KYB vs KYC Explained: What Product Teams Actually Need to Build
KYB vs KYC Explained: What Product Teams Actually Need to Build
Your product onboards businesses. Someone from legal just asked "Are we doing KYB?" This guide gives developers and product managers everything they need — without the compliance jargon.
Your Product Onboards Businesses. Now What?
Your platform signs up companies. Maybe it's merchants. Maybe it's suppliers, partners, or corporate clients. At some point, someone from legal or compliance walks over and asks:
"Are we doing KYB?"
And suddenly you're Googling acronyms, reading regulation summaries written for bank examiners, and wondering how this affects your sprint backlog.
This guide is not for compliance officers. They already know what KYB is. This guide is for the developer or product manager who needs to understand KYB well enough to spec a feature, evaluate an API, or push back on a vendor who's overcharging for basic registry lookups.
We'll cover what KYB actually requires you to build, what data you get from government registries (and where the gaps are), and how to decide whether to roll your own verification or plug into an API.
No sales pitch. No regulatory wall of text. Just the parts you need to ship.
KYC vs KYB: The 60-Second Version
KYC (Know Your Customer) verifies individuals. KYB (Know Your Business) verifies companies.
That's the textbook answer. Here's the one that matters for your architecture:
| KYC | KYB | |
|---|---|---|
| What you're verifying | A person is who they say they are | A business exists, is active, and is controlled by who they claim |
| Core data inputs | ID document, selfie, address proof | Registration number, company name, jurisdiction |
| Where the data lives | Government ID databases, credit bureaus | Company registries (per-country, often per-state) |
| Complexity driver | Document fraud, biometric matching | Multi-layered ownership, cross-border structures, registry inconsistency |
| Regulatory trigger | FATF Recommendation 10 | FATF Recommendation 24 |
| Who owns it in your org | Identity / fraud team | Compliance + product (it touches onboarding) |
| API integration pattern | Upload image → get verification result | Submit company identifier → get structured entity data |
The critical difference for builders: KYC is mostly a document processing problem. KYB is a data infrastructure problem. You're not scanning a passport. You're querying fragmented government databases across dozens of jurisdictions, normalizing the output, and making programmatic decisions based on company status, ownership chains, and risk signals.
That's why KYB is harder to build — and why most teams underestimate it.
The 5 Components of KYB (What You Actually Need to Build)
Every KYB implementation, whether homegrown or API-driven, has five components. Skip any of them and your compliance team will send it back.
1. Entity Verification
Confirming the company legally exists and is currently active. Submit company name, registration number, and jurisdiction to a registry (or an API that connects to registries) and get back: legal name, registration date, current status, registered address, and legal form.
Company statuses aren't standardized. The UK says "Active." Germany says "eingetragen." Singapore says "Live." Your code needs a mapping layer — or a provider that normalizes this for you.
If you only operate in one country, you can connect to that registry directly. The moment you add a second jurisdiction, you need a normalization layer.
2. Ownership & UBO Identification
Mapping who owns the company — and who ultimately controls it. A UBO (Ultimate Beneficial Owner) is typically any individual who holds 25%+ ownership or significant control.
Most registries only give you one level of ownership. The traversal — following the chain across multiple entities, potentially across jurisdictions — is the hard part. Some jurisdictions don't publish ownership data at all.
UBO resolution is where most DIY KYB projects stall. It requires recursive lookups, cross-border data, and logic to handle circular ownership, nominee directors, and trust structures.
3. Sanctions & PEP Screening
Checking the company, its directors, and its UBOs against sanctions lists (OFAC, EU, UN) and Politically Exposed Persons databases.
Name matching across languages and transliterations is notoriously unreliable. "Mohammed Al-Rahman" can appear in dozens of variants. You'll generate false positives constantly without good matching logic.
Don't build this yourself. Sanctions screening is a solved problem with dedicated vendors (ComplyAdvantage, Dow Jones, Refinitiv). Your job is to feed them clean entity and director data from your KYB flow.
4. Document Collection
Gathering supporting documents — articles of incorporation, shareholder registers, proof of address for directors, financial statements.
