
The Ultimate Guide to Customer Onboarding for Compliance Teams – Part 2

Customer onboarding involves diverse and complex processes and considerations that regulated businesses need to understand to operate securely in the digital economy.

Part 2 of our Ultimate Guide to Customer Onboarding dives into ultimate beneficial ownership, sources of wealth, transactions and record keeping from a compliance-driven onboarding perspective.

Welcome to Part 2 of our Ultimate Guide to Customer Onboarding. In Part 1, we covered what customer onboarding is, what it involves, and how to successfully implement it — all while adhering to global Anti-Money Laundering (AML) guidelines and responsibilities. 

In this guide, we go deeper into AML and Know Your Customer (KYC) processes, exploring how the two concepts relate to:

A. Customer due diligence, ownership and transactional parties

B. Record keeping and reporting

Customer Due Diligence

To gain a comprehensive understanding of due diligence investigations, it’s crucial to explore the various elements involved in any client transaction. In this section, we’ll delve deeper into three key aspects of conducting effective due diligence: 

  1. Sources of funds and wealth
  2. Ultimate beneficial ownership
  3. Third party transactions 

Source of funds and wealth: diving into the origins

In some cases, it’s necessary to determine both the source of funds (SOF) and the source of wealth (SOW) as part of a customer due diligence (CDD) process. While the terms may sound similar, they encompass distinct aspects that are critical in understanding a client’s financial profile.

SOF: Unraveling transactional origins

SOF refers to the specific funds or assets used in a client’s business relationship, especially for a particular transaction. In essence, it’s about understanding the origin of the funds the client intends to use. Knowing the SOF is vital in ensuring that the funds involved in the transaction are legitimate and not derived from illicit activities.

For example, if a client plans to make a significant investment, the onboarding team must determine the SOF used for this investment. The client may have received the funds through legitimate means, such as selling a property or receiving an inheritance. Alternatively, the funds may have originated from suspicious activities, raising red flags that warrant further investigation.

Tracing the SOF often requires a meticulous examination of bank statements, transaction records, and financial documents to ensure transparency and legitimacy.

SOW: Understanding the Big Picture

SOW refers to the broader source of a client’s wealth, unrelated to a specific transaction. It involves understanding the client’s overall financial position, including the origins of their accumulated wealth.

While it’s important to know how much wealth a client possesses, it’s even more critical to understand where the wealth comes from. This broader perspective helps in assessing the overall money laundering or terrorist financing risks associated with the client.

For instance, if a client has amassed considerable wealth through legitimate means such as successful business ventures, investments, or inheritance, it indicates a lower risk profile. However, if the source of wealth is obscure or linked to suspicious activities, it raises concerns and necessitates additional due diligence.

Differentiating between SOF and SOW enables companies and institutions to grasp the complete financial picture of their clients and identify any discrepancies or suspicious patterns in their financial behavior.

Considerations and Red Flags

Determining SOF and SOW involves gathering information from various sources to build a holistic view of a client’s financial activities and profile. While bank statements provide a primary source of SOF information, additional records may be required to ascertain the legitimacy of funds used in a transaction.

Ultimate Beneficial Ownership: Peering Beyond the Veil

Ultimate beneficial ownership refers to the individual who holds ownership or control of a client, either directly or indirectly — the Ultimate Beneficial Owner (UBO). A UBO may not always be the person initiating a transaction, so the onboarding team must dig deeper to identify the true owner and assess whether they are legitimate or attempting to conceal their identity for illicit purposes such as money laundering or terrorism financing.

Unraveling complex ownership structures can be a challenging task, especially when dealing with corporate entities that may have layers of intermediaries. Thus, the onboarding team needs to go beyond identifying the apparent clients or key parties involved in a proposed transaction. They must conduct thorough investigations to trace the ownership chain and identify the UBO(s).

