Skip to content

How to identify UBOs in an unpredictable world

Michael Rasmussen
Michael Rasmussen
GRC Economist and Pundit at GRC 20/20 Research, LLC

Business operates in a world of chaos, where relationship risk is ever present. What’s the secret to understanding and identifying ultimate beneficial owners?

The modern organization is an interconnected web of relationships and interactions that span traditional business boundaries. Complexity grows as these interconnected relationships and transactions layer themselves in intricacy.

In this context, organizations struggle to identify and govern their relationships with a growing awareness that they can face reputation and economic disaster by establishing or maintaining the wrong business relationships.

AML Directive in 60 seconds

When questions of business practice, ethics, and corruption arise, the organization is held accountable for the actions of those who they do business with, and it must ensure adequate due diligence has been done to ensure it is doing business with the right individuals and organizations.

This is particularly critical in the context of knowing the ultimate beneficial owner (UBO) in business relationships.

Poor visibility

The fragmented governance of relationships can lead organizations to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the relationships.

Silos of data leave the organization blind to intricate relationships of beneficiary exposure that fail to get aggregated and evaluated in the context of the overall relationship.

An ad hoc approach to relationship management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of the relationship.

Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in relationship management.

What further complicates this is the exponential effect of relationship risk on the organization.

Relationship risks

Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane.

A small event cascades, develops, and influences what ends up being a significant issue.

Dissociated data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of relationship performance, risk and compliance across the enterprise and how it supports the organization’s strategy and objectives.

The organization is constantly reacting to relationship risks appearing around them and fails to actively manage and understand the complexity inherent in relationships and nested relationships as to who really is the beneficiary in a transaction.

The organization needs to have holistic visibility and situational awareness in relationships.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual relationship (the tree) as well as the interconnectedness of relationships (the forest) to identify the UBO.

Risk in these relationships is non-linear.

They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all.

Failure to integrate

In a linear system, effect is proportional with cause. In the non-linear world of business, third party management risk is exponential. Business is chaos theory realized.

The small flutter of customer and third party risk exposure can bring down the organization.

If we fail to see the interconnections of risk on the non-linear world of business, the result is often unpredictable. For example, consider the following:

  • The recent Bahamas leakIs this likely to shed further light on the challenges associated with shell companies and UBO, in a very public manner?
  • Taiwan’s Mega Financial Holding Company fine. Several large banks were rocked when Taiwan’s Mega Financial Holding Co was fined US$180 million for violations that included lax attention to risk exposure in Panama. Could this have been avoided had they addressed UBO correctly?
  • The Financial Crimes Enforcement Network’s proposed customer due diligence rule. Similar to the Fourth Anti-money Laundering Directive, the US Treasury department has moved to strengthen the Bank Secrecy Act. Is there likely to be further regulation put in place or more enforcement placed on organizations?

Relationship management, particularly understanding and identifying UBOs, fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.

Trusted data

The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of relationship management information.

This is achieved by combining trusted data, human expertise and intuitive technology to develop an integrated Know Your Customer (KYC) or third party risk management program to govern relationships.

A successful process, information, and technology architecture for KYC or third party risk will be able to integrate information across internal business systems and external databases.

This requires a robust and adaptable information architecture that can model the complexity of customer and third party information, transactions, interactions, relationship, cause and effect, and analysis of information.

An abandoned department store is seen flooded in Bangkok January 13, 2015. Staff from Bangkok Metropolitan Administration (BMA) office were catching fish on Tuesday at the ground floor of the roofless New World department store that was closed down in 1997. Thousands of fish such as catfishes, fancy carps as well as black and red tilapias were released into the ground floor of the building, flooded with rainwater, as local vendors tried to control mosquitoes in the area, local media reported. BMA recently decided to remove the fish and release the water. REUTERS/Chaiwat Subprasom (THAILAND - Tags: SOCIETY) - RTR4L7VE
Photographer: Chaiwat Subprasom

Some core technical capabilities that organizations should consider in a KYC and third party management platform are:

  • Internal integration. Customer and third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization — procurement systems, spend analytics, enterprise resource planning, and governance, risk and compliance.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with knowledge/content providers and adapts with technology solutions which rapidly assess changing regulations, risks, industry and geopolitical events.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. There should be standardized formats for measuring business impact, risk and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with customer and third party relationships in context of performance, risk, and compliance.

Avoid the risks of entering a contract or business relationship without full knowledge of past or present Ultimate Beneficial Ownership