KYB for cross-border buyers: a practical playbook
What a robust buyer KYB process looks like across the major exporter corridors, the data sources that matter, and where to draw the human-review line.
What Is KYB and Why Does It Matter for Exporters?
Know Your Business verification confirms that the company you're about to ship goods to actually exists, operates legitimately, and isn't controlled by sanctioned parties. For cross-border exporters, KYB determines whether you get paid, stay compliant, and avoid shipping goods into a sanctions black hole.
The stakes are straightforward: verify properly and you'll see default rates between 0.01% and 0.24% on trade finance transactions, according to the ICC Trade Register Report 2023. Skip verification and you're gambling with payment defaults, BIS penalties, and potential criminal liability for sanctions violations.
KYB vs. KYC: Why Business Verification Is Different
Verifying a company is harder than verifying a person. A person has a passport. A company has layers.
When you verify an individual buyer, you check one identity document against one face. When you verify a business buyer, you're untangling:
- Legal entity structure: Parent companies, subsidiaries, holding companies across multiple jurisdictions
- Ownership layers: Shareholders who are themselves companies, trusts, or nominees
- Control vs. ownership: Directors and authorized signatories who may differ from beneficial owners
- Jurisdictional complexity: A buyer incorporated in Singapore, owned by a BVI holding company, controlled by individuals in three different countries
FATF Recommendation 10 requires verification of legal persons precisely because this complexity creates hiding places. Nominee shareholders, bearer shares (still legal in some jurisdictions), and multi-layered structures can obscure who actually controls a company.
There's no passport equivalent for companies. A certificate of incorporation proves a company was registered. It doesn't prove the company is still active, who controls it today, or whether it's a shell for sanctioned parties.
The Real Cost of Getting Buyer Verification Wrong
Three categories of risk compound when KYB fails:
Payment default and fraud: The buyer doesn't exist, can't pay, or never intended to pay. You've shipped goods to an address that receives them and disappears. Recovery is expensive and usually unsuccessful across borders.
Sanctions and export control violations: You shipped dual-use goods to an entity on the BIS Entity List or controlled by someone on the OFAC SDN list. BIS Know Your Customer Guidance makes clear that "I didn't know" is not a defense. Penalties include denial of export privileges, criminal prosecution, and fines that dwarf the transaction value.
Trade-based money laundering exposure: Your transaction becomes part of a money laundering scheme through over-invoicing, under-invoicing, or phantom shipments. Even if you're an unwitting participant, the compliance costs and reputational damage are real.
The ICC Trade Register data shows that proper buyer and supplier risk management correlates with default rates at the low end of that 0.01-0.24% range. The exporters seeing higher defaults are the ones cutting corners on verification.
The Cross-Border KYB Document Stack: What You Actually Need
Document requirements scale with risk. Not every buyer needs the same verification depth. Here's what you need at each tier.
Tier 1: Non-Negotiable Documents for Every Buyer
These documents are required for every new buyer relationship, regardless of jurisdiction or transaction size:
| Document | What It Proves | Red Flags |
|---|---|---|
| Certificate of Incorporation | Company legally exists and was validly formed | Recent incorporation date inconsistent with claimed business history; certificate from jurisdiction different than claimed operating location |
| Articles of Association / Bylaws | Company's legal structure and governance rules | Unusual provisions allowing rapid ownership changes; bearer share provisions |
| Proof of Registered Address | Physical location for legal service | Virtual office addresses; addresses that don't match business type (warehouse company at residential address) |
| Director/Signatory Identification | Who can legally bind the company | Directors in high-risk jurisdictions different from company location; nominee director services |
Collect certified copies, not photocopies. Verify the certifying authority is legitimate. Cross-reference against the company registry in the jurisdiction of incorporation.
Tier 2: Beneficial Ownership Verification
Beneficial ownership verification identifies who actually controls the company, not just who appears on paper.
The standard threshold is 25% ownership, per FATF guidance and FinCEN's Beneficial Ownership Information requirements. Anyone holding 25% or more of the company, directly or indirectly, must be identified and verified.
