Know Your Business (KYB) is the structured due-diligence process by which a regulated financial institution, fintech, or marketplace verifies the legal identity, beneficial ownership, and legitimate purpose of a corporate customer before establishing a business relationship. Mandated by FATF Recommendation 10, the EU's successive Anti-Money Laundering Directives, and national transpositions worldwide, KYB extends beyond the individual identity checks of KYC to encompass entity verification, ultimate beneficial owner (UBO) mapping, sanctions and PEP screening, and source-of-funds assessment — forming a critical first line of defence against financial crime.
Know Your Business — commonly abbreviated KYB — denotes the set of customer due diligence (CDD) controls applied specifically to legal entities: companies, partnerships, trusts, foundations, and other corporate structures. The term is operationally distinct from Know Your Customer (KYC), which governs natural persons, although KYB necessarily incorporates KYC-grade checks on the individuals who control or own the entity in question.
The normative foundation of KYB sits in FATF Recommendation 10 (Customer Due Diligence for Financial Institutions, revised October 2023), which obliges covered entities to identify and verify the customer, understand the nature and purpose of the business relationship, and conduct ongoing monitoring. For legal entities, Recommendation 10 further requires identification of the ultimate beneficial owner (UBO) — defined by FATF as the natural person(s) who ultimately own or control the legal entity.
Within the European Union, these obligations are transposed through the successive Anti-Money Laundering Directives. The Fourth AML Directive (4AMLD, 2015/849/EU) introduced mandatory UBO registers and set the primary ownership threshold at 25 % of shares or voting rights. The Fifth AML Directive (5AMLD, 2018/843/EU) opened those registers to the public, extended scope to virtual asset service providers, and lowered enhanced-due-diligence triggers. The Sixth AML Directive (6AMLD, 2018/1673/EU) harmonised predicate offences for money laundering across member states, raising the criminal-liability bar for compliance failures. The forthcoming EU AML Regulation (AMLR), expected to apply from 2027, will replace directive-based transposition with a directly applicable EU-wide rulebook, and the new AMLA supervisory authority will directly oversee the highest-risk obliged entities from 2025–26.
KYB must be distinguished from mere company registration lookup. Verifying that a company exists on a national companies register is necessary but not sufficient; a compliant KYB programme additionally maps the full ownership chain to natural persons, screens all relevant parties against sanctions lists (OFAC SDN, EU Consolidated List, UN Security Council, HM Treasury), checks for politically exposed person (PEP) status, and assesses the plausibility of the stated business purpose relative to observed transaction behaviour. This holistic approach is what separates genuine risk management from box-ticking.
A complete KYB programme moves through several discrete but interlinked stages, each producing artefacts that feed both the initial onboarding decision and the ongoing risk profile of the corporate customer.
1. Entity verification. The process begins with confirming the legal existence and good standing of the applicant entity. This involves cross-referencing official company registration data — Companies House (UK), Registre du Commerce (FR), Handelsregister (DE), the Malta Business Registry for EU-passported structures, and equivalents — against the documents submitted by the applicant: certificate of incorporation, memorandum and articles of association, and, where applicable, a certificate of incumbency. Automated integrations with national registers and aggregators (e.g. Dun & Bradstreet, Bureau van Dijk, OpenCorporates) have largely replaced manual document review for tier-one checks, reducing turnaround from days to minutes.
2. UBO identification and verification. Once the entity is confirmed, the compliance team maps its ownership and control structure. Under 4AMLD, the UBO threshold is ownership or control of 25 % plus one share or voting rights; certain high-risk scenarios (regulated sectors, correspondent banking) apply a tighter 10 % threshold. Complex layered structures — holding companies, trusts, nominee arrangements — must be unwound until natural persons are identified at each node. Each UBO then undergoes individual identity verification equivalent to a KYC check: government-issued photo ID, proof of address, liveness detection where remote. Where no natural person can be identified above the threshold, the senior managing official(s) are recorded as beneficial owners by default (the so-called "fallback UBO" provision under 5AMLD Article 3(6)).
3. Sanctions, PEP, and adverse-media screening. All directors, authorised signatories, and identified UBOs are screened in real time against consolidated sanctions lists and PEP databases. Adverse-media screening — scanning structured and unstructured news sources for negative associations — supplements list-based checks, catching risks that pre-date formal designation. Screening must be repeated periodically and triggered by material changes (e.g. change of director, acquisition).
4. Source of funds and business purpose assessment. The compliance officer or automated decisioning engine assesses whether the stated source of business funds — retained earnings, investor capital, trade revenue — is plausible given the entity's age, sector, and jurisdiction. Supporting documentation may include audited accounts, investment agreements, or bank reference letters.
5. Risk scoring and ongoing monitoring. Outputs from the above stages feed a risk model that assigns the entity a risk tier (low / medium / high / enhanced). High-risk entities trigger Enhanced Due Diligence (EDD) requirements under Article 18 of 4AMLD: additional documentation, senior management sign-off, and more frequent periodic review. Transaction monitoring then runs continuously against the established baseline, with anomalies surfaced for human review.
