Beneficial Ownership Was the Hardest Part of KYC at Citi Dallas

I led the Citi Retail KYC transformation programme in Dallas from requirements through enterprise deployment. Beneficial ownership was the hardest component — not because the regulatory requirement was ambiguous, but because the data to satisfy it often did not exist.

FinCEN's Customer Due Diligence rule requires banks to identify the natural persons who ultimately own or control their legal entity customers. The rule is clear. Identify natural persons owning 25% or more of a legal entity. Identify one person with significant control.

Simple on paper. Every layer of a corporate structure is another question.

What I encountered in the Citi Dallas programme changed how I think about KYC programme design — and specifically about the difference between a technically complete programme and a defensible one.

---

Why beneficial ownership is harder than the rule suggests

The FinCEN CDD rule defines beneficial ownership in terms of natural persons. A natural person is a human being. The rule is designed to prevent legal entities from being used to obscure the identity of the humans who ultimately benefit from or control them.

The problem is that legal entities can own other legal entities, which own other legal entities, which are held in trust, which are registered in jurisdictions with no public ownership registry. Each layer is a legitimate legal structure that may have entirely legitimate purposes — and each layer is another question that needs to be answered before you reach a natural person.

In the Citi Dallas programme, I encountered four categories of beneficial ownership complexity that were representative of the broader portfolio challenge.

Multi-layer holding structures

Holding companies with six to eight layers of intermediate ownership between the account-holding entity and the ultimate natural person beneficial owner. Each layer required documentation: the entity at that layer, its ownership structure, the basis on which we determined the percentage held, and the source used to verify it.

Six layers means six separate ownership determinations, each requiring verification. For large corporate groups with international structures, this could mean ownership verification across multiple jurisdictions, each with different public registry access, different documentation standards, and different legal concepts of ownership and control.

The question was not whether to do this. The question was how to build a process that was consistent, documented, and scalable across a large portfolio.

Trust structures

Trust structures present a specific definitional problem. Under some trust arrangements, the legal beneficial owner as defined by trust law is the trustee — a fiduciary who holds assets for the benefit of beneficiaries but may exercise independent discretion over distributions.

FinCEN's rule targets natural persons who ultimately benefit from the entity. In a discretionary trust, the trustee holds the beneficial interest legally but distributes at discretion — the ultimate human beneficiary may be formally unidentifiable at any given point. In a fixed trust, the beneficiaries are defined but may themselves be legal entities requiring further tracing.

Our approach was to document the trust structure completely, identify the trustee (who was typically an institutional trustee — a corporate entity requiring its own beneficial ownership determination), trace the trust's beneficiaries as far as possible, and escalate to Enhanced Due Diligence where the chain did not resolve to a natural person within a defined number of steps.

Foreign entities without public registries

A significant number of legal entity customers had ownership structures that traced to entities incorporated in jurisdictions without accessible public ownership registries. For some jurisdictions, no public registry exists. For others, the registry exists but is not digitised, requires in-country legal representation to access, or does not require disclosure of beneficial ownership at registration.

The standard approach — verify ownership against the public registry — was simply not available for these entities. The alternatives were: rely on customer-provided documentation (with attendant verification challenges), engage third-party due diligence providers with in-country capability, or document the limitation and apply Enhanced Due Diligence risk controls.

Each of these alternatives has cost, timeline, and risk implications. Building the decision framework for which alternative to apply in which circumstances — and documenting that framework consistently — was a significant part of the programme design work.

Subsidiary accounts without parent KYC

The most operationally uncomfortable category: customers where Citi held accounts for subsidiaries of larger corporate groups but had no KYC on the ultimate parent company.

This situation arises in practice because account relationships are often established at the subsidiary level — the subsidiary is the contracting party, the subsidiary is the account holder, and from an operational perspective the subsidiary is the customer. The ultimate parent may be a globally recognised corporation. It may also be an entity whose ownership structure has never been traced to natural persons in the context of this account relationship.

Comfortable assumptions — "this is a well-known company, the parent is publicly listed, we know who they are" — are precisely what examiners probe. The fact that a parent company is publicly listed does not automatically satisfy the beneficial ownership requirement for the subsidiary account. The connection needs to be documented, the ownership percentage verified, and the ultimate natural person beneficial owners of the parent identified if they meet the 25% threshold.

---

The decision that added three months — and what it prevented

Early in the programme, I made a decision that was not universally popular: we would not accept "unable to determine" as a completed beneficial ownership status without documented justification of every step taken to make the determination.

The pressure to accept gaps was real. The programme had a timeline. The portfolio was large. Some ownership structures were genuinely opaque. The temptation was to mark them as "unable to determine" — which is a recognised status under the CDD rule — and move on.

My position was that "unable to determine" is a defensible conclusion only if you can demonstrate the steps you took to make the determination and why each step did not resolve the question. An "unable to determine" record with no documentation of the tracing steps is not a defensible conclusion. It is a gap with a label on it.

