Beneficial Ownership (UBO) Screening: A Practical Guide for AML-Obliged Firms: Understanding UBO requirements under EU AMLD, how to identify beneficial owners in complex structures, and how to build a UBO screening process that…
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
Related HubSecure buying path
AML/KYC & Onboarding guideclient onboarding softwareAML/KYC moduleSumsub comparisonAML/KYC compliance software guideGuide Librarybook a workflow demo
Related AML/KYC and compliance monitoring resources
Continue with AML/KYC monitoring module, compliance workflows, HubSecure for legal teams, HubSecure for finance teams, security and trust center.
Related use case
This guide belongs to the AML and KYC Guides cluster. Continue with the product hub for aml and kyc.
What Is a Beneficial Owner (UBO)?
A beneficial owner — or Ultimate Beneficial Owner (UBO) — is the natural person who ultimately owns or controls a legal entity. Under EU anti-money laundering law, identifying the UBO is a mandatory component of Customer Due Diligence (CDD) for every corporate client relationship.
The EU Anti-Money Laundering Directives define beneficial ownership along two parallel tracks:
- Ownership track: Any natural person who directly or indirectly holds more than 25% of the shares or voting rights in the entity, including through bearer shares, convertible instruments, or multiple layers of ownership.
- Control track: Any natural person who otherwise exercises control — through board positions, veto rights, shareholder agreements, or other mechanisms — even if their ownership stake is below the 25% threshold.
If no natural person can be identified through either track, or if their identity cannot be verified, the senior managing official (typically the CEO or executive director) is treated as the beneficial owner of last resort — but this is a fallback, not a satisfactory outcome, and must be documented as such.
The 25% threshold is a floor, not a ceiling. The obligation is to identify all beneficial owners above 25%. But in practice, regulators expect obliged entities to look harder — particularly for structures with multiple shareholders clustered just below 25%, or where the 25% threshold is clearly being used as a deliberate obscuration technique.
The Regulatory Framework: From 4AMLD to the 2025 AMLA Package
EU UBO requirements have evolved significantly through successive Anti-Money Laundering Directives, and are now being consolidated under the new EU AML Authority (AMLA) framework adopted in 2024.
| Directive | Key UBO development | Status |
|---|---|---|
| 4AMLD (2015) | Introduced 25% threshold; required UBO registers for companies and trusts | Implemented by most Member States |
| 5AMLD (2018) | Made UBO registers publicly accessible; extended to trusts with tax consequences; required enhanced due diligence for high-risk third countries | Implemented |
| 6AMLD (2021) | Expanded predicate offences for money laundering to 22 categories; extended criminal liability to legal persons; tightened correspondent banking rules | Implemented |
| AMLA Regulation (2024) | New EU AML Authority (Frankfurt); harmonised CDD standards; single EU AML rulebook; direct supervisory authority over highest-risk entities from 2026 | Adopted; phased implementation |
| AML Regulation (direct effect) | Replaces 6AMLD national transpositions; directly applicable across all Member States; standardised UBO identification requirements | Entering into force 2026–2027 |
The key practical change under the AMLA package is that UBO obligations are being standardised — ending the patchwork of national transpositions that allowed inconsistent interpretation of the 25% threshold, documentation requirements, and fallback procedures.
Who Must Conduct UBO Screening
UBO identification is required for all "obliged entities" under AMLD. This list is broader than many businesses realise:
- Credit institutions (banks) and financial institutions
- Auditors, external accountants, and tax advisors
- Notaries and legal professionals when they assist in corporate transactions
- Trust and company service providers (TCSPs)
- Estate agents (for transactions above €10,000)
- Dealers in high-value goods (art, jewellery, precious metals) for cash transactions above €10,000
- Gambling operators
- Investment firms, asset managers, and wealth advisors
- Crypto-asset service providers (CASPs) under MiCA
- Mortgage credit intermediaries
If you are in any of these categories and accept corporate clients — including LLPs, partnerships, foundations, associations, or trusts — you have a UBO identification obligation for each relationship.
The UBO Identification Process: Step by Step
Obtain the entity's constitutional documents (articles of association, shareholder register) and a current extract from the relevant company registry. Map the ownership chain from the top entity down to natural persons. For multi-layer structures, you must trace every intermediate holding company.
Identify all natural persons who own or control more than 25% of shares, voting rights, or ownership interest, including indirect ownership through intermediate entities. Calculate ownership stakes for multi-layer structures by multiplying percentages: a person owning 60% of a company that owns 50% of your client entity has a 30% indirect interest — above the threshold.
Review shareholder agreements, board composition, veto rights, preferred share classes, and loan agreements that may confer control. A person with a 20% stake but a casting vote on all major decisions exercises control and must be identified as a UBO despite falling below the ownership threshold.
Check the relevant national UBO register for the entity's jurisdiction. Document discrepancies between self-reported ownership and registered information — inconsistencies are a risk indicator requiring explanation. Note: CJEU ruling in November 2022 (Joined Cases C-37/20 and C-601/20) restricted public access to UBO registers; access rules now vary by Member State, and professional access via sector-specific portals may be required.
