KYC vs. KYV: Why Vendor Vetting Is Not Optional in 2026
KYC vs. KYV explained: how DORA, NIS2, GDPR Article 28, and CCPA make Know Your Vendor a legal obligation — and why integration vendors are the highest-risk category most operations leaders fail to vet.

> TL;DR: Regulated institutions spend millions on Know Your Customer (KYC) compliance — then hand production credentials to unverified offshore developers with zero equivalent diligence. DORA (effective January 17, 2025), NIS2 (October 17, 2024), GDPR Article 28, and CCPA have closed that gap. Know Your Vendor (KYV) and Know Your Partner (KYP) are now legal obligations, not best practices. The liability lands on you, the controller — not the vendor.
Key takeaways
- KYC has a single regulator with subpoena power. KYV does not — but the legal obligations are equally binding.
- DORA, NIS2, GDPR Article 28, and CCPA together create a fragmented but enforceable web of vendor due diligence requirements.
- Under GDPR Article 28, the controller — not the processor — is fined when a vendor mishandles data.
- Integration vendors carry the highest risk profile of any vendor category: persistent, programmatic, multi-system access.
- The Delve scandal proved compliance documentation can be fabricated at scale; verification of the verifier is now table stakes.
The Compliance Asymmetry No One Wants to Talk About
Every regulated financial institution in the United States is legally required to know its customers. Before a bank opens an account, before a broker-dealer executes a trade, before a money services business processes a transfer, the institution must verify identity, assess risk, and document what it found. The regulatory apparatus behind this obligation — the Bank Secrecy Act, FinCEN rules, FATF standards, and a cascade of state-level mandates — is detailed, enforced, and expensive to comply with. Companies spend millions on KYC programs because the alternative is criminal liability, license revocation, and reputational destruction.
Then those same companies hand production database credentials to an offshore developer hired through a freelance marketplace. No background check. No beneficial ownership verification. No sanctions screening. No contractual audit rights. No incident notification clause. The developer has access to customer PII, payment data, and connected third-party systems — and the company's vendor file contains a signed NDA and a PayPal receipt.
This is not a hypothetical. It is standard practice across mid-market operations, and it represents one of the most significant unmanaged risk exposures in enterprise technology today. The asymmetry is not a gap in awareness. It is a gap in enforcement: KYC has a regulator with subpoena power, and vendor vetting does not — at least not a single, unified one.
That is changing. The Digital Operational Resilience Act (DORA), effective January 17, 2025, the NIS2 Directive, effective October 17, 2024, GDPR Article 28, and the CCPA collectively create a fragmented but legally binding web of vendor due diligence obligations. The companies that treat vendor vetting as optional hygiene are operating under a compliance illusion.
What KYC Actually Requires
The Statutory Foundation
KYC is rooted in the U.S. Bank Secrecy Act (BSA), implemented through FinCEN regulations codified at 31 C.F.R. Chapter X. It applies to banks, broker-dealers, money services businesses, fintechs, insurance companies above revenue thresholds, casinos, and mutual funds. The framework is a three-tier structure that escalates with risk.
Customer Identification Program (CIP) is the baseline. At minimum, every covered institution must collect name, date of birth, address, and a government-issued identification number. These are not just collected — they must be verified, recorded, and screened against government lists including OFAC's Specially Designated Nationals list.
Customer Due Diligence (CDD) goes further. For legal entities, institutions must identify beneficial owners — individuals holding 25% or more of equity interest, plus one controlling individual. CDD also requires the institution to understand the nature and purpose of the relationship and to conduct ongoing monitoring for transactions that appear inconsistent with the customer's risk profile.
Enhanced Due Diligence (EDD) applies to elevated-risk relationships: Politically Exposed Persons (PEPs), foreign correspondent bank accounts, private banking relationships. EDD includes more frequent reviews, additional documentation requirements, and senior management approval before the relationship proceeds.
Ongoing Monitoring and Refresh Cadence
KYC is not a one-time event. High-risk customers must be refreshed annually; low-risk customers every three years. Event-driven triggers — a sanctions list hit, a suspicious transaction, a change in ownership — override the scheduled cadence and require immediate reassessment. The FinCEN Beneficial Ownership Rule, which entered into force in January 2025 under the Corporate Transparency Act, tightened these requirements further.
The 2025 standard practice is Continuous KYC (cKYC): dynamic risk uplifts triggered by real-time monitoring rather than periodic calendar reviews. The FATF Travel Rule additionally mandates transmission of originator and beneficiary data for cryptocurrency transfers above threshold amounts.
What Failure Looks Like
KYC enforcement results in criminal penalties for individuals, regulatory fines that have reached nine figures for large institutions, license revocation, and reputational consequences that cannot be quantified. The framework works — not because companies voluntarily embrace it, but because the consequences of non-compliance are existential.