Required documents:
- UBO Declaration Form: Signed statement from the company identifying all beneficial owners above the threshold
- Shareholder Register: Official record of share ownership, certified current
- Ownership Structure Chart: For multi-layered structures, a diagram showing the chain from the buyer entity up to natural persons
The challenge: many jurisdictions don't have public beneficial ownership registries. The EU's 6th Anti-Money Laundering Directive created interconnected registers across member states, but coverage outside Europe is inconsistent.
FinCEN's Corporate Transparency Act creates a US beneficial ownership registry, but implementation is ongoing. The rule includes 23 entity categories exempt from reporting, including publicly traded companies and regulated financial institutions.
When registries don't exist or are unreliable, you need the buyer to provide documentation directly. Verify what they provide against available public records, corporate filings, and third-party data sources.
Tier 3: Enhanced Due Diligence Documents
Enhanced due diligence applies when risk factors exceed your standard threshold. Triggers include:
- Buyer in a FATF high-risk or grey-list jurisdiction
- Complex ownership structures with multiple layers or offshore entities
- Politically exposed persons in the ownership or control structure
- Transaction patterns inconsistent with the buyer's stated business
- Payment terms that create unusual risk exposure
Additional documents for EDD:
| Document | Purpose |
|---|---|
| Audited Financial Statements | Verify business scale matches transaction size; identify financial distress |
| Bank Reference Letter | Confirm banking relationship and account standing |
| Source of Funds Declaration | Explain where payment will originate |
| Site Visit Report | Physical verification of business operations |
| Third-Party Intelligence Report | Independent verification of company and principals |
EDD takes longer and costs more. That's the point. You're applying proportionate resources to higher-risk situations.
Regional Document Availability: A Reality Check
Document availability varies dramatically by region. No vendor will tell you this clearly because it undermines their "global coverage" marketing.
| Document Type | EU/UK | United States | Latin America | Africa | Asia |
|---|---|---|---|---|---|
| Incorporation Certificate | Readily available | Readily available | Available with effort | Often requires in-country verification | Jurisdiction-specific |
| UBO Registry Access | Readily available (interconnected) | Pending CTA implementation | Rarely available | Rarely available | Singapore/HK available; others limited |
| Audited Financials | Readily available for larger companies | Readily available | Variable quality | Often unavailable | Variable by jurisdiction |
| Director Identification | Readily available | Readily available | Available with effort | Often requires in-country verification | Readily available in major markets |
| Shareholder Register | Readily available | Available for corporations | Variable | Often unavailable | Variable by jurisdiction |
EU/UK: Strong registry infrastructure. Companies House (UK), interconnected EU registers, and mandatory UBO disclosure make verification straightforward for most buyers.
United States: Corporate records available through state registries, but beneficial ownership has historically been opaque. The Corporate Transparency Act changes this, but implementation is ongoing.
Latin America: Variable quality. Brazil and Mexico have functional registries. Other jurisdictions require more manual verification and in-country contacts.
Africa: Often requires in-country verification partners. Registry infrastructure is limited in many jurisdictions. Don't assume documents that exist are current or accurate.
Asia: Jurisdiction-specific. Singapore and Hong Kong have strong registries. Mainland China requires understanding of the specific registration system. India has improving but still inconsistent registry access.
The OECD Global Forum on Transparency evaluates jurisdictions on information exchange standards. Use their ratings as one input to your jurisdiction risk assessment.
Building a Risk-Tiered Verification Framework
The ICC Trade Register data shows SME exporters spend $15,000-50,000 annually on KYC/KYB compliance. You can't apply maximum diligence to every buyer. Risk-tiering lets you match verification depth to actual risk.
How to Score Buyer Risk Before You Start Verification
Score each new buyer across five factors before determining verification depth:
| Factor | Lower Risk | Higher Risk |
|---|---|---|
| Jurisdiction | FATF compliant, strong rule of law | FATF grey/black list, weak enforcement |
| Transaction Value | Below your standard threshold | Above threshold or unusual for buyer size |
| Product Sensitivity | Standard commercial goods | Dual-use items per BIS Commerce Control List |
| Payment Terms | Prepayment or confirmed LC | Open account, extended terms |
| Relationship History | Repeat buyer with clean record | New relationship, no track record |
A simple scoring approach: assign 1-3 points per factor. Total score determines verification tier:
- 5-8 points: Simplified due diligence (if other criteria met)
- 9-12 points: Standard due diligence
- 13-15 points: Enhanced due diligence
Adjust thresholds based on your risk appetite and transaction volumes.