Collect identity documents for each UBO (passport, national ID card). For high-risk relationships, verify against independent sources (credit bureau, public records, KYC database). The level of verification must be proportionate to the risk rating of the client relationship.
Once UBOs are identified, run them through PEP (Politically Exposed Person) screening and sanctions list checks (EU, UN, OFAC, UK OFSI). A clean company can have a high-risk UBO. PEP status or sanctions exposure on any UBO triggers Enhanced Due Diligence for the entire relationship.
Record the UBO identification process, the sources consulted, the verification steps taken, and the conclusions reached. Under AMLD, records must be retained for 5 years after the business relationship ends. The documentation trail is what regulators review in inspections — "we did it but can't show it" is treated the same as "we didn't do it".
Complex Structures That Require Deeper Analysis
Most UBO violations in regulatory inspections involve not simple corporate structures but complex ones where the complexity itself was accepted without adequate investigation. The following structures require particular care:
Multi-layer holding chains
A client entity owned by a Cayman Islands holding company, owned by a BVI trust, managed by a licensed trustee. Each layer potentially reduces the visibility of the underlying natural persons. Under AMLD, you must trace the chain until you reach natural persons — "the trustee is the owner" is not sufficient; you must identify who controls and benefits from the trust.
Trusts and similar arrangements
For trusts, the UBO includes: the settlor(s), the trustee(s), the protector(s) if any, the beneficiaries (if identified in the trust deed) or the class of beneficiaries, and any other natural person exercising ultimate effective control. This often means identifying multiple UBOs from a single trust structure.
Nominee arrangements
Where nominees hold shares or directorships on behalf of undisclosed principals, the nominee is not the beneficial owner — the principal is. Nominee structures are not inherently suspicious (they are commonly used for legitimate privacy reasons) but they require additional documentation: a nominee agreement disclosing the principal must be obtained and the principal verified as UBO.
Bearer shares
Bearer shares (where ownership follows possession of the physical share certificate) are now prohibited or severely restricted across most EU jurisdictions. However, legacy structures may still exist, particularly for companies incorporated before the 4AMLD period. If you encounter bearer shares, this is itself a significant risk indicator.
Red flags requiring EDD: Structures with three or more corporate layers; companies in secrecy jurisdictions (BVI, Cayman, Panama, Seychelles) without a clear business rationale; nominee shareholders with no disclosed principal; UBO register information that contradicts client-provided documentation; refusal to provide information about intermediate holding companies; recent corporate restructuring coinciding with increased scrutiny in another jurisdiction.
Ongoing Monitoring of UBO Information
UBO screening is not a one-time exercise at onboarding. Under AMLD, you must maintain up-to-date CDD information throughout the business relationship. For most relationships, this means an annual review. For higher-risk relationships, quarterly or triggered reviews are expected.
Triggers that require immediate UBO re-verification include:
- Notification from the client of a change in ownership or control
- Corporate acquisition or merger involving the client
- Addition of a new UBO above the threshold
- PEP status change for an existing UBO
- Sanction designation of an existing UBO or associated party
- Unusual transaction patterns or red flags in the business relationship
UBO Registers: What They Tell You (and What They Do Not)
EU Member States maintain central UBO registers as required under 5AMLD. These registers are valuable — but they have significant limitations that obliged entities must understand.
| What UBO registers provide | What they do NOT provide |
|---|---|
| Self-declared UBO information as filed by the company | Independent verification that the information is accurate |
| Name, nationality, date of birth, country of residence of declared UBOs | Copies of identity documents or verification evidence |
| Nature and extent of the beneficial interest | Details of control mechanisms beyond ownership percentage |
| Date of entry and history of changes | Information on trusts or nominee arrangements |
| A baseline for cross-checking client disclosures | A substitute for your own independent verification |
The most important point: the UBO register is a starting point, not a conclusion. Regulators have found that many firms use register data as a "tick-box" exercise without probing discrepancies or conducting independent verification. This is insufficient and will fail a regulatory inspection.
UBO Screening Checklist
- Corporate structure chart prepared and ownership chain traced to natural persons
- All UBOs above 25% ownership threshold identified
- Control mechanisms assessed beyond ownership (voting rights, agreements, veto rights)
- National UBO register checked and discrepancies documented
- Identity documents obtained for each UBO
- Identity independently verified (risk-proportionate)
- PEP screening completed for all UBOs
- Sanctions screening completed for all UBOs (EU, UN, OFAC, UK)
- Adverse media check conducted for high-risk relationships
- Risk rating assigned and documented
- EDD triggered where required (PEP status, high-risk jurisdiction, sanctions match)
- Full documentation filed and linked to client CDD record
- Ongoing monitoring schedule set (annual minimum; quarterly for high-risk)
Frequently Asked Questions
Get AML and compliance insights in your inbox
Join 300+ compliance officers and legal teams getting weekly updates on AML, KYC, and GDPR regulation — no noise, unsubscribe anytime.
See HubSecure AML/KYC in action
Automated PEP and sanctions screening, UBO identification workflows, CDD record management, and real-time monitoring — all in one platform built for regulated businesses.
Book a 20-minute demo →