What Know Your Vendor / Know Your Partner Actually Requires
A Framework Without a Single Home
KYV, KYP, KYS (Know Your Supplier), and KYTP (Know Your Third Party) are variants of the same underlying principle: the obligations you accept when you invite a third party into your operational perimeter. The umbrella is sometimes called KYB — Know Your Business — applied to the vendor relationship rather than the customer relationship.
Unlike KYC, there is no single statute that says "you must conduct KYV." This is precisely what makes it more dangerous. The absence of a unified enforcement regime creates a compliance illusion — the belief that because no single regulator is sending examination letters about vendor vetting, none of it is required. That belief is incorrect.
The Regulatory Mosaic
GDPR Article 28 is the most direct vendor obligation in global data law. Controllers must ensure that processors provide "sufficient guarantees" of technical and organizational compliance. Controllers are expected to conduct vendor audits. Critically, vendor non-compliance does not transfer liability to the vendor — it transfers the fine to the controller. If your data processor violates GDPR, the supervisory authority fines you.
CCPA imposes parallel liability on California businesses for their vendors' handling of consumer data. Service provider agreements must be in place, and companies cannot disclaim responsibility for downstream misuse simply by contracting it out.
DORA (Digital Operational Resilience Act), effective January 17, 2025, represents the most comprehensive ICT vendor due diligence mandate to date. EU financial entities must conduct pre-contractual assessments of all ICT third-party providers, include specific contractual provisions covering audit rights and incident notification, and maintain ongoing monitoring. The statute is explicit: financial entities remain fully responsible for regulatory obligations even when those functions are outsourced.
NIS2 Directive, effective October 17, 2024, extends cybersecurity requirements across supply chains. Covered organizations must assess and verify their third parties' security practices. Fines for non-compliance reach €10 million or 2% of global annual turnover.
SEC Regulation S-P extends identity theft safeguard requirements into vendor relationships for covered broker-dealers and investment advisers.
What KYV/KYP Covers
A complete KYV/KYP program addresses: financial stability and solvency verification, beneficial ownership and ultimate parent identification, sanctions and adverse media screening, operational capability assessment, cybersecurity posture and certifications (and the validity of those certifications), data residency and cross-border transfer compliance, regulatory compliance history, ESG alignment, and jurisdictional legal risk for offshore providers. Continuous monitoring is required — not just at onboarding.
KYC vs. KYV: Side-by-Side Comparison
| Dimension | KYC | KYV / KYP |
|---|---|---|
| Regulatory basis | U.S. BSA, 31 C.F.R. Chapter X; FinCEN; FATF | GDPR Art. 28; CCPA; DORA; NIS2; SEC Reg S-P |
| Who is subject | Banks, broker-dealers, MSBs, fintechs, insurers, casinos | Any organization sharing data or system access with third parties |
| Trigger | Establishing a customer relationship | Onboarding a vendor; granting system or data access |
| Identity verification | Name, DOB, address, government ID | Entity identity, jurisdiction, operating addresses, UBO |
| Beneficial ownership | Mandatory under FinCEN CDD Rule and CTA | Required under GDPR and DORA; often omitted |
| Ongoing monitoring | Transaction monitoring; periodic refresh | Required under DORA and GDPR; continuous is best practice |
| Refresh cadence | High-risk: annual; low-risk: 3 years | No universal standard; DORA mandates documented cycles |
| Audit rights | Regulator examination authority | Must be contractually negotiated; often absent |
| Penalties | Criminal charges, nine-figure fines, license loss | GDPR: 4% global turnover; NIS2: €10M; civil liability |
| Who bears liability | The regulated financial institution | The company that engaged the vendor — not the vendor |
The Risk Asymmetry Problem
The Compliance Illusion
Companies subject to KYC requirements treat them as existential obligations. Compliance teams, BSA officers, sophisticated AML software, and periodic regulatory examinations make KYC non-negotiable. The same company will conduct zero equivalent diligence on the software vendor with read/write access to its core banking platform.
The asymmetry is structural. KYC has a named regulator with examination authority and a predictable enforcement cycle. Vendor diligence has a mosaic of overlapping frameworks, no dedicated enforcement body, and consequences that arrive not as regulatory fines but as data breaches, ransomware events, and supply chain compromises — which the company will almost certainly attribute to something other than inadequate vendor vetting.
The Integration Vendor Paradox
Consider the specific case of a KYC-compliant community bank. Before opening a $500 checking account, that institution collects two forms of ID, runs the applicant against OFAC and FinCEN watchlists, and documents the beneficial ownership of any business account. It will decline the account if anything appears inconsistent.
