KYB Requirements Checklist: What Data You Need and How to Collect It
A practical checklist of the data required to meet KYB compliance under the CDD Rule — and your three options for collecting it.
Know Your Business (KYB) is the legal requirement for financial institutions to verify the identity of every business customer before doing business with them — and to keep verifying over time. The goal is to prevent working with entities involved in money laundering, fraud, or other financial crimes.
If you’re a bank, fintech, online marketplace, or any other financial institution that works with business customers, the CDD Rule requires you to:
- Verify the business’s identity
- Verify the identity of that business’s managers and owners
- Monitor and track risk of that business over time
This checklist covers the specific data you need to collect to meet those requirements, and the three paths available for collecting it.
The data you need to collect
Know Your Business
To verify the identity of a business entity, you need to collect:
- The business’s legal name and any aliases or DBA names
- The business’s registered and operating addresses
- Proof of active registration (typically via Secretary of State filing)
- Whether the business conducts activity in a high-risk category
- Whether the business appears on any sanctions or watchlists
Each of these items has compliance implications. Registration status needs to be current — a business that was in good standing at onboarding may fall out of good standing later. High-risk activity classification covers categories like cannabis, adult entertainment, gambling, firearms, money transfer services, and others that require additional scrutiny or may be outside your acceptable risk appetite. Watchlist screening typically means running against OFAC lists, which are updated regularly.
Know Your Owners
In addition to the business entity itself, you must collect data on each Ultimate Beneficial Owner (UBO) — defined as any individual with more than a 25% ownership or voting stake in the company — and at least one person who holds significant managerial control. For each of those individuals, you need:
- Full name, date of birth, address, and SSN or TIN
- Whether the owner appears on any crime or sanctions watchlists
KYB regulations allow institutions to trust self-reported UBO information from businesses unless they have specific reason to doubt it. One trigger for doubt: when an owner’s name appears in KYB data but doesn’t match the owner listed on the business application. When discrepancies like this appear, they need to be resolved before onboarding.
Three ways to collect and use this data
Once you know what data you need, the next question is how to find it, aggregate it, and use it to make onboarding decisions. There are three approaches.
Option 1: In-house KYB
Many smaller financial institutions build their KYB processes entirely in-house, rather than relying on a specialized external provider.
- Invest — Build an auto-approval infrastructure in-house, build a manual review team, or both.
- Verify businesses — Pull name, address, registration status, and SoS filing details through internal data infrastructure. Screen against the OFAC list.
- Verify UBOs — Pull UBO data from SoS filings where available. (Note: UBO information is sometimes present in SoS filings and sometimes not. FinCEN has been working toward a centralized UBO database, but availability varies.) Screen UBOs against the OFAC list.
- Monitor over time — The CDD Rule mandates ongoing monitoring. In-house programs need bespoke methods to update customer records and re-verify businesses based on their risk profile.
In-house KYB offers full control and may make sense for institutions with simple, low-volume programs. For anything more complex, the operational overhead tends to be high and auto-approval rates tend to lag what specialized providers can achieve.
Option 2: Single outsourced service and data provider
Some institutions work with one external service and data partner — either supplementing an existing in-house program or replacing it entirely.
- Invest — Pay a setup fee and annual licensing fee to access the provider’s data on an ongoing basis.
- Verify businesses — The provider auto-approves businesses that meet verification criteria and flags others: businesses without an SoS filing, those with mismatched names or addresses, businesses in high-risk industries, and potential OFAC matches. Flagged businesses go to manual review — handled in-house or through an additional manual review service the provider offers.
- Verify UBOs — The provider pulls UBO data from SoS filings and screens against the OFAC list.
- Monitor over time — The provider periodically re-checks SoS registration statuses, re-screens for risky activities, and re-screens against the OFAC list.
- Establish trust — Validate provider accuracy by periodically sampling auto-approved businesses to confirm approvals are correct.
A single provider handles most of the heavy lifting while still allowing meaningful customization. Companies using Enigma as their sole KYB provider are estimated to reduce KYB costs by up to 80%.
Option 3: Waterfall multiple data providers
Some institutions work with multiple data providers through a third-party data aggregation platform — “waterfalling” business applications through a sequence of providers until a match is found. Platforms like Alloy or Oscilar connect multiple providers into a single KYB decisioning endpoint.
- Invest — Pay for a data aggregation platform that uses multiple data sources for auto-approvals. Manual review still needs a separate solution.
- Verify businesses — The platform tries to verify the business using the first provider in the sequence. If that provider can’t match it, the application moves to the next, and so on. This typically produces higher match rates and broader coverage of risky activity data than any single provider alone. Unmatched businesses go to manual review.
- Verify UBOs — The platform uses data from multiple providers to verify UBOs. It also screens UBOs against the OFAC list. When UBO names differ between the SoS filing and the application, the discrepancy must be resolved before approval.
- Monitor over time — The platform periodically checks SoS statuses, re-screens for risky activities, and re-screens against the OFAC list.
- Establish trust — Run monthly checks on individual data sources to confirm auto-approval accuracy.
The waterfall approach maximizes coverage and is the most adaptable to changing legislation — new data sources can be added as requirements evolve without rearchitecting the whole program.
Choosing the right approach
The right data collection approach depends on your volume, risk profile, and how much you want to own versus outsource.
| | In-House | Single Provider | Waterfalled |
|---|---|---|---|
| Best for | Low-volume, simple programs | Most institutions | High-volume or complex programs |
| Auto-approval coverage | Limited | High | Highest |
| Cost | High overhead | Up to 80% savings | Additional 50% on top of single-provider savings |
| Regulatory flexibility | Limited | Medium | High |
For a deeper look at the trade-offs involved in each approach — including input from industry CPOs at Alloy and IDology — read A Guide to Optimizing Your KYB Process. And if you’re evaluating what a single KYB data provider can do for your approval rates, see what Enigma KYB delivers.