Coredo

In recent years «beneficial ownership transparency» has ceased to be a narrow compliance term and has turned into a board-level topic. By 2026, against the backdrop of the EU AML package 2021–2026, the tightening of AMLD6 and global pressure from the FATF, companies, banks and payment providers are restructuring processes as if oversight will become total tomorrow.

My experience has shown: those who do not fight the trend but design business processes with UBO realities in mind come out ahead. EU beneficial owner registers, UBO registration rules when forming a legal entity in the EU, information exchange between jurisdictions: all of this has ceased to be «paper» bureaucracy. It is the very core of the operating model on which access to banking services, onboarding speed, the ability to obtain licenses and expansion into new markets depend.

Who is a UBO and why are thresholds needed?

Complex ownership structures and UBOs: my daily reality. Trusts and foundations, nominee shareholder arrangements and nominee directors, remnants of historical mechanisms like bearer shares (which are de facto prohibited), these are all layers that compliance peels away one by one. The practice of COREDO confirms: if a structure looks “too neat”, the bank will immediately raise the bar: enhanced due diligence (EDD) is inevitable.

UBO Registers 2026

UBO Registers and the Fight Against Money Laundering

COREDO’s practice confirms: a UBO register and information exchange between jurisdictions via TIEA and MLA are not theory but a tool for «rapid tracing» of control, especially in M&A transactions and when entering new markets. We regularly see how open-access registers vs restricted-access ones differently affect the speed of banks’ Due Diligence of UBOs and the risk of de-risking clients from offshore jurisdictions.

How banks verify UBOs in offshore jurisdictions

KYC and UBO: the combination without which you won’t be able to open an account or keep correspondent banking relationships. Bank UBO due diligence includes checking UBOs in offshore jurisdictions: banks use methods to verify beneficiaries through registers, requests to CSPs, independent sources, sanctions regimes and lists, PEP screening and adverse media. When a structure includes trusts and foundations, beneficiary verification for trusts and foundations requires a named breakdown of beneficiary classes and protector roles.

Requested documents and evidence

How do banks verify UBOs in offshore jurisdictions? At the core is a chain of documents: articles of incorporation, shareholder registers, trust declarations, director appointment minutes, certificates of good standing, CSP letters about nominee structures, and confirmations of the renunciation of bearer shares. Which documents prove the UBO in offshore jurisdictions? It always depends on the jurisdiction, but the single principle is the same: documentary continuity from the legal entity to the ultimate beneficiary with verified identity.

ETL pipeline and graph databases

Automating UBO checks for banks is impossible without integrating UBO registries into banks’ KYC pipelines. API tools for accessing UBO registries, APIs for exchanging registry data and real-time screening of UBO registries provide an advantage in time to onboard and reduce false positives/false negatives in checks. The solution developed at COREDO for one of the partner banks built an ETL pipeline for UBO registries with data quality validation, storage of data provenance and multi-stage source verification.

Graph analysis of company ownership and link analysis for detecting UBOs is my favorite part. Graph databases (for example, Neo4j) make it possible to visualize chains of dozens of entities and detect fraud analytics and shell structures. Machine learning helps with entity matching and fuzzy matching, and blockchain for storing provenance data improves audit immutability. Such a stack reduces MTTR on compliance cases and increases TPR with controlled FPR: metrics that CFOs understand without translation.

Metrics and ROI of AML technologies

Any technology is worth exactly as much as the savings it delivers or the risk it reduces. The costs of implementing UBO procedures in a bank and the compliance cost per customer should be compared with ROI metrics: reduction in time to onboard, decrease in operational hours spent on repeat requests, reduction in the number of SARs (suspicious activity reports) without loss of quality, and increased case throughput. The COREDO team implemented an ROI calculation model where we link the operational scalability of AML processes to business volume and correspondent relationship uptime.

Tuning of transaction monitoring rules and algorithms for prioritizing UBO checks helps eliminate bottlenecks in compliance queues. Compliance automation: RPA and workflows create repeatability and version control of playbooks. When the task is scaling AML processes for multinational companies, unified data quality control and data reconciliation (entity resolution) between systems deliver the real economies of scale.

Regulatory framework: standards and penalties

The UBO register and sanctions lists are a pairing that banks check daily. The bad news: sanctions regimes are updated unevenly; the good news: UBO monitoring practices in banks for 2026 already incorporate adverse media and PEP flags into unified screening frameworks. COREDO’s practice confirms: companies that document data provenance and best practices for documenting UBO sources more easily meet regulatory inquiries and respond to audits without stress.

COREDO case studies: solutions to complex challenges

First case: a fintech group entering the EU through a payment services license in Cyprus. The client came with a complex ownership structure involving a trust and two holding companies in different Asian jurisdictions. The COREDO team built an ownership graph, assessed the reliability of UBO data, and prepared compliance playbooks for UBO checks. Result – Licensing was completed on time, and the acquiring bank reduced time to onboard by 40% thanks to a pre-agreed document package and an EDD dossier.

Second case, a crypto provider opening an office in Estonia with subsequent expansion to the UK and Dubai. Registering UBO when forming a legal entity in the EU required alignment with the FCA’s AML registration requirements and with VARA rules in Dubai. The solution developed at COREDO included automation of KYC and UBO checks via API, entity matching with EU beneficiary registries and negative news. The client avoided de-risking of clients from offshore jurisdictions, as the banking dossier contained justification of control and a renunciation of nominee structures.

