KYC & KYB for Fraud Prevention
Before building a KYC/KYB program, understand:
- Identity verification methods - Passive, documentary, biometric
- Fraud types - especially synthetic identity and account fraud
- Risk scoring for step-up triggers
- AML basics if you have regulatory obligations
- Most merchants under $1M/year don't need dedicated KYC tools. Your processor's built-in fraud tools and 3DS handle it.
- Already on Stripe? Stripe Identity is your easiest on-ramp - first 50 verifications free, then $1.50/verification, no new vendor relationship.
- Passive KYC ($0.02-0.50/check) uses data signals - phone, email, SSN, device. Start here when you outgrow processor tools.
- Documentary KYC ($0.80-5.00/check) adds ID scan + selfie + liveness. Step up to this for high-risk cases only.
- KYB (Know Your Business) matters if you onboard sellers, sub-merchants, or B2B vendors.
- Build proportionally: verify at the level your risk requires, not the level your vendor sells.
KYC vs. KYB: What's the Difference
Most merchants hear "KYC" and think "compliance paperwork for banks." But if you've ever had someone create a fake account on your site to abuse a promo, test stolen cards, or sell prohibited goods on your marketplace - that's the problem KYC solves. It's your first line of defense against fake account signups, synthetic identities, and onboarding-stage losses.
| | KYC (Know Your Customer) | KYB (Know Your Business) |
|---|---|---|
| Who | Individual customers or account holders | Businesses, sellers, sub-merchants |
| What you verify | Name, DOB, address, SSN/ID, face match | Business registration, beneficial owners, EIN, operating status |
| When | Account opening, high-value transactions, step-up triggers | Seller onboarding, sub-merchant boarding, B2B vendor approval |
| Why (fraud angle) | Stop synthetic identities, stolen credentials, underage users | Stop shell companies, money laundering fronts, banned merchants |
| Typical cost | $0.02-5.00/check depending on depth | $2-15/check (more data sources, manual review often needed) |
| Who needs it | Fintechs (always), marketplaces (for buyers), high-risk e-commerce | Marketplaces, payment facilitators, B2B platforms |
The compliance vs. fraud distinction matters. AML regulations require KYC for financial institutions (see AML basics). But even if you're not regulated, KYC as a fraud prevention tool can pay for itself by blocking bad actors at the door instead of eating chargebacks downstream.
What You're Defending Against
Identity fraud isn't one problem - it's a stack of different attacks targeting different layers of your verification process. Understanding which attacks you're exposed to determines which KYC tools you actually need.
| Attack | What Happens | Who's Exposed | What Catches It |
|---|---|---|---|
| Fake account signups | Bots or humans create accounts with throwaway emails and prepaid phones to abuse promos, test stolen cards, or commit refund fraud. | Everyone with public signup flows | Email/phone verification, device fingerprinting, rate limiting |
| Synthetic identities | Fabricated identities built from a mix of real and fake data (real SSN + fake name). Pass basic checks because parts are real. Build credit, then cash out. | Fintechs, lenders, BNPL, any business extending credit | Synthetic fraud scoring (Socure, SentiLink), multi-signal passive KYC |
| Stolen identities | A real person's complete identity used by someone else. Obtained from breaches, phishing, or dark web. Passes database checks because data is accurate. | Everyone, but especially high-value account creation | Bank account verification (Plaid), carrier tenure checks (Prove), documentary step-up |
| Forged/deepfake documents | Fake government IDs generated with AI, or deepfake selfies used to pass biometric verification. Injection attacks feed fake video directly into the verification pipeline. | Anyone using documentary verification | Liveness detection, injection attack detection (iProov, Jumio), document forensics |
| Shell company onboarding | Fraudulent businesses created to launder money, sell prohibited goods, or commit bust-out fraud on your marketplace. | Marketplaces, payment facilitators, B2B platforms | KYB verification (Middesk, Persona), beneficial ownership checks |
| Credential sharing | A real person willingly passes verification on behalf of a fraudster. Everything checks out technically. | Account-based businesses, fintechs | Behavioral analytics, ongoing monitoring, velocity checks |
The practical takeaway: Most SMB e-commerce merchants are primarily dealing with fake account signups and stolen card data - problems solved by processor tools, 3DS, and basic email/phone verification. You only need dedicated KYC vendors when you're seeing synthetic identities, regulatory requirements, or marketplace seller fraud. For the full technical breakdown of how each attack works and which vendors defend against each, see Identity Verification: What It's Up Against.
When You Need KYC (and When You Don't)
Not every merchant needs dedicated KYC tools. Here's when you do and don't:
| Business Type | Volume | KYC Recommendation |
|---|---|---|
| Standard e-commerce (physical goods) | Under $1M | No dedicated KYC. Processor tools + 3DS + AVS/CVV are enough. |
| Standard e-commerce | $1M-$10M | Maybe. Only if you see repeat fake account patterns or high first-order fraud. Try Stripe Identity first if you're on Stripe, otherwise start with passive checks. |
| Digital goods, gift cards, crypto | Any | Yes. High-risk categories attract fraud. At minimum, passive KYC on new accounts. |
| Subscription/SaaS | Under $5M | Light. Email + phone verification at signup. Step up for plan upgrades or payment method changes. |
| Fintech, lending, BNPL | Any | Required. Regulatory obligation plus high fraud exposure. Full KYC waterfall. |
| Marketplace (buyer side) | Any | Light. Passive signals at registration. Step up for high-value first purchases. |
| Marketplace (seller side) | Any | KYB required. You're liable for seller behavior. Verify business identity before they can list or receive payouts. |
| Payment facilitator | Any | KYB required. Network rules mandate sub-merchant due diligence. |
Stripe Identity is the fastest path to documentary verification for Stripe merchants. First 50 verifications free, then $1.50/verification (plus $0.50 for optional SSN lookup). No new vendor relationship, no separate integration. It handles ID document capture, selfie matching, and liveness detection using the same dashboard you already use. If you're on Stripe and considering documentary KYC, start here before evaluating standalone vendors.
The ROI Math
KYC pays for itself when fraud prevention savings exceed verification costs plus friction losses.
Example: You process 10,000 new accounts/month. Fraud rate on new accounts is 2%. Average fraud loss is $150. Monthly fraud cost: 200 accounts x $150 = $30,000.
- Passive KYC at $0.15/check = $1,500/month. If it catches 40% of fraud = $12,000 saved. Net benefit: $10,500/month.
- Documentary KYC on all accounts at $2.00/check = $20,000/month plus 10% abandonment (~$X in lost revenue). Often not worth it at this stage.
- Documentary KYC on flagged accounts only (top 10% risk) at $2.00/check = $2,000/month. If it catches an additional 30% = $9,000 saved. Net benefit: $7,000/month.
The right answer is almost always: passive KYC on everyone, documentary KYC on the high-risk subset.
Passive KYC: Data-First Verification
Passive KYC verifies identity without requiring the customer to do anything beyond entering their normal signup information. No document uploads, no selfies, no added friction. You send the customer's data to a verification API and get back a risk score or pass/fail.
Signal Types
| Signal | What It Checks | Fraud It Catches | Cost Range |
|---|---|---|---|
| SSN/Identity match | Does the SSN match the name + DOB + address? Was the SSN issued to a living person? | Synthetic identity, stolen identity, deceased SSN usage | $0.05-0.30 |
| Identity correlation | Does this phone/email/address actually belong to this person, not just "exist"? | Stolen identities (valid elements that don't belong to the same person) | Typically bundled with element-level checks |
| Phone/carrier verification | Line type (postpaid, prepaid, VoIP), carrier tenure, port history, SIM swap detection | Burner phones, SIM swap, VoIP fraud | $0.05-0.25 |
| Email risk scoring | Email age, domain reputation, deliverability, social presence, gibberish detection | Disposable emails, bot signups, auto-generated accounts | $0.05-0.15 |
| Device intelligence | Device fingerprint, emulator detection, proxy/VPN, behavioral analytics | Device farms, spoofing, scripted applications | $0.01-0.10 |
| Synthetic fraud scoring | Probabilistic model combining credit file velocity, inquiry patterns, SSN analysis, name gibberish detection | Synthetic identity | $0.02-0.15 |
| Address verification | Is this a real address? Residential or commercial? Correctional facility? PO box? Does the applicant actually live here? | Fake addresses, drop shipping, addresses tied to fraud rings | $0.01-0.05 |
| Deceased check | Is the SSN/identity associated with a deceased person? | Synthetic identities built on deceased persons' data | $0.02-0.10 |
| Bank account verification | Does this person own this bank account? What's the account history? | Stolen bank credentials, fabricated identities | $1.00-3.00 |
How Passive KYC Actually Works
When you send a customer's data to a passive KYC vendor, three things happen behind the scenes:
1. Entity resolution (identity matching). The vendor tries to match the PII you submitted against known records. This isn't just an exact-match lookup - it uses fuzzy matching for names (handling nicknames, typos, hyphens), address normalization (St. = Street, Apt = Apartment), and weighted scoring across all elements. The system finds the best-matched identity and tells you how confident it is.
2. Element-level risk scoring. Each element is scored independently. Is this email deliverable? Is this phone prepaid? Was this address recently associated with fraud? A high-risk phone number paired with a low-risk email and a medium-risk address creates a risk profile.
3. Correlation scoring. This is what separates real KYC from basic data checks. The system measures whether the identity elements actually belong to the same person. A stolen identity might have a valid SSN, a valid phone, and a valid email - but the SSN belongs to one person, the phone to another, and the email to a third. Correlation scoring catches this by checking name-to-phone, name-to-email, and name-to-address relationships across multiple data sources.
Data sources behind the curtain: Vendors pull from credit bureaus, alternative credit headers (utility and telecom records), government databases (SSA, IRS, DMV), deceased databases, educational institution records, and (with consent) banking data. More data sources generally means better accuracy, but also higher cost per check. When evaluating vendors, ask what data sources they use - it's the biggest differentiator between a $0.05 check and a $0.50 check.
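The difference between an element that exists and an element that belongs to the applicant is easiest to see in code. The sketch below is an added example, not any vendor's implementation: the records, applicants, lookup tables, and the 0.6/0.4 weights are all constructed assumptions, and step 2 is reduced to a bare existence check rather than a full risk score.

```python
import re
from difflib import SequenceMatcher

# Constructed records standing in for a vendor's data sources.
RECORDS = [
    {"name": "Robert Smith", "address": "12 Oak Street Apartment 4",
     "phone": "555-0100", "email": "rsmith@example.com"},
    {"name": "Maria Lopez", "address": "98 Pine Avenue",
     "phone": "555-0111", "email": "mlopez@example.com"},
]
# Small illustrative lookup tables; real systems use far larger ones.
NICKNAMES = {"bob": "robert", "rob": "robert", "bill": "william"}
ABBREVIATIONS = {"st": "street", "apt": "apartment", "ave": "avenue"}


def normalize(text, table):
    """Lowercase, drop punctuation and hyphens, expand known short forms."""
    tokens = re.sub(r"[^a-z0-9\s]", " ", text.lower()).split()
    return " ".join(table.get(t, t) for t in tokens)


def similarity(a, b, table):
    """Fuzzy match (0-1) between two values after normalization."""
    return SequenceMatcher(None, normalize(a, table), normalize(b, table)).ratio()


def resolve(applicant):
    """Step 1, entity resolution: best-matching record plus confidence (0-1)."""
    def score(record):
        name = similarity(applicant["name"], record["name"], NICKNAMES)
        addr = similarity(applicant["address"], record["address"], ABBREVIATIONS)
        return 0.6 * name + 0.4 * addr  # weights are assumptions
    best = max(RECORDS, key=score)
    return best, round(score(best), 2)


def elements_exist(applicant):
    """Step 2 in its simplest form: is each element known to *any* record?"""
    return {field: any(r[field] == applicant[field] for r in RECORDS)
            for field in ("phone", "email")}


def correlate(applicant):
    """Step 3, correlation: do phone and email belong to the resolved person?"""
    record, confidence = resolve(applicant)
    links = {field: record[field] == applicant[field]
             for field in ("phone", "email")}
    return {"matched": record["name"], "confidence": confidence,
            "links": links, "correlated": all(links.values())}


# Constructed applicants. GENUINE uses a nickname and abbreviations;
# STOLEN pairs Robert's name and address with Maria's phone number.
GENUINE = {"name": "Bob Smith", "address": "12 Oak St. Apt 4",
           "phone": "555-0100", "email": "rsmith@example.com"}
STOLEN = {"name": "Robert Smith", "address": "12 Oak Street Apt 4",
          "phone": "555-0111", "email": "rsmith@example.com"}

if __name__ == "__main__":
    for label, applicant in (("genuine", GENUINE), ("stolen", STOLEN)):
        print(label, elements_exist(applicant), correlate(applicant))
```

Both applicants pass the existence check on every element; only the correlation step shows that the second applicant's phone number belongs to a different person.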
Passive KYC Vendors
| Vendor | Strength | Coverage | Est. Cost/Check | Notes |
|---|---|---|---|---|
| Socure | Synthetic fraud detection, multi-signal scoring | US-centric | $0.10-0.50+ | Strongest synthetic ID model in the market. Used by 4 of top 5 US banks. |
| SentiLink | Synthetic ID scoring specialist | US only | $0.02-0.15 | Does one thing extremely well. Often used alongside other vendors. |
| Prove | Phone-centric identity (carrier signals, SIM tenure, number history) | Global | $0.05-0.25 | Zero-friction - customer doesn't do anything beyond entering their phone number. |
| Ekata (Mastercard) | Lightweight API checks - phone, email, address, IP, identity | Global | $0.05-0.30 | Good for adding identity signals without a heavy integration. Acquired by Mastercard in 2021. |
| Trulioo | Global identity verification (KYC + KYB + AML) | Global (195+ countries) | $0.50-2.00+ | Strong international coverage. Good for cross-border merchants. |
| LexisNexis | Largest identity data network (Emailage, ThreatMetrix, ID Analytics) | Global | $3.00-8.00+ | Enterprise pricing. Most comprehensive data but expensive. Best when you need the full stack. |
Plaid: Bank + Identity Combined
Plaid deserves a separate callout because it does something different from pure identity vendors. When a customer links their bank account through Plaid, you get:
- Account ownership verification - Is this person's name on the bank account?
- Account history - How old is the account? What's the balance pattern?
- Identity data - Name, address, phone, email from the bank's records
- Income signals - Transaction patterns that indicate real economic activity
This is powerful because bank data is hard to fake. You can create a synthetic identity with a fabricated SSN and a burner phone, but you can't easily create a fake bank account with years of transaction history. The signal quality is higher than any database check.
The tradeoff: Plaid charges a ~$500/month platform fee plus per-verification costs ($1-5+ for a full Identity + Auth flow). The customer also has to go through a bank-linking flow, which adds friction. Best when you already need bank connectivity (ACH payments, balance checks) and want to layer identity verification on top.
| Use Case | Plaid Worth It? |
|---|---|
| You already use Plaid for ACH | Yes - add Identity for minimal incremental cost |
| High-value accounts (lending, investing) | Yes - bank signal quality justifies friction |
| Standard e-commerce checkout | Probably not - too much friction for a purchase |
| Marketplace seller onboarding | Maybe - depends on payout method |
Documentary Verification: ID + Selfie
When passive checks aren't enough - or when your risk model flags someone - step up to documentary verification. The customer uploads a government ID (passport, driver's license) and takes a selfie. The system checks that the document is real, unaltered, and matches the person holding it.
When to Use Documentary Verification
- Passive KYC returned an unclear or high-risk result
- First transaction exceeds your risk threshold
- Account change on a high-value account (new device, new address)
- Regulatory requirement (fintech, lending, crypto)
- Manual review queue - documentary verification can resolve cases faster than analyst investigation
The Friction Cost
Documentary verification adds real friction. Industry benchmarks:
| Metric | Typical Range |
|---|---|
| Drop-off rate | 5-15% of users abandon during document upload (varies widely by implementation) |
| Completion time | 30-90 seconds for document + selfie (some vendors under 10 seconds) |
| Auto-approval rate | 70-90% (rest go to manual review or retry; top vendors exceed 90%) |
| False rejection rate | 1-5% (real customers incorrectly rejected; leading vendors target under 2%) |
This is why you don't put documentary verification on every customer. The ROI only works when the fraud risk justifies the conversion loss.
Documentary Verification Vendors
| Vendor | Est. Cost/Check | Self-Serve? | Best For | Notable |
|---|---|---|---|---|
| Stripe Identity | $1.50/verification (first 50 free) | Yes | Stripe merchants wanting zero new vendors | Built into Stripe. ID scan + selfie + liveness. No separate integration needed. |
| Veriff | $0.80-1.89 | Yes (published pricing) | SMBs wanting transparent pricing | Most transparent pricing in the market. Video-based verification option. |
| Sumsub | $1.35+ | Yes (Basic plan) | All-in-one KYC/KYB/AML | 2025 Gartner Leader. 220+ countries. Also offers no-code verification links (no engineering needed). |
| Persona | $1.50+ (Essential plan) | Yes | Developers, custom workflows | 2025 Gartner Leader. Strong orchestration layer. Also does KYB. |
| Jumio | $1-5+ | No | Global document coverage | 5,000+ document types across 200+ countries. Enterprise-focused. |
| Onfido (now Entrust) | $0.50-4+ | No | Fintech, workflow builder | Acquired by Entrust in 2024. Strong AI-based document analysis. |
| Incode | $1-4+ | No | Latin America, speed | 2025 Gartner Leader. 1.5-second average verification time. |
| Mitek | $1-4+ | No | Enterprise, strong growth | Named market leader by Datos Insights (Jan 2026). MiPass 4D biometric (face + voice + liveness). |
| Au10tix | $1-3+ | No | Speed, consortium attack detection | 4-8 second fully automated verification. Consortium of 60+ companies detects coordinated attacks. |
| iDenfy | $0.50-2+ | Yes | Mid-market, competitive pricing | 3,000+ document types. Includes KYB and AML screening. |
| iProov | $0.50-2+ | No | Deepfake/liveness specialist | Biometric-only (no document verification). Best injection attack detection in market. |
The Deepfake Threat
AI-generated deepfakes are the fastest-growing attack vector against documentary verification:
- US lenders faced $3.3B in exposure to synthetic identity fraud in 2024 (TransUnion)
- Injection attacks (feeding fake video directly into the verification pipeline) are up 40% year-over-year (Entrust 2026 Identity Fraud Report)
- Roughly 1 in 20 IDV attempts in financial services is fraudulent (Veriff, 2025)
- Injection attacks now outnumber presentation attacks (holding up a screen) and bypass basic liveness checks entirely (iProov)
What to look for in a vendor: Ask specifically about injection attack detection, not just presentation attack (photo/video replay) detection. Vendors like iProov and Jumio have invested heavily here. Cheaper vendors may only catch presentation attacks.
KYB: Verifying Businesses
If you onboard sellers, sub-merchants, or B2B vendors, KYB is not optional - it's how you prevent your platform from being used for money laundering, fraud, or selling prohibited goods.
When You Need KYB
| Scenario | KYB Requirement |
|---|---|
| Marketplace seller onboarding | Required. You're liable for seller behavior under network rules. |
| Payment facilitator sub-merchants | Required. Visa/Mastercard mandate sub-merchant due diligence. |
| B2B vendor approval | Recommended. Verify legitimacy before extending terms or access. |
| Affiliate/partner onboarding | Light check. Business registration + basic identity of owner. |
What to Verify
| Check | Why | How |
|---|---|---|
| Business registration | Is this a real, active company? | Secretary of State records, commercial databases |
| Beneficial ownership | Who actually controls this business? | UBO verification (25%+ owners + control person) |
| EIN/Tax ID | Does the tax ID match the business? | IRS verification, commercial databases |
| Operating history | How long has this business existed? | Formation date, web presence, transaction history |
| Sanctions/watchlist | Is this business or its owners on any lists? | OFAC, PEP, adverse media screening |
| Industry/MCC check | Is this a prohibited or high-risk business type? | Self-reported + verification against business description |
KYB Tools
| Vendor | Strength | Est. Cost/Check | Notes |
|---|---|---|---|
| Middesk | Business verification specialist | $5-15+ | Purpose-built for KYB. Checks registration, EIN, Secretary of State, liens, bankruptcies. |
| Persona | KYC + KYB in one platform | $3-10+ | Flexible workflows covering both individual and business verification. |
| Alloy | Orchestration + KYB | $2-8+ | Combines multiple data sources into unified decisioning. Strong in fintech. |
| Sardine | Fraud + compliance + KYB | Bundled | KYB is part of broader fraud/compliance platform. Best when you need the full stack. |
Manual vs. Automated KYB
| Volume | Approach |
|---|---|
| Under 50 sellers/month | Manual review is fine. Pull Secretary of State records yourself. |
| 50-500 sellers/month | Automate the standard checks, manual review for edge cases. |
| Over 500 sellers/month | You need automated KYB. Manual doesn't scale. |
Building a Proportional Program
The biggest mistake merchants make with KYC/KYB is over-building. You don't need enterprise-grade identity verification at $3M in annual volume. Build for where you are, not where you might be in three years.
Verification Waterfall
Start with the cheapest, lowest-friction checks. Only step up when the signal warrants it.
By Business Stage
| Stage | What to Use | Estimated Monthly Cost |
|---|---|---|
| Under $500K/year | Processor tools + email/phone verification. No dedicated KYC vendor. | $0 (included in processor) |
| $500K-$2M/year | If on Stripe, try Stripe Identity for documentary step-up on high-risk accounts (first 50 free). Otherwise, add passive KYC (Prove or Ekata for lightweight checks). | $0-500/month |
| $2M-$10M/year | Passive KYC on all new accounts + documentary step-up for flagged accounts. Consider Socure or SentiLink for synthetic fraud scoring. Sumsub or Veriff for documentary. | $500-3,000/month |
| $10M+/year | Full KYC waterfall. Dedicated vendor relationship. Possibly Plaid for bank+ID if ACH is part of your model. KYB if you have sellers. | $3,000-15,000+/month |
Integration Approach
- Start with one vendor. Don't build a multi-vendor KYC stack until you've exhausted what one vendor can do.
- Use progressive onboarding. Collect minimal PII at first (name, email, phone), run passive checks on that. Only request SSN, government ID, or selfie when the risk level demands it. This reduces friction for good customers while still catching bad ones. Think of verification as a conversation, not a gate.
- Shadow mode first. Run KYC checks in parallel without blocking customers for 2-4 weeks. Measure what it would have caught.
- Set thresholds before you launch. Decide your pass/fail/review cutoffs before seeing results. Otherwise you'll rationalize whatever happens.
- Measure abandonment. Track signup completion rates before and after KYC. If abandonment spikes more than fraud drops, you've over-verified.
- Build escalation paths, not dead ends. When a customer fails passive verification, offer documentary verification as a step-up rather than a decline. This is especially important for thin-file populations (young adults, recent immigrants) who may fail data-based checks but can pass documentary verification easily.
- Re-evaluate quarterly. Your fraud mix changes. Your KYC program should too.
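A sketch of how the waterfall, pre-set thresholds, escalation paths, and shadow mode fit together. This is an added example, not code from any vendor: the 0-100 score scale, the two cutoffs, the action names, and the sample data are all assumptions made for illustration.

```python
from collections import Counter

# Hypothetical cutoffs on a 0-100 passive risk score (higher = riskier).
# They are fixed here, before any results are seen.
PASS_BELOW = 30   # below this: approve on passive signals alone
FAIL_FROM = 70    # at or above this: the passive check counts as failed


def waterfall(passive_score, doc_passed=None):
    """Return the next action for one signup.

    doc_passed stays None until the customer has completed ID + selfie.
    """
    if passive_score < PASS_BELOW:
        return "approve"
    if doc_passed is None:
        # Unclear or failed passive result: escalate instead of declining.
        return "request_document"
    if not doc_passed:
        return "decline" if passive_score >= FAIL_FROM else "manual_review"
    # Document verified; a failed passive check still gets an analyst look.
    return "manual_review" if passive_score >= FAIL_FROM else "approve"


def onboard(passive_score, shadow=True):
    """In shadow mode nobody is blocked; the decision is only recorded."""
    decision = waterfall(passive_score)
    return {"enforced": "approve" if shadow else decision,
            "would_have": decision}


def shadow_report(signups):
    """Summarise a shadow-mode period.

    signups: iterable of (passive_score, later_confirmed_fraud) pairs.
    """
    counts = Counter()
    for score, was_fraud in signups:
        stepped_up = onboard(score, shadow=True)["would_have"] != "approve"
        counts[("fraud" if was_fraud else "good"), stepped_up] += 1

    def pct(group):
        total = counts[group, True] + counts[group, False]
        return round(100 * counts[group, True] / total, 1) if total else 0.0

    return {"fraud_flagged_pct": pct("fraud"),
            "good_customers_stepped_up_pct": pct("good")}


# Constructed shadow-mode sample: (passive score, confirmed fraud later?)
SAMPLE = [(12, False), (18, False), (25, False), (41, False), (22, False),
          (8, False), (35, False), (15, False), (88, True), (64, True),
          (27, True), (76, True)]

if __name__ == "__main__":
    print(onboard(85, shadow=True))
    print(shadow_report(SAMPLE))
```

The report's two numbers are the ones to compare before turning enforcement on: how much later-confirmed fraud the step-up would have reached, and how many good customers would have been asked for a document.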
Common Mistakes
| Mistake | Why It's Wrong | What to Do Instead |
|---|---|---|
| Verifying every customer with documentary KYC | 5-15% abandonment on customers who were never going to defraud you | Passive first, documentary only on high-risk |
| Buying enterprise KYC at SMB volume | LexisNexis at $3-8/check when you process 500 accounts/month is $1,500-4,000/month for a problem that costs you less | Start with Prove ($0.05-0.25) or Ekata ($0.05-0.30) |
| Using KBA as primary verification | Knowledge-based authentication is broken. Data breaches compromised most KBA answers years ago. | Use KBA as a secondary signal at most |
| Skipping ongoing monitoring | Identity verified at onboarding doesn't mean the account stays clean | Periodic re-verification on high-risk accounts, monitor for behavior changes |
| Ignoring KYB for marketplace sellers | You're liable for seller fraud and prohibited goods. Network rules require sub-merchant due diligence. | KYB before first listing goes live |
| Building a multi-vendor stack too early | Three vendors at $2M volume = expensive plumbing, not better fraud detection | One vendor, tuned well, beats three vendors poorly integrated |
| Not measuring friction impact | You blocked $5K in fraud but lost $20K in abandoned signups | Always A/B test KYC flows and track conversion |
| Ignoring false rejections on thin-file populations | Young adults, recent immigrants, and people without credit history fail passive checks at higher rates - you're rejecting real customers | Build documentary step-up paths so thin-file customers can verify via ID + selfie instead of getting declined |
| Checking elements without correlation | "Does this phone exist?" is a different question from "Does this phone belong to this person?" Element-level checks alone miss stolen-identity fraud where every element is valid but belongs to different people | Choose vendors that provide identity correlation (name-to-phone, name-to-email, name-to-address), not just element-level validation |
Next Steps
Starting from zero?
- Measure your current fraud exposure - Know what KYC needs to solve
- Understand identity verification methods - Passive, documentary, biometric
- Check if you have regulatory requirements - AML/BSA obligations
Adding KYC to an existing fraud program?
- Design your verification waterfall - Least to most friction
- Pick your stage - Don't over-build
- Evaluate vendors - Compare options
Need KYB for marketplace/platform?
- Determine what to verify - Registration, UBO, sanctions
- Choose manual vs. automated - Based on volume
- Select a KYB vendor - Middesk, Persona, Alloy, or Sardine
See Also
- Identity Verification - Methods, vendor comparison, and attack vectors
- Synthetic Identity Fraud - What KYC catches
- Account Fraud - Fake signups, multi-accounting, onboarding-stage fraud
- AML Basics - Regulatory KYC/CDD/EDD requirements
- Data Enrichment - Lightweight email, phone, IP signals (cheaper than full KYC)
- Risk Scoring - Step-up triggers for verification
- Fraud Vendors - Full vendor landscape
- Device Fingerprinting - Device-based identity signals
- 3D Secure - Authentication as fraud prevention