On 22 November 2022 the Grand Chamber of the Court of Justice of the European Union (CJEU) delivered its judgment1 in Joined Cases C-37/20 Luxembourg Business Registers and C-601/20 Sovim (the Judgment). These cases were referred to the CJEU by the Luxembourg District Court as to matters of interpretation of EU law for a preliminary ruling2 , following the court's consideration of arguments from the claimants, a Luxembourgish corporation and its beneficial owner respectively who had previously requested the Luxembourg Business Registers (LBR) to restrict the general public's access to information about them. The Judgment has a profound impact on the EU legislative and regulatory regimes and compliance requirements in respect of prevention of money laundering, terrorist financing and financial crime as well as various sanctions regimes that financial services firms and non-financial corporates (collectively Obliged Entities) are required to comply with.
The CJEU was requested to deliver a preliminary ruling (i.e. the Judgment) regarding the interpretation of certain provisions of the EU's Directive (EU) 2015/849 Anti-Money Laundering Directive (AMLD 4) and the subsequent amendments introduced by Directive (EU) 2018/843 Anti-Money Laundering Directive (AMLD 5) (collectively the AMLDs) (as implemented in the EU Member States) and the validity of those provisions in light of the fundamental freedoms as enshrined in the Charter of Fundamental Rights of the European Union (the Charter). Specifically, the question that the CJEU considered was whether the AMLDs provisions could involve a disproportionate risk of interference with the fundamental rights of beneficial owners under the Charter.
This Client Alert summarises the CJEU's considerations, the impact on obliged entities and assesses what possible options might be available to EU policymakers, who are at the time of writing hereof, are aiming to revise and replace the AMLDs with the forthcoming finalisation of an EU Regulation on the prevention of money laundering, terrorist financing and financial crime (AMLR) and the operationalisation of a proposed EU Anti-Money Laundering Authority (working title at present AMLA).
Background
Under AMLD 4, EU Member States were required to maintain certain transparency registers, notably detailing information on (ultimate) beneficial owners (collectively UBOs). This obligation follows the recommendations first set by the Financial Action Task Force (FATF), as an international standard-setting body that aims to fight financial crime, money laundering and terrorist financing. Under AMLD 4 public authorities and specific entities (such as financial services firms but also other Obliged Entities) were able to access the transparency and UBO registers. The general public needed to demonstrate the existence of a "legitimate interest" to access such data. Equally, under AMLD 4, EU Member States were allowed to limit access to this data on a case-by-case basis, provided certain "exceptional circumstances"3 were met.
AMLD 5 expanded the transparency obligations that previously existed under AMLD 4. AMLD 5 also extended the definition of Obliged Entities to include certain crypto asset service providers. Part of this was in response to the Panama Papers and other scandals. AMLD 5 retained the structure of the AMLD4 beneficial ownership provisions, while also making a number of amendments, including giving Obliged Entities access to information held in the central transparency and/or UBO registers for the purposes of complying with the AMLD4's obligations.
The AMLD 5 also required that EU Member States establish a clear "public access rule", so that third parties can ascertain, throughout the EU, who qualifies as a UBO. As a result, in certain EU Member States, including Luxembourg, such registers became accessible to the general public, including via the internet, without much restriction. The level of breadth and depth of who can access what (as well as when UBOs can restrict access to such information made available to the general public via the relevant register) equally differs across EU Member States.
In its Judgment the CJEU ruled that AMLD 5's requirement that Member States make sure that any member of the general public can always access information on the beneficial ownership of corporations and other legal entities incorporated within their territory is invalid in light of the fundamental rights set out in the Charter. In response to the Judgment, a number of EU Member States were quick to remove public access to respective registers.4 However, the Judgment does not revert the position on access back to the standards that existed under AMLD 4. In summary, while the Judgment protects fundamental data privacy protections set out in the Charter, it complicates how Obliged Entities may efficiently comply with the objectives and outcomes of the AMLDs and indeed FATF's standards with respect to UBOs.
The CJEU's considerations
The CJEU held that the general public's access to data on beneficial ownership violates Articles 7 and 8 of the Charter in different ways. In particular, the information made available makes it possible for an essentially infinite number of people to learn about the material and financial circumstances of a UBO. Furthermore, the fact that, once such data has been made available to the public, it can not only be freely consulted, but also retained and disseminated. This therefore may exacerbate the potential consequences for the data subjects resulting from potential abuse of their personal data, which, as a result is contrary to the fundamental protections established in the Charter.
While the CJEU concluded that EU co-legislator's implementation of AMLD 4 and to a certain extent AMLD 5's amendments, were a means of attempting to prevent money laundering and terrorist financing by fostering an environment of greater transparency, this measure was not proportionate. The CJEU held that the interference caused by such public access rule is neither strictly necessary nor appropriate given the goal being pursued by the AMLDs does not trump the fundamental protections guaranteed in Articles 7 and 8 of the Charter.