Regulated industries often require original documents or certified copies, not just API-confirmed data. Document requirements vary by risk tier and jurisdiction.
This is a workflow and UX problem, not a data problem. You need a way to request, collect, and store documents tied to each entity — and escalate to manual review when needed.
5. Ongoing Monitoring
KYB isn't a one-time check. Company statuses change. Directors resign. Ownership transfers happen. Your system needs to detect these changes and trigger re-verification.
Most registries don't offer webhooks or push notifications. You need to poll or use a provider that monitors changes and pushes alerts to your system.
Monitoring is where the operational cost of DIY KYB gets expensive. Polling hundreds of registries on a schedule requires infrastructure most teams don't want to maintain.
What Registry Data Actually Looks Like Across Jurisdictions
This is where most "KYB explained" articles stop. They tell you what KYB is but not what the data looks like when it comes back from a real registry. Here's what you'll actually encounter:
| Field | UK | Germany | USA | Singapore | Brazil |
|---|---|---|---|---|---|
| Reg. number | 8-digit numeric | HRB 12345 | Varies by state | 9-digit UEN | 14-digit CNPJ |
| Status | Active, Dissolved | Eingetragen, Gelöscht | Active, Revoked (state-dependent) | Live, Struck Off | Ativa, Inapta, Baixada |
| Legal form | Ltd, PLC, LLP | GmbH, AG, KG | LLC, Inc, Corp | Pte Ltd, Ltd | LTDA, S.A. |
| Directors | Name, DOB, nationality | Managing directors only | Varies — some states list officers | Name, ID, nationality | Name, CPF (tax ID) |
| Shareholders | PSC register (25%+) | Not always public | Generally not public | Public above threshold | Full partner list with % |
| Financials | Annual accounts filed | Depends on size | No (private tax filings) | Annual returns | Limited |
| API access | Free (Companies House) | Limited | No unified API — 50 states | Paid (BizFile+) | Limited (CNPJ lookup) |
The takeaway for product teams: There is no universal schema. Every jurisdiction returns different fields, in different formats, with different levels of completeness. If your product operates in more than one country, you need a normalization layer between the raw registry data and your application logic.
This is exactly what Zephira.ai's API handles. We pull from 150+ government registries, normalize the output into a consistent JSON schema, and let your code treat a UK Ltd and a German GmbH the same way.
KYB Workflow Architecture
Here's how a production KYB flow typically works. This is the diagram your engineering team needs.
Company name + jurisdiction → Registry API → Structured entity data (registration number, status, legal form, address)
Is the company active? If no → Flag, reject, or request documents.
Pull officers and ownership from registry. Fields vary by jurisdiction.
Traverse ownership chain → Identify individuals with 25%+ control.
Directors + UBOs → Sanctions/PEP API → Match results
Registry change alerts → Re-trigger verification on status changes, director updates, ownership transfers.
Sample API Flow
# Step 1: Search for company POST https://api.zephira.ai/v2/companies/search Body: { "name": "Acme Holdings", "country": "GB" } → Returns: company_id, registration_number, status, legal_form # Step 2: Get full company profile GET https://api.zephira.ai/v2/companies/{company_id} → Returns: registered address, directors, shareholders, financials # Step 3: Get ownership structure GET https://api.zephira.ai/v2/companies/{company_id}/ownership → Returns: shareholder tree with parent entities and UBO candidates # Step 4: Start monitoring for changes POST https://api.zephira.ai/v2/companies/{company_id}/watch/start → Triggers alerts on status changes, director updates, ownership transfers
Build vs Buy: When to Roll Your Own KYB
This is the decision your team is actually making. Here's a framework:
| Factor | Build In-House | Buy (API Provider) |
|---|---|---|
| Time to production | 6–12 months (per jurisdiction) | 2–4 weeks |
| Upfront cost | Engineering time + registry fees + legal review | API subscription ($99–$1,000/mo) |
| Ongoing maintenance | Registry format changes, downtime, data mapping updates | Provider handles it |
| Coverage | 1–5 countries realistically | 100–150+ countries from day one |
| Data normalization | You build and maintain the mapping logic | Pre-normalized |
| UBO traversal | You build the recursion + cross-border logic | Handled (depth varies by provider) |
| Compliance audit trail | You build the logging | Usually included |
| Best for | Single-country, high volume, deep customization | Multi-country, fast-moving teams, startups to mid-market |
The honest answer: If you operate in one country (say, UK only), connecting directly to Companies House is free and straightforward. The moment you add a second jurisdiction — Germany, the US, Singapore — the normalization burden grows exponentially.
