Month: October 2023

The greatest inventions that have revolutionized the way we live, work and do business have originated from the minds of people. It all starts in the mind as an intangible idea. With rising competition, organizations are developing innovative strategies to develop more business and attract investments. The value of intangible assets (a non- physical asset such as patents, trademarks, copyrights, industrial designs and trade secrets etc. that a company owns) are increasingly proving to be game changers in business competitiveness and growth.

It is important for businesses and startups in particular, to recognize intellectual property (IP) as a valuable corporate asset. However, as an intangible asset, steps must be taken to protect such asset to mitigate the potential risks associated with unauthorized use within domestic and international markets. Generally, IP refers to creations of the mind such as inventions, literary and artistic works, designs and symbols, names and images used in commerce. Regardless of size and sector, a business loses the immense potential of its innovation and ideas, if it fails or neglects to protect its innovations.

Startups drive real innovation and growth, new products, services and solutions that can propel business growth and ultimately economic growth and development. As is to be expected, startups invest their energy in the first few years on gaining credibility with their target market and seeking additional capital and investments to grow their business. Innovative ideas of startups require resources for its development. However, in the quest to seek funding, startups risk disclosing ideas to investors without the required protection. This is attributable to the fear that, hesitation to disclose may lead to loss of interest of investors. Due to this fear, startups thus end up disclosing without required protections. Whilst new businesses navigate the challenges of starting a new enterprise, they must not be oblivious to the need to protect their IP assets.  Big organizations such as Apple, Samsung, Microsoft, Metro-Goldwyn-Mayer and Google spend huge amounts of money in research and development and ensure that their inventions, literary works, applications, designs, images etc. are legally protected (to gain maximum value from their creations). Established organizations, therefore, unlike startups do not face the same challenges in protecting their intellectual property rights (IPR) as startups.

This article discusses the importance of IPR protection for startups, the modes for the protection of IPRs in Ghana, enforcement of IPRs and the strategies that a startup can adopt for the protection of their IPRs.

Importance of Protecting IPRs for Startups

The success of Ghanaian startups depends on their ability to protect their IP assets. Though protection of IP in Ghana at the initial stages of an organization’s life may involve time and costs, the future benefits are numerous. For startups to scale up and commercialize their ideas, protection to gain IPRs is key for a number of reasons including:

• Protection against infringement of their IPRs
• Safeguards against exploitation by potential investors.
• Competitive advantage when market share translates into brand reputation and increased income.
• Leverage in negotiations with potential investors.
• Sale, lease, assignment or transfer for value.
• Realization through valuation of assets of the company in the event of acquisition

Protection of Intangible Assets in Ghana

Generally, ideas cannot be successfully commercialized if not legally protected. Where an IPR can be used by anyone and everyone, there will be no need to pay the originators of the idea. It is for this reason that IPRs are deemed to be assets or properties of the originator. Under Ghana’s IP laws, IPRs may be acquired specifically for the following categories of intangible assets:

1. Inventions (patents) – Patent can be a design, process, an improvement or physical invention that provides a new way of doing things. Technology and software companies often have patents for their designs. An example is Alan Emtage’s, creation of the world’s first search engine which provided a solution to easy access to information. Also, IBM’s invention of the smartphone, the portable device that combines mobile telephone and computing functions into one unit enabled a new way of doing things.
2. Cultural, artistic and literary works (copyright)- this provides authors and creators of original material the exclusive right to use, copy or duplicate their material. For example, one of Africa’s prominent writers, Ama Ata Aidoo whose works comprise of plays, novels, short stories, poetry and essays has her works copyrighted and only grants limited access for research or for study.
3. Symbols, names and images used in commerce (trademarks)- This protects business names, logo, shape, slogan, image, color etc. of goods and services that distinguish it from the goods and services of others. Trademarks are often associated with a company’s brand. For example, the logo and brand of “Coca Cola” is owned by the Coca Cola Company.
4. Trade secrets- It involves a company’s process or practice that is not public information which affords a business a competitive edge. These are typically the result of a company’s research and development. It could be in the form of a design, pattern, recipe (think of Burger King or KFC), formula or proprietary process.
5. Unique designs for commercial use (industrial designs)-This focuses on the physical appearance and functionality of the product including textile which is a product of industry or handicrafts
6. Geographical indications- these are products that are synonymous with certain locations for their quality. For example, the cloth weaving patterns of Kente which are unique and attributed to the Akans and Ewes. The traditional smocks associated with people in the northern part of Ghana, shea butter (with medicinal benefits), handicrafts such as beads by the Krobos and the local baskets and hats from the North.

