
24 KYB risk factors you should consider

Gauging KYB risk can be tricky. Here are 24 KYB risk factors to incorporate into your KYB process.

Last updated: 8/21/2024
⚡ Key takeaways
  • Your Know Your Business (KYB) processes should help you gauge the risk of working with another business or entity.
  • It’s important not to gauge KYB risk with only a small number of signals. The more risk factors you can evaluate, the more thorough a picture you can paint about a potential business partner or customer.
  • Persona’s KYB platform can help you perform the important KYB checks, including sanctions list checks, adverse media reports, Secretary of State (SOS) checks, and more.

Know Your Business (KYB) is about two things:

  • verifying that a business and its owners actually exist, and
  • verifying that it’s safe (from a regulatory standpoint) for your company to do business with them 

Whether you’re a fintech or not, one way to meet these requirements is through risk assessment. Even when it’s not explicitly required, organizations operating in any industry can benefit from performing a thorough risk analysis on business partners and customers.

But what risk factors should be included as a part of this process? And how can businesses actually perform these checks at scale?

Below, we’ve highlighted 24 KYB risk factors that you should be incorporating into your due diligence processes. We also outline overarching strategies that you can use to evaluate a business’s risk. 

KYB risk factors

It’s important to note that the presence of one or more of these risk factors does not necessarily indicate that you shouldn’t be working with a given company. It simply means that a degree of risk exists, which you might consider as you decide whether or not you want to be doing business with the entity. 

It’s also important to cross-check some of these risk signals. For instance, an address that you verify from a company’s Secretary of State (SOS) document should also match the address listed on their record in the SOS filings. This provides additional assurance that the information being evaluated is indeed true and ensures that you can see the whole picture.

Below, we’ve listed some important KYB risk signals that you should consider as a part of your processes, grouped by type:

  • General risk signals
  • Beneficial owners risk signals
  • Financial history risk signals
  • Online presence risk signals
  • Other risk signals

General risk signals

These risk signals are the ones that most businesses will want to check as a general best practice, especially if you are subject to Know Your Business or Anti-Money Laundering laws and regulations. These will typically involve information that you can verify about a company — i.e., where you can get a definitive “yes” or “no” from an authoritative source like a government database. As a result, these signals help you answer basic questions around a business’s existence or legitimacy. 

1. TIN number

What it means: In the United States, businesses must have a valid taxpayer identification number (TIN). Existence of a valid TIN indicates that the business or individual has registered with the IRS. Likewise, the type of TIN — a Social Security number vs. an EIN — offers additional context that can help you understand the corporate structure of a business. 

2. Corporate registration status

What it means: A legitimate business should be actively registered with the Secretary of State (SOS) in at least one state, and ideally in any state that it does business in. With this in mind, an inactive corporate registration status may indicate that a company does not actually exist, or that it has not properly completed the requirements to operate in a given state. 

3. Business registration number

What it means: In registering with a country’s business registry, a company will typically be assigned a business registration number. You can then search that provided number against an official registry to ensure it’s legitimate and matches the given business name or address. The lack of a valid business registration number may indicate that a business is not legitimate, or that they are not properly registered. It’s important to note, however, that registry coverage can vary from country to country. 

4. Sanctions list

What it means: A number of regulatory bodies maintain sanctions lists and watchlists, which detail individuals, businesses, and states that are involved in or suspected of being involved in some kind of illegal activity — most commonly money laundering or the financing of terrorist activities. If a business or one of its ultimate beneficial owners (UBOs) appears on a sanctions list, it indicates significant KYB risk.

5. Adverse media

What it means: Adverse media refers to negative news coverage about a business or individual, often tied to some type of crime or other scandal. Depending on the type of coverage, adverse media may mean that a business you are considering working with is risky. A company that has engaged in financial crimes in the past, for example, may bear money-laundering risk for your business; a business working through a scandal of some sort may represent reputational risk for your business. 

6. Business documents like Articles of Incorporation

What it means: When a business registers with the Secretary of State in its state of domicile, it must submit articles of incorporation (also called articles of organization). This document includes a variety of information about the business, including its name, address, and ownership structure. You can request this document, or other similar documents related to incorporation like a Certificate of Good Standing, during KYB as a way to confirm whether or not the business legitimately exists.

7. VAT number

What it means: Businesses operating in the European Union (EU) are assigned a VAT (Value-Added Tax) number, which is tied to a member nation’s value-added tax scheme. It’s similar to the Employer Identification Number (EIN) issued to businesses in the US. If a European business does not have a valid VAT number but claims to do business around the EU, it’s a red flag that bears further investigation.

8. Business address type

What it means: There are a number of different kinds of address checks that you can perform to gauge whether a business is legitimate or not. In most cases, you would expect a well-established business or organization to operate out of a commercial address. That being said, a small business or sole proprietorship may legitimately operate out of a residential location.

9. Business entity type

What it means: In order to understand the ownership structure of a business — which is a requirement of a KYB program — you must first have a clear sense of what type of legal entity it is: Sole proprietorship, limited liability company (LLC), partnership, corporation, etc. A sole proprietorship, for example, is owned by an individual while a partnership or corporation is owned by multiple people.

Beneficial owners risk signals

On top of assessing the risk of the business itself, you’ll also want to take into account the riskiness of the beneficial owners behind that business. UBOs can undergo any type of KYC verification like Gov ID or selfie verification, but there are also other signals that are helpful to assess during KYB to ensure that you’re verifying someone associated with the business. 

10. KYC verification

What it means: One of the main requirements of any KYB program is that a business’s ultimate beneficial owners (UBOs) must be identified and KYCed. Any instance where a UBO’s identity cannot be verified is a red flag that introduces significant risk.

It’s important to note that in some countries, like the United States, there are no public databases of the beneficial owners of a business, so you will need to rely on businesses to disclose the identities of their beneficial owners by submitting a document like a shareholder’s agreement.

11. Employment verification

What it means: Employment verification for any individual going through your flow can be a way of confirming that they are indeed associated with the business you’re trying to KYB. If an individual can’t demonstrate they are employed by the right business, that may be a sign that they are trying to impersonate a UBO.

Financial history risk signals

These risk signals involve looking at information regarding a company’s financial history and activities. As they give you greater insight into the financial health and business performance of a company, they are especially relevant if you are in the business of underwriting or extending a line of credit.

12. Appearance in third-party financial data

What it means: Sometimes you may want confirmation that a consumer-facing business has actually engaged in transactions. If a business appears in transactions aggregated by credit card companies, it can lend credence to a business’s legitimacy. This financial and transactional data can also sometimes be used as a proxy for corporate registration. 

13. Business liens

What it means: If a company has a lien filed against it, it means that a debtor has a legal claim to the company’s assets, which can potentially be seized and sold to pay back the debt. This may indicate that a business has a track record of failing to honor its obligations. It can also indicate that a business may have difficulty meeting its obligations to you, especially in the event that assets are indeed seized and sold. 

14. Business credit report

What it means: Businesses have credit reports just like individuals do, and these reports contain valuable information that you can use to gauge the risk associated with working with a business. On the one hand, you can crosscheck the basic information contained within a business credit report (business name, address, etc.) with the information that the business provides to you directly. On the other, you may decide that you don’t want to work with a business that has a low credit score, as this may indicate a level of credit risk or bankruptcy risk that you are not comfortable with.

15. Presence on a public stock exchange

What it means: In order for shares of a business’s stock to be listed on a public stock exchange like the New York Stock Exchange (NYSE) or NASDAQ, it must typically submit extensive documentation proving it is a legitimate business. Knowing whether or not a company is publicly listed can therefore serve as a helpful measure of its legitimacy.

16. Better Business Bureau (BBB) rating

What it means: The Better Business Bureau (BBB) assigns ratings to businesses based on a number of different factors, including customer complaints and other public data about the business. These ratings are meant to represent the BBB’s opinion of how a business will interact with its customers, and can be thought of as something like a reputation score. In this way, a BBB rating can help you decide whether or not you want to do business with a given company.

17. CFPB complaints

What it means: The Consumer Finance Protection Board (CFPB) maintains a complaints database on businesses serving US citizens. Checking this database allows you to get a sense of a business’s reputation amongst consumers and determine whether or not you want to associate with a business. If customer complaints accuse a business of fraud, it may pose a high KYB risk compared to businesses without such complaints.

18. 501(c)(3) status

What it means: In the US, 501(c)(3) status is a highly privileged status that bestows tax exemptions and reputational benefits, amongst many other things. You can verify this status by checking several different databases, like the IRS Business Master File or state-specific registries such as the California Attorney General's Registry of Charities and Fundraisers.

Online presence risk signals

A business’s online presence (or lack thereof) can provide additional context to help you gauge their risk profile. The risk signals below can help you establish and understand this online presence, especially if the business in question doesn’t sell physical goods.  

19. Email risk

What it means: A business’s email address can provide helpful information and context that you can use to better gauge their risk. An email address whose domain name matches the business’s website, for example, points to a more well-established business than one using a Gmail (or similar) email service. Likewise, the age of an email address and its overall reputational score can help you decide whether you want to associate with the business. 

20. Social media profile

What it means: Not all businesses will have a social media presence. But for some businesses — especially consumer-facing businesses — a certain level of activity is to be expected. Likewise, a lack of such activity, or a very young profile age, can be a risk factor. 

21. Business website verification 

What it means: If it exists, a business’s website can provide additional context about the business risk. For instance, an invalid or recently created domain may indicate that the business hastily created its website, while the presence of a terms of service page may indicate that it is legitimate. You can use these digital signals during your KYB process to help answer questions about business risk. 

Other risk signals

Depending on your company’s risk tolerance, industry, and the specific use case of your products or platform, you may want to look at additional risk signals that do not fit neatly into the categories above. This can include things like:

22. Suspicious links to other businesses

What it means: If a business shares attributes with other businesses or individuals already in your database, it can be indicative of a fraud ring. Examples may include when multiple businesses or entities share the same physical address, contact information, UBOs, identification numbers, and more.
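As an added illustration of this check (not Persona's code or part of the original article), the sketch below groups business records that are connected through any shared address, phone number, identification number, or UBO name. The record fields, normalization rules, and sample values are assumptions constructed for the example; a resulting cluster is a signal for review, not proof of fraud.

```python
import re
from collections import defaultdict

# Constructed sample applications; every value here is made up for illustration.
BUSINESSES = [
    {"id": "biz-1", "address": "100 Main St, Suite 4", "phone": "(555) 010-0001", "tin": "00-0000001", "ubos": ["Alex Doe"]},
    {"id": "biz-2", "address": "100 MAIN ST. SUITE 4", "phone": "555-010-0002", "tin": "00-0000002", "ubos": ["Sam Roe"]},
    {"id": "biz-3", "address": "7 Oak Ave", "phone": "555 010 0002", "tin": "00-0000003", "ubos": ["Pat Poe"]},
    {"id": "biz-4", "address": "22 Elm Rd", "phone": "555-010-0004", "tin": "00-0000004", "ubos": ["Lee Low"]},
]

def norm(kind, value):
    """Normalize so trivially reformatted values still collide."""
    if kind in ("phone", "tin"):
        return re.sub(r"\D", "", value)  # keep digits only
    return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()

def attribute_keys(biz):
    """Yield (kind, normalized value) for every linkable attribute."""
    for kind in ("address", "phone", "tin"):
        if biz.get(kind):
            yield kind, norm(kind, biz[kind])
    for name in biz.get("ubos", []):
        yield "ubo", norm("ubo", name)

def find_linked_clusters(businesses):
    """Return (clusters, shared): groups joined by any shared attribute."""
    parent = {b["id"]: b["id"] for b in businesses}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners = defaultdict(set)
    for b in businesses:
        for key in attribute_keys(b):
            owners[key].add(b["id"])
    # Only attributes seen on more than one business create a link.
    shared = {k: sorted(ids) for k, ids in owners.items() if len(ids) > 1}
    for ids in shared.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    clusters = defaultdict(set)
    for bid in parent:
        clusters[find(bid)].add(bid)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1), shared
```

In the sample data, biz-1 and biz-3 share no attribute directly but land in the same cluster through biz-2, which is the kind of indirect connection a pairwise comparison misses.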

23. Industry classification

What it means: It can be risky to do business with companies operating in certain industries. Cash-intensive businesses may carry a higher risk of money laundering, for example, while businesses operating in sensitive industries — such as the cannabis industry, pornography industry, and gun industry — may be risky from a regulatory standpoint. Financial institutions often refuse to associate with these businesses, and may in some cases be prohibited from engaging with them.

24. General firmographic information

What it means: As a business, you may want to engage with another organization only if they meet certain criteria. Examples include only working with companies that meet a certain minimum headcount of employees, or that earn a certain amount of revenue per year. This firmographic data can be collected from the business and cross-checked against third-party data providers.

Persona powers KYB evaluation and risk assessment

As you can see, getting a clear sense of KYB risk requires you to consider a number of different factors. Building your own solution from scratch to achieve this goal will, for most businesses, prove to be an uphill battle. A better option? Work with a KYB platform capable of performing as many of these checks as possible — a platform like Persona.

With Persona, you can pick and choose the KYB risk signals that matter most to your business to build a KYB verification flow tailored to your needs. Just some of the reports and screenings available include:

Need help with UBO verification? Look no further than Persona’s Verifications solution, designed to handle all of your KYC needs. Worried about fraud rings establishing a foothold on your platform? Consider deploying Persona’s link analysis tool Graph, which can quickly surface potential fraud rings and help you investigate risky connections.

Ready to see how Persona can help your business with all of its KYB needs? Request a custom demo today or get in touch with any questions.

Published on: 8/21/2024
