Closing public access to RBE: background and impact

In the early stages of the summer break, which is often synonymous with a slowdown in the news, an article in Le Monde on June 16, 2024 upsets this quietude and the priorities of compliance functions. This article announces the closure on July 31 of public access to the Register of Beneficial Owners (RBE), used directly or via service providers by many compliance functions to obtain the names of the beneficial owners of a French company as part of their AML/CFT or anti-corruption vigilance measures.

While the impact is limited, if not non-existent, for almost all of Ellisphere's compliance and customer functions, we felt it was important to take a look at the whole subject from the outset, to understand its ins and outs.

The^4th AML directive: the origin of the GBR

The origin of the register of beneficial owners comes from the transposition of the 4th AML Directive no. 2015/849 of May 20, 2015 (known as AMLD4) into French law. One of the recitals (14) reads:

"The need for accurate and up-to-date information on the beneficial owner [...]. Member States should therefore ensure that entities established on their territory in accordance with national law collect and maintain sufficient, accurate and up-to-date information on their beneficial owners [...],

Member States should ensure that information on beneficial owners is kept in a central register held outside the company, in full compliance with Union law. [...].

Member States should ensure that, in all cases, this information is made available to the competent authorities and FIUs (Financial Intelligence Units), and is communicated to reporting entities when the latter take customer due diligence measures..

Member States should also ensure that access to information on beneficial owners is granted, in accordance with data protection rules, to other persons who can demonstrate a legitimate interest in money laundering, terrorist financing and related underlying offences such as corruption, criminal tax offences and fraud.

Persons demonstrating a legitimate interest should have access to information concerning the nature and extent of the effective interests held in the form of their approximate weight."

This desire is reflected in article 30 of the same directive.

In France, this requirement was transposed into the French Monetary and Financial Code (CMF) by Order no. 2016-1635 of December 1, 2016 strengthening the French system for combating money laundering and the financing of terrorism, and in particular Article 8*. This has led to the creation of Section 9, entitled "The register of beneficial owners". Among other things, this new section includes the creation of article L561-46 of the CMF, which defines those who may access data on beneficial owners as follows:

"1° The company or legal entity that filed it ;

2° Without restriction, the following competent authorities, within the framework of their mission:

-judicial authorities ;

-the national financial intelligence unit referred to in article L. 521-23;

-customs officials acting on the basis of the prerogatives conferred by the Customs Code;

-authorized agents of the public finance administration responsible for tax control and collection;

-the supervisory authorities referred to in article L. 561-36 ;

3° Persons subject to the anti-money laundering and combating the financing of terrorism (AML/CFT) legislation mentioned in article L. 561-2, as part of at least one of the due diligence measures mentioned in articles L. 561-4-1 to L. 561-14-2;

4° Any other person demonstrating a legitimate interest and authorized by the judge responsible for overseeing the trade and companies register in which the company or legal entity referred to in 1° is registered.

It is interesting to note that, in its first version, the RBE was primarily intended for control purposes, whether by the authorities or by entities subject to anti-money laundering regulations as part of their due diligence measures. It was also a response to a major difficulty encountered by these entities in implementing their due diligence measures.

If a legitimate interest in accessing the information was already present to cover other unexplained needs, this was left to the discretion of the judge responsible for overseeing the Trade and Companies Register.

The ^5th directive: opening to the public...

Dated May 30, 2018, the 5th AML Directive (AMLD5) n° 2018/843)) amends the^4th... The terms and conditions of access to the EBP are part of the scope of the text.

Recitals 30 to 35 explain some of the reasons for the changes made, stressing the benefits of public knowledge of BEs (30, 31, 32), the objective and necessity of establishing a "clear rule for public access, so that third parties can identify, throughout the Union, who the beneficial owners of companies and other legal entities are" (33), while recalling that " a fair balance should, in particular, be sought between the interest of the general public in the prevention of money laundering and terrorist financing and the fundamental rights of the persons concerned " (34). Article 15 of this directive amends article 30 of the^4th and these changes are transposed into French law via Ordinance no. 2020-115 of February 12, 2020 reinforcing the national system for combating money laundering and the financing of terrorism. It amends art L.561-46 of the CMF by :

• Amending points 1, 2 and 3 from previous transposition
• Transforming the previous point 4 into " Only information relating to the name, surname, pseudonym, forenames, month, year of birth, country of residence and nationality of the beneficial owners and the nature and extent of the beneficial interests they hold in the company or entity shall be accessible to the public."

We can see that this transposition has had the effect, on the one hand, of considerably widening the scope of those who can access the information, and on the other, of removing the need to go through a judge; thus opening the way to more rapid exploitation of the data for various uses such as the vigilance measures imposed by Art 3 and 17 of the Law of December 9, 2016, known as the Sapin II Law.

...invalidated by the European Court of Justice

It is precisely the ^5th Directive's amendment of Article 30 of the^4th AML Directive that is the basis for the decision of the Court of Justice of the European Union (CJEU) on November 22, 2022.

To sum up, the Court held that "public access to information on beneficial owners constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter. The information disclosed enables a potentially unlimited number of people to find out about the material and financial situation of a beneficial owner. Moreover, the potential consequences for data subjects resulting from the possible misuse of their personal data are aggravated by the fact that, once made available to the general public, such data can not only be freely consulted, but also stored and disseminated".

