The end of the unrestricted access to the Luxembourg register of beneficial owners - ECJ joined cases C‑37/20 and C‑601/20
As we reported in our newsletter dated 27 May 2022, the European Court of Justice (the “ECJ”) had to rule for several months on the compatibility of access to the Luxembourg Register of Beneficial Owners (the “RBO”) system with European law.
The legal opinion of Advocate General Pitruzzella raised in 2022 the issue of the open-data system: anyone, without specifying his or her identity, could have access to the RBO, which the Advocate General considered incompatible with the duties of the Member States concerning privacy.
The ECJ recently ruled in a judgment of 22 November 2022 that public access to beneficial ownership information under the amended AML Directive (the Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing) constitutes a serious interference with the fundamental rights to privacy and personal data protection enshrined in Articles 7 and 8 respectively of the Charter of Fundamental Rights of the European Union (hereinafter the “Charter”).
More specifically, the data that anyone could find on the RBO allows:
- to draw up a profile of certain personal identification data, the state of wealth of the person concerned and the specific economic sectors, countries, and companies in which he or she has invested.
- this information becomes accessible to a potentially unlimited number of persons so that such processing of personal data is likely to also allow persons who, for reasons unrelated to the purpose of this measure, seek information on the material and financial situation of a beneficial owner, to have free access to this information.
- the potential consequences for data subjects resulting from possible misuse of their data are aggravated by the fact that once made available to the general public, they can not only be freely consulted, but also stored and disseminated and that it thus becomes all the more difficult, or even illusory, for those persons to defend themselves effectively against misuse.
The open-data system of the RBO affects the privacy rights of the listed beneficial owners. Therefore, the ECJ held that this serious interference can be derogated from and that in this respect the interference is justified by a general interest objective because the Directive at the source of the RBO institution: “aims at preventing money laundering and terrorist financing by creating, through increased transparency, an environment less likely to be used for these purposes.”
Firstly, the ECJ found that serious interference, even if justified, is not confined to what is strictly necessary. The conditions of access to the RBO go beyond what is strictly necessary, even if the press and the usefulness of the RBO to criminal investigations are not in dispute. Secondly, the ECJ finds that the interference is not proportionate either. In this respect, the Court finds that the substantive rules governing that interference do not meet the requirement of clarity and precision.
The fight against money laundering and terrorist financing is primarily the responsibility of the public authorities as well as of entities, such as credit or financial institutions, which, because of their activities, have specific obligations in this respect (the “KYC duties”). For this reason, the amended AML Directive provides that information on beneficial owners must be accessible, in all cases, to the competent authorities and financial intelligence units, without any restriction, as well as to reporting entities, in the context of customer due diligence.
In comparison with the previous regime, which provided access to information on beneficial owners not only for the competent authorities and certain entities but also for any person or organisation able to demonstrate a legitimate interest, the regime introduced by Directive 2018/843 represents a considerably more serious infringement of the fundamental rights guaranteed by Articles 7 and 8 of the Charter, without this aggravation being offset by the possible benefits, which could result from the latter regime compared to the former, as regards the fight against money laundering and terrorist financing.
Following this decision, access to the RBO was immediately suspended in Luxembourg as of 22 November 2022.
European Court of Justice issues clarification on Luxembourg Business Registers and fundamental rights of beneficial owners
The EU’s fourth Anti-Money Laundering Directive established a new regime for public access to registers of beneficial owners of companies and other legal entities incorporated in member states, requiring their governments to obtain and maintain adequate, accurate and up-to-date information on beneficial owners. In Luxembourg, the directive was transposed by the law of January 13, 2019 establishing a register of beneficial owners.
Any member of the public has access to the information on beneficial owners contained in the registers without the requirement to prove a personal interest. Until this year, the validity of this regime in the light of the fundamental right of respect for privacy and family life and the protection of personal data, enshrined in articles 7 and 8 respectively of the EU Charter of Fundamental Rights of the European had never been examined.
However, Luxembourg’s district court (Tribunal d’arrondissement de et à Luxembourg) submitted two references for a preliminary ruling to the European Court of Justice questioning whether access to personal data complied with the principles of the European legislation and whether access provided sufficient protection for economic beneficiaries without representing illegal intrusion. The decision in these linked cases is of significant importance regarding potential restrictions applicable to information in the Register of Beneficial Owners.
