KYB Automation Without Blowing Up Risk
Automate KYB well and activation drops from weeks to minutes; automate it badly and fraud and default rates climb while nobody watches. The teams that win automate each step to its ceiling and route the rest to a tiered queue.
How to automate KYB onboarding for merchants without inflating fraud, sanctions, or default rates, tiering, data sources, and the review queue that scales.
The promise of automated KYB is that activation goes from weeks to minutes. The risk of automated KYB is that fraud and default rates explode while no one is watching. The teams that get this right do not automate everything, they automate the right things.
What KYB actually is
KYB is the verification that the business exists, the people signing for it have authority, the beneficial owners are who they claim, and none of them are on sanctions or PEP lists. In practice that decomposes into:
- Entity verification, does this company exist in the registry?
- Beneficial ownership, who actually owns it?
- Authorised signatory, does the applicant have authority?
- Sanctions and PEP screening, on all individuals and the entity
- Adverse media, is there a public record of fraud or financial crime?
- Risk scoring, given everything above, what tier?
Each step has a different automation ceiling.
The automation gradient
- Entity verification, fully automatable in jurisdictions with API-accessible registries. Manual in markets where the registry is a PDF.
- Beneficial ownership, partially automatable via registry data and identity providers. Manual review for complex ownership structures (>3 layers, foreign holding companies, trusts).
- Authorised signatory, automatable when the applicant matches a registered director. Manual when delegated through a power of attorney.
- Sanctions and PEP, fully automatable with periodic re-screening. Manual only on hits, never on clears.
- Adverse media, automation-assisted, human-decided. Models surface candidates; humans judge severity.
- Risk scoring, fully automatable as a deterministic rule set, with a model layer for edge cases.
A working onboarding flow uses the maximum automation on each step, then routes anything that cannot clear to a single, tiered review queue.
Tier the review queue, not the merchant
Most teams tier merchants and forget to tier the queue. The result is a single firehose where senior compliance analysts manually clear simple registry mismatches.
Tier the queue:
- L1, clears simple verification gaps (registry timing, name typos, missing UBO doc)
- L2, complex ownership, partial sanctions hits, jurisdiction mismatches
- L3, adverse media, high-risk vertical, escalations from L2
Move analysts between tiers based on performance. Promote on quality, not volume.
Data sources
Three categories of data make modern KYB work:
- Authoritative registries, Companies House, SECP, DED, equivalents. Free or cheap, slow to update, sometimes incomplete.
- Aggregator APIs, Dun & Bradstreet, Middesk, Trulioo, equivalents. Faster, broader, abstract away registry differences. Pay per query.
- Sanctions and PEP lists, Refinitiv, Dow Jones, ComplyAdvantage, equivalents. Continuously updated. Subscription cost.
Use registries as the source of truth, aggregators as the fast lookup, sanctions providers as a continuous overlay. Never let one source be the only check.
Re-screening
Onboarding is the first check, not the last. Production-grade KYB requires:
- Daily sanctions re-screening on every active merchant
- Quarterly UBO re-validation
- Event-triggered re-review (jurisdiction change, ownership change, sudden volume change, chargeback spike)
Skip this and you ship a system that is compliant on day one and quietly non-compliant by month six.
What to instrument
- % of applications auto-cleared
- Mean and p95 time to activation, per tier
- False positive rate on sanctions hits
- Manual review queue depth, per tier
- Post-onboarding default rate, by acquisition month
- Chargeback rate by onboarding tier, by month
The last two are the only metrics that matter for whether the automation is calibrated. If they trend up, the automation is too loose.
Operator lens
Compliance leaders fear automation because they fear losing the audit narrative. The fix is to over-instrument, not to under-automate. A fully automated decision with a complete, queryable evidence trail is more defensible to a regulator than a manual decision with a sticky note.
Related: Merchant Onboarding: Growth, Risk and Compliance · Risk Tiering Merchants as a Product Decision

Chief Product Officer · Payments, Fintech & AI
Payments product & program leader — scaled a regulated multi-rail platform from $0 to $1B+ GTV across five frontier markets. These essays are the public version of how I think through the work.
This writing is the public version of how I think through product, programme and payment-infrastructure decisions in regulated markets.
Contact RizwanRizwan Zafar — Chief Product Officer · Payments, Fintech & AI.
One operator email a week. No filler.
Payment acceptance, settlement and product delivery notes from running $1B+ annual GTV across frontier markets — written for founders and payment leaders.
Weekly at most. Unsubscribe with one reply.
Essays in the same operating context.
Merchant Onboarding: Where Growth, Risk and Compliance Collide
Three teams own onboarding. The merchant only sees one experience. That gap is the product.
Risk Tiering Merchants Is a Product Decision
Tiering is the single most leveraged product decision in a payments platform. Most teams hand it to risk and never recover.
KYC and Conversion Designed Together
Splitting KYC from conversion produces the worst of both: friction that does not reduce risk, and risk that does not justify the friction.