Moreover, the CJEU also considered whether limiting access rights to persons or organisations that evidence a "legitimate interest" would be compatible with the fundamental rights of the Charter. In particular, the CJEU considered the European Commission's line of argumentation that part of the AMLD 5's expansion of the transparency obligations was necessary given the difficulties in defining the circumstances and conditions under which such a legitimate interest arises. The CJEU held that this does not support the EU co-legislators' decision to provide for public access to the relevant data. The CJEU's Press Release stated that (its emphasis in bold – albeit not binding upon the CJEU and our clarifications in square brackets):
"In particular, the fact that it may be difficult to provide a detailed definition of the circumstances and conditions under which such a legitimate interest exists, relied upon by the [European] Commission, is no reason for the EU legislature to provide for the general public to access the information in question. The [CJEU] adds that the optional provisions which allow Member States to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, respectively, are not, in themselves, capable of demonstrating either a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse."
The CJEU therefore reached the conclusion that the additional provisions of AMLD 5 whereby EU Member States have the option to make access to UBO information subject to condition of online registration with the transparency and/or UBO register and equally to exceptionally limit such access to information would not present a sufficient safeguard of UBO's rights in protecting their personal data as they are permitted to do so pursuant to the fundamental rights afforded to them under the Charter.
Resulting problems for Obliged Entities and market participants
The fallout of the Judgment was felt immediately with a number of national transparency and UBO registers shutting down public access so as to comply with the CJEU's ruling and prevent any further unlawful access. As such, it is currently not possible to get information about UBOs of companies registered in some EU Member States, which makes difficult for some Obliged Entities but equally other market participants who may have various compliance requirements, in particular when fulfilling their know-your-counterparty/customer due diligence (collectively, KYC) obligations as required by the AMLDs and indeed under FATF standards both at the inception and during the lifetime of a business relationship.
As a further complication, even if a relevant register is not shut down, but instead cannot be directly accessed anymore, (without showing a legitimate interest or registration etc., where this remains possible), persons that are required to comply with the AMLD/FATF standards might also be prevented from performing their KYC checks in a timely manner. Obliged Entities that have AMLD/FATF compliance obligations must therefore adapt their processes, depending on the different markets they operate in and may need to adjust various policies and procedures as well as information gathering means and contractual rights when dealing with their counterparties, clients and customers. The following fallback solutions however may provide some interim relief, even if they are perhaps time consuming and possibly costly. These include:
- Requesting that a counterparty, client or customer provide a certified ownership chart, including all details of its UBOs and requesting certified extracts from transparency and UBO registers, which the counterparty/customer, as data owner, can provide; and/or
- Working with specialist firms who continue to have access to transparency and/or UBO registers to provide the information detailed in point 1 where one's own access is no longer as easily accessible or reliable.
However, in both cases, it must be considered to not circumvent the justified data protection concerns, that the CJEU pointed out, by requesting third parties with the provision of the data.
Outlook ahead
The Judgment comes at a difficult stage of the EU's efforts to combat financial crime and sanctions compliance. Nevertheless, the Judgment may provide an opportune incentive for EU legislative and regulatory policymakers to redress some of the key questions raised by the CJEU when finalising the forthcoming AMLR as well as the mandate and powers of AMLA at a faster pace. This would provide much needed clarity and uniformity for what is expected of Obliged Entities and market participants more broadly.
Any further versions of the AMLR will therefore have to be drafted so as to respect the CJEU's rationale reached in its Judgment in respect of the Charter but be balanced against the overarching aims of the European Commission (as well as EU Member States) in complying with FATF standards. If the AMLR cannot be used as a means of resolving the unclear state of AMLD compliance, it runs the risk of leading to the EU's financial crime prevention and sanctions compliance efforts across the entirety of the Single Market, and not just for financial services, being even more fragmented than before the adoption of AMLD 5 let alone AMLD 4.
What remains equally important is that the CJEU's rationale in its Judgment could lead to further cases on similar matters, notably with respect to other data collection and centralised reporting requirements as (currently) applicable in other registers required by what remains still valid EU and/or national law.
Footnotes
1 Press release available here. Judgment in full available here.
2 A reference for a preliminary ruling of the CJEU allows the courts and tribunals of an EU Member States, in disputes which have been brought before them, to refer questions to the CJEU about the interpretation of European Union law or the validity of a European Union act. The CJEU does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the CJEU's decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
3 Such as situations in which the UBO were to be exposed to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.
4 As at the time of writing, this includes Luxembourg and the Netherlands.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
