Sufficiently detailed beneficial ownership information
Developing robust legislation
Gathering information as part of BO declarations requires a legal basis for registrars to retrieve or collect it, and obligations for reporting legal vehicles to disclose it. [12] Policy aims determine the purpose of BO disclosure and should be clearly specified in legislation. This determines the legal basis for data collection, processing, storage, and use. A broad purpose, such as ensuring the functioning – and preventing the misuse – of legal vehicles, may allow for a broader range of use cases by more types of users than a narrower purpose, such as fighting money laundering.
Legislation should also make it clear which authority should collect BO information in a central register, and provide it the requisite powers, mandate, and responsibility. Different types of authorities can function as the registrar, such as company registers, tax authorities, financial intelligence units, or regulatory authorities, such as securities commissions or central banks. [13] Company registers may be best placed to house the register, particularly where there is a broader policy aim related to the overall transparency of the business environment. Company registers also have the advantage of easy integration of company information to complete (or complement) a BO declaration.
The progression from writing to implementing legislation is not linear, and the steps covered in the remainder of this briefing should be considered before beginning to draft or revise legislation. In general, robust legislation setting out the basis for sufficient detail includes provisions covering:
1. who has the responsibility to submit information;
2. when information should be submitted; [14]
3. what information should be reported;
4. how the information should be reported;
5. which authority the information should be reported to. [15]
Typically, reporting obligations are placed on the legal entity itself or the trustee for legal arrangements (Box 3). As per international anti-money laundering (AML) standards, many countries also require certain legal entities to hold and maintain registers of their own beneficial owners. [16] There may also be obligations on the beneficial owner to provide information to the legal entity, as well as powers for the legal entity to compel the beneficial owners to provide information on request and issue penalties for failure to comply. [17]
Box 3. The legal obligation to disclose information in Nigeria, Norway, and Indonesia
Nigeria’s Companies and Allied Matters Act specifies that the entities it covers “shall submit information in relation to a person with significant control (that is beneficial owner) to the [Corporate Affairs Commission]” during incorporation, filing of annual returns, amendments, or in any other case the Commission may determine.18 It specifies which information is to be submitted for each type of entity, and includes a wider range of fields than in many other countries, such as Norway. For example, for a company or limited liability partnership, it includes place of birth, occupation, email address, and status as a politically exposed person (PEP), if applicable.
In Norway, the Act on the Register of Beneficial Owners includes the obligation to disclose information: “The person subject to the registration obligation shall identify the beneficial owners of the legal person, entity or association or foreign legal arrangement”. [19] It specifies that the person obliged to register a declaration must obtain the following information about beneficial owners: name, national ID number or D-number (a temporary ID number), country of residence, and citizenship. If a beneficial owner does not have a national ID or D-number, information on date of birth must be obtained instead. The Act also empowers the government to issue regulations “providing further rules on the duty to provide information when parties subject to registration are to identify and obtain information about beneficial owners”. [20]
Article 14 of Indonesia’s regulations on implementing BOT notes that a “Corporation shall apply the principle of Corporate Beneficiary Identification… [and] shall appoint an official or staff to: a. Implement the principle of Corporation Beneficiary identification; and b. Provide information on the Corporation and its Beneficiary as requested by the Authorized Institution and law enforcement institution”. [21] It also specifies the minimum information fields to be collected (i.e. “at least”), such as the tax ID number and address contained in the person’s identity card, and notes that this information should be accompanied with supporting documents.
Legislation should clearly and exhaustively specify what information should be included in a declaration, particularly where this pertains to personal data. Other sections of this briefing cover how to determine which specific types of information should be collected. Information required to be disclosed should also be enumerated in law and limited to what is necessary, in line with common requirements in privacy and data protection legislation.
Because the implementation context may change over time, it is useful to include provisions for powers to amend the list of information through secondary legislation. This is a way to future-proof legislation in light of the evolving nature of the BOT policy area and international standards, as well as the iterative approach to implementation to accommodate these changes, without needing to go through the more lengthy procedure of amending primary legislation (Box 4).
Box 4. Legislating for the collection of beneficial ownership information in Zambia
The BO register for companies in Zambia is run by the Patents and Companies Registration Agency. The Companies Act, 2017 requires intending and existing companies to provide the following: “a statement of beneficial ownership which shall state, in respect of each beneficial owner— (i) the full names; (ii) the date of birth; (iii) the nationality or nationalities; (iv) the country of residence; (v) the residential address; and (vi) any other particulars as [may be] prescribed”, [22] among others.
This list does not include the information about the relationship between the beneficial owner and the company. However, it does contain a provision for powers to prescribe “any other particulars”, allowing this to be addressed in secondary legislation. The Companies (Prescribed Forms) and The Companies (General) Regulations in 2019 expand on this list to include: “(i) full names, (ii) date of birth; (iii) nationality; (iv) country of residence; (v) gender; (vi) residential address; (vii) number of shares owned; (viii) class of shares owned; and (ix) nature of beneficial ownership”. [23]
The primary and secondary legislation together include provisions to collect information about the beneficial owner and their relationship with the company.
Moreover, information should be collected with accompanying guidance. Forms should be designed with user needs in mind. Both the forms and the information contained within them should be tested with actual users in order to facilitate and enable compliance and data use, and they should be periodically reviewed. [24] Forms must be able to accommodate different scenarios; for example when beneficial owners are from different jurisdictions, data may be retrieved for those who are residents and collected for those who are not. To enable effective testing and design, legislation should not include the forms themselves, but rather define the information fields to be gathered. Reporting obligations should specify which authority the information should be reported to (e.g. the registrar), and clearly mandate their responsibilities to maintain the register. Legal considerations for verifying information and other parties’ access to it are not covered in this briefing.
