
KYB Automation Without Blowing Up Risk

May 24, 2026·9 min read·By Rizwan Zafar

The promise of automated KYB is that activation goes from weeks to minutes. The risk of automated KYB is that fraud and default rates explode while no one is watching. The teams that get this right do not automate everything; they automate the right things.

What KYB actually is

KYB is the verification that the business exists, the people signing for it have authority, the beneficial owners are who they claim to be, and none of them are on sanctions or PEP lists. In practice that decomposes into:

  1. Entity verification: does this company exist in the registry?
  2. Beneficial ownership: who actually owns it?
  3. Authorised signatory: does the applicant have authority?
  4. Sanctions and PEP screening: on all individuals and the entity
  5. Adverse media: is there a public record of fraud or financial crime?
  6. Risk scoring: given everything above, what tier?

Each step has a different automation ceiling.

The automation gradient

  • Entity verification: fully automatable in jurisdictions with API-accessible registries. Manual in markets where the registry is a PDF.
  • Beneficial ownership: partially automatable via registry data and identity providers. Manual review for complex ownership structures (>3 layers, foreign holding companies, trusts).
  • Authorised signatory: automatable when the applicant matches a registered director. Manual when delegated through a power of attorney.
  • Sanctions and PEP: fully automatable with periodic re-screening. Manual only on hits, never on clears.
  • Adverse media: automation-assisted, human-decided. Models surface candidates; humans judge severity.
  • Risk scoring: fully automatable as a deterministic rule set, with a model layer for edge cases.

A working onboarding flow uses the maximum automation on each step, then routes anything that cannot clear to a single, tiered review queue.

Tier the review queue, not the merchant

Most teams tier merchants and forget to tier the queue. The result is a single firehose where senior compliance analysts manually clear simple registry mismatches.

Tier the queue:

  • L1: clears simple verification gaps (registry timing, name typos, missing UBO doc)
  • L2: complex ownership, partial sanctions hits, jurisdiction mismatches
  • L3: adverse media, high-risk vertical, escalations from L2

Move analysts between tiers based on performance. Promote on quality, not volume.
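
One way to express the routing described in the two sections above, as an added sketch that is not the author's code. The check names, reason codes, and the fail-closed handling of missing or unrecognised results are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical reason codes; each maps to the lowest queue tier allowed to clear it.
REASON_TIER = {
    "registry_timing": 1, "name_typo": 1, "missing_ubo_doc": 1,
    "complex_ownership": 2, "partial_sanctions_hit": 2, "jurisdiction_mismatch": 2,
    "adverse_media": 3, "high_risk_vertical": 3, "l2_escalation": 3,
}
REQUIRED_CHECKS = ("entity", "ubo", "signatory", "sanctions_pep", "adverse_media")

@dataclass
class Decision:
    outcome: str                  # "auto_clear" or "review"
    tier: Optional[int]           # queue tier 1-3, None when auto-cleared
    evidence: list = field(default_factory=list)  # one record per check, for audit

def route(application_id, results):
    """results: {check: {"status": "clear"|"unresolved", "reason": str, "source": str}}"""
    evidence, tier = [], None
    for check in REQUIRED_CHECKS:
        r = results.get(check)
        if r is None:
            # Fail closed: a check that never ran is not a clear.
            r = {"status": "unresolved", "reason": "check_missing", "source": "none"}
        evidence.append({"application": application_id, "check": check, **r})
        if r["status"] != "clear":
            # Unrecognised reasons go to the top tier rather than being guessed at.
            needed = REASON_TIER.get(r.get("reason"), 3)
            tier = max(tier or 0, needed)  # the hardest open item sets the queue tier
    return Decision("auto_clear" if tier is None else "review", tier, evidence)

# Constructed sample applications.
CLEAN = {c: {"status": "clear", "reason": "", "source": "registry_api"}
         for c in REQUIRED_CHECKS}
MIXED = {**CLEAN,
         "entity": {"status": "unresolved", "reason": "name_typo", "source": "registry_api"},
         "ubo": {"status": "unresolved", "reason": "complex_ownership", "source": "aggregator"}}

if __name__ == "__main__":
    for name, app in (("clean", CLEAN), ("mixed", MIXED)):
        d = route(name, app)
        print(name, d.outcome, d.tier, len(d.evidence))
```

An application lands in one queue only, at the tier of its hardest unresolved item, and every decision carries a per-check record whether or not a human saw it.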

Data sources

Three categories of data make modern KYB work:

  1. Authoritative registries: Companies House, SECP, DED, equivalents. Free or cheap, slow to update, sometimes incomplete.
  2. Aggregator APIs: Dun & Bradstreet, Middesk, Trulioo, equivalents. Faster, broader, abstract away registry differences. Pay per query.
  3. Sanctions and PEP lists: Refinitiv, Dow Jones, ComplyAdvantage, equivalents. Continuously updated. Subscription cost.

Use registries as the source of truth, aggregators as the fast lookup, sanctions providers as a continuous overlay. Never let one source be the only check.

Re-screening

Onboarding is the first check, not the last. Production-grade KYB requires:

  • Daily sanctions re-screening on every active merchant
  • Quarterly UBO re-validation
  • Event-triggered re-review (jurisdiction change, ownership change, sudden volume change, chargeback spike)

Skip this and you ship a system that is compliant on day one and quietly non-compliant by month six.

What to instrument

  • % of applications auto-cleared
  • Mean and p95 time to activation, per tier
  • False positive rate on sanctions hits
  • Manual review queue depth, per tier
  • Post-onboarding default rate, by acquisition month
  • Chargeback rate by onboarding tier, by month

The last two are the only metrics that matter for whether the automation is calibrated. If they trend up, the automation is too loose.

Operator lens

Compliance leaders fear automation because they fear losing the audit narrative. The fix is to over-instrument, not to under-automate. A fully automated decision with a complete, queryable evidence trail is more defensible to a regulator than a manual decision with a sticky note.

