Harmonisation of the beneficial ownership registers in European Union Open Access

Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (further as: “4AMLD”) introduced a requirement for Member States to create databases called Beneficial Ownership Registers (BORs) [Directive (EU), 2015, 2015/849 Art 30, Para 3]. The requirement was justified by the need to increase the security of business transactions, enable better verification of contractors and facilitate the analysis of financial structures. Member States were required to keep all the information they obtained in the National Central Registers (further as: NCRs). The required information concerned the Beneficial Owner (further: BO) and details of the shares held by business partners (Daudrikh, 2021, p. 143). The Registers were also intended to eliminate weaknesses in the system, under development since the 1990s, for counteracting money laundering and terrorism financing in the European Union. Aggregating and verifying reliable information on BOs was supposed to reduce the risk of criminals hiding their identities in a complex capital structure. In most money laundering cases, unclear ownership structures continue to be used to hide the origin and affiliation of illegally obtained funds. Implementation of the 4AMLD into national law was due by 26 June 2017 [Directive (EU), 2015, 2015/849, Art 67, Para 1].

Unfortunately, in the course of the implementation of the Directive into national law, too much latitude was allowed in the interpretation of its provisions. This resulted in differences in the functioning of NCRs – particularly with respect to access to data by entities verifying entries. The definition of the term BO also proved problematic for private entities, public supervisory authorities and financial intelligence units (further: FIUs). The lack of experience of some obliged entities led to a number of complications in the process of entering and verifying data in the BORs. As a result, the process of registering BOs, rather than mitigating the risk of money laundering, has reduced the effectiveness of the overall anti-money laundering (further as: AML) policy in the European Union.

The European Commission recognised rather quickly that the measures provided by the Directive were not being carried out properly in practice – by private entities or Member States supervisors. It therefore took steps to make the BORs effective tools for verifying complex ownership structures whilst guaranteeing the protection of personal data. Corrective actions were presented on 20 July 2021 in the Proposal for a Directive of the European Parliament and of the Council on the mechanisms to be put in place by the Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. Ultimately, in 2024, the European Union significantly changed the definition of BO, through Regulation (EU) 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, known as the Anti-Money Laundering Regulation (further: “AMLR”). This Regulation was published in the Official Journal of the European Union on 19 June 2024. On the same day, as a part of the AML package, Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (further: “6AMLD”) was also published. The Directive introduced a series of changes that will significantly strengthen transparency around BOs and a comprehensive overhaul of who may verify access to BORs, and how they verify it.

Initially, the aggregation and verification of data on BO did not appear to cause problems. After the implementation of the 4AMLD, FIUs were tasked with creating an integrated ICT system. For most Member States, this was done between 2017 and 2020. The Directive listed legal entities that were obliged to report information regarding their own BO. The entities included legal persons, trusts, companies, foundations and similar legal arrangements. The scope of the data to be reported included name and surname, date of birth, nationality, country of residence and nature and extent of the beneficial interest held [Directive (EU), 2015, 2015/849, Art 30, Para 5, as amended by Directive (EU), 2018, 2018/843]. In the next step, the second group of entities – the obliged entities – was responsible for verifying the identity of customers according to data available in NCR prior to establishing business relations or conducting an occasional transaction [Directive (EU), 2015, 2015/849, Art 14, Para 1]. The obliged entities were primarily financial, credit, investment, factoring and insurance entities or ones involved in several other independent professions. The reporting and subsequent verification of data was intended to increase the transparency of economic relations. When discrepancies were found, the entities were first to take steps to clarify them. When the reporting institution was unable to clarify a discrepancy, the matter was to be reported to the national FIU, which would launch an investigation that could result in an administrative or financial penalty (Matras, 2024, p. 11). The main problem in this overall process was how the definition of the BO was to be interpreted. The 4AMLD indicated that a BO is a natural person who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings, or through control via other means. A shareholding of 25% plus one share indicated direct ownership. Additionally, if, after having exhausted all possible means, no person was identified as a BO or the direct owner, the natural person holding the position of senior managing official was recognised as the BO [Directive (EU), 2015, 2015/849, Art 3, Para 6]. Indirect ownership was identified when an individual exercised control over a legal entity that was equivalent to the same share or the same ratio of ownership interest as in the case of direct ownership (Daudrikh, 2021, p. 140). In theory, proper implementation of the Directive’s provisions by Member States should not have caused problems. In practice, however, the term BO became a key challenge to private and public entities alike (Gilmour, 2023, pp.71–76; Yeoh, 2018, pp.37–39). The diversity of national definitions of the term gave rise to a variety of interpretations as to who should be listed as a BO (Konovalova et al., 2022, p.3).

