
Hande
Know Your Business (KYB) is the process regulated institutions use to verify the identity, ownership, and risk profile of the business customers they work with. It is a legal obligation under anti-money laundering (AML) and counter-terrorism financing (CTF) frameworks in most major jurisdictions and, for the institutions that do it well, a meaningful commercial variable.
This guide covers what KYB requires, how it works in practice, where the process typically breaks down, and what the next generation of KYB infrastructure looks like.
Why KYB exists
Financial crime does not operate through individuals alone. Criminal networks route proceeds through corporate structures — shell companies, complex ownership chains, layered holding entities — precisely because the opacity of legal persons is harder to penetrate than individual identity.
KYB is the regulatory response. By requiring regulated institutions to verify who they are actually doing business with — not just the company name, but the real people who own and control it — regulators aim to close the routes through which illicit funds enter the financial system.
The obligations are codified in legislation: the European Union's Anti-Money Laundering Directives (AMLD3 through AMLD6), the Financial Action Task Force (FATF) recommendations that shape global standards, the Bank Secrecy Act and FinCEN rules in the United States, and a range of national implementations including the UK's Money Laundering Regulations. All impose substantially similar requirements: know who your customer is, understand what they do, assess the risk they represent, and keep your knowledge current.
These regulations apply broadly. Banks, payment processors, insurance companies, crypto asset service providers, lending platforms, marketplace operators, and any other entity classified as an "obliged entity" under the relevant framework must maintain a KYB program.
What KYB actually checks
A complete KYB process covers seven distinct domains. Each is a regulatory requirement in its own right; together they constitute a full picture of a business customer's identity and risk profile.
Entity verification is the foundation. It confirms that the business exists in its stated form: registered name, registration number, legal form (GmbH, Ltd, BV, SRL, and so on), registered address, and active status. In Europe, this means querying national company registries — the Handelsregister in Germany, Companies House in the UK, the Kamer van Koophandel in the Netherlands, and over 200 equivalent registries across other jurisdictions. In markets where registry data is incomplete or unreliable, documentary verification — articles of incorporation, certificates of good standing — provides the fallback.
Ultimate Beneficial Owner (UBO) identification is where the complexity concentrates. Regulators require institutions to identify and verify the natural persons who ultimately own or control the business, typically anyone with a direct or indirect ownership stake above 25%, though stricter thresholds (10%) apply in some contexts. For simple structures, this is straightforward. For businesses with layered holding companies, trust structures, or nominee arrangements, tracing the beneficial ownership chain requires both data and judgement. Each UBO must then be verified, in practice, through government-issued identity documents and, where required, biometric checks.
Sanctions screening checks the business and its owners and directors against official sanctions lists: the EU Consolidated List, the OFAC Specially Designated Nationals list, the UK Office of Financial Sanctions Implementation (OFSI) register, and the UN Security Council lists, among others. A match is a hard stop; it means the institution cannot proceed without specific authorisation, and in most cases cannot proceed at all. Sanctions lists change daily; a customer who cleared screening on onboarding may appear on a list at any point afterwards.
Politically Exposed Person (PEP) checks identify whether any associated individual holds or has recently held a significant public position: heads of state, senior government officials, members of parliament, senior executives of state-owned enterprises, and their immediate family members and close associates. PEPs are not prohibited customers, but they present elevated corruption risk and require enhanced due diligence (EDD).
Adverse media screening extends the search to open-source information: news coverage, regulatory enforcement actions, court records, and other public-domain signals. It captures risks that do not appear on structured watchlists: fraud investigations that have not yet resulted in sanctions, environmental or labour violations, and reputational risks that a compliance team would want to know about before entering into a business relationship.
Business activity verification confirms that the business does what it says it does. A company registered as a retail merchant should have the commercial footprint of one. Discrepancies between stated activity and the observable evidence — website, trading history, sector classification — are a risk signal. This check is particularly important for platforms onboarding third parties at scale, where the risk of misrepresentation is elevated.
Ongoing monitoring is the final element, and the one most often treated as an afterthought. A customer who passes checks today will not necessarily pass them tomorrow. Sanctions lists update. Beneficial owners change. Adverse media emerges. Regulated institutions are required to maintain an ongoing view of their customer base, not just to verify it once at onboarding and file it away.
The KYB process in practice
For most regulated institutions today, KYB is a multi-step process involving a combination of automated data retrieval and human review.
