What is Know Your Business (KYB)? A guide to KYB verification
Hande
On this page
Know Your Business (KYB) is the regulated process of verifying the identity, ownership, and risk profile of a business customer before — and throughout — a financial relationship.
Key takeaways
KYB is a legal obligation under EU AMLD6, FATF Recommendation 24, the US Bank Secrecy Act, and equivalent regimes — applying to banks, payment firms, lenders, crypto asset service providers, and marketplaces.
A complete KYB programme covers seven domains: entity verification, ultimate beneficial owner (UBO) identification, sanctions screening, politically exposed person (PEP) checks, adverse media screening, business activity verification, and ongoing monitoring.
Financial institutions spend 10–20% of their workforce on financial crime operations, most of it on manual review — and the cost is structural, not fixed.
The dominant failure modes are follow-up loops, single-user portals for multi-party data, point-in-time verification, fragmented tooling, and a near-total absence of operational metrics.
AI-native KYB systems are reducing screening false positives by approximately 70% and pre-filling onboarding fields from registry data — work proven in production at Plaid, CCV (Fiserv), Moss, and Bol on Duna.
What is Know Your Business (KYB) verification?
KYB is the process regulated institutions use to verify the identity, ownership, and risk profile of the businesses they serve. It is the corporate counterpart to KYC and a core obligation under anti-money laundering (AML) and counter-terrorism financing (CTF) law in most major jurisdictions.
Criminal networks move proceeds through corporate structures — shell companies, complex ownership chains, layered holdings — because the opacity of legal persons is harder to penetrate than individual identity. KYB exists to close those routes. By requiring institutions to verify the real people who own and control a business customer, regulators aim to keep illicit funds out of the financial system.
The obligations are codified in the EU Anti-Money Laundering Directives (AMLD3 through AMLD6, with the AMLA single rulebook now in force), the FATF Recommendations that shape global standards, the Bank Secrecy Act and FinCEN rules in the United States, and a range of national implementations including the UK Money Laundering Regulations. All impose substantially similar requirements: know who your customer is, understand what they do, assess the risk they represent, and keep your knowledge current.
The rules apply to banks, payment processors, insurance firms, crypto asset service providers, lending platforms, marketplace operators, and any other entity classified as an "obliged entity" under the relevant framework.
What is the difference between KYB and KYC?
KYC (Know Your Customer) verifies individuals. KYB (Know Your Business) verifies legal entities and the people who ultimately own or control them. Where KYC verifies a natural person against a government ID, KYB has to verify a registered entity, trace its beneficial ownership through any intervening corporate layers, and then run KYC on each ultimate beneficial owner and key controller.
In practice this means a KYB process is always a superset of KYC. A business onboarding involves the entity (registry, legal form, address, status), the ownership graph (shareholders, holding companies, trusts, nominees), the individuals (UBOs, directors, legal representatives), and the risk overlay (sanctions, PEP, adverse media, activity). KYC handles only the third of those layers.
What does KYB actually check?
A complete KYB process covers seven distinct domains. Each is a regulatory requirement in its own right; together they constitute a full picture of a business customer's identity and risk profile.
Entity verification confirms that the business exists in its stated form: registered name, registration number, legal form (GmbH, Ltd, BV, SRL), registered address, and active status. In Europe, this means querying national company registries — the Handelsregister in Germany, Companies House in the UK, the Kamer van Koophandel in the Netherlands, and over 200 equivalent registries across other jurisdictions. Where registry data is incomplete or unreliable, documentary verification (articles of incorporation, certificates of good standing) provides the fallback.
Ultimate Beneficial Owner (UBO) identification is where complexity concentrates. Regulators require institutions to identify and verify the natural persons who ultimately own or control the business — typically anyone with a direct or indirect stake above 25%, though stricter thresholds (10%) apply in some contexts. For simple structures this is straightforward. For businesses with layered holding companies, trust structures, or nominee arrangements, tracing the chain requires both data and judgement. Each UBO is then verified through government-issued identity documents and, where required, biometric checks.
Sanctions screening checks the business and its controllers against the EU Consolidated List, the OFAC Specially Designated Nationals list, the UK OFSI register, and the UN Security Council lists. A match is a hard stop. Sanctions lists change daily; a customer who cleared screening at onboarding may appear on a list at any point afterwards.
