AMLR, BOI, and ECCTA: Ultimate Beneficial Ownership Rebuilt

Every regulated firm onboarding a business runs the same UBO drill to meet AML compliance requirements. Identify each ultimate beneficial owner of the company above 25%. File the UBO data. Refresh annually. Every counterparty runs the same lookup against the same register. The drill feels solved. It isn't.

UBO disclosure leaks personal data into public registers and duplicates UBO lookups across every bank. The failure is architectural: the regime assumes disclosure-into-a-register is the right primitive. AMLR 2024/1624, FinCEN FIN-2026-R001, and ECCTA 2023 each move the architecture — and each leaves material money laundering and fraud risk in the gaps that criminals exploit.

What ultimate beneficial ownership actually means

FATF Recommendation 24 anchors the global beneficial ownership regime. The Financial Action Task Force amendments adopted in March 2022 require every country to prevent misuse of legal persons for money laundering and to ensure accurate beneficial ownership information on each legal entity (1). Every anti money laundering regime that followed — EU, US, UK — anchors on the same ultimate beneficial owner concept and the same 25% trigger. FATF Recommendation 24 defines the test in terms of ultimate effective control: the individual who exercises ultimate effective control over the company is the UBO, regardless of who holds legal title to the shares. UBO identification is the precondition for AML compliance — financial institutions must identify the owner of the business and perform customer checks before opening an account for that company.

The 25% test and how "beneficial owner" differs from "legal owner"

A legal owner holds the share certificate. An ultimate beneficial owner is whoever the share certificate ultimately benefits. Across the three regimes, a UBO is any individual who, by direct or indirect ownership, controls shares above the disclosure threshold, exercises voting rights above the threshold, or otherwise exerts ultimate control over the company. The 25% threshold — codified in EU AMLR Article 52(1), FinCEN's 31 CFR 1010.380, and the UK PSC regime — is the disclosure trigger, not a UBO definition.

The natural-person test under FATF Recommendation 24

R.24 builds on a structural UBO test: every legal entity ultimately resolves to a flesh-and-blood individual. A natural person who owns a 30% holding in a holding company that owns 100% of an operating company is the ultimate beneficial owner of that operating business under indirect-ownership rules (2). FATF expects competent authorities to identify every UBO and run customer-due-diligence checks regardless of how complex the corporate structures are. For trusts and legal arrangements, FATF R.25 distinguishes the ultimate beneficiary — the individual who economically benefits from the asset — from the nominee or legal-title beneficiary. The natural-person test is the load-bearing element; the 25% test is the trigger.

The UK PSC regime and what ECCTA 2023 changed

The UK moved first in Europe with the Companies Act 2006 Part 21A "Persons with Significant Control" regime, in force from 6 April 2016 (7). Every UK company became subject to UBO transparency obligations to identify the natural-person owner who ultimately owns or controls the business. Part 21A defines four conditions for an ultimate beneficial owner of the company: more than 25% of shares; more than 25% of voting rights; the right to appoint or remove a majority of directors; or otherwise exercising significant control. Each registrable controller is filed at Companies House on the company's public register.

Companies Act 2006 Part 21A ��� "significant control" in UK statute

Significant control under UK law extends beyond equity: an individual who can appoint or remove a majority of the board, or controls the company through contractual rights, qualifies as an ultimate beneficial owner regardless of shares held. The four-condition test, as defined in Part 21A, captures the indirect-control patterns FATF flagged: nominee shareholders, agreements vesting control elsewhere, and intermediate holding companies hiding the UBO behind the legal owner of record.

ECCTA 2023 and Companies House identity verification (from 18 November 2025)

The Economic Crime and Corporate Transparency Act 2023 received Royal Assent on 26 October 2023 (8). From 18 November 2025, ECCTA requirements force every PSC, every director, and every member of a UK LLP to verify their identity with Companies House under AML-aligned identity-verification regulations (9). The UK Government's factsheet states the change "will make it much harder to register fictitious beneficial owners" (9). ECCTA layers verification on top of the PSC regime — but each register entry is still consumed many times after one filing, by every bank, broker, and counterparty checking the UBO of a UK business.

How EU AMLR 2024/1624 rebuilt ultimate beneficial ownership disclosure

The EU's Anti-Money Laundering Regulation, Regulation (EU) 2024/1624, applies in all 27 Member States from 10 July 2027 (3). The AMLR rebuilt the UBO architecture in three moves. The threshold became "at least 25% of shares" — capturing exactly 25%, where AMLD5 only captured "above 25%". The Commission can lower it to 15% for high-risk sectors. Register access was redesigned in response to the CJEU's WM/Sovim judgment of November 2022. AMLR also tightens AML obligations on obliged entities: enhanced due diligence on higher-risk business relationships, and an AMLA-coordinated supervisory regime regulators must comply with from 2027 onwards.

