TL;DR. Buying UBO data in 2026 is harder than it was in 2024. Three regulatory shifts have changed the market: FATF Recommendation 24 now carries real enforcement bite, the EU AMLA Directive 2024/1640 sets a 2027 implementation deadline, and US FinCEN’s March 2025 interim final rule narrowed BOI reporting to foreign-registered entities only, leaving domestic CTA enforcement in flux. Procurement leads who signed supplier contracts before these changes may be buying the wrong coverage at the wrong refresh rate. This guide gives you a 6-dimension evaluation framework, four supplier archetypes, seven procurement pitfalls, and a 60-day pilot plan to make a defensible purchase decision.
Why 2026 is the hardest year to buy UBO data
In 2023, a compliance lead could justify buying from a Tier-1 aggregator, set the contract to auto-renew, and move on. The underlying registers were stable, enforcement was light, and the aggregator’s global coverage claim was plausible on a slide deck. That approach carries material risk now.
Three forces have converged.
FATF Recommendation 24 has enforcement teeth. The 2023 revision to Recommendation 24 raised the bar from legal framework compliance to demonstrated effectiveness. FATF’s fourth mutual evaluation round now downgrades jurisdictions that have the right law but cannot show accurate, timely, adequate UBO information in practice. For compliance teams, this means a file citing a UBO register from a jurisdiction with known filing-enforcement gaps is a weak file, regardless of what your data supplier’s contract says about source lineage. The risk sits with you, not the supplier.
The EU AMLA package changes the access architecture. Directive 2024/1640 (the sixth AML Directive) requires EU member states to grant obliged entities access to centralised, interconnected UBO registers by mid-2027. The regulation also introduces the EU Anti-Money Laundering Authority, which will take direct supervisory jurisdiction over the highest-risk financial entities from 2028. Suppliers with EU coverage are reconfiguring their data agreements ahead of this deadline. If your current supplier’s EU data comes from pre-AMLA scraped sources rather than direct register access, that supply chain may break or degrade before your contract ends.
The US BOI rule churn creates a coverage trap. FinCEN’s March 2025 interim final rule suspended BOI reporting requirements for US domestic companies, narrowing the CTA regime to foreign-registered entities operating in the US. Suppliers who marketed their US BOI datasets as a complete domestic UBO source are now selling a partial product. If your workflows assumed full domestic coverage, you are sourcing from an incomplete dataset without necessarily knowing it.
For a compliance lead with budget authority, these three shifts mean you are buying into a moving target. The evaluation framework below is built for that environment.
The 6-dimension evaluation framework
Every UBO data supplier can be assessed against six dimensions. Use these as the skeleton of your procurement scoring matrix. Each dimension is independent: a supplier can score high on coverage and low on compliance defensibility. Weight the dimensions to your organisation’s risk profile.
Dimension 1: Coverage breadth. Which jurisdictions have real UBO data versus nominal shareholder lists versus paper-based-only sources? A supplier quoting “150 jurisdictions” may have direct register access in 30, scraped data of variable quality in 70, and a manual retrieval service for the remaining 50. Ask for the breakdown by data source type, per jurisdiction, before you build the coverage number into a business case. The FinCEN BOI direct vs commercial UBO providers comparison shows how even a single jurisdiction can have multiple supply tiers with different depth profiles.
Dimension 2: Source authority. There are three tiers of source. Official register direct means the supplier has a data-sharing agreement or API connection with the national registry operator. Scraped or aggregated means the supplier pulls from a public-facing portal and normalises the output. Investigative or proprietary means the supplier derives UBO data from corporate filings, disclosed shareholdings, and cross-referenced databases rather than from a live register. Each tier carries a different level of evidentiary weight in an audit. For regulated obliged entities, source authority is not optional due diligence.
Dimension 3: Refresh cadence. Real-time, monthly snapshot, and quarterly batch are meaningfully different products. A quarterly batch file is acceptable for a static portfolio monitoring use case. It is not acceptable for onboarding a new counterparty where ownership changed three weeks ago. Ask the supplier to document refresh frequency per jurisdiction in the contract, not in a sales deck.