The journey begins with data collection: the business provides its basic details through an onboarding form or portal, submits the required documents, and — for companies with complex structures — provides information about its beneficial owners. The quality of this first step sets the ceiling for everything that follows. Ambiguous form design, unnecessary fields, and poor localization all generate downstream errors and follow-up requests.
Data verification then cross-checks the submitted information against external sources: company registries, identity verification providers, sanctions databases, and adverse media feeds. Much of this is automated. The output is a set of verified data points alongside any exceptions — unresolvable mismatches, potential watchlist hits, missing documents — that require human review.
Risk assessment uses the verified profile to assign a risk rating: low, medium, or high. The criteria are determined by the institution's own risk appetite and compliance policies, within the constraints set by regulators. High-risk customers require enhanced due diligence: deeper investigation, additional documentation, more senior sign-off. Low-risk customers may qualify for simplified due diligence.
Approval and decision is where the compliance function makes its determination: approve the relationship, approve it subject to conditions, or decline. The decision and the evidence supporting it must be documented in a way that would withstand regulatory scrutiny.
Periodic review closes the loop, subjecting existing customers to fresh checks at intervals determined by their risk rating — typically annually for high-risk customers, every three years for standard-risk customers. Any material change in a customer's circumstances — change of ownership, sanctions hit, regulatory action — should trigger an out-of-cycle review. This is sometimes called re-KYB.
Where KYB breaks down
Most institutions understand what KYB requires. The gap is in execution — specifically in how the process is designed, staffed, and measured.
The most common failure point is follow-up loops. Onboarding flows that collect the minimum information upfront and rely on email follow-up to gather the rest introduce friction at precisely the point where customer engagement is highest. Each follow-up cycle loses a portion of the customers who have already submitted their initial information — approximately 15% per round-trip, compounding across multiple requests. The first-time-right rate, the proportion of onboarding submissions that contain everything needed for a decision in a single pass, is one of the most important metrics a KYB team can track, and one of the least commonly measured. In customer portfolios where fields are pre-populated from registry data, follow-up rates on those same fields drop to near zero.
Collaboration bottlenecks are a structural problem specific to business onboarding. The information required for KYB is rarely held by a single person. Ultimate beneficial owners may be unrelated to the primary contact. Legal representatives may need to sign off. Directors may need to submit identification. Systems that route the entire onboarding through a single login — requiring one person to gather and submit information on behalf of multiple parties — create waiting, confusion, and drop-off. The onboarding of a business requires multiplayer infrastructure, not a single-user form.
Point-in-time verification is the central weakness of most KYB programs. Checking a customer at onboarding and then reviewing them on a fixed schedule every three years leaves a significant window of exposure. The risk profile of a business can change materially in three years. Beneficial ownership changes. Directors are added. Sanctions lists are updated. A continuous monitoring approach — one that watches for signals in real time rather than relying on scheduled reviews — addresses this directly. The regulatory requirement exists; the implementation often does not. (See: how Duna approaches ongoing monitoring.)
Fragmentation is the operational reality for most compliance teams today. Identity verification, sanctions screening, adverse media, registry data, and case management typically run through separate tools with no shared data layer. Analysts navigate between systems, screenshot outputs for audit trails, and reconcile information manually. The result is not just inefficiency — it is inconsistency. Two analysts processing identical cases with the same information may reach different conclusions, not because the decision is genuinely ambiguous but because the process gives them no common framework.
Finally, the analytics gap compounds all of the above. Most compliance teams cannot tell you their onboarding completion rate by customer type, their false positive rate on adverse media screening, or their average time from case creation to decision. Without that visibility, there is no baseline from which to improve.
KYB and conversion
The framing of KYB as purely a regulatory obligation misses a significant part of the economics. For platforms that onboard business customers — payment facilitators, embedded finance providers, marketplace operators, B2B lenders — KYB is the first substantive interaction a business customer has with the product. How that experience feels determines not just whether the customer completes the process, but how they engage with the product afterwards.
Businesses that receive a compliance decision within 24 hours of applying activate at materially higher rates than those that wait longer. A business that begins using your product the same day it applies is in a different state than one that waited a week for a decision. The latter has had time to look at alternatives, to lose the original context, to deprioritize the integration. In markets where the underlying product is commoditized — payments, lending, embedded finance — the experience of getting started is often the differentiator.
Faster, smoother onboarding also affects lifetime value, not just initial conversion. Customers who improve their KYB onboarding flows report improvements in total portfolio LTV — not only because more customers complete the process, but because the customers who start faster tend to engage more deeply. As David Schreiber, Duna's co-founder, has noted: "It's really a structural shift — the LTV goes up, not just the addressable LTV with conversion rate, but the total LTV actually went up."