Most often, this concerned situations where the “controlling” party was a legal person, not a natural one. In such cases, the actual BO was to be found by analysing the structure of the company that was a party in the entity subject to reporting. Not all private and public entities were able to perform such a complex legal analysis. The practice of data reporting also showed that many obliged entities did not exercise due diligence when determining the identity of the persons who actually control the entity. Many financial institutions had difficulties in determining the identity of the BO behind their customers because identification was burdensome (Koster, 2020, p. 384).

Setting the ownership threshold at 25% also raised a major question mark. Depending on the type of legal entity, a 25% threshold may not be adequate to ensure the accurate and significant identification of all the real owners behind companies (Van der Merwe, 2020, p. 9). The 4AMLD definition of a natural person in a senior management position was unclear – the exercise of control by members of corporate boards and managements was interpreted differently in this context. In general, the implementation of BORs did not lead to the identification of complex ownership structures of a cross-border nature due to a lack of intergovernmental cooperation mechanisms for the exchange of information (Gilmour, 2020, pp. 720–722).

The European Commission first drew attention to these problems in 2017, when Member States were still preparing national legislation to implement the Directive. As the Commission emphasised in a special report:

In fact, the provisions of national law adopted by Member States gave obliged entities considerable freedom in the process of verifying and reporting data. The European Parliament drew attention to many weaknesses in the system and called on the European Commission to undertake the following:

• address the lack of sufficient and accurate data in NCRs that can be used to identify BO;

• reinforce oversight of the transposition of provisions related to setting up BORs in Member States to ensure that they function properly and provide public access to high-quality data;

• explore the lowering of the threshold for the identification of a BO and to suggest the creation of publicly accessible BORs of trusts and similar arrangements;

• put forward proposals to close existing loopholes that allow companies to hide their ultimate BO; and

• request the termination of a business relationship in the event that the ultimate BO cannot be identified (European Parliament, 2020, p. 5).

The second issue that aroused controversy was the ability to search for information in NCRs. In accordance with Article 30 of the 4AMLD:

Nevertheless, in 2018, Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (further as: “5AMLD”) was published. It softened provisions on access to data in BORs. According to Article 30 of the 5AMLD, “Member States shall ensure that the information on the BO is accessible in all cases to any member of the general public” [Directive (EU), 2015, 2015/849, Art 30, Para 5, as amended by Directive (EU), 2018, 2018/843].

