High-Risk NAICS Codes: A Compliance Team's Reference Guide for KYB

Key Highlights
  • Risk Is More Than Just a Label: Not all high-risk codes are equal. Codes typically flag one of three specific vulnerabilities: structural opacity (e.g., holding companies), transaction opacity (e.g., casinos or MSBs), or catch-all vagueness.
  • The 551112 Trigger: NAICS code 551112 (Offices of Other Holding Companies) is a critical AML signal that should immediately pause standard onboarding and mandate comprehensive Ultimate Beneficial Owner (UBO) mapping.
  • The Danger of Misclassification: Relying solely on self-reported classifications leaves massive compliance gaps. High-risk entities frequently misclassify themselves under benign codes like Management Consulting, requiring active mismatch detection to catch.
  • Building a Defensible Framework: An effective NAICS-based risk matrix goes beyond a simple "prohibited list." It must incorporate contextual triggers, flag registry-to-website mismatches, and utilize automated KYB data for continuous monitoring.

Most NAICS code discussions focus on how to find the right code for your business. This one is about what to do when you find the wrong kind of code on someone else's.

Compliance teams use NAICS codes as risk signals every day. A business submits for onboarding. A KYB platform retrieves their industry classification. A risk engine scores it. In a well-designed workflow, that score determines whether the business proceeds to standard onboarding, gets routed to enhanced due diligence, or triggers an outright review before the relationship even begins.

The problem is that most published resources on "high-risk NAICS codes" are either incomplete, generic, or written for the wrong audience — business owners trying to avoid a classification, not compliance professionals trying to act on one.

This guide is written for the latter. It covers which codes should trigger a pause, what each one is actually signaling in a KYB and AML context, how misclassification creates blind spots, and how to build a NAICS-based risk matrix that holds up to regulatory scrutiny.

Why NAICS Codes Matter More Than Generic Risk Labels

Before the list, a grounding in how NAICS codes actually function in a compliance workflow.

When a business submits for onboarding, a compliance team typically needs to answer three questions quickly:

  1. Does this business exist and is it legitimately registered?
  2. Who controls it?
  3. What does it actually do, and is that activity something we can bank?

The third question is where NAICS codes come in. They give compliance teams a standardized, six-digit shorthand for answering "what does this business do" — without relying solely on what the business tells you.

This matters because, as JPMorgan Chase's own compliance job listings describe, real institutions maintain dedicated processes for "NAICS Code Approvals" — reviewing and approving NAICS codes when high-risk industry classifications appear during client onboarding or transfers. This is not a theoretical risk exercise. It is a live, staffed compliance function at some of the largest financial institutions in the world.

What makes a NAICS code "high risk" in a compliance context is not just the industry's general reputation. It is the combination of three factors:

  • Transaction opacity: industries where cash, complexity, or cross-border activity makes it hard to see what money is actually doing
  • Structural risk: entity types that are commonly used to obscure ownership or beneficial control
  • Regulatory friction: industries that face heightened scrutiny from FinCEN, FATF, or state-level regulators, creating compliance cost and exposure

The codes below are organized by which of these three factors dominates — because that shapes what kind of due diligence the classification should actually trigger.

Tier 1: Structural Risk Codes

These are entity types where the structure itself is the risk signal, regardless of what the business claims to do. They require UBO tracing, ownership chain documentation, and enhanced scrutiny of the relationship between legal ownership and actual control.

551112 — Offices of Other Holding Companies

This is the highest-CPC NAICS code in the entire compliance and KYB space ($900 per click in paid search), which tells you something about how urgently compliance teams are searching for guidance on it — and finding none.

A 551112 entity holds equity interests in other companies without actively managing them. It is a legitimate and common structure in private equity, family offices, and corporate group management. It is also, as FinCEN's advisory on shell companies explicitly states, the type of entity that poses elevated risk because "lack of transparency in the formation and operation of shell companies may be a desired characteristic for certain legitimate business activity, but it is also a vulnerability that allows these companies to disguise their ownership and purpose."

The risk is not the holding structure itself. The risk is what it can conceal. A holding company sitting above three other LLCs — each registered in a different state, each with a nominee director — creates exactly the kind of layered ownership that makes UBO verification both critical and difficult. When 551112 appears at onboarding, the right response is to map the full ownership chain before proceeding, not after.

What enhanced due diligence should cover:

  • Full UBO trace: all natural persons with 25% or more ownership interest across every subsidiary in the chain
  • Registered agent history: how many times has the agent changed, and in which jurisdictions?
  • Formation date relative to stated business activity: a holding company formed three months ago with no subsidiaries yet is a different risk profile from an established group structure
  • Source of funds for the entity's equity holdings

551111 — Offices of Bank Holding Companies

Similar structural risk to 551112 but with an additional regulatory layer. Bank holding companies are regulated by the Federal Reserve, which means they have formal oversight — but the oversight is on the bank subsidiary, not necessarily on the holding entity itself. Foreign bank holding companies present additional cross-border opacity.

531390 — Other Activities Related to Real Estate

Real estate is among the most consistently flagged sectors in FATF guidance on money laundering risk, with FATF dedicating a full guidance document to the sector's vulnerabilities. The "other activities" catch-all within this subsector is particularly difficult to classify accurately.

A FinCEN advisory from 2017 made the mechanism explicit: "Drug traffickers, corrupt officials, money launderers, and other criminals seek to exploit real estate transactions to hide their illicit profits, conceal their identities, and launder funds." The advisory cited the 1MDB case as a high-profile illustration — in 2016, the U.S. Department of Justice filed civil forfeiture complaints seeking over $1 billion in assets traceable to funds misappropriated from Malaysia's sovereign wealth fund, including luxury real estate in Beverly Hills, New York, and London, acquired through a web of shell companies across multiple jurisdictions.

531390 specifically matters because businesses that do not fit neatly into standard real estate brokerage (531210), property management (531311), or appraisal (531320) end up here. That vagueness is itself a flag — it is worth understanding why a more specific code was not used.

525920 — Trusts, Estates, and Agency Accounts

Trust structures are one of the four vehicles FATF specifically identifies in its beneficial ownership guidance as capable of "completely disconnecting the beneficial owner from the names of the other parties." Onboarding a business under this code requires, at minimum, trust deed review, identification of settlors, trustees, and beneficiaries, and assessment of who exercises effective control.

Tier 2: Transaction Opacity Codes

These industries generate high-volume, high-cash, or hard-to-trace transaction flows that make monitoring more difficult and suspicious activity harder to surface.

713210 — Casinos (except Casino Hotels)

The NAICS Association's BSA/AML high-risk NAICS codes list — a reference document compiled specifically for Bank Secrecy Act compliance — lists casinos as a primary high-risk category. The combination of large cash volumes, international patrons, and chip-based transactions creates inherent monitoring difficulty.

State-level licensing requirements vary significantly. A casino operator legally licensed in Nevada faces a very different compliance profile than one operating in a jurisdiction with weaker oversight. Compliance programs that treat all 713210 entities the same are missing an important risk dimension.

522390 — Other Activities Related to Credit Intermediation

This code covers check cashers, money transmitters, and money order sales — the core definition of Money Services Businesses (MSBs). MSBs have specific FinCEN registration requirements under the Bank Secrecy Act, and a business in this code that is not registered with FinCEN is operating illegally.

The verification question for 522390 is not just "is this a legitimate business" but "is this business compliant with its own regulatory obligations?" FinCEN registration status should be confirmed before any relationship proceeds.

522320 — Financial Transactions Processing, Reserve, and Clearinghouse Activities

This code covers payment processors, including non-bank payment facilitators and some fintech infrastructure companies. Legitimate use is common — many well-known payment companies fall here. The risk is the variation within the category: a processing company handling primarily domestic card payments is a very different risk profile from one handling cross-border remittances to high-risk jurisdictions.

523130 — Commodity Contracts Dealing

This code covers commodity trading, including crypto asset dealing under several state regulatory frameworks. As the regulatory environment around digital assets continues to evolve, the compliance obligations for businesses in this code are actively shifting. A classification that was low-risk two years ago may now carry FinCEN or state licensing obligations.

441110 / 441120 — New and Used Car Dealers

Auto dealers appear on the NAICS Association's BSA/AML list as a cash-intensive high-risk category. The combination of large individual transaction values and historically inconsistent cash reporting makes this sector a documented money laundering vector. FinCEN has issued multiple advisories on suspicious activity in vehicle sales.

Tier 3: Catch-All Codes That Deserve Scrutiny

These codes are not inherently high risk. They are catch-alls used when a business does not fit neatly anywhere else — and that lack of specificity is itself a signal worth investigating.

812990 — All Other Personal Services

When a business ends up here, it means their primary activity did not match any of the hundreds of more specific personal service codes. That can be legitimate — some businesses genuinely operate across categories. But it can also indicate that a more specific (and more scrutinized) classification was avoided. The question to ask: what does this business actually do, and is there a more specific code that should apply?

453998 — All Other Miscellaneous Store Retailers

Same principle. This catch-all code is used across a wide range of retail activity. It appears in front business structures not because of any specific risk inherent to "miscellaneous retail," but because the vagueness of the classification makes it difficult to challenge. Retail businesses with significant cash activity and limited online presence warrant a second look regardless of their NAICS code — but 453998 is a reason to start that second look sooner.

541990 — All Other Professional, Scientific, and Technical Services

One of the most frequently self-selected codes among businesses that provide professional services but are not sure exactly where they fit. Consulting firms, advisory businesses, and unlicensed financial service providers sometimes land here. It does not trigger automatic EDD, but combined with other risk signals — offshore connections, complex ownership, high transaction volumes — it is worth confirming the actual business activity.

The Misclassification Problem: When the Code Is Technically Wrong

The codes above are only useful if the classification is accurate. As covered in our companion piece on NAICS code lookup, IRS researchers found that self-reported NAICS codes on tax forms are frequently incorrect — and that reporting an incorrect code or leaving it blank has no tax consequences for the filing business.

This creates a specific risk for compliance teams: a business in a Tier 1 or Tier 2 category may not self-identify that way.

The most common misclassification patterns that create compliance blind spots:

| What the Business Files | What It Actually Is | Risk Created |
|---|---|---|
| 541611 (Management Consulting) | 551112 (Holding Company) | UBO trace never triggered; ownership structure not examined |
| 541990 (Other Professional Services) | 522390 (Money Services Business) | FinCEN registration not verified; MSB operating potentially unlicensed |
| 454110 (Electronic Shopping) | 523130 (Crypto Asset Dealer) | State licensing requirements not reviewed; crypto compliance gap |
| 531312 (Property Management) | 531390 (Other Real Estate Activities) | Real estate AML risk under-scored; actual activity not scrutinized |
| 812990 (Other Personal Services) | 713210 (Casino-adjacent gambling operation) | Gaming compliance requirements not triggered |

The practical implication: a NAICS code retrieved from a self-reported source should not be the end of the classification process. It should be cross-referenced against what the business's website, documents, and transaction patterns actually show. When a mismatch exists between self-reported classification and actual observed activity, that mismatch is itself a red flag — not just a data quality issue.

How to Build a NAICS-Based Risk Matrix That Holds Up

A risk matrix that simply lists "high-risk NAICS codes" as a prohibited or EDD-trigger list is incomplete. Here is what a defensible, auditable NAICS risk framework actually needs:

1. Three tiers, not a binary

The structure of this guide reflects a practical compliance reality: not all high-risk codes are equal. 551112 holding companies, 522390 MSBs, and 812990 catch-alls all warrant attention — but for different reasons and through different processes. A flat "high risk = EDD" rule does not distinguish between a passive holding structure that needs UBO mapping and a cash-intensive business that needs transaction pattern review. Your matrix should define what specific additional steps each code triggers.

2. Code plus context

A 531390 real estate business operated by a local property developer in Ohio is a different risk profile from a 531390 entity with offshore ownership, multiple jurisdictions of operation, and no clear operating address. The NAICS code identifies the category; the context determines the actual risk level. Your matrix should define what contextual factors escalate or de-escalate the baseline code risk.

3. Mismatch as an independent trigger

Beyond specific high-risk codes, build a mismatch trigger into your process: if the business's website, submitted documents, or transaction patterns describe activity inconsistent with their self-reported NAICS code, that inconsistency warrants review regardless of whether the claimed code is itself high-risk. A business claiming to be a consulting firm but processing payments for overseas merchants is a mismatch. A holding company classifying itself as management consulting is a mismatch. These are independent risk signals.

4. Ongoing monitoring, not just onboarding

Businesses change. A NAICS code that was accurate at onboarding may no longer reflect the business's primary activity two years later. A payment processor that expands into crypto. A consulting firm that acquires subsidiaries and becomes a de facto holding company. Your monitoring program should include periodic NAICS revalidation, not just a one-time check at the point of onboarding.

5. Source your risk designations

When an examiner asks why a particular NAICS code triggers enhanced due diligence in your program, you should be able to point to a documented rationale: FATF guidance, FinCEN advisories, the BSA/AML high-risk codes list published by the NAICS Association, or your own institution's risk appetite statement. "It feels high risk" is not an auditable answer. "This code appears on FinCEN's advisory on shell company structures" is.
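
The five requirements above can be combined into one routing function. The sketch below is an added example, not Signzy's code: the route names, the one-level context escalation, the 365-day revalidation interval and all function names are assumptions, and the matrix holds only a subset of this guide's codes.

```python
from dataclasses import dataclass, field
from datetime import date

# Subset of this guide's codes: (tier, step the code triggers, documented source).
MATRIX = {
    "551112": (1, "map full UBO and ownership chain", "FinCEN shell company advisory"),
    "525920": (1, "review trust deed and controlling parties", "FATF beneficial ownership guidance"),
    "531390": (1, "trace ownership; ask why no specific code", "FATF real estate guidance"),
    "522390": (2, "confirm FinCEN MSB registration", "Bank Secrecy Act MSB registration"),
    "713210": (2, "verify state licensing and activity", "NAICS Association BSA/AML list"),
    "541990": (3, "confirm actual business activity", "institution risk appetite statement"),
    "812990": (3, "confirm actual business activity", "institution risk appetite statement"),
}
ESCALATORS = {"offshore_ownership", "multiple_jurisdictions", "no_operating_address"}
ROUTES = ["standard", "review", "edd"]   # ordered from least to most scrutiny
REVALIDATE_DAYS = 365                    # assumed; the guide only says "periodic"

@dataclass
class Decision:
    route: str = "standard"
    steps: list = field(default_factory=list)
    rationale: list = field(default_factory=list)

def _raise_to(d, route):
    """Never lower a route that an earlier rule already set."""
    if ROUTES.index(route) > ROUTES.index(d.route):
        d.route = route

def _apply_code(d, code):
    """Add the tier-specific step and its source for a listed code."""
    if code in MATRIX:
        tier, step, source = MATRIX[code]
        _raise_to(d, "review" if tier == 3 else "edd")
        if step not in d.steps:
            d.steps.append(step)
        d.rationale.append(f"{code}: {source}")

def assess(filed, derived, context, last_validated, today):
    """Route one business from its filed code, observed code and context."""
    d = Decision()
    _apply_code(d, filed)
    # Mismatch is an independent trigger, even when the filed code is benign.
    if derived and derived != filed:
        _raise_to(d, "review")
        d.steps.append(f"mismatch review: filed {filed}, observed {derived}")
        d.rationale.append("self-reported code conflicts with observed activity")
        _apply_code(d, derived)          # observed activity drives the steps
    # Context escalates the baseline by one level (assumed rule).
    hits = sorted(ESCALATORS & set(context))
    if hits:
        _raise_to(d, ROUTES[min(ROUTES.index(d.route) + 1, 2)])
        d.rationale.append("context: " + ", ".join(hits))
    # Ongoing monitoring: a stale classification gets revalidated.
    if (today - last_validated).days > REVALIDATE_DAYS:
        d.steps.append("revalidate NAICS code")
    return d
```

A business that files 541611 but is observed operating as 551112 is routed to `edd` with both a mismatch review and the UBO mapping step, which a lookup on the filed code alone would never trigger.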

What Automated KYB Does That a Risk Matrix Alone Cannot

A well-built risk matrix handles known risk codes correctly. What it cannot do on its own is catch the misclassifications.

A compliance program that only screens against a list of high-risk NAICS codes will miss every case where a high-risk business has self-reported a lower-risk code. And as the IRS research shows, that is not a rare edge case — it is a systemic property of self-reported classification data.

This is why the best KYB implementations use industry classification as a derived signal, not a passed-through one. Rather than trusting what the business filed with the IRS or the state, automated KYB platforms cross-reference the business name, registered address, and website against multiple independent sources — company registries, commercial data, web content — and return a classification based on what the business actually does.

When that derived classification conflicts with the self-reported one, the mismatch surfaces. A holding company that has been classifying itself as a consulting firm for three years still gets flagged — not because it came up on a prohibited list, but because the system identified that its actual structure does not match its claimed activity.

Signzy's KYB platform does exactly this across all 50 US states. It screens businesses against company databases and registries, verifies EINs, analyzes beneficial ownership chains through AI-powered document forensics, and surfaces risk signals — including industry context derived from multiple sources — through a unified API. When the derived classification signals elevated risk, the compliance team sees it at the top of the funnel, before a relationship has been established.

Book a demo with Signzy to see how industry risk classification fits into your onboarding workflow.

Bottom Line

A list of high-risk NAICS codes is only as useful as the process built around it.

The codes in Tier 1 — holding companies, trusts, real estate catch-alls — are primarily structural risks. The right response is ownership tracing, not just a flag. The codes in Tier 2 — casinos, MSBs, payment processors, commodity dealers — are primarily transaction opacity risks. The right response is activity verification and regulatory status confirmation. The catch-alls in Tier 3 are not inherently high risk, but their vagueness warrants a question: why did this business not use a more specific code?

And behind all of it is the misclassification problem. A risk matrix that only catches businesses that self-identify as high-risk will miss a meaningful share of the businesses that are.

The compliance teams that get this right are the ones that treat NAICS codes as a starting point for classification, not an endpoint — and build processes that can surface the gap between what a business claims to be and what it actually is.


Saurin Parikh

Saurin is a Sales & Growth Leader at Signzy with deep expertise in digital onboarding, KYC/KYB, crypto compliance, and RegTech. With over a decade of professional experience across sales, strategy, and operations, he’s known for driving global expansions, building strategic partnerships, and leading cross-functional teams to scale secure, AI-powered fintech infrastructure.