There are specific legislation in Ghana protecting each IP. These include the Copyright Act, 2005 (Act 690) which protects copyrights in Ghana. The Industrial Designs Act, 2003 (Act 660) for the protection of industrial designs. Patent Act, 2003 (Act 657), for the protection of inventions and the Trademarks Act, 2004 (Act 664) for the protection of trademarks. In addition, there is the Protection Against Unfair Competition Act, 2000 (Act 589) which regulates and sanctions persons causing confusion with respect to another’s enterprise or its activities, damaging another person’s goodwill or reputation, misleading the public, discrediting another person’s enterprise or its activities, unfair competition in respect of secret information, and unfair competition in respect of national and international obligations.

For obtaining protection for each IPR, there are requirements under the specific laws that must be complied with.

Some of the Strategies to be Adopted by Startups for the Protection of IPRs

• Initial Step

As a first step, startups must protect their ideas. While they may be excited about the prospects of partnerships and investors, prudence is key. Prior to disclosing an idea to third parties, these must be considered:

• physically ensuring that the idea is kept safe from unauthorized access
• where disclosure is required, that there is first, some due diligence on the recipients of the IP information and where the outcome of the due diligence is positive that there is a confidentiality or non-disclosure agreement in place which must restrict the use of information disclosed.

 

• Registrations

Startups should register their ideas with the relevant statutory entities to provide protection from infringement. For example, it is necessary to recognize that, although we live in a globalized world, the registration of some ideas like trademarks are territorial. According to the principle of territoriality, intellectual property rights are limited to the territory of the country where they have been granted. This is despite increased globalization and the ease with which products protected by IPRs can cross national borders as a result of technological advancements. It is therefore important for Ghanaian startups to register their trademarks in Ghana and other key jurisdictions.

Additionally, since Ghana is a member of ARIPO, an IP protection may be obtained in other ARIPO member states by filing a registration application through ARIPO and designating any member state to protect your IP rights.

 

• Contractual Protection

Startups may seek to protect their IP through well drafted legal contracts which must include the following:

• ownership and use of the IP rights
• monitoring mechanism to ensure compliance with rights of use
• restriction of IP access to essential parties, contractors or supply chain partners
• prohibition of unauthorized use or copies of IP, e.g., on devices, shared network drives etc.

 

Enforceability of IP Rights

Under Ghanaian law, there are civil and criminal sanctions for the infringement of IPRs. Additionally, Ghana is a signatory to international treaties/protocols for the protection of IP including the World Intellectual Property Organization (WIPO) and a signatory to certain WIPO-administered treaties, the Berne Convention for the Protection of Literary & Artistic Works and the Paris Convention for the Protection of Industrial Property. These international treaties afford additional rights for persons (from member states) whose IPRs are infringed.

 

Conclusion

People will always try to replicate a unique idea for their own commercial gains. In Ghana, even protected ideas are replicated illegally, as such, failure to protect an idea only opens a floodgate. Hence, before any third party infringes on a startups IPR, it is very important for the startup to protect their IP. Startups must therefore prioritize the need to protect their IP assets to position them well for any potential merger or acquisition, a valuation of their company, or a dispute on the ownership, use or infringement of their IPR. IPRs can be protected irrespective of the kind and size of the business. Consequently, after evaluating the business needs and circumstances, appropriate action for IP protection must be taken. It is crucial to note that, it is the complete responsibility of the proprietor to protect its IP from infringement.

The competitiveness of the business environment requires investment in research and development. To fully utilize innovations from research and development, organizations must recognize the proprietary nature of their ideas, take necessary actions to protect such IP and aggressively enforce unauthorized use or any infringement of their IPR.

