Know Your Supplier (KYS): Vendor Verification and Compliance Guide
Complete guide to Know Your Supplier (KYS): legal obligations under UK MLR, FCA rules, and supply chain legislation, plus practical steps to verify vendors in 2026.

Know Your Supplier (KYS) refers to the structured due diligence process organisations apply to their vendors, contractors, and supply chain partners before and throughout a commercial relationship. Borrowed from financial services' Know Your Customer (KYC) framework, KYS has become a standalone compliance discipline driven by UK and EU supply chain legislation. For UK businesses, the Modern Slavery Act 2015, the Bribery Act 2010, and the Money Laundering Regulations 2017 (MLR 2017) together create a layered obligation to scrutinise third parties.
Supplier fraud is a growing threat: according to UK Finance's Annual Fraud Report 2025, authorised push payment (APP) fraud losses linked to false supplier scams exceeded £250 million in 2024. A structured KYS programme is one of the most effective controls to close this exposure.
What KYS Covers and Why It Is Required in the UK
A robust KYS programme addresses three risk dimensions: legal identity (company number, registered address, beneficial ownership), financial standing (credit profile, insolvency checks), and regulatory reputation (sanctions lists, adverse media, PEP connections).
The UK Modern Slavery Act 2015 requires commercial organisations with an annual turnover of £36 million or more to publish an annual transparency statement setting out steps taken to ensure their supply chain is free from modern slavery. Failure to publish a compliant statement is enforced by the Home Office and can result in civil penalties under the Modern Slavery Act statutory guidance.
The Bribery Act 2010 creates corporate criminal liability for organisations that fail to prevent bribery by associated persons, which includes suppliers and sub-contractors. The only defence is demonstrating "adequate procedures", which explicitly requires third-party due diligence proportionate to the assessed risk (Ministry of Justice guidance, Section 5).
MLR 2017 (as amended by MLR 2019 and MLR 2022) imposes KYS-equivalent obligations on regulated firms: under Regulation 28, enhanced customer due diligence applies to high-risk third parties, and Regulation 19 requires ongoing monitoring of business relationships.
| Legislation | Applies to | Key KYS obligation |
|---|---|---|
| Modern Slavery Act 2015 | Turnover ≥ £36m | Annual supply chain transparency statement |
| Bribery Act 2010 | All UK commercial organisations | Adequate procedures including supplier due diligence |
| MLR 2017 (as amended) | FCA-regulated firms | EDD for high-risk third parties, ongoing monitoring |
| Economic Crime (Transparency & Enforcement) Act 2022 | Companies with UK real estate | Beneficial ownership registration |
The 5-Step KYS Verification Process
Step 1: Document collection. Before engaging a new supplier, request: a Companies House certificate of incorporation (verify at find-and-update.company-information.service.gov.uk), VAT registration number, most recent filed accounts, a list of persons with significant control (PSC register), and bank account details with a void cheque or bank confirmation letter.
Step 2: Identity and registration verification. Cross-check the company number against Companies House to confirm active status, filing history, and registered office. For overseas suppliers, use the equivalent national registry. For sole traders and partnerships, verify identity documents against HMRC's guidance on acceptable ID.
Step 3: Sanctions and PEP screening. Mandatory for FCA-regulated entities under MLR 2017; recommended best practice for all commercial organisations. Screen against the HM Treasury Consolidated Sanctions List, EU sanctions, UN Security Council lists, and the OFAC SDN list for US-dollar transactions. The Office of Financial Sanctions Implementation (OFSI) provides guidance on obligations under UK sanctions regulations post-Brexit.
Step 4: Adverse media and ESG screening. Run structured adverse media checks covering corruption, labour violations, and environmental incidents. For supply chains with sustainability reporting obligations under the Companies Act 2006 (Strategic Report Regulations 2018) or CSRD (for large UK-listed entities), integrate an ESG questionnaire aligned with ISO 20400:2017 (Sustainable Procurement).
Step 5: Ongoing monitoring. Configure automated alerts for Companies House filings (director changes, filing defaults), insolvency filings via the Insolvency Service, and sanctions list updates. Critically, any request to change bank details must trigger immediate re-verification through an independent channel, never via a reply to the requesting email.
False Supplier Fraud: The Most Common KYS Failure Point
Users on compliance and procurement forums consistently raise the same question: "How do we safely validate a bank account change request from a supplier?"
Three operational controls prevent most false supplier fraud:
- Callback verification. When receiving any bank detail change request by email, call back the supplier on the phone number registered in your ERP system, not a number provided in the email.
- Dual authorisation. Any bank detail modification must be approved by two separate staff members, one of whom should be from finance or treasury.
- Automated IBAN/account validation. Use an automated bank account verification service that cross-references account holder identity against legal entity data. CheckFile's multi-layer document verification approach supports this cross-referencing across more than 3,200 document types in 32 jurisdictions.
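As an added illustration (not CheckFile's code or the page's own), the following Python encodes the callback, dual-authorisation and change-logging controls described above and in Step 5 as one policy check over a bank-detail change request. The ERP record, phone numbers, approver names and the 8-digit UK account-number format gate are constructed assumptions; the account-holder match against legal-entity data is left to an external service.

```python
import re
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    supplier_id: str
    new_account_number: str
    callback_number_used: str  # number finance actually dialled
    callback_confirmed: bool   # supplier confirmed the change on that call
    approvers: tuple           # (user_id, department) pairs
    requested_on: str          # ISO date of the request

def evaluate_change(erp: dict, req: ChangeRequest) -> dict:
    """Apply the callback, dual-authorisation and format controls to one request;
    return the decision plus a compliance-file log entry recording every reason."""
    record = erp.get(req.supplier_id)
    if record is None:
        return {"approved": False, "reasons": ["unknown supplier"], "log": None}
    reasons = []
    # Control 1: callback to the ERP-registered number, never one from the email
    if req.callback_number_used != record["phone"]:
        reasons.append("callback not made to ERP-registered number")
    if not req.callback_confirmed:
        reasons.append("change not confirmed by supplier on callback")
    # Control 2: two distinct approvers, at least one from finance or treasury
    ids = {uid for uid, _ in req.approvers}
    depts = {dept for _, dept in req.approvers}
    if len(ids) < 2:
        reasons.append("fewer than two distinct approvers")
    if not depts & {"finance", "treasury"}:
        reasons.append("no finance or treasury approver")
    # Control 3, format gate only (assumed 8-digit UK account number); matching
    # the account holder to the legal entity is left to an external service
    if not re.fullmatch(r"\d{8}", req.new_account_number):
        reasons.append("account number is not 8 digits")
    approved = not reasons
    log = {"supplier_id": req.supplier_id, "date": req.requested_on,
           "old": record["account"], "new": req.new_account_number,
           "approvers": sorted(ids), "callback_to": req.callback_number_used,
           "outcome": "approved" if approved else "rejected", "reasons": reasons}
    if approved:
        record["account"] = req.new_account_number  # ERP changes only after all controls pass
    return {"approved": approved, "reasons": reasons, "log": log}

# Constructed ERP record and two requests: one spoofed, one that passes every control
ERP = {"SUP-001": {"phone": "+44 20 7946 0000", "account": "12345678"}}
SPOOFED = ChangeRequest("SUP-001", "87654321", "+44 20 7946 9999", True,
                        (("alice", "procurement"), ("alice", "procurement")), "2026-06-01")
COMPLIANT = ChangeRequest("SUP-001", "87654321", "+44 20 7946 0000", True,
                          (("alice", "procurement"), ("bob", "finance")), "2026-06-01")
```

The rejected request keeps every failed control in its log entry, which is the evidence the compliance file section below asks for.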
As of June 2026, the Financial Conduct Authority's APP fraud reimbursement rules (Mandatory Reimbursement Requirement, effective October 2024) require Payment Service Providers to reimburse victims of authorised push payment fraud up to £85,000. This regulatory shift creates a direct financial incentive for both payers and PSPs to implement robust payee verification, including KYS checks for business payments.
For a broader view of supplier document fraud patterns, see our analysis of document fraud statistics and trends.
KYS vs KYC vs KYB: Clarifying the Distinctions
All three frameworks address third-party risk but target different relationships:
- KYC (Know Your Customer): Obligatory for FCA-regulated firms under MLR 2017. Covers customer identity, beneficial ownership, and ongoing transaction monitoring.
- KYB (Know Your Business): Applied during B2B customer onboarding to verify a business entity's legal existence, ownership, and compliance standing. See our KYB onboarding guide.
- KYS (Know Your Supplier): Applied to vendors and sub-contractors, covering supply chain risk, anti-bribery compliance, and modern slavery obligations. Not limited to regulated industries.
An integrated third-party risk management (TPRM) programme brings all three together under a single framework, typically managed by the Compliance, Legal, and Procurement functions jointly.
Building a KYS Compliance File
Under the Bribery Act 2010, the "adequate procedures" defence requires documented evidence. A compliant KYS file should include:
- Copies of all documents collected (with collection dates)
- Results of sanctions, PEP, and adverse media screens (with provider and date)
- Identity of the persons who conducted and approved the verification
- A log of all bank detail changes with supporting verification evidence
- Annual review records for active suppliers
Retention: the FCA's record-keeping requirement under MLR 2017 Regulation 40 specifies five years from the end of the business relationship. The Bribery Act provides no specific retention period, but the Ministry of Justice guidance recommends aligning with the firm's general document retention policy (typically 6–7 years).
CheckFile stores all verification records in a tamper-evident audit trail compliant with ISO 27001, supporting your compliance file requirements without additional manual effort. View pricing plans for supplier verification workflows.
Frequently Asked Questions
Does KYS apply to small UK businesses?
The Modern Slavery Act turnover threshold (£36m) excludes most SMEs from mandatory transparency statement obligations. However, any organisation subject to the Bribery Act 2010, which applies to all UK companies regardless of size, should maintain proportionate supplier due diligence as part of their "adequate procedures" defence.
How do I verify a supplier's beneficial ownership in the UK?
The Companies House Persons with Significant Control (PSC) register is publicly searchable at find-and-update.company-information.service.gov.uk. For limited partnerships and LLPs, similar disclosure requirements apply following the Economic Crime and Corporate Transparency Act 2023.
What is the difference between a supplier audit and KYS?
A supplier audit typically covers operational performance, quality standards, and contractual compliance. KYS focuses specifically on legal identity, financial standing, beneficial ownership, and regulatory risk (sanctions, bribery, modern slavery). Both can form part of a comprehensive vendor management framework, but they address different risk dimensions.
How often should we renew supplier verification?
Best practice is annual re-verification for all active suppliers, plus immediate re-verification at any triggering event: director or ownership changes, bank detail modifications, contract renewals, or adverse media alerts. High-risk suppliers (sensitive sectors, high-risk jurisdictions per FATF classifications) warrant continuous monitoring.
What should we do if a supplier fails a KYS check?
Document the findings, escalate to senior management and legal counsel, and apply a risk-based decision: enhanced due diligence for borderline cases, suspension of payments pending clarification for banking anomalies, and termination of the relationship for confirmed sanctions breaches. In the latter case, report to the National Crime Agency (NCA) via a Suspicious Activity Report (SAR) under POCA 2002 if there is knowledge or suspicion of money laundering.
This article is for informational purposes only and does not constitute legal advice. Regulatory obligations vary by sector, company size, and transaction type. Consult qualified legal counsel for advice specific to your circumstances.