Subjects and targets of sanctions
When legislating for sanctions, policy makers and implementers should consider who should be the subject or target of the BOT sanctions. There are relative merits to applying sanctions against various parties associated with a legal entity as well as the legal entity itself. However, there should be sanctions against all these parties to ensure that offending actors cannot claim plausible deniability or transfer liability to a single actor, and to widen the pool of actors that have an interest in ensuring compliance, maximising deterrence. As a general principle, it is important to ensure that sanctions are available against both the natural persons (the beneficial owner, the person making the declaration, and registered officers of the company) and the legal entity (the company making the declaration) to ensure that the deterrent effect of sanctions applies to all the key actors involved in the declaration.
To incentivise compliance from the beneficial owner(s) and to ensure that they cooperate with the legal entity in accurately providing the required information for BO disclosure, it is important to include beneficial owners within the BO sanctions regime. This is an approach that has been adopted by the AMLD5, which requires member countries to impose an obligation on beneficial owners to provide the legal entity with all the necessary information which the legal entity requires to comply with the BO disclosure regime and to apply “effective, proportionate, and dissuasive” measures or sanctions in cases where this obligation is breached by the beneficial owner. If a nominee has been intentionally declared as the beneficial owner, rather than the actual beneficial owner, sanctions could extend to the nominee. Sanctions should only be applied if the person was complicit, and this was done with knowledge and intent; for example if the person has voluntarily and knowingly done this as a service in exchange for payment. However, if there is evidence that an individual was not informed or was coerced into serving as a nominee, sanctions may not be applicable.
Provisions applying sanctions against beneficial owners can be found in the BO disclosure regimes of a number of countries within the EU, including Austria, Luxembourg, and Poland, as well as in the UK. The type of sanctions that are, or should be, applied against beneficial owners include:
In Luxembourg, a financial sanction of up to EUR 1,250,000 (approximately USD 1,370,000) can be imposed on a beneficial owner in the case of their non-disclosure of information or documents to the registered entity, that the entity may need to fulfil its BO disclosure obligations under the law.
These include, for instance, subjecting the shares or rights of the beneficial owner to restrictions, such as suspending the payment of dividends or voting rights (as in India, Poland, and the UK). A provision that gives companies the power to impose sanctions on beneficial owners for their failure to provide information or for providing false information can be incorporated within relevant BO disclosure laws.
Depending upon their legal system, implementers also need to determine whether a company could reach this decision internally by passing a resolution, or whether it needs to apply to the court for such an order. In the UK, for instance, the effects of a “restrictions notice” on beneficial owners’ rights are set out in the Register of People with Significant Control Regulations 2016 and Companies Act 2006, which can be triggered by the company without an express provision in the company’s articles. Under the UK law, a company may issue a restrictions notice to the beneficial owner, which has the effect of freezing that person’s relevant interest (their shares, voting rights, or board appointment rights) in a company, if the beneficial owner has failed to respond to two requests from the company to provide the relevant BO information. Implementers should ensure that a company cannot evade liability by simply declaring their BOs to be uncooperative, and the effectiveness of these sanctions will depend on how they combine with other sanctions, including against the legal entity.
It should be noted that non-financial sanctions may be effective against a beneficial owner where they have an ownership stake in the entity in question, and where the company has an incentive to self-regulate. They will have little impact where the company is a shell company set up wholly for unlawful activities, or where the beneficial owner exercises de facto control over the entity that does not involve formal ownership.
Similar provisions can be found in the US banking legislation which are imposed on “institution-affiliated parties”, who are administratively removed from their positions by the bank supervisory authorities in cases of serious violations of the banking legislation.[E] Effective enforceability of these sanctions is limited to regulated industries. Another approach, similar to the one taken by Hungary (see Box 3), could also be useful if the beneficial owner has failed to provide the necessary BO information required to be disclosed on the centralised register. In addition to applying sanctions against the beneficial owners, it is recommended to also declare or flag such a company as “uncertain” or “unreliable” in the BO register for the competent authorities and reporting entities to take note of such a non-disclosure and apply appropriate due diligence checks and measures accordingly. If such information is disclosed to the reporting entities as a part of their CDD process, they should notify it to the register. This creates an incentive for the legal entity to self-regulate and mitigate potential reputational consequences.