Challenge to Luxembourg’s beneficial ownership register regime
Case C-37/20
In case C-37/20, an individual brought an action against Luxembourg Business Registers, the economic interest group that has been managing the country’s Register of Beneficial Owners (Registre des bénéficiaires effectifs or RBE) since March 1, 2019. The proceedings before the Luxembourg court were to limit access to information about the plaintiff, a corporate officer of an entity listed in the register. The applicant argued that publication of this information would expose him and his family to “a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”.
The legal ground for this action was article 15 of the 2019 law, which states that a registered entity or beneficial owner may request, on a case by case basis with appropriate justification, that the manager limit access to the information referred to in article 3 to national authorities, credit and financial institutions, and court bailiffs and notaries acting in their capacity as public officers, in exceptional circumstances where access would expose the beneficial owner to a disproportionate risk of fraud, abduction, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or is otherwise incapacitated.
The applicant argued that disclosure of the economic beneficiary information would place him in a dangerous position. He could become subject to the pressure of an economic struggle for control of his companies and endanger his safety due to his travels in hostile territories. However, the LBR rejected the application on the grounds that article 15 should be interpreted narrowly and that the applicant’s activities were in the public domain. The plaintiff appealed the decision before the Luxembourg district court.
Case C-601/20
In a parallel procedure, the alleged insufficient protection of information available at the register was also challenged by a Luxembourg company, SOVIM SA, which criticised the Luxembourg legislature for failing to incorporate adequate security measures to establish the identity of persons accessing the information in the register.
According to the claimant, Luxembourg’s beneficial ownership register regime would infringe the right to protection of the beneficial owner’s private and family life, as provided for in article 8 of the European Convention on Human Rights on protection of private and family life, home and correspondence, article 7 of the EU’s Charter of Fundamental Rights and article 11(3) of the Luxembourg Constitution.
SOVIM also asserted that public access to personal data contained in the register is a breach of various fundamental principles set out in the EU’s General Data Protection Regulation of April 27, regarding the processing and free movement of personal data.
Interpreting ‘exceptional circumstances’, ‘risk’, ‘data protection’ and ‘private family life’
Issues at stake
In case C-37/20, the Luxembourg judge, responding to the application for annulment of the decision not to restrict access to information regarding the claimant in the RBE, noted a divergence in interpretation of the scope of the exception provided for in article 15 of the 2019 law. Noting that the preparatory work of the EU directive did not allow exceptions to the publication of beneficial ownership information, in particular with regard to the concepts of exceptional circumstances and risk, the judge concluded it was necessary to refer the question to the ECJ for a preliminary ruling.
Furthermore, it was unclear whether publication of the information solely involved beneficial owners, or whether it also applied to the corporate officers of an entity, as in the C-37/20 case. The question at issue is therefor whether a corporate officer is entitled to invoke a derogation not to be listed in the register.
In case C-601/20, the issue concerned public access to the RBE and the claimants’ argument that open access is not necessary to achieve the goal of combating money laundering and financing of terrorism. They say the existing requirements entail a serious and disproportionate interference in the private lives of beneficial owners, criticising the Luxembourg law for not creating security measures to establish the identity of persons seeking access to the information in the register, for example by requiring them to create an account on its website.
They argued that any person could obtain access to the register in total anonymity with prejudice to the claimant, raising the risk of economic profiling – that the Register of Beneficial Owners could be exploited by private economic intelligence or strategy firms to conduct data mining, for example in view of a possible hostile takeover bid.
The position of the court’s advocate-general
The court’s advocate-general, Giovanni Pitruzzella, noted in his opinion that the principle of transparency, as enshrined in European primary law, can lead to a delicate balancing act. He also recalled that the philosophy of the EU directive was to “set out a comprehensive and effective legal framework to combat the collection of property or money for terrorist purposes, requiring member states to identify, understand and mitigate the risks of money laundering and financing of terrorism”.
The advocate-general concluded that the actions to identify beneficial owners do constitute an infringement of the fundamental rights guaranteed in articles 7 and 8 of the Charter of Fundamental Rights. However, he pointed out that the data available in register is linked to the civil (date of birth, name) and economic (interest shares) status of the beneficial owner and therefore appears less sensitive than other categories of personal data.
