Manual KYB takes 19-26 days and still misses UBO risk. KYB software done right automates business due diligence across 190+ countries.
TL;DR
Know Your Business (KYB) is the regulatory process for verifying corporate customers, their ownership structures, and their risk exposure before onboarding. The average manual KYB cycle runs 19 to 26 days (Refinitiv/LSEG, 2024) and still leaves shell companies undetected, as the Danske Bank Estonia case showed when roughly EUR 200 billion in suspicious flows moved through one branch between 2007 and 2015. Manual KYB is a data architecture problem masquerading as a staffing problem. KYB software done right is the only durable fix.
Most companies treat KYB as a manual checklist. That is why it takes 3 weeks and still misses things.
The compliance lead at a Series B fintech told us last quarter that her team had been onboarding 40 corporate clients per week with a four-person KYB pod. By Q4 the pod was 11 people, the queue was longer, and shell companies still slipped through. Headcount scaled. Throughput did not.
The reason is structural. A KYB review needs registry data from 30 different jurisdictions, sanctions feeds that update twice an hour, and beneficial ownership trees that branch four levels deep. Humans pulling that data through browser tabs and PDFs cannot ship faster than the slowest registry response. KYB software is the architecture answer to a problem that hiring more analysts cannot solve. Architecture is the bottleneck. Analysts sit downstream of it.
The strong version of the argument: KYB software is not "automation of a manual process." Manual KYB and automated KYB are different products. The manual workflow optimises for analyst checkboxes. KYB software optimises for an immutable, machine-readable case file that a regulator can audit cryptographically. Treating one as the slow version of the other is the procurement mistake fintechs make in their first 18 months and pay for in their second.
What does KYB software actually have to do under FATF Recommendation 24, the Corporate Transparency Act, and 6AMLD?
KYB software is the implementation layer for the obligation to verify the legal existence, ownership structure, and risk profile of every business customer you onboard. FATF Recommendation 24 sets the international floor. The four major regimes that KYB software has to satisfy in 2026 each cite slightly different numbers, but the workflow is the same.
In the United States, FinCEN's Beneficial Ownership Information (BOI) reporting rule under the Corporate Transparency Act took effect on January 1, 2024 and was originally projected to capture roughly 32 million reporting companies. In March 2025, following litigation and a Treasury announcement, the rule was narrowed to apply only to foreign reporting companies registered to do business in the US, with US domestic companies and their owners no longer required to file. KYB software in 2026 has to handle both pre- and post-narrowing data: companies that filed before March 2025 are in the BOI database; companies that did not are not. Operator language for this on a recent call: "the BOI database is now half-full and you cannot tell which half from the API."
The European Union's Sixth Anti-Money Laundering Directive applies a 25% beneficial ownership threshold across member states, with the new EU AMLA single rulebook (operational from 2025) tightening per-decision defensibility. The UK's Economic Crime and Corporate Transparency Act 2023 added identity verification at Companies House registration for the first time in the registry's 180-year history, with phased rollout through 2026. KYB software has to integrate with each of these, in their native data formats, at the freshness cadence the regulator expects.
A complete KYB workflow has four components.
UBO identification at the 25% threshold
Ultimate Beneficial Owner (UBO) identification means tracing the natural persons who own or control 25% or more of a corporate entity, directly or indirectly. The 25% threshold appears in 4AMLD, 5AMLD, the FinCEN BOI rule, and most major jurisdictions. Indirect ownership multiplies through layered structures, so a UBO trace must walk every branch until it reaches a natural person, a publicly traded parent, or a regulated entity. KYB software that stops the trace at the first corporate match is the design flaw that kept Danske Bank's Estonia branch alive for nine years.
Corporate registry checks across 190+ jurisdictions
Registry verification confirms the entity exists, is in good standing, and matches the customer-submitted data. Over 190 corporate registries operate globally, and they speak different schemas. Companies House (UK) returns JSON. OpenCorporates aggregates many but trails on freshness. Germany's Handelsregister requires PDF parsing. France's Infogreffe is paywalled per query. Many emerging-market registries return scanned images that need OCR before any field is usable. KYB software that treats this as a "200 country coverage" line item without naming which connectors are live and which are aggregated is the procurement red flag the rest of this piece is about.
Sanctions and watchlist screening at the entity, director, and UBO layers
Screening must run against the entity itself, every director, every UBO, and any politically exposed person (PEP) connections. OFAC's SDN list, the EU consolidated list, the UK OFSI list, and the UN consolidated list update on irregular schedules and require fuzzy matching to handle name variations, transliteration, and aliases. KYB software has to screen at every layer. Most fintechs have adverse media screening switched on but functionally useless because the noise floor is 95% and they have no triage logic. (See our adverse media screening guide for the AMLA reframe.)
Adverse media screening and configurable risk scoring
Adverse media screening scans regulatory enforcement actions, court records, and trusted news sources for negative signals. Risk scoring then aggregates jurisdiction risk, industry risk, ownership opacity, sanctions proximity, and adverse media into a single risk band that drives the level of customer due diligence applied. The scoring logic has to be transparent. Black-box risk scores are a regulator-relations liability and a procurement red flag.
The order matters. Skipping the UBO trace because the registry returns a clean entity name is the design flaw that kept Danske Bank's Estonia branch alive for nine years. KYB software that does not enforce the order is not KYB software.
KYB vs KYC: what is the difference?
KYC verifies a person. KYB verifies a business and the people behind it.
KYB vs KYC at a glance
The procedural overlap is real. Both apply identity checks. Both screen against sanctions and PEP lists. Both produce risk scores. The difference is the entity surface area. A KYC review is a single natural person and a small handful of documents. A KYB review is a corporate entity, its registration documents, its directors (each requiring a KYC layer), its UBOs (each requiring a KYC layer), its operating jurisdiction, and the layered ownership structures that connect them. KYB software is what makes the recursion tractable.
Most fintech compliance teams use the same vendor for both, and the workflows still behave differently. KYC is fast and high-volume: thousands of consumer onboardings per day, each finishing in seconds with document plus selfie. KYB is slow and low-volume: hundreds of corporate onboardings per week, each finishing in days because the data sources are slower and the verification is recursive. Treating KYB as KYC-with-extra-fields is the most common architectural mistake fintechs make in the first 18 months after launch, and the most common reason a KYB software procurement gets re-opened in year two. For the deeper KYB vs KYC breakdown, see our KYB vs KYC differences guide.
The regulatory citation differs too. KYC duties trace to FATF Recommendation 10. KYB duties trace to Recommendation 24, the FinCEN BOI rule, and beneficial ownership directives across 5AMLD and 6AMLD. They share enforcement teeth. They do not share statutory text.
Where does manual KYB actually break, and how does each break show up in enforcement?
Manual KYB fails on four reproducible failure modes. Each maps to an enforcement action a regulator has already cited in 2024 or 2025. KYB software is the architectural fix for each one.
Latency turns onboarding into a customer acquisition tax
A 19-to-26-day onboarding cycle is a CAC math problem before it is a compliance problem. Corporate prospects abandon mid-flow, sales pipelines age out, and competitors with same-week onboarding capture the deal. The fintech that called us last quarter had a 38% mid-KYB drop-off rate. Their CAC was being miscounted by a factor of two because finance was attributing the drop to top-of-funnel marketing. KYB software changes this from a sales-finance argument into an architecture decision.
Inconsistency creates regulatory exposure
When 11 analysts run the same KYB review, you get 11 risk decisions. Some apply enhanced due diligence at the same risk band where others apply standard CDD. Some pull the German Handelsregister directly; others lean on aggregators and miss the most recent filings. The FCA's 2024 enforcement against Starling Bank (GBP 29 million) and the 2025 Monzo penalty (GBP 21 million) both cited "control framework inconsistency" as a contributing factor. That phrase is regulator code for: your humans were doing it differently. KYB software with deterministic, configurable risk logic is the fix.
Human error compounds across a layered ownership tree
A four-level UBO trace involves dozens of name comparisons, address matches, and date-of-birth confirmations. Human accuracy on this kind of repetitive matching task degrades after the third hour of a shift. The Danske Bank Estonia case was traced in part to KYB analysts who stopped tracing UBOs once a corporate name returned a match in the local registry, leaving the layered shell structures untouched. The Wirecard collapse (EUR 1.9 billion missing, 2020) was the same pattern at a different layer: corporate-level verification clean, ownership and operating-entity verification fictional. KYB software designed around recursive ownership trees, not flat entity records, is the architectural countermeasure.
No audit trail means no defensible answer to the regulator
When FinCEN or the FCA arrives, every KYB decision must be reproducible. Manual workflows scattered across email threads, screenshot folders, and analyst notes do not reproduce. The 2024 TD Bank enforcement (a USD 1.3 billion FinCEN penalty, USD 3.1 billion combined) included findings that the bank could not produce contemporaneous evidence for monitoring decisions made years prior. Reproducibility is the audit-trail bar, and it is invisible until the moment you need it. KYB software that does not produce an immutable case file as the side effect of running the workflow is selling the appearance of compliance, not the substance.
Recent enforcement that should be in your KYB software business case
What should KYB software actually deliver in 2026?
Buying KYB software in 2026 means buying a data integration layer, not a UI. The differences that matter sit below the surface. Five buying criteria, ranked by how often they are the procurement-decision regret in year two.
1. API-first architecture, not API as an afterthought
API-first means the platform was built to be called by your onboarding system, not for analysts to log into a portal and click. Every action a human can take in the dashboard must be available as an API call your engineers can wire into the underwriting flow. Vendors that gate features behind the UI are extracting per-seat margin, not solving onboarding latency. The procurement test: ask for the API reference, not the demo video. If the API reference is shorter than the dashboard tour, the KYB software is a UI product with API hooks bolted on, not an API product with a dashboard.
2. Live coverage across 190+ jurisdictions, with named registry connectors
Coverage breadth matters less than coverage depth. A vendor claiming "200+ countries" while running OpenCorporates aggregation in 70% of them is selling stale data with a freshness lag of 6 to 18 months. Verify which connectors are live, which are aggregated, and what the median data freshness is per jurisdiction. Companies House (UK), Handelsregister (Germany), Infogreffe (France), US state Secretary of State APIs, ACRA (Singapore), DIFC, the Hong Kong Companies Registry, Australia's ASIC, and Brazil's CNPJ should be live, not aggregated. KYB software that cannot answer "which connector, what freshness, what failure mode" for each tier-1 jurisdiction is not the KYB software you want.
3. Automated registry pulling with parsing of unstructured returns
Many registries return PDFs or scanned images. Real automation means OCR, structured field extraction, and schema normalisation happening inside the platform, not a queue of "manual review required" tickets your team works through every Monday. The pulled data should land in the case file as structured fields, ready for risk scoring. KYB software that relies on the customer's own analyst team to read the PDF is selling a queueing system, not automation.
4. Configurable risk scoring tied to your policy, not the vendor's
Your risk appetite is not the vendor's. The platform must let you configure jurisdiction weights, industry weights, UBO opacity weights, and sanctions proximity logic to match the policy your CCO has approved. Black-box risk scores are a regulator-relations liability and a procurement red flag. AMLA's per-decision defensibility framing makes the configurability requirement structural, not stylistic.
5. Immutable, regulator-ready audit trail as a side effect of running the workflow
The case file should be the workflow, not a separate artefact teams assemble after the fact. Every input, every API call, every analyst override, and every risk-band decision should be logged immutably with timestamps and policy versions. KYB software that produces audit logs only when an admin clicks "export" is one click away from non-reproducibility. The TD Bank pattern is what regulators learned to look for after October 2024.
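One way to make such a case file tamper-evident is a hash chain, shown here as an added example rather than the article's or Zyphe's implementation: every entry commits to its predecessor, and the latest hash is anchored somewhere the log's operator cannot rewrite. The field names, the sample events and the `CaseFile` class are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class CaseFile:
    """Append-only KYB case file; each entry commits to the one before it."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def append(self, ts, actor, action, detail, policy_version):
        body = {"case_id": self.case_id, "seq": len(self.entries), "ts": ts,
                "actor": actor, "action": action, "detail": detail,
                "policy_version": policy_version}
        prev = self.head()
        self.entries.append({**body, "prev": prev, "hash": _digest(prev, body)})
        return self.entries[-1]["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, body):
            return i
        prev = e["hash"]
    # An internally consistent chain can still have been rebuilt or truncated;
    # only a head hash stored outside the log (the anchor) catches that.
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1


def build_sample():
    # Constructed events for one hypothetical onboarding; not real data.
    cf = CaseFile("case-0001")
    cf.append("2026-01-05T09:00:00Z", "api", "registry_pull",
              {"jurisdiction": "GB", "status": "active"}, "policy-v7")
    cf.append("2026-01-05T09:01:10Z", "api", "ubo_trace",
              {"ubos": 2, "unresolved": 0}, "policy-v7")
    cf.append("2026-01-05T09:01:40Z", "api", "screening",
              {"sanctions_hits": 1}, "policy-v7")
    cf.append("2026-01-05T10:15:00Z", "analyst:42", "analyst_override",
              {"risk_band": "high", "reason": "sanctioned UBO"}, "policy-v7")
    cf.append("2026-01-05T10:15:05Z", "api", "risk_band",
              {"band": "high"}, "policy-v7")
    return cf


if __name__ == "__main__":
    case = build_sample()
    print("intact:", verify(case.entries, case.head()) == -1)
```

Editing one stored entry breaks the chain at that entry. Re-hashing everything after an edit yields a consistent chain that still fails against the anchored head, which is why the head has to live outside the system being audited.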
For the broader vendor-evaluation framework, see our top compliance tools evaluation guide.
How does Zyphe KYB software walk the ownership tree in one API call?
Zyphe KYB runs as a single API call against a verify-then-shred architecture. You send a corporate entity reference. Zyphe returns a structured KYB case file. The source data clears from our infrastructure once the verification completes.
The flow has four steps. A registry pull across 190+ jurisdictions surfaces entity status, registration documents, and current directors. A UBO trace then walks the ownership tree to natural persons or regulated parents, surfacing intermediate corporate entities along the way. Sanctions, PEP, and adverse media screening runs at the entity, director, and UBO layers in parallel. A configurable risk score lands in the case file with the underlying signals exposed, so the audit trail is the workflow, not a separate document teams assemble after the fact.
Median completion time is under 8 minutes for entities in tier-1 jurisdictions and under 24 hours for tier-3 jurisdictions where a slow registry response is the rate-limiting step. Every input, every API call, and every analyst override is logged immutably in the case file. When a regulator asks what you knew and when you knew it, you produce the case file.
The verify-then-shred design means Zyphe holds verified attestations rather than raw documents. Source documents are sharded across 60,000+ decentralised storage nodes using a 29-of-100 threshold scheme, with the customer holding the encryption key. When a UBO updates an identity attribute, the attestation stays valid without a fresh document collection cycle. The KYB software stack and the decentralised KYC stack share the same architectural commitment: do not hold the breach surface.
What does a real KYB workflow look like for a B2B marketplace?
A B2B marketplace onboarding 200 merchant partners per week ran the manual workflow until Q3 2025. Their compliance team was 7 analysts deep, the median KYB cycle was 14 days, and merchants were churning to faster competitors before activation.
The replacement workflow has three stages. At signup, the merchant submits a registration number and operating jurisdiction. KYB software runs the full stack in the background while the merchant completes catalog setup. By the time the merchant tries to publish their first listing, the KYB case file is in the marketplace's underwriting system and a risk band has been assigned.
Low-risk merchants (clean registry, single jurisdiction, named UBO, no sanctions proximity) auto-approve and publish within the same business day. Medium-risk merchants route to a 30-minute analyst review with the structured case file pre-populated, so the analyst is checking work, not assembling it. High-risk merchants route to enhanced due diligence with adverse media context already pulled and ownership opacity flagged.
The marketplace's median onboarding cycle dropped from 14 days to 4 hours. Analyst headcount stayed flat as merchant volume tripled. The audit trail is reproducible per merchant, which is exactly what the marketplace's banking partner asked for in its 2025 program review. Charlene Wang, Zyphe's CRO, framed the operator-side story on a customer call this March: "every marketplace that has scaled past 1,000 merchants has hit the same wall. The wall is not bad analysts. The wall is a workflow that does not produce structured data. KYB software is the wall coming down."
What are the real edge cases KYB software still struggles with?
Five edge cases worth flagging in your procurement diligence. KYB software vendors that handle these tend to handle the rest. Vendors that hand-wave on these will hand-wave when your regulator emails you.
BVI, Cayman, and other opaque jurisdictions
Trust structures terminating in BVI, Cayman, certain Liechtenstein vehicles, and similar jurisdictions can hide UBOs behind nominee directors and corporate trustees. KYB software cannot conjure ownership data that the registry does not publish. What it can do is flag the opacity, surface every available signal (regulator filings, related-entity adverse media, sanctions proximity at adjacent layers), and route to enhanced due diligence with the residual gap documented for audit purposes. "We could not see the UBO" is a defensible answer when documented; "we did not check" is not.
Recently filed amendments not yet indexed
Most registries have a lag between filing and indexing. Companies House currently runs 24 to 72 hours. Some EU registries run weeks. KYB software has to know which connector is which and surface the lag in the case file. The procurement question: how does the platform handle a UBO change filed today but not yet indexed? "We will catch it on next refresh" is the wrong answer. The right answer: "we cache the customer-submitted data, flag the staleness, and re-screen on a defined cadence."
Liveness checks fail for older users with NFC passports
A specific edge case our partner banks see frequently. Older users (60+) with NFC-equipped passports have higher liveness check failure rates because the camera angles, the holding distance, and the chip-read timing assume a younger user's reflexes. The result is a director or UBO who genuinely passes paper-document KYC but fails the biometric layer. KYB software that fails these users hard is shipping a discrimination problem disguised as a security control. Right pattern: graceful fallback to alternate verification (in-person notarisation, video KYC with a human reviewer), with the case file flagging the alternate path.
Sanctioned entities laundered through clean intermediaries
A sanctioned UBO can be hidden by interposing a clean intermediary between the entity and the UBO. KYB software with shallow trace logic stops at the clean intermediary. KYB software with deep trace logic walks until it reaches a natural person or a regulated parent. The OFAC enforcement actions of 2024-2025 (notably the OKX USD 504M settlement) cite this exact pattern.
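An added example (not Zyphe's code and not from the original article) of the deep trace described here and under "UBO identification at the 25% threshold": indirect stakes multiply along each path and sum across paths, and the walk ends only at a natural person, a listed parent, or a regulated entity. The register, the names and the sanctions hit are constructed for illustration; `max_depth` is a hypothetical knob used to reproduce a shallow trace.

```python
from collections import defaultdict

THRESHOLD = 0.25  # the 25% beneficial-ownership threshold cited in the article

# Constructed sample register: entity -> list of (owner, fraction held).
OWNERS = {
    "TargetCo":  [("HoldCo A", 0.60), ("HoldCo B", 0.40)],
    "HoldCo A":  [("Alice", 0.50), ("NomineeCo", 0.50)],
    "HoldCo B":  [("Alice", 0.30), ("ListedPLC", 0.70)],
    "NomineeCo": [("Boris", 1.00)],   # clean intermediary in front of Boris
}
# Constructed node types; anything not listed is an ordinary company.
KIND = {"Alice": "person", "Boris": "person", "ListedPLC": "listed"}
SANCTIONED = {"Boris"}  # constructed screening hit, not a real list entry
TERMINAL = {"person", "listed", "regulated"}


def trace(entity, max_depth=None):
    """Return (effective stake per terminal holder, unresolved entities)."""
    stakes, unresolved = defaultdict(float), set()

    def walk(node, share, depth, path):
        if KIND.get(node, "company") in TERMINAL:
            stakes[node] += share          # sum over every path to this holder
            return
        if node in path:                   # circular holding: stop, record gap
            unresolved.add(node)
            return
        parents = OWNERS.get(node)
        if not parents or (max_depth is not None and depth >= max_depth):
            unresolved.add(node)           # nothing published, or trace cut short
            return
        for owner, fraction in parents:
            walk(owner, share * fraction, depth + 1, path | {node})

    walk(entity, 1.0, 0, frozenset())
    return dict(stakes), unresolved


def ubos(entity, max_depth=None):
    """Natural persons at or above the threshold, plus gaps to document."""
    stakes, unresolved = trace(entity, max_depth)
    found = {n: round(s, 4) for n, s in stakes.items()
             if KIND.get(n) == "person" and s >= THRESHOLD - 1e-9}
    return found, unresolved


def sanctioned_ubos(entity, max_depth=None):
    found, _ = ubos(entity, max_depth)
    return sorted(n for n in found if n in SANCTIONED)


if __name__ == "__main__":
    print("deep:   ", ubos("TargetCo"), sanctioned_ubos("TargetCo"))
    print("shallow:", ubos("TargetCo", max_depth=2),
          sanctioned_ubos("TargetCo", max_depth=2))
```

With the trace cut at two levels, NomineeCo is reported as an unresolved gap and the sanctioned holder behind it never reaches screening. The full walk attributes 30% of TargetCo to that holder and 42% to Alice across her two paths.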
"We have adverse media on, but it is functionally useless"
Operator language from a head of compliance at a large neobank, on a March 2026 call: "we have adverse media screening turned on, but the noise floor is so high that nobody triages the alerts." The fix is not turning it off. The fix is upstream filtering with risk-band routing, source weighting, and false-positive feedback loops baked into the KYB software, not bolted on by the customer's analyst team. The AMLA per-decision defensibility framing made this a regulator-relations issue, not just a workflow issue. See our adverse media screening AMLA reframe.
How do you evaluate KYB software in the next 30 days?
Five concrete moves. This lands in 30 days for a focused procurement team, 60 if legal review is the bottleneck.
- Inventory your current KYB cycle time, drop-off rate, and cost per onboarded business. If you do not have these numbers, KYB software's value proposition is a guess. The fintech we mentioned at the top did not know its drop-off was 38% until we asked.
- Map your jurisdiction mix. Tier-1 (US, UK, EU, Singapore, Australia) drives the live-connector requirement. Emerging markets drive the OCR and aggregator-fallback requirements. KYB software that wins for tier-1 may lose for tier-3, and vice versa.
- Run the API-first procurement test. Ask each vendor for their API reference, their connector freshness table per jurisdiction, and their median end-to-end completion time. The vendor that cannot answer in writing is the vendor whose dashboard hides the answer.
- Pilot two vendors against your real onboarding queue. Two weeks per vendor. Same input set. Compare median time, drop-off, false-positive rate, and case-file completeness. KYB software procurement decisions made on demos are the procurement decisions that get re-opened in year two.
- Update your KYB policy and DPIA. The Data Protection Impact Assessment is the artefact your DPO needs. KYB software that holds verified attestations rather than raw documents is materially easier to defend in a DPIA than legacy KYB platforms.
For the longer technical walkthrough, see how it works and our KYB software product page.
The bottom line
KYB software in 2026 is not a faster version of manual KYB. It is a different product. The manual workflow optimises for analyst checkboxes. KYB software optimises for an immutable, machine-readable case file that a regulator can audit cryptographically. The fintechs and marketplaces that scaled past 1,000 corporate customers without melting their compliance team did the architecture work in year one. The ones that did not are running 11-person KYB pods at the back of a 19-day queue and still missing shell companies.
Michelangelo Frigo (Co-Founder at Zyphe). Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.