Banks are required to gather KYC documents to comply with regulations, but they must also validate the documents are authentic, accurate, and associated with the actual real people or businesses involved.
Banks need to establish and validate each customer’s identity, address, financial transactions, and, if the customer is a business, beneficial ownership structure. Banks must also avoid hidden risks, such as shell companies, fake identities, and connections to sanctioned individuals.
This article covers the key types of KYC documents and the steps in verifying them, when to request additional documentation under Enhanced Due Diligence (EDD) and how open-source intelligence (OSINT) tools like ShadowDragon Horizon™ can be used to verify whether the paper trail matches the facts on the ground.
Core KYC Document Categories
KYC documents help financial institutions establish a customer is genuine, traceable, financially legitimate, and not covertly owned by a sanctioned party or other high-risk network. Jurisdictions and customer types vary, but most document requirements fall into five core categories.
The documentation, however, only tells part of the story. OSINT (especially when powered by platforms like ShadowDragon Horizon™) helps verify whether those documents reflect reality or conceal something beneath the surface.
Identity Proof
The first stage in the KYC process is to establish that a customer exists and can be legally identified.
In the case of an individual, the institution may ask for government-issued ID like a passport or driver’s license. These can be used to verify a person’s legal name, date of birth, nationality and biometrics (photo and/or signature). This is essential information for sanctions screening and identity matching. Fraud detection tools and biometric verification systems help identify forged passports, altered photos, or digital identity manipulation.
Proof of identity for a business or other organization is different. It must be able to prove that it exists as a legal entity by producing documentation such as:
- Certificate of incorporation
- Articles of Association or Memorandum of Association
- Business or trade license (or whatever is relevant in local law)
Such documentation can be used to verify the company’s details of formation, legal status and the jurisdiction where it’s registered. Without it, a business might just be a shell company on paper.
ShadowDragon helps uncover fake, stolen, or synthetic identities by cross-referencing official documents with traces of digital activity. This is also the first checkpoint for fraud detection, identifying forged passports, altered identity numbers, or synthetic identities before they enter the system.
Address Proof
Identity is just one part of the equation. Institutions also need to verify a customer’s residence or place of business. This gives them a jurisdiction trail, an association to a fixed location, and also cross-checks to see if there is a mismatch in the level of activity they claim versus what they actually do.
Proof of address for individuals generally include:
- Recent utility bills (not older than 3 months)
- Bank or credit card statements
- Lease or rental agreements for residence
- Financial Information
Businesses are verified by providing proof of the registered office or business location. This can be in the form of:
- Corporate lease agreement
- Certificate of registered office address
- Tax registration with business address
OSINT can help to assess whether that address is verifiable, consistent and makes sense within the business context (whether the individual or business leaves any trace of being there in public records, digital platforms, property databases, or business registrations). If the paperwork says London but every online indicator points to Dubai, ShadowDragon helps flag that inconsistency.
Financial Information
After identity and address are confirmed, banks begin their financial legitimacy due diligence. This is the part of the KYC verification process that focuses on money trails, sources of wealth and transaction behavior.
Financial information for individuals may include:
- Recent bank statements
- Tax returns or pay slips
- Proof of source of funds or wealth, such as sale agreements, inheritance documents, or investment portfolios.
Financial information for businesses is scrutinized more deeply. Banks may ask for:
- Audited financial statements (balance sheet, income statement, cash flow)
- Shareholder capital or investment contribution records
- Documents verifying the source of business funds or revenue streams.
These records help banks to see if a customer’s transactions are in line with their income or business model, or if something raises suspicion. ShadowDragon Horizon™ adds another layer by checking whether those financial claims align with public information, court filings, media reports, procurement records, or leaked financial data. It helps reveal and determine business legitimacy and visible business presence or if the customer is named in fraud-related news.
Ownership and Corporate Structure (Businesses Only)
In addition to identity and an address, financial institutions must know who has ultimate control of a company. Layers of corporate ownership, offshore accounts, or nominee directors are all tactics criminal organizations use to disguise beneficial ownership.
That’s why banks request information such as:
- Ultimate Beneficial Owner (UBO) declarations
- Shareholding structure diagrams
- Director and senior management lists
- Board resolutions approving account opening or assigning signing authority
- Additional Documents (Risk-Based Requirements).
OSINT verifies whether the declared owners actually match real-world identity. ShadowDragon Horizon™ maps relationships between people, companies, email addresses, and historical corporate filings, often exposing hidden owners, nominee directors, or links to sanctioned individuals that never appear in official documents.
UBO identification is one of the most heavily scrutinized aspects of AML (Anti-Money Laundering) regulation today. Banks are expected to know if ownership points to sanctioned individuals, high-risk countries, or politically exposed persons (PEPs). PEPs are individuals who hold a prominent public role with influence (and their family members or close associates) that can make them more vulnerable to corruption or financial crime.