Box 3. “Uncertain” and “unreliable” legal entities in Hungary 
Under Hungary’s Act XLIII of 2021 (also called the Ultimate Beneficial Owners’ (UBO) Register Act or the Afad act), which came into force on 22 May 2021, legal entities are assessed on a ten-point reliability index called the TT index. Each legal entity starts with ten points. If an authority, public prosecutor, court, or other reporting entity under the AML/CFT Act detects a material discrepancy between the data it knows and the data uploaded to the central BO register, it may notify the National Tax and Customs Administration of Hungary, which is the responsible authority for maintaining the BO register.
The tax administration will amend the legal entity’s TT index based on this notification. Depending on who the notification is submitted by (a competent authority or by another service provider), the legal entity’s TT index will be reduced by two or one points. A legal entity with a TT index below eight will be labelled “uncertain”, or “unreliable” if it drops below six. Following a change, legal entities will be notified and will have a five-day grace period to amend the data.
The UBO Register Act does not cover monetary sanctions for “uncertain” or “unreliable” legal entities, but it does include other sanctions. These include:
- First, the names of legal entities labelled as “unreliable” will be published on the tax administration’s website. Legal entities labelled as “uncertain” will be published after 180 days, unless the legal entities regain their ten-point TT index in the meantime by duly updating their data.
- Second, all reporting entities under the AML/CFT act (including lawyers, banks, and domiciliary service providers) are banned from facilitating transactions exceeding HUF 4.5 million (approximately USD 13,000) with an “unreliable” client due to their high money laundering risk.
In the UK, for instance, failure to provide information by a beneficial owner is a criminal offence punishable by two years’ imprisonment, a fine, or both. In France, Ordinance 2020-115 also provides that a beneficial owner who fails to provide the legal entity with the required information within the prescribed time limits, or provides inaccurate or incomplete information, shall be liable for criminal sanctions i.e., six months’ imprisonment and a fine of EUR 7,500 (approximately USD 8,200). A similar approach has also been proposed by the US, where the breach of BO obligations under the Corporate Transparency Act could result in a fine of USD 10,000 and imprisonment for up to two years.
A declaring person discloses or declares the necessary BO information to the register. Such a declaring person may be an individual or a DNFBP, depending upon the law. A declaring person can be a beneficial owner themselves, but in many instances, they may also be a company advisor (such as a lawyer, auditor, or consultant) or a notary who is required, in some countries, to certify the accuracy of the BO information submitted to the register.
To ensure BO information is made available and updated in an accurate and timely manner, various international standards require legal entities to authorise one or more natural persons who are residents of the country, or a DNFBP, to provide the required BO information. In compliance with these standards, many jurisdictions require that there is an authorised person who is a resident in the jurisdiction who will be responsible to disclose the necessary BO information to the register. Such an approach is recognised to be particularly useful for ensuring compliance by foreign legal entities with the BO disclosure regime, particularly in terms of enforcement. Nonetheless, to make the disclosures more effective, it is also important that sanctions be applied against these authorised or declaring persons, including the company’s representatives, holding them personally liable for noncompliance with the BO disclosure requirements.
However, in the case of the involvement of third parties (such as lawyers, accountants, and notaries) in disclosing the required BO information, a question often arises as to the liability of a third party if it is not aware of having received false or misleading BO information before providing it to the register. Some countries, such as Slovakia, specifically hold third parties liable for information accuracy as a means of verification (see Box 4). By contrast, in Ukraine, notaries were reportedly against such a system, as they did not want to be held liable and sanctioned for submitting false information provided to them by legal entities, who they believed would make it difficult for them to establish whether the information was accurate or not.
To avoid such potential situations, it is important that the law incorporates some preconditions on third-party submissions of the BO information to ensure the effectiveness of sanctions. For instance, in the case of DNFBPs, since they are the entities obliged in the majority of jurisdictions under the AML/CFT framework to submit this information, they are required to carry out proper due diligence on their customers, including verifying the information provided to them based on reliable and independent documents. Such preconditions should also be incorporated in the relevant BO disclosure regime to ensure that the declaring person undertakes all the necessary BO due diligence checks to verify the accuracy of the BO information before submitting it to the register. If a third party has been found to be in breach of these due diligence checks, resulting in the breach of BO disclosure obligations (for example, the submission of inaccurate, false, or misleading information), they should be held liable for sanctions. Sanctions should also be imposed if they knowingly or recklessly facilitate the submission of false or misleading information to the register.