Politically Exposed Person (PEP) checks identify whether any associated individual holds or has recently held a significant public position: heads of state, senior government officials, members of parliament, senior executives of state-owned enterprises, and their immediate family members and close associates. PEPs are not prohibited customers, but they present elevated corruption risk and require enhanced due diligence.
Adverse media screening extends the search to open-source information: news coverage, regulatory enforcement actions, court records, and other public-domain signals. It captures risks that do not appear on structured watchlists — fraud investigations that have not yet resulted in sanctions, environmental or labour violations, reputational risks a compliance team would want to know about before opening a relationship.
Business activity verification confirms that the business does what it says it does. A company registered as a retail merchant should have the commercial footprint of one. Discrepancies between stated activity and observable evidence — website, trading history, sector classification — are a risk signal. This check is particularly important for platforms onboarding third parties at scale.
Ongoing monitoring is the final element, and the one most often treated as an afterthought. A customer who passes today will not necessarily pass tomorrow. Sanctions lists update. Beneficial owners change. Adverse media emerges. Regulated institutions are required to maintain an ongoing view of their customer base, not to verify it once and file it away.
How does the KYB verification process work?
For most institutions today, KYB is a multi-step process combining automated data retrieval and human review.
The journey begins with data collection: the business provides its basic details through an onboarding form or portal, submits the required documents, and — for companies with complex structures — provides information about its beneficial owners. The quality of this first step sets the ceiling for everything that follows. Ambiguous form design, unnecessary fields, and poor localisation all generate downstream errors and follow-up requests.
Data verification cross-checks the submitted information against external sources: company registries, identity verification providers, sanctions databases, and adverse media feeds. Much of this is automated. The output is a set of verified data points alongside any exceptions — unresolvable mismatches, potential watchlist hits, missing documents — that require human review.
Risk assessment uses the verified profile to assign a risk rating: low, medium, or high. The criteria are determined by the institution's own risk appetite and compliance policies, within the constraints set by regulators. High-risk customers require enhanced due diligence: deeper investigation, additional documentation, more senior sign-off. Low-risk customers may qualify for simplified due diligence.
Approval and decision is where the compliance function makes its determination: approve the relationship, approve it subject to conditions, or decline. The decision and the evidence supporting it must be documented in a way that would withstand regulatory scrutiny.
Periodic review closes the loop. Existing customers are subjected to fresh checks at intervals determined by their risk rating — typically annually for high-risk customers, every three years for standard-risk customers. Any material change in a customer's circumstances should trigger an out-of-cycle review. This is sometimes called re-KYB.
Why do KYB processes fail?
Most institutions understand what KYB requires. The gap is in execution.
The most common failure point is follow-up loops. Onboarding flows that collect the minimum upfront and rely on email follow-up to gather the rest lose roughly 15% of submissions per round-trip, compounding across multiple requests. The first-time-right rate — the proportion of submissions that contain everything needed for a decision in a single pass — is one of the most important metrics a KYB team can track, and one of the least commonly measured. Where fields are pre-populated from registry data, follow-up rates on those same fields drop to near zero.
Collaboration bottlenecks are a structural problem specific to business onboarding. The information required for KYB is rarely held by a single person. UBOs may be unrelated to the primary contact. Legal representatives may need to sign off. Directors may need to submit identification. Systems that route the entire onboarding through a single login create waiting, confusion, and drop-off. The onboarding of a business requires multiplayer infrastructure, not a single-user form.
Point-in-time verification is the central weakness of most KYB programmes. Checking a customer once and then reviewing them every three years leaves a significant window of exposure. Beneficial ownership changes. Directors are added. Sanctions lists are updated. Continuous monitoring — watching for signals in real time rather than relying on scheduled reviews — addresses this directly. The regulatory expectation exists; the implementation often does not. (See: how Duna approaches ongoing monitoring.)
Fragmentation is the operational reality for most compliance teams. Identity verification, sanctions screening, adverse media, registry data, and case management typically run through separate tools with no shared data layer. Analysts navigate between systems, screenshot outputs for audit trails, and reconcile information manually. Two analysts processing identical cases with the same information may reach different conclusions, not because the decision is genuinely ambiguous but because the process gives them no common framework.
