
Introduction
Beneficial ownership failures remain one of the most cited deficiencies in AML/CFT examinations — and one of the most preventable. Under FATF's Customer Due Diligence (CDD) framework, financial institutions must identify and verify the natural persons who ultimately own or control any legal entity customer. This guide is for compliance officers, BSA officers, MLROs, and fintech/crypto/banking teams operating in FATF member jurisdictions.
The gap between policy and practice is where enforcement happens. A 2026 analysis of FCA AML fines found that 32% involved failures to identify and verify ultimate beneficial owners — most commonly because institutions accepted customer declarations without independent verification.
This guide covers FATF's ownership thresholds, verification standards, how major jurisdictions implement them, and the operational gaps that draw regulatory scrutiny.
TL;DR
- FATF Recommendations 10 and 24 require customer ID, beneficial owner identification, relationship purpose, and ongoing monitoring
- Beneficial ownership typically means any natural person owning or controlling 25% or more, plus anyone exercising ultimate effective control
- Refresh CDD on a risk basis; some jurisdictions also require periodic review regardless of risk level
- Risk-based approach means simplified, standard, or enhanced CDD matched to each customer's risk profile
- The US, UK, EU, and Canada have each translated FATF standards into binding local rules with varying thresholds and scope
What Are FATF's Beneficial Ownership Requirements?
FATF beneficial ownership requirements flow from two distinct Recommendations that work together: Recommendation 10 (Customer Due Diligence) and Recommendation 24 (Transparency and Beneficial Ownership of Legal Persons).
FATF defines a beneficial owner as any natural person who ultimately owns or controls a customer (legal entity), through direct or indirect ownership or control, or on whose behalf a transaction is conducted. This differs from simply identifying the named account holder or authorized signatory.
The Four Core CDD Measures Under Recommendation 10
Financial institutions must implement these measures when establishing business relationships, conducting occasional transactions above designated thresholds, or when ML/TF is suspected:
- Identifying and verifying the customer's identity using reliable, independent documentation
- Identifying the beneficial owner and taking reasonable measures to verify their identity
- Understanding the purpose and intended nature of the business relationship
- Conducting ongoing due diligence on the business relationship and scrutinizing transactions

What Recommendation 24 Adds
Recommendation 24 requires countries to ensure legal persons are transparent about their ultimate ownership, that competent authorities can access accurate and current beneficial ownership information, and that this information can be obtained in a timely manner.
As of March 2024, following the Corporate Transparency Act's enactment, the US was rated "largely compliant" (not fully compliant) with this Recommendation.
FATF Standards vs. Enforceable Domestic Obligations
The US rating illustrates a broader challenge: FATF sets international benchmarks, but each member country enacts its own laws implementing them. The same underlying standard can produce meaningfully different compliance obligations depending on jurisdiction.
Compliance teams must understand both layers:
- US: FinCEN's CDD Rule (31 CFR § 1010.230) governs beneficial ownership for covered financial institutions
- UK: The Money Laundering Regulations 2017 (MLRs 2017) implement the FATF framework under UK law
- EU: The 6th Anti-Money Laundering Directive (6AMLD) sets the standard across member states
What satisfies MLRs 2017 in the UK may not meet FinCEN's CDD Rule in the US — and vice versa.
How the FATF CDD Process Works for Legal Entity Customers
When the customer is a legal entity (corporation, LLC, trust, partnership), CDD becomes structurally more complex. The institution must look through the entity to identify and verify the real human beings in control—this is where FATF's beneficial ownership requirement becomes concrete.
The end-to-end flow includes:
- Collecting identity documents for the entity itself
- Mapping its ownership and control structure
- Identifying all qualifying beneficial owners
- Verifying their identities using independent and reliable documentation
- Documenting the purpose of the relationship
- Establishing ongoing monitoring triggers
FATF uses a 25% ownership threshold as the starting point for the ownership prong, but also requires identifying anyone exercising "substantial control" even if they hold no formal ownership stake. The 2024 FATF Mutual Evaluation Report for India noted that this "control prong" is often under-implemented, with financial institutions overly reliant on ownership percentages and public registries.
Step 1: Identify and Verify the Legal Entity
Collect these details for the entity itself:
- Legal name
- Registration number
- Jurisdiction of incorporation
- Registered address
- Legal form (corporation, LLC, partnership, etc.)
- Governing documents (articles of incorporation, operating agreement)
This verifies the entity's legal existence before any beneficial owner look-through begins.
Step 2: Map the Ownership and Control Structure
Institutions must trace the full ownership chain until they reach the ultimate natural persons. Multi-layered structures require going beyond the first layer of disclosed shareholders—one of the most common gaps cited in regulatory exams.