Article 52(1) and the 25% threshold inclusive of equal

The shift from "above 25%" to "at least 25%" closes a calibration gap shell-structuring exploited. When the threshold was strictly above 25%, a company's ownership chain could sit at exactly 25% — a single share short of UBO disclosure on the beneficial owner. AMLR Article 52(1) eliminates that arbitrage. Article 52(2) authorises a 15% threshold for high-risk sectors by 10 July 2029. The single AML rulebook the AMLR codifies as binding regulations across 27 Member States is also the single-rulebook problem we diagnosed when the regulation landed.

CJEU WM/Sovim and the tiered-access redesign

The Court of Justice of the European Union ruled in Joined Cases C-37/20 and C-601/20 on 22 November 2022 that "the public's access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data" (11). The Court declared Article 30(5)(c) of Directive (EU) 2015/849 invalid. WM/Sovim drew the line between disclosure and exposure: competent authorities and obliged entities can still access UBO data on each beneficial owner; the public cannot. AMLA's first supervisory output, published 11 May 2026, mapped supervisory fragmentation across the 27 Member States (10).

The FinCEN BOI rule and the February 2026 exceptive-relief order

The Corporate Transparency Act produced 31 CFR 1010.380 — FinCEN's Beneficial Ownership Information rule — effective 1 January 2024 (4). Every domestic and US-registered foreign reporting company filed an initial BOI report by 1 January 2025. The statutory definition mirrors the EU regime: a beneficial owner is any individual who, directly or indirectly, exercises substantial control over the reporting company or owns or controls ≥25 percent of its ownership interests (5). The Financial Crimes Enforcement Network maintains the company-level dataset in a non-public registry — closer to the post-WM/Sovim EU architecture than the UK public register.

31 CFR 1010.380 — the BOI Rule and the substantial-control test

The "substantial control" test catches the same indirect-control patterns FATF R.24 anchors — a senior officer, authority over directors, or any other form of decision-making control. The 25% test runs alongside it; meeting either qualifies an individual as the UBO of the company. Each reporting company files initial reports and updates as ownership and control change. The dataset helps financial institutions identify the beneficial owner of the business, helps them run customer due diligence, and helps complete PEP / politically exposed person checks when opening accounts.

FIN-2026-R001 — why FinCEN told banks to stop verifying BOI per account opening

On 13 February 2026, FinCEN granted exceptive relief to covered financial institutions from the CDD Rule's requirement to identify and verify each beneficial owner of a legal entity customer at every new account opening (6). The order recalibrates CDD Rule requirements to align with the regulations FinCEN now centralises: financial institutions report once and rely on the central dataset for subsequent customer onboarding of a new business. The order acknowledges that asking every bank to perform the same UBO check on the same company is wasteful. We covered the fallout in our analysis of the post-FinCEN KYC provider landscape. Each institution now relies on the central dataset; its accuracy and access controls become the binding risk constraint on every UBO query.

Where the regime fails: shell layering and supervisory fragmentation

The three UBO regimes converge on the same disclosure architecture and inherit the same failures.

Shell-company layering and the indirect-ownership problem

The Pandora Papers identified more than 29,000 ultimate beneficial owners hidden behind chains of shell companies, nominee directors, intermediate holding companies, and trust structures (14). The canonical UBO layering patterns recur:

• Nominee directors holding the board seat for an undisclosed beneficial owner of the business.
• Intermediate holding companies between the operating business and the natural person who owns the chain.
• Trust structures vesting economic benefit in beneficiaries while the legal owner of the company is a corporate trustee.
• Offshore providers in low-transparency jurisdictions where the local register captures less than FATF expects on each UBO.

Anonymous shell companies and complex corporate structures help criminals route funds through compliant-looking entities; the chain obscures the true owner and lets criminals layer transactions across jurisdictions faster than enforcement actions can pursue them. Multi-jurisdiction layering crosses three or more business registers faster than the registers co-ordinate. None defeats the regime's intent. All defeat the regime's mechanism — every register identifies its local slice while the chain moves faster than the registers can.

Register data quality and supervisory fragmentation

Register data quality is uneven. FATF's 7th Enhanced Follow-Up Report flags that US states still allow a legal entity to use a nominee director (13). AMLA's 2025 Roadshow report flagged fragmented supervision across 27 Member States (10). The TD Bank consent order of October 2024 — $3.09 billion across DOJ, Federal Reserve, OCC and FinCEN — sits in the backdrop on the basis that TD Bank "failed to monitor roughly $18.3 trillion in transactions" (15). The architecture (disclose, register, hope the company data is clean) has no structural answer for the money laundering, tax evasion, and fraud risk shell-company chains leave behind. UBO legislation punishes filing failures without fixing the disclosure model itself. Fraud and money-laundering enforcement actions in 2024–2025 surfaced the cost of weak monitoring across the legal-entity perimeter. The same control-plane-versus-checklist problem appears in our analysis of CDD architecture.

A verifier-private attestation regime — what the architecture would look like

The disclosure-into-a-register primitive is wrong. The right primitive is verifier-private UBO attestation — a solution rooted in cryptographic proofs rather than register dumps. It draws on the same know your customer (KYC) discipline financial institutions run for natural persons, applied to the legal-entity perimeter. The attestation is issued once against a verified UBO set; counterparties verify it cryptographically and learn one bit — "no UBO above threshold" or "query the competent authority for identities".

