KYB verification: beneficial ownership, corporate onboarding and ongoing refresh

What is KYB?

Know Your Business is the corporate counterpart to KYC. It is the process of verifying that a business customer is who it says it is, mapping the people who own or control it, screening the entity and those people against sanctions, PEP, and adverse media data, and reassessing the whole picture on a schedule that reflects the risk. The headline ingredients are familiar: entity verification, director identification, beneficial ownership verification, screening, risk scoring. The difficulty sits in how those ingredients combine.

KYB is harder than KYC for three reasons. First, legal entities can hide behind layers. A trading company might be owned by a holding company, which is owned by another holding company, which is owned by a trust whose beneficiary is the person you actually need to identify. Second, the data sources are fragmented. There is no single registry of the world's companies. You stitch together Companies House in the UK, national registries across the EU, OpenCorporates, and a tail of specialist sources for jurisdictions where official data is thin. Third, corporate data changes. Directors leave, ownership shifts, registered offices move, trading activity pivots. The KYB file you opened at onboarding starts decaying immediately.

The moment most teams realise their KYB stack is brittle is when a regulator asks for evidence that a customer's beneficial ownership is currently accurate, not just that it was collected at onboarding. Or when a customer's UBO turns out to be different from the one declared on the form. Or when a refresh cycle that was supposed to run quarterly has not actually run for fourteen months.

The UBO verification gap

We audit corporate onboarding processes regularly. The single most common point of failure is beneficial ownership verification. The firm has verified the company. The directors have been screened. And then, for the UBO question, they have accepted whatever the customer wrote on a form.

Self-declared beneficial ownership is data collection, not verification. The gap between the two is where the most serious AML risks hide. There are four reasons self-declaration fails, and only one of them involves deliberate deception:

• Complex structures. The beneficial owner sits behind multiple layers across multiple jurisdictions. Even an honest declarant may not actually know who the ultimate controller is.
• Nominee arrangements. The registered shareholder holds shares on behalf of someone else. The declaration captures the nominee, not the real owner.
• Trust structures. Trust deeds are not public. Identifying the beneficiary requires documents that are not in any registry.
• Deliberate concealment. The true beneficial owner has a sanctions or adverse media history and is intentionally hidden. Self-declaration cannot detect this by design.

Central registers help, but they do not close the gap on their own. UK Companies House Persons with Significant Control data is moving towards verified status under the Economic Crime and Corporate Transparency Act 2023, but the transition is still underway. Until then, PSC filings are self-reported by the company. Using them as your sole UBO source is not independent verification. EU member states are bringing central beneficial ownership registers into interconnection through BORIS, but data quality and access standards still vary.

The 25% threshold is the standard floor under FATF Recommendation 24 and EU AML rules: a person holding or controlling, directly or indirectly, more than 25% of shares, voting rights, or ownership interest is treated as a beneficial owner. AMLA confirms this baseline and permits lower thresholds in higher-risk sectors. Where no natural person meets the threshold, you must identify the senior managing official exercising effective control. Either way, the threshold is a starting point, not a finishing line. Closing the gap means corroborating declarations against multiple independent sources, not relying on the threshold alone.

When we cross-reference UBO declarations against three independent data sources, we typically find discrepancies in 15% to 20% of corporate applications in the first month. Most are innocent. Some are material. The point is that a single-source process would have missed all of them.

Corporate data decay: KYB is not a one-time event

Companies change. Directors leave. Beneficial owners shift. Registered addresses move. Trading activity pivots. A KYB file captured at onboarding is a snapshot of a moving target, and the longer the file sits untouched, the less it reflects reality.

In 2025, a mid-market payment processor in continental Europe received a EUR 3.2 million fine. Not for onboarding failures. Not for missing a sanctions hit. For stale KYB data. Their corporate customer records had not been refreshed in over three years. During that period, one merchant's beneficial ownership had changed twice, its registered address had moved to a high-risk jurisdiction, and its trading activity had shifted entirely. The compliance file still showed the original onboarding snapshot. The regulator's view: if you cannot demonstrate that your business customer information is current, you cannot demonstrate that you are managing the risk.

This is not an isolated case. Enforcement actions across the EU and UK increasingly cite outdated corporate customer data as a standalone failure, not just an aggravating factor. KYB is a continuous obligation. Most compliance teams are not meeting it.

Regulatory drivers

Three regulatory regimes sit behind modern KYB expectations. They do not all use the same language, but they point in the same direction: independent verification of beneficial ownership, documented risk-based onboarding, and ongoing refresh that reflects the customer's risk band.

