KYB Explained: What Banks Must Verify When Onboarding a Company
What KYB (Know Your Business) means in practice — the entity, ownership, and activity facts a bank must verify before opening a company account, and how to capture them digitally.
Know Your Business, or KYB, is the discipline of establishing who a corporate customer really is before a bank lets it transact. It extends the familiar individual checks of Know Your Customer to the harder problem of a legal entity that can hold assets, sign contracts, and obscure the people behind it. For banks, SACCOs, microfinance institutions, and fintechs across East Africa, getting KYB right is both a regulatory expectation under Central Bank of Kenya prudential guidance and a practical defence against fronting, shell companies, and accounts opened for purposes the institution never sanctioned.
What KYB is and how it differs from individual KYC
A natural person presents themselves, a national ID, and a verifiable address, and the bank can largely complete due diligence against that one identity. A company is not so simple. It is an abstraction created by registration, controlled by directors, owned by shareholders who may themselves be other companies, and operated by signatories who need not own a single share. KYB therefore has to look through the entity to the humans who direct and benefit from it, while also confirming that the entity itself legally exists and is in good standing.
The practical difference is one of layers. Individual KYC verifies one identity; KYB verifies an entity, a set of people, and a pattern of activity, and then has to reconcile all three into a coherent picture. A registration certificate that names directors who do not appear among the declared signatories, or a stated nature of business that does not match the expected turnover, is exactly the kind of inconsistency KYB exists to surface. This is why KYB sits at the front of any sound customer due diligence for business accounts programme rather than alongside it — you cannot assess risk until you know what you are assessing.
Pillar one: verifying the entity
The first task is to establish that the company is a real, registered legal person. In Kenya this means confirming the entity against the records held by the Business Registration Service through eCitizen: the Certificate of Incorporation that proves the company exists, the CR12 that lists its directors and shareholders, and the KRA PIN that ties it to the tax system. Supporting constitutional documents — the Memorandum and Articles of Association, and where relevant annual returns — confirm how the company is permitted to act and that it has kept its filings current.
A digital onboarding journey captures these facts deliberately rather than leaving them buried in an email thread. In the Creodata Business Account Opening System, the opening step of the nine-step wizard collects entity and company details, the KRA PIN, the date of incorporation, the registration and business type, and the registered and physical addresses, while a checklist-driven document step requires the Certificate of Incorporation, CR12, KRA PIN certificate, and Memorandum and Articles of Association to be uploaded before the application can be reviewed. Because the checklist is configurable per tenant, an institution can mandate exactly the entity evidence its policy demands, and staff verify each document inside a structured workflow rather than against an ad hoc mental list.
Pillar two: verifying the people
Once the entity is established, KYB turns to the people who control and operate it. There are two distinct populations here, and conflating them is a common source of weak onboarding. Signatories are the individuals authorised to operate the account; beneficial owners are the individuals who ultimately own or control the company. They overlap sometimes, but never assume it.
The bank must identify each authorised signatory with appropriate identification and a passport photo, and record how they are permitted to act through the signing mandate — singly, jointly, on an either-or-survivor basis, or under a special instruction. Separately, it must look through the share register to the natural persons who sit behind it. Where shares are held by another company or a nominee, the institution has to keep tracing until it reaches a human, a process explored in depth in beneficial ownership and significant stakeholders at onboarding. For complex structures, the AML-cluster treatment of beneficial ownership and entity resolution covers the layered-ownership and look-through problem in greater technical detail.
BAOS captures both populations in dedicated wizard steps. The compliance step records the significant stakeholders — directors, shareholders, partners, or a sole proprietor — alongside PEP and FATCA declarations, while a separate step captures up to four authorised signatories with their identification and passport photos, and the signing-mandate step records the operating instruction and terms acceptance. Keeping ownership and operating authority in distinct steps means the people who benefit and the people who transact are documented separately, exactly as KYB requires. Identifying a politically exposed person among those people then feeds the screening discussed in PEP and sanctions screening at account opening.
Pillar three: verifying the activity
The third pillar is the one most often treated as a formality, and it is where many problems hide. KYB is not complete once you know the company and its people; you also have to understand what the business actually does, why it wants the account, and how much money it expects to move. The nature of the industry and key activities, the stated purpose of the account, the expected annual turnover, and the employee range together form a baseline expectation. That baseline is what later monitoring measures behaviour against — without it, an unusual transaction has nothing to be unusual relative to.
This activity profile is also the raw material for risk rating. A locally trading retailer with modest turnover sits in a different risk band from a money-services business or an entity with cross-border flows, and the bank's response — standard or enhanced scrutiny — should follow from that profile. The structured model behind this judgement is set out in the AML-cluster guide to the customer risk assessment model. In BAOS, the first wizard step captures the nature of industry and key activities, the employee range, the annual-turnover range, and the purpose of the account, while the account-selection step records the product, currency, and customer segment — so the activity picture is part of the application record from the outset rather than reconstructed afterwards.
Bringing the three pillars together digitally
The value of digital onboarding is not merely that it replaces paper; it is that it captures the three pillars as connected, verifiable data and refuses to let an application proceed while a pillar is incomplete. The table below maps each pillar to where it is captured and the evidence that supports it.
| KYB pillar | What the bank establishes | Where it is captured in BAOS |
|---|---|---|
| Entity | Legal existence, registration, tax identity | Business information step; Certificate of Incorporation, CR12, KRA PIN certificate, MAA uploads |
| People | Beneficial owners and authorised signatories | Compliance step (stakeholders, PEP/FATCA); signatories and signing-mandate steps |
| Activity | Nature of business, purpose, expected turnover | Business information and account-selection steps |
Because the platform auto-saves to draft between steps and lets an applicant leave and resume, the burden of supplying complete entity, ownership, and activity data does not force the journey to be completed in one sitting. The compliance screening service runs PEP, FATCA, and KYC/AML checks and routes the application into a staff compliance-review workflow, and an append-only audit log records every action taken — so the KYB picture is not only captured but defensible. That every check and decision leaves a durable trail is the subject of audit-ready onboarding trails, and the broader sequence from application to account sits within the corporate account opening process. For the full programme view, see the complete guide to business account opening.
Frequently asked questions
What is the difference between KYB and KYC?
KYC verifies a single natural person against an identity document and address. KYB applies to a legal entity and is broader: it must verify that the company legally exists and is registered, identify both the beneficial owners who ultimately control it and the signatories authorised to operate the account, and establish what the business does and why it wants the account. KYB effectively contains several KYC checks on the people involved, wrapped around entity and activity verification.
Which documents does a bank need to complete KYB in Kenya?
At minimum a bank typically requires the Certificate of Incorporation to prove the entity exists, the CR12 to confirm directors and shareholders, and the KRA PIN certificate for tax identity, supported by the Memorandum and Articles of Association and, where relevant, annual returns and board resolutions. Identification and passport photos are needed for each authorised signatory. The exact list is configurable per institution, and a digital checklist ensures every required item is uploaded before review begins.
Is verifying beneficial owners part of KYB?
Yes. Identifying the natural persons who ultimately own or control the company is one of the three core pillars of KYB, and it cannot be skipped when ownership runs through other companies or nominees. The bank must trace through each layer until it reaches a human being. This is captured at onboarding as part of the significant-stakeholders declaration and is examined in detail in the dedicated beneficial-ownership articles linked above.
KYB only delivers value when its three pillars are captured cleanly, verified, and preserved as evidence. The Creodata Business Account Opening System builds entity, ownership, and activity verification into a single guided journey with configurable document checklists, compliance screening, and an append-only audit trail. To see how it would handle your institution's KYB policy, book a demo.