Who Is a UBO? Definition and Requirements

UBO stands for Ultimate Beneficial Owner. 

At its core, a UBO is the real, living human being who ultimately owns or controls a company or legal arrangement even if their name doesn't appear on any official document.

The Financial Action Task Force (FATF), the global standard-setter for anti-money laundering (AML) defines a UBO as "the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement."

A few things stand out in that definition:

A UBO must be a natural person: a human being, not another company. You can't identify a holding company as a UBO. You have to keep going up the ownership chain until you reach an actual individual. If a company owns 60% of your client's business, and that company is owned by a trust, and that trust benefits a specific individual, that individual is the UBO.

Ownership alone isn't enough. Control matters just as much as shares. Someone who holds veto rights, the power to appoint or remove directors, or dominant influence over decision-making can qualify as a UBO even without a large shareholding. This is a detail that trips up many compliance teams.

"Ultimate" is the key word. You're not looking for the first layer of ownership, you're looking for the last one. The person who truly benefits, truly controls, truly calls the shots.

The 25% Threshold and Why It's Changing

For years, the standard benchmark for UBO identification across the EU has been 25% or more of shares, voting rights, or ownership interest. This came from the EU's Fourth Anti-Money Laundering Directive (4AMLD) and was adopted widely.

However, there's an important technical update happening right now that regulated businesses need to be aware of.

Under the EU's Anti-Money Laundering Regulation (AMLR), Regulation (EU) 2024/1624, which was published in the Official Journal on 19 June 2024, the threshold has been lowered from "more than 25%" to "25% or more." This might sound like a trivial tweak, but this could require obligated entities to identify additional UBOs in their existing client portfolios because someone sitting at exactly 25% now qualifies where they previously did not.

Beyond the standard 25% threshold, the European Commission can lower the threshold further to as little as 15% for corporate entities deemed high-risk for money laundering or terrorist financing. This is particularly relevant for sectors or structures that regulators identify as being commonly misused.

The AMLR applies directly across all EU Member States from 10 July 2027, replacing the need for national transposition of the previous directives. The parallel Sixth AML Directive (AMLD6) must be transposed by the same date.

Who Qualifies as a UBO? The Three Tests

In practice, there are three ways someone can qualify as a UBO under the EU framework:

1. The Ownership Test
The individual directly or indirectly holds 25% or more of shares or voting rights in the entity. This is the most commonly used route and the most straightforward to check.

2. The Control Test
Even without meeting the ownership threshold, a person qualifies if they exercise dominant influence through other means, such as veto rights over significant decisions, the contractual right to appoint or remove directors, or control via shareholder agreements.

3. The Fallback: Senior Managing Official
Under AMLR Article requirements, if after exhausting all reasonable identification steps, no natural person can be identified as a UBO through ownership or control, then the senior managing official (such as a CEO or Managing Director) must be identified and verified instead. Crucially, this person is not treated as the actual beneficial owner; they are identified as a substitute. The obliged entity must also keep a full written record of all the steps taken and why no UBO was found. Failing to document this process is itself a compliance risk.

Direct vs. Indirect Ownership & Why Corporate Structures Matter

One of the most important and often underestimated parts of UBO identification is working through indirect ownership chains.

Direct ownership is simple: Person A holds 30% of Company X. Person A is a UBO.

Indirect ownership is where it gets complex. Imagine Company Y holds 60% of Company X. Person B owns 55% of Company Y. That means Person B indirectly controls 33% of Company X (55% × 60%), which exceeds the 25% threshold, making Person B a UBO of Company X, even though they have no direct shareholding in it.

Now layer in trusts, foundations, nominee structures, and cross-border ownership, which is the norm rather than the exception in complex regulated industries, and the challenge becomes significant.

This complexity is precisely why regulators require obliged entities to "look through" corporate structures, rather than stopping at the first legal owner they find.