• EU AMLA and the AML Regulation. From mid-2027, AMLA enforces a single EU rulebook on KYB. Harmonised verification of beneficial ownership beyond self-declaration, expanded EDD triggers for complex ownership structures, mandatory ongoing review cadences (annual for high-risk, triennial for standard, six-yearly for low), and central register obligations. See our AMLA pillar for the full readiness picture.
• 5AMLD and 6AMLD. The existing EU framework already requires central beneficial ownership registers and risk-based ongoing monitoring. AMLA hardens these obligations rather than replacing them, so firms that have implemented 5AMLD/6AMLD properly already have most of the foundations in place.
• US Corporate Transparency Act (CTA) and FinCEN. Most companies formed or registered in the US must report beneficial ownership information to FinCEN. Beneficial owners are individuals who exercise substantial control or own 25% or more. The rule has been through significant scope changes during recent litigation, so firms with US exposure should track current enforcement and reporting expectations carefully. Either way, US corporate customers should be ready to provide CTA-aligned ownership data.
• UK Economic Crime and Corporate Transparency Act 2023. Companies House is moving towards verified ownership data with new powers to challenge filings. Until that transition completes, PSC data should be treated as a starting point, not as independent verification.
• FATF Recommendation 24 and 25. The international baseline. Beneficial ownership information must be available, accurate, and accessible to competent authorities. The 25% threshold is the global standard floor.
• DORA. Indirect but relevant. Once you are running KYB through a technology vendor, that vendor is an ICT third-party service provider under DORA. Contracts, oversight, exit strategies, and incident reporting all apply.

The KYB process Zenoo runs

A defensible KYB workflow combines entity-level checks, people-level checks, and ongoing monitoring into one orchestrated process. The pieces look like this:

1. Business entity verification. Confirm the legal entity exists, is in good standing, and is registered as the customer claims. Pull data from the relevant company registry (Companies House for UK, national registries across the EU, equivalents elsewhere), check status, registered address, incorporation date, and filing history. Flag dormant, dissolved, or under-investigation statuses immediately.
2. Director and shareholder identification. Identify the natural persons in the corporate structure. Capture directors, secretaries, and significant shareholders. Verify their identity using the same KYC standards you apply to individual customers (IDV, document checks, biometrics where appropriate). Screen them against sanctions, PEP, and adverse media data.
3. Beneficial ownership mapping. Trace the ownership chain. Identify natural persons who ultimately own or control the entity, applying the 25% threshold or lower thresholds where the sector requires. Cross-reference the customer's UBO declaration against central registers, corporate structure data providers (OpenCorporates, Dun & Bradstreet, and equivalents), shareholder registers, and, for higher-risk cases, supporting documentation. Investigate discrepancies before they become enforcement findings.
4. Sanctions and adverse media on entity AND UBOs. Screen the legal entity itself and every identified UBO against sanctions, PEP, and adverse media. The entity screening catches sanctioned companies and asset freezes. The UBO screening catches the cases where the company is clean but its owner is not.
5. Source of wealth and source of funds. For higher-risk customers, document where the business's funds come from and how the UBOs accumulated their wealth. Required under EDD for complex ownership structures, high-risk jurisdictions, and PEP-connected entities.
6. Structured risk scoring. Apply a documented risk methodology across customer, country, product, and channel dimensions. Output a risk band that drives review frequency and EDD requirements. FATF-aligned. Auditable.
7. Ongoing refresh. Schedule the next review based on the risk band, and run event-driven monitoring in parallel for ownership changes, sanctions hits, adverse media, and material changes to the registered structure.

Each step depends on the right data source. No single provider covers every jurisdiction and entity type with equal depth. Orchestration matters because it lets you route each query to the best provider for that specific case, through one integration.

Refresh cycles: risk-tiered, automated, defensible

The instinct, once a firm recognises corporate data decay, is to mandate annual refresh for the entire customer base. It feels thorough. It looks defensible. It is almost always the wrong approach. Annual cycles treat every customer as equally likely to change, so analysts spend weeks re-verifying stable entities while genuinely high-risk customers wait in the queue.

For a firm with 2,000 corporate customers, a flat annual refresh consumes 3,000 to 5,000 analyst hours per year. That is 1.5 to 2.5 full-time equivalent roles spent confirming that nothing has changed. A risk-tiered model cuts that workload by around 40% while strengthening coverage of the customers that actually carry risk.

The tiering is not static. A customer's tier should be recalculated whenever new information arrives, whether from a scheduled refresh, a monitoring event, or an external trigger. A low-risk customer whose parent company is acquired by an entity in a high-risk jurisdiction does not wait 36 months for its next review.

Event-driven refresh runs alongside the scheduled cycles. A change in ownership, a change in registered office, a sanctions hit, a piece of adverse media, a filing irregularity at Companies House, any of these should pull the customer's next review forward immediately. Without event-driven refresh, the cycles alone leave a window of exposure between scheduled reviews.

