Business Verification (KYB)

What is business verification (KYB)?

Business Verification — most often referred to as KYB (Know Your Business) — is the operational process of confirming that a company exists legally, operates legitimately, and is suitable to be onboarded as a customer or counterparty. Where individual KYC verifies a natural person, business verification adds the layers specific to entities: validating the corporate registration, identifying directors and officers, drilling down through ownership to the ultimate beneficial owners (UBOs), and screening the entity and its principals against sanctions, PEP, and adverse-media lists.

Business verification is the operational counterpart of KYC for legal entities. It sits inside every B2B onboarding flow — banks opening corporate accounts, payment providers underwriting merchants, fintechs onboarding business customers, lenders qualifying SME borrowers, vendors completing supplier due diligence, and marketplaces approving sellers. Done well, it shortens time-to-onboard, prevents shell-company misuse, and produces an auditable evidence pack that satisfies regulator and counterparty scrutiny — see our how to check if a company is legitimate guide for the practitioner-level checks.

Why business verification matters

Two forces make business verification disproportionately consequential. First, regulatory exposure — entity-level AML failings consistently produce the largest enforcement penalties, often driven by inadequate UBO identification, weak sanctions screening at the beneficial-owner level, or onboarding of shell companies that were later used for laundering. Second, fraud exposure — synthetic businesses, impersonated entities, and shell-company fronts are now industrial-scale fraud vectors, particularly in payments, lending, and marketplace onboarding. A weak KYB programme is both a regulatory liability and a fraud vulnerability simultaneously.

The business verification process

A complete KYB workflow moves through five stages. The first stage is entity identification and registry validation — confirming the legal name, registration number, registered address, formation date, and current status against the authoritative corporate registry for the entity's jurisdiction. A registered but dissolved or struck-off entity is a hard reject; a discrepancy between claimed and registered details is a referral. The second stage is document and tax-identifier verification — collecting and validating the certificate of incorporation, memorandum and articles of association, board resolutions, tax-identification numbers (EIN, VAT, GST, equivalent), licences, and proof of operating address. The third stage is principal identification — identifying directors, officers, authorised signatories, and senior managing officials, and performing identity verification on each at the level the institution's risk policy requires.

The fourth stage is UBO drill-down — identifying every natural person who directly or indirectly owns or controls 25% or more of the entity (or otherwise exercises control), reconciling declared ownership against registry filings, share registers, and organisation charts, and applying control-tests where threshold ownership cannot be established. The fifth stage is sanctions, PEP, and adverse-media screening of the entity, the directors and officers, and every identified UBO — producing a single risk view that drives the onboarding decision. Step-by-step practical methodology is covered in our how to verify businesses guide.

Documents required for business verification

The document set varies by jurisdiction and entity type but typically includes the certificate of incorporation or business licence; the memorandum and articles of association (or equivalent constitutional documents); a current shareholding or ownership structure (often via a beneficial-ownership form); a board resolution authorising the relationship; identification for each director, signatory, and UBO; the tax-identification number (EIN in the US, VAT in the EU, GST in India, etc.); proof of operating address; and (for regulated industries) the relevant operating licence. For higher-risk customers or industries, additional documents — financial statements, source-of-funds evidence, customer references — may be required.

Business verification and UBO identification

UBO identification is the single most consequential step inside the business-verification workflow. Sanctions and PEP screening at the entity level alone are meaningless — a clean-looking company can sit on top of a sanctioned individual several layers up, and only UBO drill-down surfaces the exposure. Mature programmes operate dedicated UBO check workflows that combine registry data, graph analysis, and screening in a single process. Practical step-by-step methodology for individual cases is covered in our finding the UBO of a company guide.

Risk rating following business verification

Once the verification evidence is complete, the institution risk-rates the entity along several axes: industry risk (cash-intensive, sanctioned-sector, high-risk), geography risk (jurisdiction of incorporation, operations, and counterparties), product risk (cross-border payments, correspondent banking, high-value lending), structural risk (complex multi-layer ownership, shell-company indicators, nominee arrangements), and behavioural risk (declared activity vs. anticipated transaction profile). Higher-risk customers move into Enhanced Due Diligence — additional source-of-funds verification, site visits, additional document collection, and senior-management approval. Lower-risk customers move through streamlined onboarding with the standard evidence pack.

Ongoing monitoring after onboarding

Business verification is not complete at onboarding. The institution must refresh the entity profile on a risk-based cycle — typically every 1–2 years for high-risk customers and every 5–10 years for low-risk customers — and respond to event triggers such as changes in ownership, new sanctions designations, adverse media, regulatory actions, or material changes in transaction behaviour. Mature programmes integrate the entity record with sanctions, PEP, and adverse-media monitoring so that any new hit on the entity, its directors, or its UBOs automatically opens a case.

Automating business verification

Manual KYB does not scale. Modern programmes automate the entire workflow: registry data is pulled via API from authoritative sources (US-based KYB typically starts with Secretary of State business records); document capture and OCR extract data from incorporation papers and licences; UBO drill-down runs automatically through multi-layer structures; sanctions and PEP screening runs in real time against the entity and all identified principals; and clean cases pass through straight-through processing without analyst review. Only exceptions — partial registry matches, complex ownership chains, sanctions hits — are routed to human reviewers with a pre-built case file. The relationship to individual KYC is covered in our KYB vs KYC explainer, and the broader discipline in our Know Your Business (KYB) overview.