Business Verification Basics

This guide serves as an introduction to the most important concepts of business verification.

We will cover:

• KYC vs. KYB: Understanding the Distinction
• How Businesses are Registered in the United States
• Tax Identification Numbers (TINs)
• Business Age and "Months in Business"
• Business Verification vs. Credit Assessment
• Regulatory Context and Compliance Requirements
• Why Modern Business Verification Exists

---

The Key Concepts section of our documentation includes other detailed entries that are also essential for achieving a fundamental understanding of KYB and the US business identity landscape.

---

KYC vs. KYB: Understanding the Distinction

Know Your Customer (KYC)

KYC focuses on verifying individual identities. In the United States, this process is relatively straightforward because individuals exist at the federal level with consistent identifiers:

• Social Security Number (SSN) serves as a universal identifier
• A person's identity remains consistent across all states
• Centralized databases (SSA, IRS) provide authoritative verification

Know Your Business (KYB)

KYB verifies business identities and assesses their legitimacy and risk. This process is significantly more complex in the US because:

• Businesses exist only at the state level - there is no federal business registry
• A business registered in California is fundamentally different from one registered in Delaware, even if they share the same name
• Each of the 50 states maintains its own Secretary of State (SoS) database with different formats, update frequencies, and data quality standards
• No single authoritative source exists for comprehensive business information

This fragmentation creates the core challenge that modern business verification platforms address: aggregating and standardizing data from 50+ disconnected state registries, federal databases, and supplementary sources into a unified, actionable dataset.

Global KYB Context

While this guide focuses on US business verification, it's important to note that KYB is a global regulatory requirement. Financial institutions operating internationally must verify business entities in every jurisdiction they serve, each with its own:

• Company registries (Companies House in the UK, company registrars in EU nations, etc.)
• Business structures and legal frameworks
• Regulatory requirements and compliance standards

Baselayer's focus: While KYB is universally necessary, Baselayer's core expertise and differentiation lies in US business verification - solving the unique complexity of the 50-state US system with real-time data, AI-powered enrichment, and proprietary fraud intelligence networks.

---

How Businesses are Registered in the United States

The Secretary of State Registry System

Every business entity in the US must register with at least one state's Secretary of State office. This registration establishes the legal existence of the business and provides:

• Legal business name (as filed with the state)
• Business structure (LLC, Corporation, Partnership, etc.)
• Registration date (date of incorporation or formation)
• File number (state's internal identifier)
• Registered agent, officers, and business address
• Status (active, inactive)

Domestic vs. Foreign Registration

• Domestic Registration: The state where the business was originally formed or incorporated. This is the business's "home state" and primary legal identity.
• Foreign Registration: When a business wants to conduct business in states other than its home state, it must register as a "foreign entity" in those additional states. Despite the name, this has nothing to do with international operations - it simply means "foreign to that particular state."

Example: A Delaware LLC that operates in California and New York would have:

• One domestic registration (Delaware)
• Two foreign registrations (California and New York)

Update Frequency and Data Freshness

State registries update at different cadences:

• Some states provide real-time or daily updates
• Others update weekly, monthly, or even less frequently
• Data can be 6-12 months old in legacy commercial databases

Modern verification platforms such as Baselayer establish direct pipelines to each state for maximum freshness, updating their database every day.

---

Tax Identification Numbers (TINs)

What is a TIN?

A Tax Identification Number is issued by the IRS to identify taxpayers. For businesses, this is typically an Employer Identification Number (EIN).

EIN (Employer Identification Number)

• Federal tax ID for businesses
• Nine-digit number (format: XX-XXXXXXX)
• Required for corporations, partnerships, and most LLCs
• Used for tax filing, banking, hiring employees

When Businesses Use SSN Instead of EIN

Sole proprietorships without employees may use the owner's Social Security Number rather than obtaining a separate EIN. This is legal but creates verification challenges since:

• The business identity and owner identity are the same
• Secretary of State registries typically don't track sole proprietorships
• TIN verification becomes the primary method of confirming business legitimacy

TIN Verification

Modern business verification platforms can validate TINs in real-time with the IRS to confirm:

• The TIN exists and is valid
• The business name matches IRS records

This real-time verification provides ~99.9% coverage compared to cached databases that may only cover 15-25% of businesses.

---

Business Age and "Months in Business"

The age of a business is a fundamental risk indicator used across underwriting models:

How it's calculated: Time since the business's incorporation/formation date as recorded with the domestic Secretary of State.

Why it matters:

• Newer businesses (<6 months) have higher risk profiles
• Many fraud schemes use very recently incorporated entities
• Age thresholds vary by product and risk tolerance (common thresholds: 6 months, 12 months, 24 months)

---

Business Verification vs. Credit Assessment

Business verification is the foundation of risk assessment - confirming identity, legitimacy, and detecting fraud signals. However, comprehensive credit underwriting typically requires multiple data sources working together. Here's how business verification fits into a complete underwriting stack:

What Business Verification Covers

• Identity confirmation: Does this business exist legally?
• Registration validation: Is it in good standing with the state?
• Officer verification: Are the claimed officers associated with the business?
• Basic risk signals: Age, structure, watchlist hits, lien activity
• Digital presence: Does the business appear legitimate online?
• Fraud indicators: Is this entity flagged in fraud networks?