The rise of the information age has forced businesses to re-evaluate their modes of carrying on business with a key shift in advertising. Advertising is no longer the dominant way to pay for information and culture. What previously was the purview of corporate logic has been replaced by algorithms and informational architecture meant to create a personalised experience for the user. In the heightened noise of marketing, with all fighting for the user’s attention, the temptation to directly engage the user with a targeted and personal advertisement is understandable, yet such engagement often comes at the risk of violating the user’s right to privacy. In this article, we explore ways through which a business can navigate these murky waters and strike a balance between respecting a customer’s right to privacy whilst creating an effective and satisfactory user experience through direct marketing.

 

Direct Digital Marketing: The Basics

Hamman and Papaodulos define direct digital marketing (DDM) as a system of marketing where the marketer communicates directly with the intended customer over a medium, with the expectation that such interaction will elicit a measured response, often positive. Whereas traditional direct marketing can take various forms such as the use of fliers, DDM involves the use of a digital medium such as a mobile phone, e-mail, television, or web-based platforms for the direct or indirect purpose of promoting a good or a service. Practically, this can take the form of Short Message Services (SMS) alerts sent to a person informing them of the latest offers in a particular restaurant or email alerts notifying a user of an ongoing promotion in a department store.

 

In Kenya, an attempt to codify the meaning of DDM has been made under regulation 13 of the Draft Data Protection (General) Regulations, 2021 (the Draft Regulations) which are still under consideration. Regulation 13 stipulates that a data processor or controller will be deemed to have used data for commercial purposes where they send a catalogue through any medium which addresses a data subject; display an advertisement on an online media site where a data subject is logged on using their personal data relating to the website the data subject has viewed – this includes the use of data collected by cookies to target users; send an electronic message to a data subject about a sale or other advertising material relating to a sale, using personal data provided by a data subject.

 

The foregoing definition of DDM casts a wide net as to the possible forms of DDM that may be used by advertisers in marketing. This includes covert methods of targeting audiences such as the use of cookies and data analytics to determine the age, gender and sites visited by a data subject for the purposes of determining which forms of advertisements should be displayed to the user, as well as overt methods such as the use of SMS to target a data subject.

 

It is critical to note that under the Draft Regulations, a person will not be considered to have utilised a data subject’s personal data for DDM purposes, where the personal data is not used or disclosed to identify or target particular recipients. For instance, the use of data analytics by a data processor or controller for the purposes of estimating the content most viewed by users, or the resources a user sought when using an organisation’s website, would not qualify as DDM. However, should the organisation proceed to either use personal data collected from an analytical review of their website, such as one’s age and gender to then target the user during their next visit to the organisation’s website or to sell that data to an advertiser, then such use would effectively qualify as DDM thus calling for the application of the Data Protection Act, 2019 (DPA).

 

The Risk

For DDM to be successful, marketers need to address a target audience. To accomplish this, marketers will ordinarily require large volumes of personal data thus the crux of direct marketing. This is premised on the fact that most of the data sought by marketers is often of a personal nature such as details of a person’s name, age, gender, residence, purchase habits or preferences. In most instances, this data is likely to be collected from a consumer’s interaction with the concerned entity or platform. DDM may however present a risk to a marketer, where the marketer obtains a consumer’s personal data without their consent. An example would be the collection of one’s phone number by a hotel while booking one’s accommodation where the hotel uses such information to send promotional messages on their discounted rates, without disclosing to the customer that they intended to use the customer’s phone number for that purpose. As innocuous as such collection, storage and subsequent use might seem, it presents a real legal risk to the enterprise. To begin with, such collection would be a violation of a data subject’s rights under section 26 (1) (a) of the DPA which provides that a data subject has the right to be informed of the use to which their personal data is to be put. Further, these actions would constitute a violation of section 30 (1) of the DPA which prohibits the processing of a data subject’s personal data without their consent. In addition to this, the resultant storage and use of a customer’s data in the example above would be in further breach of the DPA which prohibits the use and storage of personal data without obtaining a data subject’s consent. As such, the enterprise is likely to incur liability for breaching the user’s right to privacy thereby exposing the business to the risk of lawsuits and regulatory fines. The unlawful disclosure of personal data constitutes an offence under the section 72 (1) of the DPA and upon conviction, one would be liable to a fine not exceeding KES 3,000,000 (USD 30,000) or to a term of imprisonment not exceeding ten (10) years or both.

