In brief:
- KYC for business accounts – also called KYB or corporate KYC – requires verifying a business's official registration details and the identities of its beneficial owners (UBOs) using their unique identification credentials.
- KYC for business customers also involves checking information about the business and its UBOs that could point to unacceptable risk, monitoring potential changes to their risks over time (if they are onboarded or retained), and reporting suspicious activity.
- You can use KYB software tools like Middesk to automate certain manual processes in KYC for businesses such as data collection, risk scoring, customer approval or rejection, and ongoing information monitoring.
KYC for business accounts wasn’t a very thorough process until 2016, the year the “Panama Papers” scandal broke out. Secret corporate documents leaked to the public revealed wealthy people and companies around the world were exploiting the light KYC checks required on businesses to create illegitimate “shell companies”, then use these fake businesses to hide money and move it around anonymously.
To combat this practice, the U.S. amended the Bank Secrecy Act (BSA) to mandate that businesses, particularly financial institutions, implement stricter identity verification for their business customers. This necessitated verifying business registration and ownership (ultimate beneficial owners, or UBOs) and checking for risk indicators related to financial crimes for both the business and its UBOs.
So what does KYC mean in a business context? What exactly does it involve, and what rules does it have to follow? And what tools are available to simplify the process for risk & compliance teams? This article addresses those questions.
- What is KYC for business accounts?
- 6 benefits of corporate KYC for business customers
- What corporate documents are required to conduct KYC for business accounts?
- 4 KYC requirements for businesses to follow during corporate customer onboarding
- The KYC business process: steps & considerations
- 4 top KYC solutions for business accounts
To start, we’ll explain KYC’s meaning in a business context and its overall purpose.
What is KYC for business accounts?
KYC for business accounts refers to verifying a business’s registration details are accurate and belong to that business, as well as identifying the business’s ultimate beneficial owners (UBOs) and verifying their identities to ensure they’re real people accurately representing themselves.
In addition, companies conducting KYC on business customers have to check both the business itself and its UBOs for risk signals. A company has to be able to reasonably conclude that neither the business nor its UBOs are involved in illegal activities – especially financial crimes like money laundering and terrorism financing – or present any other kind of serious risk to the company (operational, reputational, etc.).
Why corporate KYC is essential for business accounts
Corporate KYC is critical to conduct on business customers because it helps to identify businesses being used as fronts for crime or that otherwise present serious risks to your company. Ultimately, it’s about protecting your company from getting involved with – or even being attacked or used by – businesses that aren’t properly registered to operate, or business owners involved in illegal activities and possibly using their business as a cover.
In short, KYC for business customers protects your company from financial losses and data breaches caused by fraudulent or risky entities. Furthermore, it helps your company keep dirty money out of the legitimate financial system and avoid liability for enabling financial crime.
Since this is such an important process, you should implement it at every stage of your company’s lifecycle. But that can be especially difficult when you’re just starting out and trying to prioritize making your company profitable. If you need help striking that balance, Middesk has created a “crawl, walk, run” framework you can follow to meet compliance standards while remaining competitive.
6 benefits of corporate KYC for business customers
We just covered the major overall benefits of conducting KYC for businesses, but there are other upsides to it for your company. Here’s an expanded list.
1. Prevent financial crime and protect the legitimate financial system
To carry out financial crimes, criminals need mechanisms to exchange dirty money for clean money and move money around discreetly. By using corporate KYC to weed out risky entities, you’re denying criminals those channels and helping to keep the proceeds of crime from being laundered through the legitimate financial system.
2. Safeguard your own company from theft
KYB also helps protect your own company from fraudulent activities. For example, criminals may pose as a business to get onboarded by your company, then abuse their access privileges to steal money and sensitive information. Corporate KYC lets you identify and stop these phonies before they get anywhere near your systems.
3. Comply with financial regulations
KYC for businesses is essential for legal and regulatory compliance in the US and globally. These rules protect the financial system's integrity by preventing companies from facilitating financial crime. A strong KYB program guarantees adherence to government and regulator standards.
4. Protect your company’s image
On the other hand, failing to comply with financial regulations by not instituting adequate business KYC and other ID verification processes makes your company look risky and unattractive to stakeholders. In a worst-case scenario, your company could suffer a data breach or be implicated in financial crime. The resulting reputational damage can be extensive and long-lasting, making it difficult to retain current customers and attract new ones, as well as deterring potential partners and investors.
5. Avoid paying fines and legal expenses
Non-compliance with financial laws doesn’t just threaten your company’s reputation. Regulators that catch you being non-compliant can issue penalty fines, or even bring civil or criminal charges against you. Having to spend money and time fighting these charges in court is a distraction your company can ill afford.
