Know Your Supplier (KYS): Vendor Verification and Compliance in the US
KYS compliance guide for US businesses: FinCEN CDD Rule, BSA obligations, OFAC sanctions screening, and state-level requirements for vendor due diligence in 2026.

Know Your Supplier (KYS) is the structured due diligence framework that companies apply to vendors, contractors, and supply chain partners before and throughout a business relationship. In the United States, the Bank Secrecy Act (BSA, 31 USC §5311), FinCEN's Customer Due Diligence (CDD) Rule (31 CFR §1010.230), and the Corporate Transparency Act (CTA) of 2021 together create layered obligations for businesses to scrutinise third-party relationships. Beyond federal requirements, the Foreign Corrupt Practices Act (FCPA) and sector-specific regimes extend these obligations to virtually all large US companies.
According to the FBI's Internet Crime Report 2025, Business Email Compromise (BEC), the most common vector for false supplier fraud, caused over $2.9 billion in losses to US businesses in 2024. A structured KYS programme is among the most effective controls to close this exposure.
What KYS Covers and Why It Is Required in the US
A robust KYS programme addresses three risk dimensions: legal identity (EIN, Secretary of State filing, beneficial ownership), financial standing (Dun & Bradstreet or similar credit check, court records), and regulatory reputation (OFAC SDN list, FBI's FinCEN 314(b) programme, adverse media, PEP screening).
The FinCEN CDD Rule (effective 2018) requires covered financial institutions to collect beneficial ownership information for legal entity customers and, by extension, to verify the identity of controlling persons of third-party vendors receiving payments. Under 31 CFR §1010.230(b), financial institutions must identify and verify the identity of each beneficial owner who owns 25% or more of a legal entity.
The Corporate Transparency Act (CTA), enforced by FinCEN effective January 1, 2024, requires most US companies (except large public companies and certain regulated entities) to file a Beneficial Ownership Information (BOI) report identifying beneficial owners and company applicants. This creates a searchable federal database that can be accessed by law enforcement and, under certain conditions, by financial institutions for compliance purposes, significantly strengthening the KYS ecosystem. Access the FinCEN BOI reporting portal for submission and verification.
The Foreign Corrupt Practices Act (FCPA) imposes anti-bribery obligations on US issuers and domestic concerns, including criminal liability for corruption by third-party agents, suppliers, and sub-contractors. The DOJ and SEC have repeatedly prosecuted FCPA violations arising from inadequate third-party due diligence.
| Regulation | Applies to | Key KYS obligation |
|---|---|---|
| Bank Secrecy Act (BSA) / 31 USC §5311 | Financial institutions | AML programme including supplier/third-party screening |
| FinCEN CDD Rule (31 CFR §1010.230) | Banks, credit unions, broker-dealers | Beneficial ownership verification for legal entity customers |
| Corporate Transparency Act (CTA) 2021 | Most US LLCs, corps (exc. large/regulated) | BOI filing with FinCEN; financial institutions may access for CDD |
| Foreign Corrupt Practices Act (FCPA) | US issuers, domestic concerns | Adequate third-party anti-bribery due diligence |
| Federal Acquisition Regulation (FAR) | Federal contractors | Supplier compliance certifications, excluded parties screening |
The 5-Step KYS Verification Process
Step 1: Document collection. Before engaging a new vendor, collect: a current Certificate of Good Standing from the Secretary of State (SOS) in the state of incorporation, Employer Identification Number (EIN) verified via the IRS TIN Matching Program, the most recent tax filings (Form 10-K for public companies; signed tax return or CPA-prepared financials for private), the BOI disclosure filed with FinCEN, and ACH/wire transfer details with a void check or bank confirmation letter.
Step 2: Identity and registration verification. Search the vendor's corporate status on the relevant state Secretary of State portal. For the excluded parties screening required under FAR 9.405, check the System for Award Management (SAM.gov). Verify the EIN through IRS TIN Matching before issuing the first payment.
Step 3: OFAC and federal sanctions screening. Mandatory for all US financial institutions and recommended for all businesses with any nexus to the US financial system. Screen against the OFAC Specially Designated Nationals (SDN) List, the Non-SDN sectoral sanctions programmes, and the Consolidated Sanctions List. Violations of OFAC sanctions carry civil penalties of up to $1,078,705 per violation (2024 adjusted figure) regardless of intent.
Step 4: Adverse media and FCPA due diligence. For vendors with government connections, international operations, or in high-risk sectors (construction, defence, healthcare), supplement identity verification with structured adverse media screening and a third-party questionnaire aligned with the DOJ-SEC FCPA Resource Guide, 2nd Edition (2020). State-level equivalents, such as California's Unfair Competition Law and New York's anti-bribery statutes, may require additional disclosures.
Step 5: Ongoing monitoring. Configure automated alerts for SAM.gov exclusion updates, OFAC list additions, state SOS status changes (dissolutions, revocations), and court filings via PACER for litigation involving key vendors. Any request to change ACH/wire routing or account numbers must trigger an independent callback verification; such requests are the number one fraud vector in US B2B transactions.
False Supplier Fraud: The Most Costly KYS Failure Point
On r/compliance, r/fintech, and procurement forums, the recurring concern is: "Our vendor is asking us to update their bank details. How do we do this safely?"
Fraud investigators document a consistent pattern: attackers study organisational charts on LinkedIn, identify key AP and treasury staff, and then send invoice or bank-change requests from domains that differ from the legitimate vendor's domain by one character (typosquatting). The request often arrives just before a large scheduled payment.
Three controls prevent most US false-supplier fraud cases:
- Independent callback. Any bank detail change request received by email must be confirmed by calling a phone number retrieved independently from your ERP, not one provided in the email.
- Dual approval. Payment routing changes require sign-off from two authorised approvers, including a member of Finance leadership.
- Automated account verification. An automated document verification service that cross-checks account holder identity against entity data is the most scalable control. CheckFile supports over 3,200 document types in 32 jurisdictions, including US federal and state-level business documents.
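The three controls above, together with the look-alike-domain pattern described in the fraud section, can be expressed as a single decision routine run before any bank-detail change is applied. The following is an added example, not CheckFile's product code and not code from the original article; the vendor master record, vendor id, domains, and phone number are constructed placeholders, and the homoglyph table and edit-distance threshold are assumptions chosen for illustration. The routine only returns "approve" when the sender domain matches the ERP record exactly, the callback to the ERP-sourced number has been completed, and two distinct approvers have signed off; a near-miss domain is rejected outright for escalation.

```python
"""Vendor bank-detail change control (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed ERP vendor master record; every value here is hypothetical.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Industrial Supply",
        "email_domain": "acme-industrial.example",
        "callback_phone": "+1-555-0100",   # captured at onboarding, never from an email
        "account_last4": "4321",
    }
}

# Assumed look-alike substitutions; extend from your own incident history.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain):
    """Fold common homoglyph tricks so 'industria1' compares equal to 'industrial'."""
    d = domain.strip().lower()
    for lookalike, canonical in HOMOGLYPH_PAIRS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a, b):
    """Edit distance; one edit away from the vendor's domain is treated as a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain, vendor_domain):
    """'match', 'lookalike' (suspected typosquat) or 'mismatch'."""
    s, v = sender_domain.strip().lower(), vendor_domain.strip().lower()
    if s == v:
        return "match"
    if normalize_domain(s) == normalize_domain(v) or levenshtein(s, v) <= 1:
        return "lookalike"
    return "mismatch"


@dataclass
class ChangeRequest:
    vendor_id: str
    sender_domain: str          # domain of the mailbox that sent the request
    new_account_last4: str
    callback_confirmed: bool = False   # set only after calling the ERP number
    approvers: list = field(default_factory=list)


def evaluate_change_request(req, master=VENDOR_MASTER):
    """Return (decision, reasons). Decision is 'approve', 'hold' or 'reject'."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return "reject", ["unknown vendor id"]
    reasons = []
    verdict = classify_sender_domain(req.sender_domain, vendor["email_domain"])
    if verdict == "lookalike":
        reasons.append(f"suspected typosquat: {req.sender_domain} vs {vendor['email_domain']}")
    elif verdict == "mismatch":
        reasons.append("sender domain does not match vendor master")
    if not req.callback_confirmed:
        reasons.append(f"independent callback to {vendor['callback_phone']} not completed")
    if len(set(req.approvers)) < 2:
        reasons.append("dual approval missing")
    if verdict == "lookalike":
        return "reject", reasons          # escalate to fraud review, do not retry
    return ("approve" if not reasons else "hold"), reasons


if __name__ == "__main__":
    # Constructed request from a one-character look-alike domain.
    print(evaluate_change_request(ChangeRequest("V-1001", "acme-industria1.example", "9876")))
```

The callback flag is deliberately a field that a human sets after dialling the ERP number; the routine cannot verify the call itself, it only refuses to approve without it. The new account digits are carried on the request so they can be written to the change log with the callback evidence, as the retention section recommends.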
As of 2025, FinCEN's proposed rule on AML programme effectiveness (NPR released February 2024) explicitly lists third-party payment fraud controls as an element of a sound AML compliance programme.
For more on recognising fraudulent document patterns, see our guide to AI-powered document fraud detection.
KYS vs KYC vs KYB: US Context
- KYC: Mandatory for FinCEN-regulated institutions under the BSA. Covers customer identity, beneficial ownership, and SAR filing obligations.
- KYB: Applied during B2B onboarding to verify a business entity's legal existence, TIN, ownership, and regulatory standing. See our KYB business verification guide.
- KYS: Applied to vendors and sub-contractors; covers supply chain risk, FCPA compliance, and modern slavery obligations under the California Transparency in Supply Chains Act (SB 657) and the federal Uyghur Forced Labor Prevention Act (UFLPA) for goods imported from China's Xinjiang region.
A mature Third-Party Risk Management (TPRM) programme integrates all three under a single framework, typically owned by Compliance, Legal, and Procurement functions jointly.
State-Level Requirements: What Federal Rules Don't Cover
Federal KYS obligations set a floor; state law can be significantly more demanding:
- California: SB 657 (Transparency in Supply Chains Act) requires retail sellers and manufacturers with global revenues over $100 million to disclose supply chain due diligence efforts on their websites. The California Privacy Rights Act (CPRA) also imposes data handling obligations on KYS data processors.
- New York: Executive Law §296-e prohibits contracting with suppliers involved in human trafficking; NYC Local Law 144 (automated employment decision tools) creates adjacent obligations for AI used in vendor screening.
- Texas: HB 4174 (Securing Children Online through Parental Empowerment) and similar legislation may affect digital vendor screening for certain industries.
Always conduct state-level legal review before finalising your KYS programme, particularly if operating in California, New York, or Texas.
Building and Retaining the KYS Compliance File
The BSA requires five-year record retention of identity verification records for regulated institutions under 31 CFR §1020.220(a)(3). The CTA requires that BOI information be kept current within 30 days of any change, with FCPA-related documentation typically retained for at least 7 years.
A compliant KYS file should include:
- Collected documents with verification timestamps
- SAM.gov and OFAC screening results with date and system version
- BOI disclosure or CTA exemption documentation
- Identity of approving personnel for each verification
- Change log for all bank routing modifications with callback evidence
CheckFile maintains all verification records in a tamper-evident audit trail meeting ISO 27001 standards. View our pricing plans for supplier verification workflows scaled to US enterprise needs.
Frequently Asked Questions
Does KYS apply to all US businesses, or only financial institutions?
The BSA and FinCEN CDD Rule impose direct KYS-equivalent obligations primarily on covered financial institutions. For other businesses, the FCPA (all US issuers and domestic concerns), the California Transparency in Supply Chains Act (retail/manufacturing with ≥$100M global revenue), and the UFLPA (importers of goods from Xinjiang) create mandatory due diligence regimes. Federal contractors face additional requirements under FAR.
How do I access the FinCEN BOI database to verify supplier ownership?
As of 2026, FinCEN's BOI database is accessible to law enforcement, FinCEN-authorised financial institutions (under the CTA's Section 6403 access provisions), and other authorised government agencies. Non-financial-institution businesses cannot directly query the BOI database; they must rely on voluntary disclosure from suppliers, state SOS records, and third-party data providers.
What is the OFAC 50% Rule and how does it affect supplier screening?
Under OFAC's 50% Rule, any entity owned 50% or more, directly or indirectly, by an SDN-listed person is itself treated as an SDN regardless of whether it appears on the SDN list by name. This means supplier screening must trace beneficial ownership to verify that no individual SDN holds 50% or more of the supplier entity. Automated screening tools that only check listed names, not underlying ownership, will miss these cases.
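The two ownership thresholds on this page, the CDD Rule's 25% beneficial-owner threshold and the OFAC 50% Rule, are computed differently, and a screening tool that uses one calculation for both will miss cases. The following added example (not code from the article or from CheckFile) traces a constructed ownership graph in both ways: a multiplicative look-through to find natural persons holding 25% or more for CDD purposes, and a fixpoint propagation for the 50% Rule, which follows OFAC's published guidance that blocked status aggregates across blocked owners and that an entity 50%-owned by a blocked entity is itself blocked (so an SDN holding 50% of a holding company that holds 50% of a supplier blocks the supplier even though the look-through share is only 25%). All names are hypothetical and the "SDN match" is a placeholder, not a real list entry.

```python
"""Beneficial-ownership tracing for CDD (25%) and OFAC 50% Rule screening.
Added example with constructed data; names are hypothetical."""
from collections import defaultdict

# Constructed ownership edges: (owner, owned entity, percent of equity).
OWNERSHIP = [
    ("Alice", "HoldCo", 60.0),
    ("Bob", "HoldCo", 40.0),
    ("HoldCo", "SupplierLLC", 50.0),
    ("Carol", "SupplierLLC", 30.0),
    ("Dan", "SupplierLLC", 20.0),
]

# Placeholder for a screening hit against the SDN list; not a real listing.
SDN_PERSONS = {"Alice"}


def build_graph(edges):
    """Map each owned entity to its list of (owner, percent)."""
    owners_of = defaultdict(list)
    for owner, owned, pct in edges:
        owners_of[owned].append((owner, pct))
    return owners_of


def effective_ownership(target, owners_of):
    """Multiplicative look-through: the share of `target` ultimately held by each
    natural person. A node that is never owned by anything is treated as a person."""
    result = defaultdict(float)

    def walk(entity, weight):
        for owner, pct in owners_of.get(entity, []):
            share = weight * pct / 100.0
            if owner in owners_of:          # intermediate entity: keep looking through
                walk(owner, share)
            else:
                result[owner] += share

    walk(target, 1.0)
    return {person: round(share * 100.0, 4) for person, share in result.items()}


def cdd_beneficial_owners(target, owners_of, threshold=25.0):
    """Persons to identify and verify under the CDD Rule's 25% ownership prong."""
    shares = effective_ownership(target, owners_of)
    return sorted(p for p, s in shares.items() if s >= threshold)


def ofac_blocked_entities(owners_of, sdn_persons):
    """OFAC 50% Rule: an entity owned 50% or more in aggregate by blocked persons
    is blocked, and blocked entities count as blocked owners of what they hold.
    Iterate to a fixpoint so ownership chains are caught."""
    blocked = set(sdn_persons)
    changed = True
    while changed:
        changed = False
        for entity, owners in owners_of.items():
            if entity in blocked:
                continue
            blocked_share = sum(pct for owner, pct in owners if owner in blocked)
            if blocked_share >= 50.0:
                blocked.add(entity)
                changed = True
    return blocked - set(sdn_persons)


def screen_supplier(target, edges, sdn_persons):
    """Combine both checks into one screening result for a supplier entity."""
    owners_of = build_graph(edges)
    return {
        "effective_ownership": effective_ownership(target, owners_of),
        "cdd_beneficial_owners": cdd_beneficial_owners(target, owners_of),
        "blocked_under_50pct_rule": target in ofac_blocked_entities(owners_of, sdn_persons),
    }


if __name__ == "__main__":
    print(screen_supplier("SupplierLLC", OWNERSHIP, SDN_PERSONS))
```

In the constructed graph Alice's look-through share of SupplierLLC is 30%, so a tool applying only the multiplicative calculation against a 50% threshold would clear the supplier; the fixpoint pass blocks HoldCo (60% held by Alice) and then SupplierLLC (50% held by the now-blocked HoldCo). The graph must be acyclic for the look-through to terminate; cross-holdings between entities need a cycle check before the walk.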
How should we handle a supplier that refuses to provide beneficial ownership information?
In most B2B relationships, beneficial ownership disclosure is not yet legally mandated; FinCEN requires it only from covered financial institutions for their customers. However, for FCPA compliance purposes, a supplier's refusal to disclose ownership is a significant red flag. Document the refusal, escalate to Legal, and consider whether to proceed with enhanced monitoring, require additional contractual representations, or decline the vendor relationship.
What FCPA red flags should a KYS programme flag in supplier screening?
Key FCPA red flags include: suppliers located in FCPA enforcement hotspots (see DOJ FCPA Resource Guide, Appendix B), requests for unusually high commissions (above industry norm), suppliers whose beneficial owners are or are related to government officials, lack of business presence or legitimacy inconsistent with contract value, and requests for payments to accounts in third countries unrelated to the supplier's operations.
This article is for informational purposes only and does not constitute legal advice. US regulatory obligations vary significantly by industry, company size, and state of incorporation. Consult qualified US legal counsel for advice specific to your compliance programme.