Complementary Tools for Credit Underwriting

For comprehensive underwriting, business verification is typically combined with:

• Credit bureau reports (D&B, Experian, Equifax Business)
• Bank account verification (Plaid, Finicity)
• Document verification (tax returns, bank statements)
• KYC for beneficial owners (SSN verification, identity document checks)

---

Regulatory Context and Compliance Requirements

Business verification exists not just as a risk management best practice, but as a legal requirement for financial institutions under US federal law. Understanding these requirements helps frame why thorough KYB processes are essential.

Customer Identification Program (CIP)

Legal basis: Section 326 of the USA PATRIOT Act requires all financial institutions to implement a Customer Identification Program.

Core requirements:

• Verify the identity of customers opening accounts or establishing relationships
• Obtain identifying information: legal business name, address, and Tax ID (EIN/TIN)
• Verify this information using reliable, independent sources - typically Secretary of State registries, IRS validation, and other authoritative databases
• Maintain records of verification methods and results
• Compare customer information against government lists of known terrorists and criminals (OFAC screening)

Why this matters: This is why business verification starts with confirming the business exists in Secretary of State records and validating the TIN with the IRS - these are the authoritative sources regulators expect.

Official resource: FinCEN CIP Rule (31 CFR 1020.220)

Customer Due Diligence (CDD) Rule

Legal basis: FinCEN's Customer Due Diligence Requirements (effective May 2018) go beyond basic identity verification.

The Four Core Requirements:

1. Identify and verify customer identity (covered by CIP)

2. Identify and verify beneficial owners - individuals with 25%+ ownership or significant control (KYB alone isn't sufficient - you also need KYC on the beneficial owners)

3. Understand the nature and purpose of the customer relationship - business activities, expected volume, industry, risk profile

4. Conduct ongoing monitoring - continuous transaction monitoring, periodic information updates, status changes

Why this matters: CDD rules are why business verification needs to go beyond "does this business exist?" to include officers, beneficial owners, digital presence analysis, and ongoing monitoring.

Official resource: FinCEN CDD Final Rule

Bank Secrecy Act (BSA) and Anti-Money Laundering (AML)

Legal basis: The Bank Secrecy Act (1970) and subsequent amendments require financial institutions to assist government agencies in detecting and preventing money laundering.

Key AML Requirements:

• Risk-based AML program with policies, compliance officer, training and audits
• Sanctions screening against OFAC SDN list at onboarding and periodically
• Suspicious Activity Reporting (SAR) within 30 days of detecting potential money laundering or fraud
• Recordkeeping for 5 years including customer identification and verification documentation

Why this matters: This is why watchlist screening (OFAC, PEP lists) is non-negotiable, and why institutions need detailed documentation of their verification process. It also explains why fraud consortiums are valuable - they help identify suspicious patterns that might warrant SARs.

Official resources:

• FinCEN BSA Overview
• FFIEC BSA/AML Examination Manual

Enhanced Due Diligence (EDD)

For higher-risk customers, additional scrutiny is required:

When EDD is triggered:

• Politically Exposed Persons (PEPs) involved as beneficial owners
• Businesses in high-risk industries (money services, gambling, cannabis, cryptocurrency)
• Unusual ownership structures or red flags identified during standard CDD

EDD requirements: More frequent monitoring, additional documentation, senior management approval, enhanced transaction monitoring.

Why This Matters for Business Verification

These regulations explain why comprehensive business verification is mandatory:

1. CIP requires authoritative data sources → Secretary of State registries, IRS TIN validation
2. CDD requires understanding the business → Industry classification, website analysis, business age
3. CDD requires beneficial owner verification → Officer/ownership data, online association research
4. BSA/AML requires sanctions screening → OFAC, PEP watchlists for business and all officers
5. Ongoing monitoring is required → Portfolio monitoring for status changes, liens, bankruptcies, fraud flags
6. Documentation is required → Structured data, audit trails, match quality scores

Business verification isn't optional or a "nice to have" - it's a fundamental compliance requirement with real penalties for failure (fines, enforcement actions, loss of banking relationships).

Note: This guide provides general information for context. Consult with your compliance and legal teams to ensure your specific implementation meets all applicable regulatory requirements for your institution type and jurisdiction.

---

Why Modern Business Verification Exists

Traditional business verification approaches have failed to keep pace with digital-first financial services:

The Legacy Problem

Stale data: Credit bureaus and legacy providers often have data that's 3-12 months old. A business can be dissolved, change ownership, or accumulate liens without this being reflected in cached databases.

Poor coverage: Businesses under 3 years old, small businesses, and sole proprietorships often have thin or non-existent files in traditional databases.

Low match rates: Exact name matching requirements lead to 50%+ manual review rates when businesses provide slight variations of their legal name.

No real-time IRS verification: Cached EIN databases cover only 15-25% of businesses. Modern platforms verify directly with the IRS in real-time.

No fraud intelligence: Traditional data vendors don't share fraud networks or application velocity signals.

The Modern Solution

Next-generation business verification platforms like Baselayer solve these problems through:

• Direct state pipeline access: Real-time or near-real-time data from all 50 Secretary of State registries
• Real-time IRS integration: Live TIN verification with ~99% coverage
• AI-powered enrichment: Finding websites, predicting industries, matching officers using web intelligence
• Network intelligence: Identity networks and fraud consortiums that detect patterns across institutions
• Comprehensive coverage: Handling both registered entities and sole proprietorships through multiple verification methods
• Modern API architecture: Webhook-based async responses, sub-5-second P99 latency, developer-friendly integration