KYB Requirements for Financial Service Providers

Know Your Business, or KYB, is one of those compliance obligations that sounds straightforward until you are actually doing it. Verifying that a business is who it says it is, understanding who ultimately controls it, and assessing the risk it presents to your organisation is a process that sits at the intersection of legal obligation, operational capacity, and regulatory scrutiny. And in the EU right now, that process is being reshaped by the most significant overhaul of the AML/CFT framework in a generation.
This guide is written for compliance teams, MLROs, and senior managers at regulated financial services businesses across the EU, including payment service providers, e-money institutions, credit institutions, and trust and company service providers. It covers what KYB actually requires under EU law, how those requirements are changing under the new AML framework, and what the practical implications are for how you onboard and monitor corporate clients.
What KYB Is and Why It Exists
KYB is the process by which a regulated business verifies the identity, ownership, and legitimacy of a corporate customer before entering into a business relationship with it. It is, in regulatory terms, the application of customer due diligence measures to a legal entity rather than a natural person.
The distinction matters because legal entities introduce a layer of complexity that individual verification does not. A natural person either is who they say they are or they are not. A corporate entity, on the other hand, can have multiple layers of ownership, holding structures spanning several jurisdictions, nominee directors, and ultimate beneficial owners who may be deliberately obscured behind legitimate-looking intermediary companies. The entire point of KYB is to see through that structure to the natural persons who ultimately own or control the business, and to assess whether that picture presents an acceptable risk.
KYB requirements in the EU are grounded in the AML/CFT regulatory framework, and the obligations they create sit primarily within the customer due diligence chapter of the applicable legislation. What counts as adequate KYB, what documents you need to collect, how you verify what you are told, and what you do when the information does not add up are all defined, at least in outline, by law.

The Legal Framework: What Requires KYB in the EU
The substantive KYB obligations for EU-regulated businesses are currently governed by the AML/CFT framework, which is in the process of a significant transition. For most financial services businesses, the operative requirements today flow from the transposition of the Fourth Anti-Money Laundering Directive into national law, alongside sector-specific requirements from regulators such as the EBA.
That framework is being replaced. Regulation (EU) 2024/1624, known as the Anti-Money Laundering Regulation (AMLR), is the first directly applicable EU AML/CFT rulebook. Unlike previous directives, it does not require transposition into national law. As confirmed on the EUR-Lex summary page for the regulation, it will apply uniformly across all 27 EU Member States from 10 July 2027. The practical implication is that the KYB standards you will be assessed against from 2027 onwards will be the same regardless of which Member State you are regulated in, and regardless of which Member State your corporate customer is established in.
Alongside the AMLR, Regulation (EU) 2024/1620 established the Anti-Money Laundering Authority (AMLA), which commenced operations on 1 July 2025 and is progressively assuming supervisory responsibilities. And Directive (EU) 2024/1640, the sixth AML Directive (AMLD6), updates the institutional framework at national level, including the rules governing beneficial ownership registers, their interconnection, and access for obliged entities.
These three instruments together reshape the environment in which KYB sits. They do not invent new obligations from scratch, but they raise the floor, increase the consistency of how standards are applied, and create a supervisory architecture that is more capable of identifying where KYB is being done poorly.
The Core KYB Requirements Under the AMLR
Under Regulation (EU) 2024/1624, obliged entities must apply customer due diligence measures when establishing a business relationship with a corporate entity. For legal entities, this means the following components must be addressed.
Verification of the Legal Entity Itself
You must verify that the corporate entity you are dealing with actually exists in the form it presents itself. This means obtaining and verifying the legal name, legal form, registered address, and, where applicable, the registration number and registration authority of the entity. For entities incorporated in EU Member States, this information should be obtainable from official corporate registries.
The quality of this verification matters. Accepting self-certified documentation from the customer without checking it against an authoritative source is not adequate CDD. The expectation under the AMLR, and one that AMLA's draft Regulatory Technical Standards on customer due diligence are refining further, is that obliged entities use reliable and independent sources to verify the information they collect. For corporate verification, this means primary-source registry data rather than documents the company itself provides.
Understanding the Ownership and Control Structure
Beyond verifying the legal entity, you must understand and document its ownership and control structure. Regulation (EU) 2024/1624 requires that, in situations where the customer's ownership and control structure contains more than one legal entity or legal arrangement, obliged entities take risk-sensitive measures to obtain and assess the relevant information at each layer. This is the part of KYB that creates the most operational difficulty for businesses onboarding customers with complex or multi-jurisdictional structures.
