TL;DR
- The Corporate Transparency Act (CTA) took effect in January 2024, and requires companies doing business in the United States to report information about the individuals who ultimately own or control them.
- FinCEN’s implementing rule defined “beneficial owner” as an individual who, either directly or indirectly, exercises “substantial control” over the reporting company; or owns or controls at least 25% of the reporting company’s ownership interests.
- Organizations must further solicit and verify UBO information in compliance with trade and economic sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), which maintains and enforces a directory of restricted parties.
- Integrating UBO controls into third-party onboarding practices and determining the UBOs of third parties is a critical element of a mature third-party risk management (TPRM) program. Organizations should partner with an established and reputable vendor in the compliance solutions space – one with expertise grounded in the day-to-day operational needs of the compliance, risk, and legal functions.
Updated Ultimate Beneficial Ownership (UBO) requirements
In January 2024, the Corporate Transparency Act (CTA) took effect, requiring companies doing business in the United States to report information about the individuals who ultimately own or control them. While the scope of ultimate beneficial ownership (UBO) disclosure requirements continues to evolve, the U.S. government’s broader enforcement approach to curb financial crimes and sanctions evasion remains.
UBO reporting requirements aside, having in place a mature anti-money laundering/countering the financing of terrorism (AML/CFT) compliance program just makes good business sense. From a legal and compliance standpoint, being able to identify the UBOs behind a complex web of corporate ownership, including third parties’ UBOs, not only helps tackle illicit finance, but also prevents the alternative – potentially significant administrative or criminal sanctions, reputational damage, and loss of business.
The regulatory landscape of UBO reporting requirements
In September 2022, the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final “ Beneficial Ownership Information Reporting Rule,” implementing the CTA. The rule required corporations and limited liability companies (LLCs) to file a report with FinCEN disclosing their beneficial ownership information (BOI). Before then, a company could be formed without having to publicly disclose its owners.
FinCEN’s implementing rule defined “beneficial owner” as an individual who, either directly or indirectly, exercises “substantial control” over the reporting company; or owns or controls at least 25% of the reporting company’s ownership interests.
The rule established that an individual exercises “substantial control” over a reporting company if that individual falls into any one of the following four categories:
- The individual is a senior officer (president, chief financial officer, general counsel, chief executive officer, chief operating officer, or any other officer who performs a similar function)
- The individual has authority to appoint or remove certain officers or a majority of directors of the reporting company
- The individual is an important decision-maker for the reporting company, including decisions about the reporting company’s business, finances and structure
- The individual has “any other form of substantial control over the reporting company,” as defined in FinCEN’s Small Entity Compliance Guide
Under the CTA, FinCEN has authority to allow access to UBO information to various types of agencies, including certain foreign, federal, state, local, and tribal law enforcement agencies; and regulatory agencies that supervise or assess financial institutions with access to BOI to supervise their compliance with customer due diligence (CDD) requirements. Effectively, this created greater transparency into the UBO information of companies.
Recent amendments to BOI reporting requirements
In February 2026, FinCEN issued an order granting exceptive relief to covered financial institutions from certain requirements under FinCEN’s “ CDD Requirements for Financial Institutions,” a rule that was introduced a decade ago and took effect in 2018.
Under the FinCEN order, covered financial institutions now have the option to limit the identification and verification of beneficial owners of legal entity customers to the following circumstances:
- When a legal entity customer first opens an account with the institution
- When the financial institution has knowledge of facts that reasonably call into question the reliability of previously obtained BOI
- As otherwise required, based on the financial institution’s risk-based procedures for ongoing CDD
Importantly, however, covered financial institutions must still ensure compliance with all other applicable AML/CFT requirements in compliance with the Bank Secrecy Act (BSA), “including the obligation to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information,” FinCEN stated.
Additional exemptions for domestic U.S. companies and U.S. persons
In March 2025, FinCEN published a revised interim final rule that exempts domestic U.S. companies and U.S. persons from having to meet the BOI reporting requirements. The rule establishes that all companies created in the United States, including those previously known as “domestic reporting companies,” and their beneficial owners, are exempt from the BOI reporting requirements.
The definition of “reporting company” has also been revised to now mean only entities formed under the law of a foreign country that have registered to do business in any U.S. State or tribal jurisdiction by the filing of a document with a secretary of state or similar office (formerly known as “foreign reporting companies”).
