
KYB and partner checks

1) Why KYB

KYB (Know Your Business) is the identification and risk assessment of legal entities and transaction organizers: affiliates, game providers and aggregators, PSPs/banks, payment orchestrators, KYC/AML providers, marketing agencies, call centers, B2B distributors, white-label partners and resellers. Purpose: to prevent sanctions and AML/CFT risks, traffic and payment fraud, IP/license violations, data leaks and reputational incidents.

2) RBA Principles and Model

Risk-Based Approach: The depth of verification depends on the counterparty's risk profile (geo, role in the chain, access to money/data, incident history, volumes).
Proportionality: CDD for low-risk suppliers, EDD for high-risk (PSP, affiliates with aggressive traffic, cross-border resellers).
Ongoing Monitoring: Initial verification without continuous monitoring is useless.
Four-Eyes & Segregation: Onboarding/blocking decisions are made by at least two employees.

3) Roles and responsibilities

Board/Exec: approves KYB policy, risk appetite, escalation matrix.
MLRO/Compliance: Owner of ESC/Sanctions Process, Adverse Media/PEP Methodology, SAR/STR if required.
Risk/Analytics: risk scoring, behavioral rules for affiliates/PSPs.
Commercial/BD: collecting documents, monitoring contract terms, partner KPIs.
Legal: contractual guarantees, IP/licenses, penalties, right of unilateral termination in AML/sanction events.
Security/IT: access, encryption, activity log, vendor-security assessment.
Finance/Payments: payment control, registers of beneficiaries, verification of details.

4) KYB levels (example)

CDD (basic): registration documents, directors, UBO ≥25%, sanctions/PEP/Adverse Media, site/contacts, tax number, confirmation of the address of the legal entity.
ID + EDD (extended): full chain of ownership to individuals, financial statements, bank letters/references, licenses/permits, description of the business model and sources of income, verification of operating sites, verification of domains/traffic channels, security technical audit.
Continuous: review of events (sanctions, change of UBO/directors, traffic surges/chargebacks), annual revision of the dossier.

5) Collection of data and documents

Legal entity:
  • Incorporation Certificate, Articles of Association/Master Agreement, Register of Shares/Members.
  • List of directors and UBOs (with shares and citizenship).
  • Legal address and actual address, tax number/VAT.
  • Licenses/permits (iGaming/payment/advertising), sub-supplier agreements.
  • Bank details (letter from the bank/void cheque), confirmation of account ownership.
  • AML/KYC/KYB policies, company sanctions screening, GDPR/security, DPIA (if access to PD is available).
  • For the affiliate: description of traffic sources, domains/landings, accounts in social networks/adsets, geo and advertising formats, CRM/trackers.
Individuals (Directors/UBO ≥25%):
  • Identity document + liveness check, address (≤3 months), sanctions/PEP/Adverse Media.
  • Confirmation of the link to the company (appointment as director, ownership of shares).

6) Sanctions, PEP, Adverse Media

Screening of legal entity, all trade names, related domains and directors/UBOs.
Fuzzy search, aliases and transliteration; manual clearing of borderline matches.
Periodic rescreening (daily list updates) and event-triggered rescreening when the partner profile changes.
Adverse Media: topics - corruption, fraud, drug trafficking, gambling without a license, money laundering.
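
A sketch of the fuzzy/alias/transliteration screening step with a manual-review band for borderline matches. This is an added example, not GambleHub code: the watchlist entries, the partial transliteration table, the legal-form list and the 0.92/0.80 thresholds are all constructed assumptions.

```python
import difflib
import re
import unicodedata

# Partial Cyrillic-to-Latin table (constructed; use a full standard in production).
CYR = dict(zip("абвгдезийклмнопрстуфыэ", "abvgdeziiklmnoprstufye"))
CYR.update({"ж": "zh", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh", "щ": "shch",
            "ю": "iu", "я": "ia", "ь": "", "ъ": ""})
LEGAL_FORMS = {"ltd", "limited", "llc", "ooo", "gmbh", "inc"}

# Constructed watchlist: each entry carries its known aliases.
WATCHLIST = [
    {"id": "WL-001", "names": ["Severnyi Potok Treid", "Severny Potok Trade"]},
    {"id": "WL-002", "names": ["Jose Alvarez Munoz"]},
]

def normalize(name):
    """Transliterate, strip diacritics and legal forms, ignore token order."""
    text = unicodedata.normalize("NFC", name).lower()
    text = "".join(CYR.get(ch, ch) for ch in text)
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in LEGAL_FORMS]
    return " ".join(sorted(tokens))

def screen(name, hit=0.92, review=0.80):
    """Return (decision, watchlist_id) for the best match over all aliases."""
    query = normalize(name)
    best_score, best_id = 0.0, None
    for entry in WATCHLIST:
        for alias in entry["names"]:
            score = difflib.SequenceMatcher(None, query, normalize(alias)).ratio()
            if score > best_score:
                best_score, best_id = score, entry["id"]
    if best_score >= hit:
        return ("hit", best_id)
    if best_score >= review:
        return ("manual_review", best_id)  # borderline: goes to a human analyst
    return ("auto_clear", None)
```

The same function should run against the legal entity name, every trade name and each director/UBO, and again on every list update.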

7) Assessment of technical and regulatory maturity

Licenses and compliance: validity and volume of licenses (gaming, payment, advertising), reporting, fines in the past.
Security & Privacy: encryption, RBAC/ABAC, key/secret management, access logs, data retention policy, incident-response.
Reliability of operations: SLA/uptime, backups, continuity plan, DDoS protection.
Integrations: secure APIs, audit logs, SDK versions, PI/PCI DSS rules (if working with cards).

8) Specificity by partner type

8.1 Affiliates (KYA - Know Your Affiliate)

Traffic profile: sources (SEO/ASO, PPC, teasers, social networks, streams), white/gray practices, geo eligibility and age targeting.
Quality metrics: CR→FTD, FTD→depositor, deposit→withdrawal, abnormal peaks, share of multi-accounts/bonus abuse.
Content and brand safety: no false promises, compliance with local advertising rules.
Financial side: reconciliation of payment details, absence of third parties as beneficiaries of payments.
Monitoring: regular crawling of domains/creatives; hidden redirects/doorways are stop factors.

8.2 Game providers/aggregators

IP distribution rights: RNG/game licenses, brand/music/art asset rights.
Available jurisdictions: market matrix (what can be shown where), geo-filtering mechanisms.
Fair play: RNG certification, laboratories, reporting, incident history (rigging/leaks).
Payments: royalty model (RevShare/flat), reconciliation of reports, protection against manipulation of GGR/tags.

8.3 PSPs/banks/orchestrators

Payment licenses (EMI/PI/banking), KYC/AML processes, limits, MCC classes.
Blocking risks: chargebacks, returns, blacklists; Incident Bypass Plan (Failover).
Payment tracing: account holder verification, same method rules, reporting.

8.4 Service Providers (KYS - Know Your Supplier)

Access to PD/accounts/codebase → EDD + data protection contracts, audit rights, incident notification, sub-processors.

9) Contractual guarantees and controls

AML/sanctions clauses: guarantee of compliance with all regimes, right of immediate termination in case of violation.
KYC/KYB obligations: provision of documents upon request, updating when changing UBO/directors.
Advertising standards (for affiliates): mis-selling ban, mandatory disclaimers, local restrictions.
Audit and inspections: the right to checks, access to logs/creatives, fines/deductions for serious violations.
SLA/OLA: uptime, TAT on tickets, incident response times, late fees.
IP/Content: confirmation of rights, liability for claims of third parties.
Data and security: DPIA/DTIA, encryption, breach-notification ≤72 h, prohibition of transfer to "red" jurisdictions without guarantees.

10) Monitoring and review (Ongoing)

Rev-KYB triggers:
  • Change of UBO/directors/bank details.
  • Sanction Event/Adverse Media.
  • Abnormal traffic/chargebacks/payment spikes.
  • User complaints/regulatory inquiries.
  • Changing business model/geography.

Process: signal → case → request for documents/explanations → decision (keep/freeze/terminate) → post-mortem and update of rules.

11) Risk matrix (example)

Factor | Low | Medium | High
Partner geography | Low risk | Mixed | Sanction/High Risk
Role in chain | Content without access to PD | Affiliate/Marketing | PSP/orchestrator/white-label
Data access | Public | Limited PD | Full PD/Payment
Incident history | No | Single | Repeated/systemic
Financial flows | Small/transparent | Medium | High/complex schemes

Result: Low → CDD; Medium → CDD + targeted EDD; High → full EDD, hard limits or refusal.

12) KYB Metrics and KPIs

Onboarding TAT (median/95th percentile).
Completeness Score (proportion of complete profiles).
Auto-clear/Manual-review rate by alert.
False Positive rate sanctions/PEP and clearing time.
Traffic Quality (affiliates): CR, FTD-quality, WD-ratio, chargeback-rate.
Incident Rate and Time-to-Contain.
Audit Findings Closed on Time.
Vendor SLA Compliance (uptime/reaction).

13) Architecture and integration

Unified partner dossier: UBO ownership graph, documents, sanctions/PEP statuses, licenses, domains, payment details.
Event bus: changes in details, bursts of traffic/chargebacks, sanctions updates → alerts to the case system.
Decision engine: rules + ML (scoring affiliates, PSP risk, anomalies).
Logs and WORM storage: immutable versions of documents, rationale for decisions, access trails.
Accesses and secrets: RBAC/ABAC, HSM/secret-vault, download restriction.
Degradation: when sanctions providers are unavailable - quorum/retry, temporary tightening of thresholds.

14) Checklists

Partner onboarding (short):
  • Regulatory documents, articles of association, registration address.
  • Directors/UBO ≥25% + ACC/address.
  • Sanctions/PEP/Adverse Media (legal entity/persons).
  • Licenses, product/content entitlement.
  • Bank details and proof of account ownership.
  • AML/KYC/KYB policies + data security.
  • For affiliate: traffic sources, domains, creatives, geo.
  • Contract: AML clauses, audit rights, SLAs, penalties.
Before the first payment:
  • Re-sanction screening.
  • Check account beneficiary = partner/UBO.
  • Report reconciliation (traffic/games/royalties).
  • Anti-fraud checks (anomalies, multi-level chains).
Periodic review (every 6-12 months or by event):
  • Up-to-date documents/licenses/UBO.
  • Summary of incidents/complaints/inquiries.
  • Changes in geo/traffic channels/product line.
  • Recalibrate risk and limits.

15) Typical risks and how to cover them

A hidden UBO structure through offshore companies → require a chain to individuals, independent registries, and legal confirmation.
"Dirty" traffic of affiliates → contract bans, auto-monitoring of domains, financial fines, stop list.
Sanction/PEP risks → daily rescreening, manual clearing, MLRO escalation.
Substitution of payment details (BEC fraud) → confirmation of details via the contractual channel, two-man rule, change control with a 24-48 h quarantine.
Access to PD by third parties → DPIA, minimization, audit of access traces, technical and contractual barriers.
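
The payment-details control above (contractual-channel confirmation, two-man rule, quarantine) expressed as a payout gate. This is an added example, not GambleHub code: the class, field names and account strings are hypothetical, and it assumes two approvers other than the requester, a 24 h quarantine (the lower bound of the 24-48 h range) and payouts held while a change is pending.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

QUARANTINE = timedelta(hours=24)  # assumption: lower bound of the 24-48 h window

@dataclass
class DetailsChange:
    partner_id: str
    new_account: str
    requested_by: str
    requested_at: datetime
    callback_confirmed: bool = False  # confirmed via the contact named in the contract
    approvers: set = field(default_factory=set)

    def approve(self, employee):
        # Segregation of duties: the requester can never approve their own change.
        if employee == self.requested_by:
            raise PermissionError("requester cannot approve own change")
        self.approvers.add(employee)

    def blockers(self, now):
        """Return the reasons the new details must not be used yet."""
        reasons = []
        if not self.callback_confirmed:
            reasons.append("not confirmed via contractual channel")
        if len(self.approvers) < 2:
            reasons.append("needs two distinct approvers")
        if now < self.requested_at + QUARANTINE:
            reasons.append("quarantine not elapsed")
        return reasons

def payout_decision(current_account, change, now):
    """Hold payouts while a change is pending; release only after all controls pass."""
    if change is None:
        return ("pay", current_account)
    reasons = change.blockers(now)
    if reasons:
        return ("hold", reasons)
    return ("pay", change.new_account)
```

Every call to approve and every payout_decision result belongs in the WORM log described in section 13.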

16) FAQ

Where is the threshold for EDD? High risk by geo/role/volume, access to PD/money, complex UBO structure, negative media.
How often to revise the dossier? At least annually, plus on trigger events.
Is it possible to pay an affiliate to a personal account? Undesirable: it requires an owner match, a UBO link, a targeted check and compliance with local rules.
What to do when arguing about the quality of traffic? Include in the contract the right to audit, lead sampling, attribution methodology, retention/chargeback correction.

17) KYB policy structure template (for wiki)

1. Scope and Definitions

2. Role and Responsibility (RACI)

3. RBA methodology and EDD thresholds

4. Document requirements (legal entity/directors/UBO)

5. Sanctions/PEP/Adverse Media and the frequency of rescreening

6. Specificity by partner type (KYA/KYS/PSP/game providers)

7. Contractual requirements (AML, SLA, audit, IP, data)

8. Monitoring and rev-KYB (triggers, case management)

9. Metrics and Reporting for Board/Management

10. Data storage, security, privacy

11. Continuity Plan and Incident Response

12. Appendices: checklists, forms, templates for letters and reports

Result

Strong KYB loop = correct depth of check at onboarding, tight contractual framework, continuous monitoring and transparent metrics. Standardize the dossier, automate the sanctions loop, measure traffic quality and SLA compliance, regularly review partner risk ratings - and you will reduce regulatory, financial and reputational risks without compromising business pace.
