NorthRow

Hidden UBOs: the AML risk hiding in plain sight
Ultimate Beneficial Ownership (UBO) data gaps, often caused by outdated or fragmented KYB processes, create significant AML risks. Automation and continuous monitoring are essential to maintain visibility and prevent compliance failures.

Ultimate Beneficial Ownership (UBO) data has always been a challenging piece of compliance. If you can’t confidently trace a corporate client’s ownership structure from top to bottom, you’ve got a risk on your hands. And if you’re relying on static records, spreadsheets, or periodic reviews to do it, you’re not alone, but you are exposed to a significant amount of risk. 

Unraveling what can be a complex web of ownership information shows who really controls the entities you’re doing business with. However, some beneficial owners go to great lengths to hide their involvement intentionally, using layers of shell companies, nominee directors, or opaque structures to stay out of sight. This deliberate concealment increases the risk of unknowingly facilitating money laundering, sanctions breaches, or other financial crime.

But when your Know Your Business (KYB) information is out of date, incomplete, or stored across disconnected systems, it creates gaps that no policy or process can cover up. These gaps may go unnoticed during everyday operations, yet they become glaringly apparent when there’s a regulatory enquiry, a sanctions update, or an ownership change that should have triggered a reassessment of risk.

For MLROs and compliance managers, the greatest risk isn’t always what’s visible. It’s what’s missing. Hidden UBOs are, by design, harder to detect, harder to explain, and much harder to defend against once the questions start coming. 

The risk in static KYB files

Many firms have designed KYB workflows around checklists, document requests, and ownership charts that are prepared manually during onboarding. These processes are often well-managed, but they’re fundamentally limited by the tools being used. When UBO data is pulled from Companies House, written into a PDF, and stored in a shared drive, it becomes a snapshot in time, not a source of live insight. 

This creates two major problems. First, the data can change incredibly quickly. If a director resigns, a company is struck off, or a new holding entity is created, those changes won’t be picked up until the next review cycle, if they’re picked up at all. 

Second, the structure can’t be connected easily across systems. If a single beneficial owner appears in multiple entities or controls a network of related companies, those connections are invisible unless someone happens to spot them manually. These gaps are often unintentional, but they carry real consequences. 

This creates a compliance gap that’s difficult to detect. The file may look complete, but the underlying assumptions no longer match reality. And when the business continues to engage with that client based on stale information, the risk becomes a point of regulatory exposure.

🔍 How manual processes can miss ownership changes: an example

You onboard a client with a straightforward UK limited company structure. At the time, the UBO is a local businessman with no red flags. Nine months later, the company quietly transfers 75% ownership to a holding company in Cyprus.

Behind that holding company is a politically exposed person (PEP) – a former finance minister with links to corruption charges in their home country. Because the client is on a 12-month review cycle, the change goes unnoticed.

Where manual processes fall short

Many compliance teams still depend on spreadsheets, document folders, and manual checks to manage UBO records. These systems may be familiar, but they don’t scale well and they don’t provide consistent visibility across your client base. 

When ownership data is stored in multiple places such as PDFs, internal folders, and CRM notes, it’s hard to know which version is correct or whether it reflects recent changes. If a new shareholder appears or a sanctioned individual gains indirect control, that information might sit unnoticed until a formal review uncovers it. 

This is how avoidable problems slip through. A missed connection to a sanctioned entity, a shell company masking illicit flows, or a beneficial owner who should have triggered escalation is more than just an operational oversight. This can quickly become a regulatory liability and one that’s difficult to justify when clearer data and proper tracking could have prevented it.

🕵️‍♂️ How manual checks can miss the risks behind a shell company: an example

You onboard a newly registered UK company claiming to be a business consultancy. It has no physical office, no employees, and minimal financial activity but all documentation appears in order. Manual checks raise no red flags, and the client is approved.

Months later, the company begins moving large volumes of international payments that don’t align with its profile. Because data was stored in different systems and periodic reviews weren’t automated, these red flags were missed. It’s eventually discovered that the company is a shell entity, part of a wider network used to disguise illicit fund flows – activity that could have been flagged earlier with more connected, ongoing monitoring.

How automation closes the gaps

Many compliance leaders think that fixing UBO monitoring means buying an entirely new platform or overhauling processes from the ground up. In reality, most firms already have the right intent but the missing piece is live, connected data.

Automation transforms UBO monitoring by shifting from periodic, manual checks to continuous, real-time updates. Traditional approaches often rely on snapshot data collected during onboarding or annual reviews but ownership structures can change rapidly, and those snapshots quickly become outdated. Automated monitoring systems connect directly to authoritative sources like Companies House and global registries, pulling the latest filings as soon as they’re published.

This constant data feed means your team no longer needs to chase changes or wait for scheduled reviews to discover new risks. When an ownership change occurs, the system flags it immediately, sending alerts to the compliance team. This prompt notification allows you to review and reassess the client’s risk profile quickly, rather than finding out months later during a routine check.

The automation doesn’t stop there. Screening is rerun automatically at intervals you define – daily, weekly, or monthly – on all beneficial owners and associated entities. If any red flags emerge, such as new sanctions listings, PEP status changes, or adverse media, the system triggers a predefined workflow. That might include escalating the case to senior compliance officers, freezing accounts, or initiating enhanced due diligence procedures.

New posts

Sign up to our newsletter

Repost

Categories

Become a compliance hero

Join 55,000 others and learn the secrets to compliance success with our weekly blog posts.

compliance hero