I spent a year building data pipelines for a fintech that processed business payments. The compliance team's KYB workflow was: check OFAC, check the sanctions list, maybe Google the company name, approve. They were clearing 200 applications a week and felt good about their throughput.
Then a bank examiner asked them to demonstrate how they verified the legal existence of the entities they were approving. Silence.
That's when we rebuilt the screening workflow using public records. Here's what that looks like.
Why Sanctions Screening Isn't Enough
BSA/AML compliance requires that financial institutions "know your business" -- verify that a business customer is who they claim to be, that the entity legally exists, and that the beneficial ownership structure is transparent.
Most compliance teams treat KYB as a checkbox: run the name against OFAC's SDN list and a commercial sanctions database. If nothing comes back, approve.
The problem is that shell companies, front entities, and stale registrations don't show up on sanctions lists. They show up in state filings that nobody checks.
A proper entity screening workflow pulls from multiple public sources:
- State Secretary of State filings -- Does the entity legally exist? Is it in good standing?
- SEC filings -- Is there beneficial ownership or insider transaction data?
- FDIC records -- Is the claimed bank actually FDIC-insured?
- Domain registration -- When was the company's website registered? By whom?
None of these are sanctions checks. All of them are red-flag generators that a good compliance program should be running.
Step 1: Verify Entity Registration in State Filings
The most basic KYB check -- and the one most often skipped -- is confirming the entity is registered and active in the state it claims to operate from.
Secretary of State business filings tell you:
- Entity status -- Active, Dissolved, Revoked, Suspended. A business applicant whose entity is dissolved in its home state is an immediate escalation.
- Formation date -- an entity formed last week that claims 10 years of operating history is a discrepancy worth investigating.
- Officer and registered agent information -- does it match what the applicant provided? Mismatches are a flag.
- Entity type -- LLC, Corp, LP. Does it match the application? A sole prop claiming to be a Corp is either confused or misrepresenting.
I built scrapers for the states where most business entities are registered:
- Texas SOS Business Search
- California Secretary of State
- Florida Business Filings
- New York SOS Business Search
Search by entity name or filing number. You get back status, formation date, registered agent, and officer details. Run this on every business applicant as part of intake -- it takes seconds per entity via API.
Step 2: Check SEC Filings for Ownership and Disclosure
If the entity or its parent is publicly traded, SEC filings provide a layer of verification that's hard to fabricate:
- Beneficial ownership filings (Schedule 13D/13G) -- who holds significant positions
- Insider transaction reports (Form 4) -- recent buying or selling by officers and directors
- Annual reports (10-K) -- subsidiary lists, related party transactions, legal proceedings
SEC EDGAR Company Filings Search -- search by company name or CIK. For business applicants that claim to be subsidiaries of public companies, pull the parent's 10-K and verify the subsidiary is actually listed.
This catches a specific type of fraud: entities that claim affiliation with well-known companies but have no actual relationship.
Step 3: Verify Banking Relationships with FDIC Records
If a business applicant claims to hold accounts at a specific bank, or if the applicant itself claims to be a bank or financial institution, FDIC BankFind data provides verification.
FDIC BankFind Search -- search by institution name or FDIC certificate number. Confirm the institution is active, FDIC-insured, and that the charter type matches what was represented.
This matters especially for money service businesses and payment processors that claim banking relationships as part of their compliance posture.
Step 4: Check Domain Registration History
This is the check that catches the most blatant red flags. A business applicant with a 10-year operating history whose website domain was registered 3 weeks ago is worth a conversation.
WHOIS Domain Lookup -- input the applicant's website domain. You get registration date, registrant information (when not privacy-protected), and nameserver details.
What to look for:
- Registration date vs. claimed operating history -- large gaps are a flag
- Registrant country -- if the applicant claims to be a US company but the domain is registered through a foreign registrar with privacy protection, that's context worth having
- Recent registration changes -- a domain that changed hands recently may indicate the entity was recently created or acquired
The Screening Workflow
For every business entity application:
1. State SOS check -- verify the entity exists, is active, and formation date matches the application.
2. SEC check (if applicable) -- verify any claimed public company affiliations.
3. FDIC check (if applicable) -- verify any claimed banking relationships.
4. WHOIS check -- verify domain registration date against claimed operating history.
5. Flag discrepancies for manual review. Pass clean applications.
Steps 1-4 can run in parallel via API calls. Total screening time per entity: under 30 seconds. Total cost: a few cents per entity.
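The flagging step of this workflow, as an added example (not the code from the pipeline described in this post). It assumes the four lookups have already been fetched into plain dicts; the field names, flag names and the one-year tolerance are hypothetical, and the sample records are constructed.

```python
from __future__ import annotations
import re
from datetime import date

MAX_GAP_YEARS = 1.0  # assumed tolerance between claimed history and record age

def norm(name: str) -> str:
    """Case- and punctuation-insensitive form for comparing names across sources."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def age_gap(claimed_years: float, record_date: date, today: date) -> bool:
    """True when the applicant claims materially more history than the record shows."""
    return claimed_years - (today - record_date).days / 365.25 > MAX_GAP_YEARS

def screen(app, sos, whois, parent_subs=None, fdic=None, today=None) -> list[str]:
    """Return discrepancy flags; an empty list passes, anything else goes to manual review."""
    today = today or date.today()
    flags = []
    if sos is None:  # Step 1: state registration
        flags.append("SOS_NOT_FOUND")
    else:
        if sos["status"].lower() != "active":
            flags.append("SOS_STATUS_" + sos["status"].upper())
        if age_gap(app["claimed_years"], sos["formation_date"], today):
            flags.append("FORMATION_DATE_GAP")
        if norm(sos["entity_type"]) != norm(app["entity_type"]):
            flags.append("ENTITY_TYPE_MISMATCH")
        if norm(sos["registered_agent"]) != norm(app["registered_agent"]):
            flags.append("AGENT_MISMATCH")
    # Step 2: claimed parent must list this entity among its 10-K subsidiaries
    if app.get("claimed_parent") and norm(app["legal_name"]) not in {norm(s) for s in (parent_subs or [])}:
        flags.append("PARENT_AFFILIATION_UNVERIFIED")
    if app.get("claimed_bank") and not (fdic and fdic["active"] and fdic["insured"]):
        flags.append("BANK_NOT_VERIFIED")  # Step 3: FDIC record missing or inactive
    if not whois or not whois.get("created"):  # Step 4: domain age vs. claimed history
        flags.append("WHOIS_UNAVAILABLE")
    elif age_gap(app["claimed_years"], whois["created"], today):
        flags.append("DOMAIN_AGE_GAP")
    return flags

# Constructed sample: claims 10 years of history, but entity and domain are weeks old.
TODAY = date(2024, 6, 22)
APP = {"legal_name": "Northgate Freight Holdings, LLC", "entity_type": "LLC",
       "registered_agent": "Jane Q. Example", "claimed_years": 10,
       "claimed_parent": "Example Public Corp", "claimed_bank": "First Example Bank"}
SOS = {"status": "Active", "formation_date": date(2024, 5, 20),
       "entity_type": "LLC", "registered_agent": "JANE Q EXAMPLE"}
WHOIS = {"created": date(2024, 6, 1)}
SUBS = ["Northgate Freight Holdings LLC", "Other Example Sub Inc"]
FDIC = {"active": True, "insured": True}
print(screen(APP, SOS, WHOIS, SUBS, FDIC, TODAY))
```

A lookup that returns nothing is itself flagged rather than treated as clean, so a failed scrape or a privacy-protected WHOIS record routes the application to manual review instead of passing it.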
This doesn't replace sanctions screening. It supplements it with the kind of entity verification that examiners actually ask about -- and that most compliance programs skip until it's too late.