In practice, mapping the structure means:
- Collecting ownership documentation at each layer (share registers, organizational charts, trust deeds)
- Identifying intermediate holding companies and their jurisdictions
- Continuing the look-through until no further legal entity owners remain
- Flagging structures with nominee shareholders or opaque jurisdictions for enhanced scrutiny
Step 3: Identify and Verify Beneficial Owners
Identify qualifying beneficial owners using both prongs:
| Prong | Who Qualifies |
|---|---|
| Ownership (≥25%) | Any natural person who directly or indirectly holds 25% or more of equity interests |
| Control test | Any individual exercising effective control via management authority, board appointment rights, or operational decision-making — regardless of ownership percentage |
Verify each beneficial owner's identity using government-issued ID, independent database checks, or other reliable means. When no natural person meets the ownership threshold, identify the most senior managing official as a fallback — though per FATF guidance, this fallback does not redefine who qualifies as a beneficial owner.

Step 4: Establish Purpose of Relationship and Ongoing Monitoring
Document the intended nature of the business relationship at onboarding. This baseline profile should capture:
- Expected transaction types and volumes
- Counterparty jurisdictions and payment corridors
- Declared source of funds and source of wealth
- Stated business purpose for the relationship
This documented baseline drives ongoing monitoring. Transactions that fall outside the stated profile — unexpected volumes, new jurisdictions, or unusual counterparties — become the primary triggers for review and SAR consideration.
Applying the Risk-Based Approach: Simplified, Standard, and Enhanced CDD
FATF explicitly requires a risk-based approach to CDD, meaning the depth and frequency of due diligence measures must be proportional to the assessed risk. Institutions are not required to apply the same intensity to every customer, but they must have a defensible methodology for calibrating what level applies and why.
Simplified CDD
Appropriate for lower-risk customers such as:
- Listed public companies
- Government entities
- Regulated financial institutions
When sufficient public information is available, simplified measures may apply. However, "simplified" does not mean "skipped"—core identification requirements still apply.
Enhanced Due Diligence (EDD) Triggers
High-risk factors requiring enhanced measures include:
- Politically Exposed Persons (PEPs): Individuals entrusted with prominent public functions require senior management approval, source of wealth and funds documentation, and enhanced ongoing monitoring
- High-risk jurisdictions: Customers from FATF grey or black list jurisdictions (as of February 2026: DPRK, Iran, Myanmar on the black list; Algeria, Angola, Bulgaria, Kuwait, Vietnam among others on the grey list)
- Complex ownership structures: Opaque or multi-layered legal entity arrangements
- High-risk business types: Cryptocurrency exchanges, money service businesses, high-cash businesses

EDD Operational Implications
Once a trigger condition applies, the operational requirements shift materially. For beneficial ownership specifically, EDD requires:
- Senior management approval for onboarding
- Source of wealth and source of funds documentation
- Enhanced frequency of ongoing monitoring
- Documented escalation protocols
Many fintech and crypto firms get examined because their EDD frameworks for high-risk customers lack documented escalation steps. For firms without in-house expertise to build and calibrate these frameworks, Fraxtional's fractional BSA Officers and CCOs build risk-based CDD programs that align with FATF expectations and the requirements of your specific regulator or sponsor bank.
Jurisdiction-Specific Implementation Across Key Markets
United States
The FinCEN CDD Rule (31 CFR § 1010.230) requires covered financial institutions to identify:
- Ownership prong: Each individual who directly or indirectly owns 25% or more of equity interests
- Control prong: A single individual with significant responsibility to control, manage, or direct the legal entity (e.g., CEO, CFO, Managing Member)
Covered financial institutions include banks, brokers or dealers in securities, mutual funds, and futures commission merchants or introducing brokers in commodities.
The Corporate Transparency Act (CTA) added a separate federal registry requirement for reporting companies to file beneficial ownership information (BOI) with FinCEN directly. However, a March 26, 2025 FinCEN Interim Final Rule removed BOI reporting requirements for US domestic companies, limiting reporting to specific foreign entities registered to do business in the US.
FATF Critique: The 2024 FATF Follow-Up Report identified a minor deficiency because the CDD Rule only requires risk-based updates, whereas FATF prefers both periodic and risk-based refresh requirements.
United Kingdom and European Union
United Kingdom: The Money Laundering Regulations 2017 (MLRs) define beneficial owner for a body corporate as any individual who ultimately owns or controls more than 25% of shares or voting rights, or exercises ultimate control over management. Relevant persons cannot rely solely on information delivered to the registrar (Companies House) — independent verification is required.
Under the Economic Crime and Corporate Transparency Act 2023, mandatory identity verification for all directors and Persons with Significant Control (PSCs) for new incorporations commences in Autumn 2025.
European Union: The EU is transitioning to a single AML Rulebook. The AML Regulation (Regulation (EU) 2024/1624) applies from July 10, 2027, setting the ownership threshold at 25% and requiring:
- Legal entities to report BO information to the central register within 28 calendar days of creation or any change
- Annual verification of the information
- 5-year record retention
Following a 2022 CJEU ruling that general public access to UBO registers is invalid as it constitutes serious interference with privacy rights, 6AMLD restricts access to competent authorities, obliged entities, and those with a "legitimate interest."
