Know Your Supplier (KYS): Vendor Verification Checklist 2026
Complete KYS guide for procurement teams: 12-step vendor verification checklist, UK/EU regulatory requirements (MLR 2017, Modern Slavery Act), red flags, and automation.

Know Your Supplier (KYS) is the structured due diligence process used by procurement and compliance teams to verify the legal identity, financial standing, sanctions profile, and bank account details of suppliers before and during a commercial relationship. Originating in financial services alongside KYC (Know Your Customer) and KYB (Know Your Business), KYS has become a cross-industry procurement standard driven by increasingly demanding regulatory requirements.
In the United Kingdom, supplier verification sits at the intersection of four regulatory frameworks: the Modern Slavery Act 2015, the Bribery Act 2010, the Money Laundering Regulations 2017 (MLR 2017) as amended by the 2022 regulations, and the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Companies that fail to verify their supply chain face civil fines, reputational damage, and potential criminal liability for complicity in tax evasion or modern slavery.
Procurement teams that automate their KYS verification process reduce manual processing time by 83% and cut the cost per supplier dossier by 67% (CheckFile platform data, internal analysis 2026). This guide sets out the 12-step checklist, regulatory framework, and risk scoring model used by compliance-ready procurement functions.
What Is Know Your Supplier (KYS)?
KYS is a three-dimensional due diligence process: verifying legal identity, authenticating bank account details, and continuously monitoring the supplier's risk profile throughout the commercial relationship. It differs from a one-off onboarding check by being an ongoing programme with scheduled review cycles tied to each supplier's risk tier.
A complete KYS programme covers:
- Legal entity verification (incorporation, status, registered address)
- Ultimate Beneficial Owner (UBO) identification (Persons with Significant Control in UK terminology)
- Screening against international sanctions lists (UK OFSI, EU consolidated list, OFAC SDN, UN Security Council)
- Politically Exposed Person (PEP) checks for directors and beneficial owners
- Adverse media screening for criminal, regulatory, and reputational risk
- Bank account ownership verification against Companies House-registered details
As of March 2026, the Economic Crime and Corporate Transparency Act 2023 (ECCTA) requires companies to verify the identity of persons with significant control (PSCs), making accurate UBO data a legal obligation, not just a risk management best practice (ECCTA 2023, Part 1).
UK Regulatory Framework for KYS
Four key pieces of UK legislation drive supplier verification obligations:
Modern Slavery Act 2015: businesses with global annual turnover above £36 million must publish an annual slavery and human trafficking statement, which requires supply chain due diligence. The Home Office guidance on supply chain transparency specifies the expected depth of supplier verification.
Bribery Act 2010: companies can mount an "adequate procedures" defence against bribery charges, but only if they have documented due diligence procedures covering third parties including suppliers. The Ministry of Justice guidance lists supplier risk assessment as a core element of adequate procedures.
MLR 2017 (as amended 2022): regulated entities (banks, accountants, lawyers, estate agents, crypto asset firms) must apply customer due diligence to suppliers providing services related to their regulated activities. Enhanced due diligence is required for high-risk third-party relationships (MLR 2017, Regulations 28–33).
ECCTA 2023: tightens Companies House requirements and mandates identity verification for company directors and PSCs, increasing the baseline standard for what constitutes adequate KYS documentation.
| Regulation | Threshold | Primary KYS Obligation |
|---|---|---|
| Modern Slavery Act 2015 | >£36M global turnover | Annual supply chain due diligence statement |
| Bribery Act 2010 | All companies | Adequate procedures for third-party bribery risk |
| MLR 2017 (as amended) | Regulated entities | CDD/EDD on suppliers in regulated service scope |
| ECCTA 2023 | All UK companies | PSC identity verification on Companies House |
| EU CSDDD (for EU supply chains) | >1,000 employees, >€450M turnover | Value chain due diligence from 2027 |
KYS Verification Checklist: 12 Required Steps
Compliance and procurement professionals consistently flag two steps most commonly skipped in practice: UBO verification and sanctions screening. Both can expose the company to significant regulatory penalties if overlooked.
Steps 1–4: Legal Identity Verification
| Document | Official Source | Review Frequency |
|---|---|---|
| Companies House confirmation statement | Companies House | On onboarding + annually |
| Articles of association | Companies House | On onboarding |
| PSC register extract (beneficial owners) | Companies House | On onboarding + on any change |
| VAT registration certificate | HMRC VAT checker | On onboarding |
Steps 5–6: Bank Account Verification
Bank account authentication is the most effective protection against Business Email Compromise (BEC) fraud, a payment diversion attack that accounted for 31% of supplier fraud cases tracked on our platform in 2025. Verification must be repeated every time a supplier communicates a banking change, regardless of the communication channel. Verbal or email-only notifications should never be acted upon without independent verification.
