Commercial Onboarding: The Framework Behind the Paperwork

Commercial onboarding feels complicated, but underneath the complexity is a clear, learnable framework. Understand it, and you can navigate the process yourself, explain it to clients, and diagnose where your institution may be creating unnecessary friction.

The process takes an average of 49 days and costs $14,700 per client, according to research by Celent commissioned by nCino. That pace has a second cost that doesn't show up on the invoice. Fenergo's Financial Crime Industry Trends 2025 report highlights that globally, 70% of financial institutions lost clients last year because of slow, inefficient onboarding, up from 67% the year before.

The institutions that streamline the process gain a measurable competitive advantage. The ones that don’t leave revenue on the table.

If you've recently stepped into a role with ownership over commercial onboarding, you already know the process is highly complex. Many institutions struggle with it. The documentation piles up, the regulatory vocabulary shifts depending on who's explaining it, and the concern is real: you don't want to get something wrong in front of a client, a colleague, or a regulator.

Every stage of the process exists because your institution needs to understand who it's doing business with. The steps required are far more complex for a commercial client than a consumer one, and the requirement that makes it so complex is beneficial ownership: the question of who truly owns and controls a business. Once you understand that requirement, all the documentation demands, extended timelines, and client frustration start to make sense.

To get there, it helps to start from the beginning: why commercial onboarding works the way it does, what each stage is trying to accomplish, and how to pinpoint where the friction at your institution starts.

Commercial Onboarding vs. Consumer Account Opening

Commercial onboarding operates on entirely different logic from opening a consumer bank account. When a consumer walks into a branch and opens a checking account, the bank is dealing with one individual's identity: is this person who they say they are? The complexity is bounded. Commercial onboarding asks a different set of questions:

• Who owns this business, and in what proportions?

• Who controls it, regardless of ownership?

• What does it actually do?

• Where does it operate?

• What transaction volumes should you expect, and do those volumes create financial crime exposure?

Your institution isn't just answering who a person is. It's answering a more complex, layered set of questions about ownership, control, business activity, and risk, and the documentation requirements follow that difference.

McKinsey reports case managers at some institutions collect upward of 100 documents across 150 data fields for a single commercial onboarding. Behind every one of those data fields is a step that takes time, a handoff that can stall even further, and a client waiting on the other end. That volume is what causes friction and may have your client wondering if the rest of the relationship will be this slow. Commercial onboarding is relationship establishment, not just account opening.

The good news is that the regulatory logic underneath this process is consistent across markets globally. The US Bank Secrecy Act and Customer Identification Program, the EU Anti-Money Laundering Regulation, and their equivalents in every major jurisdiction all start from the same premise: before a commercial banking relationship can begin, the institution needs to understand what it's entering into. The specific rules and citations differ by market. The underlying obligation doesn't.

That obligation also doesn't have an expiration date. All the information your institution collects during onboarding becomes the foundation for ongoing monitoring, periodic reviews, and every future decision about that client relationship. Onboarding is just the first chapter of a broader client lifecycle that determines whether your institution retains, grows, or eventually loses that relationship.

Four Stages, One Underlying Question: Who Really Owns This Business?

Commercial onboarding can be broken up into four stages, each one answering specific questions. Skip one, and the stages that follow sit on an unstable foundation. Here's what each stage is asking and why it exists.

Stage 1: Customer Identification

Who is this legal entity, and does it exist?

The first stage is the most basic. It’s also the foundation that everything else builds upon, so nothing moves forward without it. Before the banking relationship can begin, you have to confirm the entity’s legal registration, tax identification, and the government-issued identification of key individuals. Every major jurisdiction requires this first step.

Stage 2: Customer Due Diligence (CDD)/Know Your Business (KYB)

Who controls this business, what does it do, and what risk does it represent?

CDD moves beyond the legal existence of a business and into the substance of the business, especially the people behind it. You'll hear both "CDD" and "KYB" used to describe this stage. KYB is industry shorthand for the CDD requirements that apply specifically to businesses. They refer to the same underlying obligation, so if you hear both terms used interchangeably, that's why. But keep in mind: they're still distinctly different concepts with specific purposes. CDD rests on four pillars, present in every major market:

• Identity verification

• Beneficial ownership determination

• Business purpose assessment

• Ongoing monitoring

Each one exists because the more complex a business is, the more risk the banking relationship carries. The beneficial ownership pillar is widely considered to be the most complex and challenging part of CDD. Understanding it can help the rest of the process make sense — more on that soon.