6. Build trust with customers, partners, and investors
On a more positive note, implementing robust corporate KYC procedures demonstrates you’re serious about safeguarding stakeholder resources. This signals to customers and partners that their funds and sensitive data are secure by proactively preventing fraudulent or harmful entities from accessing your systems. Investors will also appreciate the efficiency of preventing incidents rather than expending more resources on post-incident cleanup.
What corporate documents are required to conduct KYC for business accounts?
Authorities aren’t always specific about which business KYC documents you need to screen businesses and their owners. They’re more interested in you having enough information from credible sources to only work with businesses and business owners that are truthfully representing themselves and present levels of risk your company finds acceptable.
However, there are certain kinds of documents that companies conducting KYB tend to look for and check. These include:
- Formation documents: Legal documents such as Articles of Incorporation, Articles of Organization, and Partnership Agreements that outline essential information about a business. They need to be filed with authorities in a jurisdiction (usually the Secretary of State office for a given state in the US) before a business can legitimately operate there, so knowing how to get business formation documents for KYB compliance is one of the more important steps here.
- Proof of address documents: Documents that prove a business has a physical location somewhere in a jurisdiction (either a registered or operating address), and isn’t just a shell company. Some formation documents may have one or more addresses on them, while documents like utility bills or lease agreements will have them as well.
- Tax returns: These show a business is registered to pay tax where it operates. In the US, this is indicated by an Employer Identification Number (EIN) issued by the Internal Revenue Service (IRS). Knowing how to do an EIN search helps you ensure each number belongs to the correct business.
- Ownership structure documents: These are documents like lists of trustees, shareholder agreements, and shareholder registers (ideally, ones that indicate each shareholder’s ownership percentages). Use them to find who a business’s ultimate beneficial owners (UBOs) are and check its corporate governance structure for points vulnerable to abuse.
- UBO ID documents: At minimum, you need a full name, street address, date of birth, and at least one government-issued ID number to verify the identity of a UBO. Scans of documents like passports, vehicle licenses, and other ID issued by a federal government should have this information.
- Financial statements: Documents like bank account summaries and transaction histories let you see a business’s current financial health and compare that to its previous money moves. This lets you check for risk signals like bad credit or transactions that don’t add up or are of questionable purpose.
So what are the specific rules dictating that you need to find all of these documents and the information they contain? We’ll talk about those in the next section.
4 KYC requirements for businesses to follow during corporate customer onboarding
Some corporate KYC regulations give guidelines on how to implement them, while others are risk-based parts of conducting reasonable due diligence. You have to follow these to avoid being found non-compliant, or being held responsible if a financial crime happens at your company.
We’ll explain some of the key KYC requirements for businesses here.
1. Customer Identification Program (CIP)
This rule requires US financial institutions to have a concrete plan for checking customers’ identities, sanctions statuses, and other potential risks. A CIP plan must meet at least six criteria:
- Have a written version outlining a risk-based approach to verifying customer identities
- Let customers know what information is needed from them, and why
- Collect the necessary customer information, using specified methods
- Verify that a customer is who they claim to be, using specified methods
- Determine the potential risks a customer presents, using specified methods
- Keep customer information on file until 5 years after their account closes or is inactive
The regulation is part of the Bank Secrecy Act, as amended by section 326 of the USA PATRIOT Act in 2001.
2. FinCEN’s CDD Final Rule
Another amendment to the BSA, this one was made in 2016 by the US Financial Crimes Enforcement Network (FinCEN) in response to the Panama Papers scandal. Its purpose is to stop the kind of illegal activities exposed by the scandal: concealing and secretly transferring funds through illegitimate shell companies.
As such, the FinCEN CDD Final Rule requires US financial institutions to check business customers’ credentials to make sure those businesses are operating legitimately and present a low enough risk of financial crime involvement. It also requires FIs to identify each business’s UBOs, confirm they are who they say they are, and ensure they have little chance of being involved in financial crime too.
3. Screening against sanctions lists and financial watchlists
Some businesses or their UBOs may have committed crimes before, or may be known to be presently involved in financial crime. They are often put on sanctions lists by the US Office of Foreign Assets Control (OFAC) as threats to national security and foreign policy. It’s illegal for any US entity to deal with these businesses and people, so you have to know how to run an OFAC check when conducting KYB to ensure neither a business nor any of its UBOs are on one or more OFAC lists.
The international Financial Action Task Force (FATF) also issues a "greylist" and "blacklist" to identify nations with insufficient efforts in combating financial crime. The "greylist" includes countries actively improving their anti-financial crime measures under FATF oversight, though they may still present risks. The "blacklist", meanwhile, designates extremely high-risk countries that have very poor protections against financial crime and show little action towards bolstering those safeguards. So it’s important to check if the country a business or its UBOs are operating out of is on one of these lists, as this can be a critical risk signal.
