Eric Lochner on customer due diligence: UBOs in diapers

Performing due diligence on third parties can be hard. When you discover that your third party is still in diapers, however — that’s pretty much a surefire sign something is amiss.

The diaper scenario isn’t made up. Earlier this year the watchdog group Global Witness reported that 4,000 toddlers are listed as beneficial owners of companies registered in the United Kingdom.

Five individuals in the UK Companies House registry are listed as owning more than 6,000 corporate entities.

Filing a bogus corporate registration is easy to do, complete with fictional executives, fictional funding, and fictional names.

The United States is little better. Corporate ownership is registered at the state level, with Delaware leading the country in registrations specifically because creating a new legal entity is so quick and easy. We could say the same for registries in Panama, the Bahamas, and elsewhere.

The scandals of the Panama Papers (2015) and the Paradise Papers (2017) are rooted in trusts, shell companies, and other corporate structures all legally registered but cloaked in ownership mystery.

Such stories are all the more unsettling to compliance professionals these days, as the May 11 deadline draws near for new customer due diligence (CDD) rules to go into effect in the United States. Those rules will require financial firms to identify and verify the beneficial owners and controllers of legal entities doing business with the firm.

At the preliminary level, companies can rely on evidence supplied by the customer about beneficial owners and controllers. That is, the person opening the account can supply the documentation you need, and that can suffice provided that your firm “has no knowledge of facts that would reasonably call into question the reliability of such information.”

That provision alone can be a big if. Other parts of the CDD rules specify that a firm must perform enough due diligence to develop a risk profile of the customer, so you can implement effective monitoring after the account is opened and detect suspicious transactions.

All of that means firms will need to perform better due diligence on customers. And as we see from the 4,000 toddlers supposedly running businesses in Britain, while screening beneficial ownership data against corporate registries is a useful first step, by no means should it be the only step.

Effective customer due diligence must be able to withstand the scrutiny of hindsight. After an adverse incident happens, somebody — a regulator, the board, an auditor, an angry public on social media — will ask, “How did this legal entity become a customer? What did your firm do to try to determine that this customer was legitimate?”

Questions in hindsight can be painful, and not always fair. Compliance officers need to answer them anyway.

First, your employees will gather that ownership information from the customer opening the account. You will also need to collect more information about, as the rules say, “the nature and purpose of customer relationships.”

Should any of that information raise suspicions, more due diligence will be required. Corporate registries are slowly becoming more useful to answer those questions, but more in-depth screens and investigations will still be part of the toolkit — probably until long after those 4,000 toddlers are grown adults in the corporate world themselves.


Eric Lochner, pictured above, @ELochner1 is the President and CEO of global intelligence and software firm Steele Compliance Solutions, Inc. | @SteeleGlobal. Steele provides comprehensive third-party due diligence, software-as-a-service (SaaS) solutions that help organizations comply with regulatory third-party compliance requirements, and engaging compliance training. Eric has more than two decades of experience building successful global technology companies.  

Steele’s Whitepaper, “5 Steps to Implementing a Risk-Based Due Diligence Program,” can be requested here.

  1. The information shared seems to support that even with all the wonderful technology that exists for CDD there is a need for the element of human review. Those experienced resources do exist as a cost effective solution to support CDD programs.

  2. There are cost effective ways to conduct advanced due diligence. It just requires incorporating shell company flags and analytics into the DD process. Once you know what to look for, these entities are pretty easy to spot. Compliance, investigative and audit professionals need more training and awareness in this area as well. I just wrote about the increasing risks that shell companies pose to organizations and how traditional due diligence isn't cutting it. Anonymous shell companies rising:
    Why organizations should be concerned about this growing threat.