Although access to such data may provide a limited view of a person’s wealth, it does not generally allow accurate conclusions to be drawn regarding the individual’s total wealth nor to draw precise conclusions about their investment profile. Therefore, according to the advocate-general, the potentially harm to persons affected by such infringement may be regarded as moderate.
Nonetheless, Mr Pitruzzella pointed out that member states may, under certain conditions determined by national law, give access to additional information allowing the identification of the beneficial owner (at least, date of birth or contact details, depending on data protection rules). This ability to extend the amount of data concerning beneficial owners that is accessible to the public could potentially give rise to additional infringement of the fundamental rights guaranteed in articles 7 and 8 of the charter.
He concluded that the provision under which member states may make additional data available to the general public, which is not precisely defined or determinable, does not satisfy the requirement that the information is sufficiently precise, as laid down by the directive itself. As a result, his opinion was that the fourth Anti-Money Laundering Directive is invalid in this respect.
Turning to the data protection issue, the advocate-general concluded that the GDPR does not object as such to the creation of a register containing personal data that is accessible to the general public, therefore to an unlimited and indeterminate number of persons, without control and justification, and without the subject of the data being able to know who has access to it.
On the question of the proportionality of disclosure of data on beneficial owners, Mr Pitruzzella referred to the principle of data minimisation. He considered that indicating the name, month and year of birth can be considered a minimum and sufficient set of data to precisely identify the beneficial owner, while nationality appears relevant and necessary information for determining potential money laundering or financing of terrorism risks.
Regarding the indication of the nature and extent of beneficial interests held, these constitute a minimum and sufficient set of data to identify the scope of the investment or participation, which is also relevant for the assessment of the risk of misuse of companies and other legal entities for money laundering or financing of terrorism. In the advocate-general’s view, this regime does not result in disproportionate interference with the fundamental rights of the subjects of the data, in particular their right to respect for private life and the protection of personal data, as guaranteed by articles 7 and 8 of the charter.
The provisions of the GDPR must also be interpreted as not precluding a register from being partially accessible to the public, without any requirement to demonstrate a legitimate interest or limitation as to the location of those accessing data, he concluded. However, according to Mr Pitruzzella, the transfer of data from a register may be carried out only in accordance with article 49(1)(g) of the GDPR, if the conditions for consultation of the register provided for by law are fulfilled and provided that the consultation does not involve the entire register.
On interpretation of the notion of exceptional circumstances, the advocate-general advised that the Luxembourg judge is required to interpret the AML directive in a manner consistent with the fundamental rights guaranteed by the charter, specifying that the derogations are of strict interpretation.
Potential consequences for Luxembourg’s RBE regime
The advocate-general concludes, first, that article 30(5a) of the fourth Anti-Money Laundering Directive, read in the light of articles 7, 8 and 52(1) of the Charter of Fundamental Rights, must be interpreted as meaning it is incumbent on member states to ensure that the national bodies or authorities responsible for keeping registers of beneficial owners are aware of the identity of individuals or entities that access the register. The open data system of the Luxembourg register could be illegal in this respect.
Secondly, the existence and disproportionate or otherwise nature of such a risk may be determined by considering links between the beneficial owner in question with companies and other legal entities, as well as with trusts and legal arrangements with a similar structure or functions, in their capacity as beneficial owner of such entities, other than the one for which an exemption from public access to information concerning them is requested.
It is for the beneficiary or entity requesting an exemption from public access to information to demonstrate that these links constitute a factor that justifies or supports the existence of a disproportionate risk of harm to the fundamental rights of the beneficial owner. Article 30(9) excludes the granting of an exemption from public access to information concerning a beneficial owner where that information is easily accessible to third parties through other information channels.
To conclude, if the European Court of Justice follows the reasoning of the advocate-general, it is likely that new identification measures will be required to obtain access to the Luxembourg Register of Beneficial Owners. The derogation provided for in article 30(9) will not be granted if the economic links and interests of the beneficial owners are accessible to third parties through other information sources such as newspaper articles or online news.
A final decision from the European Court of Justice is expected shortly.