Standard Due Diligence: The 80% Case
Standard due diligence applies to most buyers. Target completion: 3-5 business days.
Minimum verification checklist:
- Collect Tier 1 documents (incorporation, articles, address proof, director ID)
- Collect Tier 2 documents (UBO declaration, shareholder register)
- Verify documents against company registry in jurisdiction of incorporation
- Screen buyer entity against sanctions lists (OFAC SDN, BIS Entity List, EU Consolidated List)
- Screen all identified directors and beneficial owners against same lists
- Document verification steps and findings
- Approve or escalate based on findings
Standard due diligence is not cursory. It's proportionate verification for buyers that don't present elevated risk factors.
Enhanced Due Diligence: When and How to Escalate
EDD triggers per FATF guidance and Wolfsberg Trade Finance Principles:
- Buyer or beneficial owner in high-risk jurisdiction
- Complex ownership structure with three or more layers
- PEP involvement in ownership or control
- Adverse media findings during screening
- Transaction inconsistent with buyer's apparent business
- Unusual payment routing or terms
Additional EDD steps:
- Collect Tier 3 documents (audited financials, bank references, source of funds)
- Conduct or commission site visit to verify physical operations
- Obtain third-party intelligence report on company and principals
- Interview buyer management (video call minimum)
- Establish ongoing monitoring triggers
EDD extends verification timeline to 2-3 weeks. Build this into deal timelines for high-risk buyers.
Simplified Due Diligence: When You Can Move Faster
Reduced verification is acceptable for buyers presenting lower inherent risk:
Authorized Economic Operator certified buyers: The WCO SAFE Framework establishes AEO programs in over 100 countries. AEO certification means the buyer has already passed government vetting for customs compliance and supply chain security. Verify the certification is current, then apply reduced document requirements.
Publicly listed companies: Subject to securities regulation, audited financials, and public disclosure requirements. Ownership is transparent through public filings. Verify listing status and collect basic incorporation documents.
Regulated financial institutions: Banks, insurers, and licensed financial services firms are already subject to regulatory oversight and their own KYB requirements. Verify regulatory status and licensing.
Repeat buyers with clean history: After 12+ months of transactions without payment issues, adverse findings, or ownership changes, you can streamline re-verification. Still screen against sanctions lists on each transaction.
Simplified due diligence is not no due diligence. You're relying on verification already performed by regulators or through prior transactions.
Sanctions and Export Control Screening: The Non-Negotiable Layer
Sanctions screening is not optional. It's not "nice to have." It's the layer that keeps you out of prison and your company in business.
Which Lists You Must Screen Against
Mandatory screening for US-nexus transactions:
- OFAC SDN List: Specially Designated Nationals and Blocked Persons
- OFAC Sectoral Sanctions: Industry-specific restrictions
- BIS Entity List: Export restrictions for specific foreign parties
- BIS Denied Persons List: Individuals denied export privileges
- BIS Unverified List: Parties where end-use verification was not possible
For EU-nexus transactions, add:
- EU Consolidated List: All EU restrictive measures
- UN Security Council Consolidated List: Global sanctions
Screening the buyer entity alone is insufficient. You must screen:
- The buyer company name and any known aliases
- All directors and authorized signatories
- All beneficial owners above the 25% threshold
- Parent companies and significant subsidiaries
- The ultimate consignee if different from buyer
For deeper guidance on screening requirements, see our article on sanctions screening requirements.
Red Flags That Should Stop a Shipment
BIS Know Your Customer Guidance identifies these red flags:
Buyer behavior red flags:
- Reluctance to provide end-user information or business references
- Evasive responses about product end-use
- Willingness to pay cash for high-value orders
- Little or no business background verifiable through normal channels
Transaction red flags:
- Order inconsistent with buyer's stated business
- Unusual shipping routes (especially through transshipment hubs)
- Packaging or labeling inconsistent with stated destination
- Request to avoid normal documentation or procedures
Documentation red flags:
- Freight forwarder listed as final destination
- Reluctance to provide end-user certificates
- Vague or inconsistent product descriptions
Wolfsberg TBML typologies add:
- Significant over-invoicing or under-invoicing versus market prices
- Multiple invoices just below reporting thresholds
- Payments from third parties unrelated to the transaction
When red flags appear, stop. Investigate. Document your findings. Don't ship until you've resolved the concern or decided to walk away.