UBO Requirements for Obliged Entities in the EU

If your business is an "obliged entity" under EU AML law, you have specific UBO-related duties. Obliged entities include:

• Banks and credit institutions

• Insurance companies

• Investment firms

• Crypto-asset service providers (VASPs)

• Auditors, accountants, and tax advisors

• Notaries and lawyers involved in financial or real estate transactions

• Real estate agents

• Trust and company service providers

• High-value goods dealers (luxury vehicles over €250,000, jewellery over €10,000, yachts over €7.5 million, etc.)

• Art dealers and auction houses (transactions of €10,000+)

• From 2029: professional football clubs and agents (newly added under AMLR)

For all of these, the core UBO requirements are:

Identify UBOs before or at the start of a business relationship. You must collect enough information to understand who ultimately owns and controls your client entity. Relying solely on what the client tells you is not sufficient, you must use independent and reliable sources, such as central beneficial ownership registers, shareholder documents, corporate registries, and where needed, multiple corroborating data points.

Verify the information. Identification is not enough. You must verify the UBO's identity using reliable documentary or data evidence.

Keep records up to date. UBO information must be monitored and refreshed throughout the business relationship. If ownership or control changes, your records must reflect this. In the Netherlands, for example, changes must be registered with the Chamber of Commerce within 7 days.

Register UBOs in national registers. Every EU member state has a UBO register, and most legal entities are required to file. Corporate entities, trusts, foundations, and other legal arrangements have reporting obligations, the specifics vary by jurisdiction and legal form.

The EU's New AML Package & What's Actually Changing

The EU's AML landscape has undergone its most significant overhaul in a generation. Here's the current picture:

• AMLR (Regulation EU 2024/1624): The "Single Rulebook." Directly applicable across all EU Member States from 10 July 2027. Harmonises and strengthens UBO identification, customer due diligence, record-keeping, and reporting obligations.

• AMLD6 (Directive EU 2024/1640): Governs the institutional AML framework, including national UBO registers. Must be transposed by 10 July 2027. Significantly expands and interconnects central beneficial ownership registers.

• AMLA (Regulation EU 2024/1620): Establishes the European Anti-Money Laundering Authority, now operational from 1 July 2025, headquartered in Frankfurt. AMLA will directly supervise 40 of the highest-risk financial institutions across the EU from January 2028.

Practically speaking, the new package means:

• More UBOs to identify. The lowered threshold (from >25% to ≥25%) means more individuals may qualify.

• Non-EU entities are now in scope. For the first time, non-EU legal entities with links to the EU must disclose their UBOs under Article 67 of the AMLR.

• Higher penalties. Maximum sanctions for serious, repeated, or systematic breaches have been doubled, from €5 million or 5% of annual turnover to €10 million or 10% of annual turnover under AMLD6.

• Interconnected registers. National UBO registers across the EU must be interconnected via a central European platform, making cross-border beneficial ownership information more accessible.

What Happens When You Get UBO Wrong

The consequences of UBO failures are not theoretical. They are financial, reputational, and increasingly criminal.

Danske Bank was fined €2 billion after AML failures, and its share price dropped 50%, with 28,000 customers walking away. More recently, Starling Bank and Monzo were both fined by the UK's Financial Conduct Authority in 2024 and 2025 for weak AML controls that allowed high-risk customers to be onboarded. These cases matter for EU regulated entities because they illustrate a global trend: regulators no longer require proven money laundering to impose serious penalties. Weak systems alone are now sufficient grounds for enforcement action.

A PwC survey found that 30% of respondents in financial services identified beneficial ownership information as the single most critical component of their customer due diligence process. If your UBO verification process is fragile, your entire KYC and risk-scoring framework is built on uncertain ground.

Failure to identify UBOs can also mean:

• Inadvertently onboarding sanctioned individuals

• Onboarding politically exposed persons (PEPs) without enhanced due diligence

• Missing entire clusters of connected risk within complex ownership structures

• Being unable to demonstrate compliance during a regulatory audit or examination

Practical Steps for UBO Compliance

For compliance and legal teams in regulated businesses, here's what a robust UBO process looks like:

1. Map the full ownership structure: don't stop at the first legal entity. Follow every chain of ownership and control to its natural-person endpoint.

2. Apply both the ownership test and the control test: shareholding percentage alone is not sufficient.

3. Use multiple, independent data sources: central registers, shareholder documents, corporate registries, and other reliable records. FATF's 2023 guidance specifically recommends a multi-source approach.

