The past few years have seen authorities seek to increase corporate transparency and accountability by introducing publicly accessible registers of beneficial ownership. This has been lauded as an important step in the fight against fraud and other threats to the integrity of the international financial system. A recent decision by the Court of Justice of the European Union (CJEU), however, restricting access to such information, will leave fraudsters rubbing their hands with glee.

Jon Felce

Jon Felce

In fraud cases, victims are often playing catch-up, trying to work out what precisely happened, the identity of the perpetrators and their accessories, and where the assets are. This has taken on a new dimension with the growth in cybercrime, where the fraudsters conceal identities or masquerade as others online and transfer assets into the ether. As such, obtaining information – and doing so quickly and cost-effectively – is key. Beneficial ownership registers – while not without their flaws – contain a treasure trove of useful material. Not only can they allow identification of corporate ownership structures, and therefore who owns what, but they can also provide useful data about individuals and their affiliates and whereabouts. The type of information available includes names, nationalities, countries of residence, dates of birth, the nature of corporate control and the size of the interest in the company.

Within the EU, the right to public access to such information was enshrined in an EU Directive. However, the CJEU’s ruling on 22 November, which followed two requests from the Luxembourg courts, has materially altered the landscape (Judgment of the Court (Grand Chamber) – WM and Sovim SA v Luxembourg Business Registers). Coincidentally, it was Luxembourg’s registers (rather than a documentary leak such as that which led to the Panama Papers) that provided the basis for the recent OpenLux investigation, where data concerning some 124,000 commercial companies registered in Luxembourg was interrogated.

The CJEU’s judgment found that permitting public access constituted a breach of articles 7 and 8 of the Charter of Fundamental Rights of the European Union, being a serious interference with the fundamental rights to respect for private life and to the protection of personal data. Following the decision, steps are already under way in Europe to restrict public access to national registers in jurisdictions such as Luxembourg and the Netherlands. The European Commission has since announced that it will analyse the implications of the judgment and work with co-legislators to ensure full compliance. It remains to be seen what access rights will look like as a result, and whether, for example, there will be a mechanism for parties who can demonstrate a legitimate interest to obtain access to data.

Thankfully, the position remains unaffected in the UK, which was one of the first countries to implement a public beneficial ownership register. Proposed legislative changes may enhance the position further, by mandating persons with significant control and company officers to verify their identity with the Registrar of Companies.

But where does this CJEU decision leave victims of fraud pursuing perpetrators from within the EU? The good news is that all is not lost. Fraudsters invariably make mistakes and do not always completely hide their tracks or conceal identities. There will always be information derived from the fraud itself that can be used against the fraudsters. That information can be supplemented by human intelligence. Meanwhile, public registers of beneficial ownership within the EU are not the only open source data that can be interrogated – there is a wealth of material available (including registers outside the EU unaffected by the ruling).

Perhaps most importantly, however, legal mechanisms are available to obtain information and documentation, a position strengthened by recent developments in England and Wales.

First, a landmark decision in 2017 entitled claimants to obtain relief against ‘persons unknown’ to support efforts to identify fraudsters and track the proceeds of a fraud.

Second, in early October 2022, the Civil Procedure Rules were amended in relation to claims and applications for disclosure in order to obtain information from third parties. The focus of the changes was information regarding the identity of a defendant or a potential defendant, and what has become of the property of a claimant or applicant. These are often crucial pieces of information in fraud cases, allowing victims to identity perpetrators and what has become of assets misappropriated from a victim. The amendments to domestic procedural rules now provide a gateway for the courts to grant permission for such claims to be served out of the jurisdiction on third parties. Interestingly, as an aside, while these types of application often require consideration of the balance between: (i) privacy and data protection rights (that is, the factors that lie behind the CJEU’s decision); and (ii) the public interest in allowing litigants to vindicate their legal rights, especially in cases of fraud, invariably when fraud is concerned courts do not consider the former to outweigh the latter.

Coupled with existing legal mechanisms for seeking information and documents, and mutual legal assistance provisions, there are plenty of options available to victims of fraud. So while the CJEU’s ruling is an unhelpful development and a regressive step in the fight against fraud, it is certainly not the end of the road for claimants.

 

Jon Felce is a partner at specialist disputes firm Cooke, Young & Keidan LLP, London