In practice, removing the provision on demonstrating a legitimate interest meant that access to data should not be limited in any way. On this basis, after providing the tax identification number, all data on natural persons appearing in the BOR could be accessed. This resulted in the public being able to access data on the BO behind local and global capital structures. Before the amendment, the provision in 4AMLD allowed any person or organisation that could demonstrate a legitimate interest access to information. The lack of a uniform definition of the term “legitimate interest” had caused practical difficulties; thus, the European Commission considered removal of this condition as an appropriate solution. It was argued that if a definition of “legitimate interest” had been proposed, it could have been expected to be applied differently in the Member States, which would, consequently, have led to arbitrary decisions (Cindori, 2023, p. 123). However, only some Member States opted not to place any restrictions on the use of the BOR. To narrow down the circle of people that could use the data, the countries opted for some mechanisms to limit the disclosure of information on BOs. Several countries, including Germany, Finland and Ireland, required registration, authorisation, authentication or charged a fee for finding information. By contrast, Poland, Czech Republic, France and Slovakia did not impose any restrictions on access to the BORs (European Commission, 2023). The lack of harmonisation in maintaining NCRs coincided with a judgement by the Court of Justice of the European Union (further as: CJEU). On 22 November 2022, hearing the case WM and Sovim SAv Luxembourg Business Registers, the CJEU declared invalid the provision of the 5AMLD that had granted the general public nearly unrestricted access to data. According to the Court, the general public’s access to information on BOs constituted serious interference with the fundamental rights to respect for private life and to the protection of personal data embodied in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The CJEU ruled that disclosure of information enabled a potentially unlimited number of persons the ability to access the material and financial situation of a BO (CJEU, 2022). Ultimately, the CJEU judgement invalidated the amendment to Article 30 of the 5AMLD, prompting Member States to redesign access regimes based on a “legitimate interest” test and restricted categories of users.

Following the judgement, some countries suspended open public access and moved to a “legitimate interest test” or restricted-user models. Others refrained from making changes, arguing the issue should be regulated at the European Union level. This provoked even greater discrepancies between Member States with regard to access to the BORs. In some countries, the BORs remained fully accessible, whilst elsewhere, including in Luxembourg, The Netherlands and Cyprus, access was temporarily suspended. However, most Member States returned to granting the ability to view data based on the demonstration of “legitimate public interest”. The possibility of obtaining information on BOs was only granted if a natural or legal person proved that they deal with AML issues. A requirement was introduced for stakeholders to submit a form containing information about the purpose for which the data is needed. These types of conditions were introduced in Austria, Belgium, Spain, Germany and Lithuania, among others. Detailed information about differences between countries regarding rules for access to data is presented in Table 1.

On 7 May 2020, the European Commission, having identified weaknesses in the functioning of AML processes in the European Union, presented an outline of forthcoming reforms. In a communication on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing, six priorities were listed. One related to ensuring the effective implementation of the uniform AML framework, a crucial step given the lack of harmonisation of the BORs (European Commission, 2020, p. 2). In the next step, on 20 July 2021, the European Commission presented a package of legislative proposals to thoroughly reform AML. Among these, the most significant changes to the way BO would be defined were introduced in 6AMLD and AMLR. According to the 20 July 2021 draft:

Another important change was the possibility for the entity in charge of the NCR to be empowered to carry out checks, including on-site investigations at the premises or registered office of the legal entity to establish the current BO of the entity and to verify that the information submitted to the BOR was accurate (European Commission, 2021, Art 10, Para 8). The modifications were intended to reduce the risk of reporting institutions failing to conduct due diligence in submitting data to the BORs and to prevent legal entities from providing information only on senior management whilst entirely omitting those who actually exercised control through ownership interests. Changes were also anticipated for the process of verifying the data available in the BORs. Whilst unrestricted access for supervisory authorities and public authorities responsible for combating money laundering has been maintained, overall public access to information by the general public has been restricted. According to the 2021 draft of the EU AML Package, Member States were to be able to make information on BOs held in their BORs available to the public upon payment of a fee and authentication using electronic identification and relevant trust services (European Commission, 2021, Art 12, Para 2).

In October 2021, the draft of the EU AML Package was submitted to the European Parliament, where it became the subject of work of two bodies – The Committee on Economic and Monetary Affairs (ECON) and the Committee on Civil Liberties, Justice and Home Affairs (LIBE). According to the European Parliament’s amendments, full access to information collected in the BOR should be given primarily to public entities. However, access to the data will also be available, for a limited time, to others, including journalists, higher education institutions, civil society organisations, financial institutions and service providers, if they are demonstrably involved in the prevention or combating of money laundering. A decision to allow access will be automatically issued ten days after submission of a declaration of honour and proof of identification and shall be valid for a period of at least 2.5 years. Such a decision shall be recognised in all Member States as a proof of having a legitimate interest. The question of whether an individual will be able to access the BOR will be reviewed on a case-by-case basis by the authority in charge of the NCR, whilst the decision will be based on the information received and evidence of legitimate interest. The possibility of granting access to persons who state that they intend to establish business contacts with the entity and therefore need to verify the information collected in the BOR was also signalled (European Parliament, 2023a, Amdt. 168–169).

