FIGHT AGAINST FRAUD

KYS (Know Your Supplier): the practical guide to verifying your suppliers

KYS covers all the checks that ensure a supplier is reliable: identity, financial health, compliance and bank details. Here is how to structure the process, from onboarding to continuous monitoring.

TRY IBANTRACK

Verify the owner
of a bank account
in a few seconds.

Direct bank inquiry.
International coverage.

Start free trial ->

Key takeaways:

  • KYS (Know Your Supplier) means verifying the identity, legitimacy and bank details of your suppliers, at onboarding and throughout the relationship.
  • It combines three levels of control: identity, compliance, bank details. The last one is the only check that directly blocks a payment diversion.
  • An effective KYS process covers the entire supplier lifecycle and remains workable at scale: automated checks for the bulk of the supplier base, enhanced due diligence for critical suppliers.

What is KYS (Know Your Supplier)?

KYS, or Know Your Supplier, is the process by which a company verifies the identity, legitimacy and reliability of its suppliers before working with them, and then throughout the business relationship.

The term echoes KYC (Know Your Customer), the regulatory obligation financial institutions have towards their clients. KYS applies the same logic in the other direction: it covers the third parties you send money to: suppliers, subcontractors, service providers. The distinction matters: your outgoing payments carry a direct risk of diversion, even though KYS is not, for most companies, a legal obligation as such.

In practice, KYS answers three questions: does this company really exist? Is it reliable and financially sound? And does the bank account it provided actually belong to it?

Why KYS has become essential

Payment fraud, starting with vendor fraud, remains the number one fraud affecting businesses. Three shifts explain why the topic has moved up the priority list of finance and procurement teams:

Document forgery has become industrial. A bank statement, a registry extract or an invoice can be forged in minutes with AI tools available to anyone. A perfectly authentic-looking document no longer proves anything.

Fraudsters target the payment chain, not the systems. Rather than hacking an ERP, it is easier to impersonate an existing supplier and get their bank details changed through a convincing email. The exploited weakness is human and organisational.

On the supplier bases our clients clean up, we find an average of 17% anomalies, ranging from simple format errors to genuine mismatches on the account holder. The rate varies with how well the base has been maintained and the controls applied in the past, and not every anomaly signals fraud: many simply cause payment disruptions, failed or rejected transfers.

On top of the financial stakes, the regulatory framework keeps tightening: duty of vigilance for large companies, AML obligations for regulated sectors, international sanctions screening, and growing expectations from auditors on the quality of the supplier master data. Third-party bank detail controls are now a standard checkpoint in procurement and treasury audits.

What should you verify? The three levels of control

1. Company identity

The foundation: verifying that the company legally exists and that your contact is authorised to represent it. In practice: registration number and registry extract (or national equivalent), address, directors, beneficial owners for sensitive cases, and consistency between the contact person and the company they claim to represent. This information should be cross-checked against official registers, not only against the documents provided by the supplier itself.

2. Financial health and compliance

Depending on the supplier's criticality: solvency, ongoing insolvency proceedings, presence on sanctions lists, reputation. This level is essential for strategic suppliers, those whose failure would halt your operations, and can remain lighter for the rest. It keeps the effort focused on high-stakes suppliers.

3. The bank account holder

This is the control most directly linked to fraud, and the most frequently neglected. Verifying that the IBAN provided really belongs to the supplier company is the only check that physically blocks a payment diversion: all the others can be defeated with forged documents, this one cannot, provided it relies on querying the bank rather than checking a format or a document.

This check must happen at three moments: at supplier onboarding, at every change of bank details (the most frequent fraud scenario), and during clean-up campaigns on the existing supplier base.

How to implement a KYS process: 4 steps

Step 1: Map and segment your supplier base

Not all suppliers carry the same risk. Segmentation follows the classic third-party risk axes: payment volumes, operational criticality, geographic and sector exposure. It lets you scale the effort: automated checks for the long tail of the base, enhanced due diligence for strategic or sensitive suppliers. This is what makes the process sustainable at scale.

Step 2: Define mandatory checks per segment

For each segment, set the list of verifications required before the first payment. The non-negotiable, whatever the segment: verifying the IBAN holder. It is the control with the best protection-to-effort ratio: a few seconds per check to close the door on the most common fraud scenario.