Dimension 4: API integration depth. Portal-only access, SFTP batch delivery, and REST API access represent different levels of operational integration. A portal-only product is a manual lookup tool; it does not fit into an automated KYC workflow. A REST API with sub-second response times fits into onboarding automation. SFTP batch delivery fits into overnight risk scoring runs. Know which integration pattern your workflow requires before evaluating suppliers on price.
Dimension 5: Pricing model fit. Per-query, subscription, and enterprise minimum pricing each optimise for a different usage pattern. Per-query pricing is cost-effective for low-volume, high-value due diligence workflows. Subscription pricing suits high-volume screening. Enterprise minimums work for very large institutions with predictable query volumes. The mismatch risk is paying a subscription for a workflow that generates 200 queries a month when the minimum viable subscription assumes 5,000.
Dimension 6: Compliance defensibility. Can the supplier produce an audit trail of every query you ran, with timestamps, source citations, and the underlying record state at the time of the query? Can that output be watermarked and attached to your customer file? Auditors increasingly expect this, especially post-FATF fourth-round evaluations. A supplier whose output is a PDF without a source citation attached is a liability in an enforcement review. The “What is ultimate beneficial ownership” guide covers what the underlying verification standard requires.
The 4 supplier archetypes
UBO data suppliers are not a uniform category. Understanding which archetype a supplier fits tells you more about fit for purpose than any feature comparison table.
Archetype 1: Global Tier-1 aggregators
Examples: Dun and Bradstreet, Experian Business Information Services, LexisNexis Risk Solutions, Bureau van Dijk (Moody’s).
Tier-1 aggregators have built global databases over decades by normalising data from thousands of sources into a single entity graph. Their strengths are real: established relationships with procurement and legal teams who have already run supplier security reviews, broad jurisdictional coverage claims, contractual SLAs, and the kind of market presence that survives an audit conversation with a regulator. If your institution needs a single-vendor answer for 120+ jurisdictions with a signed contract and an enterprise support line, the Tier-1 shortlist is where you start.
The weaknesses are structural. Source lineage at the record level is opaque. A Tier-1 aggregator’s entity record combines data from dozens of underlying sources, but the output typically does not tell you which source populated which field. When an auditor asks “how do you know who the UBO is,” the answer “our data vendor says so” is weaker than “this came from the Companies House PSC register, accessed on this date, and here is the underlying record.” Pricing is also premium: emerging market jurisdictions often carry a 5-10x per-query markup over what direct registry access would cost. See the D&B UK vs Bureau van Dijk FAME comparison for a worked example of how these trade-offs play out on a specific product set.
Archetype 2: Regional specialists
Examples: CRIF (EU, Central and Eastern Europe, Middle East), illion (Australia, New Zealand), Tofler (India), Tianyancha and Qichacha (China).
Regional specialists have deep roots in a specific geography. Their coverage in their home region is usually better than anything a Tier-1 aggregator offers: they maintain direct register access or close partnerships with the national registry operators, they have native-language source processing, and they carry institutional knowledge about local registry idiosyncrasies that global aggregators miss. The boutique vs Tier-1 Singapore data suppliers comparison illustrates how a regional specialist can out-perform a global brand on depth within a single market.
The limitation appears at scale. If your compliance programme covers 40 jurisdictions across multiple regions, you cannot consolidate around a single regional specialist. You end up with four or five regional contracts, each with different APIs, data dictionaries, and renewal dates. The operational overhead of maintaining a multi-regional specialist stack is non-trivial and is frequently the reason compliance teams migrate to a Tier-1 aggregator despite the price premium.
Archetype 3: Investigative and UBO specialists
Examples: Sayari Analytics, Castellum.AI, Kharon, ICIJ Offshore Leaks (free, public).
