What is KYB, how it works, and what it is used for

Customer due diligence does not concern only individuals. When the client is a company, the KYC (Know Your Customer) procedure adapts accordingly and becomes Know Your Business, or KYB. 

In addition to being a legal obligation for entities identified by AML/CFT regulations (Anti-Money Laundering and Countering the Financing of Terrorism), the KYB procedure is an important risk management tool that helps prevent fraud, protect the supply chain, and safeguard against legal and reputational risks.

What is KYB (Know Your Business)?

The KYB process, short for Know Your Business, is a verification procedure aimed at establishing the legitimacy of companies with which business relationships are established. Just like KYC (Know Your Customer), KYB is a Due Diligence procedure designed to prevent fraud, money laundering, and terrorist financing, and is therefore one of the fundamental pillars of Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations.

Unlike KYC, which applies to individuals, the KYB process is used to verify the authenticity and reliability of legal entities such as companies, tracing, among other things, the corporate structure and the ultimate beneficial owners (UBOs).

For banks, financial institutions, cryptocurrency companies, and other entities designated by the AML/CFT regulatory framework, KYB is a legal requirement as part of Customer Due Diligence (CDD). Companies that are not legally required to comply may still adopt KYC and KYB procedures voluntarily to manage business risks (e.g., avoiding fraud and insolvency) and protect their reputation by ensuring they are not associated with unreliable or scandal-involved partners or suppliers. 

How to perform KYB checks?

In short, the KYB procedure takes place through 4 main stages:

1. Information collection in KYB

First, clients are asked to provide information and documents to obtain the data necessary to verify the company’s existence and legitimacy. Among other things, the following must be requested:

• Basic company data such as business name, registered office, and VAT number;
• Certificate of incorporation or registration;
• Updated company registration extract;
• Company’s organizational structure;
• Declaration of the Ultimate Beneficial Owner (UBO), i.e., the individuals who control the company.

In some cases, articles of association, financial statements, licenses, and permits may also be required. The specific KYB procedures applied each time essentially depend on the risk level associated with the company.

2. Due Diligence in Know Your Business

Once the data has been collected, it must be compared with official public records (for example, the Chamber of Commerce) to verify that the information provided by the client is truthful. As with KYC, there is no universal procedure: Due Diligence depends on the risk level associated with the entity. 

Banks and financial institutions must first gather basic identification information to determine the type of client, geographical area, and type of service requested: this information is sufficient to perform a preliminary risk assessment and thus determine the type of Due Diligence to apply.

Standard Due Diligence, for example, requires performing KYC checks on all individuals at the top of the company: this means verifying their identity, screening against Sanctions Lists, identifying Politically Exposed Persons (PEPs), and checking for Adverse Media — articles or news linking the individual to criminal activities or damaging their reputation.

The ultimate goal of this process is to assess more accurately the potential risks associated with a given company. Therefore, after verifying the collected data and assigning an initial risk profile, it is necessary to analyze the information to better understand the company’s key characteristics (corporate structure, hierarchy, financial situation, business relationships, etc.).

3. Risk assessment in KYB Due Diligence

The risk assessment is the most crucial phase of the KYB procedure. The AML regulatory framework follows a risk-based approach, which does not apply standard measures but tailors procedures to each entity’s level of risk. The risk level associated with a company, as seen earlier, determines the Due Diligence procedures to be applied.

Risk assessment is based on various factors, including the business sector, the complexity of the corporate structure (more complex structures correspond to higher risk levels), and the results of previous screenings.

At this point, the company is assigned a risk level, and thus a simplified, standard, or enhanced Due Diligence: this determines whether a simple document check is sufficient or whether standard or deeper Due Diligence is needed. The higher the risk level associated with an entity, the more extensive the checks required.

In any case, onboarding can only proceed after determining the Due Diligence procedures to be applied to the client.

4. KYB: continuous monitoring

The AML/CFT framework requires ongoing monitoring of the business relationship and the client company’s status, including the periodic update of information on file. For low-risk clients, periodic reviews of company extracts and Ultimate Beneficial Owners every 3–5 years are generally sufficient, while in standard Due Diligence these updates typically occur every 2–3 years. 

There is also transaction monitoring (at least for obliged entities), which can rely on automatic alerts for operations inconsistent with the company’s profile or involve more targeted checks, for example by analyzing the historical transaction volume and unexpected partners. For high-risk clients, such as PEPs or companies operating in high-risk countries, this monitoring is carried out in real time and focuses on detecting known money laundering patterns such as structuring or the use of shell companies. In this case, monitoring also includes regular checks of Adverse Media concerning key company figures and the identification of the source of funds used in significant transactions.

Why perform KYB checks?

The KYB procedures do not concern only obliged entities such as banks and insurance companies. Professionals and businesses — especially those with commercial relations in countries considered high-risk under AML/CFT regulations or working with public administrations — should view this type of Due Diligence as a strategic best practice. 

Checks like those required by KYB procedures allow companies to protect themselves on several fronts:

• Business risk management: while analyzing the corporate structure may reveal opaque links affecting solvency, a KYB check ensures that key suppliers are not vulnerable to disruptions, financial instability, or sanctions;
• Reputation: working with a compromised company can have major reputational consequences, undermining trust from clients, investors, and stakeholders;
• Compliance: applying Due Diligence to business partners helps prevent unintentional involvement in illegal activities, ensuring full compliance with local, national, and international laws and regulations.

Applying effective Due Diligence to clients, partners, and suppliers helps monitor supply chains and prevent payment and refund frauds as well as “Man-in-the-Middle” (or IBAN change) scams. It also helps identify participation in VAT evasion schemes and, more generally, significantly reduces the risk of contractual non-compliance.