Beyond ID verification: getting UBO right under Tranche 2

Most accounting firms will do the identity verification part correctly. A client signs the engagement letter, the practitioner triggers a KYC (Know Your Customer) check, the client photographs their driver’s licence and takes a selfie, and a result comes back within minutes. Verified. Move on.

For individual clients — sole traders, employees, individuals — that is often enough. You have confirmed the person is who they say they are, run them through AML screening, and have a record.

For corporate clients, you have confirmed the messenger. You have not confirmed the principal.

That gap is the beneficial ownership obligation. Under AUSTRAC’s Tranche 2 reforms, it is not optional.

What beneficial ownership actually means

A beneficial owner — referred to in AML/CTF compliance as a UBO (Ultimate Beneficial Owner) — is the natural person or persons who ultimately own or control an entity.

The threshold AUSTRAC works to: 25% ownership or control. Any individual who owns 25% or more of a company’s shares, or who exercises significant control over the entity’s decisions, is a beneficial owner for AML purposes. The firm needs to know who these people are.

This applies across the corporate structures that accounting firms deal with daily:

Companies — who are the shareholders above 25%? Are any of them also holding companies? If so, who owns those?
Trusts — who are the trustees? Who are the settlors? Who are the named beneficiaries?
SMSFs — who are the trustees and who are the members?
Partnerships — who are the partners and what is their percentage of control?

The word “ultimately” in the definition matters. If a client is a company owned by another company, owned by another company, owned by a natural person — the obligation runs to that natural person. The chain must be followed.

Under Tranche 2, which applies to accounting firms from 1 July 2026, identifying beneficial ownership for corporate clients is a hard requirement under the AML/CTF Act. It is not a nice-to-have extension of a standard KYC check. It is a separate compliance obligation with its own documentation requirements.

Most accountants we’ve spoken to during demos understand this in principle. Where the gap appears is operational: how do you actually collect, verify, and record beneficial ownership in a way that survives an AUSTRAC audit?

Why verifying the individual is not enough

Run this scenario. A company director comes on as a new client. Your firm verifies the director: identity confirmed, AML screening clear, risk assessment completed. The task closes. Compliance record filed.

Six months later, AUSTRAC conducts an audit. They ask for the beneficial ownership record for that client. You provide the director’s KYC. The auditor asks: who owns 30% of that company? You don’t have a record.

That is the gap. You verified the messenger — the person in front of you. The AML obligation under Tranche 2 requires you to verify the principals — the people who actually control the entity behind the client relationship.

This is not a theoretical problem. The two scenarios play out in practice:

Scenario 1 — The straightforward case. A company with two shareholders, each owning 50%. You verify the director (one of the shareholders). You still need to identify and screen the second shareholder. If you haven’t, your beneficial ownership record is incomplete.

Scenario 2 — The layered structure. A company is owned 60% by a holding company. That holding company is owned by two natural persons. Your CDD (Customer Due Diligence) obligation runs to those two natural persons — not just to the entity in front of you. You cannot complete the beneficial ownership record without recursively tracing the ownership chain.

Without beneficial ownership records, the audit consequence is the same regardless of how thorough your individual KYC was: incomplete CDD on a corporate client. Under AUSTRAC enforcement, “we verified the director” is not a sufficient answer to “who controls this entity?”

The risk consequence is separate. The purpose of beneficial ownership checks is to detect situations where criminal actors are using corporate structures to distance themselves from the client relationship. A PEP (Politically Exposed Person) or sanctioned individual who owns 30% of a client’s company may not appear in any check you run on the director alone. The individual KYC protects you from the director being a problem. The UBO check protects you from the structure being a problem.

What good UBO collection looks like

There are four components to a UBO process that holds up under audit. Most manual processes cover one or two. A compliant process covers all four.

1. An entity onboarding form that captures shareholding and control structure

The first step is collecting the information the client can provide about their own ownership structure. This includes: who are the shareholders above 25%, what percentage does each hold, and are any of those shareholders themselves corporate entities (triggering the recursive obligation)?

This is not a standard KYC intake form. It requires specific fields designed for corporate structure capture — not a generic “upload your documents” request. The form needs to be structured enough that the answers produce a usable ownership map, not a pile of PDFs for someone to manually interpret.

In IdentityCheck, the UBO onboarding form is purpose-built for this. It captures the shareholding and control structure as structured data, not as a document upload.

2. An ACN-based UBO Report sourced from authoritative registers

Client self-declaration is one input. It is not the whole picture. A client may not fully understand their own ownership structure. A client may not disclose ownership they consider irrelevant. A client may be unaware of changes at the holding-company level.

The authoritative source for company ownership is ASIC and the underlying corporate register data. An ACN-based UBO Report takes the company’s ACN, queries the register, and recursively traces the ownership structure — following holding companies up the chain until it reaches natural persons.

