Onboarding Sub-Merchants at Scale: KYC and AML Requirements

Operating as a payment facilitator means your platform is responsible for the KYC/KYB waterfall on every sub-merchant you process payments for. That means beneficial ownership collection under the FinCEN CDD Rule, OFAC SDN screening, bank account authentication via instant ACH verification, and tiered review flows for LLCs versus sole proprietors. This article covers what the operational reality looks like at 50, 200, and 500 sub-merchants — and where the bottlenecks appear when platforms build this in-house.

When a platform first onboards its sub-merchants, the compliance flow feels manageable. The first ten merchants get reviewed manually, documentation is collected over email, and the team develops a feel for what a legitimate sub-merchant looks like in their vertical. By merchant 50, cracks appear. By merchant 200, the manual review process is a bottleneck that is delaying activations by days, creating churn at the onboarding step, and consuming compliance staff time that was supposed to be spent on exception handling, not routine reviews.

Building a compliant sub-merchant onboarding workflow that scales to hundreds of active merchants — without becoming an activation bottleneck — requires understanding what the compliance stack actually requires, what can be automated, and where human review is genuinely necessary versus where it's a holdover from a process designed for 10 merchants.

The KYC/KYB Waterfall

Sub-merchant onboarding under a payment facilitation structure requires two parallel tracks: Know Your Customer (KYC) for the individuals associated with the business, and Know Your Business (KYB) for the legal entity itself. These are distinct but interdependent: a clean KYB on a shell LLC can still fail KYC on its beneficial owner, and a legitimate individual who owns a high-risk business category may pass KYC but fail underwriting.

The KYB track starts with business entity verification: confirming the legal name, formation state, business type (LLC, S-corp, sole proprietor), and EIN against the IRS and state secretary of state records. For LLCs and corporations, an active registration status is the minimum — a business that has been administratively dissolved cannot onboard as a sub-merchant without remediation. Industry category matters: certain business types (adult content, firearms dealers, money services businesses) are prohibited or restricted by card network rules, and the platform's underwriting guidelines need to map to those restrictions.

The KYC track runs on the individuals behind the business — specifically, the beneficial owners. Under the FinCEN Customer Due Diligence (CDD) Rule (31 CFR § 1010.230), covered financial institutions and their downstream partners are required to identify and verify the identity of individuals who own 25% or more of a legal entity, plus at least one control person (typically the CEO, president, or equivalent). For a PayFac onboarding sub-merchants, this means collecting name, date of birth, address, and identifying number (SSN or ITIN for US persons) for each beneficial owner meeting the 25% threshold, plus the control person if different.

OFAC SDN Screening

Every sub-merchant onboarding must be screened against the OFAC Specially Designated Nationals (SDN) list before activation. OFAC SDN screening is not optional — facilitating transactions with a sanctioned entity or individual is a strict-liability violation, and the penalties are severe. The screening needs to cover not just the business name but also all associated individuals: beneficial owners, control persons, and any other natural persons in the application.

OFAC matching is more complex than a simple name lookup. The SDN list uses name variations, transliterations from non-Latin scripts, and aliases. A phonetically similar name is not necessarily a match, and a platform that blocks legitimate merchants based on false-positive OFAC hits creates friction that damages activation rates. Production OFAC screening uses fuzzy matching algorithms with tunable thresholds: a match score above 85% might trigger automatic decline; a score between 65% and 85% might route to manual review; below 65% clears automatically.
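As an added illustration (not code from the article or from any screening vendor), the threshold routing described above, with a token-sorting normalizer and difflib similarity standing in for a production fuzzy matcher; the list entries, thresholds and names are constructed samples.

```python
import re
from difflib import SequenceMatcher

# Constructed sample entries in the shape of SDN records (primary name plus
# aliases); these are not real list data.
SDN_SAMPLE = [
    {"uid": "SAMPLE-1", "name": "Ivanov, Dmitri", "aliases": ["Dmitry Ivanov", "Dimitri Ivanoff"]},
    {"uid": "SAMPLE-2", "name": "Global Trade Holdings LLC", "aliases": ["GTH LLC"]},
]
DECLINE_AT = 85   # score at or above: automatic decline
REVIEW_AT = 65    # score at or above (but below DECLINE_AT): manual review
ENTITY_SUFFIXES = {"llc", "inc", "corp", "ltd", "co"}

def normalize(name):
    """Casefold, strip punctuation, drop entity suffixes and sort tokens so that
    'Ivanov, Dmitri' and 'Dmitri Ivanov' normalize to the same string."""
    tokens = re.findall(r"[a-z0-9]+", name.casefold())
    return " ".join(sorted(t for t in tokens if t not in ENTITY_SUFFIXES))

def similarity(a, b):
    """0-100 similarity of two names after normalization (difflib ratio)."""
    return round(100 * SequenceMatcher(None, normalize(a), normalize(b)).ratio())

def best_match(subject, entries=SDN_SAMPLE):
    """Highest score over every entry's primary name and all of its aliases."""
    best = (0, None, None)
    for entry in entries:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = similarity(subject, candidate)
            if score > best[0]:
                best = (score, entry["uid"], candidate)
    return best

def screen(subject, entries=SDN_SAMPLE):
    """Route one name to clear / review / decline using the thresholds above."""
    score, uid, matched = best_match(subject, entries)
    outcome = "decline" if score >= DECLINE_AT else "review" if score >= REVIEW_AT else "clear"
    return {"subject": subject, "score": score, "uid": uid, "matched": matched, "outcome": outcome}

def screen_application(business, individuals, entries=SDN_SAMPLE):
    """Screen the business name and every natural person on the application;
    the worst single outcome decides the application."""
    rank = {"clear": 0, "review": 1, "decline": 2}
    results = [screen(name, entries) for name in [business, *individuals]]
    worst = max(results, key=lambda r: rank[r["outcome"]])
    return worst["outcome"], results
```

Every person in the review band keeps the matched alias and score in the result so the analyst sees exactly which list entry triggered the hit.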

OFAC screening is also an ongoing obligation, not just an onboarding checkpoint. The SDN list updates frequently — sometimes multiple times per week. A sub-merchant who passed OFAC screening at onboarding may appear on the list 18 months later. The compliance infrastructure needs to run ongoing batch re-screening against active sub-merchant portfolios and generate alerts when a previously cleared merchant now appears as a potential match.

Sole Proprietors vs LLCs: Different Friction, Different Risk

The KYC/KYB waterfall is not uniform across business types. Sole proprietors — common in field service (individual contractors, one-person HVAC operators) and healthcare staffing (individual nurse contractors) — have simpler entity structures but higher identity verification sensitivity. There is no EIN to verify (or the sole proprietor may use their SSN as their TIN), no separate business registration to confirm, and the individual's identity is the primary risk signal.

For a healthcare staffing platform onboarding registered nursing contractors as individual sub-merchants, the KYC process involves license verification (state nursing board) in addition to standard identity checks. A contractor whose nursing license has lapsed or been disciplined is not just a KYC risk — they're a regulatory risk for the platform that's processing their contractor payments. Integrating professional license verification into the onboarding waterfall for licensed-professional verticals is a platform-specific enhancement that goes beyond the standard PayFac compliance baseline.

LLCs and corporations introduce the beneficial ownership layer. A single-member LLC where the owner is also the operator is straightforward: one beneficial owner, one control person, same individual. A multi-member LLC with a complex ownership structure may require collecting and verifying several individuals. The disclosure form should collect ownership percentage for each member, allowing the platform's compliance engine to identify which members meet the 25% beneficial ownership threshold. The form also needs to cover the case where no individual owns 25% or more — in that case, the CDD Rule requires collection on the control person only.

Tiered Review Architecture

At 50 sub-merchants, a manual review queue is manageable. At 500, it isn't. The solution is not to remove human review — it's to structure the onboarding flow so that automated verification handles the straightforward cases, and human review is reserved for exceptions that automated systems cannot resolve.

A tiered review architecture looks like this: Tier 1 is fully automated — the application passes business entity verification, individual identity verification (name/DOB/address/SSN matching against identity bureau data), OFAC screening, and underwriting rules checks without any manual touchpoint. The merchant activates automatically, typically within minutes to hours. Tier 1 should handle 70–85% of applications in a clean vertical SaaS portfolio.

Tier 2 applications have one or more automated check results that require human review: a soft OFAC hit above the automatic-clear threshold, a discrepancy between the stated business address and verification results, or a beneficial owner whose identity data only partially matches bureau records. These applications route to a review queue where a compliance analyst reviews the specific exception and either clears the application with documentation or requests additional information from the merchant.

Tier 3 applications have hard blocks: automatic OFAC decline, prohibited business category, identity verification failure on a beneficial owner, or a business entity with a negative regulatory history (prior PayFac termination, Mastercard MATCH list appearance). These applications are declined or suspended pending significant additional documentation and compliance team review.
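An added example (not the article's code) that combines the 25% beneficial-owner rule from the LLC section with the three-tier routing above; the check result fields, the treatment of a non-active entity as a hard block, and the sample application are assumptions constructed for illustration.

```python
# Constructed example: derive the CDD collection set from the ownership
# disclosure, then route the application to a review tier from its check results.
BO_THRESHOLD = 25  # FinCEN CDD Rule: owners holding 25% or more

def cdd_individuals(owners, control_person):
    """Owners at or above the threshold plus the control person; when nobody
    crosses the threshold, the control person alone is collected."""
    required = [o["name"] for o in owners if o["pct"] >= BO_THRESHOLD]
    if control_person not in required:
        required.append(control_person)
    return required

def route(app):
    """Return (tier, reasons): 3 = hard block, 2 = analyst review, 1 = auto-activate."""
    c = app["checks"]
    hard, soft = [], []
    if c["ofac"] == "decline":
        hard.append("ofac_decline")
    if c["category"] == "prohibited":
        hard.append("prohibited_category")
    if c["match_list"] or c["prior_payfac_termination"]:
        hard.append("negative_regulatory_history")
    if c["entity_status"] != "active":
        hard.append("entity_not_active")   # assumption: dissolved entity is a hard block
    if c["ofac"] == "review":
        soft.append("ofac_soft_hit")
    if not c["address_match"]:
        soft.append("address_discrepancy")
    for person in cdd_individuals(app["owners"], app["control_person"]):
        result = c["identity"].get(person, "missing")   # bureau result per required person
        if result == "fail":
            hard.append(f"identity_fail:{person}")
        elif result != "match":
            soft.append(f"identity_{result}:{person}")
    if hard:
        return 3, hard
    return (2, soft) if soft else (1, [])

def with_checks(app, **overrides):
    """Copy of an application with some check results replaced (what-if routing)."""
    return {**app, "checks": {**app["checks"], **overrides}}

SAMPLE_APP = {   # constructed application: Pat Lee is under 25% and not collected
    "business": "Sunrise HVAC LLC",
    "owners": [{"name": "Maria Chen", "pct": 55}, {"name": "Luis Ortega", "pct": 30},
               {"name": "Pat Lee", "pct": 15}],
    "control_person": "Maria Chen",
    "checks": {"entity_status": "active", "category": "allowed", "ofac": "review",
               "address_match": True, "match_list": False, "prior_payfac_termination": False,
               "identity": {"Maria Chen": "match", "Luis Ortega": "partial"}},
}
```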

Bank Account Authentication

Before the first ACH disbursement to a sub-merchant's bank account, the account needs to be authenticated. The two primary methods are micro-deposit verification (two small deposits, typically $0.01–$0.99, with the sub-merchant confirming the amounts) and instant verification via bank connection APIs (Plaid or equivalent), where the sub-merchant authenticates directly with their bank and account ownership is confirmed in real time.

Micro-deposit verification has a completion rate problem. Sub-merchants who need to return to the platform 1–3 days later to confirm deposit amounts often don't — the activation flow is interrupted, and a significant share don't complete the verification step. Instant verification via bank connection resolves this by completing authentication in a single session, but requires the sub-merchant's bank to participate in the instant verification network, and some sub-merchants are unwilling to grant read access to their bank account data.

Offering both options — instant verification as the primary path, micro-deposit as the fallback — maximizes completion rates. Failed ACH disbursements (because the bank account on file has changed or was incorrectly entered) are operationally expensive: the disbursement returns as an ACH return code R03 (no account) or R04 (invalid account number), requires manual investigation, and delays the sub-merchant's payout. Pre-disbursement bank account authentication at onboarding is the cheapest point to catch this problem.

Ongoing Monitoring Obligations

Compliance does not end at onboarding. The BSA (Bank Secrecy Act) and its implementing regulations require financial institutions — and payment facilitators operating under a sponsoring bank's program — to maintain ongoing transaction monitoring for suspicious activity. Specifically, the platform is expected to identify and file Suspicious Activity Reports (SARs) when transaction patterns suggest money laundering, structuring, or other financial crimes.

Ongoing monitoring means the compliance infrastructure needs to flag anomalous transaction patterns: a sub-merchant whose transaction velocity suddenly spikes 10x with no corresponding business explanation, a pattern of transactions just below reporting thresholds (structuring), or a sub-merchant who begins accepting payments in transaction categories inconsistent with their stated business type. These flags don't automatically constitute SAR-reportable events, but they need to be reviewed and documented.

At 200–500 active sub-merchants processing meaningful GMV, the volume of transaction data flowing through the monitoring system is significant. Automated pattern detection — comparing each sub-merchant's current period behavior against their own historical baseline and against the platform's portfolio baseline — is the practical approach. Manual transaction review across an entire active sub-merchant portfolio is not a scalable compliance posture.
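An added example, not from the article, of the own-baseline velocity comparison and the just-below-threshold structuring check described in this section (the portfolio baseline is left out); the $10,000 threshold, the 10% band and the minimum count are assumed tunables, and the transactions are constructed.

```python
from statistics import mean, median

# Assumed tunables; only the 10x multiplier comes from the article.
VELOCITY_MULTIPLIER = 10      # current period at 10x the merchant's own baseline
REPORT_THRESHOLD = 10_000.0   # assumption: the monitored reporting threshold, in dollars
BAND_BELOW = 0.10             # "just below" = within 10% under the threshold
MIN_NEAR_THRESHOLD = 3        # assumption: this many near-threshold payments in a period

def daily_totals(txns):
    """Sum (day, amount) pairs into a {day: total} dict."""
    totals = {}
    for day, amount in txns:
        totals[day] = totals.get(day, 0.0) + amount
    return totals

def velocity_spike(baseline_txns, current_txns):
    """Flag when the current period's average daily volume is at least
    VELOCITY_MULTIPLIER times the median daily volume of the baseline period."""
    base = list(daily_totals(baseline_txns).values())
    cur = list(daily_totals(current_txns).values())
    if not base or not cur or median(base) <= 0:
        return False, 0.0   # no usable baseline yet: nothing to compare against
    ratio = mean(cur) / median(base)
    return ratio >= VELOCITY_MULTIPLIER, round(ratio, 1)

def structuring_pattern(current_txns):
    """Flag repeated payments sitting just under the reporting threshold."""
    low = REPORT_THRESHOLD * (1 - BAND_BELOW)
    near = [a for _, a in current_txns if low <= a < REPORT_THRESHOLD]
    return len(near) >= MIN_NEAR_THRESHOLD, near

def review_flags(baseline_txns, current_txns):
    """Flags an analyst must review and document; none is by itself SAR-reportable."""
    flags = []
    spike, ratio = velocity_spike(baseline_txns, current_txns)
    if spike:
        flags.append(f"velocity_spike:{ratio}x_baseline")
    structured, near = structuring_pattern(current_txns)
    if structured:
        flags.append(f"structuring:{len(near)}_payments_just_below_{int(REPORT_THRESHOLD)}")
    return flags

# Constructed sample: 30 baseline days at $500/day (two $250 payments each), then a
# week at roughly $6,000/day that includes three payments just under $10,000.
BASELINE = [(d, 250.0) for d in range(30) for _ in range(2)]
CURRENT = [(30, 9_600.0), (31, 9_850.0), (31, 1_200.0), (32, 9_990.0),
           (33, 4_000.0), (34, 2_500.0), (35, 3_000.0), (36, 1_700.0)]
```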

The compliance stack described here — KYC/KYB waterfall, OFAC screening, tiered review, bank account authentication, and ongoing monitoring — is the minimum operating standard for a PayFac acting responsibly under its acquiring bank's program. Platforms that build this infrastructure properly from the start are also building the data foundation that makes underwriting decisions, reserve management, and fraud prevention more accurate over time. The compliance investment compounds.