Coming in 2018: More Transparency, More Third-Party Risk
December 27th, 2017
Prepare yourselves, corporate compliance officers: compliance with anti-money laundering rules in the European Union is about to get even more prickly.
In mid-December EU lawmakers adopted amendments to the region’s 4th AML Directive that will bring more transparency and enforcement to the corporate world. The intention is noble: to crack down on money-laundering, tax evasion, and other corporate corruption, as put on display by the release of the Panama Papers in 2016. Compliance officers, however, will have fresh challenges for disclosure, third-party governance, and enforcement risk.
Under EU law, member states now have 18 months to “transpose” the requirements of the AML Directive into national law. Which means you have no more than 18 months to assess your company’s exposure and stay ahead of these new demands.
Let’s review what the new amendments require:
- That all companies disclose their “beneficial” owners (that is, the persons who really control the business) in a publicly available register. Until now, the directive required a register, but allowed states to restrict public access;
- That all trusts disclose the same in a register not available to the public, but still available to tax and law enforcement authorities, as well as businesses subject to AML rules;
- That all member states verify the accuracy of data companies and trusts submit to those registers;
- That AML rules be extended to virtual currencies and works of art.
In other words, the EU is expanding its definition of AML risk (to include virtual currencies and works of art), collecting new troves of data on the people behind economic transactions, and making that data available to the public and law enforcement agencies. The consequences for third-party oversight, and for the compliance programs responsible for that oversight, will be significant.
First, outside stakeholders will expect corporations to put all this new data to work.
For example, the Panama Papers exposed clandestine business relationships that were questionable at best, and many were solely devoted to tax avoidance or other illicit activity. Once upon a time, a company might have been able to claim that it didn’t know it played an unwitting role in that activity.
Well, that claim rings hollow if the ownership data of other parties is available for anyone to see. Journalists, shareholder activists, anti-corruption groups: they’ll all be able to hold up a company’s business partners and transactions for scrutiny. In our social media age, that might result in swift, harsh judgments from the public (which might not even be accurate, if the public doesn’t know all the facts).
More transparency is a good thing, but it heightens a company’s reputation risk. And few things alarm a board more than sudden, unexpected attacks on the company’s reputation.
Second, law enforcement will put this new data to work, too. Anti-corruption activists were disappointed that ownership data about trusts won’t be publicly available, but it will still be available to AML, tax, and anti-corruption authorities. Therefore, a company’s enforcement risk will increase if it does business with suspected tax cheats, money-launderers, or persons on sanctions lists.
From a business perspective, then, the risk (and therefore the cost) of a lax approach to customer due diligence and third-party risk management will increase. So the simplest, best way to avoid that risk will be improved customer due diligence that weeds out those risks before they infect your enterprise.
The good news is that AML risk and customer due diligence aren’t new concepts. Policies to prevent AML risk, procedures to perform due diligence, systems to gather useful data so your compliance program can actually do its job — those building blocks already exist. They may not work well at your specific company, or they may need new attention to address the heightened risks the expanded AML Directive just created; but they exist.
The challenge in the near term will be to measure the gap between what your company does now for customer due diligence, and what it should do in the future to address those heightened new risks. Some of it might be prosaic: documentation, to satisfy regulators that will be checking all the ownership data companies file. Some might be strategic: “Do we really want to keep working with this type of customer, or in this line of transaction, if the public will be watching?”
Without question, however, the risks are about to go up. Compliance functions will need to plan accordingly.