The compliance and conversion relationship is explored in more depth in "Compliance is a conversion problem".
What KYB looks like when it works
The institutions that have moved beyond the fragmented, manual model share several characteristics.
They treat first-time-right collection as a design principle. Before building an onboarding form, they ask what information is genuinely required for a compliance decision and what can be retrieved automatically from registries or pre-populated from existing data. Every field that can be pre-filled and is not represents friction with no corresponding compliance benefit. Every field that could be optional but is marked required is a potential drop-off point.
They build multiplayer onboarding flows. Ultimate beneficial owners, directors, and legal representatives receive direct, private invitations to provide their portion of the information. The coordinating party — the compliance officer, the relationship manager — has real-time visibility into what has and has not been submitted. Nothing waits in an email chain.
They separate policy from process. Their compliance policies are encoded in a system rather than stored in a document and interpreted anew by each analyst. When a regulator changes a requirement, they update the system once. When they enter a new market, they deploy the relevant policy configuration without rebuilding the underlying infrastructure. This is what a policy engine makes possible.
They have continuous monitoring, not just periodic review. Their onboarding decision is the beginning of an ongoing relationship with the customer's risk profile. Sanctions alerts, registry change notifications, and adverse media hits feed into a case management system that can trigger re-verification automatically when something material changes.
And they measure it. They know their completion rates by funnel stage, their first-time-right rate, their average decision time, their false positive rate. They treat KYB as a function with measurable performance, not a compliance obligation to be satisfied and forgotten.
The AI dimension
AI is entering KYB through several vectors, and the implications are significant.
The most immediate is document processing. AI models can read and extract information from incorporation documents, UBO declarations, identification documents, and proof of address more reliably and faster than manual review. The gains in accuracy and speed are real; the challenge is the auditability requirement. Every AI-assisted decision must be explainable and repeatable. The compliance team must be able to show a regulator exactly why a particular document was accepted or rejected. Systems that deploy AI without the audit infrastructure to support it introduce regulatory risk as they remove operational cost.
Registry enrichment is the second vector. Rather than asking customers to provide information that exists in a public registry, AI systems can retrieve it automatically — legal form, address, directors, ownership structure — and use it to pre-populate the onboarding form. The customer confirms or corrects; they do not re-enter. This reduces form completion time and eliminates a significant source of errors in submitted data.
Adverse media intelligence is the area where AI's capabilities extend furthest beyond what was previously practical. Natural language processing allows systems to process vast volumes of news and public-domain information, identify relevant signals, and distinguish between a business named in passing in a news article and one that is the subject of a regulatory enforcement action. The false positive rate in adverse media screening — a perennial source of analyst workload — is directly reducible with well-designed AI filtering.
Looking forward, the direction of travel points toward evidence-based compliance systems in which a business's identity information is verified once and stored as structured, reusable evidence. A business that has onboarded with one institution on a shared network does not need to re-verify from scratch when it onboards with another. The verification work has been done; onboarding becomes a consent action. This is the core architectural argument Duna makes in its AI memo: that the right structure for compliance in an AI era is a system of record built on discrete, reusable pieces of evidence, not a sequence of workflow steps.
KYB as infrastructure
The compliance function is, in most institutions, treated as a cost centre. The framing is understandable: the direct output of compliance work is a decision, not revenue. But the indirect effects of how compliance operates touch every part of the business that depends on onboarding new customers.
Banks commonly assign up to 10–15% of their full-time equivalents to KYC/AML alone, with automation rates remaining low amid fragmented data resources. That cost is not fixed. It is a function of how the KYB programme is designed. The institutions gaining ground on this are the ones that have started treating KYB as infrastructure rather than administration — something to be designed, measured, and optimized with the same rigour applied to any other system that sits in the critical path of revenue. The regulatory requirement is fixed; the quality of the system built to satisfy it is not.
How does Duna support KYB?
Duna is an AI-native business identity platform built for the full KYB lifecycle. Onboard handles business onboarding with registry pre-fill, adaptive question logic, and multiplayer UBO flows. Decide automates case management and risk-based decision-making. Lifecycle manages ongoing monitoring, periodic review, and re-KYB, so compliance does not end at the point of onboarding.
Duna builds the infrastructure that regulated institutions use to verify, monitor, and manage their business customer relationships. The Duna platform covers the full KYB lifecycle: onboarding, ongoing monitoring, and periodic review — with a policy engine that encodes compliance requirements as automated logic rather than analyst discretion.






