Know Your Business (KYB): Definition and Use in Compliance

What is Know Your Business (KYB)?

KYB is the process by which financial institutions and other regulated entities verify that a business customer is legally registered, operationally real, and owned by the people it claims to be owned by. That means confirming registration, identifying the humans who own and control the entity, screening those individuals against sanctions and PEP lists, and assessing the risk the relationship represents.

It's the business-entity version of Know Your Customer (KYC). The underlying logic is identical: before you take on a client, you need to know who you're actually dealing with. The difference is that businesses are harder to see through. A company can have multiple subsidiaries, nominee directors, and holding structures between you and the person in control.

A standard KYB check has four components:

1. Entity verification. Is the business incorporated? Active? Authorized to operate in its stated jurisdiction? This means checking national company registries: Companies House in the UK, state-level databases for U.S. LLCs, and commercial registry feeds for EU entities.

2. Beneficial ownership identification. Who owns or controls 25% or more of the entity? Under most current frameworks, this requires a certified disclosure. The individuals identified then get screened for PEP status, sanctions exposure, and adverse media.

3. Control person identification. A CEO with 10% ownership can still control the business entirely. Regulations require identifying at least one control person regardless of ownership stake, because ownership percentage and actual control don't always match.

4. Risk rating. Based on industry sector, geography, ownership structure, transaction profile, and any red flags in screening, the institution assigns a risk tier that determines ongoing scrutiny levels and review frequency.

KYB isn't a one-time event. Businesses change ownership. Directors get sanctioned. Subsidiaries get absorbed into groups under investigation. The framework requires periodic review and event-triggered re-verification throughout the relationship, not only at onboarding. Any compliance program that treats KYB as a box ticked at account opening is already out of step with supervisory expectations.

How is Know Your Business (KYB) used in practice?

The typical KYB workflow starts when a new business customer submits an onboarding application. An analyst or automated system pulls incorporation documents, cross-references them against the relevant national registry, and confirms the entity is active and in good standing. That step alone can surface mismatches: a company incorporated in Delaware but claiming to operate exclusively out of Dubai, for instance, warrants a second look.

For a well-established publicly listed company, the full check can take hours. For a private company with layered ownership across multiple jurisdictions, it can take weeks.

Customer Due Diligence (CDD) is the baseline every business customer goes through. When the risk profile is elevated, the team escalates to Enhanced Due Diligence (EDD): source-of-funds documentation, audited financials, confirmation of genuine business operations, or independent site visits.

In practice, beneficial ownership is where things break down. The U.S. CDD rule requires a certification form at onboarding, but institutions aren't required to independently verify every disclosure unless they have reason to doubt it. We've seen banks discover years later that beneficial ownership had changed and was never updated in the file. That gap is exactly what regulators probe during examinations.

Modern programs are shifting toward automated ongoing monitoring. Instead of waiting for annual reviews, they set triggers: ownership changes in corporate registries, new adverse media hits, material shifts in transaction patterns, or court filings naming company officers. The approach described in AI Agents in Financial Crime Investigation is specifically designed for this kind of continuous surveillance rather than point-in-time snapshots.

When suspicious activity surfaces during KYB or ongoing monitoring, a Suspicious Activity Report (SAR) is filed. The KYB file becomes supporting evidence in the SAR narrative. Incomplete KYB documentation is one of the most common deficiencies cited in SAR-related enforcement actions.

Know Your Business (KYB) in regulatory context

KYB sits at the intersection of multiple AML frameworks that reached their current form between 2015 and 2021.

In the United States, the anchor is FinCEN's Customer Due Diligence Final Rule (31 CFR Parts 1010, 1020, 1023, 1024, and 1026), published May 2016 and effective May 11, 2018. It added beneficial ownership as the fifth pillar of AML compliance, alongside customer identification, customer due diligence, enhanced due diligence, and suspicious activity reporting. Covered financial institutions must collect and verify the identity of every natural person owning 25% or more, plus at least one control person regardless of ownership stake.

In the European Union, the same territory is covered by the 4th (2015/849/EU) and 5th (2018/843/EU) Anti-Money Laundering Directives. The 5th AMLD strengthened beneficial ownership disclosure requirements and required member states to maintain accessible registers of ultimate beneficial owners for corporate and other legal entities. The 6th AMLD (2021) expanded the list of predicate offences and toughened criminal liability for money laundering.

