KYC vs KYB: What’s the Difference and Why It Matters

Quick Answer

KYC (Know Your Customer) is the process of verifying the identity of an individual customer — collecting and authenticating personal details such as name, date of birth, and residential address. KYB (Know Your Business) is the equivalent process for corporate entities — verifying the legal existence of a company, the identity of its directors, and the ultimate beneficial owners (UBOs) who control it. Both are mandatory components of AML compliance, but they apply to different counterparty types and require fundamentally different verification workflows.

Financial institutions and regulated firms regularly onboard two distinct types of clients: individual people and corporate entities. While both require identity verification before a business relationship can begin, the processes are not interchangeable. KYC and KYB each have their own regulatory requirements, data sources, risk indicators, and — critically — their own failure modes when not performed correctly.

Confusing or conflating the two is one of the most common compliance gaps regulators identify during supervisory visits. Applying an individual KYC process to a corporate client leaves UBO identification undone. Applying a KYB-only process to an individual misses the personal risk indicators — PEP status, sanctions exposure, adverse media — that Customer Due Diligence requires.

This guide explains precisely what KYC and KYB each require, where they differ, which regulations govern each, and how compliance technology automates both processes to remove the risk of manual error.

1. What Is KYC (Know Your Customer)?

DEFINITION

KYC — Know Your Customer — is the mandatory process by which a regulated firm verifies the identity of an individual customer, assesses their risk profile, and determines the appropriate level of due diligence to apply. It is required under the FCA's Money Laundering Regulations 2017 in the UK, the Bank Secrecy Act in the US, and FATF Recommendation 10 globally.

KYC sits at the heart of Customer Due Diligence (CDD) — the broader obligation to understand who a customer is, what they do, and whether the business relationship poses a money laundering or terrorist financing risk. At its most fundamental level, KYC for individuals requires three things:

| KYC Requirement | What Must Be Verified | Typical Sources |
|---|---|---|
| Identity | Full legal name, date of birth | Government-issued photo ID — passport, driving licence, national ID card |
| Address | Residential address | Utility bill, bank statement, or official government correspondence dated within three months |
| Risk Screening | PEP status, sanctions exposure, adverse media | Global PEP databases, OFAC / OFSI / UN sanctions lists, adverse media monitoring feeds |

Beyond verification of identity, KYC also requires an assessment of the purpose of the business relationship, the expected nature and volume of transactions, and the source of funds — particularly for higher-risk customers.

The Three Tiers of KYC Due Diligence

Not all customers are treated identically. The FCA's MLR 2017 and FATF's risk-based approach require firms to calibrate the intensity of due diligence to the customer's risk profile:

  • Simplified Due Diligence (SDD): Permitted for demonstrably low-risk customers in certain circumstances — for example, customers of regulated financial institutions in equivalent jurisdictions.
  • Standard CDD: Applied to the majority of customers. Full identity verification, address verification, and initial risk screening.
  • Enhanced Due Diligence (EDD): Mandatory for Politically Exposed Persons (PEPs), customers from FATF high-risk jurisdictions, and complex or high-value relationships. Requires senior management approval, deeper source-of-funds investigation, and more frequent ongoing reviews.
REGULATION

Under FCA MLR 2017 Regulation 28, firms must apply CDD measures when establishing a business relationship, carrying out an occasional transaction above €15,000, suspecting money laundering or terrorist financing, or doubting the accuracy of previously obtained identification information. KYC is not a one-time exercise — ongoing monitoring throughout the relationship is equally required.

2. What Is KYB (Know Your Business)?

DEFINITION

KYB — Know Your Business — is the process of verifying the legal identity of a corporate entity, the authority of the individuals acting on its behalf, and the ultimate beneficial owners (UBOs) who own or control it. KYB is required when onboarding any corporate customer: limited companies, LLPs, partnerships, SPVs, trusts, fund vehicles, and other non-individual legal structures.

Corporate entities introduce a layer of complexity that individual KYC does not encounter. A company can be owned by another company, which may be owned by a trust, which may be controlled by an individual who sits several layers removed from the entity your firm is actually dealing with. Regulators are explicit: this complexity does not reduce the due diligence obligation — it intensifies it.

KYB verification typically proceeds in three stages:

| KYB Stage | What Is Verified | Data Sources |
|---|---|---|
| 1. Entity Verification | Legal name, registration number, jurisdiction of incorporation, registered address, legal status (active / dissolved) | Companies House (UK), SEC EDGAR (US), national company registries, commercial data providers |
| 2. Authorised Signatories & Directors | Identity of directors, company secretary, and authorised individuals transacting on the entity's behalf | Certificate of Incorporation, Articles of Association, individual director KYC |
| 3. UBO Identification | Any individual owning 25% or more of shares or voting rights, or otherwise exercising ultimate control | Share register, PSC register (UK), company accounts, Shareholder Agreements, supplementary KYC on each identified UBO |

What Is a UBO — and Why Does It Matter?

The Ultimate Beneficial Owner is the natural person who ultimately owns or controls a company — even when that ownership or control is exercised indirectly through a chain of entities. Identifying UBOs is the core challenge in corporate due diligence and the primary source of financial crime risk in corporate structures.

Shell companies, nominee arrangements, and multi-jurisdictional holding structures are frequently used to obscure the true identity of who controls assets. The entire architecture of KYB regulation — from FATF Recommendation 24 to the EU's 5th AMLD requirements on beneficial ownership registers — is designed to pierce these structures and identify the individual in whose interest the business is ultimately operating.

IMPORTANT

Once UBOs are identified through the KYB process, each UBO must be subject to individual KYC screening — including identity verification, PEP checks, sanctions screening, and adverse media monitoring. KYB identifies who the beneficial owners are. KYC then verifies their identities and assesses their individual risk profiles. The two processes are sequential dependencies, not alternatives.

3. KYC vs KYB: Side-by-Side Comparison

| Dimension | KYC (Know Your Customer) | KYB (Know Your Business) |
|---|---|---|
| Applies to | Individual natural persons | Corporate entities, legal structures, trusts, funds |
| Primary verification data | Government-issued ID, proof of address | Certificate of Incorporation, company registry data, share register, Articles of Association |
| Ownership / control check | Not applicable — the individual is the counterparty | Mandatory — UBO identification to the 25% ownership threshold |
| Risk screening | PEP status, sanctions lists, adverse media on the individual | Entity-level sanctions screening + individual KYC on each identified UBO and director |
| Complexity | Lower — one person, one identity to verify | Higher — multi-layer ownership chains, cross-border structures, complex corporate vehicles |
| Regulatory trigger | Any individual establishing a business relationship with a regulated firm | Any corporate client, regardless of size — from SMEs to global funds and SPVs |
| FATF Reference | Recommendation 10 — Customer Due Diligence | Recommendation 24 — Transparency of Legal Persons |
| Key UK Regulation | MLR 2017, Regulation 28 | MLR 2017, Regulation 28; PSC Register — Companies Act 2006 |

4. When Does Each Process Apply?

The choice between KYC and KYB is not discretionary — it is determined by the legal nature of the counterparty. In practice, many firms must operate both processes simultaneously, because the same onboarding workflow may service both individual and corporate clients.

Scenarios Requiring KYC Only

  • Retail banking customers opening individual current accounts
  • Individual investors subscribing to investment funds in their own name
  • Individual clients of a law firm or wealth manager acting in a personal capacity
  • Individual merchants onboarding to a payment platform

Scenarios Requiring KYB (and Subsequent KYC on UBOs)

  • Corporate clients of banks opening business accounts
  • Fund managers onboarding corporate investors — SPVs, family offices, and institutional vehicles with multi-layer ownership structures
  • Law firms taking on corporate clients for M&A advisory, commercial transactions, or trust work
  • Payment processors onboarding business merchants
  • Transfer agencies processing subscriptions from corporate fund investors
  • Fintech platforms serving both business and personal customers

Scenarios Requiring Both KYC and KYB in Parallel

Many regulated firms operate mixed onboarding environments. An investment platform may onboard both individual retail investors (KYC) and corporate institutional investors (KYB). A law firm's new client intake may include both individuals and companies. A bank serves both personal and business customers.

In these environments, the onboarding system must be capable of routing customers into the correct verification workflow at the outset — and of triggering KYC on UBOs automatically once the KYB entity verification is complete.

FACT

The FCA's 2023–24 financial crime supervisory review found that failures in beneficial ownership identification — specifically, incomplete UBO chains on corporate clients — were among the three most common AML weaknesses identified across supervised firms. The gap is not awareness: firms know KYB is required. The gap is execution — manual KYB processes consistently fail to resolve complex or multi-jurisdictional ownership structures to the required depth.

5. Regulatory Requirements for KYB by Jurisdiction

KYB obligations are set internationally by FATF and implemented through national legislation. For firms operating across multiple jurisdictions, understanding the overlap — and the differences — between these frameworks is essential.

| Jurisdiction | KYB / UBO Requirement | UBO Threshold | Regulatory Reference |
|---|---|---|---|
| United Kingdom | Full KYB required for all corporate clients. The Persons of Significant Control (PSC) register must be consulted. Each identified UBO is subject to individual KYC. | 25% ownership or control | MLR 2017; Companies Act 2006 (PSC Register); FCA Financial Crime Guide |
| United States | FinCEN's CDD Rule requires beneficial ownership identification for all legal entity customers of covered financial institutions, plus identification of one individual with significant managerial control. | 25% ownership; plus one managerial control person | 31 CFR Part 1010 (FinCEN CDD Rule); BSA; USA PATRIOT Act Section 326 |
| European Union | 5th and 6th AMLD introduced mandatory UBO registers in all member states. Regulated firms must consult the register and conduct independent verification. | 25% ownership or control | 4th AMLD (2015/849/EU); 5th AMLD (2018/843/EU); 6th AMLD (2018/1673/EU) |
| Middle East (DFSA / ADGM) | Both the DFSA (DIFC) and FSRA (ADGM) require full KYB and UBO identification aligned to FATF standards. Complex corporate structures common in the region require careful UBO chain resolution. | 25% ownership or control | DFSA Anti-Money Laundering Module; FSRA AML Rulebook |
| Singapore (MAS) | MAS AML Notices require KYB and UBO identification for corporate customers, with enhanced obligations for complex structures and cross-border ownership chains. | 25% ownership or control | MAS Notice SFA04-N02; MAS Notice SFA04-N03 |

6. KYC and KYB in Specific Regulated Verticals

The relative frequency of KYC versus KYB varies significantly by sector. Understanding how the two processes apply within your specific industry is essential for building an onboarding programme that is both compliant and operationally efficient.

Investment Managers and Fund Managers

Fund managers must perform KYC on individual investors and KYB on corporate investors — which may include SPVs, family offices, pension funds, and institutional vehicles with complex multi-layer ownership structures. Under AIFMD and UCITS regulations, a complete audit trail per investor per fund is required. The transfer agent — if used — is responsible for executing this verification at the point of subscription.

Transfer Agencies

Transfer agencies process thousands of investor subscriptions across multiple funds. Each subscription may involve an individual investor (KYC) or a corporate investor (KYB). At scale, manual execution of both processes is operationally impossible — bulk KYC and KYB via API is the only viable approach. One failed UBO identification on a corporate subscription creates regulatory exposure for the fund itself.

Law Firms

Law firms are legally classified as regulated entities under SRA AML Guidance 2023, EU AMLD, and FinCEN's CDD Rule. They must perform KYC on individual clients and KYB — including full UBO chain resolution — on corporate clients before acting. M&A advisory, commercial conveyancing, and trust work all routinely involve corporate counterparties. Incomplete KYB is specifically cited in SRA enforcement decisions.

Wealth Managers and Private Banks

High Net Worth clients frequently hold assets through corporate structures — family holding companies, trusts, foundations, and offshore vehicles. What appears to be an individual relationship at first contact may require both KYC on the individual and KYB on the underlying entities. PEP exposure identified during KYC may then trigger EDD across the entire corporate structure.

Fintech and Payment Processors

Platforms onboarding business customers — SME merchants, corporate account holders, or B2B payment clients — must execute full KYB, including director verification and UBO identification, before the account can be activated. Accelerated digital onboarding expectations from business customers mean KYB must be automated to be commercially viable.

7. How Automation Transforms KYC and KYB

Manual KYC and KYB processes are not just slow — they are structurally prone to the specific failures that regulators penalise. Manual document collection misses expiry dates. Manual UBO identification stops at the first layer of corporate ownership rather than tracing the full beneficial ownership chain. Manual sanctions screening cannot keep pace with the frequency of list updates.

Modern compliance platforms automate the most critical elements of both processes:

| Compliance Function | What Automation Delivers |
|---|---|
| KYC — Document Verification | AI-powered document authentication checks ID validity, expiry, and authenticity against issuing authority specifications in seconds. Biometric verification confirms the document holder is present. |
| KYC — PEP & Sanctions Screening | Real-time screening against continuously updated global PEP databases, OFAC, OFSI, UN, and EU sanctions lists — with fuzzy matching to catch name variations and aliases. |
| KYB — Entity Verification | Automated retrieval from national company registries confirms legal existence, status, and registered details in real time — covering Companies House (UK), SEC EDGAR (US), and 200+ global registries. |
| KYB — UBO Identification | Automated ownership chain traversal resolves multi-layer corporate structures to the natural person level — tracing through holding companies, SPVs, and cross-border entities that manual processes routinely fail to resolve. |
| KYB — Director KYC | Once directors and UBOs are identified, individual KYC workflows are automatically triggered — document collection, identity verification, and PEP/sanctions screening — without manual handoff. |
| Risk Scoring | Automated risk classification at both the individual and entity level — assigning a risk rating that determines the level of due diligence applied and drives ongoing monitoring frequency. |
| Audit Trail | Every verification step, decision, and screening result is captured in a structured audit trail per customer or entity — ready for regulatory inspection at any time. |
BEST PRACTICE

Best-in-class KYB platforms do not simply retrieve first-layer shareholder information from a company registry and stop there. Effective UBO identification traverses the full ownership chain — recursively retrieving and verifying each intermediate entity until natural persons are identified at every branch. This recursive traversal is precisely what manual processes fail to complete consistently, and what regulators expect to see documented in your audit trail.
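The recursive traversal described above, sketched as an added example (it is not One Constellation's code). The registry data and all entity and person names are constructed, and the function names are hypothetical. It assumes indirect stakes multiply along a chain and sum across chains, which is one common way to apply the 25% threshold.

```python
from fractions import Fraction

UBO_THRESHOLD = Fraction(25, 100)  # the 25% threshold the page cites

# Constructed sample data (not real entities): entity -> [(holder, % of shares)].
REGISTRY = {
    "TargetCo Ltd": [("HoldCo A", 60), ("Alice Example", 30), ("Carol Example", 10)],
    "HoldCo A": [("Offshore SPV", 50), ("Bob Example", 50)],
    "Offshore SPV": [("Alice Example", 40), ("Opaque Trust", 60)],
    # "Opaque Trust" has no registry record: its branch cannot be resolved.
}
NATURAL_PERSONS = {"Alice Example", "Bob Example", "Carol Example"}


def resolve_ubos(entity, registry, persons, threshold=UBO_THRESHOLD):
    """Walk every ownership branch down to natural persons.

    Returns (ubos, unresolved, audit):
      ubos       - {person: effective stake} for stakes >= threshold
      unresolved - {entity: stake} for branches that end without a person
      audit      - one line per traversal step, in order
    Assumption: indirect stakes multiply along a chain and sum across chains.
    """
    stakes, unresolved, audit = {}, {}, []

    def walk(node, stake, path):
        audit.append(f"{' > '.join(path)} : {float(stake):.2%}")
        if node in persons:
            stakes[node] = stakes.get(node, 0) + stake
        elif node in path[:-1]:
            # Circular ownership: stop and flag instead of looping forever.
            unresolved[node] = unresolved.get(node, 0) + stake
            audit.append(f"  cycle at {node}, escalate for manual review")
        elif node not in registry:
            unresolved[node] = unresolved.get(node, 0) + stake
            audit.append(f"  no registry record for {node}, branch unresolved")
        else:
            for holder, pct in registry[node]:
                walk(holder, stake * Fraction(pct, 100), path + [holder])

    walk(entity, Fraction(1), [entity])
    ubos = {p: s for p, s in stakes.items() if s >= threshold}
    return ubos, unresolved, audit


def first_layer_only(entity, registry, persons, threshold=UBO_THRESHOLD):
    """The manual shortcut the page warns about: direct shareholders only."""
    return {h: Fraction(p, 100) for h, p in registry[entity]
            if h in persons and Fraction(p, 100) >= threshold}
```

On the sample data the first-layer check reports only Alice at 30%, while the full traversal raises her to 42%, surfaces Bob at 30% through HoldCo A, and leaves an 18% branch flagged as unresolved for follow-up.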

8. Common KYC and KYB Failures — and How to Avoid Them

Regulatory enforcement actions and supervisory findings consistently identify the same failure patterns across both KYC and KYB processes. Understanding these failures is as important as understanding the regulatory requirements themselves.

| Failure Mode | Where It Occurs | Regulatory Consequence |
|---|---|---|
| Incomplete UBO identification | KYB — stops at first-layer ownership without tracing the full beneficial ownership chain | FCA MLR 2017 breach; AIFMD investor KYC failure; FinCEN CDD Rule violation |
| Outdated customer records | KYC & KYB — CDD performed at onboarding but never refreshed as customer risk profiles change | Ongoing CDD failure under FATF Recommendation 10; FCA supervisory criticism |
| Missed PEP connections | KYC — PEP status not identified because screening is limited to the individual rather than extended to family members and close associates | Failure to apply mandatory EDD; inadvertent facilitation of corruption proceeds |
| Accepting corporate documents at face value | KYB — company registry data retrieved but not cross-referenced with Articles of Association, shareholder agreements, or direct entity confirmation | UBO misidentification; regulatory scrutiny during inspection |
| Sanctions screening at onboarding only | KYC & KYB — initial screening performed but no real-time ongoing monitoring against updated lists | Exposure to sanctioned counterparties; OFSI / OFAC penalty risk |
| No audit trail for KYB decisions | KYB — UBO identification completed verbally or in unstructured files without a timestamped, structured record | Inability to demonstrate compliance during regulatory inspection; FCA fine risk |

Automate KYC and KYB with One Constellation

One Constellation's Customer Onboarding platform handles KYC and KYB within a single, unified workflow — individual identity verification, corporate entity verification, automated UBO chain resolution, and PEP & sanctions screening, all with a complete audit trail per customer. Built for banks, investment managers, fund managers, transfer agencies, law firms, and fintech platforms across the UK, EU, US, and Middle East.