Steps 7–9: Sanctions, PEP, and Adverse Media Screening
Screening must cover the UK OFSI consolidated list, the EU consolidated sanctions list, the OFAC SDN list, and the UN Security Council list. PEP checks must extend to directors, PSCs, and senior management. Adverse media searches should cover criminal convictions, FCA enforcement actions, HMRC civil investigations, money laundering allegations, and involvement in organised crime.
Steps 10–12: Sectoral and Operational Checks
Depending on the supplier's sector: professional authorisations and licences, ISO certifications (9001, 27001, 14001), public liability and professional indemnity insurance certificates, and right-to-work compliance documentation for labour-only supply contracts.
Risk Scoring Model
Applying a uniform verification level to every supplier is operationally unsustainable. A risk-tiered model concentrates enhanced due diligence where it matters most.
| Risk Tier | Criteria | Review Cycle |
|---|---|---|
| Low | UK/EEA registered, <£50K/year, non-regulated sector | Annual |
| Medium | Non-EEA registered, £50K–£500K/year, or regulated sector | Semi-annual |
| High | >£500K/year, FATF grey/black-list jurisdiction, or regulated services | Quarterly + EDD |
| Critical | Strategic supplier, operations in sanctioned territories | Continuous monitoring |
The CheckFile Document Risk Index scores supplier dossiers in high-transaction sectors at an average of 6.2/10, justifying systematic automation to maintain verification completeness across large portfolios.
KYS vs KYC vs KYB: Key Differences
| Process | Target | Primary Context |
|---|---|---|
| KYC (Know Your Customer) | Customers, investors, individuals | Banking, insurance, financial services |
| KYB (Know Your Business) | Business partners, distributors | B2B onboarding, public procurement |
| KYS (Know Your Supplier) | Suppliers, subcontractors, service providers | Procurement, supply chain, accounts payable |
For the full business entity verification process, see our guide on KYB business document verification and onboarding. The vendor due diligence checklist provides a complementary framework for evaluating supplier financial and reputational risk.
Red Flags in Supplier Verification
Procurement and compliance teams identify these warning signals as the most common indicators requiring enhanced due diligence:
- Bank account change notification communicated by email or phone before a payment run
- No traceable online presence (no website, no Companies House entry, no professional profile)
- Ownership structure involving nominee directors or shell companies in secrecy jurisdictions
- Mismatch between the company registration number provided and the legal name at Companies House
- Refusal to provide a current Companies House confirmation statement or PSC register extract
- Invoice address that differs from the registered office and business address
- Disproportionately low paid-up share capital relative to the contract value proposed
Automating Your KYS Process
Managing KYS manually for a supplier portfolio of 100 active vendors means 200–300 individual verifications per year, with error risk increasing exponentially as the portfolio grows. At 300+ suppliers, manual processes create regulatory blind spots that are difficult to defend in an audit.
CheckFile automates the full KYS workflow: document collection, verification against official registries (Companies House, HMRC, OFAC, EU sanctions lists), PEP and adverse media screening, and tamper-evident audit trail generation. For the full verification methodology, see the document verification guide.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance professional for advice specific to your situation.
Frequently Asked Questions
What is Know Your Supplier (KYS)?
Know Your Supplier (KYS) is the due diligence process by which an organisation verifies the legal identity, financial standing, sanctions profile, and bank account details of its suppliers before and during a commercial relationship. It extends KYC principles from the customer side to the supply chain side of the business.
Is KYS mandatory in the UK?
Partially. KYS is explicitly required for regulated entities under MLR 2017 in relation to suppliers providing regulated services. The Modern Slavery Act creates supply chain due diligence obligations for companies with global turnover above £36 million. The Bribery Act creates a de facto obligation to have adequate procedures covering supplier risk for all companies. ECCTA 2023 imposes PSC verification requirements on all UK companies. Full value chain due diligence obligations under CSDDD will apply from 2027.
What documents should I collect for supplier KYS?
The core KYS document set includes: a current Companies House confirmation statement, PSC register extract, VAT registration certificate, bank account letter on company letterhead, professional liability insurance certificate, and any sector-specific licences or authorisations. Each document must be verified against the authoritative source, not just collected from the supplier.
How often should supplier verification be repeated?
Review frequency depends on risk tier. Low-risk suppliers should be reviewed annually. Medium-risk suppliers require semi-annual checks. High-risk suppliers require quarterly enhanced due diligence plus continuous sanctions monitoring. Any change in ownership, bank details, or registered address triggers an immediate out-of-cycle review.
What is the difference between KYS and KYB?
KYB (Know Your Business) typically refers to due diligence performed on a business partner or client in a B2B context, particularly during client onboarding in regulated sectors. KYS specifically refers to due diligence performed on suppliers: the companies from whom you purchase goods or services. The verification steps overlap significantly, but the direction of the commercial relationship and the associated regulatory obligations differ.