Finally, the analytics gap compounds all of the above. Most compliance teams cannot tell you their onboarding completion rate by customer type, their false positive rate on adverse media screening, or their average time from case creation to decision. Without that visibility, there is no baseline from which to improve.
How does KYB affect customer conversion?
Framing KYB as purely a regulatory obligation misses a significant part of the economics. For platforms that onboard business customers — payment facilitators, embedded finance providers, marketplace operators, B2B lenders — KYB is the first substantive interaction a customer has with the product. How that experience feels determines not just whether the customer completes the process, but how they engage afterwards.
Businesses that receive a compliance decision within 24 hours of applying activate at materially higher rates than those that wait longer. A business using the product the day it applies is in a different state than one that waited a week. The latter has had time to look at alternatives, lose the original context, and deprioritise the integration. In markets where the underlying product is commoditised, the experience of getting started is often the differentiator.
Faster, smoother onboarding also affects lifetime value, not just initial conversion. As David Schreiber, Duna's co-founder, has put it: "It's really a structural shift — the LTV goes up, not just the addressable LTV with conversion rate, but the total LTV actually went up." The relationship is explored further in Compliance is a conversion problem.
How is AI changing KYB?
AI is entering KYB through several vectors.
The most immediate is document processing. AI models can read and extract information from incorporation documents, UBO declarations, identification documents, and proof of address more reliably and faster than manual review. The gains are real; the challenge is auditability. Every AI-assisted decision must be explainable and repeatable. The compliance team must be able to show a regulator exactly why a particular document was accepted or rejected. Systems that deploy AI without the audit infrastructure to support it introduce regulatory risk as they remove operational cost.
Registry enrichment is the second vector. Rather than asking customers to provide information that exists in a public registry, AI systems can retrieve it automatically — legal form, address, directors, ownership structure — and use it to pre-populate the onboarding form. The customer confirms or corrects; they do not re-enter.
Adverse media intelligence is where AI's capabilities extend furthest beyond what was previously practical. Natural language processing can distinguish between a business named in passing in a news article and one that is the subject of a regulatory enforcement action. False positive rates in adverse media screening — historically a perennial drain on analyst workload — are directly reducible with well-designed AI filtering.
The direction of travel points toward evidence-based compliance systems in which a business's identity information is verified once and stored as structured, reusable evidence. A business that has onboarded with one institution on a shared network does not need to re-verify from scratch when it onboards with another. Onboarding becomes a consent action.
What metrics prove a KYB programme is working?
Most compliance functions are not measured. The ones that are tend to track four to six numbers:
First-time-right rate — share of submissions complete enough to decide in a single pass.
Average time to decision — case creation to approval, broken down by risk tier.
Onboarding completion rate — share of started applications that reach a decision, by funnel stage.
False positive rate — share of sanctions, PEP, and adverse media hits that turn out to be irrelevant.
Re-KYB cycle time — time taken to refresh a periodic review.
Analyst throughput — decisions per analyst-day, by case complexity.
A KYB programme without these numbers is operating on intuition. With them, the cost of compliance becomes a function that can be optimised rather than a fixed line on the budget.
What does KYB look like when it works?
The institutions that have moved beyond the fragmented, manual model share several characteristics.
They treat first-time-right collection as a design principle. Before building an onboarding form, they ask what information is genuinely required for a compliance decision and what can be retrieved automatically from registries. Every field that can be pre-filled and is not represents friction with no corresponding compliance benefit.
They build multiplayer onboarding flows. UBOs, directors, and legal representatives receive direct, private invitations to provide their portion of the information. The coordinating party has real-time visibility into what has and has not been submitted. Nothing waits in an email chain.
They separate policy from process. Compliance policies are encoded in a system rather than stored in a document and interpreted anew by each analyst. When a regulator changes a requirement, they update the system once. When they enter a new market, they deploy the relevant policy configuration without rebuilding the underlying infrastructure. This is what a policy engine makes possible.
They have continuous monitoring, not just periodic review. Sanctions alerts, registry change notifications, and adverse media hits feed into a case management system that can trigger re-verification automatically when something material changes.
