UBO Verification: What It Is and Where Banks Keep Getting It Wrong

Most KYB processes look solid on paper. Registry checks pass, documents are collected, the business is verified, and the case is approved. Then, months or years later, an audit pulls a file and finds a beneficial owner who was never identified — because nobody looked past the first layer of the corporate structure. The legal shareholder on the registry was itself a holding company, and the natural person who actually controlled the business sat three layers up.

UBO verification is where KYB most commonly fails, and where regulators most commonly find gaps. Under the EU's AMLD6, FinCEN's Beneficial Ownership Information rule, and equivalent frameworks across the UK, Singapore, and the Gulf, banks are expected to identify the natural persons who ultimately own or control every corporate customer. The financial penalties for failing to do so are well documented — multi-million-pound fines, deferred prosecution agreements, and consent orders that restrict a bank's ability to onboard new customers. The reputational cost, when a failure becomes public, is harder to quantify but harder to recover from.

What Is a UBO?

A Ultimate Beneficial Owner is the natural person — never a company, trust, or other legal entity — who ultimately owns or controls a business. The definition is set by FATF Recommendation 24 and was carried into EU law through the Fourth Anti-Money Laundering Directive (4MLD, 2015), tightened by the Fifth Anti-Money Laundering Directive (5MLD, 2018) which opened beneficial ownership registers to the public and pulled crypto-asset service providers and high-value art dealers into scope, and consolidated by AMLD6 and the 2024 EU AML Package. Across most major jurisdictions, the threshold for "ownership" sits at 25% of shares or voting rights, either directly or indirectly. 4MLD set the 25% bar across EU member states; 5MLD preserved it; FinCEN uses the same 25% threshold; the UK's PSC regime uses 25% plus any other person who exercises significant control. Some jurisdictions and some industries apply lower thresholds — Switzerland uses 25% for ownership but 10% for certain regulated entities, and several FATF-listed jurisdictions have moved to 10% for higher-risk sectors.

The critical distinction is between direct and indirect ownership. A direct UBO holds shares in the customer entity in their own name. An indirect UBO holds shares through one or more intermediate legal entities. Consider a worked example: Natural Person N owns 100% of Company A. Company A owns 60% of Company B. Company B owns 50% of Company C, which is your customer. N's effective ownership of C is 100% × 60% × 50% = 30%. That puts N above the 25% threshold and makes N a UBO of C — even though N does not appear anywhere on C's shareholder register. Missing this chain is the single most common UBO failure in regulated banking.

Why UBO Verification Is Harder Than It Looks

Three problems make beneficial ownership verification structurally harder than other KYB checks.

The first is layered corporate structures. Sophisticated customers — and not only the ones with something to hide — routinely interpose holding companies, special-purpose vehicles, family trusts, and offshore entities between themselves and the operating business. Some of these structures exist for legitimate tax, succession, or liability reasons. Others exist to obscure ownership. The KYB process has to work through both, and the analyst staring at the case file cannot always tell which is which.

The second is inconsistent registry data. The UK's Companies House publishes People with Significant Control filings under a strict regime; Germany's Transparenzregister, France's RCS, and the Netherlands' UBO-register are similarly well-maintained. But the moment a chain passes through Delaware, the BVI, the Cayman Islands, Hong Kong, or any of a dozen other jurisdictions, public beneficial ownership data either does not exist or is meaningfully incomplete. Even within the EU, data quality and refresh cadence vary enormously. A platform that treats all registries as equally reliable will produce false confidence.

The third is nominees and proxies. The legal shareholder on paper is not always the controlling party in practice. Nominee directors, nominee shareholders, and informal proxy arrangements are common — particularly in jurisdictions where nominee services are a regulated industry in their own right. A pattern we see often: a fintech onboards what looks like a clean UK-registered payments company. The PSC filing names a single director-shareholder with a UK address. The KYB platform marks the case as low risk. What it misses is that the UK director is a professional nominee acting for an offshore trust whose settlor is a sanctioned individual in a third jurisdiction. The information needed to catch this exists — it just sits across four different registries and a Trust Disclosure filing that the platform never queried.

For more on how this changes when you move from one-time onboarding to ongoing monitoring, see our perpetual KYB guide.

The Five Mistakes Banks Make in UBO Checks

1. Stopping at the first layer. The most common failure mode by a wide margin. The analyst verifies the immediate shareholder, sees that it is a registered company in a reputable jurisdiction, and stops. The PSC filing for that company is never pulled, the ownership chain is never traced through to a natural person, and a UBO who sits two or three layers up is missed entirely. This is the failure that turns up in audit findings more than any other.