How Zenoo helps

Zenoo orchestrates the whole KYB pipeline through one configurable platform. Multiple registries, corporate structure providers, screening sources, and document verification tools sit behind a single integration. The workflow handles entity verification, director and shareholder identity, UBO mapping with central register cross-checks, sanctions and adverse media on the entity and its UBOs, structured risk scoring, and risk-tiered refresh. The features that matter most for KYB compliance teams:

• Orchestrated data sources. Companies House, OpenCorporates, national EU registries, Dun & Bradstreet, central beneficial ownership registers (where accessible), and specialist providers for higher-risk jurisdictions, all behind one workflow.
• UBO discovery beyond self-declaration. Automated ownership chain mapping, with cross-references against multiple independent sources and discrepancy flags for analyst review. The gap closed.
• Risk-tiered refresh. Schedule reviews by risk band, run event-driven monitoring in parallel, escalate overdue reviews automatically. Ongoing monitoring handles the mechanics.
• Screening on entity AND UBOs. Sanctions, PEP, and adverse media coverage with FATF-aligned matching and configurable false-positive controls. See screening.
• Compliance Hub. Case management, AI alert triage, and audit trails that produce regulator-ready evidence packs. Compliance Hub.
• Marketplace. Swap providers when data quality or pricing changes, without rebuilding your workflow. Zenoo Marketplace is 53 vendors deep.
• KYB use case. Full feature detail on the KYB use case page.
• Implementation in 4 to 6 weeks. Not a 12-month engineering project.

Related reading

• KYB due diligence: the UBO verification gap
• The KYB/AML tender requirements checklist (free template)
• KYB refresh cycles: when and how to re-verify business information
• AMLA compliance: the EU's new AML rulebook
• DORA compliance: what financial entities need from ICT vendors

Frequently asked questions

What is KYB?

Know Your Business (KYB) is the corporate equivalent of KYC. It is the process of verifying a business customer's identity, ownership, control structure, and risk profile before entering a relationship and on an ongoing basis. KYB covers entity verification, director and shareholder identification, beneficial ownership verification, sanctions and adverse media screening, and ongoing refresh.

How is KYB different from KYC?

KYC verifies an individual. KYB verifies a legal entity and the people behind it. KYB is harder because legal entities can sit behind layers of holding companies, nominees, and trusts, and the data sources are fragmented across national registries. A KYC stack designed for individuals does not solve KYB on its own. KYB needs entity verification, ownership chain mapping, and ultimate beneficial owner (UBO) verification, in addition to identifying the natural persons involved.

What is UBO verification?

Ultimate Beneficial Owner verification is the process of identifying and independently confirming the natural persons who ultimately own or control a legal entity. It goes beyond accepting a customer's self-declaration. It requires corroboration against company registries, central beneficial ownership registers, corporate structure data providers, and, for higher-risk relationships, supporting documentation such as share certificates or trust deeds.

What is the 25% beneficial ownership threshold?

Under FATF Recommendation 24 and EU AML rules, a person is generally treated as a beneficial owner if they hold or control, directly or indirectly, more than 25% of the shares, voting rights, or ownership interest in a legal entity. AMLA confirms this 25% threshold as the floor across the EU, with lower thresholds permitted for higher-risk sectors. Where no natural person meets the threshold, you must identify the senior managing official who exercises effective control.

How often should I refresh KYB data?

Refresh frequency should be tied to customer risk. A defensible model uses three tiers: high-risk every 6 to 12 months, medium-risk every 12 to 24 months, low-risk every 24 to 36 months. AMLA hardens this further with mandatory minimums of annual reviews for high-risk and triennial reviews for standard-risk customers. Event-driven refresh runs in parallel, triggered by ownership changes, sanctions hits, adverse media, or material changes to the registered structure.

What are the EU AMLA KYB requirements?

AMLA harmonises KYB across all 27 member states from mid-2027. Key requirements: independent verification of beneficial ownership against central registers (not self-declaration alone), expanded enhanced due diligence triggers for complex ownership structures, mandatory ongoing review cadences, harmonised identity verification of directors and UBOs, and structured documentation that supports the new direct supervision regime. See our AMLA pillar for the full picture.

What is the CTA beneficial ownership rule (US)?

The US Corporate Transparency Act requires most companies formed or registered in the United States to report beneficial ownership information to FinCEN. Beneficial owners under the CTA are individuals who exercise substantial control or own 25% or more of the company. The rule has been through significant scope changes in recent litigation, so firms with US exposure should track the current enforcement position closely. Either way, US corporate customers should expect to provide CTA-aligned beneficial ownership data.

How does Zenoo handle KYB orchestration?

Zenoo orchestrates KYB across multiple registry and data providers through a single configurable workflow. Companies House (UK), national EU registries, OpenCorporates, Dun & Bradstreet, and specialist providers for higher-risk jurisdictions all sit behind one integration. Workflows handle entity verification, director and shareholder identification, beneficial ownership mapping, sanctions and adverse media screening on the entity and its UBOs, and risk-tiered refresh cycles. Implementation in 4 to 6 weeks.