Know-Your-Business — KYB — is the commercial counterpart to consumer KYC. Where Know-Your-Customer verifies individual identity, KYB verifies the legal existence, ownership, and risk profile of a business entity. When a vertical SaaS platform holds funds on behalf of the businesses it serves, KYB is not optional compliance theater. It is the gating requirement that determines whether the platform can legally operate its financial products at all.
Most vertical SaaS teams come to this with some intuition from consumer identity verification — document upload, SSN check, selfie matching — and assume the business version is similar. It is not. The data model is different, the failure modes are more expensive, and the regulatory framework is layered in a way that catches platforms by surprise.
The Regulatory Foundation: FinCEN's CDD Rule
The applicable regulatory requirement is FinCEN's Customer Due Diligence rule, codified at 31 CFR 1020.220 and finalized in 2016 with compliance required from 2018. The rule applies to "covered financial institutions" — banks, credit unions, broker-dealers, futures commission merchants, and mutual funds — and requires them to collect and verify a standard set of information about the legal entities they open accounts for. Critically, the rule includes a beneficial ownership prong: for any legal entity customer, the institution must identify and verify the identity of individuals who own 25% or more of the equity interest, plus the individual with significant managerial control (the "control prong"), regardless of ownership percentage.
A vertical SaaS platform is not itself a covered financial institution. But the bank partner whose FBO structure the platform uses is — and the bank's BSA/AML program extends through to the platform's KYB process by contractual obligation. The bank requires the platform to collect CDD data on every business with a sub-account, because the bank's examiner will ask for it and the bank will not want to be the one explaining gaps.
This is the practical effect: whatever the bank's CDD standard is, that standard flows downstream to the platform's KYB onboarding. The platform is running KYB not just because it is good practice, but because the bank's charter depends on the platform's KYB program being real.
What the KYB Data Collection Actually Requires
At minimum, for every business entity onboarding to a platform's embedded finance product, the platform needs to collect and verify:
- Legal entity name — as registered with the state, not a DBA. A "Smith's HVAC" that is legally registered as "Smith Environmental Services LLC" needs the LLC name, not the trade name.
- Employer Identification Number (EIN) — and this needs to be validated against IRS TIN Matching, not just accepted as input. An EIN that does not match the entity name in the IRS database is a significant red flag and needs manual review before account opening.
- State of formation and registration status — the entity should be active in its state of formation. Dissolved or administratively dissolved entities should be flagged and held.
- Physical business address — not a PO box. USPS address validation is a reasonable baseline check.
- Business type classification — entity type (LLC, S-corp, sole proprietor, partnership), plus a business category for purposes of assessing the risk profile of the business activity.
- Beneficial ownership — the names, SSNs, dates of birth, and addresses of all individuals owning 25% or more, plus the control prong individual. This is where sole proprietors are handled differently than multi-member LLCs.
For sole proprietors — which constitute a substantial share of the SMB population on most vertical SaaS platforms — the beneficial ownership and control prong are the same individual: the owner themselves. The KYB flow for a sole proprietor is essentially a KYC check on the individual, combined with TIN matching for the business's EIN (or SSN if the sole proprietor uses their SSN as their TIN). This is a simpler path than multi-entity LLC onboarding, but it still requires identity verification on the individual, not just acceptance of their name and EIN.
OFAC Screening and Ongoing Monitoring
Every business entity and beneficial owner collected during KYB needs to be screened against OFAC's Specially Designated Nationals (SDN) list before account opening — and on an ongoing basis thereafter. OFAC screening is not a one-time event. The SDN list is updated frequently, sometimes daily, and a business or individual can be added at any time. The platform's BSA/AML program needs to include a process for re-screening the entire customer base when the list is updated, and for acting on hits — which means account restriction pending investigation, not just a logged flag.
The practical implementation question is whether to integrate a dedicated OFAC/sanctions screening vendor (several are available in the market, with pricing that makes sense at scale) or to rely on the KYB platform provider's built-in screening. The advantage of a dedicated screening vendor is configurability: you can set match thresholds, review workflows, and audit trail requirements to your bank partner's specifications rather than accepting another vendor's defaults.
Enhanced Due Diligence Triggers
Standard CDD applies to most businesses. Enhanced Due Diligence (EDD) applies to higher-risk customers, and the definition of "higher-risk" needs to be documented in the platform's BSA/AML program. Common EDD triggers in vertical SaaS contexts include:
- Cash-intensive business categories (car washes, nail salons, used car dealers, pawn shops) where the expected transaction pattern includes significant cash-to-ACH conversion
- Businesses with significant international transaction activity that falls outside the expected pattern for their vertical
- High-volume onboarding from a geographic concentration that does not match the platform's normal distribution
- Businesses that fail initial TIN matching but provide alternative documentation
- Individuals with a partial match on OFAC screening that did not resolve to a confirmed hit but warrants documentation
EDD typically means collecting additional documentation (business licenses, bank statements, additional beneficial owner information), taking additional time before account activation, and documenting the rationale for proceeding after review. The platform's BSA/AML policy needs to specify what EDD looks like and who can approve the account opening decision.
The Failure Modes Are Expensive
We are not saying that KYB implementation is simple or that every platform gets it perfectly on the first pass — the edge cases are genuinely hard. What we are saying is that the failure modes are consequential in a way that most software bugs are not.
An incomplete KYB program that allows accounts to open without complete beneficial ownership data puts the bank partner at regulatory risk. If the bank's examiner finds systematic gaps in the platform's CDD files during an examination, the bank's response will likely be to restrict or terminate the FBO arrangement — which means the platform's entire treasury product goes offline for every customer, not just the ones with gaps. That is a business continuity event, not a compliance paperwork problem.
The failure mode that actually bites most often is not a dramatic fraud scenario but a mundane process gap: the KYB flow has a field marked optional that the bank's program marks required. Or the TIN matching step times out on 2% of submissions and the retry logic silently skips it. Or the EDD trigger logic has a gap for a specific business type that the bank's examiner specifically asks about. These are solvable problems, but they require treating KYB as a real compliance function from day one, not a checkbox to be refined after launch.
Vertical-Specific Considerations
The vertical your platform serves affects the shape of KYB in non-obvious ways. A veterinary practice management platform onboarding licensed veterinary practices has a natural business legitimacy signal — a valid state veterinary license — that can be incorporated into the KYB documentation as additional verification. A beauty salon platform might prioritize state cosmetology licensing as a supplementary document. A fitness platform onboarding gym operators might accept fitness facility permits or liability insurance certificates as business verification supplements.
These vertical-specific document types do not replace the core CDD requirements, but they are appropriate additions that make the KYB record more complete and give the bank's BSA team more confidence in the business population the platform is onboarding. They also reduce friction for legitimate businesses, who are more likely to have a professional license handy than a certified copy of their articles of incorporation.
KYB is also not a finished state. Business ownership changes. Key owners exit and new ones join. Businesses are acquired. A KYB program needs a defined refresh cycle — typically annual or triggered by specific change events — and a process for collecting updated beneficial ownership when changes occur. A platform that collects KYB at onboarding and never looks at it again has a CDD program that degrades over time.
Getting KYB right is operationally heavy at the outset. But a well-designed KYB flow, calibrated to your specific vertical's business population, becomes an asset: it produces a clean, well-documented customer file that your bank partner trusts and that your compliance team can defend. That trust is what keeps the FBO arrangement — and the treasury products built on top of it — running without interruption.