It is not enough to verify one layer of ownership and stop. If your corporate customer is owned by a holding company, which is in turn owned by a trust in a third country, you need to understand that entire chain well enough to identify the natural persons at the end of it. The depth of that investigation should be proportionate to the assessed risk of the relationship, but it cannot be superficial even in standard-risk cases.
Identifying and Verifying Beneficial Owners
The identification and verification of beneficial owners is arguably the most critical element of the KYB process and the one most consistently identified as inadequate during regulatory inspections. Under the AMLR's summary provisions on EUR-Lex, beneficial owners are defined as the natural persons who directly or indirectly hold an ownership interest of 25% or more of the shares or voting rights in a corporate entity, or who otherwise exercise control over it.
This threshold has been a feature of the EU AML framework since the Fourth Anti-Money Laundering Directive, but the AMLR tightens how verification must be conducted and what you must do when you cannot identify a beneficial owner within the ownership structure. Under Directive (EU) 2024/1640, obliged entities must have timely access to the information held in the interconnected central beneficial ownership registers when conducting customer due diligence, and they must report any discrepancies they find between the information they collect from the customer and what the central register holds.
That discrepancy reporting obligation is important. It means KYB is not just a data-collection exercise. It is a verification exercise that actively contributes to the integrity of the beneficial ownership register system across the EU.
Verifying Beneficial Owners' Identities
Identifying who the beneficial owners are is one step. Verifying their identities is another. For each individual identified as a beneficial owner, you must verify their identity using reliable and independent sources, which typically means obtaining certified copies of government-issued identity documents and, where the risk level warrants it, conducting additional checks to confirm the individual is who they claim to be.
AMLA's ongoing consultation on draft RTS on customer due diligence is developing the detailed technical standards that will specify exactly what information must be collected and what sources are considered reliable and independent for this purpose. Until those standards are finalised, the baseline expectation from the EBA's response to the Commission's call for advice continues to apply: verification must be based on documentary evidence obtained from sources independent of the customer.

Understanding the Purpose and Nature of the Business Relationship
KYB also requires you to understand why the corporate customer wants to do business with you, what products or services they need, what kind of transaction volume you should expect, and whether any of that is inconsistent with what you know about the nature of the business. This is sometimes treated as a box-ticking exercise during onboarding, but it serves a genuine risk function. If you later observe transactions that are inconsistent with the stated purpose, that inconsistency is a trigger for investigation and potentially for enhanced due diligence or suspicious activity reporting.
Risk-Based Calibration: What Level of KYB Does Each Customer Need?
One of the defining features of the EU AML framework is that it is risk-based. This means the depth and intensity of KYB should be proportionate to the risk the corporate customer presents. Regulation (EU) 2024/1624 makes clear that obliged entities must at all times be able to demonstrate to their supervisors that the measures taken are appropriate in view of the risks identified.
This calibration operates at three levels. Standard due diligence applies to customers where no particular risk factors are present. Simplified customer due diligence applies where the risk is clearly limited based on customer, product, or geographical factors set out in the Annexes to the AMLR, noting that simplified due diligence is a reduced set of scrutiny measures, not an exemption from due diligence altogether. Enhanced due diligence applies to higher-risk relationships, including customers with complex or opaque ownership structures, customers from high-risk third countries identified by the European Commission, and customers where a transaction is complex, unusually large, or does not appear to have an obvious economic or lawful purpose.
The practical challenge of calibration is that it requires both good initial risk scoring at onboarding and a system for updating that scoring as circumstances change. A corporate customer who presents a standard risk profile at onboarding may become a higher-risk customer six months later if their beneficial owner is added to a sanctions list, their jurisdiction of incorporation appears on a new high-risk list, or the transactions you see are inconsistent with what you were told to expect.
Ongoing Monitoring: KYB Is Not Just an Onboarding Exercise
One of the most important shifts in how regulators are thinking about KYB is the insistence that it is not a point-in-time exercise completed at onboarding. Regulation (EU) 2024/1624 requires that obliged entities ensure the relevant documents, data, and information of the customer are kept up to date throughout the business relationship, with the frequency of updates dependent on the risk level of the relationship.
What this means operationally is that you need a system for identifying when a refresh of customer information is due, when a trigger event (such as a change in beneficial ownership, an adverse media result, or a sanctions screening hit) requires immediate review, and when the information you hold has become stale and needs to be proactively updated. A KYB process that collects the right information at onboarding and then does nothing with it until the next scheduled review is not adequate. That is why using automated KYB and compliance management software like SpeedyDD is beneficial.