Canada
FINTRAC's PCMLTFA regulations require reporting entities to identify beneficial owners of corporations, trusts, and other entities, typically applying a 25% threshold similar to FATF.
For trusts, beneficial owners include the trustees, known beneficiaries, and settlors. Reporting entities must take reasonable measures to confirm accuracy, using source documents such as:
- Minute books and shareholder registers
- Trust deeds
- Records of measures taken when no individual meets the 25% threshold
All records must be kept for at least 5 years.
Canada was rated Partially Compliant for Recommendation 24 in its 2021 FATF Follow-Up Report.
Common Compliance Gaps and Misconceptions in Beneficial Ownership CDD
Misconception: Beneficial Ownership Verification Is a One-Time Task
FATF requires ongoing due diligence, meaning institutions must update beneficial ownership information when material changes occur and, in many jurisdictions, on a periodic risk-based schedule. The US CDD Rule's "risk-based refresh" standard was specifically flagged by FATF as a partial deficiency compared to its preference for both risk-based and periodic updates.
Over-Relying on Customer Self-Certification
Many institutions accept beneficial ownership declarations from the entity without independently corroborating them against corporate registry data, commercial databases, adverse media, or other independent sources. FATF expects "reasonable measures to verify" rather than mere collection of a signed form.
Recent enforcement actions illustrate the consequences. A 2025 FCA Final Notice against Nationwide Building Society cited failure to calibrate CDD measures properly — "sufficient data on businesses and their beneficial owners was not captured to enable proper risk assessment."
FINTRAC's 2025 penalty against Canaccord Genuity Corp. made a parallel finding: "failure to consistently apply enhanced due diligence measures, including a lack of updates with respect to beneficial ownership information for high-risk clients."
Structural Complexity Problem
This verification gap becomes acute when ownership structures are complex. Compliance teams often stop the look-through at the first corporate layer, missing the ultimate natural persons FATF actually requires firms to identify. The goal is to reach the humans who exercise control — not the last identifiable legal vehicle.
Common scenarios where look-through fails:
- Multi-tiered holding companies where intermediate entities obscure the final owner
- Control by other means — voting agreements, powers of attorney, or contractual arrangements not reflected in share registers
- Over-reliance on public registries without cross-checking against commercial databases or adverse media

The India MER noted that financial institutions struggle to identify beneficial owners in cases of "control by other means" or complex corporate structures, often relying exclusively on public registries.
Conclusion
FATF's beneficial ownership requirements under CDD are designed to ensure financial institutions cannot be exploited by customers who use legal entity structures to obscure true ownership. Implementing these requirements requires understanding both the FATF source standards and the specific domestic rules that apply in each jurisdiction—whether FinCEN's CDD Rule in the US, MLRs 2017 in the UK, the new AML Regulation in the EU, or FINTRAC's PCMLTFA requirements in Canada.
Effective compliance goes beyond checklist completion. The risk-based approach demands defensible judgment calls about when to escalate, how to verify, and how often to refresh.
For fintech, crypto, and banking companies navigating these requirements, that judgment needs to be embedded in the program from day one. Fraxtional provides fractional compliance leadership — CCO, BSA Officer, MLRO, and CAMLO roles — giving firms direct access to director-level expertise without the cost or commitment of a full-time hire.
Frequently Asked Questions
What is FATF Recommendation 10 on customer due diligence?
Recommendation 10 sets out the four core CDD obligations: customer identification and verification, beneficial owner identification and verification, understanding the business relationship, and ongoing monitoring. It applies to financial institutions when establishing business relationships, conducting occasional transactions above designated thresholds, or when money laundering or terrorist financing is suspected.
What is the FATF beneficial ownership recommendation?
Recommendation 24 requires countries to ensure legal persons are transparent about their beneficial ownership and that competent authorities can access accurate, current beneficial ownership information. It complements Recommendation 10 by setting country-level obligations that back the institution-level verification requirements.
What is beneficial ownership in due diligence?
Beneficial ownership in CDD refers to the identification and verification of the natural persons who ultimately own or control a legal entity customer. This typically includes anyone holding 25% or more of ownership interest, and anyone exercising effective control regardless of ownership stake.
What is the ownership threshold for beneficial ownership under FATF?
FATF guidance uses 25% as an indicative ownership threshold but explicitly requires institutions to also apply a control test to identify individuals with significant control who may hold no formal ownership. Jurisdictions may set their own thresholds in implementing legislation.
What is the difference between simplified and enhanced due diligence under FATF?
Simplified CDD applies where the money laundering/terrorist financing risk is lower, such as for listed public companies or regulated entities, while enhanced due diligence is required for higher-risk situations such as PEPs, customers from high-risk jurisdictions, or complex ownership structures. Both are calibrated through the institution's risk-based approach.
How often must beneficial ownership information be updated under FATF?
FATF requires ongoing due diligence, meaning institutions must update beneficial ownership information when they become aware of changes and on a risk-based basis. FATF's preference is for both risk-based and periodic refresh — some jurisdictions, including under the US CDD Rule, only mandate risk-triggered updates.


