Global Business Due Diligence in 2026: A Compliance Team's Reference Guide

How to verify any company anywhere. Registries by region, jurisdiction comparison, FATF/OECD framework, UBO disclosure, and a workflow compliance teams use in 2026.

TL;DR. Verifying a business counterparty in 2026 involves navigating registries that range from instantly free (Singapore, Denmark, Norway, New Zealand, UK) to account-gated and local-language only (India MCA21, Japan, Vietnam). The universal workflow has five steps: identify the legal entity, verify its status, map control through to ultimate beneficial owners, assess financial standing, and screen for sanctions and adverse media. FATF Recommendations 10 and 22 set the international baseline for customer due diligence obligations. A November 2022 ECJ ruling restricted public access to EU UBO registers, while the US Corporate Transparency Act has faced enforcement injunctions since early 2025. The registry layer is the foundation. Everything else is enrichment.

1. What “global business due diligence” actually means in 2026

Due diligence is not one thing. The term covers at least four distinct obligations depending on who is doing it and why.

Customer Due Diligence (CDD) is the baseline obligation imposed on regulated financial institutions under FATF Recommendation 10. It requires verifying the identity of customers and beneficial owners, understanding the nature of the business relationship, and conducting ongoing monitoring of transactions. For a corporate customer, CDD means confirming the legal entity exists, is active, and is controlled by who claims to control it.

Enhanced Due Diligence (EDD) applies when standard CDD is insufficient: high-risk jurisdictions, politically exposed persons, complex ownership structures, unusual transaction patterns. FATF Recommendation 19 requires intensified scrutiny for business relationships with persons from higher-risk countries. EDD typically adds source-of-funds verification, senior management approval, and more frequent review cycles.

Know Your Business (KYB) is the corporate equivalent of Know Your Customer (KYC). It refers to the process of verifying a business entity’s legal identity, ownership, and operational legitimacy. The term is used widely in fintech, payments, and trade finance contexts. Practically, KYB involves registry lookups, UBO identification, sanctions screening, and adverse media review.

Ongoing monitoring is the requirement, also anchored in FATF Recommendation 10, to keep due diligence current. A one-time file is not a compliance programme. Changes in directors, ownership, sanctions status, and financial condition all require the file to be updated.

Four example use cases, each with different requirements:

  • A correspondent bank onboarding a foreign bank counterparty applies EDD by default, following Wolfsberg Group guidance on correspondent banking due diligence. The emphasis is on FATF grey-list jurisdiction exposure and the foreign bank’s own AML programme quality.
  • A fund administrator onboarding a new fund vehicle needs to trace beneficial ownership through potentially multiple SPV layers to identify the natural person investors above the 25% threshold, and to verify that the fund manager’s regulatory authorisations are current.
  • A law firm conducting a conflicts check under Solicitors Regulation Authority (SRA) or Law Society rules needs to verify the client entity’s registered status and identify its ultimate owners to check for conflicts with existing clients.
  • A trade credit insurer underwriting a limit on a buyer needs registry data, financial filings, payment history, and directors’ track record across related entities. The use case is credit risk, not AML, but the underlying data sources largely overlap.

The universal data points that compliance teams across these use cases need are: registered legal name and number, jurisdiction of incorporation, current status (active or not), list of directors and their appointment dates, beneficial owners above the relevant threshold, filed financial statements, sanctions and PEP screening results, adverse media, and any court or regulatory enforcement records.

2. The five-step universal due diligence workflow

The following framework applies regardless of jurisdiction or industry. Each step names the data required, the typical source, and the most common failure mode.

Step 1: Identify the legal entity

Data: registered legal name, company registration number, jurisdiction of incorporation, registered address, legal form (Ltd, GmbH, SARL, Pte Ltd, etc.).

Source: the counterparty’s own documentation, cross-referenced against the official registry. Never rely on a company’s own letterhead as the only identity confirmation.

Failure mode: matching on name only. Company names are not unique. There can be multiple companies with identical or near-identical names in the same jurisdiction, particularly common short trading names. The company registration number is the only reliable unique identifier. Confirm it against the official registry before proceeding.

Step 2: Verify status

Data: current registration status (active, dissolved, struck off, in liquidation, dormant), date of incorporation, date of any status change.

Source: official registry, queried directly. Aggregator data can lag by weeks or months.

Failure mode: proceeding with a counterparty that is in liquidation or has been struck off. A dissolved company cannot enter binding contracts. A company in liquidation may have a liquidator as the only authorised signatory. Status must come from the primary registry, not a business card or a counterparty’s assertion.

Step 3: Map control

Data: current directors (names, appointment dates, nationalities where available), shareholder register or list, ultimate beneficial owners (UBOs) above the relevant threshold (typically 25% in EU/UK/US frameworks).

Source: registry filings for directors and formal shareholders; UBO registers where available (UK PSC register, EU member state UBO registers with access caveats); corporate structure documentation from the counterparty; cross-referenced against company filings.

Failure mode: stopping at the first layer of ownership. A corporate shareholder requires its own registry lookup. Nominee shareholders and nominee directors require documented beneficial owner declarations. Trusts above the entity add another layer. The ownership map is only complete when you reach natural persons.

Step 4: Assess financial standing

Data: most recent filed annual accounts (balance sheet, P&L, audit opinion where applicable), years of continuous filing, any gaps in filing history, credit risk score where available.

Source: registry-linked filing portals (Bundesanzeiger for Germany, Companies House for UK, EDGAR for US public companies, ASIC for Australia). Credit agencies for scored assessments.

Failure mode: skipping this step for private companies that file abbreviated accounts. Even abbreviated accounts show net assets and whether the company is filing at all. A company that has not filed accounts for two years may be dormant, insolvent, or in administrative chaos. The absence of filings is itself a signal.

Step 5: Screen for risk

Data: current and historical sanctions designations (OFAC SDN, EU Consolidated List, HM Treasury OFSI, UN Security Council list), PEP status of directors and beneficial owners, adverse media, court and regulatory enforcement records.

Source: primary sanctions lists (OFAC at sanctions.ofac.treas.gov, EU Consolidated List, UK OFSI consolidated sanctions list); commercial screening services for PEP databases and adverse media (LexisNexis WorldCompliance, Refinitiv World-Check, Dow Jones Risk and Compliance, Sayari); national court record portals where accessible.

Failure mode: screening at onboarding only. Sanctions designations happen without notice. A counterparty that was clean at onboarding may be designated six months later. Ongoing monitoring, not just point-in-time screening, is the standard.

3. Where the data lives: a tour of global registries by access tier

The most practically useful way to organise the world’s registries is by access pattern: what does a foreign compliance buyer actually need to do to get the data?

3.1 Free, open, and English (the easy tier)

These registries are accessible without an account, without local credentials, and in English. They represent the lowest friction path to primary-source verification.

  • Singapore (ACRA BizFile+): instant free name and status search, basic company profile free, full business profile available for a small fee of SGD 5.50. English interface, no account required for basic searches.
  • Denmark (CVR register): fully public, English interface, company data free including directors, ownership, and financial filings for most entity types.
  • Norway (Brreg): open access, English available, company search free, ownership and directorship data publicly accessible.
  • Australia (ASIC Companies Register): free name and status search, director and shareholder details for a fee. ABN Lookup for business number verification is free and instant.
  • New Zealand (Companies Office): free, English, detailed company information including directors and share registers publicly available.
  • United States (federal level): SEC EDGAR for registered securities issuers provides free, detailed corporate filings. State Secretary of State portals vary widely; many offer free name searches. Corporate registration remains fragmented by state.

3.2 Free and open but local-language (the translation tax)

These registries are legally accessible and technically free but present the data in a local language with no English interface option. The practical barrier for foreign compliance buyers is translation and navigation, not access rights.

  • Thailand (DBD eServices): free search, Thai interface, company data accessible but requiring translation tools.
  • Vietnam (National Business Registration Portal): accessible, Vietnamese-language, basic registration data free.
  • Japan (Commercial Registration System / Touki Net): requires understanding of the Japanese corporate number (hojin bango) system; some data accessible via the National Tax Agency corporate number lookup in English.
  • South Korea (DART / Supreme Court registry): DART (Korean SEC equivalent) provides English-language filings for listed companies; unlisted company data is Korean-only.
  • Taiwan (MOEABOC): accessible, Chinese-language interface.
  • Philippines (SEC eFAST): English registration forms but search interface is inconsistently English.

3.3 Free name search but paid certified extracts (the most common pattern)

This is the dominant global model. Basic company name and status confirmation is free; official certified documents that carry legal weight cost money.

  • Germany (Handelsregister): free name search since August 2022; certified extracts (Aktueller Ausdruck) cost EUR 4.50.
  • France (Infogreffe / Registre National du Commerce): free basic search via Infogreffe; Kbis extracts typically EUR 3-4.
  • Italy (Registro Imprese / InfoCamere): free name search; visura camerale extracts carry a fee through the Chamber of Commerce system.
  • Spain (Registro Mercantil): free basic search; certified nota simple or certificación extracts carry fees.
  • Belgium (KBO / BCE): free basic search and substantial data freely available; certified extracts require payment.
  • Netherlands (KVK register): free company number lookup; official extracts (uittreksel) typically EUR 2.50-14 depending on type.
  • Switzerland (Zefix, cantonal registries): Zefix national portal free; certified Handelsregisterauszug extracts are cantonal and carry fees.
  • Ireland (CRO): free name and basic search; certified documents have fees.

3.4 Account-gated or local-ID friction

Access to these registries technically exists but requires account creation, local credentials, or a practical level of friction that blocks casual foreign access.

  • India (MCA21): basic company search free but much data requires MCA account registration. Detailed filings (Form AOC-4, MGT-7) require account login.
  • Canada (Corporations Canada + provincial registries): federal Corporations Canada offers free name search; detailed corporate profiles require payment. Provincial registries (Ontario, BC, Quebec, Alberta) each operate separately with varying access models.
  • Israel (ICA): Hebrew-language interface is the primary friction point; a login is required for some data.
  • Saudi Arabia (Wathq / MoCI): Wathq verification portal accessible for basic license confirmation; full corporate extracts through Ministry of Commerce require Arabic navigation and in some cases Saudi entity credentials.

3.5 Multi-registry or fragmented

These jurisdictions require checking more than one registry to build a complete picture.

  • United Arab Emirates: mainland companies register with the Department of Economic Development in their emirate (Dubai DED, Abu Dhabi DED, etc.). Financial free zones (DIFC, ADGM) have their own separate registries with different legal frameworks. Non-financial free zones (approximately 40) each maintain their own registers. A UAE company verification requires first identifying which register the entity is in.
  • Canada: federal incorporation through Corporations Canada and provincial incorporation through 13 provincial and territorial registries are entirely separate. A company incorporated in Ontario does not appear in the federal Corporations Canada register unless it has registered federally. Both layers may need to be checked.
  • United States: 50 state Secretary of State portals plus the District of Columbia, plus federal registrations for specific entity types (SEC EDGAR for public companies and investment vehicles, FinCEN for beneficial ownership disclosures post-CTA). The absence of a federal commercial registry for private companies means that state of incorporation must be identified first.

4. The UBO problem: why “ultimate beneficial owner” is harder than it sounds

The concept of the ultimate beneficial owner (UBO) is straightforward in principle: the natural person or persons who ultimately own or control a legal entity. In practice, identifying UBOs in complex corporate structures is one of the hardest problems in compliance.

The standard threshold in most frameworks is 25% ownership or control. EU 5th Anti-Money Laundering Directive (5AMLD) Article 30 requires member states to maintain central registers of beneficial owners of corporate and other legal entities, with the threshold set at more than 25% shareholding or voting rights. FATF Recommendation 24, revised in 2022, requires countries to ensure that competent authorities can obtain timely access to accurate information on the beneficial ownership of legal persons.

The divergence between jurisdictions is wide.

The United Kingdom operates one of the world’s most open UBO registers. The People with Significant Control (PSC) register, maintained by Companies House and publicly searchable at no cost, requires UK companies to identify and record any person who holds more than 25% of shares or voting rights, or who otherwise exercises significant influence or control. The data is freely accessible and updated when changes occur.

EU member states were moving toward publicly accessible UBO registers following the 5th AMLD requirement. A November 2022 European Court of Justice ruling (Cases C-37/20 and C-601/20, WM and Sovim SA v Luxembourg Business Registers) changed this overnight. The ECJ held that the public access provision of the 5th AMLD was invalid as it conflicted with EU Charter rights to privacy and data protection. Member states were required to restrict public access. As of 2026, access to most EU member state UBO registers requires demonstration of a legitimate interest, typically limited to regulated institutions, journalists, and defined public-interest categories.

The United States Corporate Transparency Act (CTA), which required millions of small companies to file beneficial ownership information with FinCEN, faced a series of legal challenges. Enforcement was largely enjoined by US federal courts in late 2024 and into 2025, following rulings that raised constitutional questions about the legislation. The practical effect in 2026 is that the US beneficial ownership database at FinCEN is not fully populated and is not publicly accessible even where filings exist.

Many Asian jurisdictions never built a public UBO register at all. Singapore maintains a register of registrable controllers that companies must keep internally, but it is not public. Japan requires disclosure only for listed companies in practice. Thailand, Vietnam, and the Philippines require nominee disclosure to the registry in limited circumstances.

The practical complications compound these access restrictions. Nominee structures are legally used in many jurisdictions. A nominee shareholder holds shares on behalf of the true owner under a declaration of trust, with the beneficial owner appearing nowhere in the public registry. Layered holdings where a company is owned by a holding company in a second jurisdiction, which is in turn owned by a trust in a third jurisdiction, can require verification across three or more registries and legal systems to reach the natural person. Trusts as shareholders create particular opacity because trust beneficiaries typically do not appear in corporate records at all.

What compliance teams actually do in the absence of full public UBO data is multi-source triangulation: the registered shareholders are cross-referenced against directorship records in multiple jurisdictions, corporate group structures are mapped using aggregated data sources (Moody’s Orbis, Sayari), and where the analysis is insufficient, the onboarding questionnaire or a banker’s introduction letter with explicit beneficial owner certification fills the gap. On-the-ground verification through local counsel or notarised declarations is the last resort and is used for higher-risk or higher-value relationships.

5. FATF, OECD, and the global AML/CFT framework

The global framework for anti-money laundering and countering the financing of terrorism (AML/CFT) rests on two principal pillars: the Financial Action Task Force (FATF) standard-setting body and the OECD tax transparency architecture.

FATF is an intergovernmental body established in 1989. Its 40 Recommendations set the international standard for AML/CFT measures. The Recommendations cover customer due diligence, record keeping, reporting of suspicious transactions, correspondent banking, regulation of money services businesses, international cooperation, and the legal and institutional framework countries need to maintain. FATF conducts Mutual Evaluations of member countries on a rolling cycle, assessing both technical compliance with the 40 Recommendations and the effectiveness of implementation.

The FATF maintains two public lists that directly affect compliance buyer decisions:

The Increased Monitoring list (commonly called the grey list) identifies jurisdictions with strategic deficiencies in their AML/CFT regimes that have committed to an action plan to address them. As of May 2026, countries on the grey list include Vietnam (added June 2023), Thailand (added June 2024), and a broader group including South Africa, Nigeria, Algeria, Senegal, Cameroon, Côte d’Ivoire, Kenya, Tanzania, Monaco, the Philippines, and Syria, among others. The complete and current list should always be verified at fatf-gafi.org, as it is updated at each FATF plenary session (typically February, June, and October).

The High-Risk Jurisdictions Subject to a Call for Action list (the black list) identifies countries with serious AML/CFT deficiencies against which FATF calls for countermeasures. As of May 2026, this list contains only North Korea (DPRK), Iran, and Myanmar.

The OECD Common Reporting Standard (CRS) is the multilateral framework for automatic exchange of financial account information between tax authorities. Approximately 120 jurisdictions participate. Financial institutions in CRS jurisdictions are required to identify account holders who are tax resident in other CRS jurisdictions and report their account information to their home tax authority, which then exchanges it with the relevant foreign tax authority. CRS has changed the calculus for offshore structures; hiding taxable income using foreign company accounts in participating jurisdictions is substantially harder.

The Wolfsberg Group is an association of 12 global banks that develops financial crime compliance guidance for the industry. Its Correspondent Banking Due Diligence Questionnaire (CBDDQ) is a widely used tool for banks evaluating foreign financial institution relationships. The Wolfsberg AML Principles and guidance papers are industry consensus on what constitutes adequate financial crime compliance, particularly for trade finance, private banking, and payments.

United States sanctions are administered by the Office of Foreign Assets Control (OFAC) within the US Treasury. The Specially Designated Nationals and Blocked Persons list (SDN list) identifies individuals and entities whose assets are frozen and with whom US persons are generally prohibited from dealing. OFAC also administers country-level sanctions programs (Cuba, Iran, North Korea, Russia, Syria, Venezuela) with varying scope. The Section 311 authority under the Patriot Act allows FinCEN to impose special measures on foreign financial institutions or jurisdictions of primary money laundering concern.

United Kingdom sanctions are administered by the Office of Financial Sanctions Implementation (OFSI) within HM Treasury. The UK Consolidated List is maintained separately from EU sanctions following Brexit. The Sanctions and Anti-Money Laundering Act 2018 provides the UK’s domestic sanctions framework.

EU sanctions are adopted under Common Foreign and Security Policy and published in the Official Journal of the European Union. The EU Consolidated Financial Sanctions List is maintained by the European Banking Authority (EBA) and accessible via the FSAP sanctions tool. The 6th Anti-Money Laundering Directive (6AMLD) expands the predicate offences for money laundering and strengthens criminal liability frameworks.

In practice, compliance teams do not check primary sanctions lists manually for every counterparty screening. They use commercial screening services that aggregate and normalise multiple lists: Refinitiv World-Check, LexisNexis WorldCompliance, Dow Jones Risk and Compliance, Comply Advantage, and Sayari (which specialises in corporate ownership and sanctions network analysis) are among the commonly used platforms. These services provide match scoring, fuzzy name matching to handle transliteration variants, and adverse media aggregation.

6. Aggregators versus primary sources: when to use what

Global company verification data divides into two tiers: primary sources (the official registries themselves) and aggregators (commercial data services that compile and enrich registry data).

Aggregators include CRIF, Dun and Bradstreet, Experian, Moody’s Orbis (formerly Bureau van Dijk Orbis), Refinitiv, and OpenCorporates at the open data end. Their value is coverage and normalisation: they collect data from dozens or hundreds of registries, translate it, resolve naming variations, add credit scoring, financial ratios, group structure analysis, and payment behavior data, and deliver it through a single API or interface. For a compliance team that needs to onboard counterparties across 30 jurisdictions, an aggregator sharply reduces the per-country navigation overhead.

The tradeoff is freshness and certification. Aggregator data is a snapshot taken at the time of the last data pull from the source registry. For frequently updated fields like company status, director appointments, and capital changes, the lag can be days to weeks for major markets and months for smaller ones. For compliance use cases where the question is “is this entity currently active,” an aggregator response from three weeks ago may be inadequate.

Primary sources are required when:

  • Banking onboarding requires a certified extract as documentary evidence
  • A regulatory filing needs original source documents with official stamps or digital signatures
  • Court proceedings or M&A due diligence require documents that will withstand challenge
  • The jurisdiction is one where aggregator coverage is thin or unreliable (many ASEAN markets fall here)
  • The accuracy question is about a recent event (a director change in the last month, a dissolution filing last week)

A useful two-dimensional frame: on one axis, data freshness (how current does the answer need to be); on the other axis, coverage breadth (how many jurisdictions does the workflow span). Aggregators sit in the high-coverage, moderate-freshness quadrant. Primary registries sit in the high-freshness, single-jurisdiction quadrant. For most real-world compliance workflows, the answer is both: aggregator for initial screening and multi-jurisdiction coverage, primary registry for the documents that go into the compliance file.

7. Cost benchmarks: what global verification actually costs

Costs below are indicative for 2026. Registry pricing changes; always verify at point of purchase.

Tier | Jurisdictions | Typical cost per extract
--- | --- | ---
Free (basic company data) | Singapore, Denmark, Norway, New Zealand, UK (Companies House basic), US (SEC EDGAR for listed) | USD 0
Low-cost (certified extracts) | Germany (EUR 4.50), Belgium (EUR ~8), Netherlands (EUR 2.50-14), Ireland (EUR ~15 for certified), France (EUR 3-4 Kbis), Sweden, Finland | USD 3-15
Mid-range | Spain (EUR 15-30), Italy (EUR ~10-20), Switzerland (CHF 17-35), Israel (ILS 40-100), Greece (EUR ~15-25), India (INR 100-200 basic), Australia (AUD ~35 for certified), Canada federal (CAD ~35) | USD 10-50
Multi-registry or complex | UAE (requires identifying correct registry among 40+ free zones, fees vary by emirate), US 50-state aggregation (if checking all states, USD 5-50 per state), Saudi Arabia full corporate dossier (via Wathq + MoCI, official channels USD 20-100+) | USD 50-500+ depending on scope

Luxembourg, Portugal, Austria, and other European jurisdictions not listed above typically fall in the USD 5-20 range for basic certified extracts. See individual jurisdiction guides for Luxembourg, Portugal, and Austria for current detail.

8. Workflow: a sample compliance file for a two-jurisdiction transaction

Consider a practical scenario: a UK-authorised fund administrator is onboarding a Singapore-incorporated Special Purpose Vehicle (SPV) with a German operating company parent. The compliance file needs to cover three entities: the SPV, the German parent, and the natural persons controlling the German parent.

Step 1: Entity identification

For the Singapore SPV, search ACRA BizFile+ by company name or UEN. Download the SGD 5.50 business profile: it confirms registered name, UEN, entity type, directors, shareholders, paid-up capital, and current status. Cross-reference the UEN against the entity’s constitutional documents. Any discrepancy requires resolution before proceeding.

For the German parent, search handelsregister.de by company name or HRB number. Download the Aktueller Ausdruck (EUR 4.50): it confirms registered name, register number, registered seat, legal form, and current Geschäftsführer. The document carries the digital signature of the relevant Amtsgericht.

Step 2: Status verification

Confirm both entities as active from their respective registry records. For the German entity, also check the Unternehmensregister at unternehmensregister.de for any insolvency announcements (Insolvenzbekanntmachung). German insolvency proceedings must be published there once opened.

Step 3: Control mapping

The ACRA business profile shows shareholders. Any corporate shareholder requires its own registry lookup. If the German parent is the sole shareholder, you already have its record. For intermediate holding companies in other jurisdictions, each requires a separate registry pull.

For the German parent, the Handelsregister shows directors. The Transparenzregister holds UBO data; the fund administrator as an AML-obliged regulated entity has direct access under German GwG. If UBO identification cannot be completed from public sources, request a corporate structure chart and beneficial owner declaration with supporting ID. Keep these on file with a dated receipt note.

Step 4: Financial standing

For the Singapore SPV, confirm whether annual returns and financial statements have been filed with ACRA. A newly incorporated SPV may have no filings yet; note the incorporation date. For the German parent, check the Bundesanzeiger for the most recent annual accounts. A gap longer than 12 months past the filing deadline is a flag.

Step 5: Screening and file assembly

Run all directors and UBOs through your PEP and sanctions screening service. Screen entity names against OFAC SDN, EU Consolidated List, and UK OFSI list at minimum. Document name variants searched, match results, and disposition of any fuzzy matches.

Check both jurisdictions for FATF status: neither Singapore nor Germany is on the grey list as of May 2026.

The completed compliance file should contain: ACRA business profile (dated), Handelsregister Aktueller Ausdruck (dated), Unternehmensregister check note, Bundesanzeiger accounts confirmation, corporate structure chart, UBO declarations with supporting ID, sanctions screening records, and a dated cover note stating the purpose of the relationship.

Retain for a minimum of five years after the end of the business relationship (UK POCA/MLRs: five years; EU 6AMLD: five years; Singapore MAS Notice 626: five years).

9. Common mistakes compliance teams make

  • Matching on company name alone. Company names are not unique identifiers. A search for “Global Trading Ltd” may return dozens of results across multiple jurisdictions. The company registration number, together with the jurisdiction of incorporation, is the only reliable unique identifier. Always anchor the verification to the registration number.

  • Treating a single snapshot as ongoing monitoring. A compliance file built at onboarding is accurate at that moment. Directors change, companies enter insolvency, sanctions are imposed, and UBO structures are restructured. Without a defined refresh cycle, the file becomes stale. For active counterparties, periodic re-verification and event-triggered re-verification (change of beneficial owner, sanctions designation, adverse media alert) are both needed.

  • Missing the branch office versus subsidiary distinction. A branch is an extension of the foreign parent entity, not a separate legal person. A subsidiary is a separately incorporated company in the host jurisdiction. Compliance due diligence on the branch requires looking at the parent entity in its home jurisdiction. Compliance due diligence on the subsidiary focuses on the subsidiary itself while also mapping back to the parent group. The two are not interchangeable and require different approaches.

  • Confusing tax identification with company registration ID. In many jurisdictions these are different numbers assigned by different authorities. In Germany, the Handelsregisternummer (commercial register number) is different from the Steuernummer (tax number) and the USt-IdNr (VAT number). In Singapore, the UEN serves multiple purposes but the ACRA-issued number is what appears in the official registry. Using the wrong number type to search a registry will return no results and may incorrectly suggest the entity does not exist.

  • Stopping at the director list without completing the UBO walk-through. Directors are not necessarily beneficial owners. In many structures, the director is a management appointee and the ultimate owner is invisible in the director record. The share register or shareholder list is the starting point for UBO analysis, not the director list.

  • Reusing extracts beyond their freshness window. A certified extract from a company registry is a snapshot at the moment of issue. For banking and regulated use cases, most internal policies and regulatory guidance (including EBA Guidelines on internal governance and AML) treat extracts older than three months as stale for ongoing CDD purposes. The Kbis in France, the Aktueller Ausdruck in Germany, and the ACRA business profile in Singapore all reflect the state at the moment of download and should be refreshed at intervals appropriate to the risk profile of the counterparty.

  • Treating aggregator data as primary source. An aggregator report is research-quality data. It is appropriate for initial screening, risk scoring, and portfolio monitoring. It is not an official certified extract and should not be presented as one to a bank, regulator, or court. Where documentation requirements specify “official extract” or “certified copy,” the primary registry document is required.

  • Neglecting to check insolvency and court registers separately. In many jurisdictions, insolvency proceedings, court judgments, and enforcement actions are recorded in separate registers from the commercial registry. In Germany, insolvency announcements are in the Unternehmensregister and the Insolvenzbekanntmachungen portal, not in the Handelsregister. In the UK, winding-up petitions are searchable at Companies Court. A registry check alone does not surface all litigation exposure.

10. Building an in-house due diligence playbook

A workable compliance playbook for cross-border counterparty verification rests on four design decisions: sources of truth, refresh cadence, audit trail discipline, and policy anchoring.

Sources of truth per jurisdiction

Map each jurisdiction you regularly encounter to its primary registry, the data available free versus paid, and the specific document type that constitutes the official extract for compliance file purposes. The jurisdiction guides on this site provide this mapping for the 30+ covered jurisdictions: see Singapore, Germany, France, Netherlands, Italy, Spain, Belgium, Switzerland, Ireland, United States, Canada, Australia, New Zealand, Japan, South Korea, India, Israel, UAE, Saudi Arabia, Greece, Sweden, Denmark, Norway, Finland, Austria, Luxembourg, and Portugal. For jurisdictions not yet covered, document the source mapping yourself and record the date you last verified the access instructions.

Refresh cadence

Standard guidance from the EBA Guidelines on internal governance (EBA/GL/2021/05, updated with 2024 revisions) and MAS AML/CFT Notice 626 (Notice applicable to Banks and Finance Companies) points to risk-based review cycles: at minimum annually for standard-risk counterparties, more frequently for elevated-risk ones. Event-triggered review should always be in addition to scheduled review, not a substitute for it. Triggering events include: change of beneficial owner reported by the counterparty, sanctions designation of a connected person, adverse media flag from monitoring, expiry of the corporate extract freshness window, or any material change in the business relationship.

Audit trail discipline

Every registry query and document fetch should be logged with: the legal entity identifier queried (company number, jurisdiction), the source queried, the date and time of the query, the stated purpose (using the purpose taxonomy appropriate to your regulatory framework: CDD, EDD, periodic review, event-triggered review), and the person conducting the query. Document retention should follow the applicable regulatory requirement; the default across EU AML Directives, UK MLRs, Singapore MAS Notice 626, and US FinCEN rules (31 CFR 1010.230) is five years from the end of the business relationship, with some regimes requiring seven years.
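The log fields listed above can be enforced at write time. The following is an added example, not code from this guide: it rejects entries that lack a required field or use a purpose outside the taxonomy, and it computes extract staleness and the retention end date. The field names, the 90-day reading of "three months", and the timezone requirement are assumptions, and the sample entries are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Purpose taxonomy named in the text; adapt it to your regulatory framework.
PURPOSES = {"CDD", "EDD", "periodic review", "event-triggered review"}
EXTRACT_FRESHNESS = timedelta(days=90)  # assumption: "three months" read as 90 days
RETENTION_YEARS = 5                     # default cited in the text; some regimes need 7

@dataclass(frozen=True)
class RegistryQuery:
    jurisdiction: str      # jurisdiction of incorporation, e.g. "GB"
    company_number: str    # registration number, not a tax or VAT number
    source: str            # registry or aggregator that was queried
    queried_at: datetime   # date and time of the query
    purpose: str           # one of PURPOSES
    analyst: str           # person conducting the query

def validate(q: RegistryQuery) -> list[str]:
    """Return the defects that make this entry unusable as audit evidence."""
    problems = []
    for field in ("jurisdiction", "company_number", "source", "analyst"):
        if not getattr(q, field).strip():
            problems.append(f"missing {field}")
    if q.purpose not in PURPOSES:
        problems.append(f"unknown purpose {q.purpose!r}")
    if q.queried_at.tzinfo is None:  # assumption: timestamps must be unambiguous
        problems.append("queried_at has no timezone")
    return problems

def extract_is_stale(issued: date, today: date) -> bool:
    """True once an extract is older than the freshness window."""
    return today - issued > EXTRACT_FRESHNESS

def retention_until(relationship_ended: date, years: int = RETENTION_YEARS) -> date:
    """Retention runs from the end of the business relationship."""
    try:
        return relationship_ended.replace(year=relationship_ended.year + years)
    except ValueError:  # 29 February mapped onto a non-leap year
        return relationship_ended.replace(year=relationship_ended.year + years, day=28)

# Constructed sample entries (not real entities or staff).
GOOD = RegistryQuery("GB", "00000000", "Companies House",
                     datetime(2026, 5, 4, 9, 30, tzinfo=timezone.utc), "CDD", "analyst01")
BAD = RegistryQuery("", "", "aggregator", datetime(2026, 5, 4, 9, 30), "onboarding", "analyst01")

if __name__ == "__main__":
    print(validate(GOOD), validate(BAD), retention_until(date(2026, 5, 4)))
```

The `BAD` entry models a name-only lookup: with no jurisdiction and no registration number, the record cannot later be tied to a single legal entity.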

Policy anchoring

Frame your internal playbook against the relevant regulatory standards. For EU-regulated entities: EBA Guidelines on customer due diligence (EBA/GL/2024/01 or the current revision), 6AMLD transposition in your member state. For UK-regulated entities: FCA SYSC 6.3 (systems and controls for financial crime), the Joint Money Laundering Steering Group (JMLSG) guidance. For Singapore-regulated entities: MAS Notice 626 (AML/CFT) and the associated MAS Guidelines. For US-regulated entities: FinCEN Customer Due Diligence Rule (31 CFR 1010.230) and applicable Bank Secrecy Act obligations. Policy should cite the specific regulatory standard it implements and be reviewed whenever that standard is updated.

11. The 2026 outlook

Machine-readable registries and the open data trend

A growing number of registries are moving toward open data APIs or bulk data releases. Denmark’s CVR provides a full RESTful API at cvrapi.dk. Companies House in the UK provides a public API covering all company data. Singapore’s ACRA provides API access through a commercial data partnership programme. This trend is driven by EU Open Data Directive compliance requirements, government digital transformation agendas, and commercial pressure from the fintech sector. As machine-readable registry data becomes more available, the cost and latency of primary-source verification will fall. The jurisdictions that remain closed or local-language-only will stand out more sharply, creating a two-tier split.

The UBO public access pendulum

The EU is in a period of rebuilding its UBO access framework following the 2022 ECJ ruling. The 6th Anti-Money Laundering Directive and the proposed EU AML Authority (AMLA) create a new institutional architecture for AML supervision that includes provisions for UBO register access. The direction of travel is toward conditional public access with defined legitimate interest categories, rather than the fully open model the 5th AMLD originally required. The UK PSC register remains fully public and is the global reference for open beneficial ownership data. The US remains in legal uncertainty around the Corporate Transparency Act. The practical implication for compliance teams is that multi-source triangulation remains the method for UBO identification in most markets; full public register access is the exception rather than the rule.

Real-time monitoring versus annual filing cadence

Most company registries are structured around periodic filing events: annual returns, annual accounts, director change notifications filed within a defined window. The data is updated when someone files, not continuously. This creates windows of stale data even for registries that are technically open and free. The response from the compliance industry has been monitoring services that alert on registry changes: Companies House email alerts, ACRA BizFile change notifications, and commercial monitoring services that track registry events across multiple jurisdictions. For counterparties in active relationships, registry monitoring is more defensible than periodic manual re-checks.

AI and LLM for normalization

Large language models are being applied to the translation and normalisation problems that have historically made non-English registry data expensive to process. Translating a Japanese commercial registration extract, normalising a Vietnamese company name across different romanisation conventions, or parsing an Arabic-language Saudi licence document are tasks that LLMs can now handle with reasonable reliability. The result is that the practical translation tax on non-English registries is falling. The friction of accessing Thai, Vietnamese, or Japanese registry data is decreasing, though the underlying data quality and completeness of those registries has not changed.

The editorial point of view

The registry layer is the foundation. Official company registration data, directly from the authority that maintains it, is the only irrefutable starting point for any due diligence programme. Aggregators, screening services, credit bureaus, and AI-normalised extracts are all enrichment layers that add value on top of the registry record. They do not substitute for it. The compliance teams that understand which primary registry governs the entity they are verifying, and know how to access and interpret that registry’s official documents, have a systematic advantage over those who rely entirely on aggregated data. That knowledge, systematically applied, is what a genuine global due diligence capability looks like in 2026.

FAQ

What is the difference between CDD and EDD?

Customer Due Diligence (CDD) is the baseline: confirm legal identity, identify beneficial owners, understand the business relationship, conduct ongoing monitoring. Enhanced Due Diligence (EDD) applies when standard CDD is insufficient, triggered by high-risk factors such as FATF grey-list jurisdictions, politically exposed persons, or complex ownership structures. EDD adds source-of-funds and source-of-wealth verification, senior management approval, and tighter monitoring cycles. The EBA Guidelines on customer due diligence and MAS AML/CFT Notices set out minimum EDD content requirements for their respective regulated populations.

Who is an ultimate beneficial owner?

An ultimate beneficial owner (UBO) is the natural person who ultimately owns or controls a legal entity. The standard threshold in most frameworks is 25% of shares or voting rights (EU 5th AMLD Article 3(6), UK PSC rules, FinCEN 31 CFR 1010.230). Control below this threshold can still create UBO status through board appointment rights, contractual control, or dominant influence. Where no natural person meets the threshold, most frameworks require identifying the senior managing official as the deemed beneficial owner.

Do I always need a certified extract?

Not always. Free search results or aggregator reports are sufficient for initial screening and risk assessment. For the compliance file of record, regulatory guidance typically requires an official registry extract obtained directly from the primary source and dated within the freshness window (usually three months). Whether the extract requires notarisation or apostille depends on the use case: bank KYC onboarding rarely requires apostille; court filings or notary-driven transactions will.

How often should I refresh due diligence on a counterparty?

Risk-based, with a minimum annual cycle for standard-risk active counterparties (per EBA, MAS, and FCA frameworks). High-risk counterparties warrant quarterly review or tighter. Event triggers that require out-of-cycle review regardless of risk tier: change of beneficial owner, sanctions designation of a connected person, material adverse media, or a material change in the business relationship scope.

Which countries have the most open registries?

By the measure of free, English-language, no-account access to full company data including directors and shareholders: Singapore, Denmark, Norway, New Zealand, and the UK (Companies House) consistently rank as the most accessible. The UK PSC register adds publicly searchable beneficial ownership. Sweden and Finland are also highly accessible with substantial free data. Australia offers free status and director searches with paid certified extracts.

Which countries have the hardest registries to access?

The most difficult for foreign compliance buyers are typically: Saudi Arabia (Arabic interface, institutional access required for full data), Vietnam and Thailand (free data but local-language only with navigation friction), India (MCA21 requires account creation and navigation complexity for most useful data), China (not covered here, but the most restricted major registry globally for foreign access), and the UAE (correct registry identification is the first challenge given 40+ free zones). See individual guides for Vietnam, Thailand, India, Saudi Arabia, and UAE for current access details.

Are aggregators acceptable for compliance use?

Yes, with qualifications. Aggregator reports (Dun and Bradstreet, CRIF, Moody’s Orbis, Refinitiv, and similar) are appropriate for initial screening, periodic monitoring alerts, credit risk assessment, and portfolio-level due diligence. They are not a substitute for official primary-source documents where regulations or internal policies specify a certified registry extract. Most compliance programmes use both: aggregators for coverage and efficiency, primary registries for the documents that go into the compliance file.

What does FATF grey listing mean for compliance buyers?

Grey listing triggers EDD for all counterparties incorporated or resident in the listed jurisdiction, review of existing counterparties from that jurisdiction, and additional transaction monitoring. It does not prohibit business, but the compliance cost is higher and correspondent banks often reduce their exposure to grey-listed jurisdiction banks, which can affect those banks’ customers’ access to international financial services.

How do EU UBO restrictions affect non-EU buyers?

Following the November 2022 ECJ ruling, non-EU buyers can no longer access most EU member state UBO registers without demonstrating a legitimate interest. In practice, non-EU compliance teams verifying EU counterparties collect beneficial owner declarations and supporting documentation directly from the counterparty, rather than relying on register access. EU-regulated institutions with AML obligations in the relevant member state can access UBO registers directly under their AML authorisation.

What is the difference between sanctions screening and AML monitoring?

Sanctions screening checks whether a person or entity matches a designation on an official list (OFAC SDN, EU Consolidated List, UK OFSI, UN Security Council). A confirmed match means the transaction or relationship is prohibited. AML monitoring is the ongoing process of reviewing transactions and behavior for patterns suggesting money laundering or terrorist financing, with Suspicious Activity Reports filed when thresholds are met. Sanctions screening is typically automated and runs at onboarding and on periodic rescan. AML monitoring combines automated transaction surveillance with human alert review. Both are required obligations for regulated financial institutions under FATF Recommendations.


Last verified: May 2026. Sources: FATF (fatf-gafi.org), OECD (oecd.org/tax/transparency), Wolfsberg Group (wolfsberg-principles.com), European Banking Authority (eba.europa.eu), Financial Conduct Authority (fca.org.uk), Monetary Authority of Singapore (mas.gov.sg), FinCEN (fincen.gov), and named jurisdiction registries linked in section 3.
