KYB verification explained: the process, the checks, and the evidence examiners look for
KYB (Know Your Business) is the business-side of onboarding. It is required by FinCEN's CDD rule in the US and by equivalent AML regimes worldwide. Here is what KYB verification actually checks, the six-stage process, the vendors buyers shortlist, and the record that keeps the whole thing queryable when an examiner asks.
What KYB verification actually is
KYB (Know Your Business) is the compliance process a financial institution or fintech runs when onboarding a business customer. It is the business-side counterpart to KYC (Know Your Customer), which handles individual consumers. Where KYC establishes that an individual is who they claim to be, KYB does the same for a legal entity: that the business exists, who its beneficial owners are, who is authorized to act for it, and what its risk profile is against the institution's onboarding policy.
In the US, KYB is required by the FinCEN Customer Due Diligence (CDD) rule for covered financial institutions. The rule mandates identification and verification of the beneficial owners of legal-entity customers at account opening. Internationally, KYB obligations sit under national AML regimes (AMLD6 in the EU, PCMLTFA/FINTRAC in Canada, MAS in Singapore, and so on). Each jurisdiction has its own document-collection and threshold expectations; the underlying shape of the process is similar.
The six KYB checks
KYB verification is a bundle of checks that together produce enough evidence to make an onboarding decision. Six checks are standard:
- Entity verification. Confirm the business exists as a legal entity. Lookup against the secretary of state where the business is registered, D&B, or a vendor's aggregated registry data (Middesk in the US, Trulioo internationally). Confirm active status (not dissolved, not suspended).
- Document collection. Articles of incorporation or formation, operating agreement or bylaws, IRS documentation (EIN letter, W-9, or W-8 for foreign entities), and a business license where applicable. Documents are checked for authenticity, not just presence.
- UBO (Ultimate Beneficial Owner) identification and verification.Identify every natural person with 25 percent or more ownership, and any person with significant control (executive, board seat, veto). Run KYC on each identified UBO: identity verification, sanctions and PEP screening, adverse media. FinCEN CDD sets the 25 percent threshold; the EU is stricter in some cases.
- Principal KYC. Verify the identity of the persons authorized to act for the business (signatories, officers). Distinct from UBOs; some UBOs are principals and some are not.
- Sanctions and PEP screening. Screen the entity and every UBO and principal against OFAC SDN, EU consolidated list, UN, OFSI, and country-specific lists, plus PEP databases. Continuous re-screening as lists update; hits require investigation and disposition.
- Adverse media screening. Search structured news datasets for negative coverage of the entity, its UBOs, or its principals that would affect the risk assessment. Adverse media does not automatically disqualify, but has to be reviewed and dispositioned.
The KYB process, end to end
The six checks run in a specific sequence, with the outputs feeding a decision.
- 1. Data collection. The applicant provides the entity details, principals, UBOs, and supporting documents through your onboarding UI or API. Typically an EIN, legal name, address, industry code (NAICS/SIC), incorporation date and state, plus UBO identities.
- 2. Registry lookup. Verify the entity exists and confirm its status. Middesk provides real-time US secretary-of-state data across all 50 states. Trulioo, Baselayer, and Sumsub cover international registries with varying depth.
- 3. UBO resolution. Identify every beneficial owner meeting the threshold. Run KYC on each: identity verification (Persona, Onfido, Sumsub), the same sanctions and PEP screen as the entity, adverse media on each individual.
- 4. Screening. Sanctions, PEP, and adverse media screening on the entity and every associated person. Vendors: ComplyAdvantage, Refinitiv (LSEG), Dow Jones Risk Center. Hits trigger disposition workflows.
- 5. Risk assessment. Score the completed KYB output against the institution's onboarding policy. Industry risk (crypto, cannabis, adult, MSB elevate score), geography (high-risk jurisdictions), ownership complexity (multi-layer offshore structures), and screening result severity all feed into the score.
- 6. Decision and record. The rulebook or the analyst approves, rejects, or escalates for enhanced due diligence. The decision, the policy version that applied, the analyst if any, and every signal the decision stood on land on the record.
The KYB vendor landscape
Fintech teams shortlist a small set of KYB providers. Each has strengths:
- Middesk. US-focused. Strongest on US business registry data (real-time secretary-of-state coverage across all 50 states), tax status, TIN matching. Fast to integrate, well-documented API. The default choice for US-focused fintechs.
- Alloy. Identity decisioning platform. KYB is one workflow within a broader identity orchestration platform. Fits teams that want a single vendor for KYC + KYB + fraud with a rulebook layer.
- Persona. Started in identity verification; extended to KYB. Popular for teams standardized on Persona for KYC.
- Sumsub. International coverage, particularly strong in EMEA and APAC. Popular with crypto exchanges given their global user base.
- Trulioo. Global business verification across 195 countries. Fits teams whose customer base is not US-concentrated.
- Baselayer, Ondato, iDenfy. Emerging or region-specific KYB providers. Each targets a slice of the market with a specific coverage or pricing angle.
