Regulus

Beneficial Ownership Checks
Valuable Tool or Compliance Theatre?

Beneficial ownership transparency has become one of the central pillars of AML/CFT due diligence. Registers, verification requirements, discrepancy reporting — the infrastructure around who ultimately owns and controls a business has expanded considerably in recent years, in the UK and on the Isle of Man alike.

The intention is sound.

Better data means better due diligence. Cleaner registers mean fewer places for criminal proceeds to hide. Firms with access to verified ownership information should, in theory, be able to make better risk decisions faster.

In practice, it’s more complicated than that. And if you’re not careful, beneficial ownership checks can become exactly the kind of compliance activity that looks thorough on paper but doesn’t actually reduce your risk.

That’s compliance theatre. And it’s worth knowing how to avoid it.

What’s changed in the UK

For some years now, UK obliged entities have been required to compare their beneficial ownership information against the Companies House PSC register and report material discrepancies. The idea was to use the compliance sector to improve the quality of data on a register that had long accepted filings without meaningful independent checks.

Those of us with long(er) memories will recall the newspaper stories about Companies House filings listing cats as directors, or beneficial owners named James Bond, Mickey Mouse and Jason Bourne. 

More recently, the Economic Crime and Corporate Transparency Act has significantly upgraded Companies House. Identity verification for directors and beneficial owners is being rolled out. Companies House has new powers to query, challenge and remove information. The register is moving, slowly but genuinely, from a passive filing house towards something more like an active gatekeeper.

Registry data is becoming a more reliable input. Not infallible, but better than it was.

The Isle of Man picture

The Isle of Man takes a different approach. Beneficial ownership information is held centrally, but the register is not public. Nominated officers are required to submit and keep BO data current through an online portal, within set timeframes.

Since the Beneficial Ownership (Obliged Entities Access) Order 2024, firms now have the option to request access to that data for AML/CFT purposes. Which sounds straightforward, until you look at how it works in practice. The data flow is asynchronous and asymmetric.

Access is via formal request. The Registry responds with an official extract, effectively a PDF. There is no guaranteed turnaround time. There is no live search access. Meanwhile, the obligation to submit and update data runs to tight statutory deadlines through a digital system.

There is a near real-time digital upload obligation on one side, and a slower, manual access model on the other. Firms now have the option to draw on registry data as part of their due diligence, while being given relatively limited tools to do so in any time-sensitive way. That asymmetry is a real operational constraint, and it’s worth building into your onboarding processes rather than discovering it mid-transaction.

Where the theatre risk creeps in

The bigger danger with beneficial ownership checks, in both jurisdictions, is treating verification as a proxy for low risk.

A verified director or beneficial owner is still perfectly capable of being a criminal, a sanctioned individual, or a politically exposed person. Registry checks confirm identity. They say nothing about integrity.

Over-relying on verified status, ticking the registry box and moving on, is one of the most common ways that due diligence becomes performative rather than substantive. The check has been done.

The risk thinking hasn’t.

Discrepancy reporting carries a similar risk. If your process generates a growing pile of reports with no visible improvement in the underlying data, and no feedback loop about what’s been done with them, the exercise starts to serve the regulator more than it serves your risk management.

Making it work

None of this means registry checks aren’t worth doing. They are. Used well, they’re a valuable triangulation tool. The question is how you use them.

Treat registry data as one input among several, not as a definitive source. Cross-check it against what your client tells you. Where something doesn’t add up, treat the discrepancy as a risk signal rather than an administrative inconvenience.

For Isle of Man clients specifically, design your onboarding process around the reality of how Registry access works. Don’t build a workflow that depends on an extract arriving by a particular time. Use client-provided evidence as your primary source and Registry data as corroboration.

Train your people to think critically about what verified status does and doesn’t mean. The goal is better risk decisions, not a completed checklist.