KYC for Small Business Owners: A Practical Client Onboarding Guide
KYC compliance doesn't have to mean enterprise-grade overhead. Learn what small business owners actually need to verify before signing a new client—and how to do it fast.
You've got a new client ready to sign. They seem legitimate. But "seems legitimate" has ended careers and cost people real money. KYC — Know Your Customer — is how you replace gut feel with a defensible record.
Here's the honest version of what KYC means for a small business, what the law actually requires, and how to do this without hiring a compliance team.
What KYC Actually Is (and Isn't)
KYC is a process for verifying that a person or company is who they claim to be and doesn't pose a financial, legal, or reputational risk to you. It originated in banking regulation — the Bank Secrecy Act and subsequent FinCEN rules require banks and money-service businesses to verify customer identity and screen for sanctions — but the underlying logic applies to any business relationship.
For most small businesses, KYC isn't a statutory requirement. You're probably not a bank. But the practical reasons for doing it are just as strong:
- Fraud prevention. Clients who misrepresent themselves are a known vector for invoice fraud, non-payment, and liability exposure.
- Sanctions liability. If you unknowingly do business with a sanctioned individual or entity, OFAC doesn't automatically excuse ignorance. Civil penalties can apply even without intent.
- Reputational risk. Getting publicly tied to a company run by someone with fraud convictions is bad regardless of what the law says.
A handful of sectors do have explicit KYC obligations even when they're small: accountants, real estate professionals, certain money-service businesses, and lawyers handling specific transaction types face FinCEN rules and anti-money-laundering (AML) program requirements. If you're in one of those, talk to counsel about what's mandatory. This post is about what's practical for everyone else.
The Four Things You Actually Need to Check
Whether you're a 10-person consulting firm, a boutique law firm, or a two-person financial advisory practice, a workable client KYC process covers four areas.
1. Identity Verification
For an individual client: confirm that the person you're dealing with is who they say they are. At minimum, this means collecting a government-issued ID and cross-referencing it against what you can independently verify — a LinkedIn profile matched to a professional history, a public record, a verified business address.
For a corporate client: confirm the company legally exists. OpenCorporates indexes company registry data from over 140 jurisdictions and is a reasonable first stop. Search the company name, confirm the registered address, and note the incorporation date. A company incorporated last week that claims 20 years of trading history is a red flag.
Also confirm who's actually signing on the company's behalf. Someone signing as "Director" who doesn't appear in the company registry is worth a follow-up question.
2. Beneficial Ownership
Beneficial ownership means figuring out who ultimately owns or controls the entity you're dealing with — not just the legal shell. Shell companies are legal. They're also the primary vehicle for hiding assets and committing fraud.
In the US, the Corporate Transparency Act — which came into force in 2024 — requires most small US companies to report their beneficial owners to FinCEN. The public-facing BOI database is not yet open, but the filing requirement itself has created more documentation: you can ask a corporate client to provide their BOI filing or a letter from their legal counsel confirming ownership. Many won't balk at this if you frame it correctly ("standard onboarding").
Outside the US, beneficial ownership registers vary significantly by country. The UK has a People with Significant Control register that's public and searchable via Companies House. The EU's registers have been patchier since the Sovim ruling, but they exist.
For a small team, the practical version of a beneficial ownership check is: ask directly ("Can you tell me who ultimately owns the company?"), cross-reference what you're told against any available public registry, and document both.
3. Sanctions Screening
This one's non-negotiable and it's also the easiest to do badly — which usually means not doing it at all.
The US Treasury's OFAC SDN list is the primary US sanctions list. The UN Security Council has its consolidated sanctions list. The EU publishes the EU Consolidated Sanctions List. The UK has its own OFSI list.
OpenSanctions aggregates these and dozens of other lists — including Interpol red notices, global PEP (Politically Exposed Person) datasets, and national watchlists — into a single searchable database. It's free to search and covers over 200,000 entities across 100+ data sources. For a small business doing occasional client screening, it's the most practical tool available.
Run both the individual contact and the company name. If your client is a corporate entity, run any named directors or owners you've identified. Fuzzy name matching matters here — "Mikhail Petrov" and "Mikhael Petrov" might be the same person.
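To make the fuzzy-matching point concrete, here is an added example (not code from this post, from OpenSanctions, or from Sentinel) that screens each party on the checklist against a constructed sample watchlist: it folds diacritics, ignores name order and corporate suffixes, and flags near-misses such as the Mikhail/Mikhael spelling above. The list entries, their IDs and the 0.85 threshold are assumptions for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist standing in for an aggregated sanctions/PEP
# export. Names and IDs are invented for illustration, not real designations.
SAMPLE_LIST = [
    {"id": "X-001", "name": "Mikhail Petrov",
     "aliases": ["Petrov, Mikhail", "Mikha\u00efl Petrov"]},
    {"id": "X-002", "name": "Northwind Holdings Ltd",
     "aliases": ["Northwind Holdings Limited"]},
    {"id": "X-003", "name": "Anna Kowalska", "aliases": []},
]

# Corporate suffixes that differ between registries but rarely identify anyone.
CORP_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "co", "sa", "gmbh", "plc"}

def normalize(name: str) -> str:
    """Fold diacritics, lowercase, drop punctuation and corporate suffixes,
    and sort the tokens so 'Petrov, Mikhail' equals 'Mikhail Petrov'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    tokens = [t for t in tokens if t not in CORP_SUFFIXES] or tokens
    return " ".join(sorted(tokens))

def similarity(a: str, b: str) -> float:
    """Character-level similarity of two normalized names, 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(name: str, watchlist=SAMPLE_LIST, threshold: float = 0.85):
    """Return (entry id, best score, matched label) for every entry whose
    name or alias scores at or above the threshold, strongest hit first."""
    hits = []
    for entry in watchlist:
        labels = [entry["name"], *entry["aliases"]]
        score, label = max((similarity(name, lbl), lbl) for lbl in labels)
        if score >= threshold:
            hits.append((entry["id"], round(score, 3), label))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def screen_client(contact: str, company: str, principals, threshold: float = 0.85):
    """Screen the contact, the company and each named owner/director,
    as the checklist asks; returns {party name: list of hits}."""
    parties = [contact, company, *principals]
    return {p: screen(p, threshold=threshold) for p in parties}
```

A score below 1.0 is a candidate for a human look, not a confirmed match; the hit record (id, score, label) is what you write into the onboarding note.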
4. Adverse Media and Public Record Check
Sanctions lists only capture people who've been formally designated. Plenty of bad actors haven't been. Adverse media screening — checking news sources for fraud allegations, civil litigation, regulatory actions, and criminal charges — is how you catch the ones who fell through.
The SEC's EDGAR enforcement database covers SEC actions against individuals and companies. PACER gives access to federal court records. State court records vary, but many are accessible via state judiciary websites or aggregators. For international clients, corporate litigation databases and domestic court portals are the starting points.
A practical adverse media check for a small team looks like: a structured Google search (name + "fraud," name + "lawsuit," name + "SEC," name + company + "settled"), an EDGAR search for any SEC enforcement, and a scan of the first two pages of results. It's not exhaustive, but it's documented. Documentation is what matters when something goes wrong later.
What "Good Enough" Looks Like for a Small Team
You don't need an enterprise compliance stack. You need a consistent process you can actually run in under an hour per client.
Here's a repeatable checklist:
- Collect a government-issued ID (individual) or articles of incorporation/certificate of good standing (company).
- Confirm the company exists via OpenCorporates or the relevant national registry.
- Identify beneficial owners — ask directly, document the response, cross-reference against any available registry.
- Run names through OpenSanctions — contact, company, and named owners/directors.
- Run a structured adverse media search — at minimum, a news search and EDGAR check for each party.
- Record what you checked, when, and what you found. A dated note in your CRM is sufficient. A plain document with dated entries is better than nothing.
The point of documentation isn't bureaucracy. It's that if a client later turns out to be fraudulent, your defensible record that you ran a reasonable check matters — to your insurers, your counsel, and potentially a regulator.
When to Go Deeper
A basic check is sufficient for a new client who's paying standard rates for a standard service. There are situations that warrant more:
- Large upfront payments or unusual payment terms. Wire transfers from unfamiliar jurisdictions, requests to pay via cryptocurrency, or insistence on paying in cash are all worth treating as signals, not anomalies.
- Complex corporate structures with multiple holding companies. If it takes three layers of explanation to get to the person who actually owns the money, the structure deserves scrutiny.
- Politically Exposed Persons (PEPs). Current or former government officials, their close family, and known associates carry elevated money-laundering risk by definition. OpenSanctions maintains a PEP dataset that's free to query.
- High-risk jurisdictions. The FATF grey list and black list identify countries with significant AML/CFT deficiencies. A client entity incorporated in a jurisdiction on either list warrants a closer look at ownership and source of funds.
- Referrals that don't quite add up. If the referral story is vague, the contact is unusually eager to close fast, or the background details are thin, slow down.
Deeper checks may mean ordering a professional background report, pulling court records, or in some cases retaining a specialist. The right threshold depends on how much is at stake and how unusual the circumstances are. See our methodology page for how Sentinel structures risk-tiered checks.
The Biggest Mistake Small Teams Make
Not having a process at all, then scrambling after a problem surfaces.
The second-biggest: treating KYC as a one-time event. People get sanctioned after you sign them. Companies go under investigation after the contract is live. A light annual re-check — rerunning sanctions screening and a quick adverse media search — is worth the hour it takes.
Third: keeping the documentation nowhere. A Google Doc that lives in someone's personal Drive and gets deleted when they leave is not a compliance record. Centralize it, even if "centralized" just means a shared folder with a naming convention.
A Note on Proportionality
If you're a five-person agency onboarding a local restaurant as a marketing client, you don't need a 40-point due diligence checklist. You need to confirm they exist, that the person signing is who they say they are, and that they don't show up on a sanctions list. Twenty minutes.
If you're onboarding a new investor or a client sending seven-figure payments through your accounts, the bar is higher. The check should match the risk.
KYC compliance isn't about creating overhead. It's about making sure the effort you put in is proportional to what you're putting on the line. Knowing who you're dealing with before something goes wrong is almost always cheaper than finding out after.
Need to run a check on a new client before you sign? Sentinel can screen an individual or company against global sanctions lists, PEP databases, adverse media, and corporate registries — and return a structured report in minutes. No subscription required for occasional checks.