Third case: M&A with an offshore target asset and correspondent banking risks. We performed due diligence on the M&A involving an offshore target, built link analysis, identified nominee owners at the level of the second holding and proposed a restructuring to fall below the 10% UBO threshold in the EU with disclosure of the actual controller. This removed the risk of the deal being blocked by correspondent banks and reduced the cost of insuring representations and warranties.

Preparing a company for a bank UBO request

First – an ownership structure map showing all beneficial interests. Include shareholdings, control rights, shareholders’ agreements, trust documents and confirmations of the roles of protector and settlor. Second – a KYC package for each UBO: proof of identity, address, source of funds confirmation, PEP status and adverse media results. Third – a policy for monitoring changes in ownership structure and UBOs with an SLA for data updates and procedures for notifying the bank.

How to avoid mistakes when declaring UBOs? Do not rely on generalizations and “umbrella” formulations. Specify thresholds, disclose concerted actions and avoid nominee terminology without explanations. If foundations and offshore legal structures are present: attach legal opinions on the nature of control and beneficial interest, as well as letters from the CSP. At COREDO we implement checklists that minimize the risk of bank rejections.

Registry data quality: normalization

Integrating UBO registries into banks’ KYC pipelines via API increases speed. Still, do not forget about access control and personal data protection: set up a lawful basis for access to UBO data and an access revocation procedure. In some jurisdictions, part of the data is available only upon request from authorized persons – the COREDO team prepares such requests in advance and factors in a buffer in project plans.

Compliance: What to monitor at the C-level

Best practices for UBO verification for C-level: regular reports with performance and risk metrics. Include MTTR for compliance cases, FPR/TPR for screening, time to onboard, the number of cases in EDD and the share of structures with trusts and nominees. Add a cost-benefit analysis of implementing UBO registries and ROI metrics: reduction in cost per client, preserved correspondent relationships and the speed of opening bank accounts.

Practical steps for the CFO when assessing UBO risk: classify jurisdictions by EDD complexity, create a catalog of CSPs and company formation agents with a reliability rating, and create a map of sanctions linkages. The COREDO team implemented an owner risk-scoring model for a multinational client, where machine learning and graph features improve the accuracy of prioritizing UBO checks and reduce the load on the EDD team.

Linking the UBO to the actual operation

COREDO’s practice confirms: early alignment of UBO and licensing requirements saves weeks.

In Asia and the Middle East, the differences are significant. In Singapore, MAS emphasizes actual control, while in Dubai VARA and local regulators require clear documentation of ownership. In the Czech Republic, Slovakia, Estonia and Cyprus the processes are formally straightforward, but banks supplement them with their own EDD. The COREDO team builds a unified package that equally convinces the registering authority and the bank officer.

Outsourcing vs in-house: sustainable model

Shared utilities and centralized registries: a logical future. Corporate registries and interoperability will reduce the costs of duplicated checks, but there’s still a way to go before unified standards. For now, the winner is the one who can link different sources, maintain entity resolution and support real-time screening where it is critical for payments and correspondent settlements.

Monitoring changes in ownership structure

Monitoring changes in ownership structure and UBO is a process, not an event. I set an SLA for data updates: changes to the EU register of beneficial owners and to bank dossiers within specified business days. Include triggers: new shareholders, director changes, emergence of nominee services, trust relocation, material M&A transactions.

Banks value transparency and predictability. If a company announces a restructuring in advance and provides a package of documents, the risk of account freezes is noticeably lower. In one project, a solution developed at COREDO automated bank and registrar notifications via RPA, reducing the update cycle from weeks to days.

Common mistakes: how to avoid them

The first mistake: underestimating nominee structures and front owners. The bank will spot it if the beneficial owner is “hiding” behind a service company without a business reason. Second: incomplete information on trusts and funds: ignoring the protector, failure to provide a letter renouncing bearer shares, lack of description of beneficial interest. Third — lack of a documented source of funds for the UBO.

How to reduce onboarding time during UBO checks? Assemble the package in advance, use BODS standards and formalized structure diagrams, note sanctions and PEP checks, attach an adverse media report. Our experience at COREDO has shown that a proactive approach reduces the number of follow-up requests from the bank by 30–50% depending on the jurisdiction.

Conclusions: what to do next

COREDO was created to connect clients’ strategies with real regulatory practices in the EU, the United Kingdom, the Czech Republic, Slovakia, Cyprus, Estonia, Singapore and Dubai. I see how well-designed UBO processes, supported by technology and clear playbooks, turn the “pain” of compliance into a scalability advantage. Going forward, those who embed the UBO circuit into their business architecture will win: from company registration to bank onboarding and day-to-day operations.

UBO Registers 2026: public vs closed

Institutional interoperability is growing thanks to the Beneficial Ownership Data Standard (BODS) and the Open Ownership platforms, but the standard’s implementation is uneven. Where national corporate registers are synchronized with UBO records and use BODS, banks gain in time to onboard and reduce FPR without losing TPR. Below: a practical comparison.

Regulatory framework 2026: UBO checks

The regulatory map for 2026 relies on FATF Recommendations 24/25 on the transparency of legal persons and trusts, the AMLD5/AMLD6 directives and national transpositions. In the USA the Corporate Transparency Act (CTA) operates with Beneficial Ownership Information (BOI) reporting to FinCEN and access regimes for financial institutions. In the EU a horizontal AML regulation is being formed at the same time and control over the quality of registers is being strengthened, which directly affects banks’ KYC procedures and the checking of UBOs in offshore jurisdictions.