 

Solutions

1. Obtain consent

Businesses that intend to adopt a DDM strategy should obtain consent from their intended audience before carrying out any advertising campaign. This obligation is founded on the provisions of section 30 (1) of the DPA which imposes the obligation to obtain a data subject’s consent before processing any data upon a data controller or data processor. The above position is further bolstered by the provisions of regulation 14 (1) of the Draft Regulations which sets out the instances in which commercial use of personal data other than sensitive data may be permitted.

 

Under regulation 14 (1), a data controller or processor would be permitted to use personal data if they meet five (5) conditions. Firstly, the data controller or processor must have collected the personal data sought to be used from the data subject. Secondly, the data subject must be notified that direct marketing is one of the purposes for which the data has been collected. Additionally, the data subject must have consented to such use of their personal data. Further, the data controller or processor must provide an opt-out mechanism for the data subject to not receive the DDM communications.

 

Generally, opt-out mechanisms allow a data subject to withdraw their consent from the use of their personal data in DDM. Practically, this may be in the form of an unsubscribe button. To effect this, regulation 15 (1) of the Draft Regulations prescribes the features that should accompany an opt-out mechanism. First, opt-out mechanisms must have a visible, clear, and easily understandable explanation of how to opt-out, such as instructions written in simple language and in a font size that is easy to read. Also, opt-out mechanisms must use a simplified process for opting-out that requires minimal time and effort. In addition, opt-out mechanisms must provide a direct and accessible communication channel and be free or involve not more than a nominal cost to a data subject. Finally, the data subject must have not made an opt-out request at the time of the collection, use and/or processing of the data.

 

1. Use the data obtained for a limited purpose

The obligations of a business entity are not strictly limited to lawfully obtaining data. A business must also ensure that they use the data obtained for the purpose for which it was acquired. Where the initial purpose for which personal data was obtained changes, a data controller may still use the data, subject to obtaining consent from the data subject for the changed use. This is in line with regulation 5 (3) of the Draft Regulations which provides that where the data controller or processor intends to use personal data for a new purpose, it shall ensure that the new purpose is compatible with the initial purpose. For instance, if a business collects a customer’s phone number for the purposes of determining whether payment made through a mobile money payment platform has been effected, the same number should not be used to send out promotional messages. To use such data for a purpose which is not intrinsic to the root purpose would constitute a violation of the data subject’s rights under section 26 of the DPA.

 

1. Respect the data subject’s rights

A data subject has a right under section 26 (c) of the DPA to object to the processing of their personal data. Examples of this include the sending of SMSs to specific codes calling for the cessation of promotional marketing messages or the clicking of an unsubscribe button on email marketing. It is critical to note that once a customer has objected to the processing of their data, then, any subsequent use of such data becomes unlawful, and the marketer runs the risk of incurring liability for such use. For this reason, once a customer objects to the use and or processing of their data, a business is obliged to comply with the same and cannot continue to use the customer’s data.

 

1. Adopt data protection by design in devising DDM Strategies

The use of DDM as a marketing strategy involves the collection and subsequent storage of data. Therefore, a business which seeks to adopt DDM must at the very core ensure that its technical and organisational measures are designed at all times to implement the data protection principles in an effective manner and integrate necessary safeguards for the purposes of processing. The above obligation is consistent with the provisions of section 41 (2) of the DPA, which mandates data processors and data controllers to adopt technical and operational measures that implement the data protection principles at the time of determining the means of processing the data and at the time of processing data. Failure to adopt technical and organisational measures that ensure data protection by design, may expose the business to a data breach and potential legal liability. It is thus important for a business to ensure that the technical and operational measures adopted comply with this principle.

