UBO Screening Automation: Managing Beneficial Ownership Above the 25% Threshold
A practical guide for CSPs and law firms on automating ultimate-beneficial-ownership screening — what the 25% threshold means across jurisdictions, how to build a defensible screening workflow, and which software handles the UBO lifecycle from onboarding to periodic review.
Beneficial ownership screening sits at the center of every corporate formation, and for good reason: regulators across BVI, Cayman, the UAE, Singapore, the UK, and the US have all made UBO transparency a mandatory filing requirement in recent years. The question for CSPs and law firms is not whether to screen — it is how to do it reliably at volume without drowning the compliance team in manual data entry.
This guide covers the mechanics: what the 25% threshold means and where it varies, how to structure an automated UBO workflow, and what to look for in software that handles this without creating new risks.
The 25% rule and where it varies
The Financial Action Task Force (FATF) Recommendations establish 25% ownership or control as the default trigger for mandatory beneficial-owner identification. Most jurisdictions have adopted this as a floor, but many have gone further:
- BVI: BOSS (Beneficial Ownership Secure Search) filings require identification of any UBO above 25%, but registered agents typically apply a lower threshold (10% or effective control) as a matter of best practice. The BVI Financial Services Commission has indicated stricter enforcement since 2023.
- Cayman Islands: The Beneficial Ownership Transparency Act 2024 (BOTA) requires all exempted companies and foundations to file a beneficial ownership register with their registered agent. The threshold is 25%, with a control test that catches nominees and proxy arrangements.
- Singapore: ACRA requires every private company to maintain a register of registrable controllers — natural persons owning/controlling more than 25%, or any corporate controller. The register must be kept at the registered office or with a registered filing agent.
- UAE DIFC / ADGM: Both free zones require UBO disclosure for license applications and ongoing filings. DIFC applies a 25% threshold; ADGM applies both a 25% ownership test and an effective-control test.
- US Corporate Transparency Act: Reporting companies must disclose beneficial owners — any individual with 25% or more ownership or substantial control. The injunction history around the CTA means you should verify current enforcement status before advising clients.
- UK: The PSC register (People with Significant Control) uses a 25% threshold, but the economic crime legislation amendments since 2023 have expanded the verification requirements.
Practical implication: if you run a multi-jurisdiction portfolio, you need a data model that can store jurisdiction-specific UBO records with different thresholds and different filing destinations — not a single 25% checkbox that maps to every jurisdiction's requirement.
Building a defensible UBO workflow
A defensible workflow has three phases: capture, verify, and maintain.
Phase 1: Capture at onboarding
The worst time to collect beneficial ownership information is after the corporate documents have been generated. The right moment is during the intake questionnaire — before the engagement letter is signed and before the incorporator starts drafting.
A good intake flow asks for:
- Ownership structure: a simplified org-chart showing every layer between the applicant and the ultimate natural persons. For simple structures (one company, one or two natural persons), this is a form. For complex structures (multiple holding layers, discretionary trusts, foundations), you need a document-based submission with a certified structure chart.
- UBO identity documents: passport (certified copy), current proof of address (dated within 3 months), and for high-net-worth or politically exposed individuals, a source-of-wealth narrative with supporting documentation.
- Control questions: beyond percentage ownership, collect data on voting rights, director appointment rights, and any shareholder agreements that give outsized control to a minority holder.
- PEP and sanctions self-declaration: a signed declaration at intake speeds up the screening workflow and creates a liability anchor if a client misrepresents their status.
Phase 2: Verify and screen
Intake data must be verified against independent sources before the engagement proceeds:
- Document verification: certified copies of passports and proof-of-address documents, verified by the registered agent or by a third-party ID verification service.
- PEP and sanctions screening: run every natural person UBO against PEP lists and consolidated sanctions lists (UN, OFAC, EU, HM Treasury). This should be automated via API integration with a screening provider — manual list checks at the point of onboarding and then never again is the common failure mode.
- Adverse media screening: run the UBO's full name, aliases, and associated entities against adverse media databases. False-positive rates are high for common names — your screening workflow needs a human-in-the-loop review step for flagged results, not an automated block.