Most teams that start by building in-house end up buying within 12 months. The registry maintenance cost alone justifies the switch.
Edge Cases That Break KYB at Scale
Your happy path works. Here's what breaks it:
Dormant companies. A company can be legally registered but operationally inactive. Some registries mark this; most don't. You need business activity signals (web presence, financial filings, employee count) to distinguish real businesses from paper entities.
Nominee directors. In some jurisdictions, the listed director isn't the real decision-maker. They're a professional nominee — a placeholder. Your UBO logic needs to account for this, especially in offshore jurisdictions like BVI, Cayman, and Cyprus.
Jurisdictions with no digital registry. Not every country has an API or even a searchable database. Parts of Africa, the Middle East, and Central Asia still require manual document requests. Your workflow needs a fallback for these.
Name mismatches. "Société Générale S.A." in the French registry vs. "Societe Generale" in your CRM. Transliterations, abbreviations, accent marks, and legal form suffixes all create matching problems. Fuzzy matching helps, but registration numbers are the only reliable identifier.
Circular ownership. Company A owns 60% of Company B. Company B owns 40% of Company A. Your UBO traversal logic needs a cycle detection mechanism or it will loop forever.
Recently dissolved entities. A company that was active last week might be dissolved today. Point-in-time checks miss this. You need monitoring — or at minimum, re-verification at key transaction moments.
Frequently Asked Questions
It depends on your industry and jurisdiction. Financial institutions are required to perform KYB under AML regulations (FATF Recommendation 24, EU AMLD, US BSA/CDD Rule). Non-regulated businesses aren't legally required but increasingly adopt KYB to manage counterparty risk.
KYB is the baseline verification: does this company exist, who owns it, is it sanctioned? EDD is the deeper investigation triggered when KYB flags elevated risk — additional document requests, source-of-funds checks, and senior management sign-off.
With an API like Zephira.ai, entity verification takes seconds. Full KYB including UBO resolution and sanctions screening typically takes minutes. Manual processes — document collection, human review — can add days or weeks.
OpenCorporates provides basic company search across 140+ jurisdictions. But it's not designed for production KYB workflows. API access is limited to 500 calls/month, and it doesn't provide UBO data, normalized financials, or real-time monitoring. For compliance-grade KYB, you need a purpose-built provider.
At minimum: company legal name, registration number, jurisdiction, current status, and at least one director or officer. For regulated industries, add UBO identification and sanctions screening.
In Europe, company registries are centralized per country (Companies House in UK, Handelsregister in Germany). In the US, registration is state-level — 50 states, 50 different formats and APIs. The Corporate Transparency Act is introducing federal beneficial ownership reporting, but state registries remain the primary source for entity data.
UK Companies House API is free. For multi-country coverage, Zephira.ai starts at $99/month with 100 full company profiles. For a single jurisdiction, direct registry access is often the most cost-effective starting point.
Yes, if you onboard businesses. KYC verifies the individual. KYB verifies the entity they claim to represent. A person can pass KYC and still be operating through a fraudulent or dissolved company.
Fallback to document-based verification. Request incorporation certificates, shareholder registers, and director ID documents manually. Flag these jurisdictions as higher-risk in your onboarding flow and apply enhanced review.
Zephira handles the data layer — entity verification, company profiles, ownership structures, and monitoring. You'll still need sanctions screening (ComplyAdvantage, Dow Jones, etc.) and a case management tool for human review. Zephira is the data foundation your KYB stack is built on.
Search your first company in seconds
Zephira.ai connects to 150+ government registries and delivers normalized company data through a single API.
Request a Demo