Stage 3: Sanctions Screening

Is this entity, or any individual associated with it, on a prohibited list?

The third stage checks entities against official government watchlists.

In many workflows, sanctions screenings run concurrently with Anti-Money Laundering (AML) and CDD, which often leads people to lump them together. That's a common error worth correcting. Sanctions carry separate regulatory authority and separate enforcement in most jurisdictions. The two processes often happen in parallel, but they’re two categorically distinct requirements.

The obligation is universal: OFAC in the U.S., the EU Consolidated Sanctions List, and the U.N. Security Council list represent different regional implementations of the same screening requirement. The individuals identified through beneficial ownership determination in Stage 2 are among those you'll need to screen here. While there are different lists based on jurisdiction, the requirement to screen against them remains.

Stage 4: Ongoing Monitoring

Has anything changed that affects the risk of this relationship?

Your institution’s due diligence obligation doesn’t expire when the account opens. It continues throughout the life of the account.

Any changes, such as ownership shifts, geographic expansion, and unusual transaction patterns, can trigger re-verification. Many institutions have historically approached this through periodic calendar-based review cycles, but the industry is increasingly moving to event-triggered monitoring.

Imagine you have a client that sells a 40% stake to a foreign investor in March. Under calendar-based review, you might not learn about that ownership change until the annual review cycle hits in December. That’s nine months of exposure to a risk your institution didn't know it was carrying.

Event-triggered monitoring catches those changes when they happen, not months later. For you, this could be the difference between managing risk proactively or discovering it after the fact.

This strengthens your compliance posture, but it also drives revenue. Banks that connect onboarding to ongoing monitoring are adding 77 new relationships per year through better processes alone, according to Celent’s research. Each triggered event presents an opportunity for deeper engagement and additional products.

Beneficial Ownership: The Most Complex Step

Beneficial ownership is the single CDD requirement that explains the most about why commercial onboarding demands what it demands.

Consumer banking never asks who owns and controls a business. Commercial banking does, and that question is the source of most of the additional complexity, documentation, and timeline pressure.

The concept is more straightforward than it sounds. At its core, beneficial ownership is about identifying the real people behind a business: who profits from it and who has decision-making authority. Every regulator in every major market wants a clear picture of those individuals before a relationship can begin.

Beneficial ownership is determined using a two-prong test. These two prongs are ownership and control, and they work together.

The first is the ownership prong: every individual who owns 25% or more of the equity in the entity must be identified and verified.

The second is the control prong: one individual with significant managerial control over the entity must be identified, regardless of their ownership percentage.

Both the U.S. CDD Rule and the EU AML Regulation (2024/1624) use this two-prong structure. It's a global standard.

In practice, the control prong is where most clients get stuck. Many complex entities have widely dispersed ownership, meaning no single individual owns 25% or more. The control prong exists to ensure someone is always identified, even when ownership is spread across many parties. This way, there will always be one person accountable for the entity’s decisions.

Picture you’re onboarding a private equity-backed company with 12 limited partners, none holding more than 15%. The ownership prong identifies no one, because nobody crosses the 25% threshold. Without the control prong, you would have no individual tied to the relationship at all. The control prong closes that gap by requiring the identification of the person who actually runs the business: the CEO, the managing partner, or whoever holds decision-making authority, regardless of their equity stake.

Financial crime risk is one of the biggest reasons behind beneficial ownership requirements. The Financial Action Task Force (FATF) — the global standard-setting body for anti-money laundering and counter-terrorism financing — has documented how corporate vehicles like shell companies, layered ownership structures, and nominee arrangements are among the most widely used methods for laundering criminal proceeds and concealing illicit activity. The vulnerability, in each case, is the same: when the real people behind a business can't be identified, regulators and financial institutions can't follow the money. Beneficial ownership requirements exist to close that gap.

For complex entities, such as those with multiple individuals crossing the 25% ownership threshold, the documentation requirements expand. Organizational charts, multiple certifications, additional verification cycles — timelines often extend here, not because the requirement is unreasonable, but because more structural complexity demands more documentation.

Understanding this helps you explain to a client why you're asking for what you're asking for. A client who understands why the bank needs an organizational chart showing all equity holders above 25% is a client who sends the right document the first time. A client who gets an unexplained request for "ownership documentation" sends whatever they have on hand, which may not be what the bank actually needs.

