What is KYB?
KYB — Know Your Business — is the legal-entity counterpart to KYC. Where KYC asks "is this person who they claim to be," KYB asks "is this company real, is it actively registered, who actually owns it, and is any of that risky?" Every Indian regulated entity that onboards companies, LLPs, partnerships, trusts, or sole proprietorships runs KYB — banks, NBFCs, payment processors, escrow platforms, MSME-credit fintechs, and any business-to-business SaaS that touches money flows.
India's version is uniquely well-instrumented. MCA21 holds the authoritative company register; the GST council runs the live GSTIN registry; UDYAM holds the MSME register; the Director Identification Number (DIN) ties individuals to entities; PAN ties everyone to tax records. A KYB stack built on those four registries plus PAN can produce a complete picture of a legal entity in under a minute — legal name, status, directors, paid-up capital, MSME classification, GST registration, and beneficial ownership.
The hard part isn't pulling the data. It's reconciling it. The legal name on MCA may not match the trade name on GST, and neither may match the customer-claimed name. Two of three directors may be on a sanctions list. The UDYAM registration may be self-declared with no MCA cross-reference. The UBO chain may dead-end in a foreign shell entity that requires offshore-registry follow-through. KYB is a data-reconciliation problem disguised as a verification problem.
India regulatory map for KYB
Four regulators set KYB rules. The RBI Master Direction on KYC, 2016 (last amended 2024) §16 is the load-bearing document for legal-entity customers. It specifies the document set, the risk categorisation, the periodic-refresh cadence, and the CDD/EDD framework extended to entities. Any RBI-regulated entity (bank, NBFC, payment-system operator) building business onboarding is bound by §16.
The Ministry of Corporate Affairs (MCA) owns MCA21 — the master register of companies and LLPs, the DIN system, the Director KYC (DIR-3) annual filing, and the Companies Act compliance machinery. MCA isn't a fintech regulator per se, but its data is the source of truth every KYB check ultimately ties back to. The GST Council (via CBIC) runs the GSTIN registry — live, queryable, and treated as canonical for active-business existence by every fintech that handles B2B flows.
The Securities and Exchange Board of India (SEBI) adds market-conduct rules for capital-markets KYB — broker onboarding, mutual-fund AMC platforms, REIT/InvIT entity verification. SEBI mostly mirrors RBI §16 with extra beneficial-ownership disclosure rules. And the Financial Action Task Force (FATF) shapes the international beneficial-ownership standards that PMLA + RBI translate into domestic rules. FATF's 2024 Mutual Evaluation of India flagged beneficial-ownership transparency as an area to tighten through 2026–27.
Two further registries shape practice. The UDYAM portal holds MSME registrations; many credit products are restricted to UDYAM-classified enterprises, so verification matters. And FEMA + cross-border rules add an extra layer for entities with foreign ownership or foreign-currency exposure — tighter EDD, additional disclosures, restricted product eligibility.
The 5 KYB document sources in India
There isn't one canonical KYB document. There are five, each authoritative for a different facet of the entity.
1. CIN (Corporate Identification Number) — via MCA
21-character identifier issued by MCA at incorporation. Encodes listed/unlisted, industry code, state, year of incorporation, public/private classification, and the serial registration number. A CIN lookup returns registered name, current status (Active / Strike-off / Dormant / Liquidation), registered-office address, paid-up capital, current directors with DINs, and recent filings. Cost: ₹1–5 per call. Latency: 2–6 seconds. The authoritative source for company-existence claims.
2. GSTIN (Goods and Services Tax Identification Number)
15-character identifier issued at GST registration. Encodes state, PAN, entity number, and a check digit. A GSTIN lookup returns the registered legal name, trade name (if different), registration status (Active / Cancelled / Suspended / Provisional), business type (regular / composition / casual), and principal place of business. Cost: ₹0.50 per call. Latency: under 2 seconds. The fastest source-of-truth for active-business existence, including unincorporated entities.
3. DIN (Director Identification Number) — via MCA
8-digit identifier assigned to every director in MCA21. DIN-KYC must be filed annually via DIR-3 KYC; a lapsed filing renders the director invalid for signing. A DIN lookup returns the director's name (as on MCA), DOB, list of current companies, DIN-KYC currency, and DSC (Digital Signature Certificate) status. Every authorised signatory in a KYB flow must be checked for DIN-KYC currency.
4. UDYAM Registration Number
Issued by the UDYAM portal to MSMEs. Format: UDYAM-XX-NN-NNNNNNN (state code, district code, 7-digit registration). A UDYAM lookup returns the enterprise name, classification (micro / small / medium), date of registration, principal activity (NIC code), and contact details. UDYAM is self-declared at source — for high-stakes products, treat UDYAM as one of two sources, not the only source. Cross-match with GST and PAN.
5. Business PAN (Permanent Account Number)
10-character PAN issued by the Income Tax department. PAN-only doesn't verify the business exists today (only that it was once tax-registered), but every other KYB register ties back to PAN as a primary key. PAN verification produces a name match and a tax-status check. For sole proprietorships, the proprietor's PAN is the business PAN; KYC of the proprietor IS the KYB of the business.
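The identifier layouts above allow an offline pre-check of customer-claimed numbers before any paid registry call; this is an added example, not code from the original page or from Deepvue. The field widths, the fixed 'Z' in GSTIN position 14, the mod-36 check-character scheme, the two-letter UDYAM state code, the function names and the dummy identifiers are assumptions or constructed values that the page does not spell out.

```python
import re

B36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Assumed widths: CIN = 1+5+2+4+3+6; GSTIN = 2+10+1+'Z'+1 (14th char is a fixed 'Z').
CIN_RE = re.compile(r"([LU])(\d{5})([A-Z]{2})(\d{4})([A-Z]{3})(\d{6})")
GSTIN_RE = re.compile(r"(\d{2})([A-Z]{5}\d{4}[A-Z])([1-9A-Z])Z([0-9A-Z])")
UDYAM_RE = re.compile(r"UDYAM-([A-Z]{2})-(\d{2})-(\d{7})")

def gstin_check_char(first14):
    """Mod-36 check character over the first 14 characters (weights 1,2,1,2,...)."""
    total = 0
    for i, ch in enumerate(first14):
        product = B36.index(ch) * (1 + i % 2)
        total += product // 36 + product % 36
    return B36[(36 - total % 36) % 36]

def parse_cin(cin):
    """Split a CIN into its encoded fields, or return None if malformed."""
    m = CIN_RE.fullmatch(cin.strip().upper())
    if not m:
        return None
    keys = ("listing", "industry", "state", "year", "class", "serial")
    return dict(zip(keys, m.groups()))

def parse_gstin(gstin):
    """Split a GSTIN and verify its check character, or return None if malformed."""
    g = gstin.strip().upper()
    m = GSTIN_RE.fullmatch(g)
    if not m:
        return None
    state, pan, entity, check = m.groups()
    return {"state": state, "pan": pan, "entity": entity,
            "check_ok": gstin_check_char(g[:14]) == check}

def precheck(claim):
    """Offline findings for claimed identifiers; an empty list means 'go look it up'."""
    findings = []
    gst = parse_gstin(claim["gstin"])
    if gst is None:
        findings.append("GSTIN_FORMAT")
    else:
        if not gst["check_ok"]:
            findings.append("GSTIN_CHECK_DIGIT")
        if gst["pan"] != claim["pan"].strip().upper():   # PAN is the shared key
            findings.append("GSTIN_PAN_MISMATCH")
    if parse_cin(claim["cin"]) is None:
        findings.append("CIN_FORMAT")
    if not UDYAM_RE.fullmatch(claim["udyam"].strip().upper()):
        findings.append("UDYAM_FORMAT")
    return findings

# Constructed sample claim (dummy identifiers, not a real entity).
SAMPLE_CLAIM = {"pan": "ABCDE1234F", "gstin": "29ABCDE1234F1ZW",
                "cin": "U17110KA2015PTC012345", "udyam": "UDYAM-KA-01-0000001"}
```

A clean pre-check only says the identifiers are well-formed and mutually consistent; status, name and director data still come from the registry lookups.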
KYB vs KYC — same skeleton, different audit trail
KYB and KYC share infrastructure (PAN, biometrics, sanctions screening, audit logs) but ask different questions and produce different artifacts. Engineers conflate the two; auditors keep them on separate review tracks.
| Dimension | KYC | KYB |
|---|---|---|
| Subject | Individual person | Legal entity + authorised signatories + UBOs |
| Primary registry | UIDAI (Aadhaar), Income Tax (PAN), CKYC | MCA21, GST, UDYAM, PAN |
| Identity check | Aadhaar OTP, V-CIP, face match, OVD | CIN / GSTIN / UDYAM lookup + name match |
| Document base | 1 person × 1 OVD | 1 entity × 4–6 registries × N signatories |
| Beneficial ownership | n/a (the person IS the subject) | UBO walk to natural persons (≥25% threshold) |
| Sanctions screening | 1 name | Entity + every signatory + every UBO |
| Refresh cadence | 2 / 8 / 10 years (RBI risk-tier) | Same cadence + continuous adverse-media monitoring |
Build them as one stack with two views — the same identity infrastructure (face match, sanctions, audit log) serves both. The difference is the data graph: KYC is one node; KYB is a graph of entity + signatories + UBO chain, all of which need to be watched together.
UBO and the ownership chain
An Ultimate Beneficial Owner (UBO) is the natural person who ultimately owns or controls a legal entity, directly or through a chain of intermediate entities. PMLA + RBI Master Direction require UBO identification above defined thresholds — typically 25% ownership or control, dropped to 10% for high-risk entities, sectors, or geographies. The audit expects a documented ownership chain that terminates in natural persons (or in regulated/listed entities with no further UBO obligation), with KYC + sanctions screening on each terminus.
The walk is mechanical: start at the customer entity, pull its shareholder list from MCA, examine every shareholder above the threshold, classify each as natural person or entity, and recurse into entity shareholders until every chain terminates. The trick is handling the recursion correctly. Foreign-owned entities can chain through 4–6 jurisdictions; trust structures introduce settlors and beneficiaries that aren't on the shareholder list; listed-company subsidiaries terminate cleanly but private-equity intermediates often don't.
What breaks in practice: teams collect "directors" as a proxy for UBO. Directors are authorised signatories, not owners. A company can have non-shareholder directors (independent directors), shareholder directors (the common case), or distant directors whose ownership is hidden behind a holding entity. Treat directors and UBOs as separate concepts, with separate KYC tracks.
What also breaks: refresh. UBO chains change — share transfers, new investors, dilutions. A KYB done at onboarding and not re-walked at refresh becomes stale faster than the entity itself does. Refresh re-walks the chain, not just the entity.
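The walk described above, as an added example that is not code from the original page or from Deepvue: it recurses through entity shareholders at or above the threshold, terminates on natural persons and listed entities, and records dead ends and cross-holdings instead of looping. The register contents, holder names, the `walk_ubo` function and the convention of reporting a person's stake as the product of fractions along the path are assumptions made for illustration.

```python
# Constructed shareholder register standing in for MCA and offshore-registry pulls.
# kind is "person", "entity" or "listed"; holders maps holder id -> fraction held.
REGISTER = {
    "ACME_PVT": {"kind": "entity",
                 "holders": {"ASHA": 0.30, "HOLDCO": 0.60, "RAVI": 0.10}},
    "HOLDCO": {"kind": "entity",
               "holders": {"MEERA": 0.40, "OFFSHORE_LTD": 0.25,
                           "LISTCO": 0.25, "ACME_PVT": 0.10}},
    "OFFSHORE_LTD": {"kind": "entity", "holders": None},  # foreign registry not pulled yet
    "LISTCO": {"kind": "listed"},
    "ASHA": {"kind": "person"}, "RAVI": {"kind": "person"}, "MEERA": {"kind": "person"},
}

def walk_ubo(root, threshold=0.25, register=REGISTER):
    """Return (ubos, unresolved, audit) for the ownership chain under root."""
    ubos, unresolved, audit = {}, [], []

    def visit(entity, path, stake):
        holders = register[entity].get("holders")
        if holders is None:                  # chain dead-ends: needs follow-through
            unresolved.append(path)
            audit.append(("DEAD_END", path))
            return
        for holder, fraction in holders.items():
            if fraction < threshold:         # below the UBO threshold at this layer
                continue
            chain = path + [holder]
            kind = register[holder]["kind"]
            if kind == "person":             # terminus: queue for KYC + sanctions
                ubos[holder] = ubos.get(holder, 0.0) + stake * fraction
                audit.append(("UBO", chain))
            elif kind == "listed":           # terminus with no further UBO obligation
                audit.append(("LISTED_TERMINUS", chain))
            elif holder in path:             # cross-holding: stop instead of looping
                audit.append(("CYCLE", chain))
            else:
                visit(holder, chain, stake * fraction)

    visit(root, [root], 1.0)
    return ubos, unresolved, audit
```

Re-running `walk_ubo` with `threshold=0.10` on the same register shows how the high-risk threshold pulls in additional holders; a non-empty `unresolved` list means the chain has not yet terminated and the KYB is incomplete.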
Re-KYB cadence — the 2/8/10 rule applied to entities
RBI Master Direction extends the same risk-based refresh cadence to legal entities. High-risk entities refresh every 2 years, medium every 8, low every 10. Risk is set by a combination of industry (high-cash, high-trade, certain sectors), geography (offshore exposure, FATF grey-listed jurisdictions), product (high-value cross-border vs domestic payments), and entity complexity (multi-layered ownership, trusts, partnerships with foreign partners).
The operational difference vs. individual re-KYC: KYB refresh is multi-source. Each refresh re-runs:
1. Entity validity check. CIN/GSTIN/UDYAM all re-queried; status flagged if any have moved to Strike-off, Cancelled, Suspended, or Dormant.
2. Director currency check. Every authorised signatory's DIN-KYC re-validated; lapsed signatories blocked from signing pending DIR-3 refresh.
3. UBO re-walk. Shareholder lists re-pulled from MCA; chains re-examined for new layers, exits, dilutions; new UBOs added to monitoring; departed UBOs marked inactive.
4. Adverse-media + sanctions re-screen. Entity + every signatory + every UBO re-screened against the current sanctions / PEP / adverse-media corpus.
Between refreshes, run adverse-media as continuous monitoring — not point-in-time. The most material business risks (regulatory action, fraud allegations, criminal charges against directors) surface as news before they ever show up in MCA filings.
Implementation pitfalls — the 5 that bite
Every KYB team hits the same five.
1. Trusting UDYAM as a single source. UDYAM is self-declared at source — there's no verification at registration. A "UDYAM-classified MSME" can be a recently self-declared shell with no actual operations. Cross-match every UDYAM claim against GST registration + PAN; if either is missing, treat the UDYAM claim as lower confidence.
2. Conflating directors with UBOs. Directors are authorised signatories; UBOs are owners. A company with three professional non-shareholder directors and a foreign-owned single shareholder has zero director UBOs and one entity-shareholder that requires further walking. Audit logs that record "UBO = directors" fail FATF beneficial-ownership review.
3. Letting lapsed DIN-KYC sign. A director whose DIR-3 KYC isn't current for the year cannot validly sign on behalf of the entity. Onboarding the entity with a lapsed director as the signatory invalidates the entity's KYC. Check DIN-KYC currency at every onboarding, not just at first contact.
4. Not re-walking UBO at refresh. Shareholder structures change far more often than entities do. A KYB done at onboarding and not re-walked at the 2/8/10 refresh cycle is stale by year 2 in any active business. Make the UBO re-walk a mandatory step in the refresh job, not an optional one.
5. Skipping cross-registry name reconciliation. Legal name on MCA, trade name on GST, name on PAN, name claimed by the customer — rarely all identical, and the differences matter. Build name-match tolerance rules explicitly (substring, abbreviation, suffix elision) and log every reconciliation decision. The audit will ask how you handled the mismatches.
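One way to make the name-match tolerance rules in pitfall 5 explicit and logged, as an added example that is not code from the original page or from Deepvue. The abbreviation and suffix tables, the rule labels, the function names and the sample names are assumptions constructed for illustration.

```python
import re

# Assumed tolerance tables; a real deployment sets these by policy.
ABBREVIATIONS = {"PVT": "PRIVATE", "LTD": "LIMITED", "CO": "COMPANY", "&": "AND"}
LEGAL_SUFFIXES = {"PRIVATE", "LIMITED", "LLP"}

def tokens(name):
    """Upper-case, drop punctuation, expand known abbreviations."""
    cleaned = re.sub(r"[^A-Z0-9& ]", " ", name.upper().replace(".", ""))
    return [ABBREVIATIONS.get(t, t) for t in cleaned.split()]

def core(toks):
    """Elide trailing legal-form suffixes such as PRIVATE LIMITED."""
    toks = list(toks)
    while toks and toks[-1] in LEGAL_SUFFIXES:
        toks.pop()
    return toks

def contains(short, long):
    """True if `short` is a contiguous run of tokens strictly inside `long`."""
    n = len(short)
    return 0 < n < len(long) and any(
        long[i:i + n] == short for i in range(len(long) - n + 1))

def match_rule(name_a, name_b):
    """Name the weakest tolerance rule needed to equate the two names."""
    a, b = tokens(name_a), tokens(name_b)
    if " ".join(name_a.upper().split()) == " ".join(name_b.upper().split()):
        return "EXACT"
    if a == b:
        return "ABBREVIATION"
    if core(a) and core(a) == core(b):
        return "SUFFIX_ELISION"
    ca, cb = sorted((core(a), core(b)), key=len)
    return "SUBSTRING" if contains(ca, cb) else "MISMATCH"

def reconcile(names):
    """Compare every source pair and log each decision for the audit trail."""
    log, sources = [], sorted(names)
    for i, src_a in enumerate(sources):
        for src_b in sources[i + 1:]:
            log.append({"a": src_a, "b": src_b,
                        "name_a": names[src_a], "name_b": names[src_b],
                        "rule": match_rule(names[src_a], names[src_b])})
    return log

# Constructed names for one entity as seen in four places.
SAMPLE_NAMES = {"MCA": "ACME TEXTILES PRIVATE LIMITED", "GST_TRADE": "Acme Textiles",
                "PAN": "ACME TEXTILES PVT. LTD.", "CLAIMED": "Acme Textiles India Pvt Ltd"}
```

Which rules are acceptable for which product tier is a policy decision; the log records the rule that fired so a reviewer can see why two names were treated as the same entity.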
How Deepvue ships KYB
Every API in the catalog below sits on the same auth, the same SLA, the same audit log. GST, CIN, DIN, UDYAM, PAN, bank account — one contract for the entire KYB stack, with the UBO walk orchestrated through the same decisioning layer. Refresh cadence, adverse-media monitoring, and signatory currency checks are built in.
Sub-3-second response on the full entity-existence check (CIN + GST + UDYAM in parallel). RBI Master Direction-aligned, MCA-sourced, FATF-ready out of the box. Live across 60+ businesses processing 5M+ KYB decisions per quarter.