And they measure it.
How does Duna support KYB?
Duna is an AI-native business identity platform built for the full KYB lifecycle. Onboard handles business onboarding with registry pre-fill, adaptive question logic, and multiplayer UBO flows. Decide automates case management and risk-based decision-making. Lifecycle manages ongoing monitoring, periodic review, and re-KYB.
In production, Duna customers — including Plaid, CCV (Fiserv), Moss, and Bol — see 10.6x faster onboarding, 37% higher conversion, and approximately 70% reduction in screening false positives using Duna AI. Banks commonly assign up to 10–15% of their full-time equivalents to KYC/AML alone, with automation rates remaining low amid fragmented data resources. That cost is not fixed. It is a function of how the KYB programme is designed.
Frequently asked questions
Is KYB legally required? Yes. KYB is a statutory obligation for "obliged entities" under the EU AMLDs (and now the AMLA single rulebook), the US Bank Secrecy Act and FinCEN's Customer Due Diligence rule, the UK Money Laundering Regulations, and equivalent regimes worldwide. Banks, payment firms, lenders, insurers, crypto asset service providers, and marketplaces are typically in scope.
What is the difference between KYB and KYC? KYC verifies a person. KYB verifies a business, traces its ownership through any holding structures, and then runs KYC on each ultimate beneficial owner and key controller. KYB always includes KYC as a sub-process.
What is a UBO? An Ultimate Beneficial Owner is the natural person who ultimately owns or controls a business — typically anyone holding more than 25% of shares or voting rights, directly or indirectly. Some sectors and jurisdictions apply stricter thresholds.
How long should KYB onboarding take? Best-in-class providers complete straightforward KYB in minutes to hours rather than days. The variable is not the law — which sets no maximum — but the design of the onboarding flow and the quality of registry pre-fill.
How often does a business need to do re-KYB? Periodic review is typically annual for high-risk customers and every three years for standard-risk customers, with out-of-cycle reviews triggered by material changes (ownership change, sanctions hit, regulatory action). Continuous monitoring shortens that gap to real time.
Know Your Business (KYB) is the regulated process of verifying the identity, ownership, and risk profile of a business customer before — and throughout — a financial relationship.
Key takeaways
KYB is a legal obligation under EU AMLD6, FATF Recommendation 24, the US Bank Secrecy Act, and equivalent regimes — applying to banks, payment firms, lenders, crypto asset service providers, and marketplaces.
A complete KYB programme covers seven domains: entity verification, ultimate beneficial owner (UBO) identification, sanctions screening, politically exposed person (PEP) checks, adverse media screening, business activity verification, and ongoing monitoring.
Financial institutions spend 10–20% of their workforce on financial crime operations, most of it on manual review — and the cost is structural, not fixed.
The dominant failure modes are follow-up loops, single-user portals for multi-party data, point-in-time verification, fragmented tooling, and a near-total absence of operational metrics.
AI-native KYB systems are reducing screening false positives by approximately 70% and pre-filling onboarding fields from registry data — work proven in production at Plaid, CCV (Fiserv), Moss, and Bol on Duna.
What is Know Your Business (KYB) verification?
KYB is the process regulated institutions use to verify the identity, ownership, and risk profile of the businesses they serve. It is the corporate counterpart to KYC and a core obligation under anti-money laundering (AML) and counter-terrorism financing (CTF) law in most major jurisdictions.
Criminal networks move proceeds through corporate structures — shell companies, complex ownership chains, layered holdings — because the opacity of legal persons is harder to penetrate than individual identity. KYB exists to close those routes. By requiring institutions to verify the real people who own and control a business customer, regulators aim to keep illicit funds out of the financial system.
The obligations are codified in the EU Anti-Money Laundering Directives (AMLD3 through AMLD6, with the AMLA single rulebook now in force), the FATF Recommendations that shape global standards, the Bank Secrecy Act and FinCEN rules in the United States, and a range of national implementations including the UK Money Laundering Regulations. All impose substantially similar requirements: know who your customer is, understand what they do, assess the risk they represent, and keep your knowledge current.