This archetype is built for hard cases. Investigative specialists derive UBO data by cross-referencing corporate filings, disclosed shareholdings, leaked document sets, sanctions registers, and proprietary research. Where a Tier-1 aggregator shows registered shareholders, an investigative specialist attempts to map actual beneficial control through layered structures, including offshore holdings that official registers do not capture. Sayari’s entity graph, for example, is particularly strong on high-risk jurisdictions and sanctions-adjacent entities where official register data is either absent or unreliable.
The trade-off is cost and use-case fit. Investigative specialists price their output at investigative cost, not at transactional data cost. A per-entity query for a complex offshore structure can cost multiples of what a Tier-1 query costs. For a bank that needs to check 50,000 customers annually, investigative specialist costs at scale become prohibitive. The right application is targeted: use investigative specialist tools for the red-flag escalations and high-risk segments rather than for the full onboarding population. The enhanced due diligence guide maps the use cases where this level of scrutiny is required.
Archetype 4: Direct-registry concierge
Examples: businessdataguide (editorial reference layer), legal-agent networks, jurisdiction-specialist retrieval services.
When the official registry has the data you need and you do not need an aggregator’s normalisation layer, a direct-registry concierge approach retrieves the original record, in the original format, with the original source citation attached. This is the cleanest audit trail available: the output is what the registry says, not what an aggregator’s normalisation algorithm decided the registry says.
The limitation is throughput and coverage. A direct-registry concierge works well for one-off CDD on specific counterparties in specific jurisdictions. It does not work for automated bulk screening of large populations. It also requires knowing which registry to go to, which is non-trivial across 200 jurisdictions with different access mechanisms, fee structures, and authentication requirements. For one-off investment due diligence or litigation support where evidentiary quality matters more than speed, direct-registry retrieval is defensible in a way that aggregated output is not.
Decision tree: which archetype fits your situation
Not every organisation needs the same supplier mix. Use this branching logic as a starting point, not a prescription.
If you are a global bank with KYC obligations across 150 or more jurisdictions. Start with a Tier-1 aggregator as the base layer. Accept that the coverage claim is real but the depth is variable. Supplement with an investigative specialist for emerging-market counterparties, PEP-adjacent entities, and any relationship where the Tier-1 output shows opacity at the UBO level. Do not rely on the Tier-1 aggregator for source citation quality in high-risk relationships.
If you are a fintech operating in a single region. Start with the regional specialist for that geography. The depth advantage over a Tier-1 aggregator is real and the integration is typically simpler. Expand to a Tier-1 aggregator only when your geographic footprint demands it, not as a default. The per-query cost differential over the course of a two-year contract can be material.
If you are an investment fund doing CDD on portfolio companies. Direct-registry concierge first, using jurisdiction guides like those in the businessdataguide jurisdiction library to identify the right source per entity. Escalate to an investigative specialist only when the direct-registry output shows incomplete UBO chains, complex offshore layering, or other red flags requiring deeper cross-reference. A subscription to a Tier-1 aggregator for a fund doing 40 CDD exercises a year is likely to be oversized.
If you are a corporate compliance team with an annual data budget under USD 50,000. A Tier-1 aggregator subscription will consume most of that budget. Direct-registry retrieval plus targeted investigative spot-checks for high-risk cases typically gives better coverage per dollar spent. The AML monitoring best practices guide covers how to build a defensible ongoing monitoring programme without enterprise-tier supplier pricing.
The 7 procurement gotchas
These are the structural pitfalls that cost compliance teams money, coverage quality, or both. Each one is preventable at procurement stage if you know to ask.
Gotcha 1: Per-jurisdiction pricing variability. Tier-1 aggregators frequently charge 5-10 times more for emerging market jurisdictions than for US, UK, or EU queries. A contract priced on your historical query mix will run over budget as your coverage needs expand. Ask for a per-jurisdiction price list, not a blended rate, before signing.
Gotcha 2: Data lineage opacity. Most aggregators do not cite the underlying registry per record in the output they deliver. You receive a normalised data point with no indication of whether it came from a direct register feed, a scraped portal, or a proprietary model. This matters when an auditor asks you to demonstrate the basis for your UBO determination. Request a sample output set with full source citation before the contract stage.
