Beneficial ownership verification identifies the natural persons who ultimately own, control, or benefit from a legal entity. UBO rules prevent criminals from hiding behind companies, trusts, nominees, shell entities, and layered ownership chains. A strong UBO process collects company registry documents, ownership charts, shareholder data, control information, senior managing official details, and identity verification for relevant natural persons. Complex structures require enhanced review and clear evidence of how ownership and control were determined.
This article is part of the KYC & AML Compliance pillar. Use the pillar page to explore the full topic cluster and related Kurums Law guides.
Legal entities make commerce efficient, but they also create opacity. A company can open accounts, move money, sign contracts, hold assets, and transact globally while the real people behind it remain hidden. Beneficial ownership rules exist to close that gap. They force businesses to look through the entity and identify the humans who own or control it.
This guide is part of the KYC and AML Compliance pillar inside the Kurums Law department. It explains UBO definitions, ownership thresholds, control tests, document collection, verification, red flags, privacy issues, and how beneficial ownership connects to customer due diligence.
What is a beneficial owner?
A beneficial owner is a natural person who ultimately owns or controls a customer or on whose behalf a transaction is conducted. The exact threshold varies by jurisdiction and sector, but many regimes use ownership or control percentages such as 25% as a starting point. Control can also exist through voting rights, shareholder agreements, appointment rights, veto rights, trusts, nominee arrangements, or other influence.
The key word is natural person. A company cannot be the final UBO. If Company A owns Company B, compliance must keep looking until it identifies the individuals behind Company A, unless a specific listed-company or regulated-entity exemption applies.
Ownership vs control
What documents are used for UBO verification?
UBO verification should combine customer declarations with independent or reliable evidence. Common documents include certificates of incorporation, commercial registry extracts, articles of association, shareholder registers, cap tables, trust deeds, partnership agreements, board registers, organizational charts, ownership declarations, identity documents for UBOs, and proof of authority for signatories.
The document set should match risk. A simple local company with two individual shareholders may require only registry and ID verification. A multi-layer offshore structure may require ownership charts, upstream registry documents, source of wealth review, adverse media checks, and senior approval under enhanced due diligence. For the broader onboarding workflow, see Customer Due Diligence: CDD, EDD, and Risk-Based KYC.
How should complex structures be reviewed?
Complex structures require a reasonableness test: does the structure make commercial sense, and can the customer explain it clearly? Holding companies, funds, trusts, and cross-border groups can be legitimate. But unexplained complexity, circular ownership, nominees, bearer-like arrangements, secrecy jurisdictions, and reluctance to provide documents are red flags.
Compliance should identify the business rationale, tax or investment rationale, control persons, source of funds, and whether any person appears to exercise control without formal ownership. If the customer cannot or will not explain the structure, the relationship may require escalation or rejection.
UBO red flags
- Layered entities with no clear commercial purpose.
- Nominee shareholders or directors without transparent principals.
- Ownership split just below reporting thresholds.
- Trusts or foundations with vague beneficiaries.
- Customers refusing to provide upstream documents.
- UBOs linked to high-risk jurisdictions, sanctions, PEPs, or adverse media.
- Frequent ownership changes before onboarding.
Privacy and retention issues
UBO verification requires sensitive identity processing, so privacy controls must be built into the workflow. Collect only necessary documents, restrict access, encrypt files, define retention, and explain processing in privacy notices. Where data crosses borders or vendors process documents, the company should review data processing agreements and transfer mechanisms under the Data Privacy and KVKK pillar.
How should trusts, funds, and nominees be handled?
Trusts, funds, and nominee arrangements require special review because ownership and control may not appear in a simple shareholder register. For trusts, review settlors, trustees, protectors, beneficiaries, classes of beneficiaries, and persons exercising ultimate effective control. For funds, review the fund manager, general partner, investment manager, administrator, and any controlling investors where the rules require it. For nominee arrangements, identify the principal behind the nominee.
The compliance question is practical: who can direct the customer, benefit from the customer, or use the customer to move value? If the answer is hidden behind legal form, enhanced due diligence may be required. A business should not accept “professional nominee” or “discretionary trust” as an endpoint without understanding the control structure.
What should be recorded in the UBO file?
The UBO file should show not only the final names, but also how the company reached them. Keep the ownership chart, registry extracts, shareholder documents, control analysis, ID verification, screening results, adverse media notes, and any escalation decisions. If no UBO meets the threshold and a senior managing official is used, record why that fallback was appropriate.