New rules clarify practical aspects of the Luxembourg Register of Beneficial Owners
The Luxembourg government adopted on February 15, 2019 a Grand-Ducal Regulation regarding the registration, fees and other charges relating to the forthcoming Register of Beneficial Owners, as well as on to the register’s information. The regulation supplements and adds additional detail to the provisions of the law of January 13, 2019 creating the register of beneficial owners. Both the regulation and legislation came into force on March 1.
Registration procedure
The regulation sets out technical details of the registration procedure for entities required to identify and disclose their beneficial owners to the Register of Beneficial Owners in accordance with the January law. The registration must be submitted online on the website of the Luxembourg Business Register (www.lbr.lu), or directly at the premises of the Luxembourg Business Register in the case of entities that are unable to complete the registration online. The registration request must be submitted in one of Luxembourg’s three official languages, French, German or Luxembourgish. This means that registration requests may not be submitted in English. If the registration request concerns one or more beneficial owner(s) who are not personally registered in the Luxembourg Register of Companies and Commerce, the request must include the beneficial owners’ official identification documents, along with a translation into French, German or Luxembourgish if the official identification document is not written in Latin characters.
Verification of information
Under the legislation, the Luxembourg Business Register can require any registered entity to verify whether the information indicated in the Register of Beneficial Owners is correct and up to date. The regulation stipulates that in such cases the entity must check the information available on the website of the Luxembourg Business Register, and either confirm its accuracy or update the information by submitting a fresh registration request online.
Access to the register
The regulation provides that certain information in the Register of Beneficial Owners concerning beneficial owners, including their name, nationality, date and place of birth, country of residence and nature and extent of their ownership interests in the entity in question, are publicly available on the website of the Luxembourg Business Register and accessible free of charge.
The public can access the information by entering details of the entity concerned, such as its name, corporate purpose or register identification number. However, it will not be possible for members of the public to search the register through the name of the beneficial owner, which is possible only only for the national authorities. It is also possible to request official extracts from the register or certificates of non-registration, which may be provided either in electronic or paper form.
Fees
Any registration or modification of the information concerning the beneficial owner is subject to a fee of €15 + VAT. Separate fees will be charged for extracts from the register or certificates of non-registration, €5 +VAT in electronic form and €10 + VAT on paper.
All entities obliged to register under the law are exempted from the payment of such administrative fees until August 31, 2019.
Circular on the Luxembourg Business Register
To clarify practical details on the registration procedure and other aspects of the functioning of the Register of Beneficial Owners, its operator, the Luxembourg Business Register, issued on February 25 Circular LBR 19/01 regarding the Register of Beneficial Owners. It contains a summary of the key elements of the law and regulation as well other practical aspects of the register. The circular is available (in French only) on the website of the Luxembourg Business Register (www.lbr.lu).
We would be happy to help you if you need any further information on the Register of Beneficial Owners.
Luxembourg law on register of beneficial owners and new corporate AML obligations
Luxembourg’s parliament adopted on January 13, 2019 legislation instituting a register of beneficial owners as part of the implementation of the EU’s fourth and fifth anti-money laundering directives. The law came into force on March 1, and existing companies have up to six months, until September 1, to comply with the new requirements.
The law applies to all entities registered with the Luxembourg Register of Commerce and Companies, including the most popular types of commercial company: public limited company (société anonyme or SA), private limited company (société à responsabilité limitée or sàrl), corporate partnership limited by shares (société en commandite par actions or SCA), common limited partnership (société en commandite simple or SCS), special limited partnership (société en commandite speciale or SCSp) and co-operative company (société cooperative or SC). Importantly, both regulated and unregulated investment funds, including open-ended and closed-ended investment companies (SICAVs and SICAFs), as well as contractual funds (FCPs), fall under the scope of the legislation.
These entities will be required to identify their beneficial owners and maintain certain up-to-date details concerning them at their registered office. This information must also be provided to the central register of beneficial owners, as described below. Listed companies whose securities are admitted to trading on regulated markets are exempt from the obligation to provide details of their beneficial owners to the register, but they must make an application for exemption.
The law establishes a central Register of Beneficial Owners (Registre de bénéficiaires effectifs, or RBE), which will retain information on the beneficial owners and make it available to public authorities, other entities and the general public. The register will be maintained and operated by the Luxembourg Business Register based on rules and procedures due to be published soon by the government.
Who is a beneficial owner?