Gotcha 3: Contract minimums disconnected from usage. Annual contract minimums are often set at the supplier’s minimum commercial unit, not at your expected query volume. A USD 60,000 annual minimum sounds reasonable until you calculate that your actual query volume is 800 per year, making each query cost USD 75. Model your actual usage before agreeing to a minimum.
Gotcha 4: Exclusivity clauses. Some Tier-1 contract templates include clauses that restrict you from using a competing supplier’s data in the same workflow or for the same purpose. This prevents you from supplementing weak coverage with a regional specialist or an investigative tool without breaching the primary contract. Read the exclusivity language before signing and push to remove or limit it.
Gotcha 5: Free trial limitations. Trial datasets provided during the sales process frequently exclude the jurisdictions most relevant to your high-risk segments. A supplier might offer a 500-query trial covering US, UK, and Germany while your actual need is Nigeria, UAE, and Vietnam. Request a trial that covers your five most complex jurisdictions rather than the supplier’s easiest markets.
Gotcha 6: Refresh-cadence misrepresentation. “Real-time” in a supplier’s marketing often means the supplier re-scrapes the registry monthly and delivers a current snapshot rather than maintaining a live connection. Monthly is fine for portfolio monitoring; it is not real-time. Ask for the documented technical definition of “real-time” in the contract, and ask which specific jurisdictions have live register connections versus scraped snapshots.
Gotcha 7: UBO-depth gap. This is the most common structural deficiency across all archetypes. Most suppliers stop the ownership trace at registered shareholders, not at the natural persons who are the actual beneficial owners. A record showing “Holding Company X, incorporated Cayman Islands, 100% owner” is a shareholder record, not a UBO record. Ask the supplier to demonstrate, using a sample entity with a multi-layer structure, where their trace terminates and what the output looks like when the UBO layer is not accessible from the underlying source.
10 questions for the vendor demo
Use these verbatim or adapt them. The answers will tell you more than the sales deck.
- “For each jurisdiction in our watchlist, what is the underlying source you cite when we audit a UBO record? Show us the citation in the actual output, not in a data dictionary.”
- “Show us your data dictionary: which fields are mandatory across all jurisdictions, which are optional, and which are jurisdiction-specific. We want to see it as a downloadable spec, not as a slide.”
- “What is your refresh frequency per jurisdiction, and where is that documented in the service level agreement we would sign? Not in a FAQ. In the contract.”
- “Can you produce a complete audit log of every query we make, with timestamps, input parameters, the version of the underlying data record served, and the source citation? Show us what that log looks like.”
- “Where does your trace stop when the UBO layer is not directly available from the register? Show us a live example using an entity incorporated in a jurisdiction where the official register does not publish UBO data.”
- “What is your per-jurisdiction pricing for the 10 jurisdictions we care about most? We want a written per-jurisdiction rate card, not a blended global rate.”
- “If we add a jurisdiction not in our current contract scope, what is the process and the typical lead time before we have live data access?”
- “Describe your data-sharing agreement with each of the top 5 registries you use. Are those direct agreements, sub-license arrangements, or open-access portal scraping?”
- “What happens to our query history and output data if we terminate the contract? Are we entitled to an export? Is there a retention period after termination, and who owns the derived records?”
- “Show us a record that changed within the last 30 days. Walk us through how the change propagated from the source registry to what we would have received in our API output, and how long that took.”
Contract-stage red flags
Getting through demo and POC and into contract review is where procurement discipline saves money. Five clauses should trigger a conversation before you sign.
Auto-renewal without notice. A contract that renews automatically unless you provide written notice 60 or 90 days before expiry is a supplier cash-flow mechanism, not a partnership norm. Push for at-will renewal, or at minimum a 30-day notice window.