The Discrepancy Reporting Obligation
The obligation to report discrepancies between the beneficial ownership information you collect and what is held in the national beneficial ownership register deserves specific attention because it is genuinely new in scope and creates active compliance responsibilities rather than passive ones.
Under Directive (EU) 2024/1640, obliged entities must report any discrepancies they find. This means you need to check the register and compare it with what your customer tells you, and if the information does not match, you cannot simply note the discrepancy and carry on. You must report it to the entity responsible for maintaining the central register, and you must continue your own due diligence on the basis of your findings.
Member States are required under AMLD6 to ensure that obliged entities have timely access to the information held in the interconnected central beneficial ownership registers when conducting customer due diligence. The interconnection of these registers across Member States is being built progressively, with the European Commission developing the bank account registers interconnection system (BARIS) to link centralised national mechanisms.
What Changes for KYB Under the New EU Framework
The shift from directive-based to directly applicable regulation brings a number of specific changes for KYB practice that compliance teams should be building for now, even though the AMLR does not apply in full until July 2027.
The most significant change is the removal of national discretion. Under the previous directive framework, Member States implemented AML requirements in slightly different ways, and what was adequate KYB in one jurisdiction was not always identical to what was adequate in another. From July 2027, the standard will be the same across all 27 Member States. For businesses operating cross-border, this is genuinely simplifying in one sense, but it also means there is no longer anywhere to hide behind a more permissive national interpretation.
The AMLR also tightens beneficial ownership transparency more broadly. Non-EU entities that enter into business relationships with EU obliged entities must now submit beneficial ownership information to a Member State's central register, as confirmed in the EUR-Lex summary of the regulation. This extends the reach of beneficial ownership transparency to third-country structures that interact with the EU financial system, which matters significantly for businesses with internationally structured clients.
AMLA is also developing detailed guidance on the specific information that must be collected for standard, simplified, and enhanced due diligence, with its draft Regulatory Technical Standards under Article 28(1) of the AMLR specifying the requirements and documents to be obtained at each level of due diligence. These standards will give compliance teams much more precise guidance on what a complete KYB file looks like, but they also mean there will be much less room for interpretation about whether what you have collected is adequate.
Common KYB Failures That Regulators Find
The most frequently identified weaknesses in KYB across EU-regulated businesses follow a consistent pattern.
Beneficial ownership information is collected from the customer but not independently verified against a primary source.
The ownership chain is traced to an intermediate holding company but not further, leaving the ultimate beneficial owners unidentified.
The KYB file is complete at onboarding but never meaningfully updated during the business relationship.
Risk scoring is applied generically rather than reflecting the specific characteristics of the individual customer.
And discrepancies between what the customer reports and what appears in the beneficial ownership register are noted but not acted on or reported.
These are not obscure technical failures. They are the kind of gaps that a well-designed KYB process, supported by access to authoritative registry data, should prevent.
The Source Data Problem
One of the least visible but most consequential aspects of KYB quality is the provenance of the data used to verify what a corporate customer tells you. If you are relying on information the customer provides about itself, supplemented by commercially aggregated databases that may themselves have drawn on secondary or outdated sources, your verification is only as reliable as the weakest link in that chain.
Regulatory expectations across the EU are increasingly focused on the use of reliable and independent sources. For corporate verification, the most authoritative source is the official corporate registry of the jurisdiction where the entity is incorporated. Connecting to that registry directly, rather than relying on aggregated or repackaged data, provides verification evidence that is both more current and more defensible under regulatory scrutiny.
This is one of the core reasons why the quality of the data infrastructure underlying your KYB process matters as much as the process design itself.
About SpeedyDD
SpeedyDD is built around the conviction that good KYB starts with good data. Our platform connects directly to over 3000 corporate registry data sources across more than 200 countries and territories, giving compliance teams the access to primary-source, authoritative information that defensible KYB verification requires.
Our mission is to help complex and regulated businesses maintain continuous audit-readiness, and that starts at onboarding. When you verify a corporate customer against SpeedyDD's data, you are drawing on registry-level sources.
We also integrate directly with partners including The KYB, extending access to a global direct registry network that is particularly valuable for verifying multi-jurisdictional ownership structures. Whether you are onboarding a straightforward SME or working through a complex cross-border holding structure ahead of a high-value relationship, SpeedyDD supports the verification work that keeps your KYB files complete, current, and audit-ready.
Frequently Asked Questions
What is the difference between KYB and KYC?