Additional Documents (Risk-Based Requirements)
Not every customer presents the same level of risk. A local retail store typically doesn’t require the same level of due diligence as a PEP (politically exposed person, an individual who holds a prominent public position, such as government officials, and their close family members and associates) or a crypto exchange operating internationally.
Banks take a risk-based approach and request additional documentation when necessary, such as:
- Politically Exposed Person declarations
- Sanctions or compliance questionnaires
- Enhanced Due Diligence (EDD) packages (this can include more in-depth source of wealth documentation, legal opinions, adverse media, or ongoing monitoring plans)
EDD is required when a customer is operating in a high-risk industry, has associations with complex jurisdictions, or exhibits inconsistencies during onboarding. OSINT makes these checks meaningful by scanning news, court databases, social media, darknet forums, and global sanctions sources to uncover undisclosed red flags. ShadowDragon Horizon™ also enables ongoing monitoring, so risk doesn’t stop being assessed once the documents are approved.
In short, documents confirm what a customer declares. OSINT and ShadowDragon confirm whether those declarations hold up in the real world.
The following table outlines the KYC documentation differences between individuals and corporate entities.
| Category | Individual Clients | Business/Corporate Clients |
|---|---|---|
| Identity Proof | Passport, driver’s license | Certificate of Incorporation, Articles of Association |
| Address Proof | Utility bill, lease agreement | Business address certificate, corporate tax registration address |
| Financial Proof | Bank statements, tax returns | Audited financials, proof of source of capital |
| Ownership | N/A | UBO declarations, shareholding structure |
| Additional Documents (Risk-Based Requirements) | PEP self-declaration, source of wealth statement (for high-risk individuals) | Proof of source of funds, licenses for regulated industries, documentation of compliance and governance |
| OSINT Use | Verify identity/aliases via OSINT | Map corporate networks, identify shell companies, verify UBO claims |
The Document Verification Process
Document verification should provide confidence that the information presented is not only authentic (matches to a real-life source) but also accurate (belongs to the person in question) and truthful (represents reality). Banks use a two-tiered approach: standard verification to confirm authenticity and OSINT-supported analysis to validate reality.
Basic Verification
In this phase, the bank verifies the authenticity of the documents the customer submitted. For example, the details of the passport and the national ID are verified against official government sources or the identity-issuing agency database.
Photos on IDs are subjected to biometrics and liveness checks (a security method used to verify that the photo is of a live person, not a deepfake or artificially generated image). This method is used to prevent the use of stolen, deepfaked or photoshopped pictures, and ensure that the individual is actually in front of the camera. Facial recognition and motion prompt capabilities can also be used for this purpose. Motion prompt capabilities are systems that ask the user to take specific actions, such as blinking or turning their head, to verify that the individual is a real person
The documents are scanned for obvious details, such as compliance information, which includes expiry dates, holograms, signatures, watermarks, and document layout, as well as for minor differences between multiple documents (wrong fonts, misspelled issuing authorities’ names, altered serial numbers, etc.) that can reveal an attempt to create a counterfeit document. At this stage, everything may look correct on paper, but paper doesn’t reveal intent, history, or hidden risk.
OSINT-Powered Verification
OSINT provides the contextual intelligence that the traditional KYC document checks cannot.
ShadowDragon Horizon™ uses information about an identity (name, email address, phone number, business names, website registrations, etc.) and probes to see if this information exists, makes sense, and connects to other verified information in the real world.
It’s easy to see if an email address or username listed on an application was ever used by the client or associated with other aliases or has been used in different contexts. If an applicant claims to have no social media footprint, but dozens of sketchy profiles associated with their email are linked to underground forums, the alarm bells should be ringing.
Identity intelligence is a core part of this process. ShadowDragon Horizon™ uses identity intelligence by linking names, emails, usernames, corporate records, website ownership, and online behavior to verify whether an identity is legitimate or if it’s synthetic, stolen, or part of a fraudulent network.
Horizon™ uncovers and reveals the relationships between people, shell companies, leaked registries, and company beneficial ownership. You can now see that a seemingly legitimate director listed on a business’s Articles of Association is connected to a sanctioned logistics provider, or that an alleged investor is also listed as a director of numerous offshore entities with no operational presence.
The document may pass basic screening, but through OSINT, you can uncover what isn’t on the document, like a director alleged to have committed bankruptcy fraud in foreign press, or a beneficial owner listed in breach data sets.
Turning KYC Documents into Real Intelligence
KYC documents establish identity, address, ownership, and financial legitimacy, but they’re limited to what a customer chooses to present. Criminals can create false documents, conceal ownership through multiple shell entities, or present a clean history and be a part of a high-risk network.
This is why OSINT matters. ShadowDragon Horizon™ takes the data contained in those documents and verifies it against real-world information. It searches for names, emails, addresses, and entities across public records, social media, breach data, corporate registries, and the deep and dark web. It reveals undisclosed owners, aliases, discrepancies, and connections to sanctioned or high-risk parties that a stack of documents alone can’t uncover.
Talk to our team and learn how ShadowDragon enables analysts to verify what documents don’t show.