Liability cap below annual contract value. If the supplier’s liability for data errors, outages, or incorrect UBO records is capped at three months of fees and your annual contract is USD 120,000, your practical recovery for a compliance failure caused by bad data is USD 30,000. That is unlikely to cover the cost of a regulatory action. Negotiate the cap to at least one annual contract value.
Confidential pricing gag clauses. Some Tier-1 contracts include a clause preventing you from disclosing the pricing to competitors or for competitive procurement purposes. This clause prevents you from running a competitive renewal process by sharing the incumbent’s price with challengers. It is commercially hostile. Flag it and push to remove it.
Data-residency ambiguity. Your data protection obligations depend on knowing where the supplier processes and stores your query data. If the contract does not specify the processing location, you cannot certify your GDPR, PDPA, or equivalent compliance posture for data sent to that supplier. Require a specific data-residency clause.
Termination asymmetry. If the supplier can terminate the contract for convenience with 30 days’ notice but you cannot, you are carrying operational risk with no mitigation. Require symmetrical termination rights, or at minimum a data export guarantee that gives you 90 days of data access post-termination while you transition.
The 60-day pilot to production checklist
A pilot that does not stress-test your actual use cases tells you nothing useful. Structure it as follows.
Weeks 1-2: Baseline your hardest jurisdictions. Select three jurisdictions that represent your highest-risk or most complex coverage needs, not the easiest ones. Run 50 queries per jurisdiction against entities where you already have ground-truth UBO data from prior due diligence exercises. Document where the supplier’s output matches, where it is incomplete, and where it is incorrect. If the supplier cannot give you a trial that covers these jurisdictions, that tells you something.
Weeks 3-4: Document every gap. For each gap you found in weeks 1-2, send a written query to the supplier’s technical team asking for the root cause. Is it a source availability issue? A normalisation error? A refresh-lag problem? The quality of the answer tells you as much as the gap itself. A supplier who can explain the root cause and give you a timeline for resolution is a different risk from one who tells you the gap is “expected.”
Weeks 5-6: API integration into one production workflow. Connect the supplier’s API to one live workflow, not a sandbox. Measure real latency under your actual query load, the error rate, the timeout frequency, and the behaviour when the upstream source is unavailable. The customer due diligence checklist for fund admins shows the integration points where data quality gaps create downstream compliance risk.
Weeks 7-8: Procurement decision meeting. Present the evaluation matrix with dimension scores, gap documentation, supplier responses, and API performance data to the stakeholders with budget authority. This is where the decision gets made against evidence rather than against the supplier’s slide deck. The output should be a signed evaluation record that sits in your vendor selection file, not just a verbal decision.
How to use businessdataguide as your reference layer
businessdataguide is not a UBO data supplier. It is an editorial reference for compliance procurement decisions.
The jurisdiction library covers what each official registry actually contains, what access costs, whether an API is available, and what the English-language interface looks like. That information is the baseline for evaluating whether a supplier’s coverage claim for a given jurisdiction is plausible.
The comparison cluster covers supplier-vs-supplier trade-offs in specific markets. The FinCEN BOI direct vs commercial UBO providers piece is the most directly relevant to this guide’s audience: it shows how a specific jurisdiction’s supply chain looks when you map direct registry access against commercial aggregation.
The four cited bodies below are the sources your audit file should reference when justifying a UBO methodology: FATF for the standard itself, Open Ownership for the principles of quality beneficial ownership data, Wolfsberg for the CDD framework in financial services, and the EU AMLA package for the regulatory architecture reshaping European register access through 2027.
If a supplier’s pitch conflicts with what any of those sources say about data quality, source authority, or coverage requirements, that conflict is worth investigating before you sign.
Last verified: May 2026. Sources: FATF Recommendation 24 (2023 revision) via fatf-gafi.org; Open Ownership Principles via openownership.org; Wolfsberg Group CDD Principles via wolfsberg-group.org; EU Directive 2024/1640 (Sixth AML Directive, AMLA package) via eur-lex.europa.eu; FinCEN Beneficial Ownership Information Reporting Rule, March 2025 interim final rule.