In line with the changes proposed by the European Parliament, NCRs were to be available digitally in the official language of the European Union and in English. The entity responsible for maintaining the BOR had the right to request from legal persons any information required to identify and verify their BOs (European Parliament, 2023a, Amdt. 135). The threshold at which BOs were to be identified was also to be lowered from 25%. According to the European Parliament’s proposal, the possession of 15% plus one of the shares or voting rights or other direct or indirect ownership interest in the corporate entity, including through bearer shareholdings, on every level of ownership, was sufficient to indicate one’s status as a BO (European Parliament, 2023b, Amdt. 251).

Ultimately, AMLR introduced a refined and comprehensive definition of a BO. The European Commission chose to implement these fundamental changes through a regulation rather than incorporating them into the 6AMLD. A regulation is a binding legislative act that must be applied in its entirety across all EU Member States, without the need for national implementation. This approach ensures that uniform legal standards are enforced simultaneously in every Member State, eliminating discrepancies that could arise from divergent national transpositions.

According to Chapter IV of the new AMLR, ownership interest refers to the direct or indirect holding of 25% or more of the shares, voting rights or other ownership interests in a corporate entity. This includes rights to a share of profits, internal resources or liquidation balance. Indirect ownership will be determined by multiplying the shares or voting rights held by intermediate entities in the ownership chain and summing the results across various chains. All shareholdings at every level of ownership will have to be considered when assessing ownership interest [Regulation (EU), 2024, 2024/1624, Art 52, Para 1]. Member States will be able to adopt a lower threshold – no less than 15% – for entities assessed as high risk [Regulation (EU), 2024, 2024/1624, Art 52, Para 2]. Thus, the 25% ownership interest threshold has been slightly adjusted rather than replaced by the new 15% threshold that had been under consideration. The AMLR also establishes a definition of control, even in the absence of a significant ownership interest. Control is defined as the ability to exercise significant influence and make decisions within a legal entity. Such control may be exercised through ownership interests or by other means, including formal or informal agreements, voting arrangements or relationships between family members [Regulation (EU), 2024, 2024/1624, Art 53].

The AMLR also extends the scope of BO transparency to various types of legal arrangements and specifies how authorities will have to identify the ultimate controllers or beneficiaries. In the case of multi-layered ownership structures, a BO includes the natural persons who control, directly or indirectly, through ownership interests or other means, legal entities that have a direct ownership interest in the corporate entity [Regulation (EU), 2024, 2024/1624, Art 54]. For legal arrangements similar to express trusts, individuals holding equivalent positions will be considered the BO. In cases where these roles are held by legal entities, the BO of those entities will also have to be identified. In addition, Member States will be required to notify the European Commission by 10 October 2027 of the types of legal arrangements that are similar to express trusts under their jurisdiction [Regulation (EU), 2024, 2024/1624, Art 58].

The method of defining a BO and maintaining NCR, introduced by the 4AMLD and 5AMLD, was flawed in numerous ways. There is no doubt that the European Commission’s reform in this area of AML regulation is justified. In the context of the judgement issued by the CJEU, the adoption of a harmonised method of maintaining NCRs throughout the European Union appears to be wholly justified. It is therefore commendable that the European Commission acted quickly to eliminate the lack of coherence in the regulations. According to 6AMLD, Member States will be required to grant access to BOs information held in BOR to any natural or legal person demonstrating a legitimate interest in combating money laundering and terrorist financing (Directive (EU), 2024, 2024/1640, Art 12, Para 1]. Entities managing BORs will have to verify the existence of a legitimate interest based on documents and information the applicant provides. The assessment considers the applicant’s function or occupation and, where applicable, their connection to the specific legal entities or arrangements. If an applicant’s legitimate interest has been previously verified by another Member State’s BOR, that verification should be accepted, facilitating mutual recognition across borders [Directive (EU), 2024, 2024/1640, Art 13, Para 3].