4. Document everything: especially when a UBO cannot be identified. Your documented process is your audit trail.

5. Monitor and refresh: UBO information must be kept current. Set triggers for periodic review and for events that might change ownership (mergers, share transfers, director changes).

6. Train your teams: technical knowledge of UBO rules needs to reach the people actually conducting due diligence, not just the compliance officer.

About SpeedyDD

At SpeedyDD, our mission is simple: to make compliance manageable for complex and regulated businesses.

We understand that staying audit-ready is one of the biggest operational challenges in regulated industries, especially when your client base involves multi-layered corporate structures, cross-border ownership, and evolving regulatory requirements like the EU's incoming AMLR. SpeedyDD is built to support obligated entities in maintaining robust, documented, and defensible due diligence processes, so that when a regulator or auditor comes knocking, you're ready.

Frequently Asked Questions (FAQs)

What does UBO stand for?
UBO stands for Ultimate Beneficial Owner. It refers to the natural person who ultimately owns or controls a legal entity, directly or indirectly, regardless of what is shown on official legal documents.

What is the UBO threshold in the EU?
Under the current EU framework (4AMLD/5AMLD), the threshold is more than 25% of shares or voting rights. Under the incoming AMLR (Regulation EU 2024/1624), this changes to 25% or more, a small but practically significant difference. For high-risk sectors, the European Commission can lower the threshold to as little as 15%.

Can a company be a UBO?
No. A UBO must always be a natural person, a human being. If ownership traces back to a corporate entity, you must look through that entity to find the individual behind it.

What if no UBO can be identified?
Under AMLR requirements, if no UBO can be found after applying both the ownership and control tests, the senior managing official of the entity must be identified and verified instead. The obliged entity must also document all steps taken and the reasons why no UBO was found.

Who must comply with UBO requirements in the EU?
All "obliged entities" under EU AML law, including banks, insurers, investment firms, crypto-asset service providers, lawyers, notaries, accountants, real estate agents, trust and company service providers, and high-value goods dealers, among others.

Do UBOs have to be registered publicly?
In most EU member states, companies must register their UBOs in a central national register. Access rules vary; some registers are publicly accessible, others restrict access to parties with a demonstrable legitimate interest, following a 2022 ruling from the Court of Justice of the European Union on privacy grounds.

What is the difference between a UBO and a legal owner?
A legal owner is the person or entity whose name appears on formal ownership records. A UBO is the natural person who actually benefits from or controls those assets. In many cases, especially in complex structures, these are different people.

What is the difference between a UBO and a PSC (Person with Significant Control)?
PSC is the UK-specific equivalent of UBO, introduced under the Companies Act 2006. In the EU context, UBO is the standard term. Both refer to individuals who exercise significant control or ownership, the underlying concept is essentially the same, though exact thresholds and definitions differ slightly by jurisdiction.

When does the new EU AML Regulation (AMLR) apply?
The AMLR (Regulation EU 2024/1624) applies directly across all EU Member States from 10 July 2027. The AMLD6 must also be transposed by the same date. AMLA became operational from 1 July 2025.

Can a UBO be based outside the EU?
Yes. If a foreign national owns or controls an EU-based legal entity, they must still be identified and registered as a UBO. Nationality and residence are irrelevant, what matters is the ownership or control of an EU entity. Under the new AMLR, non-EU entities with links to the EU are also brought into scope for the first time.

What records must be kept for UBO compliance?
Obliged entities must keep records of all UBO identification and verification steps taken, the sources used, the documents reviewed, and if no UBO was found, the reasons why. These records must be available to regulators and auditors on request, and must be kept up to date throughout the business relationship.

What are the penalties for UBO non-compliance in the EU?
Under AMLD6, maximum penalties for serious, repeated, or systematic AML breaches, including UBO failures, are up to €10 million or 10% of total annual turnover, whichever is higher. Individual member states may also impose criminal penalties.

This article is written for informational purposes and reflects the regulatory framework as of February 2026. It does not constitute legal advice.