That same institution then onboards an integration developer to connect its core banking platform to a fintech data aggregator. The developer receives API keys, OAuth credentials, and access to the production environment. The vendor file contains a W-9 and a signed contract. No sanctions screening. No background check. No verification that the offshore subcontractor who will actually do the work is not a sanctioned individual operating through a shell company. The $500 deposit received more scrutiny than the developer with access to the accounts of 40,000 customers.
The Delve Case: What Fake Compliance Looks Like
In March 2026, it emerged that Delve, a Y Combinator-backed startup that had raised $32 million, had fabricated 494 SOC 2 audit reports. The certifications were produced by Indian certification mills — Accorp, Glocert, and DKPC — operating through U.S. shell companies and mailbox addresses. Across all 494 reports, 99.8% of the content was boilerplate text pre-written before any data was submitted to the auditor. More than 400 companies accepted these reports as valid third-party attestations and integrated Delve into their data stacks.
Those 400+ companies now hold invalid certifications. For those subject to HIPAA, criminal liability is possible. For those subject to GDPR, the controller liability chain runs directly to the companies that accepted fabricated compliance documentation without verification.
The Delve case illustrates the core failure mode: accepting a document is not the same as verifying what the document represents. SOC 2 reports can be fabricated. ISO certifications can be purchased. A vendor vetting program that does not verify the verifier is not a program — it is paperwork. (For the full breakdown, see our analysis of offshore integration developer risks.)
The GDPR Article 28 Liability Chain
GDPR is explicit on this point. When a controller engages a processor, the controller must ensure the processor provides "sufficient guarantees." If the processor fails — if it breaches data subjects' rights, mishandles data, or subcontracts without authorization — the supervisory authority fines the controller. The vendor is not the regulated party. You are.
What a Rigorous KYV/KYP Program Actually Looks Like
Stage 1: Pre-Engagement Screening
Before any contract is signed or any access is granted, the prospective vendor must be verified — not evaluated. Verification means confirming the legal entity exists in the jurisdiction it claims, identifying ultimate beneficial owners against sanctions lists and adverse media databases, and reviewing financial stability indicators. For vendors that will handle personal data, assess GDPR or CCPA compliance documentation and the validity of any certifications offered.
Documents to require: Certificate of Incorporation or equivalent, beneficial ownership register, most recent financial statements, proof of business insurance (E&O and cyber liability), and security certifications. Documents to verify: independently confirm the issuing authority for any certification. Do not rely on self-certification.
Stage 2: Contractual Requirements
The contract is the legal instrument for risk transfer and audit rights. At minimum, it must include:
- Data processing agreement language satisfying GDPR Article 28 requirements
- Specific data residency and cross-border transfer provisions
- Mandatory incident notification timelines (72 hours is the GDPR standard)
- Contractual audit rights — your right to examine, not just to ask
- Restriction on subcontracting without prior written approval
- IP ownership and data deletion upon termination
- Jurisdiction and governing law with meaningful enforceability
Stage 3: Operational Onboarding
Access provisioning should follow least-privilege principles. Credentials should be scoped to the minimum required for the engagement. All programmatic credentials should be logged, rotated on a defined schedule, and revocable in under one hour. For integration vendors specifically, a network segmentation review should precede the first production access event.
Stage 4: Continuous Monitoring
Ongoing monitoring is not a nice-to-have — it is legally required under DORA for ICT third parties and functionally required under GDPR for any processor relationship. Monitor for: sanctions list changes against identified beneficial owners, adverse media coverage, security incident disclosures, regulatory actions, changes in ownership or corporate structure, and performance SLA deviations that could indicate operational instability.
Stage 5: Offboarding
Termination events carry their own risk. Offboarding must include immediate credential revocation with documented confirmation, data deletion and certification of deletion, post-termination confidentiality obligations, and a review of any residual access paths created during the engagement (API connections, OAuth grants, webhook endpoints). An incomplete offboarding can leave production access active for months after a vendor relationship ends.
The Integration Vendor Is the Highest-Risk Category
Why Integration Vendors Are Different
Most vendor relationships carry some risk. An office supply vendor can overbill you. A marketing agency can produce poor work. An integration vendor can expose your entire customer dataset, exfiltrate your IP, introduce malware into your production environment, and do it programmatically — at scale, in real time, with minimal forensic evidence.
Integration vendors have a risk profile unlike any other vendor category: persistent production access measured in months or years, programmatic credentials that do not require human authentication to activate, simultaneous access to multiple connected systems, and continuous data processing without human intervention. A single compromised integration can traverse every system it touches. (See why operations leaders choose APIWorx for the architectural answer to this risk profile.)
The Offshore Dimension
Offshore integration development introduces a jurisdictional layer that fundamentally alters the risk calculus. IP agreements signed under foreign law have limited enforceability in U.S. courts. Audit rights in a contract with an entity in a jurisdiction with no treaty relationship with the United States are effectively unenforceable. Criminal referrals for data theft require coordination that rarely materializes at the operational level.