KYC, or Know Your Customer, refers to the process of verifying the identity of an individual. KYB, or Know Your Business, is the equivalent process applied to a corporate entity. While KYC focuses on confirming who a natural person is, KYB requires you to verify that a legal entity exists and is properly registered, understand its ownership and control structure, identify the natural persons who ultimately own or control it (the beneficial owners), and assess the risk the business relationship presents. In practice, KYB typically incorporates KYC elements because verifying the identity of beneficial owners requires you to apply individual identity verification to the natural persons at the end of the ownership chain.
Who is required to carry out KYB in the EU?
Regulation (EU) 2024/1624 applies to obliged entities, which include credit institutions, financial institutions, payment service providers, e-money institutions, crypto-asset service providers, trust and company service providers, auditors and accountants, tax advisors, notaries and legal professionals involved in certain transactions, and a broadened list of other sectors including real estate agents, crowdfunding platforms, and consumer credit providers. Any of these entities that enters into a business relationship with a corporate customer is required to apply KYB as part of its customer due diligence obligations. The specific depth and intensity of KYB required depends on the risk level of the customer and relationship.
What is a beneficial owner in the EU AML context?
Under Regulation (EU) 2024/1624, a beneficial owner is a natural person who directly or indirectly holds 25% or more of the shares or voting rights in a corporate entity, or who otherwise exercises control over it. Where no natural person can be identified through the ownership and control threshold, or where there is reasonable doubt about the information obtained, obliged entities must take additional steps to identify the natural person exercising effective control. If no natural person can ultimately be identified, the senior managing official of the entity may be recorded as the beneficial owner, but this should be treated as a last resort and documented as such.
What documents are typically required for a KYB check?
The precise requirements will be specified in more detail by the AMLA Regulatory Technical Standards on customer due diligence currently being finalised. In standard-risk cases, a complete KYB file would typically include the certificate of incorporation or equivalent registration document, the articles of association or equivalent constitutional document, a current extract from the relevant corporate registry confirming the legal name, registered address, and directors, a beneficial ownership declaration or shareholder register, identity verification documents for each beneficial owner, and evidence of the nature and purpose of the intended business relationship. For higher-risk relationships, additional documentation such as source of funds or source of wealth evidence, financial statements, and more detailed information about the business's operations may be required.
What does the AMLR change about KYB compared to the current framework?
The most consequential change is the shift from a directive-based system, where Member States had discretion in how they transposed AML requirements into national law, to a directly applicable Regulation that applies uniformly across all 27 EU Member States from 10 July 2027. This eliminates the national variation that has allowed different standards to persist across jurisdictions. The AMLR also tightens beneficial ownership transparency for non-EU entities interacting with the EU financial system, extends the scope of obliged entities to include new sectors, strengthens the obligation to report discrepancies between self-reported and register-held beneficial ownership information, and sets out more detailed ongoing monitoring obligations including risk-based refresh triggers that apply even to lower-risk customer relationships.
What is the discrepancy reporting obligation and how does it affect KYB?
Under Directive (EU) 2024/1640, obliged entities must report to the entity responsible for maintaining the central beneficial ownership register any discrepancy they identify between the information obtained from a customer during KYB and the information held in the register. This means KYB is no longer just about collecting and verifying information from or about the customer. It also requires you to cross-reference that information against the official register and take active steps when the two do not match. If the information the customer provides about its beneficial owners differs from what the register records, you cannot simply proceed. You must report the discrepancy and continue your due diligence on the basis of your own findings.
How does ongoing monitoring connect to KYB?
Ongoing monitoring is an extension of KYB, not a separate process. Under Regulation (EU) 2024/1624, obliged entities must ensure that the information they hold about their corporate customers is kept up to date throughout the business relationship. The frequency of updates must be dependent on the risk level of the relationship. In practice this means having a system to track when periodic refreshes are due, to identify trigger events that require an immediate review (such as a change in ownership, a sanctions hit, or adverse media), and to update the customer risk profile when new information changes the picture. A KYB file that was complete at onboarding but has not been reviewed in two years is a compliance gap, particularly for higher-risk relationships.
What are the consequences of inadequate KYB for financial services businesses in the EU?
Inadequate KYB can result in regulatory enforcement action ranging from formal findings and remediation requirements to significant financial penalties. Under Directive (EU) 2024/1640, serious, repeated, or systematic breaches of AML/CFT requirements, including KYB obligations, can result in pecuniary sanctions and other administrative measures. AMLA will have the power to impose administrative sanctions of up to €10 million or 10% of annual group turnover, whichever is higher, for the most serious violations by entities under its direct supervision. Beyond regulatory penalties, inadequate KYB exposes a business to the reputational risk of being associated with financial crime and to legal liability if a business relationship it failed to properly verify is subsequently linked to money laundering or terrorist financing activity.
