In brief:
- Corporate KYC – also known as KYB – is the process of a company verifying the legitimacy of another business, the identities of its UBOs, and the risks both represent before onboarding that business and throughout the relationship.
- Corporate KYC involves verifying the identity information of both a business and its UBOs, conducting customer due diligence (and enhanced due diligence, if necessary) to check all of them for risk signals, developing (or modifying) an ongoing monitoring plan in case the business’s risk profile changes, and reporting potential suspicious activity.
- You can automate some manual corporate KYC tasks using tools like Middesk, accelerating your verification and onboarding processes while freeing up money and employee time to work on higher priority tasks.
KYC, or “Know Your Customer” – the process of financial institutions verifying the identities of individuals who want to do business with them – has been around in the US since the 1970s with the passing of the Bank Secrecy Act (BSA). Corporate KYC, however, is a fairly new concept dating back to around 2016. That’s when a global scandal known as “The Panama Papers” erupted with many secret corporate documents being leaked to the public.
The leaked documents revealed powerful people and corporations were illegally taking advantage of the much looser KYC checks financial institutions were required to do on business customers. They would create “shell companies” – businesses that existed on paper but had no physical locations or operations – using them to hide money from tax authorities and mask who was really involved in certain transactions. Corporate KYC was invented to catch, stop, and prevent this kind of activity.
This article will give you a primer on what corporate KYC is, the steps and documents it typically involves, the laws and regulations you have to follow when performing it, and how you can automate the process using tools to relieve some of your compliance burdens.
- The fundamental components of corporate KYC
- Corporate KYC process: what’s involved
- What documents are required for corporate KYC?
- 4 KYC requirements for corporations and why you need to follow them
- 4 top corporate KYC software & tools to enhance your compliance program
- How to automate your corporate KYC process
We’ll start with the basics: corporate KYC’s meaning, what types of companies most need to conduct it, and why it’s a crucial process for your company.
The fundamental components of corporate KYC
So what is corporate KYC? Why is it important to conduct? And are there certain kinds of companies that need to conduct it more than others? This section will cover these basic questions.
What is corporate KYC and what does it really mean?
Corporate KYC refers to the steps a company needs to take to verify another business and its owners are what they claim to be and present low enough risk. These steps need to be taken when two businesses form a relationship, and also periodically after that (as business info can change over time).
KYC for corporate clients is also often referred to as “Know Your Business”, or KYB.
Who needs to conduct corporate KYC?
Usually, businesses involved in finance are required to conduct corporate KYC, such as those in the U.S. classed as financial institutions by the Bank Secrecy Act (BSA). These include:
- Banks
- Credit unions
- Lenders
- Cryptocurrency platforms
- Fintech companies
- Securities brokers and dealers
- Managers of investments (such as mutual funds)
- Currency exchanges
- Payment service providers
- Insurance agencies
- Casinos & gambling companies
- Precious metal/stone/jewel dealers
- Pawn shops
- Vehicle dealerships
- Travel agencies
- Real estate companies
Some of the business types on this list may not be directly related to finance, but they do tend to regularly process high-value transactions. So they’re counted as FIs because they’re at a greater risk of being used to steal or illegally move around large amounts of money.
Other types of companies may or may not be required to conduct corporate KYC, depending on jurisdiction or industry regulations. However, we recommend treating corporate KYC as mandatory regardless of whether it actually is for you. We’ll explain why below.
Why KYC for corporate clients is critically important
The main goal of KYC for corporate companies is to provide transparency around where businesses are moving their money and who is ultimately benefiting from those moves. In that capacity, it helps your company do things like:
- Prevent financial crime – Knowing what a business is, who controls it, and what potential risks they represent allows you to filter out entities committing or already known for crimes like money laundering, terrorism financing, and illegal trafficking.
- Protect your company from fraudsters – Financial criminals may target your own company to steal money or sensitive information. Screening businesses and who’s behind them lets you detect and block these risky entities before they get into your system.
- Meet regulatory requirements – Many jurisdictions have laws and other regulations companies have to follow to keep illicit money out of the legitimate financial system. Corporate KYC is usually one of them, so conducting it properly helps your company stay out of trouble with governments and compliance agencies.