In some instances, a private individual may present themselves as the client, but they might merely be acting as a nominee for the actual owner. In such cases, it becomes imperative for the onboarding team to delve deeper into the true ownership structure and ascertain the beneficial owner’s identity. Identifying the UBO is crucial to detecting and preventing money laundering or terrorist financing attempts, as individuals may attempt to hide behind intricate structures and other people.

Qualifying a UBO: Navigating the thresholds

Corporate entities often have diverse ownership structures, with shares distributed among various entities and individuals. However, not all shareholders may warrant extensive or enhanced due diligence (EDD). Instead, the level of scrutiny required is contingent upon local laws and institutional policies.

For instance, in the UK and EU, beneficial owners who control more than 25 percent of body corporates or partnerships, or those who otherwise own or control the client, warrant further investigation. This threshold varies from jurisdiction to jurisdiction, and institutions must ascertain the ownership percentage that necessitates a deeper investigation.

In parallel, it’s not solely about ownership percentage but also about identifying those individuals who exercise significant control over the presenting entity or individual. Even if an individual does not meet the ownership threshold, they may still exert considerable influence over the entity, making it crucial to investigate their role and intentions.

Beneficial Ownership of Trusts, Foundations, or Legal Arrangements: Unraveling the Structures

Different types of entities have different types of beneficial owners, and understanding these nuances is key to conducting effective due diligence. For example, in common law trusts, the beneficial owners may include the settlor (the creator of the trust), trustees (those holding assets on behalf of beneficiaries), beneficiaries, and controllers of the trust.

Similarly, foundations or legal arrangements that bear similarities to trusts often have similar beneficial ownership structures. The challenge arises when dealing with entities or arrangements that do not conform to these conventional models. In such cases, the onboarding team must ascertain the UBOs through meticulous investigation and verification.

Where the legal entity or arrangement does not resemble any of the entities described above, identifying beneficial owners becomes more intricate. In such scenarios, the beneficial owners may include any individuals deriving benefits from an entity’s property or arrangement, and the class of persons for whom the entity has been established or operates.

Identification and Verification of Beneficial Owners: Piecing Together the Puzzle

When a client is an individual (a ‘natural person’), the onboarding team will just need to secure SOF and SOW information from them. This ensures that the team has a comprehensive understanding of the client’s financial activities, background and position.

On the other hand, when dealing with an entity, it will be critical to understand its UBOs. The level of due diligence required for beneficial owners depends on the onboarding firm’s policies and risk assessments — as well as the regulations of relevant authorities. 

The Financial Action Task Force (FATF), the intergovernmental AML watchdog and issuer of regulatory guidance, issued new guidance in March 2022 outlining that its signatory and committed countries (the vast majority of jurisdictions in the world) are required to “ensure that competent authorities have access to adequate, accurate and up-to-date information on the true owners of companies.” These new requirements, included in the FATF’s Recommendation 24, are designed to make it possible for regulated businesses to have access to reliable UBO data for companies they transact with or offer services to.

However, implementation of UBO databases around the world is still very much a work in progress, and has faced significant delays and stumbling blocks, even in highly regulated jurisdictions such as the EU. Furthermore, in high-risk money laundering or terrorist financing scenarios, relying solely on documents provided by the client or contained in government databases may not suffice. In such cases, enhanced verification measures are necessary, and the onboarding team must be diligent in assessing the legitimacy of a beneficial owner’s identity.

In addition, certain factors may necessitate additional scrutiny of beneficial owners, such as the involvement of politically exposed persons (PEPs) or individuals residing in high-risk jurisdictions. Institutions must establish appropriate procedures to verify the identities of beneficial owners, taking into account the level of risk associated with the transaction and nature of the business.

The US Approach to Beneficial Ownership: the Final Rule

In the United States, the approach to identifying beneficial owners can be observed in the Final Rule of the Financial Crimes Enforcement Network (FinCEN), the US financial intelligence unit responsible for receiving suspicious transaction reports.

The Final Rule lays out four core elements of a covered institution’s anti-money laundering (AML) program:

  1. Customer identification and verification
  2. Beneficial ownership identification and verification
  3. Understanding the nature and purpose of customer relationships to develop a customer risk profile
  4. Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.

