Banking & Payments · 22 min read
Inside Bank KYB: How Financial Institutions Actually Verify Your Business — And Why Applications Get Rejected
Banks do not just check your documents. They cross-reference your IP address, browser fingerprint, device history, address type, entity registration, and beneficial ownership against dozens of databases in real time. This guide reveals exactly what happens behind the scenes when you apply for a US business bank account.
What This Guide Covers
When you submit a business bank account application, you see a clean form and a "Submit" button. Behind that button is a verification pipeline that evaluates your application across six dimensions simultaneously — often before a human ever looks at it.
This guide explains each dimension in detail, why applications get rejected, what has changed in 2024–2026, and how to present your business in a way that passes automated and human review.
Part 1: The Six Dimensions of KYB Verification
Every bank and fintech evaluates business applications across these six areas. Failure in any one can trigger rejection or enhanced review.
Dimension 1: Entity Verification
What they check:
- Does your LLC/Corporation actually exist in the state registry?
- Is the entity in "Good Standing" (not dissolved, revoked, or administratively closed)?
- Does the registered agent match what is on file?
- When was the entity formed? (Entities formed within the last 30 days receive extra scrutiny)
- Does the EIN match the entity name in IRS records?
How they check it:
- Middesk (used by Stripe, Mercury, Relay, Shopify): Automated query to Secretary of State database + IRS EIN lookup
- LexisNexis: Cross-references entity records across all 50 states
- Manual SOS lookup: Some traditional banks (Chase, BofA) have compliance staff manually check the state website
Common rejection reasons:
- Entity not found in state registry (name mismatch, wrong state)
- Entity is "Not in Good Standing" (missed annual report or franchise tax)
- EIN letter name does not exactly match the SOS registration name
- Entity formed same day as application (fraud signal)
How to prevent rejection:
- Verify your entity is in Good Standing before applying (check your state's SOS website)
- Ensure your EIN letter (CP 575 or 147C) shows the exact legal name on file with the state
- Wait at least 7–14 days after formation before applying for banking
- File your BOI report with FinCEN before applying — some banks now check this
Dimension 2: Beneficial Ownership Verification
What they check:
- Who owns 25%+ of the company?
- Who has significant control (signing authority, management)?
- Does each beneficial owner have a verifiable identity?
- Are any owners on sanctions lists (OFAC SDN, EU sanctions, UN lists)?
- Are any owners Politically Exposed Persons (PEPs)?
How they check it:
- OFAC SDN List: Real-time screening against the US Treasury's Specially Designated Nationals list
- Dow Jones Risk & Compliance: Global sanctions, PEP, and adverse media screening
- World-Check (Refinitiv): Used by larger banks for enhanced due diligence
- FinCEN BOI Database: Banks cannot yet directly query this, but they cross-reference your self-reported ownership against other sources
- Persona / Veriff / Onfido: Identity verification (government ID + selfie liveness check) for each beneficial owner
Common rejection reasons:
- Beneficial owner's name matches a sanctions list entry (even partial matches trigger review)
- Owner cannot be identity-verified (expired ID, name mismatch, failed liveness check)
- Ownership percentages do not add up to 100%
- Nominee directors or shell ownership structures detected
- Owner is from a high-risk jurisdiction (Iran, North Korea, Russia, Myanmar, etc.)
How to prevent rejection:
- Use your exact legal name as it appears on your government-issued ID
- Ensure your ID is not expired
- If your name is common and might match sanctions entries, prepare a letter explaining you are not the sanctioned individual
- Be transparent about ownership structure — banks detect nominee arrangements
Dimension 3: Address Verification
What they check:
- Is the business address a real, deliverable location?
- What type of address is it? (Commercial, Residential, CMRA, PO Box)
- How many other businesses are registered at this address?
- Does the address match the entity's SOS registration?
- Are there utility accounts active at this address in the business name?
How they check it:
- USPS Address Management System (AMS): Returns address type (Commercial/Residential/CMRA) and deliverability status
- LexisNexis / Melissa Data: Address standardization + historical occupancy data
- Middesk: Checks address type and compares against SOS registration address
- Utility verification services: Some banks (particularly for larger accounts) verify whether an active utility account exists at the stated address
Address scoring (internal risk model):
| Address Type | Risk Score | Typical Outcome |
| --- | --- | --- |
| Commercial lease (your name on lease) | Low | Auto-approve |
| Residential (owner's home address) | Medium | Approve with review |
| Registered agent address | High | Reject or request additional docs |
| CMRA / Virtual mailbox | Very High | Auto-reject at most fintechs |
| PO Box | Very High | Auto-reject |
Common rejection reasons:
- Address is a known CMRA (flagged in USPS AMS database)
- Address is the same as the registered agent (not an operating address)
- Hundreds of other entities registered at the same address
- No utility account exists at the address (suggests non-occupancy)
- Address is in a state different from where the entity is registered, with no explanation
How to present your address correctly:
- Use your actual operating address, not your registered agent
- If you operate from a different state than where your LLC is registered (common with Wyoming LLCs), be prepared to explain this
- Have a commercial lease agreement ready to upload
- Have a utility bill (broadband, electric) in your business name dated within 90 days
- If you use a co-working space, have the membership agreement and a utility bill showing the space's address
Dimension 4: Network Environment Analysis
This is the dimension most international founders do not know about. Banks and fintechs analyze your digital environment during the application process.
What they check:
- What IP address are you applying from?
- Is the IP address from a datacenter, VPN, proxy, or residential connection?
- What country does the IP geolocate to?
- How far is the IP location from your stated business address?
- What is the IP reputation score?
How they check it:
- IPQS (IP Quality Score): Fraud score 0–100. Datacenter IPs typically score 75+. VPN IPs score 85+. Residential IPs score 0–20. Scores above 30 trigger review.
- MaxMind GeoIP: Geolocation accuracy to city level. Distance calculation between IP and business address.
- Sift Science / Sardine: Behavioral analytics — session duration, mouse movement patterns, typing cadence. Automated bot detection.
- Fingerprint.js / FingerprintPro: Browser and device fingerprinting for fraud detection.
What triggers network-based flags:
| Signal | Risk Level | What It Means |
| --- | --- | --- |
| Residential IP in same state as business | None | Normal application |
| Residential IP in different state | Low | Common for remote founders |
| Residential IP in foreign country | Medium | International founder — expected but scrutinized |
| VPN IP | High | Attempting to mask true location |
| Datacenter IP | Very High | Bot or automated application |
| Tor exit node | Critical | Almost certain auto-reject |
| IP previously associated with fraud | Critical | Auto-reject |
The international founder problem:
If you are applying from Tokyo, Shanghai, or Seoul for a Wyoming LLC bank account, your IP will be flagged as geographically inconsistent. This alone does not cause rejection, but it increases scrutiny on every other dimension. If your address is also a CMRA and your entity was formed yesterday, the combination is almost certainly a rejection.
How to mitigate network flags:
- Do NOT use a VPN when applying. Your foreign residential IP is better than a VPN IP.
- If you have a US-based hardware device (RDP, Mac Mini at your physical address), apply through it — the session will originate from a Wyoming IP on a commercial broadband connection.
- Be consistent: if your IP is in Japan, acknowledge in your application materials that you are an international founder operating a US entity. Banks expect this pattern from legitimate cross-border businesses.
- Never use browser automation or headless browsers to complete applications.
Dimension 5: Device and Browser Fingerprinting
What they check:
- What device are you using? (Make, model, OS version)
- What browser? (Version, installed plugins, language settings)
- Screen resolution, timezone, and system fonts
- Has this device been associated with other applications?
- Has this device been associated with previously rejected or fraudulent accounts?
How they check it:
- FingerprintPro: Creates a unique device identifier based on 70+ browser signals. Persists across incognito mode, VPN changes, and cookie clearing.
- Sardine: Device intelligence platform used by fintechs. Tracks device reputation across the Sardine network.
- Socure: Device risk scoring combined with identity verification.
What triggers device-based flags:
| Signal | Risk Level |
| --- | --- |
| Same device used for multiple applications with different identities | Critical |
| Device timezone does not match stated business address timezone | Medium |
| Browser language set to non-English (e.g., zh-CN, ja-JP) | Low (but noted) |
| Incognito/private browsing mode | Medium |
| Browser plugins associated with automation (Selenium, Puppeteer) | Critical |
| Device previously linked to a rejected application | High |
The fingerprint persistence problem:
If a previous application was rejected from your device, your device fingerprint may be flagged. Clearing cookies does not help — fingerprinting uses canvas rendering, WebGL, audio context, and other hardware-level signals that persist across sessions.
How to handle device fingerprinting:
- Use your primary personal device, not a shared or public computer
- Do not switch between multiple devices during the application process
- If your browser language is zh-CN or ja-JP, that is fine — it is consistent with being an international founder. Do not change it to en-US to appear domestic; inconsistency is worse than foreignness.
- Complete the entire application in one session if possible
Dimension 6: Business Logic and Narrative Coherence
This is the human review dimension. When automated checks pass but flags exist, a compliance analyst reviews the overall "story" of your application.
What they evaluate:
- Does the business description make sense?
- Is the stated revenue range plausible for the business type?
- Does the business model match the stated industry?
- Is there a logical reason for a foreign individual to own a Wyoming LLC?
- Does the business have a website? Does the website look legitimate?
- Are the stated products/services consistent with the business address?
Common narrative failures:
- Business description is vague ("general commerce," "consulting services," no specifics)
- Stated revenue is $0 for a company that has been registered for 6+ months
- No website, no social media presence, no Google results for the business name
- Business model involves high-risk categories (crypto, adult content, weapons, pharmaceuticals) without clear compliance documentation
- The application materials feel "templated" — as if copied from a formation agent's boilerplate
How to build a coherent narrative:
- Business description: Be specific. "Cross-border e-commerce selling Japanese stationery products through Amazon FBA and Shopify, targeting US consumers" is dramatically better than "import/export business."
- Website: Even a simple one-page site with your business name, description, and contact information significantly improves your application.
- Revenue honesty: If you are pre-revenue, say so. "Pre-revenue, launching Q2 2026, initial inventory investment of $15,000" is credible. "$100,000/month" for a company formed last week is not.
- Address explanation: If you are an international founder with a Wyoming LLC, explain why. "I chose Wyoming for its business-friendly LLC laws and zero state income tax. My US operations hub is at [address] in Cheyenne, WY, where I have a commercial sublease and utility accounts. I manage the business remotely from [your country]." This is a perfectly legitimate arrangement that banks see regularly.
Part 2: The Regulatory Landscape — What Changed in 2024–2026
FinCEN Corporate Transparency Act (CTA) — January 2024
What changed:
- All LLCs and corporations must file a Beneficial Ownership Information (BOI) report with FinCEN
- Reports must include: legal name, date of birth, residential address, and government ID number for each 25%+ owner
- Filing deadline: existing companies had until January 1, 2025; new companies must file within 90 days of formation (changed to 30 days starting January 2025)
- Non-compliance: up to $500/day civil penalty + $10,000 criminal fine + 2 years imprisonment
Impact on bank KYB:
Banks now cross-reference your self-reported ownership information against what they expect to see in the FinCEN database. While banks cannot yet directly access the BOI database (as of April 2026), they will ask whether you have filed. Failure to file, or inconsistency between your banking application and your BOI report, is a red flag.
AMLA (Anti-Money Laundering Act of 2020) — Ongoing Implementation
What changed:
- Expanded the definition of "financial institution" to include more fintechs
- Increased emphasis on beneficial ownership transparency
- Mandated that banks update their KYB procedures to incorporate new data sources
- Whistleblower protections and incentives expanded
Impact:
Mercury, Relay, Wise, and other fintechs now face the same KYB obligations as traditional banks. The regulatory gap that previously allowed easier account opening at fintechs has largely closed.
FATF Recommendations — 2023 Update
What changed:
- The Financial Action Task Force updated its guidance on virtual assets and virtual asset service providers
- Enhanced due diligence requirements for cross-border correspondent banking
- Emphasis on "risk-based approach" — but in practice, this means more scrutiny on international founders
State-Level Changes
Wyoming (2024–2025):
- Wyoming DAO LLC legislation updated — banks remain cautious about DAO structures
- Annual report now requires additional information about principal office address
Delaware (2025):
- Increased franchise tax for LLCs with high assumed par value
- Additional reporting requirements for Series LLCs
Part 3: Platform-Specific KYB — What Each One Actually Checks
Stripe
KYB provider: Middesk (automated) + internal review
What Stripe checks that others do not:
- Website content analysis: Stripe crawls your website and categorizes your business. If your website content does not match your stated business category, the application is flagged.
- MCC (Merchant Category Code) validation: Your business type must match an appropriate MCC. Mismatches cause holds.
- Processing history: If you have had a previous Stripe account (even under a different entity), Stripe knows. Inconsistencies between old and new applications are flagged.
Stripe-specific rejection patterns:
- Website is "under construction" or shows placeholder content → reject
- Business category is "other" with no clarifying description → enhanced review
- IP address is in a high-risk country with no US presence documentation → reject
- Previous account was closed for policy violations → permanent ban (applies to the individual, not just the entity)
Amazon
KYB approach: Internal + Accenture (outsourced review team)
Amazon's unique checks:
- UPC/ASIN ownership verification: If you are selling branded products, Amazon checks whether you have authorization
- Video Verification: Live video call where you must show your physical business location, address signage, utility bills, and government ID. This cannot be faked.
- Behavioral analysis: Amazon tracks seller behavior patterns. An account that was created, immediately listed 10,000 SKUs, and started selling high-value electronics from a newly formed LLC at a CMRA address will be flagged within hours.
Amazon-specific rejection patterns:
- Failed video verification → permanent suspension
- Address does not match between seller account, bank account, and LLC registration → suspension pending review
- Multiple seller accounts detected (device fingerprint, bank account, address, or name match) → all accounts suspended
Mercury
KYB approach: Internal compliance team + LexisNexis + Middesk
Mercury's focus areas:
- Mercury puts extra weight on business narrative coherence. They read your business description carefully.
- Mercury checks your LinkedIn profile and the LinkedIn profiles of your beneficial owners. Having a professional LinkedIn presence with work history significantly improves approval rates.
- Mercury is more lenient on international founders than traditional banks, but requires clear documentation of US physical presence.
Mercury-specific rejection patterns:
- No LinkedIn presence for any beneficial owner → enhanced review
- Business description matches common fraud patterns ("dropshipping," "Amazon automation," "forex trading" without specifics) → reject
- Address is a registered agent address → reject with recommendation to use an operating address
PayPal Business
KYB approach: Internal + Emailage (now LexisNexis) + device fingerprinting
PayPal's unique checks:
- Email reputation: PayPal acquired Emailage specifically for this. Your email address has a reputation score based on how long it has existed, what services it is associated with, and whether it has been involved in chargebacks or fraud.
- Phone number verification: PayPal calls or texts your phone number. If the phone number is a VoIP number (Google Voice, Skype), it receives a lower trust score than a carrier-issued number.
- Transaction pattern analysis: PayPal monitors your first 30 days of transactions closely. Unusual patterns (high volume, high value, international transfers) trigger holds.
Part 4: The Application Timeline — What Happens When
Day 0: Application Submitted
0–5 seconds:
- Form data validated
- IP address captured and scored (IPQS, MaxMind)
- Device fingerprint generated (FingerprintPro)
- Browser environment analyzed (timezone, language, plugins)
5–30 seconds:
- Entity verification initiated (SOS database query via Middesk)
- EIN validation (IRS database)
- OFAC/sanctions screening on all named individuals
- Address type determination (USPS AMS query)
30 seconds – 2 minutes:
- Cross-reference checks complete
- Risk score calculated (composite of all six dimensions)
- Decision tree: Auto-approve / Auto-reject / Queue for human review
Day 0–1: Automated Decision
Auto-approve criteria (all must be true):
- Entity exists and is in Good Standing
- EIN matches entity name
- Address is Commercial (not CMRA, not PO Box)
- All beneficial owners pass identity verification
- No sanctions matches
- IP is residential (not VPN/datacenter)
- Fraud score below threshold
- Business description is coherent
Auto-reject criteria (any one triggers rejection):
- Entity does not exist in state registry
- Beneficial owner matches sanctions list
- Address is a known CMRA with 100+ registered entities
- IP is from a Tor exit node
- Device previously linked to confirmed fraud
- Previous account with this bank was closed for fraud
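The two lists above amount to a three-way triage: any auto-reject hit wins, and otherwise any unmet auto-approve condition queues the application for human review. The sketch below is an added example, not any bank's or vendor's code; the field names, the sample applications, and the fraud-score cutoff of 30 (borrowed from the IPQS note earlier on this page) are assumptions.

```python
from dataclasses import dataclass

# Cutoff assumed from the page's IPQS note ("Scores above 30 trigger review").
FRAUD_SCORE_THRESHOLD = 30

@dataclass
class Application:  # hypothetical field names, one per criterion listed above
    entity_found: bool
    good_standing: bool
    ein_matches_name: bool
    address_type: str          # commercial | residential | registered_agent | cmra | po_box
    entities_at_address: int
    owners_verified: bool
    sanctions_match: bool
    ip_type: str               # residential | vpn | datacenter | tor
    fraud_score: int           # 0-100
    device_fraud_history: bool
    prior_fraud_closure: bool
    description_coherent: bool

def reject_reasons(app):
    """Auto-reject: any single hit is enough."""
    rules = [
        (not app.entity_found, "entity not in state registry"),
        (app.sanctions_match, "beneficial owner matches sanctions list"),
        (app.address_type == "cmra" and app.entities_at_address >= 100,
         "known CMRA with 100+ registered entities"),
        (app.ip_type == "tor", "IP is a Tor exit node"),
        (app.device_fraud_history, "device linked to confirmed fraud"),
        (app.prior_fraud_closure, "previous account closed for fraud"),
    ]
    return [reason for hit, reason in rules if hit]

def approval_gaps(app):
    """Auto-approve: every condition must hold; return the ones that do not."""
    rules = [
        (app.entity_found and app.good_standing, "entity not in Good Standing"),
        (app.ein_matches_name, "EIN does not match entity name"),
        (app.address_type == "commercial", "address is not Commercial"),
        (app.owners_verified, "owner failed identity verification"),
        (not app.sanctions_match, "sanctions match"),
        (app.ip_type == "residential", "IP is not residential"),
        (app.fraud_score <= FRAUD_SCORE_THRESHOLD, "fraud score above threshold"),
        (app.description_coherent, "business description not coherent"),
    ]
    return [gap for ok, gap in rules if not ok]

def triage(app):
    """Return (decision, reasons). Reject rules are evaluated before approval gaps."""
    reasons = reject_reasons(app)
    if reasons:
        return "auto-reject", reasons
    gaps = approval_gaps(app)
    if gaps:
        return "human-review", gaps
    return "auto-approve", []

# Constructed sample applications (not real data).
CLEAN = Application(True, True, True, "commercial", 3, True, False,
                    "residential", 8, False, False, True)
FOREIGN_FOUNDER = Application(True, True, True, "residential", 1, True, False,
                              "residential", 35, False, False, True)
MAILBOX_VPN = Application(True, True, True, "cmra", 250, True, False,
                          "vpn", 88, False, False, True)

if __name__ == "__main__":
    for app in (CLEAN, FOREIGN_FOUNDER, MAILBOX_VPN):
        print(triage(app))
```

The returned reasons are what a compliance analyst would see attached to a queued application, which is why the function reports every unmet condition and does not stop at the first.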
Day 1–5: Human Review (if queued)
A compliance analyst reviews the full application package. They have access to:
- All automated check results and scores
- Your uploaded documents
- Your application narrative
- Your online presence (LinkedIn, website, social media)
- Internal notes from previous interactions (if any)
The analyst is looking for one thing: does the totality of evidence suggest this is a legitimate business operated by a real person?
Day 5–14: Additional Documentation (if requested)
If the analyst is uncertain, they will request additional documentation. Common requests:
- Commercial lease agreement
- Utility bill in business name
- Bank reference letter from your home country bank
- Business plan or pitch deck
- Letter explaining the business model and why it is based in Wyoming
- Proof of inventory, supplier agreements, or customer contracts
Critical insight: The documentation request is not a rejection. It is an opportunity. How you respond matters as much as what you provide. Respond promptly (within 48 hours), provide clean documents, and include a brief cover letter explaining the context.
Part 5: How to Build an Application That Passes
The Pre-Application Checklist
Before you click "Apply," verify every item:
Entity readiness:
- [ ] LLC is in Good Standing (check SOS website)
- [ ] EIN letter (CP 575 or 147C) matches exact entity name
- [ ] BOI report filed with FinCEN
- [ ] Operating Agreement signed and dated
- [ ] Articles of Organization on file
Address readiness:
- [ ] Commercial lease agreement in entity name
- [ ] Utility bill in entity name (within 90 days)
- [ ] Address is NOT a CMRA, PO Box, or registered agent address
- [ ] Address matches SOS registration (or you have a clear explanation for why it differs)
Identity readiness:
- [ ] Government-issued photo ID for each 25%+ owner (not expired)
- [ ] Selfie/liveness check capability (camera on device)
- [ ] Residential address for each owner
Digital readiness:
- [ ] Apply from a clean residential IP (no VPN)
- [ ] Use your primary personal device
- [ ] Have a basic business website live
- [ ] LinkedIn profile updated with current business information
- [ ] Email address is professional (not temporary or disposable)
Narrative readiness:
- [ ] Clear, specific business description (2–3 sentences)
- [ ] Realistic revenue estimate with justification
- [ ] Explanation of why Wyoming / why this address (for international founders)
- [ ] Understanding of your business's risk category
The Golden Rule
Consistency across all touchpoints is more important than perfection in any single one.
If your entity name is "Pacific Rim Holdings LLC" on your SOS filing, make sure it is exactly "Pacific Rim Holdings LLC" (not "Pacific Rim Holdings" or "PacificRim Holdings LLC") on:
- Your EIN letter
- Your bank application
- Your commercial lease
- Your utility bill
- Your website footer
- Your BOI report
A single inconsistency in entity naming is the number one preventable reason for KYB delays.
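One way to run this consistency check before submission is to compare the entity name on every document against the SOS filing and classify how each one differs. This is an added example, not part of the original guide; the suffix list, category labels, and document values are constructed for illustration.

```python
import re
import unicodedata

# Entity-type suffixes, compared after punctuation is stripped (assumed list).
SUFFIXES = {"llc", "inc", "corp", "corporation", "ltd", "co", "lp", "llp"}

def fold(name):
    """Case-fold, drop punctuation, collapse runs of whitespace."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = re.sub(r"[^\w\s]", "", s)
    return " ".join(s.split())

def strip_suffix(folded):
    """Remove a trailing entity-type token such as 'llc' from a folded name."""
    tokens = folded.split()
    if tokens and tokens[-1] in SUFFIXES:
        tokens = tokens[:-1]
    return " ".join(tokens)

def classify(registered, observed):
    """Describe how `observed` differs from the registered legal name."""
    if observed == registered:
        return "exact"
    a, b = fold(registered), fold(observed)
    if a == b:
        return "formatting"        # case, punctuation or extra whitespace
    if a.replace(" ", "") == b.replace(" ", ""):
        return "word_spacing"      # e.g. "PacificRim" vs "Pacific Rim"
    if strip_suffix(a) == strip_suffix(b):
        return "suffix"            # entity type missing or different
    return "different_name"

def audit(registered, documents):
    """Return {document: mismatch type} for every non-exact name."""
    findings = {}
    for doc, name in documents.items():
        kind = classify(registered, name)
        if kind != "exact":
            findings[doc] = kind
    return findings

# Constructed sample: the SOS name from the example above and five documents.
REGISTERED = "Pacific Rim Holdings LLC"
DOCUMENTS = {
    "EIN letter": "Pacific Rim Holdings LLC",
    "bank application": "Pacific Rim Holdings",
    "website footer": "PacificRim Holdings LLC",
    "utility bill": "PACIFIC RIM HOLDINGS, L.L.C.",
    "commercial lease": "Pacific Rim Trading LLC",
}

if __name__ == "__main__":
    for doc, kind in audit(REGISTERED, DOCUMENTS).items():
        print(f"{doc}: {kind}")
```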
Key Takeaway
Banks are not trying to reject you. They are trying to verify that you are who you say you are, that your business is what you say it is, and that your business operates where you say it operates.
Every rejection is a failure of evidence, not a failure of legitimacy. If your business is real, your address is real, and your identity is real, then the only question is whether you have presented sufficient evidence of those facts in a format that both automated systems and human reviewers can process.
Build the evidence before you need it. Present it clearly when you do. And be consistent across every touchpoint.
*Laramie Ledger provides the physical infrastructure that produces bank-ready evidence: commercial sublease, utility accounts, and compliance documentation at a verified Wyoming address. When you apply for a bank account, the evidence already exists.*