At the same time, Member States will be required to grant access, without case-by-case demonstration, to among others, journalists and media professionals, civil society organisations engaged in AML objectives, natural or legal persons likely to enter into a transaction with a legal entity or arrangement who wish to avoid links to money laundering and third-country AML authorities [Directive (EU), 2024, 2024/1640, Art 12, Para 2]. By 10 July 2026, they should deliver to the European Commission the list of public authorities that are entitled to consult a BO information [Directive (EU), 2024, 2024/1640, Art 12, Para 3]. The European Commission is tasked with defining the technical specifications and procedures necessary for implementing access based on legitimate interest. This includes creating standardised templates for requesting access and for the BOR to confirm or refuse such requests. Additionally, procedures will be established to ensure the mutual recognition of legitimate interest across Member States and to facilitate secure information transfer between BORs [Directive (EU), 2024, 2024/1640, Art 14, Para 1].

The European Commission’s efforts were aligned with the Financial Action Task Force’s (FATF) revisions to Recommendation 24 and its Interpretive Note. On 4 March 2022, the FATF adopted significant enhancements concerning access to BO information. These amendments require that competent authorities can promptly access adequate, accurate and up-to-date BO information. The revised standard obliges jurisdictions to ensure that all competent authorities – including FIUs, law-enforcement agencies, tax and regulatory bodies and public-procurement authorities – have access, “without delay”, to BO information. Such access is critical for measures like asset freezes, sanctions enforcement and cross-border investigations (FATF, 2022).

Despite the enhancements introduced by the AMLR and 6AMLD, the fundamental shortcomings in identifying BOs persist. Legal entities incorrectly reporting senior management as BOs may continue to be a key issue. Under AMLR:

As a result, some entities may still submit to the BOR only a declaration – accompanied by a justification – that no actual BO exists or can be identified.

To eliminate incorrect reporting of senior management as BOs by some entities, effective control mechanisms introduced by Member States are needed. In practise, it will be difficult to expect Member States to effectively enforce correct and reliable data reporting from legal entities, as there are no standards to classify financial penalties for incorrect reporting. In addition, national supervisors have rarely undertaken a significant number of proceedings against obliged entities. For example, in Poland, between 2020 and 2022, supervisory authorities initiated 406 administrative proceedings, 334 of which were related to a failure to submit information to the NCR, 48 to submitting a notification after the 14-day deadline and 23 to providing false data (Matras, 2024, p. 4).