2. Relying on self-declaration. Asking the customer to fill in a UBO declaration form is a useful starting point, not a verification. A customer who answers honestly will declare what they understand to be the ownership chain — which may or may not match what the registries actually say. A customer who answers dishonestly will simply not name the person you most need to identify. Independent verification against authoritative registries is the only check that meets the regulatory standard.

3. Treating UBO as a one-time check. UBO is a state, not a transaction. Ownership changes, often without notification — a share transfer, a death, a divorce, a restructuring. A KYB file that captures UBO at onboarding and never refreshes it will be wrong within months for a non-trivial fraction of corporate customers. Continuous monitoring against PSC filings, sanctions updates, and PEP designations is now a regulatory expectation, not a differentiator.

4. Inconsistent thresholds. Different teams applying different ownership thresholds — or the same team applying different thresholds across jurisdictions without a documented reason — is a finding waiting to happen. The threshold should be set at the policy level, documented, and applied consistently in code, not left to the analyst's judgement on each case.

5. No audit trail. A UBO check that produces a clean outcome but cannot show the examiner which registries were queried, what data was returned, how the ownership chain was constructed, and what the decision logic was, may as well not have happened. The point of the audit trail is not just to prove the work was done — it is to prove the work was done correctly, in a way that survives examination two or three years later.

The same principle applies to the broader distinction between entity-level and individual-level checks; we cover that in KYB vs KYC.

What Good UBO Verification Actually Looks Like

The ideal process is straightforward to describe and demanding to build. Multi-source registry lookup happens automatically — PSC filings for UK entities, Transparenzregister for German entities, the equivalent register for every jurisdiction in the chain — with the platform handling the differences in data shape, refresh cadence, and access protocol. The ownership graph is constructed programmatically from those registry pulls, with the platform recursing through each intermediate legal entity until natural persons are identified. Every natural person identified is then screened against sanctions lists, PEP databases, and adverse media sources — not just the customer's named UBOs, but every person the chain resolution surfaces.

Finally, the decision is documented with a complete evidence chain: which registries were queried at which timestamps, what data came back, how the ownership percentages were calculated, which UBOs cleared screening, which were flagged for analyst review, and what the analyst decided. That evidence sits in an exportable, machine-readable record that an examiner can interrogate years later.

The best platforms do this automatically across jurisdictions, returning a complete ownership graph and clean screening outcomes in seconds rather than asking analysts to stitch together results from five different registry portals. This is the model First Mile Labs is built around — vendor-agnostic registry connectors, automated chain resolution, screening on every natural person surfaced, and a full audit trail produced by default. The aim is to make the correct outcome the path of least resistance, not a discipline that depends on individual analyst rigour.

Frequently Asked Questions

What is the UBO ownership threshold in the EU? Under AMLD6, the threshold for beneficial ownership across EU member states is 25% of shares or voting rights, either directly or indirectly. Some regulated sectors apply lower thresholds in specific contexts, and some member states allow competent authorities to lower the threshold for higher-risk customers, but 25% is the default standard.

Do I need to verify UBOs for every business I onboard? For regulated financial institutions, yes — UBO identification and verification is a core requirement of customer due diligence under every major AML regime, including AMLD6, the US Beneficial Ownership Information rule, the UK Money Laundering Regulations, and equivalent frameworks across Asia and the Gulf. The depth of verification can be calibrated to the risk profile of the customer, but the obligation to identify the UBO applies in every case.

What happens if a UBO can't be identified? The regulatory expectation, where a UBO cannot be identified through registry data and customer-provided documentation, is to treat the case as enhanced-risk and apply additional due diligence — typically including senior management approval before onboarding. If the chain still cannot be resolved to a natural person after enhanced due diligence, most regimes expect the relationship to be declined rather than onboarded with a gap in the record.

Closing

The audit risk is the reason this matters. Every UBO chain that ends at a holding company rather than a natural person is a finding waiting to be written into an examination report. Every self-declared UBO that was never independently verified is a regulatory exposure that compounds with every passing year the customer remains on the books. Every case file with no audit trail is a case the bank cannot defend.

If your current KYB process stops at the first ownership layer, it is worth reviewing before your next audit does. See how First Mile Labs handles UBO verification →