What "verifier-private" means — disclosure to competent authorities, exposure to no-one else

Verifier-private architecture rests on zero-knowledge proofs of a predicate over a verified UBO dataset. The dataset — UBO identities, share percentages, indirect-ownership chain — sits with the competent authority. Each obliged entity receives a cryptographic predicate check rather than the dataset. The competent authority's data sources stay up to date; obliged entities receive up to date information through the attestation rather than maintaining their own copy. This is the architecture WM/Sovim implicitly demanded. It is also the architecture Verifyo runs today for natural-person identity: the receiving platform queries a wallet address and receives a Zero-Knowledge KYC attestation — proof that the person behind the wallet has completed identity, sanctions, PEP, and adverse-media checks — without receiving the underlying documents.

The architectural primitive we run today for natural-person identity

Verifyo's Level 1 Zero-Knowledge KYC architecture operates this primitive today for natural-person identity, not corporate ownership chains. We do not offer KYB or UBO verification today; the point is architectural, not product. The verifier-private primitive we run for natural-person identity is the same primitive a UBO regime could use — a cryptographic proof of a predicate on each UBO, with the receiving business institution learning the answer and nothing else. The same architectural primitive could carry UBO disclosure obligations if regulators and standards bodies were to specify it. Verifier-private attestation lets banks rely on regulatory compliance tools that surface a binary answer to the disclosure question, not the underlying identities.

What changes for the compliance operator

Three changes flow from the diagnostic. The regulatory direction is clear: central reporting, institutional reliance, and tiered access — FIN-2026-R001, WM/Sovim, and AMLR 2024/1624 — are replacing the old pattern of every bank repeating the same UBO lookup. Compliance teams should stop treating UBO as a checkbox; the new requirements ensure central reporting replaces the old per-bank pattern. Verifier-private attestation resolves the disclosure-versus-exposure tension and addresses the money laundering risk shell layering leaves in the chain. Teams that engage early shape the regulatory primitive; those that wait inherit whatever frameworks land — and the compliance cost will rest on them.

Learn how Verifyo's Zero-Knowledge KYC architecture works to ensure verifier-private natural-person identity today at verifyo.com.

Sources

(1) FATF. Guidance on Beneficial Ownership of Legal Persons. 10 March 2023. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Guidance-Beneficial-Ownership-Legal-Persons.html

(2) FATF. Beneficial Ownership (topic page hosting R.24 + Interpretive Note). 2023 onwards. https://www.fatf-gafi.org/en/topics/beneficial-ownership.html

(3) European Parliament and Council. Regulation (EU) 2024/1624 (the Anti-Money Laundering Regulation). 31 May 2024. https://eur-lex.europa.eu/eli/reg/2024/1624/oj/eng

(4) FinCEN. Beneficial Ownership Information Reporting Requirements (final rule). 30 September 2022. https://www.fincen.gov/news/news-releases/fincen-issues-final-rule-beneficial-ownership-reporting-support-law-enforcement

(5) eCFR. 31 CFR 1010.380 — Reports of beneficial ownership information. Current text accessed 18 May 2026. https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1010/subpart-C/section-1010.380

(6) FinCEN. Order Granting Exceptive Relief to Covered Financial Institutions from Certain Beneficial Ownership Identification and Verification Requirements (FIN-2026-R001). 13 February 2026. https://www.fincen.gov/system/files/2026-02/FinCEN-Order-CCDExceptiveRelief.pdf

(7) UK Government. Companies Act 2006, Part 21A — Information about People with Significant Control. 2006 onwards. https://www.legislation.gov.uk/ukpga/2006/46/part/21A

(8) UK Parliament. Economic Crime and Corporate Transparency Act 2023. 26 October 2023. https://www.legislation.gov.uk/ukpga/2023/56

(9) UK Government. Economic Crime and Corporate Transparency Act 2023 factsheets — Beneficial ownership. Updated 1 March 2024. https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-act-2023-factsheets/economic-crime-and-corporate-transparency-act-beneficial-ownership

(10) AMLA. AMLA publishes findings of Chair's 2025 EU-wide Roadshow. 11 May 2026. https://www.amla.europa.eu/amla-publishes-findings-chairs-2025-eu-wide-roadshow_en

(11) Court of Justice of the European Union (Grand Chamber). Judgment in Joined Cases C-37/20 and C-601/20 (WM and Sovim SA v Luxembourg Business Registers). 22 November 2022. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62020CJ0037

(13) FATF. United States: 7th Enhanced Follow-Up Report (re-rating on Recommendation 24). 26 March 2024. https://www.fatf-gafi.org/en/publications/Mutualevaluations/united-states-fur-2024.html

(14) ICIJ. About the Pandora Papers. 3 October 2021 onwards. https://www.icij.org/investigations/pandora-papers/about-pandora-papers-investigation/

(15) FinCEN. TD Bank Consent Order (Number 2024-02). 10 October 2024. https://www.fincen.gov/sites/default/files/enforcement_action/2024-10-10/FinCEN-TD-Bank-Consent-Order-508FINAL.pdf