The B2B KYC attack surface

Business KYC is more complex than individual KYC. An individual has a BVN, a NIN, and a face. A business has a CAC registration, a TIN, a business address, one or more directors with their own identities, and a beneficial ownership structure that may span multiple levels of holding companies. Verifying all of this correctly requires integrating multiple data sources and binding the results together correctly. Each integration point is an attack surface, and the binding logic between them is where most of the exploitable vulnerabilities live.

The fraud incentive is also higher in B2B. A synthetic individual identity enables a consumer loan worth tens or hundreds of thousands of naira. A synthetic business identity enables a trade finance facility, a merchant acquiring account, or a business banking account with significantly higher transaction limits — potentially worth millions of naira. The reward for a successful business KYC bypass scales with the financial product the attacker is targeting.

1. CAC registration number substitution in KYC request

The most direct test: does the CAC verification API call use the registration number submitted by the user in the application form, or does it independently derive the registration number from a verified source? If an attacker can submit any CAC registration number in their business onboarding application and the backend queries the CAC database with the submitted number, the attacker can claim to be any registered Nigerian company simply by knowing its registration number — a six to eight digit number that is part of the public record.

The correct implementation: the backend accepts the registration number from the user's form, queries CAC to retrieve the company details, and then requires the user to confirm multiple pieces of returned data that they should know if they own the company — the registered director names, the registered address, the date of incorporation. An attacker who found the registration number on a public source but does not own the company cannot confirm these details correctly.

2. Director identity verification binding

After verifying the company with CAC, the platform must verify the individual who is acting on behalf of the company — typically a director or authorized signatory. We test whether the director verification is correctly bound to the CAC verification: the individual verified must appear in the CAC register as a director of the company being onboarded. If the director verification and the CAC company verification are conducted as independent checks without binding, an attacker can verify as the legitimate director of Company A while onboarding the account as Company B — creating an account where the verified director has no actual authority over the company.

3. Unauthorized CAC data lookups via the fintech API

Some fintechs expose a company search endpoint that their relationship managers or business development team use to look up companies during sales calls. We test whether this endpoint is accessible to regular authenticated users and whether it has rate limiting. An unprotected CAC lookup endpoint is a business intelligence tool for competitors and a director data harvesting tool for attackers — returning director names, addresses, and contact details for any company they search.

4. TIN verification and tax compliance bypass

Some platforms require a Tax Identification Number as part of business KYC. The TIN is issued by FIRS and linked to the CAC registration. We test whether the TIN verification is correctly bound to the CAC registration being verified — a TIN from a different company should not satisfy the TIN check for the company being onboarded — and whether the TIN verification can be skipped entirely by calling the account activation endpoint without completing the TIN step.

5. Beneficial ownership disclosure bypass

CBN requires verification of beneficial owners — individuals who hold 25% or more of a business. We test whether the platform enforces beneficial ownership disclosure before account activation, whether the threshold check can be manipulated (claiming 24.9% ownership for each of multiple controllers to avoid triggering the verification requirement), and whether the beneficial ownership data collected is actually verified against BVN records or merely collected as a form field without verification.

Real finding from a B2B fintech engagement

Any CAC registration number accepted regardless of company ownership evidence

During a penetration test of a Nigerian SME lending platform, we submitted a business loan application using the CAC registration number of a well-known Nigerian company that we had found in a public news article. The platform queried the CAC database, received the company details, and displayed them for our confirmation. We confirmed the displayed company name (a single click in the UI) without being required to provide any evidence that we were authorized to act for the company — no director verification, no confirmation of the registered address, no FIRS TIN match, no director's BVN verification. The loan application proceeded to credit assessment in the name of the legitimate company. Fix priority: critical. Remediated by adding a mandatory director verification step that requires the director to provide their BVN, verifies it against the BVN database, and confirms that the BVN holder appears in the CAC director register for the company being onboarded.

Running a B2B fintech or SME lending platform in Nigeria? Book a security audit of your corporate KYC integration before a business identity fraud losses your first large enterprise customer's trust.

Book a B2B KYC Security Audit

Frequently asked questions

What data does the CAC company verification API return?

A successful CAC company verification returns the company's registered name, registration number, registration date, registered address, company status (active, struck off, dissolved), and a list of directors including their full names, addresses, and in some cases their identification numbers. This director data is sensitive personal information of individuals who did not specifically consent to its disclosure through the verifying fintech's platform.

What is business identity fraud using CAC data?

Business identity fraud using CAC data involves registering a company with a name closely resembling a legitimate company, using the legitimate company's CAC registration number in a verification API call, and then using the returned successful verification to open financial accounts or obtain credit in the name of the legitimate business. The attacker uses a real CAC number — belonging to a real company they do not own — to pass business KYC on a B2B fintech platform.

Are there CBN requirements for business KYC that mandate CAC verification?

Yes. CBN's Customer Due Diligence Regulations require that financial institutions verify the legal existence of business customers, which includes confirming incorporation with CAC. The regulations also require verification of beneficial ownership — identifying individuals who ultimately own or control the business — which goes beyond the CAC registration check to require BVN and identity verification of directors and significant shareholders.

Related reading

Blog: KYC and BVN data security · Business banking security audit · NIN verification API security

Services: Penetration testing · API security