KYB for partners and merchants
1) KYB in iGaming: goals and responsibilities
KYB (Know Your Business) is the verification of legal entities: merchants, content/payment providers, affiliate partners, payment agents, white-label/skin partners.
Objectives:
- compliance with AML/sanctions requirements and the rules of schemes/banks;
- reduction of operational and reputational risks (fraud, "mule" schemes, cashing out);
- protection of the payment loop (chargeback/fraud-spillover from the partner);
- transparency of rights to content, domains and traffic.
Important: KYB supplements KYC (for individuals) and applies to the company, its beneficiaries and decision makers.
2) Data and documents: basic package (CDD)
Legal entity
Registration documents: charter/incorporation certificate/extract from the register (with date and number).
Ownership structure: ownership chart up to the UBO (usually the UBO is an individual with a significant share/control; define thresholds by policy, often 25%).
Register of directors/officers, appointment of AML/compliance officer.
Legal address and address of actual activity (proof of address).
Licenses/permits (gaming, aggregator, payment, medical), if applicable.
Bank details (IBAN/SWIFT), confirmation of account ownership (bank letter/statement).
Tax number/VAT registrations, tax residency certificate (if necessary).
Domain/hosting contracts, proof of site/application ownership.
UBO/directors (personal files)
Photo ID document (passport/ID), selfie/liveness check if necessary.
PEP/sanction/adverse media check.
Contact details for verification.
Commercial and operational
Description of business model and geo (country of traffic/players/customers).
AML/KYC/KYB policies, responsibilities and processes.
Traffic sources (for affiliates): channels, domains, social networks, buy-side strategies.
For merchants/operators: payment methods, PSP, returns/chargeback policy.
3) Enhanced due diligence (EDD) - when and what to add
EDD triggers: complex ownership structure, offshore links, high-risk jurisdictions, PEP links, negative publications, document inconsistencies, unusual financial flows, bans/sanctions, high turnover/payment limits.
Additionally requested
Full breakdown of ownership chains (notarization/apostille if necessary).
Accounting/audited reports/simplified P&L.
Contracts with key suppliers/payment partners.
Bank statements for the period (documents preferably masked).
AML/KYC policies and logs (training, screening, reporting).
Information on the UBO's source of funds/wealth (SoF/SoW) - targeted, based on risk.
4) Screening and negative indicators
Sanctions: legal entity, UBO, directors - daily/batch rescreening.
PEP: owners/directors and related persons - increased control and limits.
Adverse Media: fraud, laundering, corruption, "kitchens" and pseudo-financial services.
Domain/App store watch: compliance of domains/applications with the declared business.
Payment health: complaints about non-payment, high CBR% at the partner, "endless" trackers.
Traffic risks: incent/spam, mislead/brand bidding without permission, porn/adult, prohibited content.
5) Counterparty risk scoring (example)
Score (0-100) = weighted sum of factors:
- Jurisdiction of registration (risk category)
- Jurisdiction of business/target markets
- UBO transparency (negative factor if the structure is "layered" with no identifiable ultimate beneficiaries)
- Sanctions/PEP/adverse media (heavy penalty applied immediately)
- Business model (high risk: gray traffic arbitrage, rebill cascades; low risk: transparent B2B)
- Payment profile (history of chargebacks, declines and returns)
- Operational maturity (availability of AML/KYC policies, DPOs, logs, training)
Threshold logic
score ≤ T1 → CDD approve, standard limits.
T1 < score ≤ T2 → EDD + reduced limits/sampling.
score > T2 → Reject/pause until risks are eliminated.
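The scoring and threshold logic above, as an added example (not code from the original article). The weights, the T1/T2 values, the factor names and the use of score floors for screening hits are assumptions chosen for illustration; a missing factor is scored as maximum risk so that incomplete files cannot auto-approve.

```python
# Added example. Weights, thresholds and factor names are assumptions;
# each factor is a risk value from 0.0 (low) to 1.0 (high).
WEIGHTS = {
    "registration_jurisdiction": 0.15,
    "market_jurisdiction": 0.15,
    "ubo_opacity": 0.20,
    "screening": 0.20,
    "business_model": 0.10,
    "payment_profile": 0.10,
    "operational_immaturity": 0.10,
}
T1, T2 = 35, 65

def risk_score(factors, sanctions_hit=False, edd_trigger=False):
    """Return a 0-100 score; higher means riskier."""
    unknown = set(factors) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = factors.get(name, 1.0)   # missing data fails closed
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
        total += weight * value
    score = round(100 * total)
    # A weighted sum can dilute one critical factor, so hits set a floor.
    if edd_trigger:                      # e.g. PEP link, adverse media
        score = max(score, T1 + 1)
    if sanctions_hit:
        score = max(score, T2 + 1)
    return score

def decide(score):
    if score <= T1:
        return "CDD_APPROVE_STANDARD_LIMITS"
    if score <= T2:
        return "EDD_REDUCED_LIMITS"
    return "REJECT_OR_PAUSE"

# Constructed sample: a transparent B2B supplier, low on every factor.
LOW_RISK_B2B = {name: 0.1 for name in WEIGHTS}
```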
6) Onboarding process and state-machine
1. Application: questionnaire + document upload.
2. CDD checks: register, sanctions/PEP, addresses, bank details.
3. UBO/Directors KYC: identity verification, list checks.
4. EDD (if necessary): additional documentation and clarifications.
5. Agreement and limits: financial thresholds, countries, traffic/payment channels, list of allowed domains.
6. Go-Live & Monitoring: activation, quality metrics, periodic reviews.
Idempotency and audit: record every decision (who, when, on what basis) and store file versions and audit results.
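One way to implement the onboarding states with idempotent, audited decisions, as an added example (not code from the original article). The state names, the allowed transitions, the idempotency key and the hash-chained log are assumptions; the chain makes later edits to a recorded decision detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Steps 1-6 above as states; names and transitions are assumptions.
ALLOWED = {
    "APPLICATION": {"CDD_CHECKS"},
    "CDD_CHECKS": {"UBO_KYC", "REJECTED"},
    "UBO_KYC": {"EDD", "AGREEMENT", "REJECTED"},
    "EDD": {"AGREEMENT", "REJECTED"},
    "AGREEMENT": {"LIVE"},
    "LIVE": {"EDD"},          # a "Review Now" event reopens the file
    "REJECTED": set(),
}
GENESIS = "0" * 64

def _digest(record):
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Onboarding:
    def __init__(self, counterparty_id):
        self.counterparty_id = counterparty_id
        self.state = "APPLICATION"
        self.audit = []        # append-only decision log
        self._by_key = {}      # idempotency key -> recorded decision

    def transition(self, key, new_state, actor, basis, doc_sha256):
        if key in self._by_key:            # replayed request: no second entry
            return self._by_key[key]
        if new_state not in ALLOWED[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not allowed")
        record = {
            "counterparty": self.counterparty_id, "from": self.state,
            "to": new_state, "actor": actor, "basis": basis,
            "doc_sha256": doc_sha256,      # version of the file relied on
            "at": datetime.now(timezone.utc).isoformat(),
            "prev": self.audit[-1]["hash"] if self.audit else GENESIS,
        }
        record["hash"] = _digest(record)
        self.audit.append(record)
        self._by_key[key] = record
        self.state = new_state
        return record

def verify_chain(audit):
    prev = GENESIS
    for record in audit:
        if record["prev"] != prev or _digest(record) != record["hash"]:
            return False
        prev = record["hash"]
    return True
```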
7) SLAs and priorities
CDD (basic package): auto-screening ≤ 15-30 min p95; manual check ≤ 8 working hours.
EDD: request/receive/review documents ≤ 2-5 working days, with status updates every 24 hours.
Rescreening (sanctions/PEP): daily quick runs; reaction to a positive match ≤ 24 hours.
Withdrawals/payouts to partners: with a "green" status - T+0/T+1; with flags - held until clarification.
SLAs vary by risk: strategic B2B - priority 1, mass affiliates - priority 2.
8) Contract and control clauses
Include in the contract:
- Obligations to provide up-to-date documents and to give notice of a change of UBO/directors/jurisdiction/bank before the changes take effect.
- Permitted geo/channels/payment methods; prohibition of fake domains, resale without consent.
- Right to periodic audit/review and to suspend payouts when red flags arise.
- Requirements for the partner's AML/KYC/KYB (policy availability, training, logs).
- Restrictions on branding/incent/unethical marketing (for affiliates).
- DPIA/data protection, sub-processors, retention periods, incident-response.
9) Continuous monitoring and review triggers
"Review Now" Events
Changed UBO/Director/Legal Address/Jurisdiction.
A sanctions/adverse-media event or court case has occurred.
Payment anomalies (CBR% growth, a spike in '05/91/96', refunds/payouts with a new bank).
Sharp increase in traffic/new domains/applications without coordination.
Player/customer complaints, regulatory complaints.
Scheduled reviews
Annually (CDD) and every 6 months for EDD cases.
Review of limits and quality KPIs once a quarter.
10) KYB for different types of counterparties
Affiliates/Traffic Partners
Focus: traffic origin, domains, social networks, advertising accounts, ban on misleading ads.
KPI: valid traffic %, CR→deposit, CBR% by segment, complaints.
Add. control: allow-list of domains/sources, click anti-fraud analytics.
White-label/Skin
Focus: licenses, payment architecture, AML/KYC policy, financial stability.
KPI: AR for payments, CBR%, fraud incidents, response rate in disputes.
Add. control: audit of 3DS/AVS/CVV logs, return policies.
Suppliers/Aggregators/Payment Providers
Focus: regulatory status, PCI DSS/SOC reports (if applicable), AoC, data access.
KPI: uptime, webhook speed, SLA responses, security incidents.
Add. control: pentest reports, key/secret management.
11) Metrics and dashboards (KPI/OKR)
Time-to-Approve (CDD/EDD), Auto-approve rate, share of manual cases.
False Positive/Negative on sanctions/PEP (quality of matches).
Chargeback rate and fraud rate by counterparty portfolio.
Share of counterparties without up-to-date documents (overdue).
Payouts on hold/average release time (by reason).
Quarterly review results: how many limits ↑/↓, how many contract terminations.
12) Anti-patterns
"One-time" check at the start without monitoring changes.
Accepting opaque UBO structures without a reasonable attempt to identify the beneficiary.
One-size-fits-all requirements for every counterparty (kills onboarding speed).
Storing unnecessary PII/documents without a purpose/retention policy.
Ignoring complaints/regulatory letters and continuing payments "as is."
No link between KYB status ↔ limits/geo/channels/payment policies.
13) Implementation checklist (short)
- KYB policy: risk levels, UBO thresholds, document list, EDD criteria.
- Onboarding questionnaire + document upload portal, electronic signature.
- Integrated screening: sanctions/PEP/adverse media (organizations and individuals).
- Verification of bank account and domain/application ownership.
- Risk scoring + threshold logic (T1/T2) and decision matrix.
- SLA by CDD/EDD/rescreening; alerts and priority queues.
- Contractual clauses: geo/channels/limits/audit/data.
- Continuous monitoring and scheduled reviews; "Review Now" triggers.
- KPI dashboards and decision audit trail; storage retention policy.
- Team training (Sales/AM/Compliance/Payments) and escalation playbooks.
14) Example of questionnaire (fragment)
Legal name, registration number, date, country, tax number.
Ownership structure (schema) and UBO with shares.
Directors/officers, AML officer contact.
Geography of operations and target markets; traffic/client sources.
Licenses and regulators; current fines/investigations?
Bank details and country of the bank; proof of ownership.
PSP/payment methods; returns/chargeback policy.
AML/KYC/KYB policies and reporting procedure.
Domains/applications/social networks (list), the right to use brands.
15) Summary
Effective KYB is not just "collecting documents" but a process of managing counterparty risk throughout the life cycle: transparent UBO, sanctions/PEP screening, risk scoring and EDD where the case calls for it, tough but predictable SLAs, live monitoring, and linking KYB status to limits, geo and payment policies. This approach reduces regulatory and payment risks, accelerates onboarding and makes monetization sustainable.