Balancing privacy and data protection considerations
Beneficial owners are natural persons by definition; therefore, there are privacy and data protection considerations around the collection and storage of information about them that need to be taken into account to ensure effective and responsible implementation. The principle of data minimisation should guide implementation decisions when it comes to determining the types of personal information to gather and store in a BO register.
For example, Article 5(1)(c) of the European Union’s (EU) General Data Protection Regulation (GDPR) says that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. [25] The purposes in question here should take into account both the information needs of the registrar, covered in this briefing, and the requirements of prospective data users who will have access to the information. The data protection and privacy considerations around access are more extensive than the collection of information, and are not covered in this briefing. [26]
Most data protection legislation will also include specific provisions for sensitive personal data. Continuing with the EU GDPR example, the following information is designated as sensitive: “genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership”. [27] While generally this information is not necessary to collect as part of BO declarations, information collected – including names and passport scans – may contain information about gender or racial and ethnic origins. Even when not sensitive on its own, the combination of certain types of information about individual characteristics can constitute personal data, and can fall under the purview of data protection legislation. [28]
Finally, some approaches to verification may rely on biometric data for identity verification. Implementers should be mindful that the information they collect is personal and may be sensitive, and put in place appropriate data security measures around storage and internal access to the information. A jurisdiction’s domestic and international legal obligations related to privacy and data protection should be a guiding framework.
Footnotes
[12] For more detailed guidance, please see: Favour Ime and Tymon Kiepe, Guide to drafting effective legislation for beneficial ownership transparency (Open Ownership, 2024), https://www.openownership.org/en/publications/guide-to-drafting-effective-legislation-for-beneficial-ownership-transparency/.
[13] Favour Ime and Tymon Kiepe, Guide to drafting effective legislation for beneficial ownership transparency, 21.
[14] Ime and Kiepe, Guide to drafting effective legislation, 17.
[15] Ime and Kiepe, Guide to drafting effective legislation, 21
[16] Financial Action Task Force (FATF), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation – The FATF Recommendations (FATF, updated 2023), 95, https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf.
[17] See, for example: UK Government, Companies Act, 2006, Part 21A, Chapter 2, Section 790CB, https://www.legislation.gov.uk/ukpga/2006/46/part/21A/chapter/2.
[18] Government of Nigeria, Companies and Allied Matters Act, No. 3, 2020, https://www.cac.gov.ng/wp-content/uploads/2021/01/COMPANIES-REGULATIONS-2021-published.pdf.
[19] Government of Norway, Ministry of Finance, Lov om register over reelle rettighetshavere, § 4. Innhenting av opplysninger om reelle rettighetshavere, updated 2022, https://lovdata.no/lov/2019-03-01-2/§4. Note: translation from Norwegian done using Google Translate.
[20] Government of Norway, Ministry of Finance, Lov om register over reelle rettighetshavere, § 5. Relevante personers opplysningsplikt, updated 2022, https://lovdata.no/lov/2019-03-01-2/§5. Note: translation from Norwegian done using Google Translate.
[21] Government of Indonesia, “Regulation of President of the Republic of Indonesia Number 13 Year 2018 Regarding Implementation of Principle of Corporate Beneficiary Identification for Preventing and Eradicating Criminal Actions of Money Laundering and Terrorism Financing”, Article 14, 2018.
[22] Government of Zambia, The Companies Act, 2017 (Act No. 10 of 2017), The Companies (General) Regulations, 2019, Sections 12(3)(e) and 30(1)(b), 1 March 2019, https://www.pacra.org.zm/wp-content/uploads/2021/08/CompaniesActStatutoryInstrument-No14_of_2019.pdf.
[23] Government of Zambia, The Companies (Prescribed Forms) Regulations, 2019, Statutory Instrument No. 21 of 2019, 7 March 2019, https://www.pacra.org.zm/wp-content/uploads/2021/08/STATUTORYINSTRUMENTNO.-21OF2019.pdf; Government of Zambia, The Companies (General) Regulations, 2019, Statutory Instrument No. 14 of 2019, 1 March 2019, https://www.pacra.org.zm/wp-content/uploads/2021/08/CompaniesActStatutoryInstrument-No14_of_2019.pdf.
[24] See: Open Ownership, A guide to doing user research; Alanna Markle, “Comparing compliance? Proceed with caution”, Open Ownership, 22 August 2024, https://www.openownership.org/en/blog/comparing-compliance-proceed-with-caution/.
[25] GDPR, Chapter 2, Article 5 – Principles relating to processing of personal data, n.d., https://gdpr-info.eu/art-5-gdpr/.
[26] See: Tymon Kiepe, “Striking a balance: Towards a more nuanced conversation about access to beneficial ownership information”, Open Ownership, 18 October 2023, https://www.openownership.org/en/blog/striking-a-balance-towards-a-more-nuanced-conversation-about-access-to-beneficial-ownership-information/; Favour Ime and Tymon Kiepe, Guide to drafting effective legislation for beneficial ownership transparency.
[27] GDPR, Key Issues – Personal Data, n.d., https://gdpr-info.eu/issues/personal-data/.
[28] Tymon Kiepe, Verification of beneficial ownership data (Open Ownership, 2020), https://www.openownership.org/en/publications/verification-of-beneficial-ownership-data/.