Definition
Ownership and Control in AML specifically identifies natural persons who hold more than a threshold share (typically 25%) of equity interests or voting rights in a legal entity, or who exercise ultimate effective control through other means, such as management positions or contractual arrangements.
This dual-pronged approach—ownership prong (25%+ equity) and control prong (significant responsibility to manage or direct)—ensures institutions “look through” nominees, shells, or trusts to reach the ultimate beneficial owners (UBOs).
For example, FATF defines beneficial owners as those who own or control 25%+ shares/voting rights or exercise control via other mechanisms, emphasizing transparency to combat hidden ownership.
Purpose and Regulatory Basis
Ownership and Control matter in AML because they prevent money launderers from exploiting opaque corporate vehicles to disguise illicit proceeds, enabling regulators to trace funds to true controllers.
Its primary role is to support robust CDD, mitigate risks from politically exposed persons (PEPs), sanctions evasion, and terrorist financing by ensuring institutions understand who benefits from transactions.
Key regulations include FATF Recommendations 10 (CDD), 24 (legal persons), and 25 (legal arrangements), mandating accurate beneficial ownership (BO) information via registries accessible to authorities.
In the US, the USA PATRIOT Act Section 326 and FinCEN’s CDD Rule (31 CFR 1010.230) require identifying 25%+ owners and one control person (e.g., CEO) for legal entity customers.
EU AML Directives (AMLDs), especially 5AMLD and 6AMLD, plus the 2024 AML Regulation (AMLR), demand centralized BO registers, treating ownership and control independently, with retroactive reporting for non-EU entities linked to the EU.
National examples include Pakistan’s Anti-Money Laundering Act 2010 (updated 2020), aligning with FATF via State Bank of Pakistan guidelines for 25% thresholds.
When and How it Applies
Ownership and Control applies during CDD for legal entity customers, triggered by account opening, high-value transactions, or risk events like ownership changes.
Real-world use cases include onboarding a holding company where institutions “drill down” multiple layers to identify UBOs, or screening complex structures involving trusts/shells for sanctions compliance.
For instance, if Entity A (40% owned by non-listed B) grants control to listed Entity C via board appointment rights, C controls A, freezing A’s assets under sanctions.
Triggers encompass high-risk jurisdictions, PEPs, or nested entities; low-risk cases may limit to one layer, while high-risk demands full tracing to natural persons.
Types or Variants
Ownership prong: Individuals owning 25%+ equity directly/indirectly (e.g., via holdings or contracts).
Control prong: Single individual with significant responsibility (e.g., executive officer like CEO/CFO) or other influence (board veto, shareholder agreements).
Variants include Controlling Beneficial Owner (CBO)—control without 25% ownership (e.g., veto rights)—and UBO (ownership-focused).
In trusts, BO is the trustee or settlor if controlling; for foundations, senior managers if no clear owner.
Examples: Dual-class shares giving minority owners control; pyramids where <25% cascades to dominance.
Procedures and Implementation
Institutions implement via risk-based CDD: Collect entity docs (registers, articles), verify BO with IDs/shareholder ledgers, and use tools like registries/OSINT.
Steps: 1) Map ownership tree; 2) Apply 25% rule; 3) Assess control (agreements, influence); 4) Certify via customer declaration; 5) Screen against sanctions/PEPs; 6) Document audit trail.
Systems include automated KYC platforms for real-time BO checks, integrated with transaction monitoring; controls feature periodic reviews (annually for high-risk).
Processes mandate training, independent audits, and reliance on third-party data only if reliable (e.g., FATF-compliant registries).
Impact on Customers/Clients
Customers must disclose BO details at onboarding, facing delays/rejections if unverifiable, but gain faster processing with compliant structures.
Restrictions include account freezes for incomplete info or sanctioned controllers; rights involve appealing decisions and accessing personal data under privacy laws.
Interactions require ongoing updates (e.g., ownership changes within 14 days in EU); non-compliance risks service denial, enhancing trust via transparency.
Duration, Review, and Resolution
Initial verification at onboarding; reviews annually (high-risk), event-triggered (e.g., mergers), or per policy (1-3 years low-risk).
Ongoing obligations: Monitor changes, refresh data every 12-24 months; resolution via enhanced due diligence (EDD) or closure if unresolvable.
Timeframes: EU mandates immediate updates; US FinCEN expects reasonable measures, with 30-day SAR filing for suspicions.
Reporting and Compliance Duties
Institutions document all steps, retain 5-10 years, and file SARs for suspicious patterns (e.g., opaque ownership).
Duties: Quarterly audits, annual regulator returns (e.g., SBP in Pakistan), BO reporting to registries; penalties include fines (10% turnover or €10M in EU), revocation, criminal charges.
Proven compliance via “reasonable measures” defenses audit trails.
Related AML Terms
Links to Beneficial Ownership (core concept), CDD/KYC (implementation framework), UBO/CBO (specific identifiers), PEPs/Sanctions (risk overlays).
Connects to EDD (high-risk escalation), STR/SAR (reporting), and FATF R.24/25 (mechanisms).
Challenges and Best Practices
Challenges: Complex nests, nominee directors, non-cooperative jurisdictions, false declarations; tech gaps in verification.
Best practices: Adopt ownership trees, AI-driven drilling (OSINT/registries), risk-scoring models; train on control > shares; collaborate via public-private partnerships.
Regular scenario testing and multi-tool verification (e.g., declarations + registries) mitigate issues.
Recent Developments
FATF 2024 updates equalize ownership/control in BO definitions, targeting “soft power.”
EU AMLR (2024) mandates BO for non-EU entities with EU ties (retro to 2014), AMLA supervision from 2025.
US FinCEN BOI reporting resumes March 2025; UAE emphasizes <25% control via agreements.