The FATF's Forty Recommendations, specifically Recommendation 10 on customer due diligence and Recommendations 24 and 25 on transparency of beneficial ownership of legal persons and arrangements, provide the global reference standard. FATF's guidance on beneficial ownership of legal persons is the go-to document for compliance teams building or reviewing KYB programs.

In the UK, the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (as amended) set equivalent requirements. The FCA's Financial Crime Guide provides sector-specific detail.

Penalties for KYB failures are real. In January 2017, Deutsche Bank agreed to pay approximately $630 million to the FCA and the New York Department of Financial Services after examiners found systemic failures in due diligence on business customers who routed $10 billion through Russian mirror trades. The KYB gaps, particularly around beneficial ownership verification, were central to the enforcement case.

Common challenges and how to address them

The biggest KYB problem is opacity. A business can present a clean incorporation certificate while burying its actual beneficial owner behind multiple holding companies in jurisdictions that don't require public disclosure.

Shell company structures are the primary vehicle for that opacity. The FATF has consistently documented this pattern across its mutual evaluations and guidance, noting that legal persons are among the most commonly used vehicles for concealing criminal proceeds. For KYB purposes, the specific problem is that corporate registries in many jurisdictions don't require beneficial ownership disclosure at all. An institution relying solely on registry data will miss it.

The practical response is document triangulation. If the company's stated ownership doesn't match the signatory authority on account documents, the stated revenue doesn't fit the business model, or nominee directors appear across multiple high-risk structures, those are signals worth investigating. This is where Identity Verification and KYC/AML Automation tools add real value: they cross-reference multiple data sources simultaneously rather than checking each one in sequence.

Ultimate Beneficial Owner (UBO) identification is the specific pressure point regulators are pushing on right now. The EU's beneficial ownership registers are live but inconsistent across member states. In the U.S., the Corporate Transparency Act (effective January 2024) extended disclosure requirements to an estimated 32 million small businesses, most of which had never previously filed beneficial ownership information with federal authorities.

Ongoing monitoring is a separate operational challenge. A business that passed KYB at onboarding three years ago may now have a sanctioned individual on its board, a new subsidiary in a high-risk jurisdiction, or a fraud indictment against its CFO. Periodic review intervals, typically annual for standard-risk and quarterly for high-risk counterparties, must be enforced at scale. Many compliance teams use Regulatory Compliance Automation to manage this across portfolios of thousands of business clients, where manual annual reviews are simply not feasible.

Related terms and concepts

KYB doesn't operate in isolation. It's one component of a broader due diligence framework applied at different points in the customer lifecycle and at different levels of intensity.

Customer Due Diligence (CDD) is the parent category. KYB is how CDD is applied specifically to business entities. For natural persons, the same set of obligations is called KYC. The rules and documentation requirements are structurally similar but differ in how you identify the subject: a person has a passport; a company has an incorporation certificate, an ownership chain, and potentially dozens of directors, shareholders, and associated parties to work through.

Enhanced Due Diligence (EDD) applies when a business relationship carries elevated risk. High-risk industries (gambling, cryptocurrency, arms dealers), high-risk jurisdictions, PEP ownership, or inconsistencies in application documents all trigger EDD. It goes further than the standard KYB checklist: source-of-funds documentation, confirmation of genuine operations, and sometimes independent site visits.

Beneficial Owner and Ultimate Beneficial Owner (UBO) are the outputs of the ownership-identification step within KYB. Once identified, those individuals go through their own separate KYC process. A complex corporate structure can produce four or five beneficial owners, each requiring individual screening and verification.

KYB connects directly to transaction monitoring. The risk profile assigned during KYB sets the expected transaction behavior baseline for the account. Deviations from that baseline can trigger a Suspicious Activity Report (SAR) or, depending on jurisdiction, a Suspicious Transaction Report (STR).

For teams building or upgrading their KYB programs, the RegTech Platform for Banks and Fintechs category has expanded substantially, with tools covering automated registry lookup, document verification, UBO mapping, and ongoing monitoring in integrated workflows.