4. Identifying politically exposed persons and their close associates
UBOs may hold public positions where they have significant political or economic influence. If they do, they present heightened risks because their authority gives them resources and opportunities to commit or facilitate financial crime that other people don’t have. They’re known as politically exposed persons (PEPs). So implementing PEP screening in your KYB processes is a critical risk evaluation step.
Even family members or close friends of PEPs can still pose elevated risks, as their relationships with PEPs could be exploited for criminal gain. That’s why they are often classified as a subtype of PEPs called relatives and close associates (RCAs). So while knowing how to perform a PEP risk assessment for KYB is important, knowing how to maintain RCA compliance is just as essential because RCAs can present similar types of risks to your company as PEPs themselves.
Unfortunately, there aren’t standardized guidelines for who is a PEP/RCA and how to handle them during KYC. Generally, though, you want to look at other roles a UBO occupies and ask if those roles could be exploited to affect public social or economic decision-making. Examples include politicians, judges, leaders at financial institutions or government-owned corporations, and military officers. Also look for people UBOs may know or be related to that occupy these roles.
If you find positive matches on either front, you should conduct enhanced due diligence (EDD) on the UBO in question, including finding out where their funds are coming from. You should also involve your senior managers in the KYC process and have them weigh in on whether to ultimately onboard (or keep ties with) a business with a PEP/RCA UBO.
The KYC business process: steps & considerations
Corporate KYC is a system you need to apply whether onboarding a business customer or reviewing its risk profile to decide whether to keep ties with it. It involves a series of procedures you need to continually carry out – and information you need to continually check – throughout a business customer’s lifecycle. Here are the major steps in the KYC business process, along with what you’re trying to do or find out at each of them.
Step 1: Verifying the business’s credentials
You should start by checking if the business itself is legitimate. That means going to where businesses are registered in your jurisdiction (in the U.S., that’s usually a state Secretary of State office) and seeing if the business’s information is there. That includes its formation documents, proof of address, tax ID, and any applicable special licensing.
Also double-check that this information is valid, is the same as what the business reports about itself, and doesn’t belong to another business.
Step 2: Identifying the business’s UBOs
You next need to look at the business’s corporate structure and determine who actually owns the business: the ultimate beneficial owners (UBOs). This can be tricky because businesses sometimes have complicated chains of command with vague titles like ‘nominee director’ and ‘bearer shareholder’. That can make it tough to tell who owns and controls the business versus who is just managing it.
As a guideline, you want to look for anyone that has at least 25% of either the company’s stocks or voting weight in decisions on the company’s direction. At a minimum, you need their full name, address, date of birth, and at least one government-issued ID number (such as on a passport or driver’s license). Like with the business itself, check that this information exists, is valid, and doesn’t belong to another person.
Step 3: Conducting customer due diligence (CDD)
Now you need to search for information on both the business and its UBOs that could indicate potential risk. For example:
- Are they extremely wealthy?
- Do they live in or operate out of a country with high levels of financial crime?
- Have any of their past financial moves seemed suspicious?
- Is the news reporting they’re (allegedly) involved in illegal or unethical activity?
- Are they on any sanctions lists or financial watchlists?
- Is any of the business’s UBOs a PEP or RCA?
Compare answers to these questions with what your company considers low or high risk, as well as any applicable regulations (e.g. you typically can’t do business with an entity on a sanctions list under any circumstances). Based on those comparisons, you may decide to clear a business for onboarding, reject the business, or investigate the business for further potential risk indicators.
Step 4: Escalating to enhanced due diligence (EDD) if necessary
If the risk level of a business and its UBOs approaches the limit your company will tolerate, you may decide to do further research to help you make a final decision. Look into information about the business and its UBOs such as:
- What politically-exposed positions UBOs hold and what they could influence
- Where they’re getting their supplies and funds
- Whether the value of their real property lines up with the value of their financial assets
- Who they are conducting transactions with, what methods they’re using, and why
- How long their transactions take, how valuable they are, and what’s exchanged
- Whether you can visit the business to confirm its address or get missing information
If you find further risk indicators here, it may convince you the business isn’t safe to onboard or continue a relationship with.
Step 5: Monitoring the business and its UBOs on an ongoing basis
If you end up onboarding a business (or keeping ties with it) as a customer or partner, you still need to perform ongoing compliance monitoring to keep tabs on its risk level. That includes watching how the business’s UBOs’ risk profiles change, such as if they become a PEP or RCA, get added to a sanctions list or financial watchlist, or do something else suspicious.