 

1. Notify the data subject in case of breach

If a data breach occurs, the business must first notify the data subject of the breach, the nature of data lost, and the intended remedial action taken up to prevent further loss of data. This obligation is imposed by section 43 (1) (b) of the DPA which mandates a data controller to notify a data subject of any unauthorised access or risk of unauthorised access to the data subject within forty-eight (48) hours. Such notification not only serves to alert the data subject of the expected loss of personal data, but also allows the data subject to take on remedial actions as an end-user such as changing or updating their credentials, which can stave off the worst of attacks.

 

In conclusion, the use of DDM, whilst a viable and useful method of reaching and engaging with one’s clientele, is often laden with the risk of violating a customer’s right to privacy. To avoid such risk, businesses are advised to adopt a DDM strategy that is alive to the target’s right to privacy and data protection duties and obligations.

Bruce Schneir, an American privacy specialist and computer security professional, famously stated that “data is the pollution problem of the information age and protecting privacy is the environmental challenge”. In Kenya, the Data Protection Act, 2019 (the Act) provides an elaborate regime for dealing with the “environmental challenge” that is protection of data through inter alia the establishment of the Office of the Data Protection Commissioner (ODPC), which is primarily tasked with overseeing implementation of the Act and comprises of the Data Protection Commissioner (DPC) and other staff appointed by the DPC.

To this end, the ODPC has, in conjunction with the Cabinet Secretary for matters relating to information communications and technology, promulgated the Data Protection (Compliance and Enforcement) Regulations, 2021 (the Regulations), which will come into effect on 14th July 2022.

In this article, we set out an overview of the compliance and complaint handling mechanisms under the Act and the Regulations, and we also highlight the consequences of non-compliance

Functions of the ODPC

The functions of the ODPC are contained in section 8 of the Act and include receiving and investigating any complaint by any person on the infringement of rights and obligations set out under the Act. Section 9 (1) of the Act gives the DPC wide powers to superintend compliance with the Act, including powers to conduct investigations; facilitate conciliation, mediation, and negotiation on disputes; issue summons to witnesses for purposes of investigation; and to impose administrative fines for failure to comply with the Act.

Lodging Complaints

Pursuant to section 56 (1) of the Act, a data subject who is aggrieved by the decision of any person pertaining to the Act, can make a com- plaint to the DPC. Subsection 2 as augmented by Rule 4 (1) of the Regulations permits lodging of complaints either orally or in writing through electronic means, including by email, web posting, complaint management information systems, or by other appropriate means. The DPC is required to reduce a complaint made orally to writing.

Pursuant to Rule 4(3) of the Regulations, a complaint can be lodged in person, by a person acting on behalf of the complainant, or by any other person authorized by law to act on behalf of a data subject (such as an Advocate, an agent or anonymously). Once a complaint is received, the DPC is required to conduct a preliminary review upon which the ODPC may either admit the complaint, advise that the matter is not within its mandate, advise that the matter lies for determination by another body or institution and refer the complainant to that body or institution, or alternatively decline to admit the complaint altogether where the same does not raise any issue under the Act.

The various avenues through which a complaint may be lodged, coupled with the fact that there is no cost implication for lodging a com- plaint, conforms the process to the dictates of the right of access to jus- tice as enshrined under Article 48 of the Constitution of Kenya, 2010.

This is further buttressed by section 56 (5) of the Act which provides for an expeditious ninety (90) day period within which the DPC must investigate and make a determination on complaints made to it.

Admission and Investigation of Complaints

Rule 6 (4) of the Regulations provides that where a complaint is admit- ted, the DPC may either conduct an inquiry into the complaint; con- duct investigations; facilitate mediation, conciliation, or negotiation; or use any other mechanism to resolve the complaint. In this regard, the ODPC has recently published a draft Alternative Dispute Resolution (ADR) Framework which is currently at the public participation stage, and which are ultimately aimed at codifying the ADR processes con- templated under the Act.

