Know Your Supplier (KYS): Vendor Verification Checklist for US Procurement
US-specific KYS guide: FinCEN, BSA, OFAC, and CTA compliance for procurement teams. 12-step vendor verification checklist, federal and state requirements, red flags.

Know Your Supplier (KYS) is the structured due diligence process used by US procurement and compliance teams to verify the legal identity, beneficial ownership, sanctions profile, and bank account details of suppliers before and during a commercial relationship. In the United States, supplier verification obligations stem from a layered federal and state framework, not a single statute, making compliance more complex than in jurisdictions with unified anti-money laundering laws.
The primary federal drivers are the Bank Secrecy Act (BSA, 31 USC §5311 et seq.), enforced by FinCEN (Financial Crimes Enforcement Network), the OFAC sanctions programs, the Corporate Transparency Act (CTA) 2021 (which took effect for most companies on January 1, 2024), and the Foreign Corrupt Practices Act (FCPA) for companies with international supply chains. State-level requirements vary significantly; California's Transparency in Supply Chains Act and New York State regulations add additional obligations for companies operating in those states.
US procurement teams that automate their KYS verification process reduce manual processing time by 83% and cut the cost per supplier dossier by 67% (CheckFile platform data, internal analysis 2026).
What Is Know Your Supplier (KYS) in the US Context?
KYS in the United States is the procurement-side equivalent of the Customer Due Diligence (CDD) rule enforced by FinCEN under the BSA. While banks must apply CDD to their customers, all companies benefit from applying similar rigor to their vendors, both to manage fraud risk and to comply with the FCPA, OFAC sanctions, and emerging supply chain transparency laws.
A complete US KYS programme covers:
- Legal entity verification (state of incorporation, registered agent, active status)
- Beneficial ownership identification per CTA 2021 BOI reporting requirements
- OFAC screening (SDN list, consolidated sanctions, sectoral sanctions)
- PEP checks for company officers and beneficial owners
- Adverse media screening for FCPA violations, DOJ investigations, and financial crime
- Bank account ownership verification (EIN match, ACH pre-note verification)
As of January 1, 2024, the Corporate Transparency Act requires most US companies (and foreign companies registered to do business in the US) to report beneficial ownership information to FinCEN, making accurate BOI data a federal legal obligation (FinCEN, CTA Beneficial Ownership Information Reporting).
US Federal and State Regulatory Framework for KYS
Bank Secrecy Act (BSA) / 31 USC §5311: financial institutions must implement customer due diligence programmes under FinCEN's CDD Rule (31 CFR 1010.230). For non-bank companies, the BSA creates de facto compliance obligations through the banking relationships of their vendors. The FinCEN website publishes guidance, advisories, and red flag indicators applicable to vendor relationships.
Corporate Transparency Act (CTA) 2021: requires most US entities to report beneficial ownership information to FinCEN's BOI database. Procurement teams should verify that their vendors are either registered in the BOI system or fall within an exemption (large operating companies, registered issuers, etc.). Non-compliance penalties reach $591 per day and up to $10,000 in criminal fines.
OFAC Sanctions Programs: the Office of Foreign Assets Control administers over 30 sanctions programmes. Every US company must screen vendors and their beneficial owners against the OFAC SDN list, consolidated non-SDN lists, and sectoral sanctions. Violations can result in civil penalties of up to $1.3 million per transaction.
Foreign Corrupt Practices Act (FCPA): companies are liable for the corrupt acts of their agents, consultants, and distributors. The DOJ and SEC hold companies responsible for failing to conduct adequate due diligence on third parties, including suppliers. The DOJ FCPA Resource Guide specifies the expected elements of a third-party due diligence programme.
State-Level Requirements: California's Transparency in Supply Chains Act (SB 657) requires retail sellers and manufacturers with over $100M in global revenue to disclose supply chain due diligence efforts. New York State's Fashion Act (2023) extends similar obligations to fashion retailers. Illinois, Colorado, and other states are adding comparable requirements.
| Regulation | Threshold | Primary KYS Obligation |
|---|---|---|
| BSA / FinCEN CDD Rule | Financial institutions; all companies via banking | CDD on vendors in financial services scope |
| CTA 2021 (BOI reporting) | Most US entities, few exceptions | Beneficial ownership verification |
| OFAC sanctions | All US persons and companies | Vendor screening vs. SDN and consolidated lists |
| FCPA | US companies with international supply chains | Third-party due diligence programme |
| CA Transparency in Supply Chains Act | >$100M global revenue | Supply chain disclosure and due diligence |
KYS Verification Checklist: 12 Required Steps
Steps 1–4: Legal Entity Verification
| Document | Official Source | Review Frequency |
|---|---|---|
| State certificate of good standing | Secretary of State / state registry (varies by state) | On onboarding + annually |
| Articles of incorporation / operating agreement | Secretary of State filing | On onboarding |
| FinCEN BOI report or CTA exemption confirmation | FinCEN BOI database | On onboarding + on ownership change |
| EIN (Employer Identification Number) verification | IRS or W-9 form | On onboarding before first payment |
Steps 5–6: Bank Account Verification
ACH pre-note verification and bank account ownership checks (matching EIN/SSN to account holder) are the most effective defences against Business Email Compromise (BEC) fraud. The FBI's IC3 reported $2.9 billion in BEC losses in 2023. Verification must be repeated for every communicated banking change. Never update banking details based solely on an email request; always confirm via a separate, independently verified communication channel.
Steps 7–9: OFAC, PEP, and Adverse Media Screening
OFAC screening must cover the SDN list, the Consolidated Non-SDN Entities list (NS-MBS, NS-IC, etc.), and sectoral sanctions. PEP checks must extend to officers, directors, and beneficial owners. Adverse media searches should cover DOJ enforcement actions, SEC and FinCEN civil money penalties, FCPA investigations, and state-level regulatory actions.
Steps 10–12: Sectoral and Operational Checks
Depending on the supplier's sector: professional licences (state-level), industry certifications (SOC 2, ISO 27001), general liability and professional indemnity insurance, and I-9 / E-Verify compliance for labour-supply vendors.
Risk Scoring Model
| Risk Tier | Criteria | Review Cycle |
|---|---|---|
| Low | US-registered, <$50K/year, non-regulated sector | Annual |
| Medium | Foreign-registered or $50K–$500K/year, or regulated sector | Semi-annual |
| High | >$500K/year, FATF grey/black-list jurisdiction, or FCPA-risk sector | Quarterly + EDD |
| Critical | Strategic supplier, OFAC-designated country exposure | Continuous monitoring |
The CheckFile Document Risk Index scores supplier dossiers in high-transaction sectors at an average of 6.2/10, justifying systematic automation to maintain completeness across large US vendor portfolios.
KYS vs KYC vs KYB: Key Differences in the US
| Process | Target | Primary US Context |
|---|---|---|
| KYC (Know Your Customer) | Customers, account holders | Banks (FinCEN CDD Rule), broker-dealers |
| KYB (Know Your Business) | Business partners, distributors | B2B onboarding, FCPA third-party diligence |
| KYS (Know Your Supplier) | Vendors, subcontractors, service providers | Procurement, accounts payable, OFAC compliance |
For the complete business entity verification process, see our guides on KYB business document verification and the vendor due diligence checklist.
Red Flags in US Vendor Verification
Procurement and compliance professionals identify these as the highest-priority warning signals:
- Banking change notification received by email only, without a follow-up phone confirmation to a number on file
- Vendor registered in a state with minimal disclosure requirements (Wyoming, Delaware shell) with no business presence there
- Beneficial owners located in OFAC-designated countries or on the SDN list
- EIN does not match the entity name on the W-9 form
- Refusal to provide a Certificate of Good Standing or FinCEN BOI confirmation
- Invoice address differs from the state registration address
- Multiple vendor records under similar names suggesting identity layering
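Several of the red flags above can be expressed as automated checks over vendor master records. The following is an added example, not CheckFile's code or part of the original article; the record fields, the 0.85 name-similarity threshold, and the sample vendors are constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass
class Vendor:  # field names are assumptions for this example, not a real schema
    vendor_id: str
    legal_name: str            # name on the state registration
    w9_name: str               # entity name printed on the W-9
    ein_lookup_name: str       # name the EIN verification returned for that EIN
    registered_address: str
    invoice_address: str
    bank_change_channel: str = ""     # "" = no pending change, else "email", "portal", ...
    callback_confirmed: bool = False  # confirmed by phone to a number already on file

def norm(text):  # ignore case, commas, periods and extra spaces
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())

def red_flags(vendor, portfolio, name_threshold=0.85):
    flags = []
    # Banking change requested by email with no out-of-band confirmation (BEC pattern).
    if vendor.bank_change_channel == "email" and not vendor.callback_confirmed:
        flags.append("bank_change_email_only")
    # EIN resolves to a different entity name than the one on the W-9.
    if norm(vendor.ein_lookup_name) != norm(vendor.w9_name):
        flags.append("ein_name_mismatch")
    # Invoice address differs from the state registration address.
    if norm(vendor.invoice_address) != norm(vendor.registered_address):
        flags.append("invoice_address_mismatch")
    for other in portfolio:  # near-duplicate vendor records under similar names
        ratio = SequenceMatcher(None, norm(vendor.legal_name), norm(other.legal_name)).ratio()
        if other.vendor_id != vendor.vendor_id and ratio >= name_threshold:
            flags.append("similar_name:" + other.vendor_id)
    return flags

# Constructed sample records (not real companies or addresses).
PORTFOLIO = [
    Vendor("V1", "Acme Industrial Supply LLC", "Acme Industrial Supply LLC",
           "Acme Industrial Supply LLC", "500 Main St, Columbus, OH 43215",
           "500 Main St., Columbus OH 43215"),
    Vendor("V2", "Acme Industrial Supplies LLC", "Acme Industrial Supplies LLC",
           "Northgate Holdings Inc", "1200 Market St, Wilmington, DE 19801",
           "44 Harbor Rd, Newark, NJ 07102", "email", False),
    Vendor("V3", "Bluewater Logistics Inc", "Bluewater Logistics Inc",
           "Bluewater Logistics Inc", "9 Dock Ave, Tacoma, WA 98402",
           "9 Dock Ave, Tacoma, WA 98402"),
]

if __name__ == "__main__":
    print({v.vendor_id: red_flags(v, PORTFOLIO) for v in PORTFOLIO})
```

A flag here is a trigger for manual review, not a verdict: the name-similarity check in particular will also match legitimate affiliates.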
Automating Your US KYS Process
Manual KYS management for a portfolio of 100 active vendors means 200–300 individual verifications per year, a number that grows faster than headcount in scaling procurement functions.
CheckFile automates the full KYS workflow: document collection, verification against official registries (Secretary of State databases, FinCEN BOI, IRS EIN), OFAC and PEP screening, and audit trail generation that meets BSA and FCPA documentation standards. See the document verification guide for the full methodology.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice under US federal or state law. Consult a qualified US compliance attorney for advice specific to your situation.
Frequently Asked Questions
What is Know Your Supplier (KYS) in the US?
Know Your Supplier (KYS) is the due diligence process by which US procurement teams verify the legal identity, beneficial ownership, OFAC sanctions profile, and bank account details of their vendors. In the US, it intersects with the Bank Secrecy Act (FinCEN CDD Rule), the Corporate Transparency Act (BOI reporting), OFAC sanctions compliance, and the FCPA third-party diligence requirement.
Is KYS mandatory under US law?
Directly mandatory for financial institutions under the FinCEN CDD Rule. For non-bank companies, KYS is de facto required by: (1) OFAC regulations: all US persons must screen vendors against the SDN list; (2) the FCPA: DOJ/SEC expect documented third-party due diligence; (3) the CTA: requires BOI verification for vendor entities; (4) state supply chain laws (California, New York). Failure creates regulatory, financial, and reputational exposure.
What is the Corporate Transparency Act (CTA) and how does it affect KYS?
The CTA (effective January 1, 2024) requires most US companies (and foreign companies registered to do business in the US) to report their beneficial owners to FinCEN's BOI database. For KYS, this means procurement teams can now verify whether a vendor has complied with BOI reporting (or qualifies for an exemption), making beneficial ownership verification more accessible and enforceable than before.
How does OFAC compliance relate to KYS?
Every US person (including companies) is prohibited from doing business with OFAC-designated individuals and entities on the SDN list and consolidated sanctions lists. KYS requires screening every vendor, and their beneficial owners, against OFAC lists before onboarding and on a continuous basis thereafter. Violations are strict liability offences with civil penalties up to $1.3 million per transaction regardless of intent.
What documents should I collect for vendor KYS in the US?
The core US KYS document set includes: state certificate of good standing, articles of incorporation, W-9 form (EIN verification), FinCEN BOI confirmation (or CTA exemption), voided check or bank letter for account verification, general liability insurance certificate, and any sector-specific licences or authorisations. Each document must be verified against the authoritative source.