UBO discovery beyond the form: how to verify beneficial owners that won't tell you

Zenoo's Editorial Team · 8 min read

A European bank we worked with onboarded a mid-sized trading company in 2024. The KYB pack looked clean. Companies House filings were current, two declared beneficial owners both held 50%, neither hit any sanctions or PEP list, the corporate structure declaration showed a single UK parent. Three months later, an enforcement notice landed against a designated individual who, through a chain of nominees and a Jersey trust, controlled 62% of the trading company. The bank had asked. The customer had filled in the form. The form was a fiction.

The regulator's question afterwards was the one that matters: do you know who actually owns this company? The bank's answer was the one nobody wants to give. They had a piece of paper. They did not have a defensible verification.

This is the gap that most KYB stacks leave wide open. UBO discovery is not the same thing as a form plus a register lookup. It is an investigative process, and if you are not running it, you are guessing.

Why self-declaration plus a register lookup is not enough

Most onboarding flows treat beneficial ownership the same way they treat a delivery address. Ask the customer. Type it in. Maybe cross-check against a central beneficial ownership register. Move on.

The problem is structural. Central registers (Companies House PSC, EU beneficial ownership registers under AMLD5, equivalents elsewhere) are themselves populated by self-declaration. The company tells the registrar who its beneficial owners are. The registrar publishes it. You query it. The data flows in a circle, with no independent verification at any point.

For straightforward businesses (single jurisdiction, two natural-person directors who own the shares, no holding company), this works fine. The form and the register agree because the structure is genuinely simple. But the moment the structure is even mildly complex, the register stops being a verification source. It becomes another copy of the customer's claim.

In our audit work, we see roughly 30% of corporate applications involve structures where self-declaration alone produces an incomplete or incorrect picture: trusts, nominee shareholders, holding companies layered across jurisdictions, recent ownership changes not yet filed, foundations, partnership interests, voting agreements that override percentage ownership. (Note: this 30% figure reflects what we typically see in our audits of mid-market financial institutions across the UK and EU. Your mix will vary depending on your customer base.)

The four patterns that defeat a form

If you want to close the gap, start by understanding what you are looking for. Four ownership patterns reliably break self-declaration.

| Pattern | What it looks like | What the form will say |
|---|---|---|
| Nominee shareholders | Registered shareholder holds shares for someone else under a declaration of trust or nominee agreement | Lists the nominee company or individual, not the beneficial owner |
| Layered holding structures | Operating company owned by HoldCo A, owned by HoldCo B, owned by an offshore entity, owned by a trust | Lists the immediate parent and stops |
| Trusts and foundations | Shares held by a trustee on behalf of beneficiaries whose identities are private | Lists the trustee, not the beneficiary |
| Recent change in control | Ownership transferred in the last 30 to 90 days, share register updated, filings pending | Reflects the previous owner because the customer is using stale information |

You need a discovery method that handles each of these. One technique on its own will not cover all four.

Method 1: multi-source cross-check

This is the baseline. For every declared UBO, pull data from at least two independent sources and compare them against the declaration. Disagreement is a signal, not a glitch.

Typical sources:

  • Domestic company register (Companies House PSC, Handelsregister, Crossroads Bank for Enterprises, equivalents)
  • Commercial corporate structure provider (Bureau van Dijk Orbis, Dun and Bradstreet, Refinitiv) for aggregated multi-jurisdiction ownership chains
  • Shareholder register obtained directly from the company where available, particularly for unlisted entities
  • Filing history showing recent confirmation statements, allotments, transfers of shares

When the declaration says "50% Alice, 50% Bob" and the share register shows a third allotment to a holding company three months ago, you have something to investigate. When the corporate structure provider shows an intermediate Luxembourg entity that the declaration never mentioned, you have something to investigate. Most of these discrepancies turn out to be benign (data lag, rounding, forgotten subsidiary), but the ones that are not benign are the ones you needed to find.

Method 2: corporate structure analysis

Layered structures need to be unwound, not just acknowledged. A declaration that says "100% owned by HoldCo Limited" without unwinding HoldCo Limited is not a UBO declaration. It is a deferral.

The discipline is to trace ownership through every layer until you reach a natural person, a publicly listed company, a regulated entity in a Tier 1 jurisdiction, or a verified state actor. Each hop in the chain needs its own evidence. For each entity in the chain, you need to know its jurisdiction, its register entry, its directors, and its declared ownership.

This is where automation pays off. Manually unwinding a four-layer structure spanning three jurisdictions takes an analyst between two and four hours. Automated corporate structure tools that pull from cross-border data providers can produce a draft chain in seconds. The analyst's job becomes review and challenge, not data gathering.

"We had a customer declare a single UK parent. The corporate structure tool surfaced four entities the customer had not mentioned, including a Cyprus holding company and a BVI entity. Two of them turned out to be irrelevant operational subsidiaries, but one was the actual controller. We would never have found it from the declaration alone."
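The unwinding discipline described in this section, as an added example (not Zenoo's code or any vendor's tool): it traces every ownership path upward, multiplies stakes hop by hop, and separates owners that end at a terminal kind from dead ends that still need evidence. The entity names, the sample holdings, and the 25% reporting threshold are assumptions made for the illustration.

```python
from collections import defaultdict

# Terminal kinds named in the text: the trace may stop at these.
TERMINAL = {"person", "listed", "regulated_tier1", "state"}

# Constructed sample data (hypothetical entities).
KIND = {
    "OpCo": "company", "HoldCo A": "company", "HoldCo B": "company",
    "Jersey Trust": "trust", "Alice": "person", "Bob": "person",
}
# HOLDINGS[owned] = [(owner, fraction_of_shares), ...]
HOLDINGS = {
    "OpCo": [("HoldCo A", 0.60), ("Alice", 0.40)],
    "HoldCo A": [("HoldCo B", 1.00)],
    "HoldCo B": [("Jersey Trust", 0.70), ("Bob", 0.30)],
    # "Jersey Trust" has no owners on record: an unresolved chain.
}

def unwind(target, holdings, kind):
    """Return (resolved, unresolved): effective stake per terminal owner and
    per dead-end entity, summed over every path from the target."""
    resolved, unresolved = defaultdict(float), defaultdict(float)

    def walk(entity, stake, path):
        for owner, frac in holdings.get(entity, []):
            eff = stake * frac
            if owner in path:                  # circular cross-holding: flag it
                unresolved[owner] += eff
            elif kind.get(owner) in TERMINAL:  # chain ends legitimately here
                resolved[owner] += eff
            elif owner not in holdings:        # non-terminal, nothing known above
                unresolved[owner] += eff
            else:
                walk(owner, eff, path | {owner})

    walk(target, 1.0, {target})
    return dict(resolved), dict(unresolved)

def needs_evidence(unresolved, threshold=0.25):
    """Dead ends whose effective stake meets the assumed 25% threshold."""
    return sorted(e for e, s in unresolved.items() if s >= threshold)

if __name__ == "__main__":
    owners, gaps = unwind("OpCo", HOLDINGS, KIND)
    print(owners, gaps, needs_evidence(gaps))
```

On this sample, a form listing only the immediate parent would show "HoldCo A 60%, Alice 40%", while the unwound chain shows an unverified trust holding an effective 42%.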

Method 3: nominee detection

Nominees are designed to be invisible. You will not find them by looking at a single share register, because the whole point is that the register shows the nominee, not the beneficiary. But there are signals.

  • Registered shareholder is a corporate service provider. If the shareholder of record is a company whose primary business is providing nominee and trust services, the probability that it is a nominee is high. Maintain a list of known nominee providers and flag any registered shareholding to such an entity for additional documentation requests.
  • Registered shareholder address is a serviced office or formation agent. Particularly when combined with a generic-sounding company name ("International Holdings Limited", "Trading Investments Limited"), this is a classic nominee signal.
  • Multiple unrelated companies share the same shareholder. A pattern of one entity appearing as shareholder across multiple seemingly unrelated companies often indicates a professional nominee.
  • The customer cannot answer follow-up questions. If you ask "who is the beneficial owner behind the registered shareholder?" and the customer struggles to answer or refers you back to lawyers, that is data.

For higher-risk relationships, the right control is to require either a declaration of trust or a written confirmation from the nominee provider identifying the beneficiary. Refusal to provide one is itself a finding.
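The first three register-based signals above can be screened automatically before an analyst asks the follow-up questions. The following is an added example, not code from the original article: the provider list, address list, company names, and the three-company threshold are all constructed assumptions.

```python
from collections import defaultdict

# All values below are constructed for illustration (hypothetical names).
KNOWN_NOMINEE_PROVIDERS = {"example nominee services ltd"}
SERVICED_OFFICE_ADDRESSES = {"suite 1, 1 example street, london"}
GENERIC_NAME_WORDS = {"international", "holdings", "trading",
                      "investments", "limited", "ltd"}

# (company, registered shareholder, shareholder's registered address)
REGISTER = [
    ("Acme Trading Co", "Example Nominee Services Ltd", "Suite 1, 1 Example Street, London"),
    ("Birch Logistics", "International Holdings Limited", "Suite 1, 1 Example Street, London"),
    ("Cedar Foods", "International Holdings Limited", "Suite 1, 1 Example Street, London"),
    ("Delta Software", "International Holdings Limited", "Suite 1, 1 Example Street, London"),
    ("Elm Retail", "Jane Roe", "12 Orchard Lane, Leeds"),
]

def nominee_signals(register, min_companies=3):
    """Map each registered shareholder to the nominee signals it triggers."""
    companies = defaultdict(set)
    address = {}
    for company, holder, addr in register:
        companies[holder].add(company)
        address[holder] = addr.strip().lower()

    flagged = {}
    for holder, held in companies.items():
        name = holder.strip().lower()
        signals = []
        if name in KNOWN_NOMINEE_PROVIDERS:
            signals.append("known_provider")
        if address[holder] in SERVICED_OFFICE_ADDRESSES:
            signals.append("serviced_office")
            # A generic name only counts when combined with the address signal.
            if set(name.split()) <= GENERIC_NAME_WORDS:
                signals.append("generic_name")
        # Assumed threshold; whether the companies are unrelated needs analyst review.
        if len(held) >= min_companies:
            signals.append("shared_shareholder")
        if signals:
            flagged[holder] = signals
    return flagged

if __name__ == "__main__":
    for holder, signals in nominee_signals(REGISTER).items():
        print(holder, signals)
```

A flag here is a trigger for the documentation request described above, not a finding in itself.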

Method 4: change-in-control monitoring

Discovery is not a one-time activity. The UBO you verified six months ago is not necessarily the UBO today. Ownership changes (acquisitions, share transfers, trust resettlements, new allotments) happen continuously and are often not declared by the customer until something forces the issue.

The monitoring controls that catch this are:

  • Daily change feeds from company registries showing director changes, allotments, transfers, confirmation statements
  • Adverse media monitoring on the customer entity and its declared UBOs, where ownership-change announcements often surface before registry filings
  • Periodic re-verification on a risk-tiered cadence, with full corporate structure pulls and cross-checks against the declaration of record

The combination of event-driven and cadence-based review is what AMLA's ongoing due diligence requirements expect. (See our companion piece on setting up risk-tiered KYB refresh cycles for the operational detail.)

What the regulator actually asks

When AMLA, the FCA, BaFin, or any peer authority reviews your file, the question is not "did the customer fill in the form?" The question is "can you demonstrate that you independently verified the beneficial owners?"

A defensible answer has four parts:

  1. The declaration on file, with the date and the declarant identified
  2. The independent sources you cross-checked it against, with extraction dates
  3. The discrepancies you found and how you resolved them
  4. The risk-tiered ongoing monitoring you have in place to catch changes

If any one of those four is missing, the answer is incomplete. If the answer is just "we got a form", you are exposed. AMLA's central UBO requirements, set out in the AML Regulation, are explicit that obliged entities must take risk-based measures to verify beneficial ownership and cannot rely solely on a central register where the obliged entity has reason to suspect the information is incomplete or inaccurate. See our AMLA overview for the full framework.

Operationalising the four methods

The four methods (multi-source cross-check, corporate structure analysis, nominee detection, change-in-control monitoring) only work if they run as part of your standard KYB workflow, not as ad-hoc enhanced due diligence reserved for cases that already looked suspicious.

The operational pattern that scales is:

  • Tiered application. Run all four methods on high-risk and complex structures by default. Run methods 1 and 4 on every corporate customer regardless of risk. Methods 2 and 3 trigger when the structure passes a complexity threshold (number of layers, jurisdictions involved, presence of a known nominee provider).
  • Orchestrated data sources. Route registry queries, corporate structure pulls, nominee-list checks, and adverse media monitoring through a single integration layer rather than maintaining a dozen vendor connections in your KYB workflow. See how the Zenoo KYB orchestration handles this, or how it applies to specific KYB use cases.
  • Evidence capture. Every method output (cross-check report, structure diagram, nominee assessment, monitoring alert history) needs to land in the customer file with a timestamp and source attribution. This is what makes the regulatory answer defensible.

Key takeaways

  • Self-declaration plus a central register check is not UBO verification. Both are populated by the customer and neither provides independent corroboration.
  • Roughly 30% of corporate applications involve patterns (trusts, nominees, layered structures, recent change in control) that defeat the form.
  • Four methods close the gap: multi-source cross-check, corporate structure analysis, nominee detection, and change-in-control monitoring. None of them works in isolation.
  • The defensible regulatory answer has four parts: the declaration, the independent sources, the discrepancies resolved, the ongoing monitoring. If any part is missing, you are exposed.
  • The methods only work when embedded in the standard KYB workflow with orchestrated data sources and complete evidence capture, not when reserved for cases that already looked suspicious.

UBO discovery is the difference between knowing who owns the company and knowing what the customer told you. The gap between those two is where the most material AML risk sits, and it is the gap that regulators are increasingly unwilling to overlook. The customers who will not tell you the truth, deliberately or otherwise, are the customers you most need to find.