GDPR defines the lawful basis for banks’ access to UBO personal data, and this is a practical matter, not theory. Banks most often rely on Art. 6(1)(c) “compliance with a legal obligation” and Art. 6(1)(f) “legitimate interest”, supplementing them with internal DPIAs and data minimization policies. Special categories of data require a separate analysis, and for cross-border transfers, mechanisms compatible with EU standards and local privacy laws.

Practical compliance checklist for UBO checks

• Define thresholds and control: record the ownership percentage, veto rights, shareholders’ agreements and actual influence on management. Prepare a written justification of the beneficial interest and attach a legal opinion if there are gray areas.
• Record the lawful basis: specify the GDPR basis, describe the bank’s role as controller and collect consents where necessary. Add DPIA/LIAs and data minimization and retention procedures.
• Keep them up to date: set SLAs for updates in the national register and at the bank when UBOs change. Include RPA reminders and checkpoints for internal legal and finance teams.
• Prepare an EDD file: collect Source of Funds/Wealth, CSP letters, nominee agreements and confirmations of the renunciation of bearer shares. Conduct PEP/sanctions/adverse media screening in advance and attach the results.
• Log provenance: preserve sources, document versions and hash-based integrity checks. This will speed up responses to regulatory inquiries and internal audits.

How banks verify UBOs and KYC

A bank KYC pipeline for UBO is a managed sequence of steps with clear owners. I advise clients to align their internal procedure to the same logic to shorten question‑and‑answer cycles and minimize false positives/negatives.

Step-by-step KYC pipeline

• Intake and pre‑screening: collection of the questionnaire, corporate documents and an initial description of the structure. Sanctions and PEP checks are run, as well as a quick adverse media review.
• Ownership mapping: building an ownership graph up to the ultimate beneficial owner, recording controlling rights and agreements. Threshold rules of 25% and 10% in the EU are applied, taking cumulative control into account.
• Documentary verification: matching registries, certificates and nominee agreements with client and provider data. A request is sent to the CSP and a formal reconciliation with local registries takes place.
• Screening and risk‑scoring: combining sanctions, PEP, negative news and geo‑risks into a single profile. ML models support entity matching and reduce FPR as TPR increases.
• Decision and onboarding: either standard approval, escalation to EDD, or rejection with justification. Results and provenance are logged for audit and correspondents.

Roles and responsibilities are allocated in advance and by name. The Relationship Manager gathers the package and manages communication, the KYC analyst handles the structural and documentary layer, the AML/Financial Crime team performs screening and risk‑scoring, and complex cases go to EDD/SME with the final decision by the Compliance Officer. Such a matrix reduces MTTR and provides predictability for the business and the client.

KYC pipeline diagram (textual)
Client intake → Pre‑screening → UBO mapping → Documentary verification → Sanctions/PEP/Adverse media → Risk‑scoring → Decision/EDD → Onboarding/Monitoring. Each stage records provenance and SLA, and integration points with registries go via API or formalized requests.

UBO verification in offshore jurisdictions

Офшоры привлекают гибкостью и скоростью, но для банка это маркеры повышенного риска. Nominee directors and shareholders, historical bearer shares, foundations and trusts, as well as a prominent role of CSP, all of this requires combined validation and a closer dialogue with the client. Чем раньше клиент покажет экономическую логику структуры и реальный контроль, тем ниже вероятность де‑райзинга.

Рекомендации банка и типичные red flags

• Применять EDD, когда структура включает nominee arrangements, трасты без прозрачной экономической цели, или страны с высоким риском по FATF. Дополнительно запрашиваются SoF/SoW, интервью с UBO и письма от независимых юридических консультантов.
• Красные флаги: несоответствия между реестрами и документами, частые смены директоров без бизнес‑обоснования, CSP без лицензии, и негативные news о связанных лицах. Такие сигналы активируют расширенный скрининг и могут привести к отказу.

Disclosure of beneficial interest

Идентификация nominee начинается с документов и не заканчивается ими. Банки запрашивают декларации nominee, договоры оказания услуг и подтверждение полномочий, а также правовые мнения о том, кто вправе распоряжаться голосами и дивидендами. Важно показать, что номинал не осуществляет самостоятельного контроля и действует строго по инструкциям бенефициара.

Мы всегда совмещаем документальный слой с данными о поведении и транзакциях. Если фактические платежи, подписи и IP‑логи инициируются одними и теми же лицами, это поддерживает картину бенефициарного контроля. Когда наблюдается расхождение между ownership data и транзакционным профилем, кейс уходит в EDD, и банк запрашивает дополнительные подтверждения beneficial interest.

EDD for UBOs: criteria and thresholds

EDD is triggered by a combination of risk factors, and this is normal practice for offshore structures and complex ownership. Classic triggers: PEP status of the UBO or key directors, high‑risk or sanctioned jurisdictions, structural complexity with trusts/funds/nominees, and discrepancies between registers and the documents provided. In the EU banks increasingly rely on a 10% threshold for UBOs in the EU in complex structures, even if the formal general threshold remains 25%.

Standard EDD procedures are detailed and resource‑intensive, so it is better to prepare for them in advance. Extended SoF/SoW packages, bank references, tax returns, asset sale agreements and interviews with the owner—where the structure’s motivation and sources of capital are discussed—are requested. In offshore jurisdictions a letter from the CSP about the nominee, confirmation of the renunciation of bearer shares and legal opinions on trusts and foundations are almost always required.

Cross-verification of UBO registries

Reliable due diligence relies on the right mix of primary and secondary sources. National registries and trusted corporate registers form the “gold standard”, while OpenCorporates, Open Ownership, commercial aggregators and sanctions lists provide breadth and speed. Cross-verification through entity matching, fuzzy matching and reconciliation resolves contradictions and documents data provenance.