What to Do When You Get a Potential Match
Sanctions screening produces three outcomes: clear, potential match, or confirmed match.
Potential match resolution:
- Gather additional identifying information (full legal name, date of birth for individuals, registration numbers for entities)
- Compare against the specific list entry
- Document your analysis and conclusion
- If you cannot rule out a match, treat as confirmed
Confirmed match procedures:
- Stop the transaction immediately
- Do not inform the buyer of the reason
- Escalate to your compliance officer and legal counsel
- For OFAC matches, blocking requirements may apply
- Document everything
Voluntary self-disclosure: If you discover a past violation, BIS and OFAC both have voluntary self-disclosure programs. Disclosure typically results in significantly reduced penalties. Consult legal counsel before disclosing.
The rule is simple: when in doubt, don't ship.
The Verification Workflow: From Inquiry to Shipment
A structured workflow keeps verification moving without sacrificing thoroughness. Target: standard verification complete in 5-7 days.
Day 1-2: Initial Screening and Document Request
Day 1 activities:
- Receive buyer inquiry with basic company information
- Run preliminary sanctions screen on company name
- Conduct initial jurisdiction risk assessment
- Assign preliminary risk tier based on available information
Day 2 activities:
- Send tailored document request based on risk tier
- Explain why each document is needed (buyers respond faster when they understand the purpose)
- Set clear deadline for document submission
- Provide template forms where applicable (UBO declaration, authorized signatory form)
Sample document request language:
"To complete verification of [Company Name], we require the following documents within 5 business days: [list]. These documents allow us to confirm your company's legal status, ownership structure, and authorized signatories. This verification is required for all new buyer relationships and enables us to establish appropriate credit terms."
Day 3-5: Document Review and Registry Verification
Document authenticity checks:
- Verify certifications and notarizations are from legitimate authorities
- Cross-reference document dates against registry records
- Check for inconsistencies between documents (different addresses, director names)
- Verify company registration number matches registry records
Registry verification:
- Access company registry in jurisdiction of incorporation
- Confirm company status (active, in good standing)
- Verify registered address matches provided documents
- Confirm directors match provided identification
- Check for any filed charges, liens, or insolvency proceedings
UBO identification:
- Map ownership structure from provided documents
- Identify all beneficial owners above 25% threshold
- Verify UBO identities against provided identification
- Screen all identified UBOs against sanctions lists
Common rejection reasons:
- Documents expired or not current
- Missing required certifications
- Ownership structure unclear or incomplete
- UBO identification documents insufficient
- Registry records don't match provided documents
When documents are rejected, communicate specific deficiencies and request corrections promptly.
Day 5-7: Decision and Ongoing Monitoring Setup
Approval workflow:
- Compile verification file with all documents and screening results
- Document any concerns and how they were resolved
- Assign final risk tier based on completed verification
- Determine credit limit based on verification depth and trade credit risk assessment
- Obtain appropriate approval (front-line for standard, compliance officer for EDD)
Ongoing monitoring setup:
- Add buyer to sanctions screening watchlist for daily/weekly updates
- Set calendar reminder for periodic re-verification (annually for standard, semi-annually for EDD)
- Document triggers for ad-hoc re-verification: adverse media alerts, ownership change notifications, payment issues
The three lines of defense model applies: front-line sales owns initial verification, compliance provides oversight and EDD decisions, internal audit reviews the process periodically.
When Verification Stalls: Escalation Paths
Common blockers and solutions:
Unresponsive buyer: Send reminder at day 3. Escalate to buyer's management contact at day 5. If no response by day 7, close the verification as incomplete. Document that you cannot proceed without required information.
Missing documents: Identify which documents are truly unavailable versus which the buyer is reluctant to provide. For genuinely unavailable documents (no UBO registry in jurisdiction), document the gap and compensate with additional verification steps.
