Skip to content
AuditFront
WHO.4 EU Sanctions DD

EU Sanctions DD WHO.4: Shell Company and Complex Structure Assessment

What This Control Requires

Are there intermediaries, shell companies, or complex corporate structures without clear economic justification?

In Plain Language

The use of intermediaries, shell companies, or overly complex corporate structures that do not match the business profile is a key circumvention red flag identified by the European Commission circumvention guidance (September 2023).

Legitimate businesses use multi-entity structures for good reasons: tax efficiency, local regulatory compliance, operational separation, or historical acquisitions. The red flag is not complexity itself but complexity without economic justification.

Particularly suspect are offshore entities in opaque jurisdictions, recently formed companies with no track record, registered addresses shared with many other entities, and layered holding structures where each entity has no employees or genuine business activity.

How to Implement

Map out the full corporate structure of each counterparty. Every entity in the chain should serve a clear commercial purpose - tax efficiency, local regulation, operational needs, or historical acquisition.

Red flags to investigate: - Multiple layered holding companies in different jurisdictions with no employees - Entities incorporated shortly before the business relationship began - Registered addresses shared with many other companies (mass-registration agents) or at residential addresses - Entities in jurisdictions with low transparency and no public registry of beneficial owners - Corporate structures that changed significantly after sanctions designations - Intermediaries that add no visible value (no warehousing, no local compliance, no technical support)

Request and verify: incorporation documents, financial statements (do they show genuine revenue and expenses?), proof of employees and physical premises, and evidence of genuine business activity.

Compare the structure's complexity against what would be normal for the type and size of business. A small trading company with 8 holding entities across 5 jurisdictions needs explaining.

Evidence Your Auditor Will Request

  • Corporate structure mapping for each counterparty showing all entities and their purpose
  • Assessment of economic justification for each entity in the ownership chain
  • Verification of genuine business activity: financial statements, employee records, premises
  • Red flag analysis of recently formed entities, shared addresses, and opaque jurisdictions
  • Documentation of any concerns identified and risk mitigation measures applied

Common Mistakes

  • Accepting counterparty self-descriptions of corporate structure without independent verification
  • Not investigating the commercial rationale for complex multi-jurisdictional structures
  • Failing to check whether intermediary entities have genuine business operations
  • Ignoring recently formed entities in the ownership chain as a potential red flag
  • Not mapping the full corporate structure - stopping at the direct counterparty level

Related Controls Across Frameworks

Framework Control ID Relationship
EU Sanctions DD EU Sanctions DD WHO.2 (related mapping) Related
EU Sanctions DD EU Sanctions DD WHO.5 (related mapping) Related
EU Sanctions DD EU Sanctions DD GEO.3 (related mapping) Related

Frequently Asked Questions

What makes a corporate structure suspiciously complex?
Complexity is suspicious when it lacks economic justification. A multinational with operations in 20 countries naturally has a complex structure. A small trading company with 8 holding entities across 5 jurisdictions does not. Key indicators: entities with no employees, no revenue, no physical presence; holding companies in secrecy jurisdictions; structures that changed recently without business rationale; and intermediaries that add no visible commercial value.
Which jurisdictions are considered high-risk for shell structures?
Jurisdictions with limited transparency, no public beneficial ownership registries, and weak enforcement are higher risk. Traditional offshore centres (BVI, Seychelles, Panama, Cayman Islands) are well known, but structures can also use onshore jurisdictions with limited registry access. The EU's list of non-cooperative jurisdictions and the FATF grey/black lists provide guidance, but the key test is whether you can verify the actual beneficial owner through public sources.
How do we verify that an entity has genuine business activity?
Request and review: audited financial statements (look for genuine revenue, costs, and assets), evidence of employees (headcount, payroll records), physical premises (address verification through mapping tools or site visits), trade records (invoices, shipping documents), industry memberships, and regulatory licences. A genuine business leaves a documentary trail. An entity that exists only on paper does not.

Track EU Sanctions DD compliance in one place

AuditFront helps you manage every EU Sanctions DD control, collect evidence, and stay audit-ready.

Start Free Assessment