The rules apply to banks, payment processors, insurance firms, crypto asset service providers, lending platforms, marketplace operators, and any other entity classified as an "obliged entity" under the relevant framework.
What is the difference between KYB and KYC?
KYC (Know Your Customer) verifies individuals. KYB (Know Your Business) verifies legal entities and the people who ultimately own or control them. Where KYC verifies a natural person against a government ID, KYB has to verify a registered entity, trace its beneficial ownership through any intervening corporate layers, and then run KYC on each ultimate beneficial owner and key controller.
In practice this means a KYB process is always a superset of KYC. A business onboarding involves the entity (registry, legal form, address, status), the ownership graph (shareholders, holding companies, trusts, nominees), the individuals (UBOs, directors, legal representatives), and the risk overlay (sanctions, PEP, adverse media, activity). KYC handles only the third of those layers.
What does KYB actually check?
A complete KYB process covers seven distinct domains. Each is a regulatory requirement in its own right; together they constitute a full picture of a business customer's identity and risk profile.
Entity verification confirms that the business exists in its stated form: registered name, registration number, legal form (GmbH, Ltd, BV, SRL), registered address, and active status. In Europe, this means querying national company registries — the Handelsregister in Germany, Companies House in the UK, the Kamer van Koophandel in the Netherlands, and over 200 equivalent registries across other jurisdictions. Where registry data is incomplete or unreliable, documentary verification (articles of incorporation, certificates of good standing) provides the fallback.
Ultimate Beneficial Owner (UBO) identification is where complexity concentrates. Regulators require institutions to identify and verify the natural persons who ultimately own or control the business — typically anyone with a direct or indirect stake above 25%, though stricter thresholds (10%) apply in some contexts. For simple structures this is straightforward. For businesses with layered holding companies, trust structures, or nominee arrangements, tracing the chain requires both data and judgement. Each UBO is then verified through government-issued identity documents and, where required, biometric checks.
Sanctions screening checks the business and its controllers against the EU Consolidated List, the OFAC Specially Designated Nationals list, the UK OFSI register, and the UN Security Council lists. A match is a hard stop. Sanctions lists change daily; a customer who cleared screening at onboarding may appear on a list at any point afterwards.
Politically Exposed Person (PEP) checks identify whether any associated individual holds or has recently held a significant public position: heads of state, senior government officials, members of parliament, senior executives of state-owned enterprises, and their immediate family members and close associates. PEPs are not prohibited customers, but they present elevated corruption risk and require enhanced due diligence.
Adverse media screening extends the search to open-source information: news coverage, regulatory enforcement actions, court records, and other public-domain signals. It captures risks that do not appear on structured watchlists — fraud investigations that have not yet resulted in sanctions, environmental or labour violations, reputational risks a compliance team would want to know about before opening a relationship.
Business activity verification confirms that the business does what it says it does. A company registered as a retail merchant should have the commercial footprint of one. Discrepancies between stated activity and observable evidence — website, trading history, sector classification — are a risk signal. This check is particularly important for platforms onboarding third parties at scale.
Ongoing monitoring is the final element, and the one most often treated as an afterthought. A customer who passes today will not necessarily pass tomorrow. Sanctions lists update. Beneficial owners change. Adverse media emerges. Regulated institutions are required to maintain an ongoing view of their customer base, not to verify it once and file it away.
How does the KYB verification process work?
For most institutions today, KYB is a multi-step process combining automated data retrieval and human review.
The journey begins with data collection: the business provides its basic details through an onboarding form or portal, submits the required documents, and — for companies with complex structures — provides information about its beneficial owners. The quality of this first step sets the ceiling for everything that follows. Ambiguous form design, unnecessary fields, and poor localisation all generate downstream errors and follow-up requests.
Data verification cross-checks the submitted information against external sources: company registries, identity verification providers, sanctions databases, and adverse media feeds. Much of this is automated. The output is a set of verified data points alongside any exceptions — unresolvable mismatches, potential watchlist hits, missing documents — that require human review.
Risk assessment uses the verified profile to assign a risk rating: low, medium, or high. The criteria are determined by the institution's own risk appetite and compliance policies, within the constraints set by regulators. High-risk customers require enhanced due diligence: deeper investigation, additional documentation, more senior sign-off. Low-risk customers may qualify for simplified due diligence.