Registry access issues: Some registries require in-country access or paid subscriptions. Build relationships with verification partners in key markets. Budget for registry access fees as a cost of doing business.
Ambiguous ownership: When ownership structures are complex, request a call with the buyer to walk through the structure. If they can't explain it clearly, that's a red flag.
Decision framework for walking away:
- Buyer refuses to provide required documents after multiple requests
- Ownership structure cannot be verified to your satisfaction
- Sanctions screening produces matches that cannot be resolved
- Red flags accumulate without satisfactory explanation
- Your gut says something is wrong
Walking away from a deal is a legitimate verification outcome. Document your reasons and move on.
Technology and Partners: Building Your KYB Stack
Technology accelerates verification but doesn't replace judgment. Build your stack around this principle.
What to Automate vs. What Requires Human Judgment
Automate these tasks:
- Sanctions list screening (daily batch and real-time transaction screening)
- Company registry lookups (API connections to major registries)
- Document OCR and data extraction
- Watchlist monitoring for existing buyers
- Workflow routing based on risk scores
Human judgment required for:
- Interpreting complex ownership structures
- Assessing whether red flags are explainable
- EDD decisions and escalations
- Evaluating document authenticity when questions arise
- Deciding when to walk away from a deal
Warning: automated approval systems create risk. A system that auto-approves based on sanctions screening alone misses document verification, ownership analysis, and red flag assessment. Use automation to accelerate human review, not replace it.
Evaluating KYB Data Providers by Region
No single data provider covers all markets adequately. Most exporters with significant cross-border volume need 2-3 providers plus manual verification capability.
Evaluation criteria:
| Factor | Questions to Ask |
|---|---|
| Registry Access | Direct API access or scraped data? How current? |
| UBO Data | Source of beneficial ownership data? Coverage by jurisdiction? |
| Update Frequency | Real-time, daily, weekly, or static? |
| Sanctions Coverage | Which lists? How quickly after list updates? |
| Document Verification | Can they verify document authenticity? |
| Regional Strength | Where is coverage strongest? Where are gaps? |
Test providers against your actual buyer jurisdictions before committing. Request sample reports for companies in your key markets.
Building Internal Verification Capability
For exporters doing significant volume (50+ new buyers annually), internal capability makes sense.
Compliance officer role: Someone owns the verification process end-to-end. They set standards, train front-line teams, handle escalations, and maintain relationships with external verification partners.
Documentation standards: Every verification produces a file that could withstand regulatory examination. Documents, screening results, analysis, decisions, and approvals are all documented and retained.
Audit trail requirements: Who did what, when, and why. Timestamps on all verification steps. Approval records with approver identification.
Front-line training: Sales teams need to understand why verification matters, what documents to request, and when to escalate. They're your first line of defense against red flags.
Measuring KYB Effectiveness: Metrics That Matter
Verification that doesn't improve outcomes is compliance theater. Measure what matters.
Operational Metrics: Speed Without Sacrificing Quality
Time-to-verification by risk tier:
- Simplified: 1-2 days
- Standard: 3-5 days
- Enhanced: 10-15 days
Track actual performance against these targets. Investigate outliers in both directions (too fast may mean corners cut; too slow means process problems).
Document rejection rates: What percentage of initial document submissions require follow-up? High rejection rates indicate unclear document requests or buyer quality issues.
False positive rates on sanctions screening: What percentage of potential matches resolve as false positives? High rates indicate screening is too broad; low rates may indicate screening is too narrow.
Risk Metrics: Is Your KYB Actually Preventing Losses?
Default rates by KYB tier: Track payment outcomes by verification depth. You should see lower default rates for buyers that received more thorough verification.
Fraud detection rates: How many fraudulent buyers did verification catch before shipment? This requires tracking both caught fraud and fraud that slipped through.
Near-miss tracking: Document cases where verification identified concerns that led to deal modification (reduced credit, prepayment required) or termination. These are verification successes even though they don't show up in default statistics.
The ICC Trade Register shows that trade finance products with proper due diligence see default rates at the low end of the 0.01-0.24% range. Your KYB program should produce similar results. If your default rates are higher, your verification isn't working.