Today’s guest post, from Geoff Cook (the CEO of Jersey Finance), continues an ongoing debate an exchange we’ve been hosting here at GAB regarding the desirability of public (as opposed to confidential) registries of the ultimate beneficial owners (UBOs) of companies and other legal entities. This exchange was prompted by a piece that Martin Kenney, a lawyer specializing in asset recovery in the British Virgin Islands, published on the FCPA Blog, which criticized the UK’s decision to mandate that the 14 British Overseas Territories create public UBO registries. Mr. Kenney’s post prompted reactions from Rick Messick and from me. Our critical reactions stimulated another round of elaboration on the critique of the UK’s decision, with a new post from Mr. Kenney and another from Mr. Cook. I subsequently replied, explaining why I did not find Mr. Kenney’s or Mr. Cook’s criticisms fully persuasive. Mr. Kenney responded to that post earlier this month, and in today’s post Mr. Cook contributes his critical reactions to my response:

In the debate over public registries, Matthew Stephenson asks for more evidence that would indicate public registers are less effective than the verifiable system Jersey has adopted. I can turn to examples in the UK itself where only this year the government recognized the harm that can be done by disclosing the personal addresses of business directors. To combat the risk of identity fraud, the government is bringing in new legislation, expected to come into force this summer, which will permit company directors to replace their residential address with a company address.

Furthermore, I would contend that self-certification is an incentive for unsatisfactory completion of the information required, and the evidence we have from the UK would support this. There have been media reports indicating that hundreds of thousands of companies have failed to identify beneficial owners, there was the case of the 85-year-old woman who is apparently a founding director of more than 25,000 companies, while some criminals have actually written their occupation as “fraudster,” and over 4,000 companies have a registered beneficial owner under the age of two (see here, here, and here). Such revelations do not provide anyone with confidence in the effectiveness of a public system. As for prosecutions since public scrutiny, there has been one for deliberately filing false information which I believe was an attempt to show the weaknesses in the system.

It could be that the efficacy of public systems will improve in time, but so far the evidence proves otherwise, and the trouble is there is no serious debate on the issue. Instead, the assumption is made that if data is available online it must be a more effective way of catching criminals. Why should that be? Are Professor Stephenson and other supporters of public registers truly suggesting that media representatives and NGOS, with their various political agendas and prejudices, are better equipped to monitor and scan a registry of owner names than the experienced and interconnected law enforcement and intelligence agencies, alongside the specially trained regulators? These professionals know what they are looking for in detecting fraudulent activity and they can collaborate and compare data and do so without alerting criminals that they are under investigation.

If further evidence is needed that what we have is effective, look to the House of Commons review of the first six months of the enhanced exchange of information mechanisms introduced between the UK, the Crown Dependencies and selected Overseas Territories in 2017. MPs reported that on more than 70 occasions there had been enhanced law enforcement access to beneficial ownership data and it had been used “to enhance intelligence leads and investigations on illicit finance.”

Advocates of public registries also risk downplaying the risk of identity theft. Research has shown that almost 20% of victims of identity fraud are company directors, whereas only 9% of the population are directors. The publicly available information about company directors make them more vulnerable to this type of crime.

This site is proving valuable in providing an avenue where we can debate the issues properly, and I am not suggesting that there is not room for improvement in the standards of some of the current registries among international financial centers. For instance, not all jurisdictions have established a verification model for as long as Jersey has, there are still locations that permit anonymous shell companies, and I think everyone agrees that the US territories have a long way to go to reach acceptable standards. However, while there is much to do globally so we attain the highest standards across the board, the evidence that is emerging is that making them public is not the solution.

On the General Data Protection Regulation (GDPR) issue, Professor Stephenson misses the point. GDPR is a response to public concern over the extent of data privacy, its security, and how it is handled with a view that more protection is needed. Company information contained on a public register is still about individuals and their personal information and places yet more data in the public domain which is exactly opposite to the policy thinking behind GDPR.

I believe he is also taking an idealized position that all NGOs and others scouring public registers are doing so with the best intentions. These organizations are not always in control of their employees’ actions as recent events affecting charity organizations have shown. There is also an assumption that the information NGOs gather and publish from the registries is always in the public interest, when doing so may harm an individual’s reputation when he or she has done nothing wrong. This was evident during the release of data in the Panama and Paradise Papers episodes where individuals were named and a narrative formed to suit a populist agenda that criticized international financial centers, and yet relatively few prosecutions have been brought following the theft of data.