The legislation refers to the definition of the beneficial owners provided by the Luxembourg law of November 12, 2004 on combating money laundering and the financing of terrorism, as subsequently updated. The AML law defines a beneficial owner as any individual(s) who ultimately owns or controls a legal entity or on whose behalf a transaction or activity is carried out.
In case of a corporate entity this includes any individual who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient proportion of the entity’s shares, voting rights or ownership interests. The 2004 legislation sets 25% as the minimum ownership share in an entity to be treated as indicating direct ownership.
If, after having exhausted all possible means provided by the AML law and provided there are no grounds for suspicion in this respect, no individual can be identified as the beneficial owner(s), a senior manager shall be designated in the register as the beneficial owner.
What information must be provided?
The information required comprises the following data on the beneficial owner:
name.
- nationality;
- date and place of birth;
- country of residence;
- private or professional address;
- national identity number;
- nature and extent of beneficial interests in the entity in question.
Registration requests are submitted to the Register of Beneficial Owners through the electronic platform provided by the Luxembourg Business Register. The information, including supporting documents, will be retained by the register for five years after the dissolution of the entity or it ceasing to exist.
The register may refuse the registration request if it is incomplete, does not comply with legal or regulatory requirements, or is inconsistent with the supporting documents.
Any changes to the information provided to the register must be notified within one month from the moment at which the registered entity learned or should have learned about the changes.
Criminal penalties, including fines ranging from €1,250 to €1.25 million, may be imposed on entities or their representatives if they fail to supply the information to the register by the deadline, provide partial, incorrect or outdated information, or fail to maintain up-to-date records at the registered office. The same penalties will apply to beneficial owners who fail to provide the entity with the necessary information. Anyone with access to the register who becomes aware of incorrect or missing information must inform the register without delay.
Who can access the register?
Principal information provided to the register (excluding private or professional addresses and national identity numbers) will be publicly available and can be consulted online by any person. Full, unrestricted and unlimited access will be granted to Luxembourg’s public authorities, including the public prosecutor’s office, the financial intelligence unit, the financial regulator CSSF and the tax authorities.
Exceptionally, on a case-by-case basis and subject to justification, the legislation allows entities to request restriction of access to the information included in the register. However, access restriction is possible only under certain exceptional circumstances, such as a disproportionate risk of fraud, kidnapping, blackmail, harassment or intimidation of the beneficial owner, or in cases where the beneficial owner is a minor or otherwise does not enjoy full legal rights. Restriction does not affect access by the Luxembourg public authorities.
Obligation to communicate information on the beneficial owner
The registered entity will be obliged to communicate on request all relevant information concerning the beneficial owner, as maintained in its registered office, to the Luxembourg national authorities. Communication of the information must be made to the public authority within a deadline of three days from the request.
Furthermore, unless access to this data had been restricted in accordance with the exceptional procedure described above, each registered entity must communicate relevant information on the beneficial owner (except for their private or professional address and the national identity number) to institutions and professional entities subject to anti-money laundering requirements under the AML law, including banks, financial sector professional entities, investment funds, insurance companies, notaries and lawyers. Communication of the information must be made, subject to proper justification, within three days of the request by the institution or professional entity. Failure to comply within the deadline is also punishable by fines ranging from €1,250 to €1.25 million.
For further information, please contact Olivier Sciales at oliviersciales@cs-avocats.lu.
Luxembourg introduces draft legislation to create beneficial ownership registers
Luxembourg’s government has published draft legislation to incorporate into national law the requirements under articles 30 and 31 of the European Union’s Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, better known as the 4th Anti-Money Laundering Directive.
Placed before the Chamber of Deputies on December 6, 2017, draft law no. 7217 would establish a central register of beneficial owners of Luxembourg legal entities such as companies and partnerships under the authority of the minister of justice, while draft law no. 7216 would create a similar register of beneficial owners of fiduciary contracts, that is express trusts, under the authority of the Administration de l’Enregistrement et des Domaines, Luxembourg’s indirect tax authority.
Fourth money-laundering directive
The requirement for each member state to establish beneficial ownership registers is the main new feature of the fourth AML directive, one that has already been implemented by many EU countries. While the final form of the Luxembourg legislation is subject to the parliamentary process, it is unlikely to move far away from the EU text.