- Establish trust with stakeholders – Having a solid KYC program shows customers, partners, and investors your company is committed to doing business ethically and protecting them from bad actors. In turn, this makes your company attractive to new potential customers, partners, and investors.
- Avoid legal costs – While meeting corporate KYC requirements is often expensive, the potential costs of failing to do so are even higher. You can face penalty fines from regulators, or even civil or criminal charges that require you to spend money on legal experts to defend you in court.
- Preserve your company’s reputation – If your company isn’t compliant with corporate KYC rules, it can look untrustworthy to customers, partners, and investors. And if you end up stolen from or used as an accessory to financial crime because your defenses weren’t tight enough, your brand’s image can take an even bigger hit. This can scare away both current and potential stakeholders, and takes a long time to fix.
There are many potential upsides to implementing corporate KYC in your company – and many potential risks if you don’t. However, it isn’t always easy to balance AML compliance with growing your company. To help you out, Middesk has created a crawl-walk-run framework for keeping your company compliant and secure while still providing great service that wins you both new and returning customers.
Corporate KYC process: what’s involved
To conduct KYC for a corporate entity, there are a few extra steps you need to take when compared to standard KYC. Here’s a breakdown of what you need to do.
Business identity verification
You first have to verify that the business’s identity is legitimate. Is its name registered with the proper authorities? Is its registration and licensing documentation filed with them as well? Does its address point to a place you can physically visit? Does it have a valid tax ID number?
If any of these pieces of information are missing, aren’t valid, or belong to another business, it’s an early warning sign something isn’t right.
Ultimate beneficial owner (UBO) identity verification
The next step is to identify the business’s ultimate beneficial owners (UBOs) to determine who actually owns or controls it. A UBO is anyone who holds at least 25% of the company’s stock options or director voting power. At minimum, you need to verify their legal names, home addresses, dates of birth, and at least one government-issued ID number (such as their SSN or passport number).
Basically, you’re checking if the UBOs are real people with unique identity credentials. Information that isn’t registered, or is actually from another person entirely, may be a red flag you’re dealing with shady people.
Customer due diligence (CDD)
This is where you look beyond a business’s identity for other information that may indicate it’s risky to deal with. You’re looking at things like what the business is worth, where it’s based, how it has banked in the past, why it claims to want to form a relationship with you, how it’s being covered in the news, and whether it’s on a sanctions list or other watchlist for criminal activity.
You need to ask these same questions about the business’s UBOs. An extra question you need to ask, though, is whether any of the UBOs are politically exposed persons (PEPs) or relatives or close associates (RCAs) of people who are. They represent higher risks because they’re in (or are close to people who are in) roles with significant administrative power that are vulnerable to being abused or targeted for financial crime.
Enhanced due diligence (EDD)
If a business or its owners raise too many or too serious risk indicators, it’s time for an even deeper dive into their affairs. For example, if a UBO is a PEP, what is the title and nature of their position? What social or economic elements could they influence? Ask the same kinds of questions if the UBO is an RCA of a PEP, along with what the nature of their relationship is.
You should also check the company’s suppliers and income sources. How is the company getting money and property, and is it actually getting enough money to afford the property it buys?
Then look deeper into the company’s transactions. Who are they doing business with, and why? What methods do they use to carry out their transactions, and how long do they take? How much money is moved or exchanged for goods and services, and do the values match up?
You may even want to visit the business’s headquarters in person to see if it actually has a physical presence at its address. Does the company’s actual address match what’s officially on file? If the business is missing any identity information or documentation that should be registered, can headquarters provide copies of it?
Ongoing monitoring
Even if you decide to onboard a business as a customer or partner, you should still have a plan for keeping an eye on its information and transactions, especially if you had to put it through EDD. This is known as ongoing compliance. The business or its owners could change their identity information or their relationships (regarding PEPs and RCAs), have liens filed against them, change the business’s ownership structure, or even file for bankruptcy. This could alter how much risk the business presents, and some of these actions may be considered suspicious. Either way, a review of the business’s risk profile may be necessary.
Watch how the business conducts transactions, too. It may start making transactions that don’t line up with its normal activities, or that otherwise just don’t make sense. For example, these transactions may be carried out through obscure or complicated financial methods when much simpler alternatives are readily available. Or they may be for suspicious amounts – high-value money moves the business isn’t typically known for, or amounts that always seem to fall just below limits that would require reporting those transactions.
