2026
Customer and counterparty verification is where compliance programs succeed or fail in practice. For businesses operating in Vietnam — particularly in financial services, fintech, and digital assets — the gap between a KYC/KYB framework that satisfies local requirements and one that survives banking partner and investor scrutiny is wider than most operators expect. This briefing examines how to design verification workflows that hold up under pressure.
The Difference Between KYC and KYB — and Why Both Matter in Vietnam
KYC — Know Your Customer — and KYB — Know Your Business — are treated as interchangeable in many compliance discussions. They are not. KYC refers to the identification and verification of individual customers: natural persons who open accounts, initiate transactions, or otherwise engage with a regulated business. KYB refers to the identification and verification of corporate counterparties: legal entities, their ownership structures, their beneficial owners, and the nature of their business activities.
In Vietnam, the distinction matters for practical reasons. The Law on Anti-Money Laundering (Law No. 14/2022/QH15, effective March 2023) and its implementing regulations establish customer identification obligations that apply to both individuals and legal entities, but the verification pathways differ significantly. Verifying a Vietnamese individual involves checking a citizen identification card (CCCD) against the national population database maintained by the Ministry of Public Security. Verifying a Vietnamese legal entity requires obtaining and reviewing the enterprise registration certificate issued under the Law on Enterprises (Law No. 59/2020/QH14), cross-referencing against the National Business Registration Portal, and — critically — identifying and verifying the beneficial owners behind the corporate structure.
For businesses operating across both retail and institutional client bases, the KYC and KYB workflows need to be designed as distinct processes with different data requirements, verification sources, and risk assessment criteria. A single undifferentiated process that treats individual and corporate counterparties the same way will produce gaps that surface during banking partner reviews, regulatory examinations, or investor diligence.
Vietnam's Regulatory Expectations vs. International Standards
Vietnam's AML framework, anchored in Law No. 14/2022/QH15 and the implementing guidance issued by the State Bank of Vietnam, establishes baseline customer identification requirements that are broadly consistent with FATF Recommendation 10 on customer due diligence. The requirements include identifying and verifying the customer's identity, identifying the beneficial owner and taking reasonable measures to verify their identity, understanding the nature and purpose of the business relationship, and conducting ongoing due diligence.
Where Vietnam's practical expectations diverge from what international businesses may be accustomed to is in the verification infrastructure. Vietnam does not yet have a mature ecosystem of commercial identity verification providers comparable to what exists in Singapore, Hong Kong, or the EU. Electronic verification services are developing, but many verification steps still rely on document review and manual cross-referencing. Businesses that design their KYC workflows around the assumption that automated identity verification will be available for Vietnamese individuals and entities will find gaps in their operational processes.
At the same time, the standard that actually determines whether a KYC/KYB framework is adequate is frequently set not by the Vietnamese regulator but by the business's banking partners. Correspondent banks — particularly those headquartered in jurisdictions with mature AML enforcement — apply their own CDD standards when assessing Vietnamese counterparties. Those standards reflect FATF guidance, the bank's home jurisdiction requirements, and the bank's own risk appetite. A KYC/KYB framework that meets Vietnam's published requirements but falls short of what the banking partner expects will result in account restrictions, enhanced monitoring, or relationship termination — outcomes that are operationally disruptive regardless of local regulatory compliance.
Building a Risk-Tiered Customer Verification Workflow
A risk-tiered approach to customer verification is not optional — it is a structural requirement under both Vietnamese law and international best practice. The tiering determines what level of due diligence is applied to each customer or counterparty relationship based on an assessment of the risk that relationship presents.
The risk factors that drive tiering in a Vietnam context include: the customer's or counterparty's country of incorporation or nationality (with heightened risk for jurisdictions identified by FATF or subject to international sanctions); the nature of the business activity (with elevated risk for sectors prone to money laundering, including real estate, gambling, and certain categories of cross-border trade); the expected transaction profile (volume, frequency, cross-border flows); and whether the customer is a politically exposed person or a legal entity with a PEP as a beneficial owner.
Simplified due diligence — reduced verification requirements for lower-risk relationships — should be defined explicitly in the framework, with clear criteria for when it applies and what it includes. Standard due diligence forms the baseline for the majority of relationships. Enhanced due diligence — more extensive verification, more frequent review, senior management approval — applies to higher-risk relationships and must be documented thoroughly enough that the basis for the risk assessment and the additional measures taken are auditable.
The workflow itself needs to be documented as a step-by-step process that any trained staff member can follow: what information is collected at onboarding, what sources are used for verification, what triggers a higher risk classification, what additional steps are required for enhanced due diligence, who approves the relationship, and how frequently the relationship is reviewed. A workflow that exists as a general description rather than an operational procedure will produce inconsistent outcomes and will not survive a detailed compliance review.
Common KYC Failures in Investor and Banking Diligence
The KYC failures that surface most consistently in diligence are not failures of policy — they are failures of implementation and evidence. The policy document exists. What does not exist is the evidence that the policy is applied consistently.
The most frequent failure is incomplete or inconsistent customer files. A diligence team reviewing a sample of customer records expects to find: identification documents, verification records, risk classification with documented rationale, approval records, and evidence of periodic review. When customer files are incomplete — missing verification records, risk classification applied without documented rationale, no evidence of periodic review — the diligence team cannot confirm that the KYC framework operates as designed. The conclusion drawn is that it does not.