Cross-verification mechanics must be formalized and reproducible. We use entity resolution with canonicalization of names, addresses and identifiers, fuzzy matching to recognize transcriptions and aliases, and then run reconciliation against an internal “golden profile” and the client’s documents. This approach reduces MTTR and prepares the data for automated solutions and organizational audits.

Integration of registry data via ETL

A correct ETL pipeline for UBO data starts with ingestion via API and batch channels, then normalization according to BODS and local schemas, enrichment with sanctions and PEP data, and matching to already known entities. It’s important to log every transformation, store sources and versions, and also maintain re-validation on schedule and on triggers. At COREDO we additionally hash document versions and write provenance to immutable storage to simplify audit defense.

Best practice: separate the operational layer and the analytical data layer. The operational layer serves real-time screening and onboarding, while the analytical layer handles periodic reconciliation, reporting and ML training. This reduces the risk of SLA degradation and makes the system resilient to peak loads.

Automating UBO verification for banks

Integration into the KYC pipeline requires an architecture with clear SLAs and monitoring. Queueing systems, retries, deduplication and observability (tracing/metrics/logs) reduce operational risk, and graph analysis helps uncover hidden links between transactions and ownership data. In several projects, graph features produced a jump in the accuracy of detecting nominee structures without increasing FPR.

Integration of API, real‑time and ETL

APIs must meet requirements for performance, security and compatibility with the BODS standard. We use JSON schemas, OAuth2/MTLS, idempotent keys and detailed error handling with typing and recovery codes. Implementing rate limiting and queues ensures even load and predictable SLAs even during peaks.

Best practices for real‑time screening and batch reconciliation include separating data paths and independently scaling resources. Real‑time serves the “decide here and now” needs for onboarding and payments, while batch addresses “quality debt” and checks profile consistency. Regular A/B tests of rules and ML models allow reducing FPR without losing TPR.

Correspondent Banks and Sanctions

Correspondent banks assess UBO risk through the lens of their own regulatory exposure and reputational loss. If a client’s profile combines an offshore structure, weak documentation and adverse news, the likelihood of de-risking rises sharply. Strong UBO documentation and pre-agreed EDD packages: the best protection against sudden shutdowns.

Practical tips for clients

• Prepare a “correspondent folder”: sanctions provisions, UBO structure in BODS format, SoF/SoW, screening results and the contact details of the responsible person. This speeds up responses and reduces uncertainty.
• Communicate proactively: notify structural changes and regulatory news before the bank asks. This builds trust and reduces the risk of preventive de-risking.

Implementing UBO procedures in a bank

Costs consist of data licenses, integration development, infrastructure, training, and operational support. In a typical bank, average TCO in the first year includes 40–60% of costs for data and APIs, 25–35% for development and integration, and 15–25% for operational processes and training, although proportions change with scale. I strongly recommend budgeting for data quality and ongoing reconciliation, because that is where MTTR is reduced and onboarding time is shortened.

Profitability is measured through a set of applied metrics related to business value. Reducing time to onboard by 30–50%, lowering FPR by 20–35% and stabilizing correspondent relationships are direct drivers of ROI that the C-level and the board understand. For multinational companies the effect is amplified if you use shared utilities, centralized registries, and a hybrid outsourcing vs in-house model with strict SLAs and KPIs.

KPI for UBO AML checks

Quarterly targets should be ambitious but achievable. I often budget for -20% FPR while maintaining TPR, -25% time to onboard for standard cases and -15% MTTR for EDD thanks to templates and pre-checks. Such targets discipline the team and show the board of directors tangible progress.

Prepare the legal entity for the bank’s UBO request.

Proper preparation saves weeks and reduces stress for all parties. I recommend assembling three packages: corporate, beneficial and sanctions, each with versioning and provenance. Below is a consolidated checklist of documents by scenario.

Recommendations for registrations in the EU/Asia are simple and effective. In the EU, pre-synchronize the UBO record with bank onboarding and licensing, and in Singapore and Dubai arrange with the CSP the timing and format for issuing UBO documents for banks. Before submission the CFO should go through an internal checklist, ensure registers are up to date, and run a test sanctions/PEP/adverse media report.

UBO verification in M&A and transactions

UBO‑due diligence in mergers and acquisitions – это speed diligence с акцентом на контроль и санкционные сопряжения. Мы строим ускоренный граф владения, валидируем бенефициарный интерес, проверяем скрытые соглашения акционеров и оцениваем риски де‑райзинга у банков‑партнёров покупателя. Чем раньше покупатель покажет план ремедиации структуры под требования AMLD6 и корреспондентов, тем ниже скидка на риск в цене сделки.

Post‑deal мониторинг должен быть автоматизирован и связан с триггерами изменений. Смена директоров, перераспределение долей, назначение nominee или переезд траста запускают переоценку риска и при необходимости, EDD. Мы используем RPA для оповещений регистраторов и банков и графовые подписки для сигналов о новых связях в adverse media.

Practical templates for the deal

• UBO‑request list: структурированный перечень документов, включая BODS‑выпуск и карту контроля. Он экономит время юридических команд и снижает количество уточнений.
• Risk‑скоринг владельцев: модель приоритизации проверок с весами по юрисдикциям, санкциям, PEP и сложностям структуры. Она помогает фокусировать EDD там, где это действительно нужно.

Recommendations for C-level executives and owners

I’ve compiled a focused ten-point checklist to help prepare for banks’ UBO checks.

