
Multi-Layered Corporate Structures: A Risk-Scoring Framework for Escalation Decisions

A holding company in the UK owns a subsidiary in Luxembourg. That subsidiary owns a shell company in the BVI. The BVI entity owns 40% of a trading company in Dubai.
Who is the beneficial owner?
If your answer is "it depends," you're already behind. Because while you figure it out, regulators expect you to have already flagged it, documented it, and escalated it to senior compliance.

The problem? No regulator gives you a clean number. FATF Recommendation 10 says apply enhanced due diligence to "complex ownership structures." The EU's Anti-Money Laundering Directives reference "opaque beneficial ownership." The FCA's Financial Crime Guide flags structures that are "unnecessarily complex."

None of them tell you what "complex" actually means.

This article does.

Below is a risk-scoring framework that gives compliance analysts a repeatable, defensible method for deciding when ownership layers cross from standard due diligence into enhanced due diligence territory. No gut feel. No inconsistency between analysts. Just a scored decision.


Why Companies Stack Ownership Layers

Before we get to the framework, let's be clear: multiple ownership layers are not inherently suspicious. Companies use them every day for legitimate reasons.

Legitimate reasons
  • Tax efficiency. Cross-border structures often route through jurisdictions with favorable double-taxation treaties. A UK parent holding a Dutch BV that owns an Asian operating subsidiary is a textbook tax-efficient structure.
  • Liability separation. Real estate developers, PE funds, and infrastructure operators use layered SPVs to isolate liability across projects.
  • Regulatory compliance. Some jurisdictions require a local holding entity to operate. A foreign company entering India, for instance, may need an Indian subsidiary, which in turn may need project-specific entities.
  • IP protection. Technology companies often hold intellectual property in a separate entity from the operating business.

Evasion reasons
  • Obscuring the UBO. The most common motivation. Each additional layer — especially across borders — makes it harder for compliance teams to trace through to the natural person with ultimate control.
  • Sanctions circumvention. The FATF specifically notes that DPRK "frequently uses front companies, shell companies, joint ventures and complex, opaque ownership structures for the purpose of violating sanctions."
  • Layering illicit funds. Money laundering's second stage — layering — literally describes the process of moving funds through multiple entities to distance them from their criminal origin.
  • Tax evasion. Unlike tax efficiency (legal), evasion structures use layers to hide income from tax authorities entirely.

The compliance problem is straightforward: you often can't tell the difference between the legitimate and the illegitimate without digging through every layer. And when the structure spans three, four, or five jurisdictions — each with different disclosure requirements — the cost of investigation escalates fast.

That's exactly why you need a framework.


The Problem With "Complex Structure" as a Risk Trigger

Ask five compliance analysts at the same institution when an ownership structure becomes "complex" enough to trigger enhanced due diligence. You'll get five different answers.

This inconsistency is not theoretical. It has real consequences.

When the FCA fined Barclays £72 million, a central finding was that the bank applied a lower level of checking than required for PEPs using offshore entities spread across multiple jurisdictions. When MAS imposed S$27.45 million in fines on nine financial institutions in 2025, the enforcement actions highlighted failures in identifying beneficial ownership across complex corporate networks. When Deutsche Bank was fined £163 million, the regulator found that failings in overseeing customer relationships with complex structures exposed the UK financial system to crime risks.

The pattern is consistent: the institutions failed not because they didn't know the structures were layered, but because they lacked a systematic method for deciding when that layering warranted escalation.

FATF Recommendation 10 says to apply enhanced due diligence to higher-risk relationships. Recommendation 24 requires countries to ensure adequate beneficial ownership information is available. But neither provides a numeric threshold. Neither says "three layers = EDD trigger."

Most compliance teams fill this gap with analyst judgment. The result: inconsistent risk treatment across the same portfolio — exactly the finding regulators look for during examinations.


The Layer-Risk Scoring Framework

This framework replaces gut feel with a scored decision. It evaluates four variables — layer count, jurisdiction opacity, entity type, and modifier presence — and produces a composite score that maps to a specific action.

Variable 1: Ownership Layer Count

| Layers | Base Score | Rationale |
| --- | --- | --- |
| 1–2 | 1 | Standard corporate structuring. Common in domestic and simple cross-border setups. |
| 3–4 | 3 | Elevated complexity. Legitimate in PE, funds, and multinationals — but warrants closer review. |
| 5–6 | 5 | Unusual outside large multinationals and investment fund structures. |
| 7+ | 7 | Rare outside deliberate obfuscation or fund-of-fund arrangements. |

How to count layers: Start from the entity you're onboarding. Count each corporate entity between that entity and the first natural person who meets the UBO threshold (typically 25% ownership or significant control). Each entity in the chain = one layer. If the chain branches, count the longest branch.

Variable 2: Jurisdiction Opacity Score

Not all layers carry the same risk. A three-layer structure through the UK, Netherlands, and Germany is categorically different from one through BVI, Seychelles, and Panama.

| Jurisdiction Category | Score Per Layer | Examples |
| --- | --- | --- |
| High transparency | 0 | UK, Netherlands, Germany, Singapore, Australia, Canada |
| Moderate transparency | 1 | USA (Delaware, Nevada, Wyoming), Luxembourg, Hong Kong, UAE (mainland) |
| Low transparency | 2 | BVI, Seychelles, Marshall Islands, Vanuatu, Samoa |
| FATF high-risk / grey list | 3 | DPRK, Iran, Myanmar, plus current FATF grey list |

Calculation: Sum the opacity score for each layer in the chain. A 4-layer structure going UK → Luxembourg → BVI → Seychelles = 0 + 1 + 2 + 2 = 5.

Variable 3: Entity Type Risk

| Entity Type | Score | Why |
| --- | --- | --- |
| Operating company (employees, revenue) | 0 | Tangible business activity reduces obfuscation risk. |
| Holding company | 1 | Legitimate but adds structural distance from operations. |
| SPV / SPC | 2 | Common in finance but also in laundering. |
| Shell company (no employees, no operations) | 3 | Highest obfuscation risk. FinCEN guidance specifically flags these. |
| Trust or foundation | 3 | Separates legal ownership from beneficial interest by design. |

Calculation: Take the highest-scoring entity type in the chain. If any entity is a shell company, the score is 3.

Variable 4: Red Flag Modifiers

Binary signals. Each one present adds to the composite score.

| Modifier | Score | Description |
| --- | --- | --- |
| Nominee shareholders or directors | +3 | Someone else is hiding behind the named individual. |
| Circular ownership | +4 | Almost never legitimate. Designed to prevent tracing. |
| Rapid structural changes (<90 days old) | +2 | New entity + immediate large transaction = classic layering. |
| Bearer shares | +3 | Ownership changes hands without any paper trail. |
| Mismatched business purpose | +2 | No operational logic across adjacent layers. |
| Free Trade Zone registration | +1 | Lighter disclosure requirements in many FTZs. |
| Cross-border mixing (3+ countries) | +1 | Each border crossing adds investigative cost. |

Composite Score → Action Map

| Score | Risk Level | Required Action |
| --- | --- | --- |
| 0–4 | Standard | Standard CDD. Proceed with normal onboarding. Document the structure. |
| 5–9 | Elevated | Enhanced monitoring. Flag for periodic review. Document rationale for not escalating. |
| 10–14 | High | EDD required. Senior compliance review. Full UBO trace through every layer. |
| 15–19 | Very High | EDD + senior management sign-off. Consider independent verification. |
| 20+ | Critical | Potential SAR trigger. Escalate to MLRO immediately. Consider declining. |

Worked Example

Entity: Trading company registered in Dubai FTZ

Dubai FTZ Entity → BVI Holding → Luxembourg SPV → Seychelles Trust → Natural Person (PEP)

| Variable | Score |
| --- | --- |
| Layer count: 4 layers | 3 |
| Jurisdiction opacity: Dubai FTZ (1) + BVI (2) + Luxembourg (1) + Seychelles (2) | 6 |
| Entity type: Trust in chain (highest risk) | 3 |
| Modifiers: FTZ registration (+1) + Cross-border 4 countries (+1) | 2 |
| TOTAL | 14 → Enhanced Due Diligence required |

Top of "High" range. Any additional flag pushes into "Very High."

Jurisdiction Multipliers: Not All Layers Are Equal
High-Opacity Jurisdictions

British Virgin Islands (BVI). Over 400,000 active companies on an island with a population of 30,000. The BVI's register of beneficial owners is not publicly accessible. While the country has implemented a beneficial ownership secure search system for UK law enforcement, commercial due diligence teams cannot access it.

Seychelles. IBCs do not require public disclosure of shareholders. The registry has limited enforcement capacity. Seychelles appeared repeatedly in the Pandora Papers as a favored jurisdiction for obfuscation.

Marshall Islands. Popular for maritime and offshore structuring. Minimal disclosure requirements. Frequently used in layered structures involving shipping and energy.

Moderate-Opacity Jurisdictions

Delaware (USA). Delaware LLCs do not require disclosure of members or managers to the state. Formation takes hours and costs under $200. Over 1.9 million business entities are registered there. The Corporate Transparency Act intended to address this, but enforcement for domestic companies was suspended under the current administration.

Luxembourg. A major holding company jurisdiction. Luxembourg's Register of Beneficial Owners (RBE) exists, but a 2022 court ruling restricted public access.

Dubai Free Trade Zones. Dubai has over 30 FTZs, each with its own authority. Disclosure requirements vary. DIFC and ADGM apply higher standards; some zones have minimal beneficial ownership requirements.

Transparent Jurisdictions

United Kingdom. Companies House maintains a publicly accessible PSC register. Enforcement of filing accuracy has been criticized, but data is available for verification.

Netherlands. The UBO register is maintained by the Chamber of Commerce. Access was restricted following a 2022 CJEU ruling but remains available to obliged entities.

Singapore. The RORC requires companies to identify and record controllers. Singapore's 2025 reforms under the Companies and Limited Liability Partnerships (Miscellaneous Amendments) Act and the Corporate Service Providers Act further strengthen nominee disclosure and increase fines.

The Jurisdiction-Mixing Signal

When a structure spans three or more jurisdictions, investigative cost increases nonlinearly. Each jurisdiction means a different registry, different data format, different language, and different level of publicly available information.

A UK → Netherlands → Germany structure can be traced using publicly accessible registries. A UK → BVI → Seychelles structure cannot — because two of those three jurisdictions don't provide public access to beneficial ownership data. Cross-border jurisdiction mixing is how sophisticated launderers create investigative dead ends.


Red Flag Modifiers That Override the Layer Count

Some characteristics should trigger enhanced scrutiny regardless of how many layers exist. Even a two-layer structure with one of these flags warrants a closer look.

Nominee Shareholders or Directors

A nominee holds a position on behalf of someone else. The practice is legal. But when nominees appear in a multi-layered structure, they add obfuscation that is, by design, difficult to trace.

Singapore's High Court set a precedent in 2025 by imposing a 10-month jail term on nominee directors who acted for hundreds of companies without exercising control. The result: scam proceeds exceeding US$2.4 million flowed through undetected.

What to check: Ask whether any director or shareholder is acting in a nominee capacity. If the entity is in a jurisdiction with nominee disclosure (UK, Singapore, Netherlands), verify the register. If not, request a declaration.

Circular Ownership

Company A owns B. B owns C. C owns A. This structure has almost no legitimate purpose. Its function is to prevent tracing by creating a loop with no terminus.

What to check: Map the full chain. If it loops back to any entity already present, stop. This is an automatic EDD trigger.

Rapid Structural Changes

An entity incorporated three weeks before a $5 million transaction is a different risk than one operating for ten years. FinCEN's guidance specifically notes that newly formed companies "do not yet have any reportable history."

What to check: Verify the incorporation date of every entity. Any entity less than 90 days old should trigger additional questions.

Bearer Shares

Ownership instruments where the person physically holding the certificate is the owner. No register records the transaction. While most jurisdictions have abolished them, they still exist in a handful of countries.

What to check: Identify whether any entity is registered in a jurisdiction that still permits bearer shares. Confirm whether conversion to registered shares has occurred.

Mismatched Business Purpose

A tech holding in Ireland owns a shipping entity in the Marshall Islands, which owns a real estate SPV in Dubai. No operational logic connects these entities.

What to check: Review the stated business purpose of each entity. If adjacent layers have no connection, document why and consider escalation.


Three Enforcement Cases Compliance Teams Should Know
Case 1: Barclays — £72 Million (FCA, 2015)

What happened: Barclays facilitated a £1.88 billion transaction for PEPs using offshore entities spread across jurisdictions. The structure involved purchasing secured notes through several offshore companies, with proceeds moving through temporary accounts in different currencies, ending in a trust.

What went wrong: Lower due diligence than required. No full trust deed obtained. Records kept on paper to avoid internal scrutiny. The team kept the deal confidential from other departments.

Lesson: The FCA found that "Barclays went to unacceptable lengths to accommodate the clients." Layered structures involving PEPs require full document trails for every entity in the chain.

Case 2: Danske Bank — $2 Billion (Multi-Jurisdiction, 2022)

What happened: ~€200 billion in suspicious flows from non-resident clients passed through the Estonian branch between 2007 and 2015. Clients used layered shell company structures across jurisdictions to obscure fund origins.

What went wrong: CDD controls severely deficient. The branch was used for tax evasion and potentially terrorism financing. Danske Bank pleaded guilty to fraud in the US for misleading American banks about its Estonian AML controls.

Lesson: When hundreds of non-resident clients use layered structures through a single branch, the aggregate pattern should trigger escalation. Systematic framework-based screening catches what individual analyst judgment misses.

Case 3: Singapore S$3 Billion Laundering (MAS, 2025)

What happened: Ten individuals laundered ~S$3 billion through Singapore using shell companies, nominee directors, and complex ownership chains to acquire luxury assets. MAS fined nine financial institutions S$27.45 million combined.

What went wrong: Institutions failed to verify beneficial ownership across corporate structures. Nominee directors were appointed across hundreds of entities without scrutiny.

Lesson: Nominee directors appearing across multiple entities is a systemic signal. Your EDD framework should flag when the same nominee appears in multiple relationships within your portfolio.


The Escalation Checklist

Use this when onboarding or reviewing any entity with more than two ownership layers. Complete all items. Document your findings.

  1. Map the full ownership chain. Identify every entity between the subject and the natural person(s) with ultimate control. Count the layers.
  2. Identify each jurisdiction. Note the transparency level. Flag FATF grey- or black-list jurisdictions.
  3. Classify each entity type. Operating company, holding, SPV, shell, or trust? Note the highest-risk entity.
  4. Check for nominees. Are any directors or shareholders acting in a nominee capacity? Verify against local registries.
  5. Check for circular ownership. Does the chain loop back to any entity already in the structure?
  6. Verify incorporation dates. Is any entity less than 90 days old?
  7. Check for bearer shares. Are any entities in jurisdictions that still permit them?
  8. Assess business purpose alignment. Does each entity's purpose logically connect to adjacent layers?
  9. Calculate the composite score. Use the framework above. Document the score and triggered action.
  10. Document your decision. Whether you escalate or not, write down why. Regulators want evidence of deliberate, defensible methodology.
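
The checklist's scoring step, worked through as an added Python example (not part of the original article and not Zavia.ai's code). The `Entity` fields, flag names, country codes and dates are assumptions made for illustration; the chain passed in is the longest branch, and circular ownership is floored at "High" because the article treats it as an automatic EDD trigger.

```python
from dataclasses import dataclass
from datetime import date

# Score tables transcribed from the framework in this article.
OPACITY = {"high": 0, "moderate": 1, "low": 2, "fatf_listed": 3}
ENTITY_TYPE = {"operating": 0, "holding": 1, "spv": 2, "shell": 3, "trust": 3}
MODIFIERS = {"nominee": 3, "circular": 4, "rapid_change": 2, "bearer_shares": 3,
             "mismatched_purpose": 2, "ftz": 1, "cross_border": 1}
LEVELS = ["Standard", "Elevated", "High", "Very High", "Critical"]

@dataclass(frozen=True)
class Entity:  # hypothetical record; field names are assumptions
    name: str
    country: str
    transparency: str   # key into OPACITY, assigned by the analyst
    kind: str           # key into ENTITY_TYPE
    incorporated: date
    ftz: bool = False

def layer_score(n):
    """Base score for n layers: 1-2 -> 1, 3-4 -> 3, 5-6 -> 5, 7+ -> 7."""
    return 1 if n <= 2 else 3 if n <= 4 else 5 if n <= 6 else 7

def risk_level(total):
    """Action-map band: 0-4, 5-9, 10-14, 15-19, 20+."""
    return LEVELS[min(total // 5, 4)]

def derived_flags(chain, as_of):
    """Modifiers that can be computed from the chain itself."""
    flags = set()
    names = [e.name for e in chain]
    if len(set(names)) < len(names):            # chain revisits an entity
        flags.add("circular")
    if any((as_of - e.incorporated).days < 90 for e in chain):
        flags.add("rapid_change")
    if any(e.ftz for e in chain):
        flags.add("ftz")
    if len({e.country for e in chain}) >= 3:
        flags.add("cross_border")
    return flags

def score_chain(chain, as_of, analyst_flags=()):
    """Score one ownership branch, subject entity first, natural person excluded."""
    if not chain:
        raise ValueError("chain must contain at least the subject entity")
    unknown = set(analyst_flags) - set(MODIFIERS)
    if unknown:
        raise ValueError(f"unknown modifier(s): {sorted(unknown)}")
    flags = derived_flags(chain, as_of) | set(analyst_flags)
    # Count each entity once so a loop does not inflate layer and opacity scores.
    layers = list({e.name: e for e in chain}.values())
    parts = {
        "layers": layer_score(len(layers)),
        "opacity": sum(OPACITY[e.transparency] for e in layers),
        "entity_type": max(ENTITY_TYPE[e.kind] for e in layers),
        "modifiers": sum(MODIFIERS[f] for f in flags),
    }
    total = sum(parts.values())
    level = risk_level(total)
    # The article treats circular ownership as an automatic EDD trigger,
    # so the level never falls below "High" when a loop is present.
    if "circular" in flags and LEVELS.index(level) < LEVELS.index("High"):
        level = "High"
    return {**parts, "total": total, "level": level, "flags": sorted(flags)}

# Constructed sample data: the article's worked example (dates are invented).
OLD = date(2015, 1, 1)
WORKED_EXAMPLE = [
    Entity("Dubai FTZ Entity", "AE", "moderate", "operating", OLD, ftz=True),
    Entity("BVI Holding", "VG", "low", "holding", OLD),
    Entity("Luxembourg SPV", "LU", "moderate", "spv", OLD),
    Entity("Seychelles Trust", "SC", "low", "trust", OLD),
]
```

Calling `score_chain(WORKED_EXAMPLE, as_of=date(2025, 1, 1))` reproduces the worked example's breakdown; flags that need analyst judgment (nominee, bearer shares, mismatched purpose) are passed in `analyst_flags`.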

How Zavia.ai Changes the Calculus

Manual UBO tracing breaks down at scale. A compliance analyst can trace a three-layer domestic structure in an hour. A five-layer cross-border structure spanning BVI, Luxembourg, and Dubai? That can take days — if the data is even accessible.

Zavia.ai connects directly to government registries worldwide, pulling real-time corporate structure data and mapping ownership chains across jurisdictions automatically. Instead of an analyst manually requesting documents from each entity in the chain, Zavia traces the full ownership path — including branches, thresholds, and cross-border connections — in seconds.

The practical impact on the framework above:

  • Layer counting becomes automated. Zavia maps the full structure and counts layers as part of the output.
  • Jurisdiction scoring becomes dynamic. The platform flags high-opacity jurisdictions and FATF-listed countries automatically.
  • Nominee detection improves. Zavia's AI-powered pattern recognition across thousands of entities surfaces nominees who appear across multiple structures — something no individual analyst would catch.
  • Circular ownership is flagged instantly. Zavia detects loops in ownership graphs that would take manual analysts hours to map.
  • Customizable UBO thresholds. Set your ownership threshold at 25% (EU standard), 10% (enhanced due diligence), or any custom level — Zavia recalculates the full ownership tree accordingly.

The shift is from reactive escalation — where an analyst encounters a complex structure and has to decide what to do — to proactive risk scoring, where Zavia pre-scores every entity and surfaces the ones that need attention.

For compliance teams dealing with hundreds or thousands of entity relationships, this isn't a nice-to-have. It's the difference between consistent, defensible EDD decisions and the kind of inconsistent analyst judgment that regulators penalize.

Stop Guessing. Start Scoring.
Zavia.ai maps multi-layered ownership structures across 200+ countries using real-time government registry data and AI-powered UBO resolution.

Frequently Asked Questions
Common questions about multi-layered corporate structures and enhanced due diligence.
A multi-layered corporate structure is a chain of two or more corporate entities where each owns or controls the one below it. For example, a parent company in the UK may own a holding company in Luxembourg, which owns an operating subsidiary in Dubai. Each entity represents one "layer." These structures are common in international business for tax efficiency, liability separation, and regulatory compliance — but they can also obscure the identity of the ultimate beneficial owner.
No regulator specifies an exact number. FATF Recommendation 10 requires enhanced due diligence for higher-risk relationships, with "complex ownership structures" cited as a risk factor. The number of layers alone is not sufficient — the jurisdictions involved, entity types, and red flags like nominee directors or circular ownership all affect the risk assessment. A risk-scoring framework that evaluates all of these factors provides a more defensible basis for escalation than a simple layer count.
A beneficial ownership risk-scoring framework is a structured method for evaluating corporate ownership chain risk. It assigns scores to measurable variables — layer count, jurisdiction transparency, entity types, and red flag indicators — and produces a composite score that maps to a specific due diligence action. This replaces individual analyst judgment with a repeatable, auditable process.
Key red flags include: nominee shareholders or directors at any layer, circular ownership patterns, entities incorporated within 90 days of a transaction, bearer shares, mismatched business purposes between adjacent entities, and structures spanning three or more high-opacity jurisdictions. Each indicator — alone or combined — increases the risk that the structure is designed to obscure the ultimate beneficial owner.
Jurisdictions with limited or no public beneficial ownership disclosure are higher risk. Examples include BVI, Seychelles, Marshall Islands, Vanuatu, and Samoa. Moderate-opacity jurisdictions like Delaware, Luxembourg, and Dubai FTZs provide some transparency but with significant gaps. The FATF also publishes high-risk and grey-list jurisdictions carrying additional regulatory scrutiny. Classifications should be updated regularly as jurisdictions reform.
Standard CDD involves identifying the customer, verifying identity, and understanding the business relationship. Enhanced due diligence goes further: deeper investigation into ownership chains, source of wealth, source of funds, and the commercial rationale for the structure. For complex structures, EDD means tracing every layer to the natural person with ultimate control, verifying each entity's purpose, and obtaining senior compliance sign-off.
Nominees hold positions on behalf of someone else. While legal, they add a layer of obfuscation between the named individual and the person who actually controls the company. In multi-layered structures, nominees can appear at multiple levels, creating a chain where no natural person appears to have control. Singapore's 2025 legislative reforms and its High Court sentencing precedent for negligent nominee directors reflect the growing regulatory focus on this risk.
Circular ownership occurs when the ownership chain loops back to an entity already in the structure — e.g., Company A owns B, B owns C, C owns A. This creates a structure with no discernible UBO, as tracing leads in a circle. Circular ownership has almost no legitimate commercial purpose and is a strong indicator of deliberate obfuscation. It should trigger immediate EDD and escalation to senior compliance.
Yes. Platforms like Zavia.ai connect to government registries worldwide and map corporate ownership chains automatically. They count ownership layers, flag high-risk jurisdictions, detect nominee patterns across thousands of entities, and identify circular ownership in seconds. For compliance teams managing large portfolios, these tools transform EDD from a reactive, case-by-case exercise into a proactive, portfolio-wide risk screening process.
At minimum: the full ownership chart from subject entity to UBO, the jurisdiction and entity type of each layer, the scoring rationale used to determine due diligence level, the source of each ownership link (registry data, client documents, or third-party verification), any red flags identified and their resolution, and senior sign-off where required. Regulators consistently cite the absence of documented rationale as a key failing — even when the institution made the correct decision.