Box 4. Third-party liability in Slovakia 
In Slovakia, the BO information on the Register of Public Sector Partners is required to be filed by an authorised person, which may include a lawyer, notary, auditor, or tax advisor. Under Section 5(6) of the Law on the Register of Public Sector Partners, it is the obligation of an authorised person to provide true and complete information in the application for registration of BO data on the register. The law also obliges an authorised person to notify the registrar within 60 days of the date when any changes have occurred to the BO data and to update the BO information and submit a verification document (Section 9). Section 11(1) of the law clearly states that:
… the public sector partner and the authorised person shall be responsible for the accuracy of the data entered in the register, the identification of the beneficial owners and the verification of the identification of the beneficial owner.
Under Section 13 of the Law on the Register of Public Sector Partners, an authorised person shall also be held liable to pay the fine imposed on the legal entity for the provision of false or incomplete BO information in the register unless such an authorised person proves that they have acted with professional care. The authorised person shall also be a party to the proceedings for a financial fine imposed on the legal entity.
Box 5. Provisions on third-party obligations and liability in Denmark 
In Denmark, when a company is established, the business register requires confirmation from third parties such as a lawyer, auditor, or bank that the required capital has been fully paid. This means that parties subject to AML/CFT obligations and required to perform CDD checks are most often involved in a company’s incorporation.
Individuals or entities that are creating or managing legal persons in the CVR are required to use a special form of ID (NemID), and are required to sign an electronic declaration stating that the information entered into the CVR is correct. NemID is issued by a government agency, and leaves an electronic footprint with digital information about the person registering that the Danish Business Authority (DBA) can use for the purposes of verification. NemID is also used as a secure internet login for other purposes, such as procuring information from public authorities and online banking.
To ensure that the officers of a company take necessary steps to provide adequate, accurate, and up-to-date BO information on the register, it is important that company officers are also covered within the BO sanctions regime. Here, the question might arise as to who qualifies as a company officer. Usually, this includes company directors [F], executives, and management. In Denmark, for instance, if the company does not register the BO information or provide it to the competent authorities, the company and its management have committed a criminal offence. A similar provision can also be found in France, where the managers of a company can be held liable for criminal penalties (six months’ imprisonment and a fine of EUR 7,500, or approximately USD 8,200) or even banned from being involved in the management of companies, for noncompliance with BO disclosure requirements.
In Belgium, if a company fails to comply with the BO reporting requirements, a criminal fine of between EUR 50 and EUR 5,000 (approximately USD 55-USD 5,500 which could be multiplied 8 times) is applicable to directors, and an administrative fine of between EUR 250 and EUR 50,000 (approximately USD 275-USD 60,300) is applicable to those responsible for the infringement: directors, members of statutory board, the executive committee, and persons participating in the effective management. Jurisdictions should consider including sanctions against the company officers as part of a comprehensive sanctions regime.
In the majority of jurisdictions, the legislation commonly provides for liability of, and sanctions against, legal entities for breaches of the BO disclosure regime. However, these sanctions are often limited to non-criminal financial and non-financial sanctions.
Imposing corporate criminal liability is not a common feature in the majority of jurisdictions, for applying such a sanction depends largely upon the legal system of the jurisdiction and varies from country to country. In the UK and the US, for instance, corporate criminal liability normally arises in the regulation of corruption and money laundering, whatever the predicate offence. In the UK, it is a criminal offence for a company to disclose false information about their beneficial owners. This is punishable by two years’ imprisonment (with the directors also being criminally liable, as mentioned above). Similarly, Section 7 of the UK Bribery Act 2010 also establishes it as an offence for a company to not take adequate measures to prevent bribery.
However, the constitutional appropriateness of imposing corporate criminal liability is an issue of major debate, especially in civil law countries, where great emphasis has been placed upon the inability of inanimate actors such as legal entities to have intent, meaning that they cannot be held responsible. Nevertheless, some civil law countries, such as Belgium, Denmark, France, and the Netherlands, have also adopted corporate criminal liability, demonstrating to an extent that it is clearly not a constitutional concomitant of the civil code. However, as stated earlier, imposing criminal corporate liability might not work for all countries, depending entirely upon each country’s legal system.
[E] U.S. Federal Deposit Insurance Act, section 8(e). An “institution-affiliated party” includes, among others, a controlling person of a bank, roughly the equivalent of a beneficial owner under the FATF Standards.
[F] In the UK, even a shadow director is required to be treated as an officer of the company.