• Structure map in BODS and as a graph. Keep it current and version it for audit.
• A single UBO document package with provenance. Update it with every change and register SLAs.
• Preliminary sanctions/PEP/adverse media screening. Catch issues before the bank sees them.
• Nominee and trusts policy. Document the economic rationale and boundaries of control.
• SoF/SoW for UBO. Prepare evidence in advance and store independent confirmations.
• Data quality and entity resolution. Implement normalization procedures and reconciliation of sources.
• API integrations and RPA workflows. Reduce manual work and ensure process observability.
• Metrics and targets: time to onboard, MTTR, FPR/TPR. Link them to bonuses and performance management.
• Correspondent ‘folder’ and playbooks. Maintain trust with banking partners and reduce the risk of de‑risking.
• Remediation plan under AMLD6/CTA. Update structural arrangements for new rules and jurisdictions.

Frequently Asked Questions

Answer: UBO, the ultimate beneficial owner, controlling the company directly or through a beneficial interest. The general ownership threshold of 25% is supplemented by a 10% threshold in the EU for complex structures and high risk, as well as by analysis of de facto control beyond shareholding.

Answer: Banks compare local registers, CSP letters, corporate documents and trust agreements, then perform sanctions/PEP/adverse media screening. Most often they request a certificate of incumbency, register of members/directors, trust deed, nominee declarations, renunciation of bearer shares and confirmations of SoF/SoW.

Answer: Prepare legal opinions and nominee declarations confirming absence of independent control and demonstrate the economic rationale of the structure. If disclosure is refused, the bank will likely apply EDD or refuse the relationship, so it’s better to proactively provide the maximum evidence of beneficial interest.

Answer: The bank relies on Art. 6(1)(c) and Art. 6(1)(f) GDPR, supplemented by a DPIA and a minimisation policy. For cross-border data transfers compatible mechanisms are used and all requests and justifications of the lawful basis are logged.

Answer: Costs depend on scale, but in the first year the lion’s share goes to licenses and integrations, and thereafter the main effect comes from reduced FPR and time to onboard. In typical cases payback is achieved within a 9–18 month horizon due to OpEx savings and preserved correspondent lines.

Conclusion

Your next steps are clear and achievable. Conduct an internal audit of UBOs and update the structure map in BODS format, assemble a package of documents with provenance and set up API integrations with key registries and aggregators. If you need to accelerate the process, contact our COREDO team: we will carry out an express readiness diagnostic, share document templates and help implement the technology stack for your processes and jurisdictions.

Since 2016 I have been leading COREDO through dozens of investigations, thematic reviews and interviews with regulators in the EU, the UK, Singapore and the UAE. During that time the COREDO team has assisted clients in obtaining crypto, payments, forex and banking licenses, as well as in subsequent supervision, including high-stakes episodes: from AML investigations and sanctions issues to requests concerning cross-border transactions. This article is a distillation of practice: how to prepare the Chief Compliance Officer (CCO) and MLRO for questioning, what to expect, which rights to protect and which documents to present in order to pass the inspection professionally, maintain the regulator’s trust and controllably reduce risks.

COREDO’s experience shows: a regulatory interview is a controllable process if you start preparing in advance, ensure a transparent communications strategy and establish documentation discipline. Below is the working framework I personally use when, together with a client, I build the defence, communications and execution of supervisory authorities’ requests.

Activation of the response plan

The first signal is a request for documents, an invitation to an interview, or a supervisory notice. At this stage it is important to ensure procedural fairness: confirm receipt of the notice, clarify the scope of the inspection, agree on the timing and format of interaction, including consent to record the interview and participation of an external lawyer. The solution developed by COREDO begins with a risk triage: determining the scope of affected jurisdictions, applicable regulations (AMLD5/AMLD6, FATF, Wolfsberg), data categories (GDPR), and the list of involved roles.

Roles and responsibilities of CCO, MLRO, CEO

The rights and duties of the Compliance Officer during an inspection should be documented in writing. CCO and MLRO are responsible for the completeness of the factual part and the accuracy of references to policy, the CEO – for the company’s position and the strategy for interaction with supervisory authorities, and the board of directors for oversight and approval of key decisions, including the remediation plan and the budget for external consultants and forensic investigation.

Privilege and data protection: documents

Handling documents, observing privilege and data protection measures determine which materials are subject to disclosure and how to store them securely during a dispute. Below we will examine document production, legal hold and the practical application of privilege rules to clarify steps and minimize risks.

Documents, legal hold and privilege

GDPR: DPIA and cross-border requests

Cross‑border issues and cross‑border requests often raise GDPR compatibility questions when transferring data to regulators. At COREDO we prepare a DPIA in advance, determine the legal basis for the transfer (for example, performance of a legal obligation), and apply data minimization and encryption. Under MLAT (mutual legal assistance) we check compliance with local law and bank secrecy exceptions, and also ensure client confidentiality when multiple supervisory authorities are involved.

Preparing the CCO and MLRO for an interview

I view preparation as a multi-level program. First, we conduct interview preparation for legally significant statements: we build a structured interview protocol and template answers, and practice regulator question scenarios on sanctions, AML and KYC, SAR/STR procedures and monitoring. Then we run mock interviews and stress tests to prepare for interrogations, including roleplay scenarios and assessment of witness suitability.

Questions on AML/KYC/sanctions/transactions

Regulators often examine the depth of the risk‑based approach. We prepare responses to regulator questions about transactions: matching transactions and monitoring analytics, methods to reduce false positives, use of automated AML monitoring and machine learning in transaction monitoring. If external software is used, we present AML‑software providers and vendor screening, results of independent testing, and the monitoring and testing of AML controls.