Additionally, the interim final rule establishes that reporting companies do not need to report the BOI of any U.S. persons, and U.S. persons are exempt from having to provide BOI for any reporting company for which they are a beneficial owner.
“This relief supports a more efficient, risk-based approach to customer due diligence and reduces unnecessary regulatory burden without weakening the foundational requirements that protect the U.S. financial system.”
Andrea Gacki
FinCEN Director
OFAC 50 Percent Rule
Organizations must further solicit and verify UBO information in compliance with trade and economic sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), which maintains and enforces a directory of restricted parties. Such lists include the Specially Designated Nationals and Blocked Persons List (SDN List), as well as other sanctions lists implemented under various executive orders and statutory authorities.
Under the OFAC 50 Percent Rule, any entity owned, directly or indirectly, fifty percent or more in the aggregate by one or more blocked persons is, itself, considered a blocked person, regardless of whether the entity is explicitly named on the SDN List. In effect, companies must take care to accurately identify and verify UBOs to prevent transactions that would constitute the direct or indirect provision of goods, services, or value to sanctioned persons.
Operational hurdles to effective UBO compliance
The ever-evolving UBO compliance regulatory and enforcement landscape demands that organizations have in place robust AML/CFT policies and procedures, including for:
- Identifying and verifying UBOs
- Standing up a robust third-party onboarding process
- Documenting third-party risk management controls
- Continuously monitoring for risks
However, many organizations still face operational and internal control hurdles that prevent them from ensuring effective UBO compliance – mainly, reliance on antiquated manual screening controls. Many organizations continue to rely on manual controls to screen their counterparties, customers, vendors, suppliers, third-party intermediaries, and other agents. Because a company’s web of third parties often is so complex and globally dispersed, ensuring effective due diligence without automation creates the risk of illicit finance activities going unchecked.
Manual screening controls are also inadequate for ensuring compliance with current sanctions regimes and export control restrictions. Sanction lists – such as those targeting the Russian Federation, Belarus, Iran, North Korea, and other jurisdictions – are constantly being amended. BIS, too, continues to expand end-user and end-use controls in response to geopolitical developments, further heightening the risk of relying on manual screening controls that can’t keep up with evolving regulatory developments.
Organizations with operations in high-risk regions of the world that remain reliant on manual screening controls especially risk being ill-equipped to effectively identify or prevent illicit financial transactions, or unlawful exports involving sanctioned or restricted parties.
Third-party onboarding is another risk area in which manual controls will not suffice, especially given that third parties often have complex ownership linkages and siloed data. Integrating UBO controls into third-party onboarding practices and determining the UBOs of third parties is a critical element of a mature third-party risk management (TPRM) program. If the organization is not already regularly soliciting UBO information from third parties and evaluating such information as part of its third-party onboarding process, it should start doing so immediately.
In short, without automated processes, critical UBO information pertaining to both the organization and its third parties could be missed, resulting in BOI disclosure failures. However, while automation can substantially reduce the likelihood of severe and costly administrative and criminal sanctions against the organization, it cannot eliminate risk entirely. Regulators are not expecting perfection, but rather demonstrable due diligence and compliance responsiveness.
UBO compliance checklist
To ensure proactive compliance with UBO compliance and disclosure requirements, organizations should take the following foundational steps as a starting point, all with the help of automated controls:
- Verify the identity of the UBO information
- Adopt risk-based policies and procedures for flagging when UBO information must be updated
- Regularly monitor for suspicious activity, and submit suspicious activity reports (SARs), as required by regulations
- Maintain thorough documentation of organization’s UBO information, as well as on its third parties, including written or oral changes in ownership
Choosing the right third-party vendor will further support the organization in ensuring UBO compliance. Not all automated systems are created equal. To ensure compliance with UBO due diligence and disclosure requirements, organizations should partner with an established and reputable vendor in the compliance solutions space – one that has expertise grounded in the day-to-day operational needs of the compliance, risk, and legal functions.
A due diligence framework that integrates the collection of UBO information, automates screening, and allows for the continuous identification, monitoring, and analysis of UBO information will better empower the organization to not only better spot financial crimes, but reduce regulatory risk and more clearly demonstrate a commitment to transparent practices that regulators now expect as standard for satisfying UBO compliance requirements.
For more in-depth guidance and insights about UBO compliance, download our 2026 ultimate beneficial ownership white paper here.