Step 3: Build the checks into the workflow

A control that relies on individual vigilance survives neither workload peaks nor team turnover. Verifications must be built into the process: supplier record creation blocked until checks are passed, segregation of duties and four-eyes validation for any change of bank details, and API automation in the ERP or procurement system when volumes justify it.

In the processes we observe among our clients, the weak link is rarely the onboarding of a new supplier: it is the change of bank details handled urgently on a payment run day. The fraudster impersonates a known supplier, which lowers the guard. Record creation still needs systematic control: posing as a new supplier requires no knowledge of the targeted company, which makes it the easiest fraud to set up.

Step 4: Monitor over time

KYS does not stop at onboarding. Two mechanisms cover most of the need: a systematic check at every change of bank details, and a periodic re-verification of active suppliers, for example an annual campaign on the full base, which can be run in bulk with the right tools.

The 3 mistakes that make a KYS ineffective

Mistake #1: relying entirely on documents. Registry extracts, bank statements, certificates: these documents are necessary but do not constitute verification. They state information, they do not prove it, and they can be forged in minutes. A KYS built solely on document collection is a facade.

Mistake #2: checking at onboarding, then never again. Most vendor fraud exploits the modification of an existing supplier, not its creation. A process that does not lock down bank detail changes protects the front door while leaving the window open.

Mistake #3: a process that is exhaustive on paper, unworkable at scale. A framework designed for the in-depth due diligence of a few strategic suppliers does not hold up against a base of several thousand active third parties. Without automating the high-volume checks, starting with bank detail verification, the process degrades into sampling, and the net widens exactly where fraud slips through.

Which tools for your KYS?

For identity and financial health, official registers and business data providers cover most of the need.

For verifying the bank account holder, the decisive control, the most reliable method is querying the bank that holds the account directly: you submit the IBAN and the supplier's name, and the bank confirms or denies the match, in real time. This is what a supplier bank account verification solution like Ibantrack provides: one-off checks via a web portal, bulk verification of an existing base, or API automation, across the entire Eurozone, without involving the supplier.

For a base of several hundred or several thousand suppliers, verification runs in bulk: an initial clean-up campaign on the base, then ongoing checks on creations and modifications, via portal or API.

To compare all the methods for verifying an account holder, see our guide: How to verify a bank account owner: the 5 methods.

Frequently asked questions

What is the difference between KYS, KYC and KYB?

KYC (Know Your Customer) refers to verifying your customers, a regulatory obligation for banks and insurers. KYB (Know Your Business) is its variant applied to business customers. KYS (Know Your Supplier) applies the same logic to your suppliers, with one major difference: it primarily protects your outgoing payments, whereas KYC responds to legal obligations.

Is KYS mandatory?

For most companies, no: it is a protective measure, not an obligation. Large companies and regulated sectors are indirectly bound (duty of vigilance, AML, sanctions), and auditors increasingly scrutinise supplier master data quality. But the primary stake remains financial: preventing payment diversions.

What is the most important check in a KYS process?

Verifying the bank account holder, because it is the only one that directly blocks a diversion of funds. A company can be perfectly registered and solvent: if the IBAN stored in your system belongs to a fraudster, all the other checks will have been useless.

How do you scale a KYS process to a base of several thousand suppliers?

Through segmentation and automation: in-depth due diligence reserved for strategic and sensitive suppliers, systematic automated checks for the entire base. Bank detail verification, which can run in bulk and via API, belongs to the checks that can be automated across the full base, whatever the volume.

How do you verify a supplier's IBAN?

The most reliable method is querying the bank that holds the account directly: it confirms in real time that the IBAN belongs to the supplier company. Unlike document checks, it relies on no forgeable document and requires no action from the supplier.

Conclusion

KYS is not one more constraint: it is the most direct protection against the number one fraud affecting businesses. Three principles make it effective and sustainable: segment to scale the effort, lock down changes of bank details, and base account verification on bank queries rather than documents.

This is exactly what Ibantrack enables: verifying the IBAN holder of your suppliers, within seconds, directly with the bank, one by one, in bulk or via API. Try it for free or discover our supplier bank account verification solution.

Related articles