Reporting suspicious activity
Give employees clear protocols on filing suspicious activity reports (SARs): how to initiate them, what to include in them, who to submit them to (and when), and how to handle them after they’re sent.
For example, in the U.S., most SARs are to be sent to the Financial Crimes Enforcement Network (FinCEN) no later than 30 days after the suspicious activity is detected. They should also be kept on file for some time in case law enforcement or regulatory agencies need more information or to follow up. The reports should include:
- Identifying information about the entities involved
- What the suspicious activity was and when it happened
- Which parts of your business (locations, software, etc.) the suspicious activity affected
- Who to contact at your business or with law enforcement for more information
- A full explanation of why the activity was flagged as suspicious
As for what activity counts as “suspicious”, asking similar questions to the ones you did in CDD, EDD, and forming an ongoing monitoring plan should be a decent starting point. Ultimately, though, it’s a judgment call based on how well you know a customer or partner’s typical financial behavior. It’s probably best to play it safe, reporting – or at least investigating – anything that seems out of place.
What documents are required for corporate KYC?
Governments and regulators don’t always specify which documents you need to request or screen for the corporate KYC process. All they require is that you get the information you need from trustworthy sources to determine whether or not a business is registered, its owners are real people, and both present low enough risks that they likely aren’t involved in anything illegal.
With that being said, here are some common types of official corporate KYC documents used to check the identities of businesses and their owners:
Formation documents
These are the legal documents that explain a business’s purpose, ownership structure, management system, typical operations, and any other required information relevant to the business's creation and existence. They can be different depending on the type of business you’re investigating. For example, corporations need Articles of Incorporation and Corporate Bylaws. Limited liability companies (LLCs) need Articles of Organization and an Operating Agreement. Partnerships require a Partnership Agreement.
A business can’t legally operate in a jurisdiction unless it has these documents filed with the appropriate authorities there – in the U.S., that’s usually a state’s Secretary of State office. These documents will also likely contain a business’s official name. Understanding how to get business formation documents is a critical step in the corporate KYC process.
Proof of address documents
These help you check if the business has an actual physical property where it operates from. This is important for confirming the business isn’t a shell company: a business that exists on paper, but has no physical presence and no operations besides moving money around.
Some formation documents contain a business’s registered address (its location in the place it was first formed) and may contain a business’s operating addresses (its offices located elsewhere in the jurisdiction, or in a different jurisdiction). You may also be able to confirm a business’s operating address with property-specific documents like utility bills or building lease agreements.
Tax returns and other tax documents
Documents like tax returns help to confirm a business is properly registered to pay tax wherever it operates. In the U.S., this is denoted by an Employer Identification Number (EIN), a unique number assigned to registered businesses by the Internal Revenue Service (IRS). Check a business’s reported EIN against these official documents – if information is missing or mismatched, that’s a risk signal you should investigate.
Financial statements and transaction histories
You also want to look at documents that show the business’s current financial status, as well as how it has banked in the past. Unusual transactions and totals that don’t add up could be warnings that a business is too high-risk to start or continue a relationship with.
Ownership structure documents
To supplement the information you find in a business’s formation documents about how its chain of command is set up, you should also look into documents like shareholder agreements, shareholder registers (ideally including ownership percentages), and lists of trustees. These will help you understand who ultimately is in control of the business and who benefits from it.
Remember that businesses – especially larger ones – can have complicated ownership and management structures. Analyze these systems carefully and look for areas where a concentration of power could be abused for illegal purposes.
UBO identification documents
Finally, you need information on who the business’s UBOs are: their names, addresses, dates of birth, and at least one government-issued ID number for each UBO. Documents that can provide this information include passports, vehicle licenses, and other federal government-issued ID cards.
This lets you check if their identities represent real, unique people and actually correspond to the people submitting them. If a UBO’s ID credentials belong to someone else, or don’t match any known person, investigate further – they could have something to hide.
4 KYC requirements for corporations and why you need to follow them
Conducting corporate KYC isn’t just about protecting your company. It’s actually required by law in many places. Here are four examples of corporate KYC regulations you have to follow – or at least avoid breaking if they don’t have clear guidelines for what you should do.