The most effective way to reconcile discrepancies between actual ownership and registry entries is to empower authorities to conduct inspections to verify current BOs. Whilst this measure is sensible in principle, it raises concerns about the capacity of supervisory bodies to carry out such inspections. Given limited human and financial resources, auditing every obliged entity – whose numbers can range from several hundreds to several million, depending on the Member State, would be untenable. Instead, authorities would need to implement risk-based sampling, auditing subsets of entities on a regular cycle calibrated to each jurisdictional and risk profile. However, supervisory authorities already shoulder multiple responsibilities, and adding further formalities could detract from the overall effectiveness of AML processes. The most significant reform to BORs will be a reduction in the transparency of the data they disclose. Under the new scheme, anyone seeking access will have to demonstrate a legitimate public interest. Whilst this requirement – mandated by the CJEU’s ruling – is arguably the only practicable way to safeguard individuals’ personal data, it is likely to introduce a range of practical and operational challenges. Primary among them will be verifying whether a person who can access the BOR will be required to navigate additional bureaucratic steps. For journalists or civil society organisations engaged in AML objectives, this should not be difficult – systemic access can be granted collectively for representatives of selected branches or professions. However, complications will arise if a request for access is made by a legal entity or individual not explicitly mentioned in article 12 of 6AMLD, citing a legitimate public interest. To assess whether such an entity has a legitimate public interest, it will be necessary to provide appropriate documentation. The national authority responsible for maintaining NCR will be obliged to consider each application. The experiences of Member States that have introduced such solutions after the CJEU judgement show the amount of additional work to be done. In Germany, for example, between January and September 2023, the BOR received 60,000 requests for information from entities demonstrating legitimate interest. Monitoring the registration of requests and processing them was performed by 33 employees (Martini, 2023). At the same time, granting excessive discretion to Member States can erect barriers to accessing BO information. Imposing additional requirements on entities seeking data from the BOR may deter them from applying, reducing the number of inquiries and the time and resources needed to process them. However, this would run counter to both the spirit of the CJEU’s ruling and the EU’s own declarations that civil society has a legitimate interest in accessing these records, given its vital role in promoting financial integrity and combating money laundering. In a worst-case scenario, some Member States might deliberately restrict access to attract investment from entities unwilling to disclose their ownership structures. This could create competitive imbalances between Member States, placing those with stricter transparency at a disadvantage. Such an outcome cannot be dismissed, as the divergent transpositions of the 4AMLD and 5AMLD have already demonstrated. On the other hand, this risk is somewhat mitigated by the fact that technical standards are governed by the regulation and should be directly applicable in all Member States.

The lack of harmonisation in defining BOs and maintaining BORs has exposed the entire European Union to the threat of losing its reputation as a place where the principles of equal and transparent economic competition are respected. Financial criminals, taking advantage of the differences that exist between Member States as well as the lack of effective controls, could conduct business, invest and circulate illegally earned funds. Harmonised BORs are therefore one of the pillars of AML policy, making it crucial that Member States introduce uniform criteria in this area. As experience with the implementation of 4AMLD and 5AMLD has shown, this is no easy task. The regulation introduced by the 6AMLD offers strong potential to resolve the existing lack of harmonisation. However, this promise will only be fulfilled if Member States refrain from exercising inappropriate interpretive discretion during transposition. Accordingly, it will be essential for the European Commission to closely monitor the implementation of national legislation.

Splitting the AML package into a Regulation (with direct effect in all Member States) and a Directive (requiring national transposition) reflects a careful balance between uniformity and flexibility. AMLR applies directly in every Member State, eliminating discrepancies that arose under previous AML directives – especially in the definition of BO. Complementing this, Directive 2024/1640 sets binding rules for BORs in each Member State, including standardised access rights for authorities, obliged entities and persons with legitimate interests. Because national register structures vary widely across legal traditions, this Directive affords Member States until July 2027 to transpose its common principles whilst tailoring implementation to local frameworks. Comprehensive, validated assessments of the AMLR and 6AMLD will only be possible once full transposition is achieved – particularly after the European Commission’s first implementation report, due in July 2032.

The text presents a series of risks and critical reflections on how BORs may function in practice following the implementation of the 6AMLD. It should be stressed that these observations do not undermine the important rationale for fundamentally overhauling BOR registration mechanisms. With respect to the hypothesis posed at the outset of this research, it must be noted that the mere adoption and publication of the 6AMLD is not, in itself, sufficient to harmonise the maintenance of NCRs. Experience with the 4AMLD and 5AMLD has shown that Member States often interpret Directive provisions in ways that avoid overburdening national supervisory authorities. However, the combined introduction of AMLR and 6AMLD appears to address the weaknesses formerly evident in the definitions of a BO and reporting practices. Ultimately, the success of these reforms will hinge on the correct and consistent performance of the EU law by obliged entities, FIUs and supervisory authorities.