NEWSFLASH – Transparency vs. data protection: questions raised by the draft law 7217/00 on the creation of Luxembourg register of beneficial owners of registered company

On 20 May 2015, the European Parliament adopted the Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the “AMLD 4”), providing EU members states (the “Members States”) with improved rules on money laundering to fight against tax evasions and terrorism financing.

Pursuant to articles 30 and 31 of the AMLD 4, each Member State shall create a central register, the purpose of which being to record information regarding the beneficial owners (the “BO[1]”) of corporate entities, other legal entities and trusts. In this respect, two draft bills have been published by the Luxembourg Parliament to implement the transparency level required by the AMLD 4, namely (i) draft bill 7217/00 which creates an electronic national register of beneficial ownerships (the “REBECO”) for commercial companies and other legal entities registered with the Luxembourg Trade and Companies’ Register (the “7217/00 Draft Bill”) and (ii) draft bill 7216/00 which introduces a register for trusts.

 

1. REBECO: collecting BO’s information to strengthen the level of transparency

Based on the current text and managed by the Luxembourg Trade and Companies Register (the “RCS”), the REBECO will ensure the maintenance and provision of adequate, accurate and up to date information regarding BO of registered companies[2] (the “Information on BO”).

 

1.1       Adjustment of the notion of BO

The notion of BO is defined by the Luxembourg Law dated 12 November 2004 on the fight against money laundering and terrorist financing, as amended by the Luxembourg law dated 13 February 2018 transposing the AMLD 4[3] (the “AML Law”). Article 7(1) of the AML Law[4] states that “any natural person who ultimately owns or controls the customer and/or any natural person on whose behalf a transaction or activity is being conducted.”

In any case of companies, the beneficial owner shall at least satisfy one of these criteria:

(i)            any natural person who ultimately owns or controls a legal entity by owning directly or indirectly a sufficient percentage of shares or voting rights or an ownership interest in that entity, and by means of bearer shares or control by other means, other than a company listed on a regulated market which is subject to disclosure requirements compatible with European Union law or to equivalent international standards that ensure adequate transparency for ownership information;

(ii)          a natural person who hold up to 25 % of the shares plus one or more than 25 % ownership interest in the client may be considered as an element evidencing a  direct ownership. A shareholding interest of 25 % of the shares plus one or more than 25 % ownership interest in the client, owned by a company, which is controlled by one or more natural persons, or by several companies , which are controlled by the same natural person (s), may be considered as an element evidencing an indirect ownership;

(iii)         if none of the persons referred to in the above (i) and (ii)are identified, or if it is not certain that the person or persons identified are the BO, any natural person who holds the position of main manager/director, as applicable, is considered as BO.

 

1.2 Scope of information required

According to article 1 of the 7217/00 Draft Bill, all Luxembourg commercial companies as well as any other entities registered with the RCS (the “Registered Entities”) [5], apart from listed companies, common funds and branches, will have to provide information on their respective BO in the REBECO.

These Registered Entities are required to obtain and hold the Information on BO at their registered office[6].

Such Information shall contain the name, nationality, date and place of birth, the country of residence and the exact private address or exact professional address of the BO, an identification number for the individuals registered in the Luxembourg Register of Natural Persons[7] and foreign identification number for non-residing BO, as well as detailed information on the nature and the extent of the beneficial interest held by the BO in the relevant company[8].

The 7217/00 Draft Bill further provides that any individual which has been granted access (condition of access being developed in more details in paragraph 2.1 below) to the REBECO shall inform the RCS of any inaccuracy or incompleteness in the information provided thereof. The Registered Entities have a period of 30 days starting as of the date of the notification by the RCS of such deficiency to comply with its obligations. The state prosecutor may be seized at the end of that 30 days’ cure period[9].

 

1.3       Sanctions for non-compliance

Articles 23 to 25 provide that in case of an infringement to the law, criminal fines ranging from EUR 1.250 to EUR 1.250.000 may be imposed to the Registered Entities which, among others, (i) do not register the relevant information in the REBECO within the required timeframe[10], (ii) consciously do not provide correct or complete or updated Information on its BO or (iii) fail to obtain and keep such information at their registered office[11].

 

2.   REBECO: controlling the access to BO’s information for personal data security

Even though REBECO is not a register freely accessible to the public, its implementation is raising data protection and privacy issues. Article 19 of the 7217/00 Draft Bill states that the processing of the personal data collected and stored in the REBECO is governed by the Luxembourg Law of 2 August 2002 on the Protection of Individuals with regard to the Processing of Personal Data as amended[12].

Hence, the Luxembourg legislator tries to set out safeguards to allow protection against improper access to Information on BO.

 

2.1       Restrictions on access to the REBECO

Articles 11 to 16 of the 7217/00 Draft Bill provides for different types of access to the information contained in the REBECO depending on the person applying for an access to the information.

-       Unrestricted access to the Information on BO will be made available electronically only to national public authorities[13] in the framework of their mission e.g. to the prosecutor, the CSSF[14], the Luxembourg Insurance Commission and some tax administrators notably[15].

-       Limited access to the Information on BO will be granted electronically to self-regulatory bodies within the strict context of their supervisory mission[16] and obliged entities with regards to their respective customers due diligences obligations (such as the Bar Council, Notary Chamber and the Institut des réviseurs d’entreprises).Their access to Information on BO will remain subject to the authorisation of the REBECO manager and partial information shall be disclosed[17]. It can be noted that criminal sanctions may be imposed on the self-regulatory bodies or the obliged entities if they purposely access the REBECO outside the strict context of their functions[18].

