Legal services:

Comprehensive legal solutions for contracts, disputes, and compliance. Our expert team ensures legal protection and strategic guidance for your business.

AML consulting:

Specialised AML consulting to develop and maintain robust anti-money laundering policies. We assess risks, offer ongoing support and provide tailored AML services.

Obtaining a crypto license:

We offer licensing and ongoing support for your crypto-business. We also offer licences in the most popular jurisdictions.

Registration of legal entities:

Efficient legal entity registration support. We manage documentation and interaction with the authorities, ensuring a seamless process for establishing your business.

Opening bank accounts:

We facilitate the opening of bank accounts through our extensive network of partners (European banks). Hassle-free process, tailored to your business needs.

COREDO TEAM

Nikita Veremeev
CEO
Pavel Kos
Head of the legal department
Grigorii Lutcenko
Head of AML department
Annet Abdurzakova
Senior Customer Success Manager
Basang Ungunov
Lawyer at Legal Department
Egor Pykalev
AML consultant
Yulia Zhidikhanova
Customer Success Associate
Diana Alchaeva
Customer Success Associate
Johann Schneider
Lawyer
Daniil Saprykin
Head of Customer Success Department

Our clients

COREDO’s clients are manufacturers, traders and financial companies, as well as wealthy clients from European and CIS countries.

Effective communication and fast project delivery guarantee our customers' satisfaction.

Exactly
Unitpay
Grispay
Newreality
Chicrypto
Xchanger
CONVERTIQ
Crypto Engine
Pion

Since 2016 I have been developing COREDO as a partner for entrepreneurs for whom technology, finance and law form a single growth ecosystem. During this time the COREDO team has implemented dozens of projects in the EU, the UK, Singapore, Dubai, the Czech Republic, Slovakia, Cyprus and Estonia, registering legal entities, obtaining financial licences and building AML frameworks. Today I see a key challenge for those implementing algorithmic recommendations: legal liability for AI errors in finance is distributed among several participants and jurisdictions, and the rules are changing faster than IT teams’ roadmaps.

In this article I have collected practical approaches used by COREDO in designing and supporting AI advisors. My goal: to show how to combine compliance, contractual mechanisms and technological processes so that the liability of a financial AI advisor is transparent, contractually limited and backed by insurance and procedural guarantees. This is not theory, but a set of tools tested on real cases in Europe, Asia and the CIS countries.

Regulatory map: what’s changing

Regulation of AI advisors in the EU has become systemic: the European AI Act, MiFID II, DORA and ESMA/EBA guidance letters shape requirements for explainability, operational resilience and model risk management. In practice this means that any platform with automated investment recommendations falls under the “high‑risk” test: it needs model documentation, decision logs, model validation procedures and human‑in‑the‑loop for critical actions. COREDO’s practice confirms that where a client has implemented explainability and logging in advance, the risk of regulatory claims is significantly lower.

In Asia, harmonization is proceeding at uneven speeds. MAS in Singapore and the SFC in Hong Kong publish principles of controlled automation, platform responsibility for algorithmic recommendations and suitability requirements for robo‑advice. Certain Southeast Asian markets are introducing frameworks on AI liability and privacy similar to GDPR. A solution developed by COREDO for a Singaporean project combined MAS’s local AI guidelines with European model risk governance practices, which simplified scaling the service to the EU.

The United Kingdom follows the principle «same risk, same regulation» through the FCA, emphasizing conflict of interest management, bias tests and documentation of model assumptions. In Estonia and Cyprus regulators apply MiFID II and, in places, local clarifications for robo‑advice. In the Czech Republic and Slovakia central banks focus on operational risk and DORA approaches. COREDO’s team adapts licensing packages and internal policies to these nuances so that the registration of AI financial advisors proceeds without legal gaps.

Cross‑jurisdictional liability of an AI service involves choosing the governing law, arbitration clauses, mechanisms for cross‑border data transfer and DPA agreements. I always recommend defining in advance the dispute forum, e‑discovery procedures and the format of admissible electronic evidence (immutable logs, blockchain timestamps); otherwise even a strong legal position falls apart at the evidence stage.

Who is responsible for the AI advisor’s decision


The asset manager’s liability for automated advice rests on fiduciary duty and the standard of professional care. If the client delegated decision‑making to a robot, human oversight, suitability policies and periodic model review according to the risk profile are expected. Our experience at COREDO has shown that the presence of a model committee and human override protocols reduces the likelihood of claims of bad faith and breach of fiduciary duty.

The commercial liability of the AI solution provider is contract‑based: warranties of operability, caps on losses, exclusion of indirect damages and indemnity for IP claims and data breach. Product liability, however, can arise outside the contract if a software defect is proven. In contracts we record the allocation of manufacturer’s fault versus user’s fault for an AI error, linked to zones of control: data, parameters, environment, updates.

Human‑in‑the‑loop and its legal consequences come down to the question of whose action triggered the loss. If the interface explicitly required a human to confirm the investment advice, and the confirmation was given without verification, liability shifts to the person who made the decision. Where the system executes the advice automatically, the regulator expects enhanced measures of explainability, alerting and risk limits.

The rights and duties of depositaries regarding AI advice in funds (UCITS/AIFMD) remain classic: safekeeping of assets and oversight of compliance with the investment mandate. If AI leads to deviations from limits, the depositary must signal and block the breach, otherwise joint liability with the manager arises.

Contractual architecture: risks upfront

Contractual liability when implementing an AI adviser is not a single clause, but a system. I consider four blocks to be fundamental: limitation of liability and contract disclaimers for AI (liability cap, exclusion of indirect/consequential damages, warranty disclaimers), a contract for AI customization and risk allocation (transfer of liability for changes), vendor management and legal liability of contractors (flow‑down of obligations), as well as SLAs and KPIs for AI services.

In SLAs we include metrics not only for uptime but also for model performance: tracking error, drawdown thresholds, training details (data freshness SLAs), explainability latency and time for human review. COREDO’s practice confirms that such KPIs help demonstrate due diligence to the regulator and structure incident-response procedures.

Contracts for AI customization and risk allocation take into account the use of open‑source and pretrained models (transfer learning). If an open‑source component causes a licensing conflict or a vulnerability, the vendor must provide indemnity and an obligation for prompt remediation. For clients with an international footprint we add a prohibition on unauthorized transfer learning on client data and specify rights to model artifacts.

Vendor management and legal liability of contractors cover third‑party data providers and signal data aggregators. An error by a market feed provider can turn into an algorithmic error in investments; we pass liability and audit rights down the chain, including the right to independent audits of providers and certificates such as ISO 27001 and SOC 2.

Automation of AML and compliance

Liability for AML violations in AI recommendations most often arises in automated KYC, transaction monitoring and sanctions screening workflows. EU regulators rely on the AMLD framework; in Asia, on comparable acts and central bank guidance; in some African markets the rules are less formalized, but local risks are high due to poor-quality lists and limited data sources. The COREDO team builds data quality controls and escalation processes so that garbage-in, garbage-out does not become the cause of a fine.

Obligations to notify clients and regulators are enshrined in incident-response policies. If the system gave advice that violates sanctions compliance, the algorithm must record the event, block the action and initiate the notification procedure. It is important here to link DORA and local AML requirements: the regulator wants to see not only prevention but also the resilience of processes.

Model risk management: documentation

Model validation and the related legal protection go hand in hand. We build three lines of defense: development with unit‑ and integration‑tests, independent validation (backtesting, stress, calibration) and a model committee audit. Model risk metrics include VAR tests, evaluation of performance drift and probability calibration for credit and market models. Such a framework provides evidence of causation in your favor when forensic ML is required.

Regulatory requirements for AI explainability vary, but the trend is fixed: document features, limitations, applicability and counterfactual explanations. In investment recommendations local regulators require a clear rationale, even if the internal model is a complex ensemble. A solution developed at COREDO records the decision path and confidence score, which reduces disputes about foreseeability and the limits of liability for unforeseen advice.

Technical auditability: logging, an audit trail and decision replication are part of our mandatory setup. We recommend immutable logs, versioning of models and datasets, artifact hashing and time-stamping. This creates evidentiary proof of actions during an incident and helps distinguish a software defect from incorrect data interpretation.
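The logging setup described above, as an added example that is not COREDO's own code: a hash-chained decision log in which each recommendation record carries the model version, the hashes of the model and dataset artifacts, the decision path, the confidence score and a timestamp, and each entry's hash covers the previous entry's hash, so an after-the-fact edit or deletion is detected on replay. Field names, sample records and artifact contents are constructed for the example.

```python
"""Tamper-evident decision log for an AI advisor (added example, not
COREDO's code). Each entry chains to the previous one by hash, so the log
can be replayed to prove which model and data produced which advice."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash depends only
    # on content, not on serialisation order or whitespace.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def artifact_hash(data: bytes) -> str:
    """Hash of a model or dataset artifact, recorded with every decision."""
    return hashlib.sha256(data).hexdigest()


def append_decision(log: List[dict], *, client_id: str, recommendation: str,
                    model_version: str, model_hash: str, dataset_hash: str,
                    decision_path: List[str], confidence: float,
                    human_confirmed: bool, ts: Optional[str] = None) -> dict:
    """Append one recommendation record, chained to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "client_id": client_id,
        "recommendation": recommendation,
        "model_version": model_version,
        "model_hash": model_hash,
        "dataset_hash": dataset_hash,
        "decision_path": decision_path,      # the rationale shown to the client
        "confidence": confidence,
        "human_confirmed": human_confirmed,  # who triggered the action
        "prev_hash": prev,
    }
    entry = dict(body, entry_hash=_digest(body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, int]:
    """Replay the chain; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (body.get("prev_hash") != prev or body.get("seq") != i
                or _digest(body) != entry.get("entry_hash")):
            return False, i
        prev = entry["entry_hash"]
    return True, -1


def build_sample_log() -> List[dict]:
    """Constructed sample: two recommendations from one model version."""
    log: List[dict] = []
    mh = artifact_hash(b"constructed model weights v1.4.2")
    dh = artifact_hash(b"constructed market feed snapshot 2024-03-01")
    append_decision(log, client_id="C-001", recommendation="rebalance: +5% bonds",
                    model_version="1.4.2", model_hash=mh, dataset_hash=dh,
                    decision_path=["risk_profile=conservative", "equity_weight>limit"],
                    confidence=0.82, human_confirmed=True,
                    ts="2024-03-01T09:15:00+00:00")
    append_decision(log, client_id="C-002", recommendation="hold",
                    model_version="1.4.2", model_hash=mh, dataset_hash=dh,
                    decision_path=["risk_profile=balanced", "drift_within_band"],
                    confidence=0.67, human_confirmed=False,
                    ts="2024-03-01T09:16:30+00:00")
    return log


def tampered_copy(log: List[dict]) -> List[dict]:
    """Simulate an after-the-fact edit of the first record's confidence."""
    copy = json.loads(json.dumps(log))
    copy[0]["confidence"] = 0.99
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))                 # (True, -1)
    print("edited:", verify_chain(tampered_copy(sample)))  # (False, 0)
```

In production the entries would be written to append-only storage and the latest entry hash anchored externally (for example time-stamped), which is what turns a chain into admissible evidence.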

Testing for adversarial attacks and legal security obligations come to the forefront: data poisoning, prompt injection in generative components and bypasses of restrictions. We combine ISO 27001 requirements, role‑based access control, separation of duties (Dev/ML/SOC) and signed approvals for deployment. Our experience at COREDO has shown: formal change‑management logs often resolve a dispute about blame long before court.

Data governance covers provenance, lineage, consent and retention, including confidentiality and cross-border transfer of personal data (GDPR‑like regimes). For open banking and API connections to AI advisors, PSD2/OB framework restrictions apply: customer consent, channel security and clear allocation of responsibility between the TPP, the bank and the platform.

Legal consequences of incidents

Direct damage and lost profits from errors of an AI adviser are assessed using damages methodologies that take into account VAR, drawdown, tracking error and the market environment. The rigor of the evidentiary base requires establishing causation: without forensic ML and counterfactual analysis, showing that the algorithm specifically caused the loss is difficult. We prepare clients for this in advance: model cards, data versions and replication of experiments.

Incident-response procedures and regulatory notifications in the event of AI errors are containment, root cause analysis, remediation and monitoring of the effectiveness of fixes. DORA explicitly requires prompt communication and logging of actions; MAS and SFC expect similar practices. I recommend formalizing a RACI matrix and mandatory deadlines for internal reporting — this reduces regulatory risk.

Legal mechanisms for compensating losses from AI include contractual indemnities, non-contractual claims (tort law), and, in some cases, product liability. In common-law markets there is a higher risk of tort claims and possible expanded types of damages; in civil-law (continental) systems there is more emphasis on contractual regulation. Criminal liability for AI errors becomes relevant in cases of money laundering, sanctions and deliberate circumvention of controls.

Public reporting and disclosure of AI use to investors are gradually becoming a market standard. In several COREDO projects we prepared sections of AI ethics policy where we documented good faith, absence of discrimination and explainability — this reduced reputational risk in incidents.

Insurance and financial guarantees

Insurance against AI errors (AI liability insurance) complements professional indemnity and cyber insurance. Insurers look at the maturity of model risk governance, the presence of human‑in‑the‑loop, logs and regular validations. I advise drafting insurance clauses with requirements for notification, the right of recourse and coordination of dispute resolution.

Insurers’ requirements when covering AI errors often include minimum information security standards, independent audits and employee training. COREDO’s practice confirms that when these conditions are embedded into policy and contract, the cost of coverage and the deductibles become more predictable.

Allocation of responsibility in COREDO cases

Practical case: liability in the event of an incorrect liquidity forecast. A platform in the EU issued a rebalancing recommendation without taking local clearing windows into account; a temporary liquidity shortfall occurred. The COREDO team conducted forensic ML, proved model drift due to an outdated feed and initiated a review of the SLA with the data provider. Responsibility was split: the feed provider compensated direct losses up to the cap, the asset manager assumed operational costs and revised the human override.

AML case: an automated KYC missed a client’s sanctions indicator in Asia. During the root cause analysis we identified data poisoning; an external database had applied the wrong tag. The solution developed at COREDO included immutable logs and alert corridors, so the regulator assessed the due diligence positively. Compensation was limited to administrative measures, and the data vendor accepted indemnity for the error.

Model drift in a new market: scaling to Dubai led to an increase in suitability errors. We insisted on a staged rollout, a control period with human-in-the-loop and limits on automatic execution. After three weeks the metrics stabilized; this illustrates the cost-benefit analysis of implementing human-in-the-loop to reduce liability.

Registration and licensing of an AI advisor: in Singapore the client obtained a license with COREDO’s support, embedding algorithm transparency rules, vendor audits and explainability procedures. In the EU a similar service is structured under MiFID II with a focus on suitability and DORA controls; for Estonia we prepared local policies and reports for the FSA.

From idea to sustainable practice

Due diligence when implementing AI:

  • Regulatory map: AI Act, MiFID II, DORA, GDPR‑like regimes, MAS, SFC.
  • Assessment of legal risks of using AI for asset management: licenses, limits of automation, open banking/APIs.
  • Vendor due diligence: certificates, SOC reports, incident history, bias policy.
  • Contractual architecture: caps, indemnities, warranty disclaimers, arbitration clauses, choice of law.

Design of corporate AI governance:

  • Model committee, independent validation, periodic review, model cards.
  • Logging, versioning, immutable audit trail, blockchain‑stamps.
  • Access control: RBAC, segregation of duties, role of SOC/DevOps.
  • AI ethics policies, conflict of interest management and public disclosure.

Contract templates and negotiation position:

  • SLA and KPIs: uptime, drift, explainability, latency, human review.
  • Contractual mechanisms: transfer of liability and vendor indemnification, flow‑down to subcontractors.
  • Limitation of liability: caps, exclusion of lost profits, carve‑outs for intent and data breaches.
  • International agreements and choice of jurisdiction; arbitration clauses and force majeure in case of AI service failures.

ROI and reducing litigation risks:

  • Metrics of error impact: VAR, drawdown, tracking error in risk team’s KPIs.
  • Continuous validation, drift monitoring and explainability as savings on future claims.
  • Human‑in‑the‑loop at critical thresholds: cost‑benefit compared to liability exposure.
  • Insurance solutions: proper alignment of professional indemnity, cyber and AI liability.

Specific issues people forget

Responsibility for bias and discrimination in AI advice is not only an ethical concern but also a legal risk. Regulators expect bias tests, data adjustments and documentation of fairness metrics. In one project the COREDO team implemented regular bias audits as part of the SLA with the vendor.

The legal consequences of model drift and outdated recommendations require deprecation procedures and client notifications. If a model has ceased to match the market, it is your duty to suspend automated advice, notify clients and the regulator, and update the disclosure.

Liability when using open models (open‑source) in an advisor: a high‑risk area. The legal frameworks of product liability applicable to AI-powered financial software are increasingly debated in the EU; a prudent strategy is to clearly separate “as-is” components and your integration guarantee.

The impact of local Asian legislation on cross-border AI solutions manifests in data localization requirements, periodic audits, and additional consents. Here COREDO helps choose a group policy structure that withstands both GDPR-like regimes and Asian rules.

The role of the corporate lawyer

The role of the corporate lawyer in evaluating AI projects and contracts is not limited to edits to the SLA. I expect in-house teams to participate in design sessions, to formalize explainability requirements, and to check the implementability of legal terms in IT processes. Only in this way does legal liability stop being a brake on innovation.

Technical auditability and tools for Forensic ML constitute a pre‑prepared platform for defense. We recommend assembling a set of assumptions, versions, test cases, and counterfactual scenarios suitable for legally admissible examinations of models. This approach makes it possible not only to win disputes, but also to learn from incidents.

What to do today: checklist

  • Conduct a gap‑analysis against the AI Act, MiFID II, DORA, MAS/SFC and local AML acts.
  • Formalize model risk governance: committee, validation, drift monitoring, explainability.
  • Re-check contracts: caps, indemnities, warranty disclaimers, SLAs for model metrics, arbitration and choice of law.
  • Configure immutable logs, role‑based access control, segregation of duties and incident-response procedures with notifications.
  • Review insurance coverage: AI liability insurance, professional indemnity and cyber with coordinated terms.
  • Update public disclosures on AI use so customer expectations align with reality.

Conclusions

Intelligent advisors are transforming the financial industry, but with opportunities come legal and operational obligations. Platform liability for algorithmic recommendations, the management company’s liability for automated advice, and contractual liability when implementing an AI consultant are manageable categories of risk if the process and contract architecture are set up correctly.

The COREDO team knows how to combine licensing, AML compliance, corporate governance of model risk and contractual mechanisms so that technologies drive growth rather than disputes.

If you are preparing to enter new markets in the EU, the UK, Singapore, Dubai, Cyprus, Estonia, the Czech Republic or Slovakia, or building a financial AI service with international liability: let’s discuss a practical roadmap. I am responsible for ensuring that every line of code and every contract clause work towards your resilience and predictability of outcomes, and COREDO’s practice confirms: it is achievable.

Since 2016 I have been developing COREDO as a partner for entrepreneurs and investors who value accuracy, speed and predictability when entering international markets. Over that time the COREDO team has executed hundreds of projects in Europe, Asia and the CIS countries: from company registrations in the EU, the Czech Republic, Slovakia, Cyprus and Estonia to launching structures in the United Kingdom, Singapore and Dubai. We have completed the full cycle of deal support: investments and M&A, obtaining financial licenses (crypto, forex, payment services and e‑money), setting up AML/KYC, as well as investment and technical due diligence of an IT startup.

In this article I have collected the pre-investment due diligence practices that we embed into comprehensive client support. My goal: to give you a methodology that saves months, reduces uncertainty and strengthens the negotiating position. Examples and tools are based on real COREDO projects: no unnecessary theory, with a focus on actionable results.

Does an IT startup need due diligence?


Investment due diligence of a startup is not a “compliance checkbox”, but a way to see the true picture: technology quality, IP legality, revenue sustainability and the maturity of security processes. Checking an IT startup affects the startup’s valuation before investment, the deal structure and the post-integration plan, which means — the ROI and the speed of scaling.

Our experience at COREDO has shown that it is the combination of technical due diligence, legal due diligence of the startup, financial analysis of SaaS and commercial contract review that makes the conclusions reliable. If you skip even one area, the risk of unpleasant surprises is high: from open source license defects and hidden CVEs to GDPR issues and unrecognized revenue.

I follow the principle “measure twice, cut once”. That means, before signing an SPA/SSA or SAFE you need to check IP, the cap table, regulatory constraints, ARR/MRR and technological risk at the level of architecture, DevOps and data security. This creates confidence that integration will proceed without shock to the team and clients, and that jurisdictional and tax aspects will not put you at risk.

COREDO verification model: 6 contours


The COREDO verification model provides six assessment contours that comprehensively cover both the business and the project’s risks. One of the key contours, legal due diligence and IP matters, focuses on agreements, technology rights and potential risks that can significantly affect the startup’s fate.

Startup legal due diligence and IP

I start with IP due diligence, because rights to the source code and the brand are what protect the core value of the deal. I request an inventory of assets: code, libraries, patents, trademarks and domains, as well as assignment agreements with all employees and contractors. It’s important to ensure the founders had the authority, that the chain of title is clean and does not conflict with open source licenses (GPL, MIT, Apache).

I pay special attention to software escrow and source code release conditions: especially when there’s dependence on a key supplier. I review license agreements with clients, exit clauses and non‑compete, as well as dispute jurisdiction, arbitration, force majeure and the dispute resolution mechanism. In industries subject to export control and restrictions on cryptography or dual‑use technologies, compliance issues are included in the mandatory checklist.

Corporate structure and transactions

Cap table cleanliness is one of the common stop factors. I analyze the cap table, option plans, vesting and cliff, drag‑along / tag‑along, liquidation preference and anti‑dilution, as well as convertible notes and SAFE: conversion terms, preferences, potential dilution of investors. In some cases a cap table clean‑up is required before closing, which affects the timeline and the price.

COREDO’s practice confirms the importance of background checks on founders: judicial, commercial and media checks, adverse‑media monitoring and assessment of reputational risks. At the same time I review grants, subsidies and the terms of government aid to rule out hidden encumbrances. You cannot ignore lawsuits, claims and contingent liabilities: they determine the structure of warranties and holdbacks in settlements.

Regulatory framework for AML/KYC

Regulatory risks define scaling boundaries. For fintech models I analyze PSD2, local licensing of payment services and KYC requirements for corporate clients. The COREDO team configured AML/KYC frameworks including embargo and sanction lists (OFAC, EU), PEP screening and transaction analytics: this is the basis for passing bank compliance and partner checks.

GDPR and local data laws remain critical. I check data security and GDPR compliance: DPA with processors, DPIA (impact assessment), international data transfers (SCC, BCR) and the consequences of Schrems II. For data residency in certain countries of Europe, Asia and Africa, architectural segmentation is required. The solution developed at COREDO typically combines legal mechanisms with technological controls: encryption, role segregation and audit trails.

Financial due diligence for SaaS

Financial KPIs: mirrors of reality. I compare ARR, MRR, churn, gross margin and burn multiple with the monetization model and the contract base. For SaaS, revenue recognition and deferred revenue, the correctness of subscription cycles and discounts are critical. We often perform cohort analysis, check retention and NPS to see the sustainability of the streams.

Unit economics, another marker: CAC, LTV, payback period and contribution margin. If CAC “eats” LTV or the payback period falls outside hypotheses, I propose correction scenarios. Tax compliance and VAT/digital services tax in the EU affect net economics; I check VAT registration, OSS/IOSS and the correctness of invoicing. For recurring payments, PCI DSS, chargeback risks and the choice of payment provider are important.

Customer and contract verification

Commercial validation: reference customers, pilot agreements, PoC and pipeline verification. I assess customer concentration risk, the terms of enterprise contracts, SLAs and downtime penalties, as well as exit clauses. The COREDO team often reaches out to customers for independent references and metric verification: to check the reality of ARR and MRR and whether customers are genuine — cross‑checks of counterparties, bank receipts and CRM reconciliation answer that.

Technical due diligence

A technological assessment is an “X‑ray” of architecture, DevOps and security. The IT startup review includes an audit of the startup’s source code, checking commit history and the Git repository, analysis of unit tests, coverage and CI/CD processes, code scanning for vulnerabilities and SAST, as well as penetration testing and pentest results. I look at governance: code review practices, branch protection rules, SBOM and management of third‑party dependencies.

Technical due diligence: the COREDO method


For assessing the product and infrastructure we use the COREDO methodology as part of in-depth technical due diligence, which allows us to identify architectural constraints and technical risks in advance. Next we’ll move on to analysis of architecture and scalability: the key aspects that determine a system’s ability to grow and withstand load.

Architecture and scalability

I start with the architecture: technical architecture — monolith vs microservices, maturity of contracts between services, the consistency model and fault-tolerance. Scalability covers horizontal and vertical scaling, performance bottlenecks (latency, throughput), as well as designing queues and backpressure. In complex products, architectural patterns like CQRS and event-sourcing with message queues (Kafka) are applicable.

The database must support sharding and replication; I check the consistency strategy, indexing and hot‑partition risks. I rate technological risk through SLI/SLO and error budget according to the SRE approach: without observability it is impossible to predict system behavior. Where there is no SLO, I help set targets and tie them to contractual SLAs.

Repository and codebase

Checking a Git repository is not just the commit history. I evaluate the reputation and provenance of the code: signed commits, CLA and contributor license agreements, authorship and involvement of external contributors. To assess technical debt I use metrics: maintainability index, cyclomatic complexity and frequency of changes in hot files.

Processes are no less important than code. I check code review and branch protection rules, the presence of unit/integration/e2e testing and % of code coverage, practices like feature flags, canary releases and blue‑green deployment. I separately review the product roadmap, backlog health and prioritization of technical debt, as well as the quality of releases and post‑mortem processes after incidents.

DevOps infrastructure and CI/CD

CI/CD maturity means pipelines, artifacts and signed builds. Ideally builds are reproducible, and artifacts are signed and stored in a trusted registry. Infrastructure as code (Terraform, Ansible) allows tracking drift and speeds up audits. Containerization (Docker) and orchestration (Kubernetes) provide flexibility, but require image controls: image signing and vulnerability scanning.

Dependency visibility: a software bill of materials (SBOM) is becoming a standard. This is related to SCA (Software Composition Analysis) and license management, to eliminate legally problematic and vulnerable third‑party dependencies. The risk of supply chain attacks after examples like SolarWinds is not theoretical; I assess the build chain, access controls and environment isolation. Secrets and key management (Vault, KMS, HSM) plus IAM, RBAC, least privilege and MFA are mandatory elements.
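A minimal version of the SBOM review that the SCA and license checks above, and the open source license conflict check in the IP section, rely on; this is an added example and not COREDO's tooling. It reads a constructed CycloneDX-style JSON fragment, flags components under strong-copyleft licences when the product is distributed proprietarily, flags components with no declared licence, and matches component versions against a constructed advisory list whose ids are placeholders, not real CVEs.

```python
"""SBOM review for due diligence (added example, not COREDO's tooling):
licence conflicts and known-vulnerable versions from a CycloneDX-style
JSON SBOM. All SBOM components and advisory ids below are constructed."""
import json
from typing import Dict, List

# Constructed SBOM fragment in CycloneDX JSON shape (real files carry far more).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "jsonfast", "version": "1.2.0", "purl": "pkg:maven/example/jsonfast@1.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "chartlib", "version": "3.1.4", "purl": "pkg:npm/chartlib@3.1.4",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "cryptoutil", "version": "0.9.1", "purl": "pkg:pypi/cryptoutil@0.9.1",
         "licenses": []},
        {"name": "httpcore-x", "version": "2.0.0", "purl": "pkg:pypi/httpcore-x@2.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory feed; ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl_prefix": "pkg:pypi/cryptoutil", "fixed": "0.9.2", "cvss": 7.5},
    {"id": "ADV-PLACEHOLDER-002", "purl_prefix": "pkg:npm/chartlib", "fixed": "3.2.0", "cvss": 4.3},
]

# SPDX ids of strong-copyleft licences that conflict with proprietary distribution.
STRONG_COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}


def _version_tuple(v: str) -> tuple:
    # Simple numeric comparison; non-numeric parts (rc, beta) compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def review_sbom(sbom_json: str, advisories: List[dict], proprietary: bool = True) -> List[dict]:
    """Return one finding per licence problem or matching advisory."""
    sbom = json.loads(sbom_json)
    findings = []
    for c in sbom.get("components", []):
        ids = [lic.get("license", {}).get("id") for lic in c.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            findings.append({"component": c["name"], "kind": "license", "severity": "medium",
                             "detail": "no declared licence; chain of title unknown"})
        elif proprietary and any(i in STRONG_COPYLEFT for i in ids):
            findings.append({"component": c["name"], "kind": "license", "severity": "high",
                             "detail": f"{ids[0]} conflicts with proprietary distribution"})
        for adv in advisories:
            affected = (c["purl"].startswith(adv["purl_prefix"] + "@")
                        and _version_tuple(c["version"]) < _version_tuple(adv["fixed"]))
            if affected:
                severity = "high" if adv["cvss"] >= 7.0 else "medium"
                findings.append({"component": c["name"], "kind": "vulnerability",
                                 "severity": severity,
                                 "detail": f"{adv['id']} fixed in {adv['fixed']}"})
    return findings


def severity_counts(findings: List[dict]) -> Dict[str, int]:
    """Summary for the remediation roadmap: how many high/medium items."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"[{f['severity']:6}] {f['kind']:13} {f['component']}: {f['detail']}")
    print(severity_counts(review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)))
```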

Vulnerabilities and application security

Application security is built around the OWASP Top 10 and SAST and DAST tools. I check how the team tracks and handles CVEs, and how prioritization is set via CVSS. You need not only reports, but also a remediation roadmap with deadlines and owners. Penetration testing, bug bounty programs and control over closing findings demonstrate the maturity of the security culture.
If I see outstanding vulnerabilities, I propose a containment plan: temporary mitigations, accelerated patching and contractual guarantees (escrow/holdback) until full remediation. COREDO practice confirms that a transparent remediation plan is often more important than the “perfect” current picture: an investor sees a manageable risk.
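As an added example (not code from the article or from COREDO), the script below builds the artifact the two passages above describe, a remediation roadmap with CVSS‑based priorities, deadlines and owners, from a constructed CycloneDX‑style SBOM and a constructed list of SCA findings, and flags copyleft and missing licenses alongside the vulnerabilities. All component names, license ids, CVE‑format identifiers and the deadline policy are constructed placeholders.

```python
"""Added example: SBOM + SCA findings -> due-diligence remediation roadmap.
Every component, license id, vulnerability id and SLA value below is
constructed for illustration; the CVE-format ids are not real CVEs."""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM fragment (only the fields this example reads).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "webframework", "version": "2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "pdf-render", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "crypto-utils", "version": "1.0.4", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "legacy-parser", "version": "4.1.0", "licenses": []},
    ],
})

# Constructed SCA output, one finding per (component, vulnerability); placeholder ids.
SAMPLE_FINDINGS = [
    {"component": "pdf-render", "id": "CVE-0000-00001", "cvss": 9.8},
    {"component": "webframework", "id": "CVE-0000-00002", "cvss": 6.5},
    {"component": "legacy-parser", "id": "CVE-0000-00003", "cvss": 3.1},
    {"component": "crypto-utils", "id": "CVE-0000-00004", "cvss": 7.2},
]

# SPDX ids of strong-copyleft licenses that usually need legal review in a deal.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Assumed remediation policy: days allowed per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def cvss_severity(score: float) -> str:
    """Qualitative band for a CVSS v3 base score (standard 4.0/7.0/9.0 cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def license_risk(component: dict) -> str:
    """Classify a component's declared licenses as permissive, copyleft or unknown."""
    ids = [e.get("license", {}).get("id") for e in component.get("licenses", [])]
    ids = [i for i in ids if i]
    if not ids:
        return "unknown"  # missing license metadata is a finding in its own right
    if any(i in STRONG_COPYLEFT for i in ids):
        return "copyleft"
    return "permissive"


@dataclass
class RoadmapItem:
    component: str
    issue: str      # vulnerability id or "license:<risk>"
    severity: str
    owner: str
    due: date


def build_roadmap(sbom_json: str, findings: list, owners: dict, start: date) -> list:
    """Merge license and vulnerability findings into one list ordered by severity."""
    items = []
    for comp in json.loads(sbom_json)["components"]:
        risk = license_risk(comp)
        if risk == "permissive":
            continue
        sev = "high" if risk == "copyleft" else "medium"
        items.append(RoadmapItem(comp["name"], f"license:{risk}", sev,
                                 owners["legal"], start + timedelta(days=SLA_DAYS[sev])))
    for f in findings:
        sev = cvss_severity(f["cvss"])
        items.append(RoadmapItem(f["component"], f["id"], sev,
                                 owners["engineering"], start + timedelta(days=SLA_DAYS[sev])))
    items.sort(key=lambda i: (SEVERITY_ORDER.index(i.severity), i.due, i.component))
    return items


def severity_counts(items: list) -> dict:
    """Headline numbers for the investment memorandum."""
    counts = {}
    for item in items:
        counts[item.severity] = counts.get(item.severity, 0) + 1
    return counts


if __name__ == "__main__":
    roadmap = build_roadmap(SAMPLE_SBOM, SAMPLE_FINDINGS,
                            {"legal": "General Counsel", "engineering": "CTO"}, date(2026, 1, 1))
    for it in roadmap:
        print(f"{it.severity:8} {it.component:14} {it.issue:18} {it.owner:16} due {it.due}")
    print(severity_counts(roadmap))
```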

Data encryption and compliance

Data require a systematic approach: encryption at rest and in transit, classification, key policies and secret rotation. I assess logging, monitoring and observability to verify the completeness of audit trails. For mature companies it is important to check compliance with standards like ISO27001 or SOC2 — and the reality of implemented controls.

Backups, retention strategy and recovery testing are basic things that are often underestimated. I validate RTO and RPO, as well as the disaster recovery plan (DRP). Without regular recovery testing, backups are just an expensive illusion of security.

Vendors and third-party dependencies

Third‑party vendor risk assessment is not a formality: cloud providers, analytics, PSPs and KYC providers affect availability and compliance. I check DPAs, SLAs, penalties, the right to audit and migration terms. Software supply contracts, service level agreements and penalties must be synchronized with your promises to customers. For critical components we discuss software escrow and the conditions for source release.

COREDO Cases: Typical Scenarios


In COREDO’s practice we systematize typical scenarios and cases to provide practical guidance for complex cross-border operations. The first example — the purchase of a European SaaS from Slovakia by a fund from Singapore — clearly demonstrates the key legal, tax and corporate issues that participants most often face.

Singapore fund to buy a Slovak SaaS

The investor approached us with the request “how to conduct technical due diligence of a startup before acquisition”. The startup showed healthy ARR and MRR, but churn was masked by promotional periods. The COREDO team carried out financial due diligence of the SaaS, verified revenue recognition and deferred revenue, and then a commercial review of customers and contracts with a focus on enterprise SLA.
Technical due diligence revealed bottlenecks in database scalability (lack of sharding and hot partitions) and an immature DPA process. We prepared a roadmap: assessing architecture scalability and bottlenecks, implementing caching (Redis, CDN) to reduce latency and configuring SCC for international data transfers. The deal closed with a 7% price reduction and an escrow pool tied to SLO fulfillment.

Licensed fintech in Estonia

The client was developing a payment service in the EU and sought partnerships with banks. The solution developed by COREDO included licensing in Estonia, review of local regulation and licensing in the countries of operation, setting up AML/KYC (PEP screening, EU/OFAC sanctions), as well as reviewing the AML policy/KYC for corporate clients. The technical block included PCI DSS, secret management (KMS), encryption and SAST/DAST.
Following the due diligence we updated the DPIA, strengthened IAM and RBAC, implemented MFA and tailored the DRP with RTO/RPO to banking requirements. The partner bank accepted our documentation without comments; the license and compliance opened access to large enterprise clients and reduced funding costs.

Integration into a corporate portfolio and M&A

The corporation was acquiring a startup with a microservices architecture on Kubernetes. M&A risks arose: integration complexity, tech harmonization and differing ISO/SOC standards. The COREDO team developed an integration playbook: unification of CI/CD with signed builds, SCA and SBOM across the whole group, an image signing policy and a unified vulnerability matrix with CVSS prioritization.
We synchronized SLAs and SLOs, implemented a unified observability stack and conducted a vendor risk assessment for shared suppliers. The integration proceeded without downtime; commercial teams were able to aggregate the pipeline without delays, and ITSM incidents decreased by 30% over the quarter.

Checklists and questions for founders, CTO


Checklists, precise questions and checkpoints for founders and CTOs help quickly reveal gaps in the process, assess risks and understand where supporting documents are needed. Below is the mandatory list of documents and evidence that I always request to verify the stated metrics and make an informed decision.

Documents and evidence I request

  • IP and legal: IP register, agreements transferring code rights (employees and contractors), patents and trademarks, software escrow and release terms, open source licenses and SCA reports.
  • Commercial: list of top clients, contracts, SLAs, penalties, exit clauses, non‑compete, references, pilot agreements and PoC.
  • Financial: reports on ARR/MRR/churn, revenue recognition and deferred revenue, cohort analysis, unit economics (CAC, LTV, payback), payment reconciliation and chargeback statistics.
  • Regulatory: licenses and permits (including PSD2/financial), DPA, DPIA, SCC/BCR, data residency policy, ISO27001/SOC2, PCI DSS.
  • Security and engineering: SAST/DAST reports, pentest results, remediation roadmap, SBOM, secret management policy (Vault/KMS/HSM), IAM/RBAC, DRP plans and recovery tests.
  • Corporate: cap table, option plans (vesting, cliff), SAFE/convertible notes, liquidation preferences, anti‑dilution provisions, board and shareholder minutes.
  • Legal and compliance: current/potential disputes, regulatory correspondence, sanctions and PEP checks of counterparties, tax compliance and VAT in the EU.

CTO questions for the pre-investment audit

  • What to check in the source code when investing in a startup: ownership, test coverage, complexity and dependencies.
  • How to assess the scalability of a SaaS architecture: target SLOs, current bottlenecks (latency/throughput), sharding/caching plan.
  • What the DevOps practices review includes: reproducible and signed builds, IaC and drift control, release policy (canary, blue‑green), post‑mortems.
  • How to assess risks of using open source: SBOM/SCA, GPL/MIT/Apache licenses, update process and CVE remediation.
  • How to limit risks when integrating a third‑party service: vendor risk assessment, SLA, right to audit, escrow, migration and lock‑in assessment.
  • What guarantees to require for backups and RTO/RPO: recovery test procedures, reports, independent verification.
  • How to verify GDPR compliance and cross‑border processing: DPA/DPIA, SCC/BCR, data mapping, minimization and logging.

COREDO Support: How to Reduce Risk

I structure the work in phases with clear artifacts. At the start we establish the deal hypothesis, geography and regulatory perimeter: EU, Czechia/Slovakia, Cyprus/Estonia, United Kingdom, Singapore and Dubai — COREDO’s practice is especially strong there. Next we open the virtual data room and launch parallel tracks: legal, regulatory/AML, financial, commercial and technical.

Each track has its deliverables: from a report on the startup’s legal due diligence and an IP map to a technical risk matrix with an assessment of technological risk and a remediation plan. The output is a consolidated investment memorandum where risk items are linked to the economics of the deal: price adjustments, escrow/holdback terms, warranty obligations and KPI blocks. This approach shortens negotiations and simplifies post-closing integration.

A separate vector is licensing and registration. If the model requires a license (crypto, forex, payment services), the COREDO team takes on structuring, preparation of AML/KYC policies, configuration of transaction analytics and engagement with the regulator. For registering legal entities in the EU, United Kingdom, Singapore or Dubai we prepare a set of incorporation documents, a banking package and a tax compliance plan.

How to contractually mitigate red flags

  • Unresolved critical CVEs and a failed pentest. Solution: remediation roadmap with deadlines, escrow/holdback until closing, reps & warranties and the right to an independent re‑test.
  • Lack of agreements assigning code rights from part of the team. Solution: urgent assignment, cap table adjustment, partial price adjustment.
  • Customer concentration and fragile enterprise contracts. Solution: earn‑out, expanded SLAs, liability insurance, pilots with diversification.
  • Weak GDPR compliance and absence of SCC/BCR for cross‑border transfers. Solution: DPA/DPIA before closing, controlled regional rollout, architectural segmentation.
  • Issues with revenue recognition and deferred revenue. Solution: restatement, valuation adjustment, covenants on financial reporting.
  • Tax and VAT risks. Solution: price reserve, voluntary correction, post‑closing support and registration in OSS/IOSS schemes.

Hiring the core team by region

Regional risks in Europe, Asia and Africa differ in localization, licensing and provider stability. I recommend checking local regulation and licensing in countries of presence, export controls and restrictions on cryptography in advance. In some regions data residency is required, which entails infrastructure segmentation and duplication of DR processes.

Hiring requirements and visa and migration practices for the key team often affect the roadmap. The COREDO team assists with relocation, obtaining permits and adjusting option plans taking into account local regulations. ESG and corporate governance become a factor in investment evaluation: a transparent board of directors, ethics and data protection policies improve access to capital and partnerships.

Conclusions

Investment due diligence for a startup is not a set of disparate checks, but an interconnected system in which legal, financial, commercial, and technical blocks reinforce one another. When this mechanism operates smoothly, a startup’s pre-investment valuation becomes more accurate and the deal structure safer. In my approach, COREDO acts as an integrator: from company registration and obtaining financial licenses to AML consulting and in-depth technical expertise.

I tell clients honestly: there are plenty of challenges, but they can be addressed predictably. COREDO’s practice confirms that process transparency, verifiable metrics, and well-designed contractual mechanisms mitigate key risks: from IP and GDPR to CVE and SLA. If it is important for you to make an investment decision without guesswork and with control over post-integration, this framework will become a reliable foundation, and the COREDO team your long-term partner.

I have been leading COREDO since 2016 and see every day how entrepreneurs in Europe, Asia and the CIS countries balance the need to protect privacy with the duty of full transparency towards banks and regulators. Nominee services for companies are a finely tuned instrument. They work when AML/KYC methodology is observed, powers are properly documented and economic substance is established; and they also carry significant legal, tax and reputational risks if implemented carelessly.

Over the years the COREDO team has delivered projects in the EU, the Czech Republic, Slovakia, Cyprus and Estonia, as well as in the United Kingdom, Singapore and Dubai. We’ve taken clients through the full cycle, from company formation and bank account opening to obtaining financial licenses and an independent AML audit. In this article I combine COREDO’s practice and the regulatory novelties of 2024–2026 to give you a practical roadmap for nominee service taking into account beneficial ownership registers, economic substance requirements and evolving rules on information exchange.

Why do entrepreneurs need nominee service?

Nominee director and nominee shareholder: these are appointed persons, formally holding positions and/or owning shares on behalf of the beneficiary (beneficial owner). Nominee holder services are used for operational flexibility, protection from competitors’ intrusive attention, and structuring corporate governance when operating in multiple jurisdictions. A proper nominee arrangement does not change economic control and does not conceal the UBO; it allocates functions and formalizes agency powers.

It is important to distinguish between trust and nominee structures. A trust is a separate legal relationship with the fiduciary duties of the trustee, where the beneficiary has a beneficial interest in the assets. A nominee shareholder acts as an agent, holding shares under an agreement and according to the UBO’s instructions, without an independent economic interest. Confusion here leads to incorrect tax and compliance conclusions.

The boundary of control is the key criterion. The nominee’s agency powers should not turn into de facto management of the business without oversight by the beneficiary. When a nominee makes strategic decisions and the documents do not record mechanisms for instructions and reporting, there is a risk of reclassification of control and of questions regarding substance and tax residency.

Regulatory outlook 2024–2026

The overview of regulatory changes for 2024–2026 reveals key trends toward tighter control and greater transparency requirements for corporate structures. Below we examine in detail what changed in nominee service practice in 2026 and what this means for compliance and operations.

What changed in nominee service in 2026?

By 2026, regulation of nominees in the EU and leading international centers is becoming more detailed. Beneficial ownership registers in the EU are evolving after restrictions on public access: access remains available to obliged entities (banks, corporate service providers) and regulators, and data verification standards are being tightened. COREDO’s practice confirms that even with formally closed registers, requests from banks and FIU (Financial Intelligence Unit) require the same depth of transparency as in 2022–2023.

AMLD6 strengthens the harmonization of UBO definitions and raises requirements for “reasonable measures” to identify owners in multi‑level structures. This affects nominee service changes in 2026: increased due diligence of nominees, formalization of instructions and protocols, a ban on opaque chains and a renewed emphasis on the company’s statutory registers. The era of bearer shares is over: their bans are effectively universal, and attempts at similar schemes are flagged as anti‑abuse.

Beneficial ownership registers in 2026 will likely receive improved APIs for inter‑agency exchange, and the obligation to update data within short timeframes will become standard. In the UK, Companies House is strengthening verification controls, and in a number of EU countries a preliminary KYC filter is being implemented when submitting UBO data, which increases the responsibility of the applicant and the provider.

Impact of CRS, FATCA and BEPS on nominees

CRS (Common Reporting Standard) and FATCA continue to act as an “X‑ray” for cross‑border shareholders and accounts. From 2026, active integration of the Crypto‑Asset Reporting Framework (CARF) by a number of jurisdictions is expected, which will erase the illusion of “invisibility” of operations with tokenized shares and corporate wallets. In COREDO projects we are already implementing CARF‑compatible processes in corporate and licensed crypto structures in Cyprus, Estonia and Singapore.

BEPS/OECD rules and the global minimum tax are prompting a reassessment of substance and the place of effective management. When a nominee director is registered in one country, the actual management is exercised in another, and meeting minutes and IP rights are in a third, the risk of disputed tax residency increases. Our experience at COREDO has shown that clear documentation of locus of mind and management, board schedules, delegations and the geography of management reduces the likelihood of claims.

AML and nominee service: a guide

With tightening AML requirements, nominee service providers and their clients are forced to implement robust compliance procedures. This practical guide focuses on KYC/CDD/EDD and UBO identification, explaining the steps necessary to manage risks and meet regulatory requirements.

Know Your Customer / Customer Due Diligence / Enhanced Due Diligence: identification of the Ultimate Beneficial Owner

From the Anti‑Money Laundering (AML) compliance perspective, a nominee is a risk‑enhancing factor, meaning an increased level of scrutiny is required. KYC / CDD procedures for nominees include identity verification, source of funds and source of wealth checks, confirmation of professional background, and independent reference letters. Apply Enhanced Due Diligence (EDD) for nominee holders if there are offshore elements, complex chains or politically exposed persons (PEP screening).

Ultimate Beneficial Owner (UBO) identification must cover all natural persons meeting the ownership and/or control threshold (usually 25%, but in some regimes lower or based on control). At COREDO we often use a risk‑based approach: if the structure goes deep into trusts or partnerships, we apply a look‑through to the ultimate beneficiary, even if formal thresholds are not met.

AML requirements for nominee services

To comply with AML for nominee service, formalize: a nominee agreement, a powers matrix, an instructions policy, a reporting regime, and control measures. FIU reporting and SARs (suspicious activity reports) should be integrated into both the provider’s and the company’s procedures, with escalation thresholds and training for responsible staff. The COREDO team implements record‑keeping obligations and statutory registers as living documents: instruction protocols, a powers of attorney issuance log, a shareholder register and a UBO register synchronized with the jurisdiction’s registers.

GDPR affects the processing of beneficiaries’ and nominees’ personal data: data minimization, legal bases, DPIAs for high‑risk processing and data retention policies. Ignoring GDPR creates vulnerabilities in banking KYC and in cross‑border exchange. The solution developed at COREDO: a single register of consents and retention periods, linked to the client matter and document type, with automatic alerts for deletion deadlines.

Reducing false positives in AML software

A modern compliance ecosystem is not a set of disjointed tools. We integrate KYC, sanctions screening and transaction monitoring into a single platform to avoid data fragmentation and interpretation errors. Real‑time monitoring of sanctions and media risks, transaction patterns, alerting and subsequent incident investigations are combined and documented in case management.

False positives are inevitable, but their ratio is an important KPI. Optimizing screening rules, contextual lists and regular scenario calibration help reduce “noise”. COREDO’s practice shows that a risk‑based approach, combined with regular model testing (model validation), shortens the onboarding cycle without compromising control quality.

Tax aspects of economic substance

The concept of Economic substance today serves as a measure of genuine business activity and directly affects the tax aspects of companies operating in international jurisdictions. In the following points we will examine in detail what substance requirements are imposed on companies with nominees and what consequences their non-compliance entails.

Substance for companies with nominees

Economic substance requirements (substance requirements) relate to the presence of an office, staff, management functions and the real conduct of activities in the jurisdiction of registration. For companies with nominees the pressure is higher: regulators and tax authorities expect evidence that managerial decisions are not “on paper”. In COREDO projects for Slovakia and Cyprus we prepare directors’ meeting schedules, local contracts and reporting to demonstrate the center of management.

Tax mobility and the place of tax residency depend on where key decisions are made and where value is created. When a nominee director signs but the real management is abroad, there is a risk of reclassification. Formalize “reasonable measures” to prevent discrepancies: technological meeting logs, geotags, local contracts and evidence of available resources.

Tax risks of using a nominee service

Tax risks of nominee service include reclassification of beneficial ownership and disputes over the applicability of double tax treaties. How to prove the absence of control by a nominee shareholder? Through a nominee agreement, custodial holding of share certificates, confirmation of lack of dividend interest and documented instructions from the UBO. The tax consequences of transferring shares to a nominee in EU countries require an assessment of dividend withholding, rules on counterparties with significant participation and anti‑abuse provisions.

Contractual guarantees

Contractual guarantees and legal instruments are necessary to minimize risks when transferring rights and managing corporate assets. Below we will move on to practical schemes and drafting features, including the nominee agreement and best practices within EU law.

Best practices for a nominee agreement in the EU

Best practices for drafting a nominee agreement in the EU include a clear definition of the agent role, the nominee’s fiduciary duty, a prohibition on unilateral actions, instruction procedures, audit rights, AML and confidentiality obligations, as well as contractual guarantees. Fix the nominee director’s liability through the described duties and standards of good faith, as well as through indemnities and liability caps agreed with the provider.

A nominee agreement template should include an obligation to fully disclose the UBO to regulators and banks if required by law. For the beneficiary it is important to have the right to immediate replacement of the nominee in case of breach of AML policies, and for the provider the right to suspend execution of instructions upon sanctions and AML triggers. Such symmetric mechanisms reduce the systemic risk for both parties.

Escrow and powers of attorney: the digital trail

Escrow mechanisms and conditional deposits help securely store original share certificates or key corporate documents, as well as manage the nominee’s fee. A Power of Attorney (POA) and an instruction matrix are drafted with limitations of authority and timeframes, and all changes are made by board resolutions. An audit trail and an evidentiary base in disputes require careful record‑keeping: an instruction log, a chronology of decisions and cross‑references to transactions.

Blockchain notarization and using blockchain to store records of nominee agreements is a workable option to ensure immutability of records, especially in cross‑border disputes. Smart contracts for automating nominee terms remain a niche tool, but we already see cases where smart escrow records the occurrence of conditions for transfer of control or dividends.

Sanctions and criminal risks

Sanctions compliance and screening are part of basic hygiene for nominee arrangements. Sanctions against a country, company or person affect the nominee service immediately: service suspension, asset freezes, notifications to the bank and regulators. When a nominee arrangement is used to hide the UBO or to evade sanctions, there is a risk of criminal liability and confiscation.

The legal consequences of hiding the UBO in 2026 are only intensifying: regulators actively exchange data, and banks fine for false declarations. At COREDO we include in contracts an obligation of immediate notification of sanctions events and a trigger for restructuring with the involvement of an external sanctions adviser.

Operational scenarios: from account to M&A

Operational scenarios cover a wide range of tasks: from managing a bank account to supporting M&A, and require coordinated processes, automation and strict risk controls. Below we consider bank KYC and cross-border governance as key elements of compliance and operational resilience.

Bank KYC: cross-border governance

Interaction with bank KYC during account opening is the most sensitive stage. The bank will request a full package: nominee agreement, appointment minutes, UBO confirmations, source of funds and substance arguments. Our experience at COREDO has shown that early engagement with the bank and providing a transparent structure map increase the likelihood of opening an account in the Czech Republic, Estonia, the United Kingdom and Singapore.

Cross-border corporate governance and corporate law require consistency: where statutory registers are kept, how nominees are appointed and removed, and which law applies to the shareholders’ agreement. Inconsistency creates delays and red flags with banks and regulators.

M&A, public deals, alternatives to nominee

Legal risks from using a nominee in M&A transactions are related to representations and warranties (W&I), disclosure of the ultimate owner and synchronization of voting and dividend rights. Rules for disclosing the ultimate owner in public transactions are stricter and often incompatible with anonymizing structures. We incorporate into the SPA mechanisms for phased UBO disclosure and escrow unwind upon confirmation of control.

Alternatives to nominee service include a trust, a corporate secretary, and agency agreements with limited functions. Sometimes it is more sensible to split roles: the secretary maintains the registers, the agent performs narrow functions, and the director provides only operational signatures. Such modularity reduces concentration of risk in a single person.

Digital Identification Technologies

Modern digital identification technologies are reshaping methods of identity verification and access management, combining user convenience with security and compliance requirements. Below we will examine in detail the key elements of this ecosystem, e‑KYC, the eIDAS regulations and remote onboarding practices, to understand their significance for businesses and customers.

eKYC, eIDAS and remote onboarding

Digital identification and e‑KYC capabilities for nominees radically accelerate processes. eIDAS and qualified e‑signatures make it possible to conduct board decisions and sign nominee agreements remotely with strong evidentiary weight. Remote onboarding and biometric verification shorten onboarding timelines while maintaining reliability and creating a clear digital trail.

Integration of AML software to track nominee structures combines sanctions monitoring, media screening, transaction analysis and case management. Performance metrics (onboarding time, fraud alert rate, share of false positives) become part of regular reporting for management.

Contract Storage and Smart Contracts

Using blockchain to store records of nominee agreements provides immutability and verifiability. Smart contracts automate conditions for the transfer of rights, execution of instructions, or payment of fees tied to KPIs. While such solutions do not replace a legal contract, they create a strong audit trail and reduce operational errors.

Data retention policies establish retention periods and access controls. Data governance is not only a matter of security but also evidence of good faith in disputes and FIU audits.

How to choose a nominee service provider

When choosing a nominee service provider, it is important to combine reputation checks with the ability to control the quality of the services provided. The section on due diligence and licensing will indicate which documents, checks and standards should come first when comparing candidates.

Provider due diligence

How to choose a nominee service provider with minimal risk? Check the licensing of corporate service providers in the relevant jurisdiction, reputation, availability of PI insurance, an independent audit of AML processes and the composition of the compliance team. Provider quality control, the due diligence checklist: KYC procedures, sanctions screening, training plans, case management, incident response, GDPR policies and FIU reporting.

Compliance as a Service for nominee providers is a growing trend. The COREDO team has implemented hybrid models where part of the AML functions is centralized in a separate platform of the client, and the nominee provider connects via API and sends events to a unified data bus.

Service economics: fee structure, ROI and TCO

The commercial model of a nominee: a transparent fee structure tied to duties and SLAs, plus success fees for complex cases (for example, licensing). Evaluate the TCO (total cost of ownership) of nominee solutions: base fees, AML software costs, audits, legal updates and a reserve for crisis management. ROI is not only time savings, but also a lower likelihood of delays with the bank and regulator fines.

Performance metrics: onboarding time, completeness of the UBO dossier, share of rejected bank applications, response time to sanctions alerts. Reputational risk management and crisis management KPIs: prepared press briefings, contact persons, an escalation timeline and nominee replacement scenarios.

COREDO Case Studies

In one of the projects in Estonia, the client was launching a licensed virtual assets provider and insisted on a nominee director until the permanent one was approved. We carried out Enhanced Due Diligence (EDD) for the nominee, integrated e‑KYC, prepared a nominee agreement with clear limits and document escrow. The bank in Tallinn requested an additional audit trail: the solution developed at COREDO provided synchronization of instructions with board meetings and AML‑platform logs, and the account was opened without delays.

Another case: an EMI license in Slovakia with a nominee shareholder involved for the transition period. We structured the share capital so the beneficial owner retained economic control, and the nominee shareholder had no access to dividends or votes without instructions. Contractual indemnities and the replacement procedure were tested in tabletop exercises, and FIU procedures were integrated into the client’s platform. The regulator accepted the substance arguments, since the key managers were working in Bratislava.

A third example: a holding in Dubai with operations in the EU and the UK. The sanctions landscape was changing, and the client feared payment blocks. The COREDO team implemented real‑time sanctions monitoring, updated KYC for nominees, implemented conflict of interest rules and approved crisis scenarios. When one of the counterparties was added to extended lists, an alert fired within an hour, and we filed the SAR notification in time and restructured the payment flow.

Scaling nominee services across jurisdictions

Scaling a business using nominee services in multiple jurisdictions requires a compliance matrix: UBO registers in the EU and international registries, local AML rules, substance and banking practices. Management of conflicts of interest between the beneficiary and the nominee is formalized through a code of conduct, independent compliance and regular reports to the board.

Information exchange between jurisdictions and ML/TF risks increase as the network of companies grows. Integrating KYC, sanctions and transaction monitoring into a single platform accelerates data consolidation and provides an end-to-end audit trail. The impact of CRS and FATCA on nominee structures in multi-tiered schemes requires a risk map, which we update in line with OECD and EU releases.

How to safely launch a nominee service

  1. Needs assessment. Determine whether a nominee is truly necessary, or whether alternatives will suffice: a corporate secretary, an agency agreement, a trust for specific assets.
  2. Structuring. Describe the corporate structure, control boundaries, substance and tax residency.
  3. Provider selection. Conduct due diligence on the provider, check licenses, AML processes, PI insurance and reporting.
  4. Documentation. Prepare a nominee agreement, an authority matrix, POA, escrow mechanics, an instructions policy and a conflicts of interest policy.
  5. AML/KYC. Implement CDD/EDD, UBO identification, PEP screening, sanctions compliance, FIU/SAR procedures and record‑keeping obligations.
  6. Banks. Agree with the bank in advance the document package, substance arguments and UBO disclosure.
  7. Technology. Set up an integrated AML platform, e‑KYC, e‑signatures, case management and performance metrics.
  8. Monitoring. Introduce KPIs, regular reviews of UBO registers, contract reviews and updates based on regulator responses in 2024–2026.
  9. Crisis plan. Provide for replacement of the nominee, sanctions scenarios, communications and legal support for the nominee service.
  10. Audit. Conduct periodic independent audits and forensic accounting where there are signs of irregularities or at the request of the bank/regulator.

Conclusions

A nominee service is a corporate governance tool, not a way to hide the beneficial owner. Its effectiveness in 2026 is measured by transparency, the quality of AML/KYC, economic substance and readiness for cross-border data exchange under CRS, FATCA and new digital standards. When nominee services for companies are structured according to best practices, they accelerate scaling, protect operational processes and reduce friction in banking and regulatory interactions.

At COREDO I see the task not as “finding a nominee”, but as building a resilient architecture: legal documents, a verifiable economic reality, a digital footprint and a unified compliance platform. Our experience confirms: thoughtful transparency and discipline in the details are the best strategy against regulatory uncertainty and unexpected inspections. If you are planning a structure involving a nominee director or nominee shareholder in the EU, the United Kingdom, Singapore, Dubai, the Czech Republic, Slovakia, Cyprus or Estonia, incorporate the 2026 requirements today — you will save time, lower TCO and strengthen the trust of banks and partners.