1. Customer Identification Program (CIP)
The USA PATRIOT Act in 2001 made it a requirement for U.S. financial institutions to each create a written plan for verifying customer identities, as well as checking whether customers are under any U.S. sanctions or present other risks. CIPs must meet at least 6 criteria, including telling customers what information the FI needs from them and why, collecting this information, verifying it’s accurate, checking it against sources that could indicate risk, and securely storing it until it’s reasonably no longer needed for compliance.
2. FinCEN CDD Final Rule
The FinCEN CDD Final Rule is the law that created KYC requirements for corporations in the USA. It’s an amendment made in 2016 to the Bank Secrecy Act that calls for U.S. financial institutions to check the legitimacy and potential risks of business customers. Additionally, FIs have to find out who a business customer’s UBOs are and conduct KYC checks on them.
This rule is meant to close the loopholes exposed by the Panama Papers scandal, where individuals and businesses could hide their money and transactions by funneling them through illegitimate “shell” companies. Now, businesses have to prove that they’re legitimate and have real people behind them before they can form financial or corporate relationships.
3. Sanctions and watchlist screening
National and international regulatory agencies publish lists of individuals and groups known for criminal activity, or countries that have high rates of financial crime. Companies conducting corporate KYC need to factor these lists into due diligence to know which businesses – or the people behind them – are dangerous or even illegal to form relationships with.
The main authority for these lists in the U.S. is the Office of Foreign Assets Control (OFAC). Its lists denote entities that are illegal to deal with because their activities threaten U.S. national security or foreign policy. So it’s critical to run an OFAC check when performing corporate KYC to ensure a potential business customer – or anyone involved with it – isn’t on one of these lists.
Also important are the “greylist” and “blacklist” from the Financial Action Task Force (FATF). These lists name countries that aren’t meeting international standards on preventing financial crime. The “greylist” is for countries under stricter FATF monitoring while they work to build better anti-financial crime systems. The “blacklist” is for countries known for financial crime and not making serious efforts to address it. So it’s a good idea to check where a business customer and its owners are operating, and keep these potential risks in mind.
4. Politically exposed persons / relatives and close associates screening
You also need to check if any of the UBOs from the businesses you’re conducting corporate KYC on are politically exposed persons (PEPs) or relatives and close associates (RCAs).
PEPs are people who hold positions with significant administrative authority such as politicians, judges, financial institution directors, government corporation executives, and military officers. This makes them high-risk because they could abuse their positions to commit financial crime, or be higher-profile targets for criminals looking to make their crimes appear legitimate or even influence society.
RCAs are people with strong familial, professional, or social connections to PEPs. While they can’t directly abuse public administrative positions, they can still exploit their relationships with PEPs for criminal purposes (and vice-versa). And criminals may attempt to coerce PEPs into cooperating with illegal activities by targeting their RCAs first. So RCAs can present the same kinds of risks as PEPs themselves, and it’s just as important to make sure you are following RCA compliance.
Since PEPs and RCAs are defined differently across jurisdictions, there aren’t universal guidelines for screening for them. Generally speaking, though, you want to conduct CDD on them as part of your PEP KYC process to identify and define their positions and relationships, and how these could be exploited for crime or other influence. You should also look at where these people are sourcing their funds from. If necessary, you should conduct EDD and involve senior managers in the decision to onboard or retain an associated business customer or partner.
4 top corporate KYC software & tools to enhance your compliance program
Corporate KYC takes a lot of work, but you can simplify that work by using certain tools. Specific software programs can organize the required information and automate certain tasks for corporate KYC. This not only takes pressure off your compliance team, but it also makes for smoother onboarding and verification processes that keep your customers happy.
Here are our top 4 recommendations for corporate KYC software.
1. Middesk
Middesk is your go-to software choice for corporate KYC if you want to work with another business in the United States. Pulling frequently-refreshing business identity data from Secretary of State offices and other U.S. government agencies, Middesk has complete and current information on every U.S. business.
Middesk also retrieves many other kinds of information to help assess a business’s risk, including data on UBOs (through our partnership with Socure), sanctions lists and watchlists, industry classification, negative press, legal proceedings, liens, bankruptcies, and more.
Best for: Complete identity data that is refreshed daily and covers every U.S. business.
Learn how Middesk’s flagship Verify product offers a 31% lift in auto-approvals during Corporate KYC checks.