Regarding beneficial ownership, the rule distinguishes between two types of beneficial owners for corporate / legal entity customers:

  1. Ownership — An individual who directly or indirectly owns 25% or more of the equity interests of the legal entity customer.
  2. Control — An individual who holds a significant responsibility to control, direct, or manage the legal entity customer, such as the CEO or vice president.

Importantly, the beneficial owner must be a natural person and cannot be another company or legal entity. Each legal entity can have between one and five beneficial owners, depending on the ownership structure.

The Final Rule also specifies that certain legal entity customers are exempt from beneficial ownership identification and verification requirements. These exemptions are essential for institutions to consider when conducting due diligence.

The EU’s Approach to Beneficial Ownership: the 4th, 5th and 6th Anti-Money Laundering Directives

The European Union (EU) has made significant strides in combating money laundering and terrorist financing through its 4th, 5th and 6th Anti-Money Laundering Directives.

Under the EU’s 4th Directive (4AMLD), a beneficial owner is any person controlling or owning more than 25% of the shares or voting rights in a legal entity. The ultimate beneficial owner, in this case, is the natural person who ultimately owns or controls the corporate customer or conducts a transaction on their behalf.

The 5th Directive (5AMLD) introduces additional measures, such as requiring member states to maintain publicly available national ultimate beneficial ownership registries. Several EU countries, including the UK, Germany, France, and Ireland, have already established beneficial ownership registers, while others are still in the process of setting them up.

The most recent 6th Anti-Money Laundering Directive (6AMLD) requires companies to obtain and hold accurate and up-to-date information on the beneficial owners of their customers. This includes identifying who ultimately owns or controls a business, as well as any individuals who exercise control over the company through direct or indirect ownership or other means. 

Under 6AMLD, companies must take reasonable measures to establish the identity of beneficial owners and keep records of any information obtained. This includes obtaining documents, data or information on the ownership and control structure of businesses. 

In the UK, the relevant rules can be found in Part 5 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. These regulations outline the obligations of corporate bodies and trustees to provide beneficial ownership information, along with requirements for maintaining a register of beneficial owners of taxable relevant trusts.

By implementing these and similar directives, the EU, US, UK and other major jurisdictions aim to enhance transparency and accountability in financial transactions, making it more challenging for criminals and illicit entities to hide behind complex ownership structures.

Third party transactions 

When conducting due diligence, the onboarding team should look out for red flags that signal potential money laundering or terrorist financing risks. These red flags include large and unusual cash payments, payments from unverified third parties, and transactions involving high-risk jurisdictions or politically exposed persons (PEPs).

Furthermore, depending on operating jurisdictions, an onboarding team should investigate any payments made to third parties on behalf of the client. Payments to unconnected entities for unrelated expenses may raise suspicions of potential money laundering or tax evasion.

Some jurisdictions require extensive due diligence on third party payors, while others are more lax. Nevertheless, regulated businesses would be well-advised to have resources and capacity in place to be able to undertake thorough due diligence on third parties to the degree that they undertake CDD on their direct customers. The general trajectory of global and national regulations is that they are becoming more thorough and demanding on onboarding entities, so it’s highly likely that current regulatory ‘blind spots’ regarding third parties will not be there forever.

CDD: Roundup

Identifying and understanding the SOF, SOW and beneficial ownership of clients is fundamental in conducting thorough due diligence investigations. By assessing these aspects of individual and corporate clients — as well as third parties — businesses can mitigate risks associated with money laundering, terrorist financing, and tax evasion, ensuring secure and compliant client relationships. 

Effectively navigating the complexities of ownership structures, legal arrangements, and regulatory requirements empowers financial institutions to safeguard their reputation and protect against illicit activities that can threaten the integrity of the global financial system. 

The Importance of Record Keeping and Documentation

To showcase the level of control your team wields over the onboarding process, it is crucial to have secure and easily accessible records. These records will play a vital role in any audit or investigations related to money laundering or terrorist financing demanded by regulators. Additionally, certain local jurisdictions may impose requirements that mandate retaining specific records for designated periods.

