TL;DR: Terminology mismatches between compliance vendors cause real integration failures. This glossary defines 47 KYB terms your compliance team actually uses, organised by workflow stage, with enough regulatory context to stop you shipping broken configurations. Bookmark it. You will need it.
Three weeks lost to a string mismatch
A compliance team we work with spent three weeks debugging a KYB workflow failure last year. Alerts were firing on every single entity check. The root cause was not a code defect. Their sanctions provider and their entity verification vendor used the term "enhanced screening" to mean completely different things. One meant risk-scored PEP matching. The other meant document-level verification with source-of-funds checks. The integration layer treated them as interchangeable. They were not.
This is not an edge case. Now that technology handles 100% of identity checks and transaction monitoring in modern KYB frameworks, inconsistent terminology does not just confuse people. It breaks pipelines.
I have compiled the 47 terms that actually come up in implementation conversations, mapped to the regulations that mandate them and the workflow stages where they matter. If you are building compliance integrations, or configuring a platform that orchestrates multiple providers, this is the reference you keep open in a tab.
Core entity and identity terms
These are the foundations. Get these wrong and every downstream check inherits the confusion.
1. Know Your Business (KYB)
The process of verifying the legitimacy of a company before entering a business relationship. Distinct from KYC, which focuses on individuals. KYB covers entity existence, ownership structure, regulatory status, and risk profile.
2. Know Your Customer (KYC)
Identity verification for individuals. In a KYB context, KYC applies to the natural persons behind the entity: directors, shareholders, UBOs.
3. Ultimate Beneficial Owner (UBO)
The natural person who ultimately owns or controls the legal entity. Most jurisdictions set a threshold (commonly 25%) above which a person must be identified and verified. Getting UBO identification wrong is one of the fastest ways to fail an audit.
4. Legal Entity Identifier (LEI)
A 20-character alphanumeric code assigned to legal entities participating in financial transactions. Useful for unambiguous entity resolution across data sources.
5. Corporate Registry
The government-maintained database where companies are incorporated and file statutory documents. In the UK, that is Companies House. Under ECCTA 2023, March 2026 reports show companies expanding digital verification services to integrate directly with these registries at scale.
6. Authorised Signatory
An individual with legal authority to sign documents and enter agreements on behalf of the entity. Not always the same as a director or UBO.
7. Nominee Shareholder
A person or entity holding shares on behalf of the real owner. Nominee structures are not inherently suspicious, but they require deeper investigation to identify the true beneficial owner.
8. Shell Company
A legal entity with no active business operations or significant assets. Often legitimate (holding structures, SPVs), but a common vehicle for money laundering when layered.
9. Person of Significant Control (PSC)
UK-specific term for individuals who hold significant influence or control over a company. Filed with Companies House and a key data point in any UK-focused KYB workflow.
10. Certificate of Incorporation
The official document confirming that a company has been legally registered. The starting point for entity verification.
11. Articles of Association
The internal rules governing a company's operations. Relevant for KYB because they define decision-making authority and share structures.
Due diligence terms
This is where most terminology confusion lives. The gap between CDD and EDD is not academic. It maps directly to different API calls, different data requirements, and different regulatory obligations.
12. Customer Due Diligence (CDD)
The standard verification of customer and beneficial owner identities before establishing a business relationship. Mandated by UK MLR 2017 Regulation 27, which covers core KYB entity checks. CDD is your baseline.
13. Enhanced Due Diligence (EDD)
Additional checks triggered by high-risk scenarios. Under MLR 2017 Regulation 33, high-risk clients like PEPs trigger mandatory EDD procedures. EDD is not "more CDD". It involves different data sources, different risk thresholds, and different approval workflows. Teams that conflate CDD and EDD waste time running the wrong checks on the wrong entities.
14. Simplified Due Diligence (SDD)
Reduced checks permitted for demonstrably low-risk situations. Rare in practice, because most compliance teams default to CDD as a safety net.
15. Source of Funds (SoF)
Verification of where the money in a transaction originates. A core EDD requirement.
16. Source of Wealth (SoW)
Verification of how the individual or entity accumulated their overall wealth. Broader than SoF and typically required for high-net-worth or PEP-connected entities.
17. Risk Assessment
A written evaluation of money laundering and terrorist financing risks, required under MLR 2017 Regulation 21. This is not a one-time exercise. It should inform every configuration decision in your compliance platform.
18. Risk Appetite
The level of risk an organisation is willing to accept. Defined by the business, not the regulator. Your risk appetite determines your CDD/EDD thresholds, your screening sensitivity, and your auto-approve criteria.
19. Risk Scoring
The algorithmic or rule-based assignment of a risk level to an entity based on multiple data points. The output of risk scoring determines whether the entity proceeds through CDD or escalates to EDD.
Screening and monitoring terms
Screening is where multi-vendor terminology gaps cause the most integration damage. ComplyAdvantage, Sumsub, and other providers use varying definitions for the same concepts, creating training complications and configuration errors for teams using multiple vendors.
20. Politically Exposed Person (PEP)
An individual who holds or has held a prominent public function. PEP status is a primary trigger for EDD. Modern frameworks automate 100% of PEP screening, but the definition of "prominent public function" varies by jurisdiction and provider.
21. Sanctions Screening
Checking entities and individuals against government-maintained sanctions lists (OFAC, EU, UN, UK HMT). A hard block: sanctioned entities cannot be onboarded. Period.
22. Adverse Media Screening
Searching news and media sources for negative information about an entity or its connected persons. Sometimes called "negative news screening". The scope and freshness of media sources vary significantly between providers.
23. Watchlist
A consolidated list of sanctioned individuals, entities, and PEPs maintained by a screening provider. Not the same as a government sanctions list; watchlists aggregate multiple source lists.
24. Fuzzy Matching
An algorithm that returns results for approximate, not just exact, name matches. Essential for catching transliterated names, aliases, and misspellings. Also the primary driver of false positives.
25. False Positive
A screening alert that, upon investigation, does not represent an actual match. Industry data consistently shows false positives are the dominant compliance cost driver. Reducing them without increasing false negatives is the core screening optimisation problem.
26. True Positive
A screening alert that, upon investigation, confirms an actual match. The signal in the noise.
27. Ongoing Monitoring
Continuous review of business relationships to ensure data currency and transaction alignment with risk profiles. Mandated by UK MLR 2017 Regulation 28. Not a periodic review. Ongoing means ongoing: triggered by events, not calendars.
28. Transaction Monitoring
Automated analysis of financial transactions to detect patterns indicative of money laundering, terrorist financing, or fraud. Runs continuously and generates alerts for analyst review.
29. Threshold-based Alerts
Alerts triggered when a transaction exceeds a predefined value or frequency. Simple, high false-positive rate, but still a regulatory expectation.
30. Suspicious Activity Report (SAR)
A formal report filed with the relevant Financial Intelligence Unit (FIU) when suspicious activity is detected. In the UK, filed with the NCA. Non-negotiable obligation with strict timelines.
Workflow and orchestration terms
This is where implementation meets regulation. If you are building or configuring compliance workflows, these terms map directly to your architecture decisions.
31. Workflow Orchestration
The coordination of multiple compliance checks (identity, screening, risk scoring, document verification) into a single, sequenced flow. This is the layer where terminology consistency matters most, because orchestration platforms must translate between different provider vocabularies. It is the exact problem that leads teams to platforms like Zenoo, which unify different provider terminologies into a consistent framework.
32. Multi-vendor Integration
Connecting two or more third-party compliance providers into a single workflow. The source of most terminology confusion, because each vendor defines and labels their checks differently.
33. API Orchestration
Using APIs to sequence and coordinate calls to multiple compliance services. Distinct from simple API integration because orchestration involves conditional logic, error handling, and data mapping between providers.
34. Decisioning Engine
The rules or ML-based system that takes inputs from screening, verification, and scoring and produces a pass/fail/refer outcome. The final step before an entity is onboarded or escalated.
35. Case Management
The system for tracking, investigating, and resolving compliance alerts and escalations. Where analysts spend most of their time.
36. Audit Trail
A complete, timestamped record of every check, decision, and action taken during a compliance process. MLR 2017 Regulation 40 requires 5-year record retention, meaning your audit trail must be durable, immutable, and queryable for at least five years after the business relationship ends.
37. Four-eyes Principle
A control requiring two independent reviewers to approve high-risk decisions. Common in EDD workflows and SAR filing.
38. Straight-through Processing (STP)
An entity passes all checks and is onboarded without manual intervention. The goal for low-risk entities. Your STP rate is one of the best indicators of how well your workflow is configured.
39. Manual Review Queue
The backlog of entities that failed STP and require human analyst investigation. The size of this queue is directly proportional to your false positive rate and your screening sensitivity settings.
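How several of the terms above (risk scoring, the sanctions hard block, EDD escalation, four-eyes, STP) can fit together in a decisioning step, as an added example rather than any platform's code. The 0-100 score scale, the threshold of 70, the single-reviewer rule for CDD referrals and the rule that a submitter cannot review their own case are assumptions.

```python
from dataclasses import dataclass, field

EDD_SCORE_THRESHOLD = 70  # assumed value on an assumed 0-100 scale; derive yours from risk appetite

@dataclass
class Screening:
    sanctions_confirmed: bool   # true positive after investigation, not a raw alert
    pep_confirmed: bool
    open_alerts: int            # fuzzy-match alerts not yet investigated
    risk_score: int

@dataclass
class Case:
    entity_id: str
    track: str                  # "CDD" or "EDD"
    outcome: str                # "pass", "fail" or "refer"
    approvals: set = field(default_factory=set)

def decide(entity_id: str, s: Screening) -> Case:
    track = "EDD" if s.pep_confirmed or s.risk_score >= EDD_SCORE_THRESHOLD else "CDD"
    if s.sanctions_confirmed:
        return Case(entity_id, track, "fail")    # hard block: no approval path exists
    if track == "EDD" or s.open_alerts:
        return Case(entity_id, track, "refer")   # lands in the manual review queue
    return Case(entity_id, track, "pass")        # straight-through processing

def approve(case: Case, reviewer: str, submitted_by: str) -> str:
    """Record an approval. EDD needs two distinct reviewers (four-eyes); CDD needs one."""
    if case.outcome != "refer":
        raise ValueError("only referred cases can be approved")
    if reviewer == submitted_by:
        raise PermissionError("the submitter cannot review their own case")
    case.approvals.add(reviewer)                 # a set, so a repeat approval does not count twice
    needed = 2 if case.track == "EDD" else 1
    if len(case.approvals) >= needed:
        case.outcome = "pass"
    return case.outcome

def stp_rate(cases: list) -> float:
    """Share of cases that passed with no human approval at all."""
    if not cases:
        return 0.0
    return sum(c.outcome == "pass" and not c.approvals for c in cases) / len(cases)
```

Because a failed case is never in the "refer" state, `approve` cannot be used to override a confirmed sanctions match.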
Regulatory and framework terms
These are the three critical regulations that come up in almost every KYB implementation conversation, plus the broader frameworks they sit within.
40. MLR 2017 Regulation 27
The UK regulation mandating core KYB entity checks, including CDD. The starting point for any UK-focused compliance workflow.
41. MLR 2017 Regulation 33
The risk escalation regulation. Triggers mandatory EDD procedures for high-risk clients, including PEPs. A clear understanding of the risk threshold terminology in Reg 33 is essential for correct workflow configuration.
42. MLR 2017 Regulation 47
Requires firms to maintain documented policies, controls, and procedures for mitigating ML/TF risks. This is the regulation that demands procedure standardisation, and it is the regulatory basis for having a consistent glossary in the first place.
43. MLR 2017 Regulation 40
The 5-year record retention requirement. Every check, every assessment, every record: retained for at least five years post-relationship.
44. MLR 2017 Regulation 28
Mandates ongoing monitoring. Not periodic. Ongoing. Your platform configuration must reflect this.
45. ECCTA 2023 (Economic Crime and Corporate Transparency Act)
UK legislation that expands Companies House verification powers and introduces new identity verification requirements for directors and PSCs. March 2026 reports show this is driving significant expansion of digital verification services.
46. FATF Recommendations
The 40 recommendations from the Financial Action Task Force that form the global baseline for AML/CFT frameworks. Most national regulations (including MLR 2017) are implementations of FATF guidance.
47. AML Directive (AMLD)
The EU's Anti-Money Laundering Directives. Currently on the sixth iteration (6AMLD). Relevant for UK firms with EU clients or operations, and a common source of cross-jurisdictional terminology differences.
Why this glossary exists as a technical problem
The head of compliance engineering at a UK challenger bank put it to us this way: "We spent more time in the first quarter mapping field names between providers than we did writing business logic. Every vendor calls the same check something different, and our orchestration layer has to translate all of it."
That is not a training problem. It is an architecture problem. When your sanctions provider calls something "enhanced screening" and your entity verification vendor uses the same label for a completely different process, your integration layer needs an explicit mapping. And that mapping needs to be maintained, versioned, and tested.
With technology now handling 100% of PEP and sanctions screening in modern frameworks, inconsistent terminology does not just slow down onboarding. It corrupts your automated decisioning. A misconfigured label means the wrong check runs, the wrong risk score is assigned, and the wrong decision is made. All without a human ever seeing the error.
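One way to make that mapping explicit, versioned and testable, as an added example (not Zenoo's or any vendor's code). The provider names, canonical check names and version string are hypothetical, and an unmapped label is rejected rather than guessed.

```python
from enum import Enum

MAPPING_VERSION = "1.0.0"  # constructed; bump on every change and store it with each result

class Check(Enum):
    PEP_RISK_SCORED = "pep_risk_scored_matching"
    DOC_VERIFICATION_SOF = "document_verification_with_source_of_funds"
    SANCTIONS = "sanctions_screening"

# (provider, normalised label) -> canonical check. Provider names are hypothetical.
LABEL_MAP = {
    ("sanctions_vendor", "enhanced screening"): Check.PEP_RISK_SCORED,
    ("entity_vendor", "enhanced screening"): Check.DOC_VERIFICATION_SOF,
    ("sanctions_vendor", "sanctions screening"): Check.SANCTIONS,
}

class UnmappedLabel(Exception):
    """Raised instead of guessing when a provider sends a label we have not mapped."""

def normalise(label: str) -> str:
    return " ".join(label.casefold().split())

def resolve(provider: str, label: str) -> Check:
    """Look up by provider AND label; the label alone is never a key."""
    try:
        return LABEL_MAP[(provider, normalise(label))]
    except KeyError:
        raise UnmappedLabel(f"{provider!r} sent unmapped label {label!r}") from None

def translate_result(provider: str, payload: dict) -> dict:
    """Turn a vendor result into a canonical record that names the mapping version used."""
    return {
        "check": resolve(provider, payload["check"]).value,
        "outcome": payload["outcome"],
        "provider": provider,
        "mapping_version": MAPPING_VERSION,
    }

def ambiguous_labels(label_map: dict) -> list:
    """Labels that resolve to different checks depending on the provider."""
    by_label = {}
    for (_provider, label), check in label_map.items():
        by_label.setdefault(label, set()).add(check)
    return sorted(label for label, checks in by_label.items() if len(checks) > 1)
```

Running `ambiguous_labels(LABEL_MAP)` as a test in CI lists every label that two vendors use differently, which is the set of strings downstream logic must never branch on directly.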
Keeping this useful
Bookmark this page. Share it with your compliance team and your engineering team. When you are configuring a new provider integration or debugging a workflow that is producing unexpected results, check the definitions here against what your vendors actually mean.
If you are building compliance flows that orchestrate multiple providers, check out zenoo.com. It is built to solve exactly the terminology and orchestration problem this glossary documents.
30 minutes. Your data. No slides.
Stuart Watkins is CEO of Zenoo, the compliance orchestration platform for fintechs and regulated businesses.