Eric Lochner: Public registers expand EU third-party compliance risks

In mid-December EU lawmakers adopted amendments to the region’s 4th AML Directive that will bring more transparency and enforcement to the corporate world.

The intention is noble: to crack down on money-laundering, tax evasion, and other corporate corruption, as put on display by release of the Panama Papers in 2016.

Compliance officers, however, will have fresh challenges for disclosure, third-party governance, and enforcement risk.

Under EU law, member states now have 18 months to “transpose” the requirements of the AML Directive into national law. Which means you have no more than 18 months to assess your company’s exposure and stay ahead of these new demands.

The new amendments require that:

  • All companies disclose their “beneficial” owners (that is, the persons who really control the business) in a publicly available register. Until now, the directive required a register, but allowed states to restrict public access,
  • All trusts disclose the same in a register not available to the public, but still available to tax and law enforcement authorities, as well as businesses subject to AML rules,
  • All member states verify the accuracy of data companies and trusts submit to those registers, and
  • AML rules be extended to virtual currencies and works of art.

Under the 4th AML Directive, the EU is expanding its definition of AML risk to include virtual currencies and works of art. It is also collecting new troves of data on the people behind economic transactions, and making that data available to the public and law enforcement agencies.

The consequences for third-party oversight — and for the compliance programs that oversee third-party oversight — will be significant.

First, outside stakeholders will expect corporations to put all this new data to work.

For example, the Panama Papers exposed clandestine business relationships that were questionable at best, and many were solely devoted to tax avoidance or other illicit activity.

Previously, a company might have been able to claim that it didn’t know it played an unwitting role in that activity. That claim rings hollow if the ownership data of other parties is available for anyone to see.

Journalists, shareholder activists, anti-corruption groups — they’ll all be able to hold up a company’s business partners and transactions for scrutiny. In our social media age, that might result in swift, harsh judgments from the public (which might be inaccurate if the public doesn’t know all the facts).

More transparency is a good thing, but it heightens a company’s reputation risk. And few events alarm a board more than sudden, unexpected attacks on the company’s reputation.

Second, law enforcement will put this new data to work. Anti-corruption activists were disappointed that ownership data about trusts won’t be publicly available, but it will still be available to AML, tax, and anti-corruption authorities. Therefore a company’s enforcement risk will increase if it does business with suspected tax cheats, money-launderers, or persons on sanctions lists.

From a business perspective, then, the risk (and therefore the cost) of a lax approach to customer due diligence and third-party risk management will increase. The best way to avoid that risk will be improved customer due diligence that weeds out those risks before they infect the enterprise.

The challenge in the near term will be to measure the gap between what the company does now for customer due diligence, and what it should do in the future to address those heightened new risks. More documentation might be needed to satisfy regulators that the company is checking all ownership data other companies file.

The new risks might also lead to some strategic considerations: “Do we really want to keep working with this type of customer, or in this line of transaction, if the public will be watching?”

Without question, however, the risks are about to go up. Compliance functions will need to plan accordingly.


Eric Lochner (@ELochner1) is the President and CEO of global intelligence and software firm Steele Compliance Solutions, Inc. (@SteeleGlobal). Steele provides comprehensive third-party due diligence, software-as-a-service (SaaS) solutions that help organizations comply with regulatory third-party compliance requirements, and engaging compliance training. Eric has more than two decades of experience building successful global technology companies.

Steele’s Whitepaper, “Managing Third Parties in EMEA Countries,” can be requested here.
