KYS (Know Your Supplier): Complete Guide to Verifying and Securing Your Suppliers
21.04.2026
KYS, or Know Your Supplier, is the process by which an organisation systematically verifies the identity, legitimacy and reliability of its suppliers before entering into a commercial relationship with them. While KYC applies to individual customers and KYB to business customers, KYS focuses on the other end of the chain: your suppliers, subcontractors and service providers, to whom your outgoing payments are directed.
In 2025, supplier-related fraud cost European businesses more than €3.5 billion, according to estimates from the Association of Certified Fraud Examiners (ACFE). These losses stem from practices ranging from the creation of fictitious suppliers to falsified bank account details (IBAN), through to sophisticated shell company structures. Faced with this risk, a rigorous KYS process is no longer optional for organisations managing significant volumes of outgoing payments.
What is KYS?
KYS is a set of due diligence procedures applied to your suppliers. Its purpose is to answer simple but critical questions: does this supplier exist as a legal entity? Are they genuinely who they claim to be? Do the bank account details they provided actually belong to them?
Unlike KYB, which is primarily aimed at assessing the regulatory risk of a business customer, KYS is more focused on preventing financial fraud and managing operational risk. It covers three main dimensions: verifying the supplier's legal identity, authenticating their bank account details, and continuously assessing risk throughout the commercial relationship.
KYS also sits within a clear regulatory framework. The UK Bribery Act, the EU Anti-Money Laundering Directives (AMLD), the Corporate Sustainability Due Diligence Directive (CSDDD) and the Corporate Sustainability Reporting Directive (CSRD) all impose obligations on organisations to assess their commercial partners and supply chains. For entities subject to AML/CFT obligations, due diligence requirements apply equally to outgoing payment flows.
Supplier Fraud Typologies
Supplier fraud takes many forms. Understanding its most common manifestations is the first step towards effective protection.
Fictitious supplier fraud is one of the most widespread. A fraudster creates a fictitious entity or impersonates a legitimate supplier in order to submit fraudulent invoices. By exploiting weak validation processes, they succeed in getting paid for services that were never rendered. In 2024, Euler Hermes estimated that this form of fraud accounted for 30% of internal fraud losses across European businesses.
Bank account detail fraud (IBAN hijacking) is perhaps the most sophisticated. An attacker intercepts or falsifies a bank account update request, substituting the supplier's genuine IBAN with one linked to an account under their control. Subsequent payments are redirected to that account before the fraud is detected. This attack typically exploits a fraudulent email or a compromised mailbox.
CEO fraud (or Business Email Compromise, BEC) targets payment processes directly. An attacker impersonates a company executive and requests an urgent transfer to a new supplier account. The combination of time pressure and the apparent authority of the sender reduces the vigilance of the staff being solicited.
Shell companies and fraudulent structures represent a more complex category. An apparently legitimate business conceals illicit activities: money laundering, circumvention of international sanctions, or financing of criminal networks. For organisations subject to AML/CFT obligations, contracting with this type of supplier without prior due diligence creates direct regulatory liability.
Internal collusion fraud is often underestimated. An employee creates a fictitious supplier in the ERP system and validates the corresponding invoices themselves. This attack vector exploits insufficient segregation of duties controls.
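A segregation of duties check for the collusion pattern above, as an added example that is not part of the original article. The audit-event layout, the action names and the sample events are constructed for illustration and do not come from any particular ERP.

```python
from collections import defaultdict

# Constructed ERP audit events: (user, action, supplier_id)
EVENTS = [
    ("alice", "supplier_created", "S-100"),
    ("bob", "invoice_approved", "S-100"),
    ("carol", "supplier_created", "S-200"),
    ("carol", "invoice_approved", "S-200"),
    ("dave", "supplier_created", "S-300"),
    ("erin", "bank_details_changed", "S-300"),
    ("erin", "payment_released", "S-300"),
]

# Hypothetical action names, split into the two duties that must stay separate.
MASTER_DATA = {"supplier_created", "bank_details_changed"}
PAYMENT_SIDE = {"invoice_approved", "payment_released"}

def sod_violations(events):
    """Return (supplier, user, master_actions, payment_actions) for every user
    who both maintained a supplier record and approved or released money to it."""
    master = defaultdict(lambda: defaultdict(set))
    pay = defaultdict(lambda: defaultdict(set))
    for user, action, sid in events:
        if action in MASTER_DATA:
            master[sid][user].add(action)
        elif action in PAYMENT_SIDE:
            pay[sid][user].add(action)
    findings = []
    for sid in sorted(master):
        # Users present on both sides of the same supplier are the conflict.
        for user in sorted(master[sid].keys() & pay[sid].keys()):
            findings.append((sid, user, sorted(master[sid][user]),
                             sorted(pay[sid][user])))
    return findings

if __name__ == "__main__":
    for finding in sod_violations(EVENTS):
        print(finding)
```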
The KYS Process: Key Steps
An effective KYS programme covers the entire supplier lifecycle, from onboarding through to ongoing monitoring.
Legal identity verification is the entry point: company registration numbers, official registry extracts, articles of association, and identification of beneficial owners. This information must be cross-referenced against official registries — such as Companies House (UK), the European Business Register, or national commercial registries — to detect any inconsistencies or ongoing insolvency proceedings.
Bank account verification is the step most directly linked to fraud prevention. Confirming that an IBAN corresponds to the declared account holder cannot rely on a simple format check. It requires active verification: via open banking or through confirmation with a contact identified independently from the channel used to submit the original request.
Sanctions list screening is mandatory for any organisation processing international payments. Suppliers must be screened at onboarding and regularly thereafter, as the OFAC, EU and UN lists are updated frequently.
Risk assessment and scoring synthesise all collected information. A supplier score takes into account the country of incorporation, industry sector, age of the entity, and any detected risk signals. It guides the level of due diligence to apply: standard, enhanced, or rejection.
Ongoing monitoring closes the loop. A supplier's information can change over time: legal status, directors, bank account details. A mature KYS programme integrates automated alerts triggered by any significant change.
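The bank account verification and monitoring steps above, sketched as a payment release gate. This is an added example, not code from the article or from any vendor. The `Supplier` record, the channel names and the decision strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def norm(iban: str) -> str:
    return iban.replace(" ", "").upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: the 'simple format check', nothing more."""
    s = norm(iban)
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34
            and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])  # A=10 .. Z=35
    return int(digits) % 97 == 1

@dataclass
class Supplier:  # hypothetical supplier master record
    supplier_id: str
    verified_iban: str                     # confirmed with the account holder
    pending_iban: Optional[str] = None     # requested change, not yet payable
    request_channel: Optional[str] = None  # channel the request arrived on

def request_iban_change(sup: Supplier, new_iban: str, channel: str) -> bool:
    """Park a change request; it never becomes payable on its own."""
    if not iban_checksum_ok(new_iban):
        return False
    sup.pending_iban, sup.request_channel = norm(new_iban), channel
    return True

def confirm_iban_change(sup: Supplier, confirm_channel: str) -> bool:
    """Promote the pending IBAN only via open banking or an independent channel."""
    if sup.pending_iban is None:
        return False
    if confirm_channel != "open_banking" and confirm_channel == sup.request_channel:
        return False  # confirmation came back over the channel that asked
    sup.verified_iban, sup.pending_iban, sup.request_channel = sup.pending_iban, None, None
    return True

def payment_decision(sup: Supplier, invoice_iban: str) -> str:
    if not iban_checksum_ok(invoice_iban):
        return "REJECT_INVALID_IBAN"
    if norm(invoice_iban) != norm(sup.verified_iban):
        return "HOLD_UNVERIFIED_IBAN"  # valid format, but not the confirmed account
    return "RELEASE"

if __name__ == "__main__":  # constructed scenario using public documentation IBANs
    sup = Supplier("S-001", "DE89 3704 0044 0532 0130 00")
    request_iban_change(sup, "GB82 WEST 1234 5698 7654 32", "email")
    print(payment_decision(sup, "GB82 WEST 1234 5698 7654 32"))
```

A substituted IBAN is normally well formed, so the checksum alone lets it through; the gate holds the payment until the change is confirmed outside the requesting channel.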
The KYS Regulatory Framework in Europe
Across Europe, several legislative frameworks directly govern organisations' obligations with respect to their suppliers.
The UK Bribery Act requires organisations operating in the UK to have adequate procedures to prevent bribery across their supply chain. Failure to do so can expose companies to criminal liability.
The EU Anti-Money Laundering Directives (AMLD) — including the 6th AMLD — impose due diligence obligations on entities subject to AML/CFT requirements, covering both incoming and outgoing payment flows and the identification of third-party counterparties.
The Corporate Sustainability Due Diligence Directive (CSDDD), adopted in 2024, requires large companies to identify, prevent and mitigate adverse human rights and environmental impacts throughout their supply chains — including at the level of suppliers and subcontractors.
The Corporate Sustainability Reporting Directive (CSRD), progressively applicable from 2024 onwards, extends reporting obligations to the supply chain across environmental, social and governance dimensions.
Finally, for entities subject to AML/CFT obligations, the AML framework applies equally to outgoing flows: any payment made to an unidentified third party may constitute a breach of due diligence obligations.
Verify and secure your suppliers with Meelo
Meelo helps you secure your supplier relationships thanks to its KYB module (real-time business verification, AI double scoring) and IBAN retrieval at the source via Open Banking, so that you know exactly who you are sending your payments to.