Forensics and electronic evidence

In complex cases we engage the use of an external forensic expert and electronic examination and e-discovery, including e-mail discovery and investigation of corporate mail. We perform forensics and recovery of deleted data in compliance with the chain of custody, and carry out data handling in protected interview rooms and secure rooms, especially when the materials contain personal data or banking secrecy.

Mitigating factors and remediation

Notice of an investigation and self‑reporting is a difficult decision, but often yields credit for cooperation (voluntary disclosure strategies and credit for cooperation). In COREDO’s practice there is a case of a payment company in one of the EU countries where early disclosure and an immediate remediation plan with subsequent verification of the corrections and an independent audit of compliance‑measures allowed them to avoid a fine and be limited to an official warning.

Interaction with suppliers

Scaling the preparation process in a global company requires managing third parties and vendors during investigations. The COREDO team developed criteria for third‑party Due Diligence and supplier risk, as well as contracts with external consultants and experts, where responsibilities for confidentiality, information security and response times are clearly defined.

Compliance checklist for a regulator interview

This checklist is not an abstraction, but a distillation of our approach. Before the interview the team goes through it in full, recording execution in the incident management and tracking system (incident management):

• Confirm the scope of the review: supervisory notice, subject matter, timelines, recording format, and participation of counsel.
• Implement a litigation hold, define the legal hold scope, build a privilege log, and appoint custodians.
• Define the internal counsel vs external counsel strategy, select an approach and the boundaries of privilege.
• Conduct a gap analysis, prepare a remediation plan, and agree it with the board of directors.
• Confirm GDPR/DPIA, data transfer channels, encryption, cross‑border mechanisms, and banking secrecy.
• Organize document production: chain of custody, audit trail, document versions, and access control.
• Conduct mock interviews and stress tests, assess psychological readiness and backup witnesses.
• Form a structured response protocol and templates for the regulator reply.
• Check sanctions and AML/KYC blocks: OFAC/EU/UN, BO disclosure, SAR/STR, and automated monitoring.
• Prepare an executive summary of the investigation for the regulator and case law materials.
• Set up secure rooms/video conferences, obtain consent to record the interview, and document the risks.
• Conduct vendor screening (AML software, forensics), confirm ISO 27001/SOC 2.
• Agree media policy, D&O, escalation matrix, and BCP plans for the review period.
• Calculate preparation costs and economic efficiency, balance external consultant vs internal team.
• Set KPIs and ROI for preparation for regulatory interviews, time to resolution and recovery metrics.

Recording and Retention Policies

A records-keeping and retention policy is the foundation for the evidentiary base. We implement a retention policy and a destruction schedule with exceptions for legal hold, maintain an access log, and, as part of training, establish rules for documenting interviews and creating a transcript. Virtual interviews and secure videoconferences must meet recording requirements: obtaining consent and legal risks, storage and access in accordance with GDPR.

Pace and the economics of scaling

Preparation costs and economic efficiency — a matter not only of budget but also of decision-making speed. Analysis of costs for external consultants vs internal team allows forming a hybrid model: internal fact-gathering and preservation of privilege, external legal strategy and forensics. At COREDO we plan resources for investigations (resource planning), set SLAs for responses and rank issues by priority and risk so as not to waste time on secondary issues.

Typical question scenarios

During questioning of the AML officer (MLRO), the regulator may move on to the details of specific alerts, late escalation, or the absence of SAR/STR. Here the CCO should point to the risk‑assessment methodology, the monitoring frequency and the second‑line control function, as well as the improvements implemented after the incident. If sanctions are involved, we demonstrate checks against OFAC/EU/UN, enhanced triggers and a post‑event review.

COREDO practice cases

In one European jurisdiction, the COREDO team accompanied the questioning of the payment organization’s CCO after a series of sanctions alerts triggered on a client from a third country. We confirmed the correct configuration of the lists, demonstrated a reduction in false positives through retraining of the rules, and provided periodic monitoring reports. The outcome — an instruction to strengthen due diligence for a specific category of clients without imposing fines.

Pre-litigation dialogue with regulators

Best practices for preparing the CCO for European regulators include early pre-litigation dialogue, transparent demonstration of methodologies (AMLD5/6, FATF, Wolfsberg), a structured executive summary of the investigation and a clear reference base to policies and procedures. It is important not to argue about form, but to agree on reasonable timelines and process while protecting privilege and GDPR.

Conclusions

COREDO, after years of work in the EU, the United Kingdom, Estonia, Cyprus, the Czech Republic and Slovakia, Singapore and Dubai, has built a predictable, transparent approach that helps clients pass inspections, obtain licenses and grow. If you need a regulator engagement strategy, external legal support for an interrogation, e‑discovery or an independent audit of compliance measures, the COREDO team will offer a solution adapted to your business model and jurisdictions. I am convinced: a prepared CCO is the best argument for trust in your company and its sustainable growth.

I have been leading COREDO since 2016 and see every day how quickly the digital assets market is changing. Over the years the COREDO team has carried out dozens of projects for company registration and licensing in the EU, the United Kingdom, Singapore, Cyprus, Estonia, the Czech Republic, Slovakia and Dubai. Clients come with a variety of tasks: from creating an SPV for the tokenization of artworks to building institutional custodial infrastructure for NFTs. In this article I have compiled practical experience and strategic ideas: how to use NFTs as a financial instrument, how to manage risks, comply with MiCA, MiFID II, FATF and GDPR, and how to structure IFRS reporting so that the auditor has no questions left.