This is not an argument against international collaboration. It is an argument for knowing with specificity who you are collaborating with, where they are legally constituted, who ultimately owns and controls the entity, and what recourse exists in the event of harm.
The Appropriate Standard
The appropriate standard for integration vendors is the same standard KYC applies to high-risk customers: rigorous initial verification, documented beneficial ownership, ongoing monitoring, documented refresh cycles, and audit rights with teeth. For vendors that operate in multiple jurisdictions, have U.S. legal entities, and welcome this level of scrutiny, the due diligence process is faster, not slower. Resistance to diligence is itself a data point.
U.S.-based integration platforms with established compliance postures, documented security certifications, and verifiable platform architecture represent the appropriate model for production system access. The alternative — anonymous programmatic credentials issued to unverified parties — is not a cost savings. It is a deferred liability.
Closing: The Question Is Not Whether You Can Afford To
The same legal and ethical principles that justify KYC — the idea that access to critical systems requires verified, documented accountability — apply with equal force to the vendor relationships that define modern operations. The regulatory framework may be fragmented, but the liability is not. GDPR Article 28, DORA, and NIS2 together create a legally binding obligation to know your vendors the way you know your customers.
The Delve case is not an isolated scandal. It is a preview. As compliance documentation becomes easier to fabricate and certification markets become more accessible to bad actors, the only meaningful defense is verification: confirming that the documents your vendors provide represent real organizational capabilities, not purchased paperwork.
The question is not whether you can afford to vet your vendors. It is whether you can afford not to.
APIWorx operates as the kind of integration platform this framework describes: U.S.-incorporated, identifiable, auditable, and prepared to meet the due diligence requirements of regulated industries. We welcome the scrutiny. We think every integration partner should. Book a free assessment and we will return a written integration plan within 24 hours.
Frequently Asked Questions
What is the difference between KYC and KYV?
KYC (Know Your Customer) is a U.S. regulatory framework rooted in the Bank Secrecy Act that requires regulated financial institutions to verify the identity and risk profile of their customers. KYV (Know Your Vendor) — sometimes called KYP, KYS, or KYTP — is the equivalent diligence applied to the third parties an organization grants data or system access to. KYC has a single regulator with examination authority. KYV is governed by a mosaic of frameworks including GDPR Article 28, DORA, NIS2, and CCPA, but the legal obligation is equally binding.
Is Know Your Vendor legally required?
Yes — through several overlapping regimes. GDPR Article 28 requires data controllers to ensure their processors provide "sufficient guarantees" of compliance. DORA, effective January 17, 2025, mandates ICT third-party due diligence for EU financial entities. NIS2, effective October 17, 2024, extends cybersecurity vendor obligations across supply chains. CCPA imposes parallel liability for California consumer data. The penalties for failure include fines of up to 4% of global turnover under GDPR and €10 million under NIS2.
Who is liable if a vendor causes a data breach under GDPR?
The controller — the company that engaged the vendor — is the primary regulated party under GDPR Article 28. The supervisory authority fines the controller, not the processor. This is the most consequential structural difference between GDPR and consumer-side regulations: vendor failure does not transfer liability to the vendor. It crystallizes liability with the company that hired them.
Why is SOC 2 not sufficient proof of vendor compliance?
A SOC 2 certificate is only meaningful if the auditing firm is genuine. The Delve case in March 2026 exposed 494 fabricated SOC 2 reports produced by certification mills operating through U.S. shell companies. Verification means confirming the auditing firm is AICPA-accredited, the audit scope covers the systems your integration touches, and the full audit report, not just the badge, holds up to review. Accepting a certificate is not the same as verifying what it represents.
Why are integration vendors considered the highest-risk vendor category?
Integration vendors hold persistent, real-time, programmatic access to multiple production systems simultaneously — ERP, storefront, CRM, payment processor, customer database. Their credentials operate without human authentication, often for years, and a single compromised integration can traverse every system it touches. No other vendor category combines this depth of access with this duration of exposure.
What should be in an integration vendor due diligence checklist?
At minimum: verified SOC 2 Type II from an AICPA-accredited firm, verified U.S. legal entity, errors-and-omissions insurance from a U.S. carrier, beneficial ownership disclosure, GDPR Article 28-compliant data processing agreement, documented data residency, written credential provisioning and revocation process, enforceable IP assignment, personnel vetting policies, and direct reference checks. For the full 10-point checklist, see The Hidden Cost of Cheap Integration.
---
*This article is intended for informational purposes and does not constitute legal advice. Organizations subject to DORA, GDPR, CCPA, or other compliance frameworks should engage qualified legal counsel for jurisdiction-specific guidance.*