What this produces: a beneficial owner diagram showing the full ownership structure, the identity of all natural persons above the 25% threshold, and their respective ownership percentages.

In IdentityCheck, the UBO Report is sourced by ACN and recursively compiled. The output is an audit-ready report showing the beneficial ownership structure — not a summary, a structured record.

3. AML screening run on each beneficial owner above 25%

Identifying the beneficial owners is half the job. The second half is screening them.

Each natural person above the 25% threshold needs to be screened against:

PEP (Politically Exposed Person) databases — 3,000+ sources, updated daily
Sanctions lists — 70+ lists, updated every 30 minutes
Adverse media — 15,000+ sources across 195 countries, real-time

This screening cannot be assumed from the individual KYC on the director. It must be run against each beneficial owner’s identity. A director who is clean may have a beneficial owner behind them who is not.

In IdentityCheck, AML screening runs automatically against each beneficial owner identified in the UBO Report. The firm does not need to run separate checks manually on each owner — the screening is built into the UBO report process.

4. Ongoing monitoring — UBO structures change

Beneficial ownership is not static. Companies are sold. Shareholders exit and new ones join. Holding structures are reorganised. A corporate client whose ownership structure was clean at onboarding may have a new beneficial owner eighteen months later.

A compliant UBO process includes a mechanism to detect changes to the ownership structure and trigger a review when they occur. Enrolling beneficial owners in ongoing AML monitoring — so that a change in their screening status generates an alert — is the monitoring layer that prevents a “clean at onboarding” record from becoming a liability two years later.

What document intake tools don’t do

It’s worth understanding where general document-intake and client-onboarding tools fit in the UBO picture — and where they don’t. Several accounting firms run tools of this kind alongside IdentityCheck for general client correspondence and document collection. They serve a real purpose. But other onboarding tools have a range of limitations worth being aware of when it comes to beneficial ownership specifically. The distinction worth being precise about is this: document intake covers the ask. UBO resolution covers the obligation.

A document-intake tool can ask a client to upload their trust deed, their company structure, or a shareholder list. It collects what the client provides. That is the extent of its capability for UBO purposes.

What this category of tool does not do:

It does not query ASIC or corporate registers independently. It cannot source the ownership structure from an authoritative register; it can only receive what the client volunteers.
It does not recursively resolve beneficial ownership. If a shareholder is itself a holding company, there is no mechanism to trace who owns that holding company — the obligation to trace the chain sits with the accountant, manually.
It does not run AML screening on identified beneficial owners. Collecting a document is not the same as screening the person named in that document against global PEP, sanctions, and adverse media databases.
It does not produce an audit-ready compliance record in the format AUSTRAC would expect to see during a beneficial ownership verification audit.

This is not a criticism of those tools — they are not built for UBO compliance. The risk arises when document collection gets framed as beneficial ownership compliance: that creates a gap that will be visible to an auditor and may not be visible to the firm until the audit happens.

If your current UBO process is “we ask the client to tell us who the shareholders are and upload whatever they have” — that is document intake. It is the start of a UBO process, not the completion of one.

What it costs

UBO pricing in IdentityCheck is structured to support firms running corporate-client work through Tranche 2 — included form access at higher tiers, per-report pricing for the ACN-sourced report itself, and clear upgrade math as your volume grows. The full per-tier breakdown lives on the IdentityCheck pricing page. For a tier-fit conversation specific to your firm’s corporate-client volume, get in touch and we’ll walk you through where the upgrade threshold sits for your shape of book.

What you do this week

The most useful thing you can do with this article is test it against one live corporate client.

Pick a company in your current book. Answer these questions:

Do you have a documented beneficial ownership record for this client? Not a copy of a document they sent you — a structured record showing who owns 25%+ of the entity, traced to natural persons.
Was that ownership verified against an authoritative register, or did it come solely from what the client told you?
Were the identified beneficial owners screened against PEP and sanctions lists? Not the director — the owners.
When did you last check whether the ownership structure has changed?

If any of those four answers is “no” or “I’m not sure,” you have a gap in your current process. That gap does not close itself between now and 1 July 2026.

For accounting firms doing corporate client work — trusts, companies, SMSFs, partnerships — beneficial ownership is the compliance layer that matters most. The individual KYC is the floor. The UBO process is what sits above it.

IdentityCheck’s UBO capability — ACN-sourced report, AML screening on each identified owner, audit-ready record — is available now. For example – firms using Karbon, the UBO flow is triggered from inside the Karbon task, writes back into the Karbon job, and sits in the same compliance record as the individual KYC. One workflow. One place to find it.

If the gap is there, start with one corporate client here and see what the report returns.