In 2025, EU regulators fined banks €2.3 billion for AML failures, and 40% of cases are linked to underestimating risks from shelf companies: ready-made firms that seem like the perfect quick solution for entering new markets. You launch a business in the EU, Asia or the CIS, buy a ready-made company in the Czech Republic or Singapore to save time, and suddenly face account freezes, UBO investigations or license refusals because of hidden laundering chains. Why does this happen to you? Because compliance breaks not at the finish line, but at the start, during onboarding. Read this article to the end: I will analyze exactly where AML vulnerabilities arise for ready-made companies, show real failure points and give a roadmap so your business can scale without fines and downtime.
Why this topic matters for business

Compliance for ready-made companies is not a formality but a strategic barrier to international expansion.
Our experience at COREDO has shown how timely EDD can save from €500k in remediation costs. This guide will help your board make informed decisions.
What is a shelf-company and why do criminals use it

A shelf (ready-made) company at first glance appears to be a quick and convenient way to “enter the market” without unnecessary bureaucracy, but it is precisely this readiness for immediate use that makes such structures especially attractive to malicious actors. To understand where the line lies between a legitimate tool and a risky scheme, it is important to clarify what shelf, shell and hybrid shelf/shell constructions are, how they differ and how they are used in practice.
Shelf vs. Shell vs. Shelf/Shell: Differences
The difference is critical: a shelf company with a “clean” past may seem safe, but conceals UBO chains.
Typical abuses: layering, structuring
Where compliance breaks down on the client journey

At every step of the client journey there are points where compliance “breaks down”: seemingly minor details become major vulnerabilities along the client journey and hit both risk and conversion. This is especially acute at the initial risk decision during the onboarding process, where the cost of any error is highest.
Onboarding process errors
Banks in the EU ignore anomalies like dormant status, as in ACRA for “sleeping” Pte Ltd.
Insufficient EDD for old or complex ready-made companies
The need for EDD for older shelf companies is obvious: firms older than 5 years require enhanced due diligence, but clients skip forensic analysis of documents. COREDO’s practice confirms: without EDD, UBO chains slip away.
Issues with third-party providers and supply chain anonymity
Problems with legacy systems and alert fatigue
How to assess the risk of shelf companies in KYC/KYB

Properly assessing the risk of shelf companies in KYC/KYB (methodology and control points) is not about a formal checkbox on a form, but about a structured three-level model that allows you to record the baseline risk, work through scenarios, and not miss changes in dynamics. Below we will examine how to integrate such a methodology step by step into KYC/KYB processes and which control points to make mandatory at each level.
Three-level risk assessment model
When to apply EDD: checklist (contracts, accounts)
How to conduct EDD for an acquired shelf company in the EU?
UBO check: integration of registries and enrichment
Technologies for Closing Compliance Gaps

Technologies and processes that genuinely close gaps in compliance enable the automation of routine checks and minimize human error, increasing the overall effectiveness of the compliance system. The implementation of solutions such as an integrated AML stack has already shown cost reductions of up to 90% in real-world fintech and banking cases.
Integrated AML stack: KYC, sanctions, TM
The key advantage is the absence of gaps between onboarding a shelf company and its subsequent behavior. With this approach, KYC data is automatically passed into sanctions and transaction monitoring, and list updates (EU, OFAC, UN, local) are applied without delays. At COREDO such an architecture is used as a standard: a single risk profile, continuous updates and automatic triggers when the status of a beneficiary or controllers changes.
RegTech: vendor or in-house?
The choice between a RegTech provider (AML SaaS) and an in-house solution should be based not on the license cost but on the full TCO: implementation, support, regulatory updates and scaling. For external KYC/KYB vendors clear SLAs are critical: MTTR no more than 24 hours, false positive rate below 15%, transparent scoring logic and the possibility of an audit trail. In-house makes sense for high volumes and non-standard typologies, but requires an internal team, regular rule updates and legal responsibility for regulatory compliance.
AI/ML, graph analytics, and typology simulation for detecting hidden ownership
Typology simulation is used to test the robustness of rules against new circumvention schemes, and regular stress testing prevents model degradation when behavioral patterns change.
Rules for monitoring mass requests
Key triggers include frequency (>10 legal entities per month per provider or contact), recurring directors/addresses and similar jurisdictions. Behavioral monitoring algorithms aggregate these signals into a dynamic risk profile, allowing legitimate corporate services to be distinguished from shell factories. When thresholds are exceeded, enhanced due diligence (EDD) is automatically activated with an in-depth check of the ownership chain and sources of funds.
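The triggers described above, written as a small aggregation over formation records. This is an added example, not COREDO's code: the record fields, provider names and the recurrence threshold of 3 are assumptions, while the limit of 10 entities per month per provider is the one stated in the text.

```python
from collections import Counter, defaultdict

MAX_ENTITIES_PER_MONTH = 10   # from the text: >10 legal entities per month per provider
RECURRING_MIN = 3             # assumption: reuse count that makes a director/address "recurring"

def _norm(value):
    """Case- and whitespace-insensitive key so trivial variations still match."""
    return " ".join(value.lower().split())

def bulk_formation_alerts(records):
    """Map each provider to its sorted trigger list; any trigger means route to EDD."""
    per_month = Counter()
    reuse = defaultdict(Counter)   # (provider, field) -> normalized value -> count
    for r in records:
        provider = r["provider"]
        per_month[(provider, r["incorporated"][:7])] += 1   # bucket by YYYY-MM
        for field in ("director", "address"):
            reuse[(provider, field)][_norm(r[field])] += 1

    alerts = defaultdict(list)
    for (provider, month), n in per_month.items():
        if n > MAX_ENTITIES_PER_MONTH:
            alerts[provider].append(f"frequency {month}: {n} entities")
    for (provider, field), counts in reuse.items():
        for value, n in counts.items():
            if n >= RECURRING_MIN:
                alerts[provider].append(f"recurring {field} '{value}': {n} entities")
    return {p: sorted(reasons) for p, reasons in alerts.items()}

# Constructed sample records (not real companies or providers).
SAMPLE = [
    {"provider": "provider-a", "incorporated": f"2025-03-{d:02d}",
     "director": "J. Doe" if d % 3 == 0 else f"Director {d}",
     "address": "1 Example  Street, Suite 5"}
    for d in range(1, 13)
] + [
    {"provider": "provider-b", "incorporated": f"2025-0{m}-10",
     "director": f"Owner {m}", "address": f"{m} Sample Road"}
    for m in (1, 2, 3)
]

if __name__ == "__main__":
    for provider, reasons in bulk_formation_alerts(SAMPLE).items():
        print(provider, "-> EDD:", reasons)
```

Each trigger string doubles as the documented reason for escalation, so it can be stored in the case record alongside the risk rating.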
ROI and TCO of compliance
Operational metrics are the language that makes it easiest to demonstrate the economic justification of compliance and to move from abstract risks to clear ROI and TCO figures. Through indicators such as MTTR for alerts, percentage of false positives, cost per case and remediation cost, the compliance function becomes transparent to the board and comparable with other business initiatives in terms of investment efficiency.
KPIs for the board: MTTR, false positives, cost
With such metrics, a typical ROI on compliance investments reaches 3:1 due to reduced penalty risks, faster onboarding and reduced manual work.
TCO of automated EDD vs manual review
Comparing the TCO of automated EDD and manual review reveals differences not only in direct costs but also in scalability. Manual EDD costs on average €8–10k per company, taking into account analysts’ hours, legal reviews and repeat data requests. RegTech solutions reduce TCO by 40% or more: an average cost of €2–3k per company includes automated data collection, sanctions and adverse media screening, and profile reuse. An additional effect is reduced MTTR and lower operational risk as volumes grow.
When to scale in-house and when to outsource?
At a load above ~50 shelf companies per year, it is economically justified to scale in-house with API integration of KYC/KYB and proprietary scoring rules. This provides control over data and flexibility of typologies. At lower volumes, outsourcing remains optimal since it does not require fixed costs for a team and infrastructure. In typical scenarios, scaling the compliance function pays back in up to 6 months due to reduced TCO and accelerated time-to-decision.
Regulatory requirements for inspections
Regulatory requirements and the evidentiary basis for inspections form the framework within which TCSP companies must build KYC processes, risk assessment and documentation of decisions made. In this section we’ll examine how FATF standards, local guidance for TCSPs and specific UBO disclosure requirements become a practical evidentiary base for passing inspections and engaging with the regulator.
Financial Action Task Force guidance for trust and company service providers and ultimate beneficial owners
The regulator expects not a formal naming of the beneficiary, but demonstrable disclosure of the full UBO with a verifiable ownership chain to the natural person. The use of official registers (e.g., ACRA and their analogues) should be complemented by independent sources and a risk-based analysis. Special attention is paid to bulk monitoring: mass registrations, recurring structures and nominee directors are considered higher risk and require enhanced procedures (EDD) and documented decision logic.
What regulators look for in remediation
A key element is the evidentiary base: audit trail, review logs, alert history and case decision records. Failures are almost always tied to the onboarding stage, so it is critical to retain case management with a timeline of actions, data sources and justification of the risk rating. The absence of a link between the identified incident and corrective measures is treated as a systemic defect rather than an isolated error.
GDPR and UBO restrictions across jurisdictions
Regulators expect compliance with the principles of data minimisation, purpose limitation and the existence of a legal basis: consent, legitimate interest or contractual obligations. In practice this means storing only relevant UBO attributes and a clear access policy. Asian jurisdictions have their own regimes (PDPA and equivalents), which often impose stricter data localization requirements; this requires adapting the KYC architecture and segregating the storage of information.
Implementation plan for improvements over 90/180/365 days
A practical roadmap for implementing improvements (an actionable plan for 90/180/365 days) helps not only to define strategic goals but also to break them down into clear, actionable steps with definite deadlines and responsibilities. We start with the first 90 days, where we collect “quick wins” and launch key changes that immediately affect process quality and reduce risks.
90 days: quick wins in bulk formation
The first 90 days, the “quick wins” phase, aim to sharply reduce obvious risks without complex transformations.
Responsibility is assigned to the CCO; the success metric is no unidentified mass cases and at least a 20% reduction in risk exposure. At the same time, standardized SLAs and EDD checklists for high-risk cases are introduced, which reduces manual work and delivers direct operational savings of around €50k per quarter by reducing repeat checks and accelerating decisions.
Integration of UBO, RegTech, and risk-scoring in 180 days
The 180-day horizon is the transition from point improvements to a system architecture. The main focus is data enrichment for UBO and API integration of RegTech solutions into existing KYC/KYB processes. All data sources are consolidated into a single risk profile, and scoring becomes reproducible and auditable.
365 days: typologies, machine learning, governance and KPIs for the board
After 12 months the compliance function moves to a mature phase focused on proactive risk management. Typology simulation and ML elements are implemented to test the robustness of rules against new schemes, and the governance model is elevated to the board level.
Error cases with lessons
Case 1: Onboarding failure. The client bought a shelf in the Czech Republic: director swaps were missed. Fine €1M. Lesson: EDD would have detected the anomalies.
Case 2: Mass registrations. A provider in Singapore: 200 firms/month. COREDO blocked them, saving €300k.
Case 3: Graph analytics saves the day. In Asia a UBO chain was uncovered via linkage analysis – the license was obtained in time.
Questions for the provider and compliance officer
| Category | Questions for provider/officer |
|---|---|
| EDD | Which documents confirm the actual activity of a shelf company? Do you use automated EDD? |
| SLA/KPI | What is the MTTR for alerts? Is the false positive rate <10%? |
| UBO | Do you integrate ACRA registers and adverse media? |
| Audit trail | Do you retain logs for FATF checks? |
| Third-party | How do you monitor bulk formation and sub-letting? |
| GDPR | Does the exchange of UBO comply with data minimisation? |
Practical conclusions and recommendations
- Implement EDD for all shelf companies older than 3 years (effort low, impact high).
- Audit providers for bulk formation.
- Integrate graph analytics for UBO.
- Set KPI: false positives <10%.
- Test typology simulation quarterly.
- RFP for RegTech with SLA <24h.
- Have the board review risk appetite.
Templates and metrics for RFP tenders
| Requirement | Minimal | Advanced | Desirable |
|---|---|---|---|
| SLA | MTTR 48h | 24h | 12h |
| Features | KYC + sanctions | + TM, graph analytics | + typology simulation, API |
| Sources | ACRA registers | + PEP/adverse | + real-time reg platforms |
| Metrics | False positives 20% | 10% | 5%, ROI tracking |
These steps from COREDO’s practice will ensure compliance. For deep due diligence of your shelf, get in touch — the team is ready to conduct an audit.