The definition of beneficial owners, initially as set out in the law of November 12, 2004 on money laundering and terrorist financing, has just been amended by the law of February 18, 2018 on professional duties and regulatory powers in relation to money laundering and the financing of terrorism, which incorporates into national law other provisions of the fourth AML directive governing information on the transfer of funds.
While the directive and the Luxembourg legislation are intended to create greater transparency regarding owners and beneficiaries of corporate and fiduciary structures, the government has chosen to incorporate safeguards against improper access to the registers and use of the data they contain.
Who is a beneficial owner?
The newly-enacted law designates the beneficial owner as any individual who ultimately possesses or controls the entity in question or for whom a transaction or activity is carried out. For companies and similar entities, this means that directly or indirectly, they possess or control a sufficient proportion of shares, voting rights or capital interest, including via bearer shares or other means, in an entity other than one listed on a regulated market and subject to EU or equivalent international requirements on transparency of ownership.
Direct ownership is measured by a shareholding exceeding 25% of the capital held by an individual, or indirect ownership by a shareholding exceeding 25% held by one or more companies controlled by the same individual(s). The law states that if this definition does not identify one or more beneficial owners, the designation applies to any individual acting as the principal executive of the entity.
In the case of fiduciary arrangements and trusts, the designation covers the settlor, any trustees, the protector (if applicable) and the beneficiaries, or, if these have not yet been designated, the category of persons for whose benefit the trust or entity has been established, any other person exerting ultimate direct or indirect control over the fiduciary arrangement or trusts. The same applies to any individuals exercising equivalent roles for legal entities such as foundations or structures similar to trusts and fiduciary arrangements.
What kind or corporate entities are covered?
The register of beneficial owners under draft law no. 7217 covers all Luxembourg commercial companies and other legal entities recorded in the country’s trade and companies’ register. These include commercial companies, including public limited companies, private limited companies, simplified joint stock companies, simplified private limited companies, partnerships limited by shares, common limited partnerships, special limited partnerships; foundations and non-profit organisations; civil law partnerships; national or European economic interest groupings; corporate investment funds; pension, mutual insurance and agricultural associations; and state and municipal public bodies.
Excluded from the requirement are companies listed on regulated markets in Luxembourg, in the European Economic Area or any other country with equivalent regulatory standards, as well as mutual funds (FCPs) and branches of foreign companies.
What are companies’ obligations?
Entities covered by the law will be required to obtain and keep complete, accurate and up-to-date information on their beneficial owner(s) at the entity’s registered office. The information must be provided to the central register of beneficial owners (Registre des bénéficiaires effectifs, or REBECO), which is maintained by the Luxembourg trade and companies’ register but separate from it.
Existing companies will have up to six months after the legislation comes into force to apply to REBECO for registration of the required information; subsequently they must apply for registration within a month of becoming subject to the law’s requirements.
Criminal penalties, including fines of between €1,250 and €1.25 million, may be applied to entities or their representatives that fail to supply the information to the register within the deadline, knowingly provide partial, incorrect or outdated information, or fail to maintain up-to-date records at their registered office. Anyone with access to REBECO who becomes aware of incorrect or missing information must inform the register without delay.
What information must they provide?
The information required includes the identity of the beneficial owner, their date and place of birth, nationality, and private or professional address of residence and national identity number, as well as the nature and extent of beneficial interests held in the entity in question. A future grand-ducal decree will set out the list of supporting documents that must be attached to the request for registration with REBECO. The information, including supporting documents, will be kept by REBECO for five years after the dissolution of the entity or it ceasing to exist.
Entities or their representatives, which can include the appointed notary or the creator of the applicable incorporation deed or any amending deed of the entity in question, must apply electronically to the register for registration. Once the request is filed, the administrator has three working days to process the registration.
The administrator may refuse the registration request if it is incomplete, does not comply with legal or regulatory provisions, or is inconsistent with the supporting documents. They will then send the applicant a request for regularisation, giving the applicant 15 days to comply. In the event of refusal of registration, the administrator will notify the applicant, citing the reasons for its decision; the applicant has a right of appeal against a refusal.
Who can access the REBECO register?
Full, unrestricted and unlimited electronic access to the information held by REBECO will be limited to national public authorities, including the public prosecutor’s office, the Financial Intelligence Unit, the Financial Sector Supervisory Authority (CSSF), the insurance regulator (Commissariat aux Assurances), direct and indirect tax authorities, and customs and excise.