When NFTs are in a corporate portfolio

From an investment-logic perspective, NFTs and securities in the EU are different things. Security token vs non-fungible token: this is above all a difference in legal nature: a security token, as a rule, falls under MiFID II and national securities regimes, whereas an NFT is a unique digital token that may be an investment asset depending on its economic function, but does not automatically become a security. Classifying an NFT as an investment asset requires analysis of utility, rights, returns, market-making and liquidity availability.

Brands gain a new channel for audience engagement and licensing economics from NFTs. Our experience at COREDO has shown that strategic use of NFTs for brands pays off when the links between token ownership and utility are formalized in smart contracts, and IP-licensing and exclusivity issues are secured in clear agreements. Then an NFT logically becomes part of the corporate portfolio alongside tokenized lease rights, service vouchers and shares in an SPV.

NFT: a security under MiFID II?

We often use frameworks for assessing the legal nature of a token, where we apply the criteria of an investment contract (Howey test and analogies) specifically as an analytical lens: capital contribution, expectation of profit, efforts of a third party. In the EU this test is not law, but it helps structure arguments for regulators and platform compliance. COREDO’s practice confirms: when an NFT provides passive income or a promise of portfolio management, regulators may qualify such a token as a financial instrument, which brings MiFID II implications for brokers and platforms.

Tokenized securities vs NFTs: the key dividing line. If a token directly embodies a claim against an issuer, an equity share or a debt obligation, it becomes a security token subject to the full body of rules, up to prospectus requirements, provider licensing and reporting. If an NFT records access, a unique digital object or certifies a right of use without an investment component, we remain in a different regulatory zone.

Regulation of NFTs in the EU and secondary markets

Fractionalized NFTs (fractional tokens) and serial issuances with economically interchangeable properties may fall within the scope of MiCA, and in extreme cases: within MiFID II. The solution developed at COREDO: early token qualification and a compliance roadmap before launching smart contracts.

ESMA’s recommendations on digital assets complement MiCA with details on the delineation of services and investor protection. Regulation of NFT secondary markets requires transparency of fees, prevention of manipulation and manageability of listings. Monitoring for manipulation in the NFT market and combating wash trading become part of platforms’ internal controls, especially if they perform the functions of a broker or market operator.

If necessary, we launch the project through regulatory sandboxes for crypto startups in the EU to agree in advance on the approach to token functions and circulation mechanics. Interaction with regulators and supervisory authorities is critical here: it reduces the risk of the instrument being reclassified after launch.

AML/KYC: how to build compliance for NFTs

The COREDO team implemented risk‑scoring of buyers and sellers for marketplaces, sanctions filters and on‑chain analytics to detect links with “tainted” addresses.

Money laundering risks through NFTs are typical: rapid resales with inflated prices, wash trading, transactions through mixers, a high rate of order cancellations.

GDPR when processing NFT clients’ data requires minimization, justified retention periods and transparent information for the data subject.

Cross-border NFT sales and currency regulations add another layer. Our lawyers at COREDO set up cross-border compliance for buyers from Asia and the EU, aligning KYC procedures, withholding taxes and interaction with payment systems and PSPs. Banking oversight is also important: interaction with the banking system and banking supervision requires source of funds policies, invoicing standards and clear contractual documentation between the platform, the issuer and the buyer.

Royalties and licensing

Separation of rights: ownership vs right of use must be explicitly recorded in the terms of sale and/or in an on-chain link to the license. In COREDO projects we arrange IP licensing and NFT exclusivity through separate agreements, taking into account moral rights and assignment in EU jurisdictions.

NFT marketplaces and platform liability require clear rules in offers: transparency of fees, refund conditions, secondary NFT sales and fee regulation — all of this becomes a subject of attention for regulators and antitrust authorities if practices appear to restrict competition.

We insist on two-sided duplication of metadata, versioning and recording of hashes in the smart contract to prevent tampering. When IP is wrapped into an SPV and licensed via an NFT, the contractual framework links the rights holder, the custodian and the token holder.

Tokenization of art and real assets

SPV legal structures for tokenized art are a proven scheme: the assets are held by a rights‑holding company, and NFTs sell access to benefits, viewing rights, priority participation in exhibitions, or fractional rights through fractionalized NFT. Fractional ownership legal structures carry particular risks for investors: when ownership is fractionalized, characteristics of a security can sometimes emerge, which may trigger MiFID II.

SPVs and legal wrappers for art tokens are useful for managing taxes, rights, insurance and custody.

investment funds NFTs in the EU can be structured in the form of AIFs with corresponding regulation of the management company, custodian, valuer and auditor – the COREDO team has structured such funds taking ESMA and local supervision into account.

The distinctions between ICO/STO/ITO and the comparison with NFT issuance are needed to understand regulator expectations: STOs are securities; ICOs/ITOs can fall under MiCA; NFT issuance more often does not require a prospectus, but does require disclosure and compliance if investment characteristics are present. COREDO’s experience confirms that early consultation with the regulator reduces costs and speeds up market entry.

Taxes and accounting for NFTs under IFRS

The tax consequences of NFT sales in Europe depend on what is being sold: digital content, access to a service, or usage rights.

Royalty income may be subject to withholding tax in certain jurisdictions: this is taken into account when structuring SPVs and licensing agreements.

Accounting for NFTs on a company’s balance sheet (IFRS) is closer to accounting for crypto assets: they are more often intangible assets under IAS 38, except when held for trading as inventories under IAS 2.

Reporting and disclosure about NFT assets include accounting policies, valuation methodologies, liquidity and concentration risks.

Valuing NFTs for investors is built on three pillars.

