← Blog · KYC Basics
Beneficial Ownership Verification: Finding Who Really Controls an Entity

Onboarding a company is not the same as onboarding a person. A legal entity cannot open an account, sign a contract, or move funds on its own — a human always stands behind it. Beneficial ownership verification, often called UBO (Ultimate Beneficial Owner) identification, is the process of tracing that entity back to the natural persons who own or control it. For fintechs onboarding business customers, it is one of the most error-prone parts of KYC.
What Counts as a Beneficial Owner
Most frameworks define a UBO through two lenses: ownership and control. The ownership test uses a percentage threshold. The FATF recommends 25%, and the EU's AML rules, the US Corporate Transparency Act, and FINTRAC guidance in Canada largely converge on the same figure, though some risk-based programs lower it to 10%.
The control test catches people who influence the entity without holding shares — for example, someone with authority to appoint or remove directors, or a person exercising control through other means. When no individual meets the threshold, most regimes require identifying a senior managing official as a fallback. This matters because criminals often engineer ownership so that no single person crosses 25%.
Peeling Back Layered Structures
The hard cases involve entities owned by other entities. A company may be held by a holding company, which is held by a trust, which is administered in another jurisdiction. Each layer must be unpacked until you reach natural persons. Two data points are essential at every layer:
- Direct ownership — who holds shares in the immediate parent.
- Indirect ownership — the cumulative percentage a person holds through the full chain, calculated by multiplying stakes across layers.
A person holding 50% of Company A, which holds 60% of Company B, has a 30% indirect stake in Company B — above the threshold, even though it is invisible at the top layer. Nominee shareholders, bearer shares, and offshore trusts add further opacity. Where a corporate registry lists a nominee, the verification is incomplete until the beneficial party behind the nominee is documented.
Documenting and Verifying the Data
Collecting names is not verification. A defensible UBO process pairs self-declaration with independent corroboration. Practical sources include:
- Corporate registries and beneficial ownership registers, where available.
- Certified incorporation documents, shareholder registers, and organizational charts.
- Identity verification of each natural person identified, at the same standard applied to individual customers.
- Sanctions, PEP, and adverse media screening against every identified owner and controller.
The individual verification step is often the bottleneck. Each UBO may sit in a different country, hold different documents, and respond on their own schedule. A chat-based collection flow can reduce this friction: an entity representative supplies the ownership structure, and each named individual receives a private verification link over Telegram or WhatsApp to submit their own identity documents directly, rather than routing scans through an intermediary who then re-shares them.
Keeping the Picture Current
Ownership is not static. Shares change hands, directors resign, and trusts are restructured — often without notifying the institution. A UBO snapshot taken at onboarding decays. A risk-based review cadence, triggered by both time and events (a change of signatory, a large transaction pattern shift, or a registry update), keeps the record aligned with reality.
Because UBO data is sensitive personal information about people who are not your direct customer, apply data minimization: collect only the identity attributes needed to satisfy the applicable threshold and screening obligations, and set configurable retention so records are deleted or archived when the relationship ends and the retention period lapses. This is general information, not legal advice — confirm thresholds and documentation standards with your own counsel and regulator, since they vary by jurisdiction and by the risk profile of each entity you onboard.
General information, not legal advice. Talk to your compliance counsel for guidance on your specific obligations.