Rule 11 of the Regulations requires the DPC to, upon admission of a complaint, notify the respondent of the same within fourteen (14) days so as to give the respondent a chance to either respond to the allegations against them; resolve the complaint made in a manner that is satisfactory to the complainant; or make representations and submit evidence relevant to support their representations. Where a respondent fails to act on the complaint against them, the DPC will proceed to determine the complaint without any responses thereto. However, the DPC re- serves the right to discontinue a complaint where the same does not merit further consideration or where a complainant refuses, fails or neglects to communicate further without justifiable cause. A complainant is also at liberty to withdraw the complaint before its determination. Section 57 of the Act, taken in conjunction with Rule 13 (1) of the Regulations, gives the DPC discretion to conduct investigations, issue summons requiring attendance of any person at a specified time and place for examination, administer an oath or affirmation on any person during proceedings, require any person to produce any document or information and upon obtaining warrants from the Court, enter into  any establishment or premises to conduct a search and may seize any material relevant to the investigation. Upon the conclusion of the investigations, the DPC is then required to make a determination based on findings thereof. Under Rule 14 (2) of the Regulations, the said determination should be in writing and should state, among others, the remedy to which the complainant is entitled. The remedies contemplated include issuance of an enforcement notice to the respondent, issuance of a penalty notice imposing an administrative fine in case of non-compliance, dismissal of the complaint where it lacks merit, recommendation for prosecution, or an order for compensation to the complainant by the respondent.

Enforcement Notices

In case of failure to comply with the Act, section 58 empowers the DPC to serve an enforcement notice requiring the recipient to take certain defined steps within a period of time specified within the notice itself. The enforcement notice must clearly indicate what provision of the Act has been or is likely to be contravened; what steps the recipient can take to address the actual or potential contravention of the Act; the time- frame within which the recipient is to implement the remedial steps; and any right of appeal available to the recipient. An appeal against a decision arising out of the enforcement notice may be made to the High Court within thirty (30) days from service of the notice.

Section 9 (1) of the Act gives the DPC wide powers to superintend compliance with the Act, including powers to conduct investigations; facilitate conciliation, mediation and negotiation on disputes; issue summons to witnesses for purposes of investigation; and to impose administrative fines for failure to comply with the Act.

Failure to comply with an enforcement notice constitutes an offence and upon conviction one is liable to a fine not exceeding KES. 5,000,000, or to imprisonment for a term not exceeding two (2) years, or to both. Further, the obstruction of the DPC in relation to the exercise of her functions under the Act attracts criminal liability and sanctions.

 

Penalty Notices, Administrative Fines and Compensation

In case of failure or likelihood of failure to comply with an enforcement notice, the DPC may issue a penalty notice requiring the person in de-fault to pay the ODPC an amount specified under the penalty notice. A penalty notice is to be issued for each breach identified in the enforcement notice and shall contain, among others, an administrative fine im- posed as contemplated under section 63 of the Act. Section 63 of the Act prescribes the administrative fine payable under a penalty notice as not more than KES. 5,000,000 or in the case of an enterprise, up to one percent (1%) of its annual turnover for the pre- ceding financial year, whichever is lower. Rule 20 (4) of the Regulations provides that a penalty notice may impose a daily fine of not more than KES. 10,000 for each breach identified until the breach is rectified. It is important to note that the right of appeal to the High Court has been preserved, as against any administrative action taken by the DPC, including as against the issuance of penalty notices.

The seemingly steep administrative fine is intended to deter non-compliance with the provisions of the Act. Indeed, data protection enforcement authorities in other jurisdictions such as the Information Commissioner’s Office (ICO) in the United Kingdom, have not shied away from imposing hefty fines against persons found to be in violation of data protection laws. For instance, the United Kingdom’s ICO fined American Express Services Europe (a credit card company) a sum of nine thousand euros (€ 9,000) for sending marketing emails to various customers who had not given their consent for the same. Should Kenya’s DPC follow the precedents set by other jurisdictions’ data protection enforcement authorities, then the importance of compliance with the Act will not need to be gainsaid. The DPC would how- ever do well to temper the need for compliance and enforcement of the Act with proportionality and reasonableness, in line with the principle that the punishment should fit the crime. In addition to administrative fines, section 65 of the Act provides that a data subject who suffers damage by reason of contravention of a requirement of the Act is entitled to compensation for that damage from the data controller or data processor, save where the data controller or data processor can establish that the damage occasioned on the data subject is not attributable to any fault on their part.