The business itself may change its branding, how it’s organized, or what it does. It may also have a lien filed against it and potentially lose critical assets for operating if the lien isn’t paid off. Or the business may suddenly declare bankruptcy, either because it actually can’t pay its debts or as part of a fraud scheme. You should know as soon as possible if a business does things like this – or anything else financially suspicious – so you can review your relationship and take any necessary action.
Step 6: Reporting suspicious activity
Ensure your employees know the proper procedures if they see suspicious behavior from a business customer or its UBOs. That includes what a suspicious activity report (SAR) is, how to create one, what information it needs to include, who to submit it to, when it needs to be submitted, and what to do with it after they submit it.
Usually in the US, SARs are filed with FinCEN within 30 days of detecting suspicious activity. They should identify the business or UBO that was acting suspiciously, explain when the behavior occurred and why it was suspicious, how the behavior affected your company, and who regulators can contact at your company or local law enforcement agencies for more information. You should also keep records of SARs in case FinCEN or law enforcement need to follow up.
“Suspicious” activity includes patterns linked to financial crime, such as multiple small deposits made quickly to avoid anti-money laundering reporting rules. It also includes unusual financial activity for a particular client based on what you discovered about them in CDD and EDD. If in doubt, investigate the behavior and then decide if you should file an SAR.
4 top KYC solutions for business accounts
KYC for business accounts requires following several rules and carrying out a number of investigative steps – even more than standard KYC for individual customers. The good news is there are software tools out there that can do a lot of the legwork for you while keeping you compliant. Here are our 4 top picks for KYC solutions for business customers.
1. Middesk
If you need the details on any business in the U.S. for KYC purposes, Middesk will have them. It pulls business registration details and risk-related information directly from Secretary of State offices, other U.S. government agencies, and other credible sources on a daily basis. So you’ll know not only if a business is authentic and properly registered, but also if it’s on a sanctions list, being covered negatively in the news, has a lien filed against it, is filing for bankruptcy, and more. We’ve even teamed up with Socure to provide data on UBOs!
Best for: Up-to-date identity information on all US businesses, refreshed daily.
Companies have achieved up to 31% more auto-approvals during corporate KYC checks – smoothing the onboarding process – with Middesk Verify.
2. iDenfy
iDenfy is sort of a “build your own KYC/KYB program” platform where you can choose what functions you need most, depending on your company’s specific circumstances. In addition to business identity verification, sanctions list screening, and PEP/RCA identification, you can get identity verification for things like addresses, phone numbers, utility bills, bank details, and IP addresses – all in over 120 countries.
The downside is that putting all these features together individually can be more expensive and time-consuming than getting a solution that has them already included. In addition, adding more identity checks can slow down your onboarding and identity/risk review process, which your customers may not like.
Best for: If you need a worldwide business KYC solution with lots of customization options.
An overview of iDenfy’s Know Your Business service can tell you more about its corporate KYC capabilities.
3. Ondato
Ondato is able to recognize business UBOs from 50 countries, along with over 10,000 different types of identity documents from nearly 200 countries. But document-based ID verification is just one of Ondato’s options. You can also choose (or add) photo-based biometrics, video-based liveness detection, or checking digital ID documents through near-field communication (NFC) – whatever works best for your company!
Like with iDenfy, though, adding extra options to Ondato can add to the price and time required to implement the software. It can also add more friction to your onboarding and verification processes, slowing them down. Finally, Ondato’s risk-related information for businesses is limited to sanctions screening, adverse media, and PEP lists because it’s more focused on verifying individual customer identities.
Best for: A multi-layer KYC approach that works well when dealing with high-risk customers.
Visit the page on Ondato’s business verification services for KYB compliance if you want to learn how they work.
4. Trulioo
Trulioo is notable for having an information database on over 5 billion notable people – including business leaders – from nearly 200 countries. It also cross-references data from 450 sources worldwide to ensure its information is accurate. Trulioo also recognizes over 14,000 types of ID documents from around the world.
Trulioo is great for getting information on a business’s UBOs and tracing their connections for potential PEP/RCA-related risks. However, these features are only available in its upper-tier “Business Complete” package. In addition, Trulioo specializes in individual identity verification but offers limited corporate KYC risk evaluation, primarily focusing on PEP/RCA identification and sanctions screening.
Best for: Identifying UBOs and assessing their risks, including PEP/RCA status and connections.
Compare which of Trulioo’s business verification services for KYB compliance is right for your company.
For more information on what to look for when comparing corporate KYC software, see our guide to how to choose a KYB solution for business verification.
Simplify KYC for business customers in the U.S. with Middesk. Verify business legitimacy and assess financial crime risk by obtaining registration and risk data directly from U.S. government agencies and other trusted sources. Use our integration with Socure to quickly identify a business’s UBOs and analyze the potential risks they present.