Crypto KYB: How Businesses Verify Corporate Clients and VASPs
In its most recent horizontal review of beneficial ownership transparency, the Financial Action Task Force (FATF) reported that the misuse of legal persons — companies, trusts, and similar corporate vehicles — remains one of the most consistently exploited weaknesses in global Anti-Money Laundering systems, with the majority of assessed jurisdictions receiving only "moderate" or "low" effectiveness ratings on Recommendation 24.
For crypto businesses, that finding is not abstract. When an exchange opens a corporate account for a payment processor, when an OTC desk integrates with another VASP, when a custodian onboards a treasury management firm — the customer is a company, not a person. And companies hide things that individuals cannot: layered ownership, nominee directors, dormant subsidiaries, undisclosed counterparties, and operations that look legitimate on paper but generate transaction patterns that do not.
This is where crypto KYB matters. KYC answers the question "Who is the person?" KYB answers a harder question: "What is this company, who really controls it, and what kind of risk does the business relationship create?" In practical terms, KYB is the discipline of verifying the entity itself — not just the human who signed the application.
What Is KYB in Crypto?
KYB, or Know Your Business, is the process of verifying a legal entity before onboarding it as a customer, merchant, partner, or counterparty. The objective is not only to confirm that the company exists on paper, but to understand who controls it, what it actually does, where it operates, and whether the people and activity behind it match the profile that has been presented. A complete crypto KYB record collects and verifies:
- Company Registration Data. Legal name, registration number, jurisdiction of incorporation, registered office address, and date of incorporation as recorded in the official register.
- Legal Status. Whether the company is active, dormant, suspended, struck off, or in liquidation at the moment of onboarding.
- Business Activity and Licensing. The declared nature of the business, industry codes, and — where the activity is regulated — the licences or registrations that authorise it.
- Directors and Authorised Persons. The individuals who manage the company and the individuals who can act on its behalf with the crypto business.
- Ultimate Beneficial Owners. The natural persons who ultimately own or control the entity, identified through the layers of any holding structure.
- Sanctions, PEP, and Adverse Media Checks. Screening of the company and its key persons against relevant lists and open-source signals, both at onboarding and on an ongoing basis.
- Expected Transaction Behaviour. The declared volume, frequency, source of funds, and typical counterparties that should describe normal activity for this customer.
Conceptually, this is the same exercise that banks have performed for decades on corporate clients. The difference in crypto is that the company profile cannot be treated in isolation. It needs to be linked to on-chain reality:
- Wallet Infrastructure. The addresses the company will use to send, receive, or custody assets.
- Expected On-Chain Volumes. The declared throughput against what the wallets actually do once activity begins.
- Counterparty Exposure. The on-chain entities the company transacts with, including exchanges, mixers, sanctioned addresses, scam clusters, or darknet markets.
- Source of Funds and Jurisdictions. Where the assets actually originate and which jurisdictions they touch — which may differ from the jurisdictions in the declared profile.
A bank can usually rely on the fact that funds move through regulated rails. A crypto VASP cannot. A perfectly registered company can still receive deposits from a sanctioned exchange or a darknet market — and that is a KYB issue, not just a transaction monitoring issue.
When Do Crypto Businesses Need KYB?
The trigger is structural rather than situational: the moment the customer is a legal entity rather than a natural person, KYB enters the picture. In practical terms, that covers a recognizable set of relationships:
- Onboarding Corporate Clients. Opening trading, custody, or wallet accounts for any company customer — from small operating businesses to large treasury operations.
- Merchant and Payment Provider Relationships. Onboarding entities that will accept crypto from end-users on behalf of a service, where transaction volume and reputational risk can be substantial.
- OTC Desk and Broker Relationships. Counterparties moving large or irregular volumes outside of public order books, where source of funds and end-customer identity become harder to see.
- VASP-to-VASP Integrations. Liquidity arrangements, custody partnerships, white-label flows, or Travel Rule peer connections with another crypto business.
- Custody, Liquidity, and Crypto Payment Services. Any case where the company is providing financial infrastructure to another company on top of crypto rails.
- High-Volume Business Customers. Corporate clients whose declared expected volumes alone would justify enhanced scrutiny, regardless of their stated activity.
- Cross-Border Crypto Transfers. Counterparty assessments before transfers that cross jurisdictions with materially different AML regimes or sanctions exposures.
The compliance angle is the most visible reason, but it is not the only one. A poorly verified business client is also a commercial liability. Shell companies have been used to launder funds through licensed exchanges. Front companies have onboarded as "merchants" while actually operating high-risk gambling or scam platforms. Unlicensed VASPs have requested integrations to access liquidity they could not lawfully obtain themselves. KYB is what allows a compliance team to detect these patterns before the funds move, not after.
For VASP-to-VASP relationships in particular — where one crypto business opens a corporate account for another, or integrates Travel Rule data exchange with a peer — KYB overlaps with counterparty due diligence. The Travel Rule itself focuses on sharing originator and beneficiary information at the point of transfer, but the underlying question, "Who are we actually transacting with?", is a KYB question.
What Information Should Be Verified During Crypto KYB?
This is the practical core of the exercise. KYB is not a checklist completed once — it is a layered verification that starts with public records and ends in business judgment.
Company Registration and Legal Status
The first layer is the most basic: does the company exist, and is it currently in good standing?
This means pulling data from official company registries — Companies House in the UK, the Delaware Division of Corporations, ACRA in Singapore, the EU's BRIS network of business registers, and equivalent registers elsewhere. The aim is to confirm a small set of facts that anchor everything that comes next:
- Legal Name and Registration Number. The exact name as registered, matched against the application, and the unique identifier issued by the register.
- Jurisdiction of Incorporation. The country and, where applicable, the state or sub-jurisdiction where the company was incorporated — which dictates which legal regime governs it.
- Current Legal Status. Whether the entity is active, in good standing, dormant, struck off, or in liquidation. Dissolved companies sometimes continue to present themselves as active.
- Date of Incorporation. Very recent incorporation paired with very high declared volumes is one of the most reliable warning signs in KYB.
- Registered Office Address. The official address on file, which can later be compared against the operating address and the address used in the application.
- Declared Business Activity. Industry classification codes and stated activity, which form the baseline for the business-model assessment performed later.
A surprising number of "compliance failures" turn out to be the result of skipping this step. Companies registered in one jurisdiction may claim to operate from another. Shelf companies — incorporated years ago, dormant since, recently activated — can look perfectly legitimate at first glance and require closer inspection. Entities that exist only as registered office addresses, without any operational footprint, can pass a casual look and fail any serious one.
Directors, Authorized Persons, and UBOs
This is where KYB becomes substantially harder than KYC, and where it earns its existence as a separate discipline.
A legal entity acts through people. KYB has to identify all of them in their relevant capacities:
- Directors and Officers. The individuals formally appointed to manage the company, as recorded in the official register.
- Authorised Representatives. The individuals who can act on the company's behalf in the relationship with the crypto business — open accounts, sign agreements, initiate transfers.
- Shareholders Above the Relevant Threshold. Direct holders of equity or voting rights above the threshold that triggers identification in the applicable jurisdiction.
- Ultimate Beneficial Owners. The natural persons who ultimately own or control the entity through any chain of legal vehicles, including holding companies, trusts, and foundations.
The concept of the UBO matters because legal ownership and real control are not always the same thing. A company may be owned by another company, which is owned by a trust, which is administered for the benefit of a third party. KYB has to trace ownership through these layers until it reaches a natural person.
Thresholds vary by jurisdiction, and that is one of the few areas where direct regulatory reference helps:
- European Union. Under the EU AML framework, a UBO is generally a natural person holding more than 25% of shares or voting rights, or otherwise exercising control over the legal person.
- United States. The FinCEN Customer Due Diligence Rule at 31 CFR 1010.230 — in effect for covered financial institutions since 11 May 2018 — requires identification of any individual owning 25% or more of a legal entity customer, plus one individual exercising significant managerial control. Crypto businesses operating as money services businesses fall within scope.
- International Standard. FATF Recommendation 24, revised in March 2022, requires jurisdictions to ensure that adequate, accurate, and up-to-date beneficial ownership information on legal persons is available to competent authorities.
A mature KYB programme does not apply a single threshold globally. It applies the threshold that fits the entity's jurisdiction and the risk of the relationship. For higher-risk corporate clients, many crypto businesses verify owners down to 10% or lower — well below the statutory floor — because the legal threshold is a minimum, not a ceiling.
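The layered tracing and the jurisdiction-specific thresholds above can be expressed as a graph walk. The following is an added example, not code from the original article or from any KYB vendor. It assumes that effective ownership is the product of the direct shares along each chain, summed over all chains, which is a common simplification rather than a rule stated on this page. All entity names and percentages are constructed, and only the ownership prong is modelled (the control prong needs human judgment).

```python
from collections import defaultdict
from fractions import Fraction as F

# Constructed sample data, not taken from any real registry.
# Each edge: (owner, owned entity, direct share of equity or voting rights).
TARGET = "ExampleCo Ltd"
EDGES = [
    ("HoldCo A", "ExampleCo Ltd", F(60, 100)),
    ("HoldCo B", "ExampleCo Ltd", F(40, 100)),
    ("Alice", "HoldCo A", F(25, 100)),
    ("Bob", "HoldCo A", F(55, 100)),
    ("Carol", "HoldCo A", F(20, 100)),
    ("Alice", "HoldCo B", F(25, 100)),
    ("Foundation F", "HoldCo B", F(75, 100)),  # no owners on file
]
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}

# Ownership-prong thresholds as worded in the article:
# EU "more than 25%", US "25% or more", enhanced review "down to 10%".
# Treating the 10% figure as inclusive is an assumption of this example.
THRESHOLDS = {
    "EU": lambda share: share > F(25, 100),
    "US": lambda share: share >= F(25, 100),
    "ENHANCED": lambda share: share >= F(10, 100),
}


def effective_ownership(target, edges, natural_persons):
    """Trace ownership of `target` through every layer.

    Returns (persons, unresolved, cycles):
      persons    - natural person -> summed effective share
      unresolved - legal vehicle with no recorded owners -> effective share
      cycles     - circular ownership paths found during the walk
    """
    owners_of = defaultdict(list)
    for owner, owned, share in edges:
        owners_of[owned].append((owner, share))

    persons = defaultdict(F)
    unresolved = defaultdict(F)
    cycles = []

    def walk(entity, weight, path):
        for owner, share in owners_of.get(entity, []):
            effective = weight * share  # multiply down the chain
            if owner in natural_persons:
                persons[owner] += effective  # sum across parallel chains
            elif owner in path:
                # Circular holdings never reach a person on their own.
                cycles.append(path + (owner,))
            elif owner not in owners_of:
                # A trust, foundation or company whose owners are unknown:
                # the file needs documents before this layer can be closed.
                unresolved[owner] += effective
            else:
                walk(owner, effective, path + (owner,))

    walk(target, F(1), (target,))
    return dict(persons), dict(unresolved), cycles


def ubos_over_threshold(persons, regime):
    """Names of natural persons meeting the ownership test for `regime`."""
    test = THRESHOLDS[regime]
    return sorted(name for name, share in persons.items() if test(share))


if __name__ == "__main__":
    persons, unresolved, cycles = effective_ownership(
        TARGET, EDGES, NATURAL_PERSONS
    )
    for name, share in sorted(persons.items()):
        print(f"{name}: {float(share):.0%}")
    for regime in THRESHOLDS:
        print(regime, ubos_over_threshold(persons, regime))
    print("Needs documentation:", unresolved)
    print("Circular ownership:", cycles)
```

Alice holds exactly 25% only when her two indirect stakes are summed, so she is reportable under the "25% or more" wording but not under "more than 25%", while the foundation's 30% stays unresolved until its controllers are documented.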
Particular care is warranted when KYB surfaces:
- Nominee Directors. Directors listed in the register but with no operational role — typically employed by corporate service providers and used to obscure real control.
- Frequent Director Changes. A pattern of replacements shortly before onboarding, which can indicate restructuring intended to clear a record or distance the entity from past activity.
- Layered Ownership Across Jurisdictions. Multiple holding companies stacked across countries with no clear commercial rationale.
- Trusts, Foundations, and Holding Vehicles. Legitimate in many contexts, but always requiring additional documentation to trace control to natural persons.
None of these is automatically disqualifying — many legitimate corporate structures use holding companies. But each pushes the file toward enhanced due diligence rather than standard onboarding.
Sanctions, PEP, and Adverse Media Screening
Screening converts the KYB record into a live risk view.
Every name surfaced — the company itself, directors, authorised signatories, UBOs, and often close relatives or business associates of UBOs — needs to be checked against:
- Global Sanctions Lists. OFAC's Specially Designated Nationals (SDN) list, the EU Consolidated List, UK HM Treasury, UN Security Council sanctions, plus relevant regional and national lists.
- Politically Exposed Person Databases. Coverage of current and former PEPs, their family members, and known close associates.
- Adverse Media Sources. Court records, regulatory enforcement actions, investigative reporting, and credible open-source signals that connect the entity or its people to financial crime, fraud, or material misconduct.
The response to each type of hit is different — and this is where many first-generation KYB programmes get it wrong. A PEP match is not an automatic refusal. PEPs are higher risk, not prohibited risk. The right response is typically enhanced due diligence: deeper source-of-funds verification, senior approval for the relationship, and more frequent reviews. The same logic applies to adverse media — a press article connecting a UBO to a fraud allegation requires investigation, not a reflex denial.
Sanctions are different. A confirmed match against an OFAC, EU, UK, or UN sanctions list is a hard stop. Even an indirect link — a company majority-owned by sanctioned individuals through a holding vehicle — triggers OFAC's "50 percent rule" in the U.S. context, and equivalent treatment in most other major jurisdictions.
What most KYB programs underestimate at first is that screening cannot be one-time. People become PEPs after onboarding. Companies get sanctioned mid-relationship. Adverse media surfaces years after a customer has been active. Continuous re-screening is the standard.
Business Model and Expected Activity
This is the layer where KYB stops being administrative and starts becoming analytical.
The questions here are softer but more consequential than anything that came before:
- Actual Business Activity. What the company really does — and whether that answer is consistent across the website, the application, the register, and any third-party sources.
- Products and Services. The services offered and the assets used — payments, exchange, custody, lending, staking, tokenisation, OTC — each of which carries a distinct risk profile.
- Customer Markets and Operating Jurisdictions. Both where the business is established and where its customers are located, since these may diverge in ways that create authorisation issues.
- Expected Transaction Volume and Pattern. Stated volume, frequency, ticket size, and timing — the baseline that transaction monitoring will later use to detect anomalies.
- Source of Funds. Where the assets actually come from — operating revenue, investor capital, customer deposits, treasury balances — and whether documentation supports the answer.
- Typical Counterparties. The other VASPs, fiat payment processors, on-chain liquidity providers, or end-customers that the company expects to transact with.
The key point of this layer is simple but easily missed: a verified company can still be high-risk. A merchant might have impeccable paperwork and still operate in a category — unlicensed gambling, adult content, certain forms of cross-border remittance — that elevates its AML risk regardless of how clean its KYB file looks. A licensed VASP may hold the right paperwork in one jurisdiction while serving customers in jurisdictions where it is not authorised. A consultancy may declare a $50,000 monthly volume and then move $5 million through its wallets in the first week.
The KYB file should produce a clear "expected profile" — a description of what normal activity for this customer looks like — that transaction monitoring can later compare against actual behaviour. Without that baseline, all subsequent monitoring is essentially noise.
For crypto businesses building or upgrading this layer of their onboarding workflow, Automated KYC/KYB Verification platforms now combine registry lookups, UBO mapping, sanctions and PEP screening, adverse media checks, and risk scoring into a single onboarding flow — which is what most teams need to make the analytical layer above operationally viable at scale.
KYB for VASPs and Crypto Counterparties
VASP-to-VASP relationships deserve special treatment, because the counterparty is itself a regulated (or, sometimes, an unregulated) crypto business — which means its compliance failures become your compliance exposure.
When a VASP onboards another VASP — as a corporate customer, a liquidity counterparty, or a Travel Rule peer — the KYB review reaches beyond standard company verification.
In practical terms, the questions include:
- Licensing and Registration Status. Whether the counterparty holds the authorisations required in each jurisdiction where it operates. In the EU, this means MiCA authorisation as a crypto-asset service provider (CASP) under Regulation (EU) 2023/1114, whose CASP regime entered application on 30 December 2024. In the United States, FinCEN MSB registration plus relevant state licences. In Singapore, MAS authorisation under the Payment Services Act. In Japan, FSA registration as a crypto-asset exchange service provider.
- Stated Business Model. Whether the counterparty operates as exchange, broker, OTC desk, custodian, payment processor, or wallet provider — and which lines of activity it actually performs versus what it is licensed for.
- AML, KYC, KYT, and Travel Rule Controls. The compliance programme the counterparty operates, with any published policy, attestation, or independent audit available for review.
- Customer Markets and Geographic Footprint. Whether the counterparty serves customers in countries where it is not authorised — a recurring pattern in enforcement cases across multiple jurisdictions.
- Enforcement and Reputation History. Past supervisory actions, regulatory warnings, or appearances on "unauthorised firms" lists published by authorities (FCA, AMF, BaFin, MAS, and others).
- Wallet Infrastructure. Whether the counterparty's on-chain addresses are identifiable and can be screened against the same risk indicators used for any other wallet.
A company can be legally registered and still create a high compliance risk if it operates as an unlicensed or poorly controlled crypto intermediary. This is one of the most persistent patterns in enforcement actions across jurisdictions: an entity incorporated in one country, providing crypto services to customers in another, without the local authorizations required there.
How KYB Connects With Wallet Screening and KYT
KYB is the start of the customer story, not the whole story. After onboarding, two more disciplines come into play. Wallet screening checks the addresses the customer will use against known risk indicators — mixers, sanctioned addresses, scam clusters, darknet markets. KYT — Know Your Transaction — monitors actual transaction behavior in real time once the relationship is live.
The textbook example that compliance teams use most often is straightforward. A company onboards as a low-risk payment processor with a moderate declared volume. KYB clears it. Three months later, wallet screening detects that one of its addresses has exposure to a mixer cluster, and KYT shows a sudden spike in volume to 10 times the declared baseline. None of those signals alone is conclusive — but the combination should reopen the KYB file rather than just generate a transaction alert.
This is what is meant by ongoing KYB. The corporate risk profile is not frozen at onboarding. It updates when ownership changes, when sanctions status changes, when wallet exposure shifts, and when transaction behavior diverges from the declared profile.
Common KYB Red Flags in Crypto
No single red flag is decisive on its own. What matters is the pattern.
Compliance teams should treat the following as triggers for closer review rather than automatic refusals:
- Recently Incorporated with Large Expected Volumes. A company incorporated in the last few months that declares volumes typical of a long-established business.
- Unclear or Layered Ownership Structure. Multiple holding vehicles across jurisdictions with no clear commercial rationale.
- Nominee Directors or Frequent Director Changes. Directors with no operational footprint, or board turnover shortly before onboarding.
- Mismatch Between Stated Activity and Transactions. A declared business model that does not credibly produce the volumes, counterparties, or asset types observed.
- Incorporation or Operations in High-Risk Jurisdictions. Presence in jurisdictions on FATF's grey or black lists, or in jurisdictions with no meaningful AML supervision of crypto businesses.
- No Clear Source of Funds. Inability or unwillingness to document where the company's assets actually come from.
- Links to Sanctioned or High-Risk Entities. Direct or indirect ownership or control connections that trigger sanctions screening, including under OFAC's 50 percent rule.
- Adverse Media Involving Financial Crime. Credible reporting connecting the company or key persons to fraud, money laundering, sanctions evasion, or enforcement actions.
- Wallet Exposure to Illicit Services. Addresses with direct or indirect exposure to mixers, darknet markets, scam clusters, or sanctioned services.
- Refusal to Provide Standard Documentation. Reluctance to share company documents, UBO information, or operational evidence that would normally be expected from a comparable business.
A single red flag may simply call for additional questions. Several together — for example, a recently incorporated entity with nominee directors, a high-risk jurisdiction, and wallet exposure to a mixer — describe a profile that almost always warrants enhanced due diligence at a minimum.
How to Build a Risk-Based KYB Workflow
KYB is most useful when it is risk-based rather than checklist-based. A low-risk merchant should not require the same depth of review as a cross-border OTC desk handling millions per week. In practical terms, a risk-based KYB workflow follows a recognizable sequence — not as 10 rigid steps, but as a layered process where each stage informs the next.
The team begins by collecting standard company information: legal name, registration number, jurisdiction, address, business activity, expected volume, and source of funds. This data is then verified against authoritative registries and, where the entity is from a jurisdiction with limited public registry coverage, against documentary evidence supplied by the customer.
Once the entity is confirmed, the focus shifts to people. The team identifies directors, authorized signatories, and ultimate beneficial owners, then runs each of them — together with the company itself — through sanctions, PEP, and adverse media screening. Hits are categorized: hard stops (confirmed sanctions matches) are escalated immediately; PEPs and adverse media trigger enhanced review rather than automatic refusal.
The next stage is qualitative. The team assesses the business model, the markets served, the asset types involved, and the counterparties expected. The output is a written view of what "normal" activity should look like for this customer — the baseline against which all subsequent transaction monitoring will operate.
The expected profile is then connected to on-chain reality. Wallet screening is performed on the addresses the customer intends to use. When the customer is itself a VASP, this also includes reviewing the counterparty's wallet infrastructure and screening practices, since its compliance posture becomes part of your own.
Based on all of the above, a risk level is assigned — typically low, medium, or high — and a corresponding due diligence path is applied: simplified, standard, or enhanced. Higher-risk customers may require senior compliance approval, additional documentation, or restricted product access until further review is complete.
After onboarding, monitoring continues. Sanctions and PEP lists are re-screened on a defined cadence. Wallet exposure is reassessed. Transaction behavior is compared against the expected profile. Material changes — a new UBO, a sanctions designation, a deviation in transaction patterns, the appearance of adverse media — reopen the KYB file rather than waiting for the next periodic review.
Finally, every step of this process is documented. Data sources, decisions made, the reasoning behind each decision, and the people who approved them are stored as a clear audit trail. Regulators rarely ask whether a decision was perfect; they ask whether the decision was reasoned and documented.
Conclusion
Crypto KYB is not the same exercise as crypto KYC, and it is not solved by a deeper version of the same form. The customer is a different kind of object — a legal entity with people behind it, jurisdictions around it, wallets in front of it, and a business model that may or may not match what is on paper.
For business clients and VASPs in 2026, the questions that matter are consistent across jurisdictions: who owns the company, who controls it, what it actually does, which jurisdictions and counterparties it touches, and how its wallets and transactions behave once the relationship is live. The regulations that define these questions vary in detail, but they converge on the same operational requirement: verify the entity, monitor the relationship, document the reasoning.
Strong KYB does not eliminate risk. It allows crypto businesses to onboard legitimate corporate clients more quickly while applying the depth of review where ownership, business activity, jurisdiction, or transaction risk actually justifies it.
FAQ
What Is a Crypto KYB Solution?
A crypto KYB solution helps businesses verify corporate customers, merchants, partners, and VASPs before onboarding. It typically combines company registry checks, legal status verification, identification of directors and ultimate beneficial owners, sanctions and PEP screening, adverse media checks, and business-risk signals into a single workflow that produces a documented decision and an audit trail.
Why Do Crypto Businesses Need Automated KYB Verification?
Automated KYB verification reduces manual checks, accelerates corporate onboarding, and applies risk controls consistently across every file. It allows compliance teams to verify company data against registries, screen related persons in real time, and identify higher-risk business relationships at the application stage rather than after activity has already begun.
What Should KYB Software for Crypto Businesses Include?
KYB software for crypto businesses should include company registry lookups, UBO identification through ownership structures, director verification, sanctions and PEP screening, adverse media checks, structured document collection, risk scoring, audit trails, and ongoing monitoring — ideally integrated with wallet screening and transaction monitoring rather than operating in isolation.
How Is KYB Different from KYC Software?
KYC software verifies individual users; KYB software verifies legal entities. For crypto businesses, KYB focuses on the company behind the account, its ownership structure, the people authorized to act on its behalf, the activities it actually performs, and the AML or sanctions risk that the business relationship creates — a substantially different problem from confirming the identity of a single retail user.
Can KYB Be Combined with KYT in Crypto Compliance?
Yes — and increasingly, it has to be. KYB verifies the corporate customer and establishes the expected business activity. KYT monitors wallet and transaction behavior after onboarding. Together, they let compliance teams compare what a customer said it would do with what it actually does, and update the risk profile when the two diverge.
When Should a Crypto Company Use a KYB Provider?
A crypto company should use a KYB provider when onboarding any legal entity customer — corporate clients, merchants, payment partners, OTC desks, brokers, VASPs, or other high-volume business counterparties. KYB is especially important when ownership, jurisdictions, source of funds, or expected transaction activity introduces complications that retail KYC alone cannot resolve.
What Are the Benefits of Automated KYB Onboarding?
Automated KYB onboarding reduces manual review time, improves consistency across files, supports faster approval for clearly low-risk businesses, and lets compliance teams focus their attention on complex or high-risk cases that genuinely require enhanced due diligence — which is typically where the most material risk sits.
Does KYB Help with Ongoing Compliance Monitoring?
Yes. KYB should support ongoing compliance because corporate risk does not freeze at onboarding. Changes in ownership, directors, sanctions status, adverse media, business activity, wallet exposure, or transaction behavior can all require a fresh review, and the KYB record is the file that those changes update.
What KYB Red Flags Should Crypto Compliance Teams Monitor?
Common KYB red flags include unclear ownership, nominee directors, recently incorporated companies with disproportionately large expected volumes, high-risk jurisdictions, adverse media involving fraud or enforcement, links to sanctioned entities, unclear source of funds, and wallet exposure to mixers, scam clusters, darknet markets, or other sanctioned services. The signal is rarely one flag — it is the pattern across several.
How Can Businesses Choose a KYB Solution for Crypto Compliance?
Businesses should choose a KYB solution that supports company verification, UBO checks, sanctions and PEP screening, adverse media checks, configurable risk scoring, audit trails, and ongoing monitoring — and that integrates with KYC, wallet screening, and transaction monitoring workflows rather than operating as an isolated tool.