KYB 101

If you’re a fintech that operates a B2B business (i.e., your customer is a business and not an individual), then you likely need to operate a KYB, or Know Your Business, program.

Like a KYC program, your KYB program requires getting to know your customer not just at account opening but throughout the relationship.

It’s like inviting a stranger off the street to your house.

You want to know who they are before they enter your home and you also want to keep a (reasonably) close eye when they’re roaming around inside.

But, let’s start with account opening. What exactly do you need to do to onboard your business customer?

Like a KYC program, there are two parts:

(1) Collecting information; and

(2) Verifying that information.

Collecting Information:

At a minimum, you need to collect from your customer:

  • Legal entity documentation (e.g., certificate of incorporation/registration, articles of association/bylaws, licenses/permits, etc.)
  • Address of primary place of business
  • Employer identification number (EIN) or Tax identification number (TIN)
  • Ultimate Beneficial Ownership Information: this includes individuals who own 25% or more of the entity or those who control the entity.

The part that gives fintechs the most trouble is the UBO, or Ultimate Beneficial Ownership, requirement.

Why? Because many customers may not want to give up details of their individual owners or officers, and this produces some friction. However, if you’ve ever opened up a business bank account, you know this is a fairly standard practice.

So, what is a UBO?

There are two criteria.

Ownership: The first one is simple. If you own 25% or more of the equity of a company, you are a UBO.

Control: The second is a bit more subjective. If you are in control of the day-to-day operations of a company, you are a UBO. This is typically your customer’s CEO, CFO, or COO.

If you don’t have any UBOs from the first criterion (you could have, say, 10 owners at 10% equity each), you need at least one UBO from the second criterion. Someone has to be running the company, right?

But you can also have the same UBOs from the first and second criteria. This is typical for smaller businesses where the primary equity owners are also management.

So, in summary, you will need at least one UBO for each business customer, and you could possibly have more.

Ultimate UBOs

One additional caveat on the ownership criterion. What if the 25% or more owner is another business or legal entity or, more commonly, an investor’s fund vehicle? Are you required to go up the chain and verify the owner of that business, legal entity, or fund?

Unfortunately, the answer is yes. You need to keep going up the chain until you get to the ultimate ultimate beneficial owner. In other words, you need to find the individual person calling the shots behind the legal entities.
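The chain walk described above, together with the control criterion, can be sketched in code. This is an added example, not code from the original post; the `Party` type, the `resolve_ubos` function and the sample cap table are hypothetical, and it assumes the rule as stated here: follow each 25%-or-more owner upward until an individual is reached.

```python
from dataclasses import dataclass, field

OWNERSHIP_THRESHOLD = 25.0  # percent; the ownership criterion described above

@dataclass
class Party:
    is_individual: bool
    owners: list = field(default_factory=list)  # [(owner name, % equity), ...]

# Constructed sample cap table (hypothetical names, not real entities).
REGISTRY = {
    "Acme Corp": Party(False, [("Fund I LP", 60), ("Dana Lee", 30), ("Small Holder", 10)]),
    "Fund I LP": Party(False, [("Fund GP LLC", 100)]),
    "Fund GP LLC": Party(False, [("Ravi Patel", 50), ("Offshore Holdco", 50)]),
    "Dana Lee": Party(True),
    "Ravi Patel": Party(True),
}

def resolve_ubos(customer, registry, controllers):
    """Return (ubos, unresolved): ubos maps person -> criteria met;
    unresolved lists 25%+ owners with no ownership records collected yet."""
    ubos, unresolved, seen = {}, [], set()

    def walk(entity):
        if entity in seen:  # circular holding structure: do not loop forever
            return
        seen.add(entity)
        for owner, pct in registry[entity].owners:
            if pct < OWNERSHIP_THRESHOLD:
                continue
            party = registry.get(owner)
            if party is None:
                unresolved.append(owner)  # request documents before approval
            elif party.is_individual:
                ubos.setdefault(owner, set()).add("ownership")
            else:
                walk(owner)  # legal entity or fund: keep going up the chain

    walk(customer)
    for person in controllers:  # control criterion (e.g. CEO, CFO, COO)
        ubos.setdefault(person, set()).add("control")
    if not ubos:
        raise ValueError("at least one UBO is required per business customer")
    return ubos, unresolved

if __name__ == "__main__":
    print(resolve_ubos("Acme Corp", REGISTRY, controllers=["Dana Lee"]))
```

An entry in `unresolved` means the chain stops at an entity whose owners have not been collected, so onboarding should pause there until they are.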

Verifying Information:

Great. Now that you’ve collected the information, you need to verify it.

This involves using documentary or non-documentary means to verify the information.

Non-documentary is the most common in fintech. It involves relying on a third party database to confirm the information provided by your customer is accurate.

For example, if you collect name and date of birth of your UBO, you would compare that information against the information at, say, a credit reporting agency.

For the entity, you would verify that the entity is active and in good standing.

Finally, you want to do a sanctions check on the company and the UBOs, which means checking against the required U.S. sanctions lists, like OFAC.

There are a handful of vendors who can automate this process now through a simple API integration.

Bonus Points:

Some bank sponsors may require you to collect more information on your business customer, such as:

  • Nature of business
  • Source of funds
  • Adverse media screening

Some businesses are inherently high risk, and so you may be required to do additional diligence on those customers.

How does transaction monitoring work with your KYB program?

Remember, the KYB program is not just about knowing your customer at account opening but also throughout the relationship.

There are a couple of ways you would do this.

First, you would monitor any updates to the customer’s information, such as a new CEO or a change in ownership. If that happens, you need to run through the diligence process again.

Second, you would have a transaction monitoring process in place. Transaction monitoring simply means looking for suspicious activity like fraud.

Let’s look at an example.

Say you are a fintech that issues credit cards to companies to help employees pay for everyday business expenses (like Brex or Ramp).

Your customer is the business issuing these cards to its employees. Let’s call them Acme Corp. So, like any good fintech, you do basic account verification of Acme Corp and its UBOs before onboarding them as a customer.

However, Acme Corp will be distributing your credit card to its individual employees. Do you need to do verification of each individual card user as well? The answer (with some caveats) is no.

The customer is the business itself, and not each individual card user.

However, you do want to do transaction monitoring down to the individual level.

This means monitoring each card swipe and transaction. Let’s say you identify one rogue employee of your customer who used the company credit card to buy a $1,000 gift card in a country outside of Acme’s principal place of business. Sounds a bit suspicious. No problem, you notify Acme Corp and place a hold on the individual card.

(Tip: Using a credit card to buy any item of stored value, like a gift card or a digital currency, is almost always suspicious. Stored value can be converted to cash easily.)

But let’s say you onboard Acme Corp, and within a week, you see unusual spending activity for each of the individual cards. Well, now you may have an issue with your customer, Acme Corp.

This then all becomes part of your transaction monitoring program.
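The two outcomes in this example (hold one card, or question the customer itself) can be expressed as a small monitoring rule. This is an added example, not code from the original post; the category labels, the 7-day window, the "every issued card" test and the sample transactions are assumptions chosen to mirror the scenario above.

```python
STORED_VALUE = {"gift_card", "digital_currency"}  # assumed category labels
REVIEW_WINDOW_DAYS = 7  # assumed reading of "within a week" of onboarding

# Constructed samples: (card_id, days since onboarding, USD, category, country)
ACME_TXNS = [
    ("card-1", 2, 42.10, "office_supplies", "US"),
    ("card-2", 3, 1000.00, "gift_card", "CA"),
    ("card-3", 5, 18.75, "meals", "US"),
]
NEWCO_TXNS = [
    ("card-1", 1, 950.00, "gift_card", "US"),
    ("card-2", 2, 1200.00, "digital_currency", "CA"),
]

def card_alerts(txns, home_country):
    """Map card_id -> [(day, amount, outside_home_country), ...] for every
    stored-value purchase, which the tip above treats as suspicious."""
    alerts = {}
    for card, day, amount, category, country in txns:
        if category in STORED_VALUE:
            hit = (day, amount, country != home_country)
            alerts.setdefault(card, []).append(hit)
    return alerts

def review(txns, issued_cards, home_country):
    """Choose between holding individual cards and escalating the customer."""
    alerts = card_alerts(txns, home_country)
    # Cards with at least one alert inside the post-onboarding window.
    early = {card for card, hits in alerts.items()
             if any(day <= REVIEW_WINDOW_DAYS for day, _, _ in hits)}
    if issued_cards and early == set(issued_cards):
        # Every card misbehaves right after onboarding: the customer is the issue.
        return {"action": "escalate_customer", "cards": sorted(early)}
    if alerts:
        # Isolated card(s): place a hold and notify the customer.
        return {"action": "hold_cards", "cards": sorted(alerts)}
    return {"action": "none", "cards": []}

if __name__ == "__main__":
    print(review(ACME_TXNS, ["card-1", "card-2", "card-3"], "US"))
    print(review(NEWCO_TXNS, ["card-1", "card-2"], "US"))
```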

While we hope you found this post helpful, please note that the information in this post is not intended to be legal or regulatory advice.