Professional self-regulatory bodies such as the Bar Council, Chamber of Notaries, Institute of Auditors, Order of Accountants and Chamber of Bailiffs, will also have electronic access to the register, subject to authorisation from the REBECO manager, but strictly limited to the exercise of their obligation to monitor the compliance with anti-money laundering and financing of terrorism obligations. They are not entitled to access the address or national identity numbers of beneficial owners.
Entities subject to anti-money laundering obligations such as banks, financial sector professional entities, insurance businesses and UCITS management companies, including foreign entities active in Luxembourg under freedom of services rules, may also obtain restricted access to REBECO, excluding the address or national identity numbers of beneficial owners, to comply with their obligations to carry out due diligence on their clients. A self-regulatory body or AML-subject entity can face a criminal fine of between €1,250 and €1.25m for making an unjustified request for access.
Can ordinary individuals access the register?
Restricted access, initially physical, may be granted to any Luxembourg-resident individual or organisation that can demonstrate a legitimate interest with regard to anti-money laundering efforts, subject to a formal written application justifying the request and its approval by a co-ordination committee to be created by the minister of justice. The entity concerned may contest the request.
In such cases, the applicant cannot access the beneficial owner’s date and place of birth, address and national identity number. Electronic access may be requested starting six months following the entry into force of the law; no access to the supporting documents will be permitted.
Exceptionally, any entity covered by the register may request restriction of access to their data in REBECO to national authorities if they can demonstrate that broader access might expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation, or if they are a minor or otherwise do not enjoy full legal rights. In such cases, the administrator will refer the request to the co-ordination committee, which will decide on the legitimacy of the request and inform the entity and administrator accordingly. Pending the decision, access will be temporarily limited to national authorities.
How do the rules differ for trust information?
The regime governing the register of trusts and fiduciary arrangements (Registre des Fiducies), as defined by Luxembourg’s law on trusts and fiduciary contracts of July 27, 2003, is broadly similar to that for REBECO, but with certain differences reflecting their different nature.
The trustees of any express trust governed by Luxembourg law and that entails tax consequences must obtain, hold, maintain and upload information in the central fiduciary register. They must request registration of the trust within six months of the law coming into force.
Compliance by trustees with these requirements and other professional obligations defined by the AML law is monitored by regulatory authorities, which may impose administrative penalties such as a fine or temporary suspension from exercising professional activity.
What information must trustees provide?
The information must include the identity of the settlor, trustee(s), protector (if any), beneficiaries or class of beneficiaries, as well as any other individuals exercising effective control over the trust. If beneficiaries are designated by characteristics or categories, the trustee must obtain sufficient information to be able to identify them at the time of a pay-out or when the beneficiaries exercise their vested rights.
The information must be kept in the register for five years following the dissolution or termination of the trust. Anyone with access to the register that detects incorrect or missing information must inform its manager without delay.
If the parties to the trust to be identified are individuals, the trustee must collect the same information as for beneficial owners of companies and other entities, apart from the nature and extent of the interests held. If they are legal entities, the trustee must obtain their legal designation, including any abbreviation or commercial brand, their registered address, and the registration number or name if they are entered in the Luxembourg Trade and Companies Register, or any foreign registration number if they are not.
Who can access the trust register?
Trustees must provide the identity of the parties to the trust and its registration number on request to the national authorities, disclose their status as trustees and provide information to entities subject to AML requirements with which they enter into business relationship in their capacity as trustees, or carry out transactions exceeding thresholds defined in the AML Law.
Access to the trusts register is limited to national authorities. The law, which provides extended supervisory and sanctioning powers to the Administration de l’Enregistrement et des Domaines, calls on the public regulatory authorities, including the CAA and CSSF, to co-operate and exchange any relevant information in order to perform their duties as stipulated by the beneficial ownership registry legislation and Luxembourg’s anti-money laundering law.
The creation of these two new registers will give rise to additional obligations and responsibilities for companies and trustees in Luxembourg, which should begin preparations even though the draft legislation may be amended before becoming law. Stakeholders affected by the two registers should also bear in mind that they will have to comply with applicable data protection laws, notably the EU’s General Data Protection Regulation, which will come into force on May 25, 2018.