-       Restricted access may also be granted to any person or organisation that (i) can demonstrate a legitimate interest and (ii) has made an official written and duly justified request in this respect. Such access request can only concern one Registered Entity by request and searches only introduced by the name, the registered number or national identification number of the Registered Entities. Such access is finally subject to the prior approval of a formal commission to be created by the Ministry of Justice[19] (the “Commission”).

Article 13 (2) of the 7217/00 Draft Bill further ensures that the access to the Information on BO be made through a strong identification process thereby tracking the contact information of the requesting person/entity, the Information on BO consulted, the date and hour of consultation and the reasons of consultation. Most of the Member States that have already transposed the AMLD 4 such as Germany, Denmark and UK seem to have adopted the same approach regarding the implementation of safeguards due to personal data protection considerations.

Despite some underlying efforts to limit access to BO’s personal data, restricted access is only subject to any person or organization demonstrating a “legitimate interest”. It is interesting to note that the legislator has chosen not to use the wording of the AMLD 4 which provides a more precise framework by granting access to other persons able to demonstrate a legitimate interest with respect to money laundering, terrorist financing, and the associated predicate offences, such as corruption, tax crimes and fraud[20].

The lack of precision around this notion of legitimate interest raises red flags in terms of privacy and protection of personal data. From a data protection law perspective the legitimate interest of the persons and organisations requesting access should not be overridden by the fundamental rights or interests of a BO. In the present case the Commission should have to assess on a case by case basis whether the right to privacy (e.g the right of a BO to privately dispose of his own assets) could be a sufficient ground which could potentially limit such legitimate interest.

Any assessment made by the Commission, could be challenged by a Registered Entity before the competent administrative Court as well as before the Luxembourg National Commission for Data Protection (Commission Nationale pour la Protection des Données, the “CNPD”); which has not issued any opinion on the 7217/00 Draft Bill yet.

 

2.2       Ability granted to the Registered Entities to seek for limited access to Information on their BO

Article 17 of the 7217/00 Draft Bill finally provides that the Registered Entities may request, on an exceptional basis, a restriction of access to the REBECO. Access to Information on BO shall thus only be granted to the national public authorities when the disclosure of such information would expose the BO to a risk of fraud, kidnapping, blackmail, violence or intimidation, or where the BO does not have legal capacity. Any such request will be subject to the prior approval of the Commission.

The creation of such Commission and the forthcoming entry into force of the GDPR will probably lead to further adjustments to the 7217/00 Draft Bill which still has to complete the ongoing legislative process[21] in order to be adopted and to implement the REBECO like other European Countries such as France (filing of the information with the competent court) or Germany (creation of a transparency register available online). The second register for trusts is also expected to be implemented in 2018 and will managed by the Luxembourg Administration de l’Enregistrement et des Domaines in accordance with the draft bill 7216.

 

Download newsletter in PDF

For further details, please contact :

 Audrey Rustichelli      Arnaud Joseph
 Audrey Rustichelli      Arnaud Joseph
 Head of Technologies & IP      Senior Associate
 rustichelli@mnks.com      joseph@mnks.com
 +352 26 48 42 35 98      +352 26 48 42 35 65

[1] Article 2 of the 7217/00 Draft Bill;

[3] Circular CSSF 18/684 which draw the attention of financial sector professionals to the major changes brings by the Law dated 13 February 2018 to the Luxembourg financial sector. It should also be highlighted that, at this stage, the law of 22 November 2004 has been updated to reflect this. The version published by the CSSF is however the only one being up-to-date at this stage.

[4] Article 2 (4) of the Law dated 13 February 2018

[5]As expressly mentioned in article 1, 2° to 4°, 6° to 13° and 15° of the law of 19 December 2002 on the Luxembourg Trade and Companies Register as well as accountancy and company annual accounts, as amended.

[6] Article 20 of the 7217/00 Draft Bill.

[7] As entailed in the law of 19 June 2013 on identification of natural persons, as amended.

[8]Article 3 of the 7217/00 Draft Bill.

[9] Article 9 of the 7217/00 Draft Bill.

[10] E.g. 6 Months from the implementation of the law initially (article 27 of the 7217/00 Draft Bill) and then within one month following the event triggering the obligation for a Registered Entity to provide information in the REBECO (article 4 of the 7217/00 Draft Bill).

[11] Articles 23 and 24 of the 7217/00 Draft Bill.

[12] Such law will be repealed with the entry into force of the European General Data Protection Regulation (the “GDPR”) on 25 May 2018.

[13] as defined in article 1 of the 7217/00 Draft Bill.

[14] Commission de Surveillance du Secteur Financier.

[15] Article 11 of the 7217/00 Draft Bill.

[16] as defined in article 1 of the 7217/00 Draft Bill.

[17] Article 12 of the 7217/00 Draft Bill.

[18] Article 25 of the 7217/00 Draft Bill.

[19] Article 15 of the 7217/00 Draft Bill.

[20] Recital 14 of the AMLD 4

[21] Latest opinion of Conseil de l’Ordre du Barreau de Luxembourg dated 7 March 2018.