Conclusion

The Regulations offer comprehensive enforcement mechanisms coupled with penal sanctions for non-compliance. It is worth noting that the DPC is taking proactive steps to operationalize the Act and, in addition to the Regulations, has also embarked on a recruitment drive aimed at bolstering the human resource of the ODPC. It is yet to be seen how strict the DPC will be in dealing with complaints arising from breaches of the Act and imposing penalties where applicable. It is only matter of time before occasion for the DPC’s intervention arises, more so once the Regulations take full effect. It is therefore advisable for all data processors and data controllers to err on the side of caution by ensuring full compliance with the Act and the Regulations rather than being “caught off-side” by the imminent compliance and enforcement phase of the nascent data protection laws.

 

Companies are legal entities used by natural persons to undertake business or pursue an object. However, it is not always the case that natural persons want to use companies for lawful activities or to be identified with the company. Natural persons may use companies as fronts for unlawful activities including terrorist financing, money laundering, and tax evasion: circumventing legal compliance requirements, among others. In light of this, it is important to have full information on the persons using a company to undertake business or pursue an object.

This has led to the requirement of beneficial ownership disclosure globally. Ghana adopted the disclosure requirement in 2016 through an amendment of the now repealed Companies Act, 1963 (Act 179), and has restated the requirement in the new Companies Act, 2019 (Act 992). This article discusses beneficial ownership disclosure in Ghana.

Background to beneficial ownership disclosure

Studies conducted by the Financial Action Task Force (FATF) (an international body that sets standards for anti-money laundering and counter-terrorist financing) in 2006 revealed that the lack of adequate, accurate and timely beneficial ownership information on companies in jurisdictions, including Ghana, allows money laundering and terrorist financing to flourish in those jurisdictions.

Consequently, the FATF recommended its Recommendations 24 and 25 on transparency and beneficial ownership of companies. In parallel, the Ghana Extractive Industry Transparency Initiative (GEITI), an initiative that monitors payments by extractive industry companies to governments and government entities, initiated a beneficial ownership transparency agenda to push for transparency in payments in the industry. FATF Recommendations 24 and 25 and the GEITI served as catalysts for Ghana to consider a beneficial ownership disclosure regime covering all companies.

Ghana implemented the requirement by amending the now repealed Act 179 through the passage of the Companies (Amendment) Act, 2016, (Act 920). Act 920 provided for a beneficial ownership disclosure regime by mandating the inclusion of names and particulars of beneficial owners in the register of members. The beneficial ownership disclosure reveals how companies are owned and controlled by their beneficial owners.

Act 920 and Act 179 were repealed by the Companies Act, 2019, (Act 992) which was passed in August 2019. However, it restated the beneficial ownership disclosure requirement and expanded on it.

Who is a beneficial owner?

A beneficial owner is a natural person who ultimately owns or significantly controls a company or materially benefit from the assets held by a company. The control can be exercised directly (holding a significant share in the company) or indirectly (influential in the running of the business) through a legal ownership interest or a significant percentage of voting rights. Act 992 defines the beneficial owner as the natural or artificial person that has a direct or indirect significant interest in or substantial control over a company. It characterises the beneficial owner as an individual:

1. who directly or indirectly ultimately owns or exercises substantial control over a person or company;
2. who has a substantial economic interest in or receives substantial economic benefits from a company, whether acting alone or together with other persons;
3. on whose behalf a transaction is conducted; or
4. who exercises significant control or influence over a legal person or legal arrangement through a formal or informal agreement;

Thus, persons who fall into any of the above categories are beneficial owners and their details must be disclosed to increase transparency in business transactions. Act 992 requires Ghanaian companies (incorporated or external company) to disclose their beneficial owner(s) to the Office of the Registrar of Companies (ORC).

When to report/disclose beneficial ownership?

Act 992 establishes a Central Register (‘Register’) that allows the Registrar to, in accordance with Recommendations 24 and 25 and the provisions of Act 992, obtain, verify and record beneficial ownership information. Consequently, companies have reporting obligations under the beneficial ownership regime. The following reporting requirements have been adopted under Act 992:

1. Filing of beneficial ownership information with the ORC during incorporation/registration of a company. This involves the completion of the relevant Beneficial Ownership Declaration Form.
2. Entry of details of beneficial owners in the Register of Members, and thereafter, submitting their particulars to the ORC within 28 days.
3. Disclosure of beneficial owners in the annual returns forms.
4. The Registrar may request for details of beneficial owners of companies when updating its Register.