Approval and decision is where the compliance function makes its determination: approve the relationship, approve it subject to conditions, or decline. The decision and the evidence supporting it must be documented in a way that would withstand regulatory scrutiny.
Periodic review closes the loop. Existing customers are subjected to fresh checks at intervals determined by their risk rating — typically annually for high-risk customers, every three years for standard-risk customers. Any material change in a customer's circumstances should trigger an out-of-cycle review. This is sometimes called re-KYB.
Why do KYB processes fail?
Most institutions understand what KYB requires. The gap is in execution.
The most common failure point is follow-up loops. Onboarding flows that collect the minimum upfront and rely on email follow-up to gather the rest lose roughly 15% of submissions per round-trip, compounding across multiple requests. The first-time-right rate — the proportion of submissions that contain everything needed for a decision in a single pass — is one of the most important metrics a KYB team can track, and one of the least commonly measured. Where fields are pre-populated from registry data, follow-up rates on those same fields drop to near zero.
Collaboration bottlenecks are a structural problem specific to business onboarding. The information required for KYB is rarely held by a single person. UBOs may be unrelated to the primary contact. Legal representatives may need to sign off. Directors may need to submit identification. Systems that route the entire onboarding through a single login create waiting, confusion, and drop-off. The onboarding of a business requires multiplayer infrastructure, not a single-user form.
Point-in-time verification is the central weakness of most KYB programmes. Checking a customer once and then reviewing them every three years leaves a significant window of exposure. Beneficial ownership changes. Directors are added. Sanctions lists are updated. Continuous monitoring — watching for signals in real time rather than relying on scheduled reviews — addresses this directly. The regulatory expectation exists; the implementation often does not. (See: how Duna approaches ongoing monitoring.)
Fragmentation is the operational reality for most compliance teams. Identity verification, sanctions screening, adverse media, registry data, and case management typically run through separate tools with no shared data layer. Analysts navigate between systems, screenshot outputs for audit trails, and reconcile information manually. Two analysts processing identical cases with the same information may reach different conclusions, not because the decision is genuinely ambiguous but because the process gives them no common framework.
Finally, the analytics gap compounds all of the above. Most compliance teams cannot tell you their onboarding completion rate by customer type, their false positive rate on adverse media screening, or their average time from case creation to decision. Without that visibility, there is no baseline from which to improve.
How does KYB affect customer conversion?
Framing KYB as purely a regulatory obligation misses a significant part of the economics. For platforms that onboard business customers — payment facilitators, embedded finance providers, marketplace operators, B2B lenders — KYB is the first substantive interaction a customer has with the product. How that experience feels determines not just whether the customer completes the process, but how they engage afterwards.
Businesses that receive a compliance decision within 24 hours of applying activate at materially higher rates than those that wait longer. A business using the product the day it applies is in a different state than one that waited a week. The latter has had time to look at alternatives, lose the original context, and deprioritise the integration. In markets where the underlying product is commoditised, the experience of getting started is often the differentiator.
Faster, smoother onboarding also affects lifetime value, not just initial conversion. As David Schreiber, Duna's co-founder, has put it: "It's really a structural shift — the LTV goes up, not just the addressable LTV with conversion rate, but the total LTV actually went up." The relationship is explored further in Compliance is a conversion problem.
How is AI changing KYB?
AI is entering KYB through several vectors.
The most immediate is document processing. AI models can read and extract information from incorporation documents, UBO declarations, identification documents, and proof of address more reliably and faster than manual review. The gains are real; the challenge is auditability. Every AI-assisted decision must be explainable and repeatable. The compliance team must be able to show a regulator exactly why a particular document was accepted or rejected. Systems that deploy AI without the audit infrastructure to support it introduce regulatory risk as they remove operational cost.
Registry enrichment is the second vector. Rather than asking customers to provide information that exists in a public registry, AI systems can retrieve it automatically — legal form, address, directors, ownership structure — and use it to pre-populate the onboarding form. The customer confirms or corrects; they do not re-enter.
Adverse media intelligence is where AI's capabilities extend furthest beyond what was previously practical. Natural language processing can distinguish between a business named in passing in a news article and one that is the subject of a regulatory enforcement action. False positive rates in adverse media screening — historically a perennial drain on analyst workload — are directly reducible with well-designed AI filtering.
