Apr 2, 2025

25 KYB risk factors to watch in 2025

Gabrielle Bier
Marketing
Know Your Business (KYB) compliance has always been about trust: verifying that a business is real, legally structured, and safe to work with. But in 2025, “trust” is harder to gauge than ever.

We’re entering an era where business identities are fluid, entity creation is automated, and fraudsters use AI to mimic legitimacy. Add new regulatory expectations (like FinCEN’s Beneficial Ownership Information reporting), and the stakes of poor KYB decisions multiply.

Whether you’re onboarding customers, underwriting loans, or building B2B partnerships, these 25 KYB risk factors will help you evaluate who you’re really doing business with in 2025, and avoid being caught off guard this year and beyond.

Verify legitimacy with foundational business checks

1. Business registration mismatch
Cross-check business names, entity types, and addresses across Secretary of State (SOS) filings, onboarding forms, and EIN documents. Discrepancies may point to sloppy filings—or attempts to mislead.

2. Missing or invalid EIN/TIN
An Employer Identification Number (EIN) or Tax Identification Number (TIN) is the anchor of U.S. business legitimacy. Invalid or missing numbers should be treated as high-risk indicators.

3. Lapsed or revoked corporate status
Even previously approved businesses can fall out of good standing. Look for dissolution notices or revoked registrations in state records.

Consider building in periodic reviews to detect changes in standing, entity details, or risk profiles over time, like new addresses, UBOs, liens, or adverse media hits. Staying current isn’t just a best practice; it’s a regulatory expectation.

4. Suspicious incorporation timing
If a business was formed days before onboarding, or right before Tax Day, it may be a shell entity created to pass compliance checks.

5. Unusual entity structure
Layered LLCs, holding companies, or trusts can obscure beneficial ownership. These don’t always indicate fraud, but they require deeper scrutiny.

Understand who’s behind the business

6. Unverifiable UBO identities
If a business can’t—or won’t—provide information on its ultimate beneficial owners (UBOs), you’re dealing with incomplete risk visibility. In 2025, this is especially critical given Beneficial Ownership Information (BOI) requirements under the Corporate Transparency Act.

7. Reused UBOs across multiple entities
One person linked to dozens of businesses with the same address or phone number? This pattern can be an indicator of fraud rings or synthetic identity usage.

8. UBOs on sanctions/watchlists
Run UBOs against global sanctions databases, such as Office of Foreign Assets Control (OFAC), and politically exposed persons (PEPs) lists.

And don’t stop there — screen the business entity itself as well. A company can be listed for regulatory, reputational, or geopolitical reasons, even if its owners aren't individually flagged.

9. Adverse media on businesses or owners
Reputation risk matters. Use tools that monitor for criminal charges, lawsuits, or financial scandals tied to business owners or the business itself.

10. Use of nominee directors or shell ownership
Nominee arrangements, where third parties act as directors, can be used to mask the true controllers of a business. They are legitimate in some jurisdictions, but are often a red flag.

Assess financial and operational health

11. Outstanding tax liens or judgments
Public filings showing unpaid debts or legal claims can signal financial distress or a pattern of noncompliance.

12. Poor business credit rating
A weak credit profile can signal financial instability or poor payment history. Use business credit reports to assess delinquencies, legal filings, and overall creditworthiness, especially when onboarding for lending or vendor relationships.

13. No verifiable business revenue
Claims of large revenue should be backed by some form of third-party validation—transactional data, bank verification, or industry benchmarks.

14. Irregular banking behavior
Anomalies in linked bank account activity—like round-dollar transactions or high velocity for a new business—can signal suspicious activity.

15. Rapid revenue growth with no online presence
Sudden scale without corresponding digital footprint may indicate inflated performance claims or fabricated operations.

Check address and location risk signals

16. High-risk address types
Residential addresses, virtual offices, or shared coworking spaces aren't automatically suspicious—but if the address hosts multiple businesses, it could indicate a fraud ring.

17. Undeliverable or unverifiable address
Use address verification tools to confirm the address is real and active.

18. Address reuse in your own ecosystem
Fraud rings often use the same address across multiple applications. Look for internal duplication signals to catch these patterns early.
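
An added example (not Middesk's code) of the internal duplication check described in items 7 and 18: it normalizes addresses and owner names across constructed applications and flags any value shared by several distinct EINs for review. The field names, sample records, abbreviation table, and threshold of three entities are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample applications (not real businesses, people, or EINs).
APPLICATIONS = [
    {"id": "app-1", "ein": "00-0000001", "owner": "Jordan Reyes", "address": "100 Main St., Suite 200, Springfield, IL 62701"},
    {"id": "app-2", "ein": "00-0000002", "owner": "jordan  reyes", "address": "100 MAIN STREET STE 200 Springfield IL 62701"},
    {"id": "app-3", "ein": "00-0000003", "owner": "Jordan Reyes", "address": "100 Main Street #200, Springfield, IL 62701"},
    {"id": "app-4", "ein": "00-0000004", "owner": "Priya Nair", "address": "42 Oak Avenue, Dayton, OH 45402"},
    {"id": "app-5", "ein": "00-0000004", "owner": "Priya Nair", "address": "42 Oak Ave, Dayton, OH 45402"},
]

# Assumed, deliberately small abbreviation table; a production system would
# use a postal address standardization service instead.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "suite": "ste", "unit": "ste", "apt": "ste"}

def normalize_address(raw):
    """Lowercase, strip punctuation, and collapse common spelling variants."""
    text = raw.lower().replace("#", " ste ")
    tokens = re.sub(r"[^a-z0-9 ]", " ", text).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def normalize_name(raw):
    """Lowercase and collapse whitespace so trivial variants compare equal."""
    return " ".join(raw.lower().split())

def reuse_clusters(applications, key_fn, min_entities=3):
    """Return normalized keys shared by at least min_entities distinct EINs."""
    groups = defaultdict(list)
    for app in applications:
        groups[key_fn(app)].append(app)
    flagged = {}
    for key, apps in groups.items():
        # Count distinct EINs, so one business re-applying is not a cluster.
        if len({a["ein"] for a in apps}) >= min_entities:
            flagged[key] = sorted(a["id"] for a in apps)
    return flagged

def review_queue(applications, min_entities=3):
    """Clusters to send for manual review, keyed by the signal that fired."""
    return {
        "address": reuse_clusters(applications, lambda a: normalize_address(a["address"]), min_entities),
        "owner": reuse_clusters(applications, lambda a: normalize_name(a["owner"]), min_entities),
    }

if __name__ == "__main__":
    for signal, clusters in review_queue(APPLICATIONS).items():
        for key, ids in clusters.items():
            print(f"{signal} reuse: {key!r} -> {ids}")
```

Flagged clusters are candidates for deeper review rather than automatic rejections, since shared addresses and multi-entity owners are not suspicious on their own.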

Review digital and reputational signals

19. Mismatched email domains
Generic domains (like Gmail or ProtonMail) aren't always red flags, but when the address doesn’t align with the business website, it's worth a closer look.

20. Shallow or templated websites
One-page sites with stock images and no contact info may indicate a hastily spun-up front. Domain age and metadata can provide additional risk context.

21. Lack of social media presence
Most real businesses—especially in consumer-facing industries—maintain some form of social presence. Absence isn’t a dealbreaker, but it should prompt additional review.

22. Poor or absent business reviews
No presence on review sites like Yelp, Better Business Bureau (BBB), or Trustpilot could mean the business is brand new—or not operating at all.

Watch for emerging risks in 2025

23. High-risk industry classification
Businesses in sectors like crypto, cannabis, payday lending, or adult content may require enhanced due diligence due to regulatory or reputational risk.

24. Synthetic business identities
Fraudsters are now using synthetic techniques to fabricate business profiles—mixing real EINs, fake UBOs, and AI-generated websites to appear legitimate.

25. AI-generated business data
As generative AI becomes more accessible, fraudsters are using it to fabricate realistic websites, spoof documents, and auto-fill business applications.

Be cautious of perfectly polished but shallow online footprints, and use cross-verification with official data sources to spot inconsistencies.

Risk doesn’t mean “no” — it means “know”

Not all risk is disqualifying. A home-based business might be completely legitimate. A missing social media presence could reflect an early-stage company. The goal of KYB isn’t to eliminate all risk—it’s to understand it, document it, and decide if it falls within your tolerance.

At Middesk, we surface the right KYB risk signals—faster and with more clarity—by connecting directly to government sources, matching identity signals across datasets, and helping you automate the hard parts of due diligence.

Pro tip

Want to see how Middesk can modernize your KYB process in 2025?

Middesk helps leading fintechs and financial institutions modernize and streamline their KYB workflows, without sacrificing compliance. Request a demo or explore our KYB solutions.