The details required from the beneficial owner includes the personal details, percentage interest held, approved national identification, details of politically exposed persons and in the case of a foreign beneficial owner, their passport details. The reporting requirements helps the Registrar to have records of beneficial owners to track their activities.

Should everyone report?

Act 992 does not require everyone that has or controls interest directly or indirectly or receives benefits from a company to disclose. The Act qualifies the reporting thresholds with the words ‘significant’ or ‘substantial’. This is necessary to ensure that the Register contains details of persons who only hold significant or substantial interests. Pursuant to that, the Beneficial Ownership Declaration Forms sets out the thresholds for disclosure in the Register. The thresholds are dependent on the type/sector of the company and the type of beneficial owners involved. The prescribed thresholds are as follows:

1. A natural person who has a direct or indirect interest of 20 percent interest or greater.
2. Foreign politically exposed person in any company who holds 5 percent interest or greater.
3. Domestic politically exposed person with any amount of shares or form of control.
4. In a high-risk company (e.g., oil and gas), any person with an interest of 5 percent.

The thresholds provided under the law are to ensure that only significant and substantial ownership by beneficial owners is disclosed. This is to avoid the disclosure becoming an unnecessary burden for the acquisition of any interest or receiving any benefit, no matter how insignificant in a company.

What happens if you fail to disclose?

To ensure compliance with the disclosure requirements, Act 992 prescribes sanctions for non-compliance. Non-compliance with the reporting/disclosure requirements attracts payment of a fine or a term of imprisonment not exceeding 2 years or both. The prescription of sanctions for non-compliance in Act 992 is necessary as it serves as a check on companies hiding share ownership or control.

Additionally, where persons act as ‘fronts’ for beneficial owners per the terms of an undisclosed agreement, allowing the beneficial owner to use various means to control the actions of the front in the company; such an agreement will have no legal effect on the basis that it is unlawful.

It is therefore important that companies take necessary steps to comply with the disclosure requirements to avoid the prescribed sanctions.

Practical issues arising with implementation register

The disclosure requirement is not without faults. Concerns raised include:

• There are generally technical challenges related to the verification of information obtained on beneficial owners. Consequently, it is difficult for the ORC to verify the information on beneficial owners who are publicly listed companies. This has led to delays in filings by companies (especially foreign-owned companies) who have publicly listed companies as beneficial owners. The Registrar must issue a clear directive on how to proceed in respect of this matter.
• Under the regime, it is mandatory for beneficial owners who do not have a Tax Identification Number (TIN) to procure a TIN. Beneficial owners who are non-residents are reluctant to procure the TIN on the basis that it exposes them to tax liabilities in Ghana. Foreign beneficial owners must be made aware that tax liability does not arise just by the procurement of a TIN but only applicable on taxable activities.
• The Form allows companies to indicate if there are no beneficial owners who meet the prescribed thresholds. There is no requirement for an applicant to provide any supporting information for that statement. However, the ORC would only file such a form if it has supporting documentation. The form should be amended to include the provision of supporting information if there are no beneficial owners.

Conclusion

The beneficial ownership disclosure regime is being implemented to ensure best practices in business operations. Undoubtedly, there are issues associated with its implementation. However, businesses must comply with the requirements. For businesses to be compliant with the requirements, the following measures can be adopted:

• Procurement of TIN- beneficial owners must take steps to procure TINs. Having a TIN does not equate tax liability. Tax payment is generally triggered if the income is accrued in, derived from, and brought into Ghana.
• Submission of completed Beneficial Ownership Forms to the Registry (despite its non-filing by the Registry). This may reduce the compliance risk.
• Where a company does not have a natural person, listed company, or government entity as beneficial owner, provide the additional information/explanation with the application before submission.
• Registrar to develop its verification system to ensure accuracy of the data.