This evidence matters during audits and investigations. A regulator may not accept a bare statement that “UBO checked” if the file does not show percentages, layers, dates, document sources, or match decisions. The more complex the structure, the more important the narrative becomes.
How often should UBO information be refreshed?
UBO information should be refreshed on a risk-based schedule and whenever ownership or control changes. Triggers include new shareholders, new directors, mergers, restructurings, adverse media, unusual activity, sanctions alerts, expired documents, or customer statements that conflict with existing records.
High-risk entities should be reviewed more often, especially where ownership is layered or located in higher-risk jurisdictions. Refresh should not simply ask the customer whether anything changed. Where risk requires it, verify against registry data, documents, or reliable databases.
Infographic: UBO Verification Flow
Identify entity -> Collect registry -> Map ownership -> Find natural persons -> Verify IDs -> Screen UBOs -> Resolve red flags -> Record rationale
UBO implementation playbook
A strong UBO workflow starts with entity classification. Before asking for documents, determine whether the customer is a private company, public company, partnership, trust, fund, charity, government entity, regulated financial institution, or special purpose vehicle. Each type has different ownership evidence and different control questions. A single generic form will miss important details.
For private companies, request registry evidence, shareholder information, directors, authorized signatories, and an ownership chart where there is more than one layer. For partnerships, review partners and control rights. For trusts, identify trustees, settlors, protectors, beneficiaries, and anyone exercising control. For funds, review the fund structure, manager, general partner, administrator, and controlling investors where required. For listed companies, determine whether an exemption or simplified approach is permitted under the applicable rules.
The workflow should force analysts to record how the UBO was identified. If the answer depends on ownership percentage, record the calculation. If the answer depends on control, describe the control right. If no UBO is found and a senior managing official is used, record the search steps. This prevents UBO review from becoming a checkbox.
How should UBO information connect to sanctions and EDD?
UBO information should feed directly into sanctions screening, PEP review, adverse media checks, and customer risk scoring. A company may look low risk until its controlling person is identified. A low-risk industry can become high risk if the owner is a PEP, linked to sanctions exposure, connected to corruption allegations, or based in a high-risk jurisdiction.
If a UBO creates risk, the business should decide whether to apply enhanced due diligence, request source of funds or source of wealth, obtain senior approval, restrict products, increase monitoring, or reject the relationship. The decision should be documented. UBO review has value only if it changes the risk treatment when facts require it.
UBO audit evidence
The audit file should let a reviewer reconstruct the ownership analysis without asking the analyst to explain it verbally. Include source documents, ownership chart, calculations, control notes, UBO identity evidence, screening results, risk rating impact, and approval records. If documents are in another language, note whether translation or local counsel review was used.
For high-risk entities, keep evidence of independent verification. This may include registry screenshots, certified extracts, reliable database reports, notarized documents, or legal opinions. The more opaque the structure, the more important independent evidence becomes.
UBO metrics and quality controls
UBO controls should be measured because ownership review is one of the easiest KYC steps to perform superficially. Track how many entity customers require ownership charts, how many have layered ownership, how many use trusts or nominees, how often analysts use senior managing official fallback, how many files lack independent verification, and how often UBOs trigger PEP, sanctions, or adverse media escalation.
Quality review should sample entity files and ask whether another analyst could reconstruct the ownership structure from the evidence. If not, the file is not audit-ready. Reviewers should check percentage calculations, upstream entity documents, control rights, ID verification, screening results, and whether high-risk structures received enhanced due diligence.
The program should also watch for threshold avoidance. If many customers have ownership split at 24.9%, 9.9%, or another local threshold, compliance should review whether control is being hidden through coordinated minority holdings, family relationships, nominee arrangements, or contractual rights.
Board reporting should separate ordinary entity onboarding from complex ownership cases. Management needs to know how many relationships depend on layered structures, trust arrangements, offshore entities, or fallback senior managing officials, because these cases carry higher residual risk.
Final compliance note
UBO verification is not finished when a name is found. The business must understand how that person owns or controls the customer, whether the structure makes sense, whether the evidence is reliable, and whether the identified person changes the risk rating. Ownership opacity is itself a risk signal, especially when the customer wants fast onboarding, high limits, or cross-border access.
When analysts cannot explain the structure in plain language, the file should be escalated. Complexity is acceptable only when it is understood, documented, and commercially rational.
This is especially important for regulated customers, offshore holding structures, investment vehicles, and customers requesting high limits or rapid settlement.
In those cases, ownership clarity should be treated as an approval condition, not a post-onboarding clean-up task.
Frequently Asked Questions
Discover more from Kurums | Business Intelligence
Subscribe to get the latest posts sent to your email.