Know Your Customer (KYC)? What About Know Your Business (KYB)?
First published: 24/01/2023
Strong customer authentication (SCA) is not enough to secure a transaction on its own. You also have to know who you're identifying, which is where "know your customer" (KYC) comes into play. But what about its younger sibling, "know your business" (KYB)? In this post, we expand on this lesser-known form of payment identification, which is just as critical for financial companies looking to remain compliant.
The process of onboarding new customers for financial services varies significantly across the world. In many countries, the required procedure is filling in your details on a website and then going through a camera session with a company representative or AI-based system. Usually, you have to present your ID card or passport to show that you're a living, breathing human being.
But what if you wanted to do this same thing for a company? What if you wanted confirmation that the business you were looking to partner with was just as legitimate as a single person (or customer)? That the people behind the scenes were just as trustworthy?
This is where KYB comes into play.
What is KYB?
KYC is the process by which companies verify their customers' identities to prevent money laundering, terrorist financing, and tax crimes. KYB shares similar features but is used for business verification instead of customer verification.
In sum, KYB is the process of vetting organisations you are considering or are currently doing business with, whether they're a supplier, customer, or partner. Moreover, this includes the people running them. And while KYB is becoming essential for industries working within the world of fintech, any company that serves or works with another business (like a B2B supplier) can benefit from deploying KYB.
Why is KYB Important?
KYB is relatively new within fraud mitigation because business relationships were not subject to the same scrutiny as individuals. This led to many criminals setting up fake companies to defraud other businesses or, more commonly, leveraging legitimate businesses to hide their identities. In addition, since business records were hardly assessed before the introduction of KYB, fraudsters could launder money, commit fraud, or fund terrorism without being personally screened or creating a paper trail.
In 2016, nearly 15 years after the introduction of KYC, the US Financial Crimes Enforcement Network (FinCEN) addressed this problem by launching new KYB regulations within its Customer Due Diligence Requirements. So now, any company working with another business has access to a standardised method that verifies the company itself is legitimate! What better way to weed out businesses that are high-risk, illegitimate, or associated with criminal black market activity!?
Not a One-and-Done Kinda Deal
Just like KYC, you can't verify business customers once during onboarding and think the process is complete, as that only gives you a single snapshot of the company. What about in 6 months or one year? Will they still pass an authentication check then?
To remain compliant, you need to check each business you work with continuously. This means ongoing monitoring, periodically checking that your partners have not appeared on sanctions lists and watchlists, and maintaining updated customer information.
However, KYB is not as easy as KYC, as you must verify both the business entity and its ultimate beneficial owners. Moreover, if the business has multiple owners, you'll need to KYC each individual.
"Businesses are significantly more complex to verify than individuals, as they can span multiple geographic borders, tax regimes, and regulatory environments. Often, verifying these entities requires you to either ask the business to submit information or manually search for disparate data and official documents in different public and private systems, like state or national business records. This is particularly difficult in the United States, where there is no singular source of official business data." (Fintech Times)
What happens when a person is responsible for investigating, cross-checking, and examining complex legal documents? Mistakes. This is why the automation of Know Your Business procedures is increasing, shifting the processes from humans to computers and reducing errors.
A Note on Embedded Finance Providers
What do you do if you don't trust your customers?
If you are a regulated entity, you're required by PSD2 to secure transactions and by GDPR to limit access to customer information. Some embedded finance providers might avoid dealing directly with the final service provider and therefore have to use a different company in between (typically an integrator or tech platform). This relationship looks like a B2B2B2C offering:
- regulated embedded finance provider
- the corporate customer
So what is the issue? There is no direct relationship between the embedded finance provider and the company providing the final service. Here is where KYB can offer a valuable service. Without it, a malicious corporate customer can in theory:
- Fake transactions on behalf of customers
- Sign up fake or impersonated customers
- Access information such as transaction records and balances for end users not signed on to their service
Note that the final responsibility for fraud still lies with the embedded finance provider, as they're the regulated company. While implementing SCA and KYC can help significantly here, it would make life easier if they also executed KYB.
In a perfect world, KYB would help catch 100% of fraudulent businesses and those running them. But without 24/7 monitoring or intense follow-up actions that require massive amounts of resources, this perfect-world scenario won't be possible.
As such, while the KYB space grows and improves, we recommend practising due diligence through a risk-based approach to onboarding and working with companies. Eventually, KYB standards across the globe, combined with KYB automation, will maximise risk protection while minimising friction for the businesses you decide to work with. And this is, in part, already supported by the hefty anti-money laundering regulations that are in place (most recently AMLD4, AMLD5, and AMLD6).
If you're interested in reading more about what we're doing related to securing the embedded finance space, check out this blog post.