Beneficial Ownership verification is where most KYC systems fail. You verify the person applying is who they claim to be (natural person verification). You verify the company exists and is registered (entity verification). But you don't verify who actually owns the company. That is the job of Ultimate Beneficial Owner (UBO) verification.
For a company with one shareholder, this is simple: ask for proof of ownership, verify it, move on. For a company with a complex ownership structure (multiple shareholders, holding companies, nominees, family trusts), it becomes a multi-level investigation that can take weeks.
Blockchain adds a wrinkle. On-chain data provides immutable, verifiable transaction history. If a company's beneficial owners move crypto through their personal wallets, that movement is traceable on-chain and cannot be erased. In theory, this makes UBO verification easier. In practice, GDPR's right to be forgotten conflicts with blockchain immutability. You can verify a beneficial owner's historical activity but cannot publish their identity on-chain.
Beneficial Ownership Verification Challenges
Shell companies are entities with no real business operations. They exist only to obscure ownership. A shell company has no employees, no office, no revenue, but has dozens of bank accounts and millions in holdings.
UBO verification is designed to prevent money laundering through shell companies. You require the company to disclose all individuals with significant ownership (typically 25%+). You verify those individuals against sanctions lists, PEP databases, and internal watch lists. If you find a mismatch, you reject the application.
But shell companies are effective at hiding actual ownership. A holding company (HoldCo) might own 51% of your target company. But HoldCo's UBO is another HoldCo, which is owned by a foundation, which is managed by a professional firm. The professional firm's partners are not disclosed publicly. You are now three layers deep and have hit a wall.
This is not a bug in KYC systems; this is intentional regulatory design. You are supposed to hit these walls. When you do, you escalate to a compliance officer, who makes a judgment call about whether to trust the company enough to onboard them despite the incomplete UBO chain.
Scenario-Based Verification Approaches
Three scenarios dominate UBO flows. The first is simple ownership with a single natural person. The second is institutional ownership via VCs or PE funds with disclosed UBO. The third is complex chains using holding companies, trusts, or nominees.
For simple ownership, request a cap table, identify the 25%+ owner, verify them against sanctions/PEP lists, and run standard KYC. For institutional ownership, verify the fund's general partners. For complex chains, iterate the cap table analysis recursively until you reach a natural person or legitimate fund. If you hit an opaque wall (nominee ownership in weak-disclosure jurisdictions), escalate to a compliance officer for judgment.
GDPR and Right to Be Forgotten
GDPR gives data subjects the right to request deletion of their personal data. But once data is on-chain, it is immutable. You cannot delete it. This creates a legal conflict.
You can verify a person's beneficial ownership status on-chain by examining historical transactions. But you cannot store that verification permanently and you cannot publish it on-chain.
The solution is to verify the on-chain data, then store the verification result off-chain only, in a database with appropriate access controls. The verification result (for example, "Person X is the UBO of Company Y") is stored in your KYC system, subject to data retention policies and GDPR rights.
If Person X later requests deletion of their data (right to be forgotten), you delete their personal data from your system. But you cannot delete the on-chain transaction history they initiated. The deletion is asymmetric.
For your KYC flow, this sets out what is allowed and what is not. You are allowed to examine on-chain history to verify beneficial ownership. You are allowed to store the verification result in your off-chain KYC database. You are not allowed to publish the person's identity or the verification result on-chain. If the person requests deletion, you delete your off-chain records. The on-chain records remain (because you don't control them). If the person later initiates a new transaction, you must re-verify (you don't have the old KYC data anymore).
This is operationally cumbersome but legally sound. The on-chain immutability is not a problem because you are not trying to erase on-chain data. You are only erasing your own KYC records.
EU AMLD6 Requirements
The sixth Anti-Money Laundering Directive (AMLD6, adopted 2023) tightens UBO requirements. The threshold is 25%+ direct or indirect ownership. You must check all indirect chains (companies owning companies owning your client), consult public UBO registries, and verify trusts and nominees. For compliance officers, cascade analysis is now mandatory—you cannot stop at a holding company; you must reach a natural person or legitimate institutional fund.
Practical Implementation
Build your onboarding flow as a recursive cascade. Layer 1 is natural person verification (ID, address, KYC). Layer 2 is entity verification (company registration check). Layer 3 is cap table submission. Layer 4 is shareholder verification for 25%+ owners (run Layer 1 or 3). Layer 5 is iteration (if a shareholder is a company, repeat). Layer 6 is escalation (opaque structures to compliance officer). Set a maximum depth of 5 to prevent infinite loops. Almost all legitimate ownership chains resolve within 3 layers.
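The cascade described above, sketched as an added example (not code from the original article). The entity names and cap tables are constructed, and two things are assumptions: indirect stakes are computed by multiplying fractions down each chain and summing across paths, and cycle detection is added alongside the depth cap.

```python
from collections import defaultdict

THRESHOLD = 0.25  # 25%+ direct or indirect ownership
MAX_DEPTH = 5     # maximum cascade depth before escalating

# Constructed sample data: entity -> {holder: fraction of shares held}.
CAP_TABLES = {
    "TargetCo": {"Alice": 0.20, "Bob": 0.20, "HoldCo": 0.60},
    "HoldCo": {"CaymanSPV": 0.50, "Alice": 0.10, "NomineeLtd": 0.40},
    "CaymanSPV": {"SingaporeFund": 1.00},
    "LoopCo": {"LoopCo2": 1.00},
    "LoopCo2": {"LoopCo": 1.00},
}
PERSONS = {"Alice", "Bob"}   # natural persons: run Layer 1 KYC on them
FUNDS = {"SingaporeFund"}    # institutional funds: verify the general partners


def resolve_ubo(target, cap_tables=CAP_TABLES, persons=PERSONS, funds=FUNDS):
    """Return (owners_to_verify, escalations) for one onboarding target."""
    stakes = defaultdict(float)  # terminal holder -> summed indirect stake
    escalations = []             # (entity, reason, stake behind the wall)

    def walk(entity, stake, path):
        if entity in persons or entity in funds:
            stakes[entity] += stake  # same holder may appear on several paths
        elif entity in path:
            escalations.append((entity, "circular ownership", round(stake, 4)))
        elif entity not in cap_tables:
            escalations.append((entity, "no cap table disclosed", round(stake, 4)))
        elif len(path) >= MAX_DEPTH:
            escalations.append((entity, "max depth reached", round(stake, 4)))
        else:
            for holder, fraction in cap_tables[entity].items():
                walk(holder, stake * fraction, path + [entity])

    walk(target, 1.0, [])
    owners = {h: round(s, 4) for h, s in stakes.items() if s >= THRESHOLD}
    return owners, escalations


if __name__ == "__main__":
    print(resolve_ubo("TargetCo"))
    print(resolve_ubo("LoopCo"))
```

In the constructed data Alice holds 20% directly and 6% through HoldCo, so she crosses the threshold only once indirect stakes are summed. NomineeLtd's undisclosed 24% is returned as an escalation for the compliance officer instead of being dropped.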
Practical Onboarding Flow
Example. A Malta-based crypto trading firm shows Alice (60%) and Bob (30%) as beneficial owners. Request ID from both, run KYC checks (sanctions, PEPs). Both pass. Onboarding approved.
Alternative. A holding company owns 26%. Request its cap table. It traces back through a Cayman Islands vehicle to a Singapore PE fund. Verify the fund's GPs (Dan and Emma). Both pass KYC. Onboarding approved. This 4-layer cascade takes weeks but is complete and documented.
Cost and Timing
Simple verification takes 1-2 days. Institutional investors take 5-7 days. Complex chains take 2-4 weeks. Tell applicants upfront that typical onboarding is 7-10 business days, with complex structures taking up to 30 days. Most cases are simple; complex ones are rare. Rushing UBO verification enables money laundering. Do it right, do it documented.