The direction of travel points toward evidence-based compliance systems in which a business's identity information is verified once and stored as structured, reusable evidence. A business that has onboarded with one institution on a shared network does not need to re-verify from scratch when it onboards with another. Onboarding becomes a consent action.
What metrics prove a KYB programme is working?
Most compliance functions are not measured. The ones that are tend to track four to six numbers:
First-time-right rate — share of submissions complete enough to decide in a single pass.
Average time to decision — case creation to approval, broken down by risk tier.
Onboarding completion rate — share of started applications that reach a decision, by funnel stage.
False positive rate — share of sanctions, PEP, and adverse media hits that turn out to be irrelevant.
Re-KYB cycle time — time taken to refresh a periodic review.
Analyst throughput — decisions per analyst-day, by case complexity.
A KYB programme without these numbers is operating on intuition. With them, the cost of compliance becomes a function that can be optimised rather than a fixed line on the budget.
What does KYB look like when it works?
The institutions that have moved beyond the fragmented, manual model share several characteristics.
They treat first-time-right collection as a design principle. Before building an onboarding form, they ask what information is genuinely required for a compliance decision and what can be retrieved automatically from registries. Every field that can be pre-filled and is not represents friction with no corresponding compliance benefit.
They build multiplayer onboarding flows. UBOs, directors, and legal representatives receive direct, private invitations to provide their portion of the information. The coordinating party has real-time visibility into what has and has not been submitted. Nothing waits in an email chain.
They separate policy from process. Compliance policies are encoded in a system rather than stored in a document and interpreted anew by each analyst. When a regulator changes a requirement, they update the system once. When they enter a new market, they deploy the relevant policy configuration without rebuilding the underlying infrastructure. This is what a policy engine makes possible.
They have continuous monitoring, not just periodic review. Sanctions alerts, registry change notifications, and adverse media hits feed into a case management system that can trigger re-verification automatically when something material changes.
And they measure it.
How does Duna support KYB?
Duna is an AI-native business identity platform built for the full KYB lifecycle. Onboard handles business onboarding with registry pre-fill, adaptive question logic, and multiplayer UBO flows. Decide automates case management and risk-based decision-making. Lifecycle manages ongoing monitoring, periodic review, and re-KYB.
In production, Duna customers — including Plaid, CCV (Fiserv), Moss, and Bol — see 10.6x faster onboarding, 37% higher conversion, and approximately 70% reduction in screening false positives using Duna AI. Banks commonly assign up to 10–15% of their full-time equivalents to KYC/AML alone, with automation rates remaining low amid fragmented data resources. That cost is not fixed. It is a function of how the KYB programme is designed.
Frequently asked questions
Is KYB legally required? Yes. KYB is a statutory obligation for "obliged entities" under the EU AMLDs (and now the AMLA single rulebook), the US Bank Secrecy Act and FinCEN's Customer Due Diligence rule, the UK Money Laundering Regulations, and equivalent regimes worldwide. Banks, payment firms, lenders, insurers, crypto asset service providers, and marketplaces are typically in scope.
What is the difference between KYB and KYC? KYC verifies a person. KYB verifies a business, traces its ownership through any holding structures, and then runs KYC on each ultimate beneficial owner and key controller. KYB always includes KYC as a sub-process.
What is a UBO? An Ultimate Beneficial Owner is the natural person who ultimately owns or controls a business — typically anyone holding more than 25% of shares or voting rights, directly or indirectly. Some sectors and jurisdictions apply stricter thresholds.
How long should KYB onboarding take? Best-in-class providers complete straightforward KYB in minutes to hours rather than days. The variable is not the law — which sets no maximum — but the design of the onboarding flow and the quality of registry pre-fill.
How often does a business need to do re-KYB? Periodic review is typically annual for high-risk customers and every three years for standard-risk customers, with out-of-cycle reviews triggered by material changes (ownership change, sanctions hit, regulatory action). Continuous monitoring shortens that gap to real time.
Continue reading
Industries
Customers
Company
Industries
Customers
Company
Industries
Customers
Company