The second most frequent failure is absence of ongoing monitoring. Initial onboarding may be well-documented, but the framework stops there. Customer risk profiles are not updated. Changes in customer activity or beneficial ownership are not captured. Trigger events that should prompt re-assessment — changes in transaction patterns, adverse media, changes in regulatory status — do not result in any documented action. A KYC framework without ongoing monitoring is a snapshot, not a program.
The third failure is inconsistent application of enhanced due diligence. Higher-risk customers are identified, but the additional measures required are not consistently applied, or are applied but not documented. When a diligence team finds that EDD was required for a particular relationship but cannot locate the evidence of what additional measures were taken, the framework's credibility is undermined for all relationships, not just the one with the gap.
How to Document Your Process for Regulatory Inspection
Documentation is not a secondary compliance activity. It is the compliance activity. A compliance framework that operates effectively but cannot demonstrate that it operates effectively is indistinguishable, from a regulatory perspective, from one that does not operate at all.
The documentation that Vietnamese regulators, banking partners, and investor diligence teams expect includes: a written KYC/KYB policy that describes the framework's design, risk criteria, and operational procedures; individual customer and counterparty files that contain the identification documents, verification records, risk assessments, and approval records for each relationship; transaction monitoring records that demonstrate alerts are generated, investigated, and resolved; STR records where applicable; training records showing that staff have been trained on the relevant procedures; and governance records — compliance reports to senior management, board minutes reflecting compliance discussion, audit findings and remediation tracking.
The format matters less than the completeness and accessibility. Whether records are maintained in a compliance management system, a document management platform, or structured file storage, the requirement is that they can be retrieved promptly and completely when requested. A regulatory examination or banking partner review that requests customer files and receives an incomplete or delayed response creates an impression of operational weakness that is difficult to overcome, regardless of the underlying quality of the program.
One practical consideration specific to Vietnam: the State Bank of Vietnam's inspection procedures may require documents to be presented in Vietnamese. Businesses operating with English-language compliance documentation should assess whether translation of key documents is necessary and plan for it in advance rather than scrambling during an inspection.
KYB for Corporate Counterparties: Beneficial Ownership Challenges
KYB in Vietnam presents verification challenges that are structurally different from those in jurisdictions with more mature corporate transparency infrastructure. Vietnam does not have a publicly accessible beneficial ownership register. The enterprise registration system maintained by the Ministry of Planning and Investment records legal ownership — the shareholders listed on the enterprise registration certificate — but does not systematically capture the ultimate beneficial ownership chain behind those legal owners.
For businesses conducting KYB on Vietnamese corporate counterparties, this means that beneficial ownership verification cannot be accomplished through a registry search alone. It requires obtaining the enterprise registration certificate, reviewing the shareholder structure, requesting documentation from the counterparty that identifies the natural persons who ultimately own or control the entity, and conducting reasonable verification of that information through available sources.
The challenge is compounded by common Vietnamese corporate structures. Layered holding companies, cross-ownership arrangements between related entities, and nominee shareholder arrangements create opacity that requires careful analysis to resolve. The Law on Enterprises requires disclosure of beneficial owners to the business registration authority, but enforcement of this requirement has been uneven, and the information may not be readily available to third parties conducting verification.
For businesses that need to conduct KYB on a significant number of Vietnamese counterparties — financial institutions, trading platforms, investment funds — building a standardized KYB workflow that accounts for these structural challenges is essential. The workflow should specify what documents are requested, what verification steps are taken, what constitutes acceptable evidence of beneficial ownership, and what escalation occurs when beneficial ownership cannot be determined to a satisfactory standard. A workflow that stops at legal ownership and does not pursue beneficial ownership will fail every serious diligence review.
Practical Steps to Strengthen Your Framework Now
For businesses that have a KYC/KYB framework in place but have not tested it against the standards that banking partners and investors actually apply, the first step is a structured gap assessment. Review a representative sample of customer and counterparty files against the documentation standards described above. Identify where files are incomplete, where risk classifications lack documented rationale, where ongoing monitoring has not been conducted, and where enhanced due diligence was required but not evidenced.
The second step is to update the written policy and procedures to reflect the actual operational workflow — not an idealized version. If the current workflow deviates from the written policy, either the workflow needs to change or the policy does. The gap between documented procedure and actual practice is one of the first things a diligence review identifies, and it is one of the most damaging findings because it suggests that the compliance program is not under effective management control.
The third step is to address the beneficial ownership verification gap. For existing counterparty relationships where beneficial ownership has not been verified to an adequate standard, a remediation program is necessary. This may involve requesting additional documentation from counterparties, conducting additional verification steps, and in some cases re-assessing the risk classification of relationships where beneficial ownership remains unclear.
For businesses that do not yet have a KYC/KYB framework — or that have a framework that is materially inadequate — the design and build process should be treated as a priority program, not a background compliance task. The framework needs to be designed for the most demanding audience the business will face, whether that is a correspondent bank, a regulatory examiner, or an institutional investor's diligence team. Designing for the minimum standard is a strategy that produces the minimum outcome.
Krysos Trust advises businesses across financial services, fintech, and digital assets on the design, implementation, and remediation of KYC/KYB frameworks. The firm's approach is grounded in the practical requirements that banking partners and regulators in Vietnam actually assess — not the published minimum, but the standard that determines whether a business can open and maintain the institutional relationships it needs to operate. For businesses facing a banking review, investor diligence, or regulatory examination, the time to assess and strengthen the framework is before the event — not during it.