The COREDO team sometimes supplements the valuation with option models for rare cases involving buyback rights.

Smart contracts: standards and insurance

Smart contracts (ERC-721, ERC-1155) and security are a central part of legal protection: bugs in code can wipe out rights, reduce royalties to zero, or open the door to an exploit.

Smart contract audits for legal protection should combine static analysis, formal verification, and testing of business scenarios: edge cases for listing, token burns, upgrades, royalties, and pauses. Blockchain code audits and formal verification reduce the risk of smart contract vulnerabilities and exploits, while digital asset insurance and loss coverage close out tail risks. Within companies we insist on corporate access control for wallets, role separation, and multi-factor policies.

Institutional custodial infrastructure for NFTs requires custodian solutions for institutional NFTs, SLAs, key recovery procedures, and controls over corporate transactions. Custody APIs and interaction standards enable integrating NFTs with ERP and accounting systems, automating transfers and tags for accounting. The COREDO team helped clients build cold‑hot‑warm storage architectures and asset movement policies aligned with auditors.

Markets and liquidity: risk control

NFT liquidity risk and exit strategies: this is the main area for the CFO. Exit strategies: listings on exchanges, OTC processes with KYC, buyback agreements and NFT options, as well as framework agreements with marketplaces for prioritized listing. Stress-testing the liquidity of an NFT portfolio models a drop in floor price, widening spreads, departure of market‑makers and regulatory shocks.

counterparty assessment and marketplaces by reputation reduces the risk of failures in settlements and delistings. The commercial model: fees, royalties, listing fees must be transparent and compatible with antitrust and competition-related risks of marketplaces — especially regarding exclusivity and restrictions on parallel sales.

Institutional players look at blockchain resilience: PoS vs PoW and energy consumption. Carbon footprint and offsetting NFT emissions are becoming part of ESG policy: we build in compensation mechanisms or choose energy-efficient networks. For collateralized deals, using NFTs as collateral (collateral) requires independent valuation, agreements with custodians and tripartite agreements with lenders.

COREDO: case studies and launch roadmap

• Legal qualification: framework ‘security token vs non-fungible token’, MiCA/MiFID II/ESMA assessment, ICO/STO/ITO comparison.
• corporate structure: SPV, IP agreements, licenses, royalty agreements, option and buyback.
• Technical architecture: ERC-721/1155 standard, IPFS/Arweave, URI strategy, on-chain provenance.
• Compliance: AML/KYC, SoF, travel rule, sanctions and export controls, GDPR, cross-border compliance.
• Infrastructure: custody, insurance, corporate access control to wallets, custody APIs.
• Taxes and accounting: VAT, transactional taxes, IFRS (IAS 38/IAS 2), disclosures and valuation models.
• Market and liquidity: listing rules, fees and royalties, OTC processes, stress testing and exit.
• Interaction with regulators: sandbox, notifications, responses to inquiries, internal reporting and best practices for internal control and reporting on NFTs.

Legal risks in EU practice

Legal disputes and case law on NFTs in the EU are still taking shape, but precedents are already setting the direction. Court precedents regarding the sale of NFTs (European cases) emphasize the importance of clear license terms, fair commercial practice and truthful marketing. Legal enforcement mechanisms in NFT fraud include asset freezes, platform notifications, interaction with custodians and cooperation with law enforcement.

Regulation of secondary NFT markets and marketplace liability require attention to the impact of MiFID II on brokers and platforms, especially when they begin to perform the functions of an organized trading venue.

DAOs as a tool for managing collections and funds have also become relevant in Europe. The role of DAOs in managing collections and funds requires aligning governance tokens and voting rights with off-chain corporate law. We increasingly use a hybrid: DAO voting logic on top of a legal entity (SPV or fund), where mandatory corporate actions are executed by a delegated director.

Payments and banking between on-chain and off-chain

Для корпоративных клиентов COREDO выстраивает мосты: кастоди для хранения, PSP для мерчанта и банковские счета для расчетов, чтобы снимать вопросы у финансового контроля и аудита.

При крупных продажах due diligence чек-лист перед покупкой крупного NFT включает KYC контрагента, проверку provenance, юридический статус IP, анализ маркетплейса, репутационные риски и страхование доставки цифрового актива.

ESG for NFT sustainability and reputation

Clients in the institutional segment increasingly include ESG criteria. Blockchain sustainability: PoS vs PoW and energy consumption affects network choice. Carbon footprint and offsetting of NFT emissions are configured through compensation programs, green certificates, and sustainability reporting. For public companies this becomes part of non-financial disclosure alongside liquidity and compliance risks.

This approach protects the portfolio and accelerates deal approvals at the level of boards of directors and risk committees.

Conclusions

NFTs have moved from an experimental status to a managed asset class where legal qualification, compliance and infrastructure are as important as creativity and community. My position is simple: if NFTs are treated as a financial instrument from the start, a business gains transparent processes, clear economics and access to institutional capital. COREDO’s experience in the EU, the UK, Singapore, Cyprus, Estonia, the Czech Republic, Slovakia and Dubai shows: a well-designed SPV structure, clear IP licenses, proper IFRS accounting and AML/KYC discipline turn NFT initiatives from a risky bet into a sustainable product.

If you plan to launch, start with legal qualification and architecture: choose a standard (ERC-721/1155), describe ownership and usage rights, resolve custody and insurance issues, define the tax model and disclose risks in the white paper. The COREDO team will help build a compliance roadmap, align the approach with regulators, audit smart contracts and integrate accounting. This will preserve your speed and provide the reliability on which long-term value is built.