What You Need to Know About KYB in Merchant Onboarding

What is the difference between KYC and KYB?

You might already be familiar with KYC (know your customer) rules, which verify individual identities. Some may call it customer due diligence, though the two processes are different and intertwined. KYC is common in many industries and is the process of verifying who someone is and checking to ensure that the person isn’t engaged in any overtly problematic activities such as money laundering or terrorism financing. KYC seeks to answer the question: “Is this person who he or she says they are, and are they engaged in any problematic activity?”

KYB is the business equivalent of KYC. It asks, “Is this company real, and are its owners/trustees legitimate?” The goal is straightforward — to be confident that the business isn’t a shell company or front for criminal activity, and that its principals aren’t on a most-wanted list. In practice, KYB due diligence gives you two assurances: (1) the business is a real, legally registered entity, and (2) the people running it are real, live humans who aren’t known bad actors such as money launderers, fraud kingpins, or terrorist financiers.

Why does KYB matter so much? 

For one, KYB is increasingly a legal requirement. Back in the early 2000s, KYC processes became mandatory for banks (thanks to AML laws like the USA PATRIOT Act). But for a long time, business clients weren’t under the same microscope — and criminals noticed. They exploited that loophole, setting up shell companies to hide illicit activity behind a veil of corporate legitimacy. Basically, why launder money through personal accounts (risking getting caught by KYC) when you can create “Acme Imports Limited,” get a bank account or payment processor relationship for it, and move dirty money through a seemingly legit business?

Regulators eventually caught on. In 2016, the U.S. Financial Crimes Enforcement Network (FinCEN) rolled out new rules to extend due diligence to businesses — essentially formalizing KYB in what’s known as the Customer Due Diligence (CDD) Final Rule. Now, any covered financial institution (including banks and many payment companies) must identify and verify the ultimate beneficial owners (UBOs) of legal entity customers. These include anyone who has a stake in the company of 25% or more.

Even when not explicitly required, KYB is just good business practice. It’s about trust and safety. You want to trust that your merchants aren’t going to defraud customers, launder cartel money, or sell illegal products under your nose.

What’s involved in a KYB check?

KYB isn’t a single check — it’s a process and framework. Here are the key components of KYB when onboarding a merchant:

Verify the business’s existence and legitimacy.
This is step one: ensure the company is real and properly registered. This means collecting official business registration documents (e.g., articles of incorporation, certificates of formation), verifying they’re genuine, and confirming the business is in good standing. Check that they provided a valid registered address and tax identification number (like an EIN in the US). If the merchant claims to have certain licenses or permits (say, a license to sell alcohol or operate a money service business), you’d want to validate those too.

Verify the owners (UBOs) and controllers.
Knowing the business is not enough; you need to know who’s behind the business. Ultimate beneficial owners are typically anyone who owns 25% or more of the company or otherwise controls it. A thorough KYB process will ask the merchant for a list of these individuals (names, dates of birth, addresses, identification documents). You also screen those names against watchlists and other risk indicators. Are any of the owners on sanctions lists or wanted lists? Are they politically exposed persons (PEPs) that might pose corruption risk? Do a quick adverse media search — have they been in the news for fraud, lawsuits, or scandals?

Assess the business’s background and honesty.
Beyond identities and registrations, you want to answer: “Is this business being truthful about itself?” What is its industry and is it high-risk? Does it have a history, and if so, is that history clean? A few practical checks come in here. One is to examine the business’s financial history and creditworthiness. Many PSPs will run credit reports on the business and its principals. A company drowning in debt or with a pattern of default might be more likely to engage in desperate (read: fraudulent) behaviors, or might simply go bankrupt and leave customers hanging. You’d also look at any available payment processing history. If this merchant has processed before (maybe they are switching providers), what were their chargeback rates, volumes, and fraud incidents?

Conduct compliance checks (AML, sanctions, etc.).
This overlaps with verifying owners, but extends to the business itself. Run the business name through sanctions and watchlist databases too, not just the owners. It’s possible the company name itself is flagged (maybe it was a shell used in a prior fraud scheme). If the business has any licensing (e.g., a money transmitter license), verify it. Ensure they’re not operating in a jurisdiction that’s under sanctions or high-risk. For example, doing business with a company registered in a known offshore haven might prompt extra KYB steps or outright rejection depending on your risk appetite.

Have a process for documentation and record-keeping.
As part of a manual KYB process, you’ll be collecting a pile of documents: incorporation docs, IDs for owners, perhaps utility bills for proof of address, financial statements, etc. Keeping these organized is important not just for your process but also because regulators might ask for proof that you did your due diligence should a problem later arise. Automated solutions can help centralize and streamline this process.

LegitScript's KYB feature consolidates documentation into a single dashboard. Here, you see business lookup details, including business registration and company address information all in one place.

Another tab on LegitScript's KYB results provides a risk assessment of the business contact information, including email address and phone number, as well as the findings of reported business watchlist activity.

Balancing Speed With Rigor in KYB 

Doing all the above thoroughly can sound heavy, and it can be, especially if done 100% manually. In practice, many companies use a risk-based approach for KYB. This means if a merchant is deemed higher risk (say they’re in a gambling or adult industry, or a foreign company from a high-risk country), you ramp up the scrutiny — maybe you ask for more documents or perform deeper background research (enhanced due diligence). Conversely, a low-risk domestic business might go through a more streamlined KYB. This tiered approach helps manage resources and friction.

But even with a risk-based approach, KYB is cumbersome and difficult to scale if performed manually. Furthermore, the manual aggregation and analysis of KYB data is more error-prone, increasing your risk. Performing all of the necessary checks can take hours, and it may take days or weeks before a merchant application is approved. In today’s competitive environment, merchants want a fast and seamless customer experience.

Leveraging Automation and AI in KYB

Many leading payment companies are now leveraging automation in KYB to handle scale and complexity. For example, they might use API integrations to instantly pull a business’s registration info from government databases, or to fetch corporate credit scores. Some use AI-based document verification for passports/IDs of UBOs — far faster than manual review and often more accurate in spotting fakes. KYB orchestration platforms (including some offered by identity verification companies) allow you to input a business name and get a lot of the puzzle pieces (registration data, sanctions status, shareholder info) in one submission. 

Another point: KYB isn’t a set-it-and-forget-it task. Think of onboarding as the first checkpoint, but you may need to revisit your KYB info periodically or enroll your merchants in persistent merchant monitoring. Owners can change, businesses pivot, new information can come to light. Leveraging automation and third-party partners can allow you to grow while continuing to ensure the integrity of your merchant portfolio.

Want to learn more?

LegitScript Merchant Onboarding provides a real-time, comprehensive view of payments risk at the onboarding/underwriting stage. Our industry-leading data and proprietary content crawling technology help payments companies maximize efficiency and minimize merchant time-to-processing, all while reducing compliance risk. Unlike other approaches to onboarding risk detection, our solution:

• Incorporates thorough, automated KYB checks 
• Cuts through the noise with clear risk summaries on demand
• Empowers your team with descriptive insights and examples
• Instills confidence with supporting information such as screenshots

Reach out to us to explore how our AI-powered solutions can help you mitigate risk while accelerating growth. Or learn more about onboarding with our new guide below.