Sanctions and PEP screening is typically bought separately from the KYB vendor: ComplyAdvantage, Refinitiv (LSEG), or Dow Jones Risk Center. Some KYB vendors bundle screening; most compliance teams still keep a specialist sanctions vendor for reliability.
What examiners look for in KYB evidence
When a bank examiner or a sponsor bank runs a look-back on a business customer's onboarding, they are checking that the KYB process was done correctly and the evidence still exists. Specifically:
- Every UBO who met the ownership threshold was identified and verified.
- Every UBO and principal was screened against sanctions and PEP lists at onboarding, and continuously since.
- The documents collected match the entity and are authentic (or authenticated).
- The policy version that applied at onboarding is retrievable, so the decision can be assessed against the standard that applied at the time (not the current policy).
- Any adverse media, sanctions hits, or exceptions were dispositioned with a written rationale, not silently overridden.
- Ongoing monitoring caught any material changes since onboarding (a new UBO, a new sanctions hit, a change of registered agent).
The evidence to answer that examiner query today typically lives across the KYB vendor console, the sanctions vendor console, the case-management tool, and the internal rulebook. Assembling it takes days per customer. On one record per business customer, it is a query.
Where KYB signals land on the record
FinQub is the single source of truth for fintech risk decisions. For KYB, that means one record per business customer holds:
- The Middesk (or Trulioo, or Sumsub) entity verification output.
- Every UBO identified and the KYC result on each.
- Every document collected and the authentication result.
- The sanctions and PEP screen on the entity and every associated person, at onboarding and continuously.
- Adverse media hits and their dispositions.
- The onboarding decision the rulebook or the analyst made, with the policy version pinned.
- Any override, with who did it and why.
- Every subsequent event: ownership change, sanctions delta, policy version change, that touched the record after onboarding.
When the examiner asks "what did you know about this business on the date you onboarded them," the answer is the record as it stood on that date. When you swap KYB vendors (see the guide on switching a KYC or KYB vendor without losing your audit history), the record survives the change.
Frequently asked questions
What is KYB verification?
KYB (Know Your Business) verification is the compliance process a financial institution or fintech runs when onboarding a business customer, distinct from KYC which handles individual consumers. KYB establishes the legal existence of the business, its ownership structure (Ultimate Beneficial Owners), the identities of principals, its status against sanctions and PEP lists, and its risk profile against the institution's onboarding policy. The process is required by the FinCEN Customer Due Diligence (CDD) rule in the US and by equivalent AML regimes worldwide.
What checks are included in KYB?
Six standard checks. (1) Entity verification: confirm the business exists as a legal entity via registry lookup. (2) Document collection: articles of incorporation, operating agreement, IRS documentation (EIN letter, W-9). (3) UBO (Ultimate Beneficial Owner) identification and verification: identify every natural person with 25%+ ownership or significant control, run KYC on each. (4) Principal KYC: verify the persons authorized to act for the business. (5) Sanctions and PEP screening: check the entity and every UBO/principal against OFAC, EU, UN, OFSI, and PEP lists. (6) Adverse media screening: check for negative news that would affect the risk assessment.
What is the KYB process end to end?
Six stages. (1) Data collection: gather the entity details, principals, UBOs, documents from the applicant. (2) Registry lookup: verify the entity exists and its status via secretary of state, D&B, or a vendor like Middesk. (3) UBO resolution: identify beneficial owners, running KYC on each. (4) Screening: sanctions, PEP, adverse media on the entity and every person. (5) Risk assessment: score against the institution's onboarding policy, considering industry, geography, ownership complexity. (6) Decision and record: approve, reject, or escalate for review, then record the decision with the policy version that applied.
What KYB vendors do fintechs use?
The main KYB verification vendors: Middesk (US-focused, strongest on US business registry data), Alloy (identity decisioning platform with KYB as part of a broader identity workflow), Persona (identity verification that extends to KYB), Sumsub (international coverage, popular for crypto), Trulioo (global coverage across 195 countries), Baselayer (US-focused, emerging), Ondato, and iDenfy. Sanctions screening is typically layered on with ComplyAdvantage, Refinitiv (LSEG), or Dow Jones Risk Center.
What does an examiner ask about KYB decisions?
For any business customer, an examiner can ask: what did you know about this business when you onboarded them, what did the KYB checks return, who were the UBOs, what documents did you collect, how did you verify them, what was your risk assessment, what policy version applied at the time of the decision, and what has changed since. Answering that requires the KYB signals, the decision, the policy version, and any subsequent overrides to be together on one record per customer. Assembling it across five vendor consoles at exam time is where teams underestimate the effort.
How is FinQub involved in KYB?
FinQub does not verify businesses; that is the KYB vendor's job. FinQub is the record the KYB signals land on. The Middesk report, the UBO KYC results, the sanctions screen, the adverse-media hits, the onboarding decision the rulebook or the analyst made, and the policy version that applied all sit on one record per business customer. When the examiner asks about the customer, or when the team switches KYB vendors, the record survives the vendor change and the audit history is continuous across the swap.
KYB verification produces signals. The signals need a record beneath them. See how to swap a KYB vendor without losing the audit history, or book a short walkthrough below.