Phase 3: Maintain through the entity lifecycle
UBO information goes stale. The three events that most commonly cause a UBO record to become inaccurate:
- Transfer of shares: a shareholder sells or gifts shares, crossing or falling below the threshold.
- Restructuring: the parent company reorganizes, adding or removing an intermediate holding layer.
- Death or incapacity: a natural-person UBO passes away; succession or estate administration changes the effective ownership.
A good workflow triggers a UBO review on any corporate action that could affect ownership — share transfers, change-of-director filings, and material transactions — plus a scheduled periodic review at the cadence set by the client's risk tier.
What automation actually handles
The parts of the UBO workflow that can be fully automated today:
- Intake form generation: generate structured intake forms with jurisdiction-specific field requirements from a template library.
- Document collection and storage: secure upload portal with file-format validation and storage tied to the entity record.
- Screening API calls: trigger PEP, sanctions, and adverse-media checks via API at intake completion and at each periodic review date, log results to the entity's compliance record.
- Review scheduling: set the next review date based on risk tier, alert the assigned compliance officer 30 days before, escalate if the review is overdue.
- Filing generation: generate the BOSS data submission for BVI, the BOTA register for Cayman, and the PSC register update for UK entities from the verified UBO data — without re-entering it.
The parts that still require human judgment:
- False-positive adjudication: a sanctions hit or adverse-media match requires a trained compliance officer to determine whether it is a genuine match or a name collision.
- Risk rating: assigning a risk tier to a new client requires human assessment of the jurisdiction mix, industry, ownership complexity, and PEP exposure — automated scoring models are a useful input, not the final word.
- Source-of-wealth adequacy: whether the documentation submitted is sufficient to explain the beneficial owner's wealth is a judgment call that varies by jurisdiction and the transaction type.
Where Misolla fits in the stack
Misolla's incorporator requires beneficial-owner identification above the applicable threshold before generating any corporate document. The UBO data captured at onboarding flows directly into the entity's compliance workspace — no manual re-entry for BOSS, BOTA, or PSC register filings. Screening results from connected providers are logged to the entity record and trigger a review task when a match is returned. Periodic review scheduling runs automatically based on the entity's risk tier.
For CSPs managing dozens or hundreds of entities, the leverage is in the pipeline: one intake → verified UBO data → automated filings → scheduled reviews → reminder alerts. Each manual touch that gets removed from that chain is a compliance risk that stops being missed.
This article describes general practice, not jurisdiction-specific legal requirements. UBO regulations change frequently. Before designing or updating your beneficial ownership screening workflow, engage qualified AML/compliance counsel in each relevant jurisdiction. Misolla AI provides the tooling; your MLRO and legal advisors provide the compliance opinion.
What is the UBO threshold and is it always 25%?
The FATF recommendation is 25% ownership or control as the threshold for mandatory beneficial-owner identification, but jurisdictions vary. BVI and Cayman apply 10% for BOSS/BOTA filing purposes in some cases. The US CTA uses 25% for reporting company beneficial owners. Always check the applicable jurisdiction's specific regulations.
What happens if a UBO owns less than 25% but still exercises control?
Ownership percentage is only one test. Most AML frameworks also require identification of any person who exercises control through other means — voting rights above a threshold, the right to appoint or remove the majority of directors, or contractual control. A person who owns 20% but controls the board must still be treated as a UBO.
How often should UBO information be reviewed?
Periodic review cadence depends on risk tier. Low-risk structures: typically every 3 years. Medium-risk: annually. High-risk (PEP connections, FATF grey-list jurisdictions, complex multi-layer structures): every 6 months or on trigger events. Trigger events always require an out-of-cycle review: change of director, change of shareholder, material transaction, adverse media hit.
Which software automates UBO screening at incorporation?
Misolla AI captures UBO data at the point of incorporation — the incorporator requires beneficial-owner identification for every shareholder above the applicable threshold before generating the corporate documents. This data flows directly into the entity's compliance workspace for ongoing BOSS/BOTA filings and periodic review scheduling.