Beneficial Ownership Verification: What UBO Means for B2B Payments in 2026

UBO verification and bank account verification are two halves of the same fraud control. Bank verification confirms a specific account belongs to the entity that's claiming it. UBO verification confirms the entity itself is real and who actually owns it. Neither alone is sufficient: a perfectly verified bank account can still belong to a shell company, and a clean UBO check on a legitimate entity doesn't stop someone redirecting payments to an unverified account. The 2025 regulatory shifts make the layered model more important, not less — here's how to operationalise both in a B2B payment workflow.

For most of the past decade, B2B payment teams treated bank account verification and ownership verification as two separate compliance problems. Bank verification was the AP team's concern — does the IBAN match the supplier name, does the account exist, does it pass VoP or CoP. UBO verification was the compliance team's concern — is the supplier registered, who owns it, are any beneficial owners sanctioned. The two workflows ran in parallel, with different tools, different vendors, and different audit trails.

That separation no longer works. The fraud variants that defeat one layer routinely pass the other. A vendor with an inbox-compromise attack will have a perfectly verified bank account at the bank level but a beneficial owner who doesn't exist at the entity level. A shell company set up for invoice fraud has clean UBO documentation from a complicit director, but the bank account doesn't match the entity name when properly verified. The 2025 FinCEN reversal — which removed BOI reporting requirements for all U.S.-formed companies — made the gap wider by removing one of the two data sources B2B teams had been relying on. The EU went the opposite direction, tightening UBO verification standards under the new AML Regulation, but the principle holds: both layers have to work together, in any jurisdiction.

This article explains how UBO verification and bank account verification combine into a single fraud control in 2026 — what changed in the U.S., what changed in the EU, where the data comes from, and how to operationalise both layers in a B2B payment workflow. The framing throughout is operational: not the regulatory theory of UBO, but the workflow that survives an examiner, an auditor, or a sophisticated VEC attack.

  • 200+ government registries: primary UBO data source
  • 600M+ companies indexed: across all jurisdictions
  • 378M+ corporate linkages: parent / subsidiary chains
  • 49+ countries bank coverage: VoP, CoP, ACH, NPCI and more

What "beneficial owner" actually means

Beneficial owner — also called Ultimate Beneficial Owner or UBO — is the natural person who ultimately owns or controls a legal entity, directly or indirectly. The point of the concept is to look through layers of corporate structures, nominee shareholders, trusts, and other arrangements to identify the real human being benefiting from the entity's activities.

The standard threshold across most regulatory regimes is 25% ownership or control, though it varies in detail:

  • FATF recommends the 25% threshold as the international standard, applied via direct ownership, indirect ownership through chains of entities, or control by other means (voting rights, board control, contractual arrangements).
  • U.S. (FinCEN definition, still on the books) — a beneficial owner is any individual who, directly or indirectly, exercises substantial control over a reporting company OR owns or controls at least 25% of its ownership interests. Note: the definition hasn't changed; what changed is which companies have to report it.
  • EU AMLR (Regulation 2024/1624) — also 25% ownership threshold, though the European Commission may lower it for high-risk sectors. The EU regulation harmonises this across all 27 Member States from July 10, 2027.
  • UK — uses "Person with Significant Control" (PSC), with 25% as the headline threshold, plus control-via-other-means tests.

For B2B payments, the operational distinction that matters most is between direct ownership (a person who personally holds shares) and indirect or control-based ownership (a person controlling the entity through a holding company, voting agreement, or contractual arrangement). Most fraudsters who use shell companies design ownership structures to obscure the second category. UBO verification that only checks direct shareholders misses the people the regulation was written to surface.
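The look-through described above, as an added example (not code from MonitorPay or any regulator): it multiplies holdings along each chain, sums across chains, and compares each natural person against the 25% threshold. The multiply-and-sum convention, all names and the holdings are assumptions constructed for illustration; control by other means (voting agreements, contracts) is not modelled.

```python
"""Added example: look-through ownership calculation on a constructed structure."""
from collections import defaultdict
from fractions import Fraction

THRESHOLD = Fraction(25, 100)  # the 25% threshold cited in the article

# Constructed sample: (owner, owned entity, fraction of ownership interests held).
HOLDINGS = [
    ("Holding A Ltd", "Vendor Ltd", Fraction("0.60")),
    ("Holding B SA", "Vendor Ltd", Fraction("0.30")),
    ("J. Direct", "Vendor Ltd", Fraction("0.10")),
    ("Offshore C Inc", "Holding A Ltd", Fraction("1.00")),
    ("P. Hidden", "Offshore C Inc", Fraction("0.50")),
    ("Q. Partner", "Offshore C Inc", Fraction("0.50")),
    ("P. Hidden", "Holding B SA", Fraction("0.40")),
    ("R. Minor", "Holding B SA", Fraction("0.60")),
]
# Constructed: which names are natural persons (everything else is a legal entity).
PERSONS = {"J. Direct", "P. Hidden", "Q. Partner", "R. Minor"}


def look_through(target, holdings, persons):
    """Return (person -> effective share, unresolved entity -> share, cycle entities)."""
    owners_of = defaultdict(list)
    for owner, owned, fraction in holdings:
        owners_of[owned].append((owner, fraction))

    totals = defaultdict(Fraction)      # effective share per natural person
    unresolved = defaultdict(Fraction)  # share that ends at an entity with no known owners
    cycles = set()                      # entities reached again on the same chain

    def walk(entity, weight, path):
        for owner, fraction in owners_of.get(entity, []):
            share = weight * fraction
            if owner in persons:
                totals[owner] += share
            elif owner in path:
                # Circular cross-holding: stop here and leave it for manual review.
                cycles.add(owner)
            elif owner not in owners_of:
                # The data does not go deeper: this share stays opaque.
                unresolved[owner] += share
            else:
                walk(owner, share, path | {owner})

    walk(target, Fraction(1), frozenset({target}))
    return dict(totals), dict(unresolved), cycles


def beneficial_owners(target, holdings, persons, threshold=THRESHOLD):
    """Natural persons whose direct plus indirect share meets the threshold."""
    totals, _, _ = look_through(target, holdings, persons)
    return sorted(p for p, share in totals.items() if share >= threshold)


def direct_only(target, holdings, persons, threshold=THRESHOLD):
    """What a check limited to direct shareholders would report."""
    return sorted(
        owner for owner, owned, fraction in holdings
        if owned == target and owner in persons and fraction >= threshold
    )


if __name__ == "__main__":
    totals, unresolved, cycles = look_through("Vendor Ltd", HOLDINGS, PERSONS)
    for person, share in sorted(totals.items()):
        print(f"{person}: {float(share):.0%}")
    print("direct-only check:", direct_only("Vendor Ltd", HOLDINGS, PERSONS))
    print("look-through check:", beneficial_owners("Vendor Ltd", HOLDINGS, PERSONS))
    print("unresolved:", unresolved, "cycles:", cycles)
```

Any non-empty `unresolved` or `cycles` result means the computed shares are a lower bound, so the structure goes to manual review rather than being cleared.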

What changed in the U.S. — the FinCEN reversal

The Corporate Transparency Act, enacted in 2021 and effective January 1, 2024, required most U.S. entities and foreign entities registered to do business in the U.S. to file Beneficial Ownership Information reports with FinCEN. Penalties for non-compliance were severe — civil penalties up to $591 per day, plus potential criminal liability.

The reversal happened in stages. On December 3, 2024, the U.S. District Court for the Eastern District of Texas, in Texas Top Cop Shop, Inc. v. McHenry, issued a nationwide preliminary injunction halting CTA enforcement. The case bounced between courts. By February 18, 2025, reporting requirements were briefly reinstated.

Then, on March 21, 2025 — consistent with a Treasury Department announcement on March 2 — FinCEN issued an interim final rule that fundamentally rewrote the scope of the CTA. The rule:

  • Removed BOI reporting requirements for all U.S.-formed entities ("domestic reporting companies" as previously defined).
  • Exempted U.S. persons from being identified as beneficial owners in any reports filed by foreign entities.
  • Narrowed the "reporting company" definition to only foreign entities registered to do business in U.S. states or tribal jurisdictions.
  • Set new deadlines for foreign reporting companies — most required to file by April 25, 2025; new registrants get 30 days from their effective registration date.

The practical effect: FinCEN's BOI database, which was designed to be the authoritative source for ownership data on roughly 32 million U.S. companies, is now operationally relevant only for foreign-registered entities — a small fraction of that volume. The vast majority of U.S. companies a B2B buyer might pay are no longer required to file BOI at all. If you want ownership data on a U.S. counterparty, FinCEN's database isn't where you'll find it.

Two further notes for operational accuracy. First, the definition of "beneficial owner" itself has not changed — only the reporting obligation. The concept still applies in customer due diligence rules (FinCEN's 2016 CDD Rule), in state-level requirements, and in U.S. obligations to foreign jurisdictions. Second, FinCEN signalled in the interim final rule that it intends to issue a finalised rule "this year" (i.e., during 2025), and in Congressional testimony on September 9, 2025, FinCEN Director Andrea Gacki confirmed that intent. As of early 2026, no final rule has been issued — meaning the interim rule remains in effect, but is subject to further change.

What changed in the EU — AMLR and AMLD6

The EU went in the opposite direction. On May 31, 2024, the European Parliament and Council adopted the new AML Package — three pieces of legislation that together replace the existing AML Directive framework:

  • EU Regulation 2024/1624 (the "AML Regulation" or AMLR) — the directly applicable "Single Rulebook" that harmonises customer due diligence, beneficial ownership transparency, and obligated-entity rules across all 27 Member States. Applies from July 10, 2027.
  • Directive (EU) 2024/1640 (AMLD6) — the 6th Anti-Money Laundering Directive, which sets out granular rules on Member States' beneficial ownership registers and supervisory frameworks. Member States must transpose most provisions by July 10, 2027. Provisions on access to beneficial ownership registers (including for persons with legitimate interest) had to be transposed by July 10, 2025. Further beneficial ownership register provisions must be transposed by July 10, 2026.
  • Regulation (EU) 2024/1620 (AMLAR) — established the new EU Anti-Money Laundering Authority (AMLA), based in Frankfurt, with supervisory authority over high-risk cross-border financial entities.

What AMLR actually changes for beneficial ownership verification:

  • Harmonised UBO definition across all 27 Member States. Previously, transposition variation produced 27 different operational interpretations of "beneficial owner." From July 2027, one definition applies everywhere.
  • Expanded reporting obligations to more entity types — including legal arrangements like trusts, non-EU entities holding EU real estate, and entities with complex ownership structures.
  • Stricter timelines for change reporting — beneficial ownership changes must be reported within 28 calendar days, and the data verification standards have tightened.
  • Public access remains constrained following the November 2022 European Court of Justice ruling in WM and Sovim, but AMLD6 reinstates access for persons with "legitimate interest" — including journalists, civil society, and academics — and creates a presumption of legitimate interest for that category.

The European Commission has been actively enforcing the existing transposition deadlines. In late September 2025, the Commission initiated infringement proceedings against 11 Member States for failing to fully notify their transposition of AMLD6's first set of requirements on access to beneficial ownership information by the July 10, 2025 deadline.

The net direction: while the U.S. removed reporting requirements for most domestic companies, the EU tightened, harmonised, and expanded UBO requirements across the bloc — and added a supranational supervisor to enforce them. For a B2B buyer paying suppliers in both regions, the asymmetry is meaningful.

Who is exempted from what — the 2026 matrix

Reading both regulatory narratives back-to-back creates a common confusion: am I still subject to anything? The answer depends on three variables — your entity's jurisdiction of formation, whether you're paying a domestic or foreign counterparty, and whether you're an "obligated entity" under EU AMLR (most banks, payment institutions, and financial services firms are). The matrix below resolves the most common scenarios.

| Scenario | U.S. FinCEN BOI obligation | EU AMLR UBO verification obligation | Where to source UBO data |
|---|---|---|---|
| U.S. company paying U.S. supplier | None (interim rule exemption) | None — unless you're an EU obligated entity or have EU counterparty | State-level registries, commercial aggregators |
| U.S. company paying EU supplier | None on you; supplier subject to EU rules | Indirect — through your supplier's compliance obligations | EU national registries, commercial aggregators |
| EU company paying U.S. supplier | None — your supplier likely exempt unless foreign-registered | Yes — you must verify supplier UBO under AMLR | State-level registries, commercial aggregators (no FinCEN data) |
| EU obligated entity (bank, PSP) | Limited — only for foreign-registered U.S. counterparties | Full AMLR CDD obligations, including UBO verification | National registries + AMLR-driven verification |
| U.S. financial institution (under FinCEN CDD Rule) | 2016 CDD Rule applies separately — UBO identification still required | Only if EU operations or counterparties | Customer-supplied BOI + registry data |
| Foreign entity registered in U.S. | BOI filing required (30 days from registration) | Depends on home jurisdiction | FinCEN BOI data (restricted access) + home registry |

Two operational takeaways from this matrix. First: U.S. companies don't escape UBO obligations by virtue of FinCEN's interim rule — financial sector obligations under the 2016 CDD Rule are unchanged, and EU counterparties pull you into AMLR's orbit through their compliance obligations. Second: the data source has shifted — from a centralised FinCEN database that was supposed to solve the problem, back to fragmented national registries that have always been the operational source.

Why this matters for B2B payments

| | United States (post March 2025) | European Union (AMLR/AMLD6) |
|---|---|---|
| Direction of change | Deregulated — most companies exempted | Tightened — harmonised and expanded across 27 Member States |
| Who must file UBO data | Only foreign entities registered to do business in the U.S. | All entities meeting AMLR definition of obligated entity, plus expanded categories under AMLD6 |
| Who is exempt | All U.S.-formed entities; all U.S. persons as beneficial owners | Limited exemptions — definition broadened to cover trusts, non-EU entities holding EU real estate, complex structures |
| Where the data lives | FinCEN BOI database (operationally near-empty for domestic entities) | 27 Member State central registers + EU-wide interconnection system |
| Public access | None — database restricted to law enforcement and authorised users | Constrained by 2022 ECJ ruling, but reinstated for "persons with legitimate interest" under AMLD6 |
| Standard ownership threshold | 25% (definition unchanged; only reporting changed) | 25% (with Commission power to lower for high-risk sectors) |
| Reporting timeline for changes | 30 days (foreign entities only) | 28 calendar days under AMLR (Art. 63/64) |
| Status | Interim final rule (pending final rule) | AMLR applies from July 10, 2027; AMLD6 provisions phased through 2025-2027 |
| Verification standard for obligated entities | FinCEN 2016 CDD Rule still applies (separate from BOI reporting) | "Reasonable measures to verify" — higher than screening alone |

The asymmetry is striking. The U.S. reduced its UBO reporting requirements while the EU expanded them. For B2B teams operating in both regions, the practical implication is that EU-side obligations now extend further than U.S.-side obligations through the supply chain. A U.S. company paying a German supplier is subject to German verification expectations via the supplier's compliance with AMLR. A German company paying a U.S. supplier has lost FinCEN as a data source and must rely on state-level filings and commercial registry data instead.

The simplest framing: your verification obligations don't follow your physical location — they follow the regulatory regime of the counterparty and the underlying transaction. A U.S. company paying European suppliers operates under EU AMLR's UBO due diligence rules through those counterparties, regardless of whether the U.S. company files anything with FinCEN. An EU company paying a U.S. supplier still has to verify the supplier's ownership under EU AMLR — and now has less help from FinCEN's BOI database to do it.

Three specific operational consequences of the post-2025 environment:

1. The FinCEN BOI database is not a usable verification source for U.S. counterparties anymore. Even if a foreign entity has filed, the data is non-public and accessible only by law enforcement and authorised financial institutions in narrow contexts. For B2B verification, you need a different source.

2. Sanctions and PEP screening can't substitute for UBO verification. Many compliance teams have historically treated sanctions screening as the primary AML control, with UBO verification deprioritised. Under EU AMLR, that approach is increasingly insufficient — obligated entities must "identify the beneficial owners and take reasonable measures to verify their identity," not just screen them against lists. The verification standard is rising.

3. Shell-company fraud has become harder to detect with deregulated U.S. data. A fraudster who registers a U.S. LLC for a vendor email compromise attack no longer has to disclose ownership to FinCEN. The only way to identify the entity's owners is through state-level registries (which vary wildly in depth) or commercial registry-data providers. For an in-depth look at how shell-company fraud defeats bank-level verification, see our analysis of vendor email compromise.

For B2B payment teams that operate across both regions — which is most enterprise and mid-market AP teams — the practical conclusion is that UBO verification has become more important in the deregulated environment, not less, because the data is harder to source and the failure modes (shell companies, opaque foreign owners, intentionally complex structures) have a wider operational gap to exploit.

Figure 1 · The three-layer verification stack

Three layers. Each catches what the others miss.

  • Layer 1: Entity verification. Confirms the company exists. Checks: registration, VAT/EIN, registered address, status. Catches: fake/dissolved/inactive entities.
  • Layer 2: Bank verification. Confirms the bank account belongs to the entity. Checks: VoP, CoP, ACH validation, NPCI, penny drop. Catches: VEC attacks, account redirection, MITM fraud.
  • Layer 3: UBO verification. Confirms who actually owns the entity. Checks: beneficial owners, corporate group, control chains. Catches: shell-company fraud, sanctioned UBOs, opacity.

What this looks like in practice — two scenarios where one layer alone fails

Two anonymised scenarios, composite from publicly reported B2B fraud incidents, that illustrate why both layers matter — and what happens when either one is missing.

Scenario 1 — Shell company with a verified bank account. A mid-market AP team in Germany onboards a new IT services vendor, "Stellaris Cloud Solutions Ltd," a UK-registered company supplying cloud infrastructure. Standard onboarding: VAT number checked, Companies House registration confirmed, bank account verified via UK CoP. Match. The vendor passes onto the master file; a €240,000 contract is signed. What the bank-level CoP check could not see: Stellaris is a shell company. Its beneficial owner — through three holding entities in two offshore jurisdictions — is the cousin of a fraudster the AP team unknowingly paid €180,000 to two years earlier under a different shell. CoP correctly confirmed the account belongs to "Stellaris Cloud Solutions Ltd." That fact is true. What CoP cannot confirm is who ultimately owns Stellaris. A registry-based UBO check at onboarding would have surfaced the corporate group structure and the connection to the prior fraudster. The contract would not have been signed.

Scenario 2 — Legitimate vendor, hijacked bank details. A different mid-market AP team in France has worked with "Maréchal Industriel SARL" — a real French manufacturer — for four years. UBO data is on file from onboarding; Maréchal's directors and beneficial owners are documented in the French Registre du Commerce. Every quarter, an automated check confirms the registry data hasn't changed. Then on a Wednesday morning, an email arrives at the AP team — from Maréchal's actual address — requesting that the upcoming €82,000 invoice be paid to a new IBAN. The vendor's inbox has been compromised; the "new IBAN" belongs to a fraudster's account in Cyprus, opened in the name "Maréchal Industriel SARL" through identity-theft documentation. A registry-based UBO check would pass cleanly — Maréchal is real, the directors are real, the company is in good standing. What catches the fraud is the bank-account-layer verification: the new IBAN does not pass a VoP check, because the account holder name registered at the receiving bank does not match Maréchal's legal name.

The instructive pattern is that each scenario defeats one layer and is caught only by the other. In Scenario 1, bank verification passed but UBO would have caught the fraud. In Scenario 2, UBO data was clean but bank verification would have caught the fraud. A team running only one layer is exposed to whichever attack variant the other layer would have stopped. A team running both — at onboarding and continuously — closes both gaps.

How UBO and bank account verification work together

The two layers address different parts of the same fraud problem. Putting them side-by-side makes clear why neither alone closes the operational gap.

| | Bank account verification | UBO verification |
|---|---|---|
| What it confirms | The bank account is valid, active, and belongs to the entity claiming it (via VoP, CoP, ACH validation, NPCI, penny drop, or equivalent) | The entity itself is real and registered, and the natural persons behind it are identified |
| What it cannot catch | Shell companies with valid bank accounts. The fraudster's account name might match perfectly — the question is who controls the company. | Account redirection. A legitimate company with clean UBO data can have its bank details intercepted via VEC and replaced with a fraudster's account. |
| Data source | Banking infrastructure (Pay.UK, ECB SEPA scheme, NPCI, Nacha-compliant validation providers, etc.) | Government business registries (200+ countries), sanctions/PEP databases, customer-supplied documentation |
| Regulatory driver | EU Instant Payments Regulation (VoP), UK PSR SD17 (CoP), Nacha 2026 ACH rules, regional equivalents | EU AMLR/AMLD6, FinCEN CDD Rule (2016), local AML/CFT regimes |
| Where it runs in the workflow | At every bank-detail change and pre-payment for high-value transactions | At vendor onboarding and continuously thereafter, with re-checks at material payment events |
| Failure mode if missing | Vendor email compromise attacks succeed — the wrong account receives the payment | Shell-company fraud succeeds — payment goes to a verified account at a fake entity |

The two layers are complementary, not interchangeable. Skipping bank verification while running UBO checks doesn't catch VEC attacks. Skipping UBO checks while running bank verification doesn't catch shell-company fraud. The operational architecture most regulated B2B payment teams now build runs both layers — bank verification at every payment cycle, UBO verification at onboarding and continuously — and treats a failure at either layer as a stop signal for the payment.

Figure 2 · Attack coverage by layer

Each fraud variant is caught by one layer — but not the same one

Columns: Bank account verification · UBO verification

Rows:
  • VEC — vendor inbox compromise: Fraudster hijacks vendor email, requests bank-detail change
  • Shell company fraud: Fake entity with matching bank account, opaque ownership
  • Account redirection / invoice MITM: Genuine vendor invoice intercepted, payment instructions altered
  • Sanctioned UBO via clean entity: Legitimate-looking company, sanctioned individual as beneficial owner
  • Vendor acquired by fraudster post-onboarding: Ownership change + bank-detail change combined attack

Legend: Catches it (this layer detects the attack) · Partial (needs both layers + continuous monitoring) · Misses it (this layer doesn't detect the attack)

This is why MonitorPay was built as a single verification platform spanning both layers. Bank account verification across 49+ countries via direct integrations with Pay.UK, SEPA VoP, Nacha-aligned ACH validation, NPCI, and equivalent rails. UBO verification across 200+ government registries with 600M+ companies in coverage. The same API call can return both — so an AP team's decision tree is one path, not two parallel workflows.

For a deeper comparison of how bank-level verification methods themselves differ by country, see the 7 verification methods compared. For why one-time verification at either layer is insufficient against continuously shifting fraud patterns, see why one-time verification fails.


How MonitorPay helps

Both layers. One API. Every market that matters.

MonitorPay was built around the operational reality that neither bank account verification nor UBO verification alone is sufficient. One API delivers both — bank-level verification across 49+ countries with the right method per market, plus registry-sourced UBO and entity data across 200+ jurisdictions. The same call covers both layers, the same response normalises both outcomes, and the same continuous monitoring watches for changes at either level.

  • Bank account verification in 49+ countries — VoP in the EU, CoP in the UK, ACH validation in the US, NPCI in India, and more
  • Shareholder, UBO, and corporate group data — across 200+ government registries with 600M+ companies and 378M+ corporate linkage records
  • Continuous monitoring at both layers — webhook alerts when bank account status changes OR when UBO/registry data shifts
  • Unified API response — one decision tree for your AP system, regardless of which method ran underneath

Where UBO data actually comes from in 2026

With FinCEN's BOI database operationally unavailable for most U.S. counterparties, and EU public access constrained by the 2022 ECJ ruling, the practical sources of UBO data for B2B verification have shifted. The four sources that matter in 2026:

Figure 3 · Registry coverage by region

Where the data actually comes from in 2026

  • Europe: 31 countries (EU 27 + UK + EFTA). AMLR-aligned · access constrained
  • Americas: 42 countries (North + Latin America). US state-level + LatAm registries
  • Asia-Pacific: 38 countries (India · Singapore · HK · JP · AU · MY · ID +). MCA21 · ACRA · varied UBO depth
  • Middle East: 18 countries (UAE · KSA · Israel · Qatar +). Free-zone + onshore registries
  • Africa: 29 countries (SA · Nigeria · Egypt · Kenya +). FATF-aligned · varying access
  • Global total: 200+ registries · 600M+ companies indexed · 378M+ corporate linkage records

1. National business registries

Most countries maintain public business registries that include directors, officers, and (depending on jurisdiction) shareholders or persons with significant control. Coverage and depth vary widely:

  • UK (Companies House) — strong public access, includes PSC information for most companies.
  • EU Member States — varies. AMLD6 is requiring tighter access rules for "persons with legitimate interest" by July 2026, but national implementation varies. Germany's Transparenzregister, France's INPI, and Italy's Camera di Commercio all maintain UBO data.
  • U.S. — state-level Secretary of State filings provide director/officer data but not ownership. Beneficial ownership data is now generally not available at the federal level under the interim final rule.
  • Asia / LatAm — varies significantly. India's MCA21, Brazil's Receita Federal, Mexico's SAT all provide entity-level data but not always beneficial ownership.

2. Sanctions and PEP databases

OFAC SDN List, EU Consolidated List, UN Sanctions List, and various national PEP databases. These are necessary but not sufficient — they tell you whether a known person is on a watchlist, but they don't help you identify who the beneficial owners of an entity are in the first place. Sanctions screening sits downstream of UBO verification, not in place of it.

3. Commercial registry aggregators

Providers that aggregate data from national registries into unified APIs. This is the layer most B2B verification platforms operate at — including MonitorPay, which sources UBO data from 200+ government registries covering 600M+ companies, with 378M+ corporate linkage records mapping parent-subsidiary relationships. The value proposition is operational: one API call returns harmonised UBO data regardless of which national registry actually holds the underlying record.

4. Self-attestation and supporting documents

Customers fill out UBO declaration forms; vendors submit shareholder schedules; suppliers provide certified ownership documents. This is the layer most B2B onboarding processes use in addition to registry data — it works as a confirmation against registry data, not as a substitute for it. Self-attestation alone fails the "reasonable measures to verify" standard under EU AMLR.

The combination most regulated B2B verification workflows use is registry data as the primary source, sanctions/PEP screening as the secondary check, and self-attestation as the customer-supplied confirmation. Where registries don't go deep enough — typically for entities in jurisdictions without modern beneficial ownership registers — manual review with supporting documents (notarised ownership certificates, audited financials) takes over.

Figure 4 · What UBO data looks like

Sample API response — entity + bank + UBO in one call

GET /v1/verify/full?company=stellaris-cloud-solutions-ltd

    {
      "entity": {
        "name": "Stellaris Cloud Solutions Ltd",
        "status": "active",
        "registry": "Companies House UK"
      },
      "bank_account": {
        "iban": "GB29 NWBK 6016 1331 9268 19",
        "vop_check": "match"
      },
      "beneficial_owners": [{
        "name": "Hidden via offshore holding chain",
        "control": "indirect > 25%"
      }]
    }

Figure annotations: "status": ✓ verified · "vop_check": ✓ owner matches entity · "control": ⚠ review required

For more on how registry-sourced data fits into the broader bank verification toolchain, see the 7 verification methods compared.

The UBO verification workflow that works in 2026

What a working UBO verification workflow looks like for a typical B2B payment operation in 2026 — across onboarding, before-payment checks, and continuous monitoring.

Figure 5 · Workflow at three checkpoints

Both layers run at each checkpoint in the vendor lifecycle

1. Onboarding (first touchpoint)
  • Bank account: Run VoP / CoP / ACH; account matches entity name
  • UBO + registry: Pull beneficial owners; sanctions / PEP screening

2. Pre-payment (high-value transactions)
  • Bank account: Re-verify on changes; catches VEC redirects
  • UBO + registry: Check entity status; re-screen UBOs

3. Continuous (between payments)
  • Bank account: Webhook on changes; account status alerts
  • UBO + registry: Webhook on changes; director / UBO drift

Each stage runs both verification layers — failure at either is a stop signal for the payment

At vendor onboarding

Onboarding is when both layers are cheapest and most informative. The vendor's incentive to provide accurate data is highest (they want to be paid); the verifications can run before any commercial relationship exists; and the audit trail starts at the point of first contact.

  • Run registry verification at the entity level — confirm the vendor exists, is in good standing, and the registration details match the supplied information.
  • Verify the bank account at the bank level — use VoP (EU), CoP (UK), ACH validation (US), NPCI (India), or equivalent rail-appropriate verification to confirm the supplied bank account belongs to the vendor's legal entity name. Mismatches at this layer indicate the bank details either are wrong or belong to a different party.
  • Pull UBO data from registries — identify all natural persons owning ≥25% directly or through control mechanisms. Map the corporate group structure where the vendor isn't an ultimate parent.
  • Cross-check self-attested UBO declarations against registry data — discrepancies between what the vendor declares and what the registry shows are the most common signal of an intentional obfuscation attempt.
  • Sanctions and PEP screening on every identified UBO — including individuals identified through indirect control, not just direct shareholders.
  • Document both verifications with timestamps, source attribution, and result codes — auditors expect this; under EU AMLR the documentation standard is rising, and Nacha 2026 rules require equivalent documentation for ACH originators.

Before each material payment

For high-value payments — typically over a threshold defined by the firm's risk policy — pre-payment verification runs at both layers. The case for each: bank verification catches the VEC and account-redirection variants where bank details have been hijacked since the last payment; UBO verification catches restructurings, acquisitions, and corporate changes since onboarding.

  • Re-verify the bank account — confirm the registered account holder name still matches the vendor's legal entity, especially after any bank-detail change request. This is the single highest-yield control against vendor email compromise.
  • Re-run UBO verification — confirm the registered ownership at the time of payment matches what was verified at onboarding.
  • Check entity status — confirm the vendor is still active in the registry; dissolved or inactive entities trigger an immediate pause.
  • Re-screen UBOs against current sanctions lists — sanctions designations change frequently; a UBO who cleared screening at onboarding may have been designated since.

Continuous monitoring between payments

The case for continuous monitoring applies to both layers. Ownership changes happen between onboarding and the next payment — acquisitions, restructurings, new shareholders, director changes, dissolutions. Bank account changes happen too — vendor inbox compromises, supplier banking-relationship changes, account closures, fraudulent change requests submitted between payment cycles. Continuous monitoring catches both via webhook alerts when registry data or bank account status changes, so the next payment flows through checks that reflect current state rather than stale onboarding data.

See why one-time verification fails for the operational case for continuous monitoring across the full vendor lifecycle, and KYB verification for marketplaces for how UBO verification fits into high-volume onboarding workflows.

Which workflow applies to your situation

The workflow above describes the full pattern. Most teams need a smaller version of it depending on their situation. Use the questions below to identify which subset applies.

  • Q1. Are you an EU-regulated obligated entity (bank, PSP, fintech, payment institution)?
    • Yes → Full AMLR-compliant workflow: onboarding UBO verification, pre-payment checks for high-value transactions, continuous monitoring. Document everything with the rigour AMLA examiners will expect from July 2027.
    • No → Continue to Q2.
  • Q2. Are you a U.S. financial institution subject to the 2016 FinCEN CDD Rule?
    • Yes → CDD-compliant UBO identification at account opening, plus ongoing monitoring. The interim final rule did not change the CDD Rule — only BOI reporting changed.
    • No → Continue to Q3.
  • Q3. Do you pay suppliers in jurisdictions with AMLR-equivalent UBO rules (EU, UK, parts of LatAm/APAC)?
    • Yes → Lighter version of the workflow: registry-based UBO check at onboarding, pre-payment re-verification for high-value transactions, continuous monitoring for material vendors. Your obligations come through your counterparties' compliance expectations.
    • No → Continue to Q4.
  • Q4. Is fraud prevention the primary driver (not regulatory compliance)?
    • Yes → Even with no direct regulatory obligation, registry-based UBO verification at onboarding remains the strongest control against shell-company fraud. Skip the formal AMLR-style audit trail; keep the verification.
    • No → You likely don't need UBO verification at all. Most non-financial, non-EU-exposed B2B operations sit here. But "I don't need to" and "I shouldn't bother" are different — registry-based entity verification (without full UBO depth) is still worthwhile as a fraud control.

The pattern that emerges: most teams need some version of UBO verification, but the depth varies dramatically by regulatory exposure. Full AMLR-compliant workflows are heavy. Fraud-driven workflows can be much lighter. The mistake is assuming "no regulatory obligation" means "no UBO check needed" — for fraud prevention, the answer is almost always to keep the check, even when the regulator isn't watching.


Frequently Asked Questions

Is UBO reporting still required in the United States?

For most U.S. companies, no. The interim final rule FinCEN published on March 26, 2025 exempts all entities formed in the United States from the Beneficial Ownership Information reporting requirement under the Corporate Transparency Act. U.S. persons are also exempt from being identified as beneficial owners in reports filed by foreign entities. The only entities still required to file BOI with FinCEN are foreign entities registered to do business in the United States. The interim final rule remains in effect pending issuance of a final rule, which FinCEN has indicated will follow but has not yet published as of early 2026.

Does the FinCEN reversal mean U.S. companies don't need UBO data anymore?

It means they don't have to file it. Verifying it is a separate question. Financial institutions remain subject to FinCEN's 2016 Customer Due Diligence Rule, which requires identifying beneficial owners as part of CDD obligations. U.S. companies paying European or other foreign suppliers are subject to those counterparties' regulatory regimes — including EU AMLR, which tightens UBO verification rather than relaxing it. And for fraud prevention purposes, UBO data remains the strongest signal for detecting shell-company schemes, even where no regulatory filing is required.

When does the EU AMLR take effect?

The EU AML Regulation (Regulation 2024/1624) applies from July 10, 2027 across all 27 Member States. The 6th AML Directive (Directive 2024/1640) requires national transposition by the same date, with earlier deadlines for specific provisions — including access to beneficial ownership registers (July 10, 2025) and further register requirements (July 10, 2026). The European Commission has already initiated infringement proceedings against 11 Member States for failing to fully transpose the July 2025 access provisions on time.

What's the difference between AMLD6 and the AMLR?

The AMLR is a directly applicable Regulation — it applies uniformly across all 27 Member States without national transposition. AMLD6 is a Directive — it sets out rules that Member States must transpose into national law. The two work together: the AMLR harmonises customer due diligence and beneficial ownership transparency for obligated entities (banks, payment institutions, etc.), while AMLD6 sets the rules for Member States' central beneficial ownership registers and supervisory frameworks. Both were adopted on May 31, 2024.

What is the 25% threshold for beneficial ownership?

It's the standard ownership level above which an individual is considered a beneficial owner of a legal entity under most regulatory regimes — FATF, FinCEN, EU AMLR, and UK PSC rules all use 25% as the headline threshold. The threshold can apply through direct ownership, indirect ownership via chains of entities, or control by other means (voting rights, board control, contractual arrangements). The European Commission may lower the threshold for high-risk sectors under AMLR. The 25% figure is a screening threshold, not a safe harbour — individuals controlling an entity through means other than equity (e.g., shareholder agreements, voting trusts) are also beneficial owners regardless of percentage.

Can I access FinCEN's BOI database for UBO verification?

Generally no. Even when BOI reporting was in force, the database was restricted by statute to a narrow set of authorised users — law enforcement, certain regulators, and financial institutions accessing customer-supplied BOI for CDD purposes with customer consent. The general public, B2B counterparties, and most non-financial businesses cannot query the database. For B2B verification, the operational sources of UBO data are national business registries, commercial registry aggregators, and sanctions/PEP databases — not FinCEN.

How do I verify UBO for a private company with opaque ownership?

Layered verification using multiple sources. Start with the relevant national business registry, which discloses what's mandatorily public. Cross-check against the entity's self-attested declarations (UBO forms, shareholder schedules supplied during onboarding). Run sanctions and PEP screening against every identified owner and director. Where the structure is genuinely opaque — common with trusts, nominee shareholders, and offshore jurisdictions — request supporting documents (certified shareholder registers, audited financials, beneficial ownership declarations notarised by an independent party). For high-risk cases, manual review with KYB analysts is the right call rather than relying on automation alone.

How often does beneficial ownership data change?

More frequently than most onboarding teams assume. M&A activity, internal restructurings, new investors, director appointments and resignations, share transfers, and corporate dissolutions all happen continuously across any meaningful vendor portfolio. Studies of B2B payment fraud indicate that a significant proportion of fraud incidents occur with vendors whose ownership or status changed after the initial onboarding check passed. This is the operational case for continuous monitoring with webhook alerts when registry data changes, rather than relying on point-in-time onboarding verification alone.

Is sanctions screening the same as UBO verification?

No, and conflating them is a common compliance mistake. Sanctions screening checks whether a person or entity appears on a known watchlist. UBO verification identifies who the beneficial owners of an entity are. Sanctions screening is necessary but only useful once the identities are established; if you don't know the beneficial owners, you don't know whom to screen. Under EU AMLR, obligated entities must take "reasonable measures to verify" beneficial ownership — a higher standard than screening alone.

What happens if my counterparty refuses to disclose beneficial owners?

Under EU AMLR and most equivalent regimes, the obligated entity (you, as the payer) must decline to enter into or continue the business relationship if beneficial ownership cannot be verified through reasonable measures. The same standard applies under FinCEN's 2016 CDD Rule for financial institutions. Practically, this means a B2B AP team's verification workflow needs a clear escalation path: if registry data is insufficient and the counterparty won't supply attestations or supporting documents, the payment doesn't proceed. Documenting that decision with timestamps and reasoning is essential for the audit trail.