Regulators recognize this friction and have recently addressed it. In February 2026, FinCEN issued exceptive relief eliminating the requirement to re-collect beneficial ownership information every time an existing customer opens a new account, as long as current information is already on file. If you've ever had to ask a longstanding client to re-submit ownership documents they provided six months ago for a new account, you know why this matters. Asking a client for the same documentation they’ve already provided erodes trust and creates friction. FinCEN’s exceptive relief acknowledges this.

This development indicates a shift towards a more streamlined, efficient process. The short-term friction you may experience is still real, but the trajectory is toward less of it.

Beneficial ownership is one of the most complex parts of commercial onboarding. The better you understand it, the better you can explain it to a client or colleague. That’s a vital skill to have in a role with ownership over the commercial onboarding process.

The Onboarding Friction You Can Actually Fix

Here's the distinction that will make you immediately more effective in your role: some onboarding friction comes from regulation, but some of the friction comes from how your institution designed the process.

These are different problems with different solutions, and separating the two is the first step toward fixing what’s actually fixable.

According to research from Celent commissioned by nCino, 66% of banks require customers to submit the same information multiple times during onboarding. No regulation requires that. That's a process design problem.

McKinsey notes that relationship managers spend up to 30% of their time on onboarding administration tasks like chasing documents, re-entering data, and coordinating handoffs between disconnected systems. Most of that is process architecture, not regulation requirements.

Consider what 30% actually means. If a relationship manager works 50 hours, up to 15 of those hours could be spent on administrative onboarding tasks. That's 15 hours not spent building client relationships, not spent on deal structuring, not spent on the work that actually generates revenue. It's 15 hours spent copying data from an email into a spreadsheet, then from that spreadsheet into a loan origination system, then following up with the client because the document they sent was the wrong version.

One misconception that makes the problem even worse is the idea that collecting more documentation from every client is the safe, conservative approach. It’s not.

Regulators globally require banks to take a risk-based approach to due diligence, which means matching the level of scrutiny to the risk each client presents. There’s no reason for a local landscaping company to have the same documentation requests as a multinational holding company.

It's understandable why institutions default to a single comprehensive checklist for every client. It feels safer. But it could be demonstrating that there’s no real risk assessment happening at all. Examiners are looking for evidence that your institution assessed each client's risk and matched the requirements to it. They aren’t measuring sheer volume of documentation collected.

A practical way to start seeing this clearly: when a commercial client pushes back on a documentation request, can the relationship manager explain why that specific document is needed? There are really only three answers.

• If it's a regulatory requirement, the answer is simple: this is mandatory, and here's why.

• If it's a risk-based policy decision your institution made, the answer is still defensible: the risk assessment determined this is appropriate for the client's profile.

• If nobody can explain why it's required, it might not need to be. It could just be a process artifact, something that's always been done that way. That's fixable.

Every institution has these artifacts. They accumulate over years of things like policy revisions, system migrations, and staff turnover. The result is an onboarding process that grows heavier over time, but not necessarily more compliant.

An important boundary to keep in mind: enhanced due diligence triggers such as politically exposed persons, foreign correspondent banking relationships, or high-risk jurisdictions are regulatory obligations tied to those specific client characteristics. Those are different from the risk-based decisions an institution makes about how to handle everyone else. Treating them as the same thing muddies the picture and makes it harder to diagnose where your friction is actually coming from.

This distinction between regulatory friction versus process friction is the most useful lens you can bring to your own institution's onboarding. Knowing which kind you're looking at changes what you do about it.

The Two Questions Worth Asking

Commercial onboarding has a coherent logic. Four stages, each asking different questions, all built around the same concern: making sure you know who you're doing business with. Beneficial ownership is the requirement at the center of that concern, and the one that explains the most about why the process demands what it demands. Once you understand it, the process becomes something you can navigate, explain to a client, and evaluate at your own institution.

That evaluation starts with two questions. How much of your friction is regulatory? And how much comes from how the onboarding process was designed?

The answers to those two questions are worth getting right. According to Guidehouse, customers who have a smooth onboarding experience are two to three times more likely to adopt additional products in their first year.

Onboarding is the first impression, and first impressions stick. The client who endures a 60-day onboarding full of redundant requests and unexplained delays is frustrated. They've already formed an opinion about what the rest of the banking relationship will feel like. That opinion is hard to reverse, and it influences every cross-sell conversation, renewal discussion, and referral that client does or doesn't make.

The regulatory requirements aren't going anywhere. The process friction — redundant requests, disconnected handoffs, the steps nobody can explain — is where your institution may have room to improve. That’s where nCino focuses its work with financial institutions around the world.

For a closer look at how we help institutions reduce onboarding friction, visit nCino Commercial Onboarding.