Documentation and record-keeping refer to the specific documents collected throughout the process (e.g., for KYC) and the recording of an onboarding team’s policies, controls, and procedures. As a business expands and takes on new customers, the volume of necessary documentation will naturally increase. It will also become more complex and diverse if the business scales into new markets.

While there is no one-size-fits-all set of record-keeping requirements for all businesses globally, it is essential to have a sufficient number of documents supporting your onboarding process, demonstrating why clients were onboarded and the KYC / AML steps they were processed through. 

In order to be able to meet regulatory requirements — in particular in the event of an audit — onboarding businesses are generally expected to maintain organized records that are accessible to auditors and regulators. These include:

  • KYC documentation for client identification and verification
  • Transactional information and the role of the provider
  • Evidence of CDD conducted during the onboarding process, which may include materials revealing, for example, a corporate client’s structure and UBOs
  • Details about a client’s SOW and SOF, such as bank statements and email communications from the client and other relevant parties
  • Records of clients whose applications were rejected and the reasoning behind the decisions
  • Records of any communication/correspondence between the applicant and the onboarding team
  • Evidence of searches carried out to identify any sanctions or PEPs associated with the client, as well as references to any negative media related to the client (for high-risk customers and industries)
  • Material generated during enhanced due diligence and ongoing monitoring
  • Evidence and records of the AML training provided to your onboarding team
  • Evidence and records of internal audits, including the actions of individual employees involved in compliance

It is also important to maintain records and evidence of your company’s risk-based approach and risk assessments, which we covered in Part 1.

Note on retention periods

The duration for retaining records depends on local laws and regulations. For example, in the UK, records of identification evidence must be kept for five years after the termination of the client-business relationship. After this period, documents should be destroyed, unless there are specific reasons for retaining them, such as legal proceedings, future legal requirements, or client consent for continued retention. The EU’s GDPR also sets clear guidelines for the destruction of records. 

Regulated businesses will need to define and adhere to their data retention policies with regard to KYC onboarding and CDD documentation.

Suspicious Activity Reports

During the onboarding stage, it is crucial to have systems and measures in place for reporting suspicious activities and transactions. This reporting process is essential to safeguard the business.

The most vital tool in the fight against terrorist financing and money laundering is the Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). Ensuring that your processes for submitting these reports are easily understandable and accessible to the relevant regulators who will receive them is critical. 

Determining when to prepare a SAR is the responsibility of the onboarding/transaction/compliance team. They must make an informed assessment based on whether there are grounds for suspicion of money laundering, terrorist financing, or breaches of sanctions concerning a specific client or matter. Clearly defined protocols on what constitutes such risks can aid these teams in making more informed decisions by identifying any activity that deviates from the client’s past behavior or the nature of the proposed transaction.

Red flags to look out for include unusual client behavior, atypical account activity, and irregularities within the relevant business sector. These red flags unique to your business should be recorded in a written protocol for escalating suspicious activity.

The decision to report suspicions externally is usually made by senior management or, for certain firms, their independent compliance or audit committees. For businesses or institutions that have adopted compliance technology, this can further assist the onboarding and compliance teams in generating the required information either proactively or in response to requests from senior management and external authorities.

It’s the responsibility of a regulated business to properly identify the specific regulatory body to send SARs to, as well as to draft them in the correct format and with relevant supporting documentation.


CDD involves multiple and overlapping considerations and processes that onboarding teams need to consider and implement. From fully understanding information regarding ownership, source of funds and source of wealth of customers to determining their risk profiles and use of third parties, developing an AML-driven and compliant KYC onboarding process is a complex undertaking that requires specialized knowledge of regulations and your client base. 

With automated KYC onboarding tools like KYC-Chain, regulated businesses can systematize and curate their onboarding processes to allow for more seamless onboarding and compliant operations, no matter where and how they choose to scale. 