2. Trulioo
If you need information about a business’s UBOs, chances are that Trulioo will have it. Trulioo’s database has information on over 5 billion people from over 195 countries, cross-referenced from over 450 data sources worldwide. It also recognizes over 14,000 types of ID documents. Trulioo also has business identity verification capabilities, but they’re mostly focused on tracing UBO relationships and presence on watchlists; they’re not as thorough with detecting and assessing other risk signals.
Best for: Identifying and assessing risk for a business’s UBOs.
Learn about Trulioo’s business verification solutions.
3. Ondato
Ondato is able to verify identities through several different methods: photo-based biometrics, video-based liveness detection, physical ID document scanning, or near-field communication (NFC) document checking. This allows for a multi-layered identity verification approach where one method may be able to detect something another method missed. Additionally, Ondato can recognize UBOs from businesses in over 50 countries, and over 10,000 types of identity documents from over 195 countries.
Keep in mind, though, that choosing more options can make Ondato more expensive and more resource-intensive to set up. Also, like Trulioo, Ondato is more focused on individual identity verification. So its corporate KYC risk assessment capabilities are mainly limited to sanctions lists, PEP lists, and adverse media.
Best for: Various identity verification options for a multi-layered KYC approach.
Get more information on Ondato’s remote business verification services.
4. iDenfy
iDenfy features a number of different identity verification and risk assessment tools that you can mix and match to customize how your corporate KYC processes run. It features business verification, watchlist screening, PEP identification, and verification functions for many different types of identifiers: utility bills, addresses, faces, phone numbers, NFC chips, bank details, and IP addresses. Like with Ondato, though, adding more options makes the software overall more expensive and difficult to implement. Also be careful you don’t add so many options that it slows down your identity verification and onboarding processes with unnecessary friction.
Best for: A highly-customizable global corporate KYC solution.
Read an overview of iDenfy’s KYB platform designed for compliance teams.
For our full list of options, check out our guide on the best KYB solutions and the one that’s right for your business.
How to automate your corporate KYC process
You can automate corporate KYC through a few different methods, such as rule-based decision making, big data analytics, or AI / machine learning. Here are some ways to get the most out of whatever automation you choose to implement:
1. Clearly identify problems to solve and goals to reach
When choosing how to automate corporate KYC, think about things like what regulations you have to follow, the quality and quantity of proof you need to verify identities, and the specific issues with your company you’re trying to fix. Depending on whether you’re trying to reduce false positives, cut down on manual reviews, or just save everyone’s time and money, one option may be better for you than another.
2. Confirm your data sources are credible, complete, and up-to-date
Corporate KYC automation isn’t going to do you much good if it’s using bad data. Check each of your sources to make sure they aren’t missing any information you need and aren’t using data that’s outdated or inconsistent with your other sources. This will help avoid discrepancies that may lead to false positives or negatives.
3. Pick an option that has the level of customization you need
Depending on your industry and your company’s specific circumstances, you’re going to encounter certain types of risk in corporate KYC more than others. Look for an automation solution that you can tune to the types of risk you face most, or that potentially have the biggest impact on your company. Also ensure you can and know how to make further customizations in response to changing conditions.
4. Include a briefing on automation in employee training
Your employees will likely be more excited and efficient in putting your corporate KYC automation in place if you explain why you’re doing it and how it helps them. Highlight the benefits to your company: what problems you’re trying to solve, what goals you’re trying to achieve, and how employees won’t have to do as many tedious manual tasks.
5. Measure, review, and adjust the automation’s performance over time
Corporate KYC regulations and applicable information can change frequently, so make sure your automation is keeping up. Track metrics like how often it flags suspicious entities or information, how much faster your verification and onboarding processes become, and how much money and time you save from employees having to do fewer manual tasks.
If something seems off, check if the automation is set up correctly and using up-to-date data sources. You may need to make modifications if you encounter issues like new kinds of information being needed, rules not being set up properly, information not refreshing quickly enough, or friction actually increasing in your KYC processes.
Automate—and optimize—your corporate KYC procedures with Middesk
Middesk gives you the full picture on any U.S. business both before you onboard it and during your relationship with it. Get registration details and documents, UBO identities via Socure, and many different types of risk-related information – all pulled directly from U.S. government agencies and other trusted sources. Contact us for a demo to learn more and try it for yourself.