KYB obligations fall on a broad class of obliged entities defined by Article 2 of 4AMLD: credit institutions, payment institutions, electronic money institutions (EMIs), investment firms, insurance companies, accountants, notaries, real-estate agents, and — following 5AMLD — virtual asset service providers (VASPs). Failure to implement adequate KYB controls exposes both the institution and its senior management to administrative sanctions, criminal liability (under 6AMLD), and reputational damage.
European Union. Supervision is conducted at the national level by financial intelligence units (FIUs) and prudential regulators — the DNB (Netherlands), BaFin (Germany), the NBB (Belgium), the MFSA (Malta), and so forth — until AMLA assumes direct supervision of the highest-risk entities under Regulation 2024/1620/EU. The EBA's 2021 Guidelines on ML/TF Risk Factors provide detailed guidance on risk-based calibration of CDD measures across customer types, including complex corporate structures.
United Kingdom. Post-Brexit, the UK transposes FATF standards through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017, as amended), supervised by the FCA and HMRC depending on entity type.
United States. FinCEN's Customer Due Diligence Rule (31 CFR § 1010.230, effective 2018) codifies the four pillars of CDD — customer identification, beneficial ownership, understanding the nature of the relationship, and ongoing monitoring — and requires identification of UBOs at the 25 % threshold for legal entity customers of covered financial institutions. The Corporate Transparency Act (CTA, effective January 2024) additionally mandates that most US companies file UBO information directly with FinCEN's Beneficial Ownership Information (BOI) database, materially simplifying corporate verification workflows.
Key obligations in practice: maintain CDD records for at least five years after the end of the business relationship (4AMLD Art. 40); file Suspicious Activity Reports (SARs) where money laundering is suspected; apply EDD for customers in high-risk third countries listed by the European Commission under Art. 9 of 4AMLD; and ensure that UBO data is re-verified at least annually or upon material change.
Modern KYB programmes rely heavily on API-driven automation to compress onboarding timelines without sacrificing rigour. The core workflow typically chains together: a company data API (pulling live registry data), a document OCR and verification engine (extracting and cross-validating fields from incorporation documents), a UBO resolution service (graph-based ownership unwinding), and a screening API (sanctions, PEP, adverse media). For straightforward, low-risk entities in well-documented jurisdictions, straight-through processing (STP) rates of 70–85 % are achievable, with human review reserved for exceptions.
Common red flags that should escalate a case to manual EDD include:
— Opaque ownership chains: multiple layers of holding companies across secrecy jurisdictions (BVI, Cayman Islands, Panama) with no evident commercial rationale, making UBO identification deliberately difficult.
— Mismatched business profile: a newly incorporated shell with minimal paid-up capital seeking high transaction volumes, or a stated business purpose inconsistent with the counterparties being transacted with.
— Nominee directors or shareholders: professional nominees without genuine management responsibility, used to obscure the true controller.
— Jurisdiction mismatches: incorporation in a high-risk third country (per the EU Commission list) while claiming to operate exclusively in low-risk markets.
— PEP proximity: UBOs or directors who are close family members or known associates of politically exposed persons, even if not PEPs themselves.
— Inconsistent financial information: stated turnover or source of funds that cannot be corroborated by publicly available financial accounts.
— Adverse media hits: news coverage linking the entity, its principals, or associated businesses to fraud, bribery, environmental crime, or other predicate offences listed under 6AMLD.
Common failure modes in KYB programmes include static onboarding checks with no ongoing monitoring (a particular enforcement focus for the EBA since 2022), failure to re-screen following corporate restructurings, over-reliance on self-certification without independent corroboration, and inadequate documentation of the risk-based rationale for acceptance or rejection decisions. Regulators increasingly expect a clear, auditable decision trail — not just a pass/fail output — for every corporate onboarding.
As a European Banking-as-a-Service provider operating under NBB electronic-money distribution authorisation and advancing towards full EMI status via Codego Europe SIA, Codego is itself an obliged entity subject to the AML framework described above — and is therefore a counterparty that B2B clients can trust to have completed its own rigorous KYB before extending infrastructure access.
For programme partners launching products on Codego's white-label bank or BaaS platform, KYB is embedded directly into the onboarding questionnaire at /questionarie. The workflow covers entity verification against EU company registries, automated UBO mapping with 25 % threshold resolution, real-time sanctions and PEP screening, and source-of-funds documentation — all integrated into a self-service portal that allows programme configuration without prolonged back-and-forth. For partners issuing payment cards under Codego's Visa and Mastercard BIN sponsorship, KYB clearance is a prerequisite before any card issuing programme goes live, consistent with scheme rules and the EBA's card-issuer CDD expectations.
End-clients onboarded by Codego-powered programmes benefit from the same infrastructure: native EU IBAN issuance across six countries, SEPA Instant payments, and crypto-funded card programmes via white-label crypto rails — all gated behind a compliant KYB layer. The entire process, from KYB submission to virtual card activation, can complete within 24 hours for straightforward corporate applicants, with physical cards following within 15 days under Codego's standard SLA. Compliance teams at partner institutions retain full audit trails and risk-tier documentation through the core banking dashboard, satisfying both internal governance and regulator access requirements.