections, including encryption, for information reported to FinCEN . . . . and ensure that the protections . . . prevent the loss of confidentiality, integrity, or availability of information that may have a severe or catastrophic adverse effect.”

One of the most telling aspects of the CTA’s intent to protect privacy are the penalties for unauthorized disclosure of information: up to $500 per day for each day the violation continues, and/or imprisonment for up to five years. These penalties actually outweigh the penalties under the CTA for not registering as a beneficial owner, or for providing false BOI: up to $500 per day for each day the violation continues, and/or imprisonment for up to two years.

As noted, FinCEN still must issue regulations on the creation and mechanics of the BOI database. Given the privacy protections baked into the CTA by Congress, FinCEN already will be required to craft regulations that strongly protect BOI and restrict access.  Even so, the recent decision in Luxembourg should put even more pressure on FinCEN to be careful.  Certainly, the decision will provide industry commentators to the forthcoming regulations with more ammunition.

New York Considers an Alternative Approach

In March 2022, New York proposed legislation that would require limited liability companies registered in the state to disclose the names and addresses of their beneficial owners to the New York Department of State. Contra the CTA, and more akin to the EU AML Directive, the proposed legislation contemplates a public database to house BOI – although the information available to the greater public would be limited to which LLCs share common ownership. The public database would not contain names or addresses of beneficial owners; rather, if someone wanted to request that information, they would need to submit a formal request to law enforcement, similar to the federal Freedom of Information Act (FOIA).

New York is the only state to propose this type of BOI database at the state level, and the legislative intent offers insight into why New York has a particular focus on BOI. One of the Democratic Senators who proposed the bill said that “[m]oney laundering, tax avoidance, evasion of sanctions, and systemic code violations have been protected for too long in New York by the veil of LLC anonymity. Sometimes tenants don’t even know who their landlord actually is.” Thus, while AML objectives are certainly relevant at the state level, the New York legislation also seeks to address non-AML concerns, such as providing information to tenants and watchdog groups on otherwise unknown landlords who may be contributing to the deterioration of neighborhoods.

Conclusion

In the three approaches reflected by the EU AML Directive, the CTA and the proposed New York legislation, there is a balancing act between collecting and allowing access to BOI in order to fight money laundering and terrorist financing, and protecting privacy rights enshrined in our foundational legal texts like the EU Charter or U.S. Constitution. Beyond those considerations, this spectrum of privacy approaches raises the question of how global AML programs and requirements can be implemented with maximum consistency.  Finally, looming over all of the government-maintained BOI databases is the specter of data breaches and cyber attacks, which threaten not only the individuals whose BOI is affected, but the government agencies themselves.

[View source.]