The requirement I set was:

Every beneficial ownership record, regardless of outcome, must document the ownership tracing steps taken, the sources consulted, the basis for any percentage calculation, and — if the determination was "unable to determine" — the specific reason at each step that prevented resolution to a natural person.

Where the documented tracing process reached a point that could not be resolved with standard due diligence, the case was escalated to Enhanced Due Diligence. EDD then applied additional investigation steps — third-party screening, adverse media review, senior relationship manager sign-off — and documented those steps as well.

This added three months to the programme timeline. It also meant we had zero beneficial ownership findings in subsequent OCC examination.

Not because our data was perfect. Because our process was documented and our escalations were justified.

---

What the OCC actually examines

The OCC does not expect perfection. Beneficial ownership for complex corporate structures is genuinely hard. Examiners know this. What they examine is the quality of the process, not the completeness of the outcomes.

In examination, the questions are:

When you encountered a complex ownership structure, what steps did you take? Can you show me the documentation of those steps? Where you could not resolve to a natural person, what was your escalation path? How did you apply risk-based judgement to decide when Enhanced Due Diligence was required? Can you demonstrate that the same process was applied consistently across the portfolio?

Banks that can answer these questions cleanly — with documented evidence — perform well in examination even when their beneficial ownership data has gaps. Banks that have technically complete data but undocumented processes often perform worse, because the examiner cannot verify that the completeness was achieved through a consistent, risk-based process rather than through assumptions and shortcuts.

The documentation discipline is not bureaucratic overhead. It is what transforms an effort into a defensible programme.

---

Building a beneficial ownership programme that survives examination

Based on the Citi Dallas experience and subsequent KYC programmes, three design principles consistently differentiate programmes that perform well in examination from those that generate findings:

Define the ownership tracing standard before you start. Before collecting a single piece of beneficial ownership data, define: how many layers of ownership will be traced, what sources are acceptable for verification at each layer, what constitutes a sufficient determination at a trust, what the escalation threshold to EDD is, and what documentation is required for each outcome including "unable to determine." Write this down. Get it approved. Apply it consistently.

The standard does not need to be perfect. It needs to be defensible and consistently applied. An examiner finding that 15% of your records have gaps is a much smaller problem if those gaps all follow the same documented escalation path than if they are random inconsistencies with no apparent process behind them.

Build the documentation workflow into the data collection tool, not as a separate step. If documentation of the tracing process requires a separate manual entry after the data collection is complete, it will not be done consistently. The documentation fields should be part of the same workflow as the ownership data fields — so that completing the beneficial ownership record means completing both the data and the documentation of how that data was obtained.

EDD escalation is a programme feature, not a programme failure. Some beneficial ownership structures will not resolve to natural persons through standard CDD procedures. This is expected and acceptable. The EDD escalation path exists precisely for these cases. A programme with a well-documented EDD escalation queue — with cases that clearly document why standard CDD was insufficient and what additional steps were taken — is demonstrating mature risk management. Treat EDD volume as a measure of the programme's rigour, not as evidence of incomplete work.

---

Frequently asked questions

What is beneficial ownership in banking KYC?

Beneficial ownership is the identification of natural persons who ultimately own or control a legal entity customer. Under FinCEN's CDD rule, banks must identify natural persons owning 25% or more of a legal entity and one person with significant control. The challenge is the data — multi-layered structures, trusts, foreign entities without registries, and subsidiary accounts without parent KYC all create gaps requiring documented tracing and EDD escalation.

What is the FinCEN CDD rule?

The FinCEN Customer Due Diligence rule requires covered financial institutions to identify and verify the beneficial owners of legal entity customers — natural persons owning 25% or more of equity interests, plus one control person. It applies at account opening and requires ongoing monitoring. It was designed to prevent legal entities from obscuring the identity of the humans who ultimately benefit from or control them.

What are the hardest beneficial ownership structures?

Multi-layer holding companies (six or more layers), trust structures where the beneficial owner is a trustee rather than an identifiable natural person, foreign entities without public ownership registries, and subsidiary accounts without KYC on the ultimate parent. Each requires documented ownership tracing and, where resolution is not possible, escalation to EDD with documented justification.

What does the OCC expect in a KYC examination?

A defensible process — not perfect data. Documented ownership tracing showing the steps taken, clear escalation procedures, consistent application across the portfolio, and evidence that gaps were not simply accepted without justification. Banks with documented processes and justified escalations consistently outperform banks with technically complete data but undocumented processes.

---

Found this useful? I write weekly on banking compliance, KYC programme design, and the lessons 24 years at Citi and Standard Chartered taught me about building programmes that survive regulatory scrutiny. Subscribe to the newsletter — no spam, unsubscribe anytime.

Building a beneficial ownership or CDD programme? Explore my consulting services or get in touch directly.

Raj Thilak is Head of Technology for Data & Analytics with 24 years at Citi and Standard Chartered. He led the Citi Retail KYC transformation programme in Dallas from requirements through enterprise deployment. Based in Pune, India. rajthilak.dev