However,"the Court notes that, by the measure at issue, the Union legislature aims to prevent money laundering and terrorist financing, by creating, through increased transparency, an environment less likely to be used for those purposes". It considers that "the legislature is thus pursuing an objective of general interest capable of justifying interference, however serious, with the fundamental rights enshrined in in articles 7 and 8 of the Charterand that public access to information on beneficial owners is likely to contribute to the attainment of that objective. The Court finds, however, that the interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued."

So it's not the BGR itself that is deemed invalid, or even the distribution to the public, but rather the very modalities of this distribution and the absence of limits. Among the collateral effects, NGOs and press organizations whose legitimate interest is confirmed by the ruling are taking to the streets, as the decision has a considerable impact on their activities.

Immediate and later reactions

As mentioned in this blog post, this ruling has generated numerous other reactions and actions.

Firstly, most European BPRs immediately ceased public access. France, on the other hand, decided to maintain access via the INPI (Institut National de la Propriété Industrielle) APIs - used by Ellisphere - through the datainpi.fr website or via Infogreffe. Technical difficulties had led INPI to believe that this RBE would be discontinued, but the reason for this was to be found in the opening of the new "Registre National des Entreprises" rather than in the CJEU ruling. In a press release dated January 19, 2023, the French Minister of the Economy justified the maintenance of a publicly accessible RBE by " waiting to draw all the consequences of the ruling of the Court of Justice of the European Union", and announced that "future modalities of access to the data of the register of beneficial owners taking into account the decision of the CJEU" would be defined.

The summer of 2023 saw a new twist, as the law firm behind the CJEU ruling referred the case to the European Commission and the CNIL, asking them to issue a formal notice to France to comply with the CJEU ruling, " the first stage in the infringement procedure". This action was aimed at France and all other countries failing to comply with the CJEU ruling, such as Latvia, Estonia and Denmark.

The recent ^6th AML directive sets appropriate limits

The European Commission was quick to react, declaring its willingness to comply with the ruling. The "AML package", a set of EU texts on AML and FT, seemed the perfect legislative vehicle.

Included in the package is the ^6th AML directive (AMLD6 - 2024/1640) published in the OJEU in June 2024. This is of fundamental importance, as it will eventually repeal AMLD4 and AMLD5, replacing them in their entirety.

The changes will be applied in successive stages.

By July 10, 2025, France must have transposed Art. 74, which remodifies art. 30 of AMLD4 (2015/849) as amended by the 5th. In concrete terms, we're back to the original version of AMLD4, since the access "to any member of the general public" brought in by AMLD5 reverts to : " to any person or organization able to demonstrate a legitimate interest", thus enacting the CJEU ruling as quickly as possible.

For July 10, 2026, it will be necessary to go further and transpose articles 10, 11 and 12 of the ALMD6. The GBR is defined in article 10, and its access modalities in articles 11 and 12. Article 11 deals with access by competent authorities, self-regulatory bodies and reporting entities, and does not fundamentally change anything in relation to previous requirements.

Article 12, on the other hand, goes on to define "the specific rules for access to the GDPR by persons having a legitimate interest". In particular, it lists the natural or legal persons "deemed to have a legitimate interest" and therefore entitled to access certain information on beneficial owners.

We can therefore consider that the CJEU ruling is reflected in article 12 of the AMLD6, which also allows "case-by-case" access to information on BEs by persons beyond this list.

The remainder of AMLD6 must be transposed by July 10, 2027, the date on which AMLD4, as amended by AMLD5, will be repealed.

Summer 2024: public access to the RBE closes, as announced in Le Monde article

In the article in Le Monde, we learn that the CNIL has given formal notice to the Ministry of the Economy to comply with the CJEU ruling. In concrete terms, this will take the form of an email from INPI (attached to Bercy) on July 12, 2024, confirming that public access will be definitively closed on July 31, 2024, and that access will be maintained for those with a legitimate interest, with supporting evidence to be provided. Infogreffe will do the same.

Although the AMLD6 has not yet been transposed into French law, the operational procedures have already been put in place, to avoid any interruption of access to "natural and legal persons deemed to have a legitimate interest".

The other interesting fact is that those subject to Art 17 of Law 2016-1691 of December 9, 2016, known as the Sapin II Law, relating to the implementation of a system for the prevention and detection of corruption, are explicitly cited by INPI as having a legitimate interest in accessing certain data on beneficial owners, as corruption is considered to be an offence underlying money laundering.

In conclusion

Leaving aside the debates on the transparency of economic and financial life, and the hindsight generated or not by this CJEU ruling and its operational consequences, subjects which have been discussed at length, the first thing we'd like to point out is that, in the final analysis, the impact on compliance departments is nil or almost nil.

For Compliance departments of entities subject to AML/CFT requirements, the impact is clearly nil. Nothing changes for them in terms of access to BGR data. That said, the AMLD6 recognizes that their technical service providers, known as "AML/CFT product suppliers", have a legitimate interest in accessing the data. It should be noted, however, that the scope of accessible data is limited, whereas reporting entities have access to complete data. By way of example, the full date of birth will not be communicated, even though it is invaluable in false-positive filtering operations (combined with the identity document often in the taxable person's possession).

Compliance departments of companies subject to the Sapin II law will gain in clarity, as their legitimate interest is duly specified in the INPI documents to be completed. There is one drawback, however: companies that have voluntarily set up a system to prevent and detect corruption, as encouraged by the AFA, could be excluded, and thus have to make requests on a "case-by-case" basis.

*In the same year, art. 139 of the Sapin II law referred to this point, while leaving the details to a decree which will never see the light of day, leaving the ordinance to define the modalities of access.