Executive Summary: Business verification APIs have become the backbone of modern lending operations. Alternative lenders processing thousands of applications per month cannot afford to verify each business manually across 50 Secretary of State databases, IRS records, and lien registries. The global KYB (Know Your Business) market reached $3.7 billion in 2024, growing at 18.2% CAGR, and is projected to reach $10.6 billion by 2033.[1] This guide compares 10 business verification API providers, explains what each does well, and helps risk leaders and technical evaluators choose the right solution for their lending stack.
What Is a Business Verification API and Why Do Lenders Need One?
A business verification API is a programmatic interface that retrieves and validates business entity data from authoritative sources: Secretary of State registries, the IRS, sanctions lists, court records, and lien databases. Lenders use these APIs to confirm that a business applying for funding actually exists, is legally active, and is operated by the people who claim ownership.
Why Can't Lenders Just Use Manual Verification?
Manual verification worked when lenders processed a few hundred applications per month. At scale, it breaks down. One MCA provider calculated their team spent 175+ hours per month on Secretary of State lookups alone, processing 10,000 applications at roughly five minutes each. Each of the 50 states has a different website, different data formats, and different search interfaces. Staff must be trained on state-specific terminology: Ohio calls a dissolved entity "Dead," California uses "Suspended-FTB" for franchise tax issues, and Georgia distinguishes between "Active/Compliance" and "Active/Noncompliance."[2]
The result is a bottleneck that slows underwriting, introduces human error, and creates gaps that fraudsters exploit. Fraud losses in auto lending alone hit $9.2 billion in 2024, up 16.5% year over year.[3] Shell company fraud, synthetic identity schemes, and stacking (borrowing from multiple lenders simultaneously using the same collateral) all thrive when verification is slow and inconsistent.
What Data Points Should a Business Verification API Return?
At minimum, a business verification API for lending should return:
• Entity registration status. Active, inactive, dissolved, suspended, revoked, or state-specific variations
• Filing date / formation date. Determines "time in business," a core underwriting signal
• Registered agent. Name and address of the entity's registered agent
• Officers and directors. Names, titles, and addresses for ownership verification and UBO compliance
• Physical and mailing addresses. For cross-referencing with the loan application
• Entity type. Corporation, LLC, partnership, sole proprietorship
• State of formation. Identifies where the entity was originally organized vs. where it operates
• Confidence score. A numerical indicator of match quality to support automated decisioning
• Audit trail documentation. Timestamped proof of verification for compliance files
The best APIs also return normalized data across all jurisdictions, so "Active" in Texas and "In Good Standing" in Delaware are translated into a consistent status format.
How Do the Top 10 Business Verification APIs Compare?
The market for business verification APIs breaks into three categories: primary data sources (pull directly from government registries), aggregated data providers (compile from secondary sources), and orchestration platforms (route requests across multiple data vendors). Understanding this distinction is critical because it determines data freshness, accuracy, and cost.
Provider Comparison Matrix
[TABLE-1]
What Are the Coverage Limitations You Should Know Before Integrating?
Before evaluating the detailed differences between provider types, here is what each category cannot do. Building a verification stack on assumptions about coverage leads to expensive surprises post-integration.
Where Does Cobalt Intelligence Have Gaps?
• UCC filing data covers 11 states. If your portfolio has significant exposure in states outside that coverage, you need a supplementary UCC source like CT Corporation or CSC Global for full collateral visibility.
• Court records cover New York and Miami-Dade County only. For nationwide litigation risk screening, you need LexisNexis, PACER, or a specialized litigation database.
• No credit scores, PAYDEX, or trade payment history. Cobalt is a verification layer, not a credit bureau. You still need D&B or Experian for credit modeling.
• No compliance workflows or case management. Cobalt returns structured data via API. It does not provide a dashboard for compliance teams to manage KYB cases, unlike Middesk or Alloy.
• Async response times vary by state. Oregon can take up to 5 minutes. Delaware charges $15-$20 per status check (a state-imposed fee). Plan your underwriting workflow around these edge cases.
Where Does Middesk Have Gaps?
• Higher per-verification cost than raw API access. The bundled platform model means you pay for compliance workflows and monitoring whether you use them or not.
• Less granular data control. Middesk returns structured verification results; Cobalt returns raw state data with screenshots, giving engineering teams more flexibility in how they process and store results.
Where Do Aggregated Providers (D&B, Experian) Have Gaps?
• No real-time SOS verification. They report what they last collected, not what the state says right now. Individual records may go weeks between refreshes.
• No timestamped screenshots. Audit trails rely on report dates, not verification-moment proof.
• Enterprise pricing is opaque. Contract negotiations, minimum commitments, and per-call fees create unpredictable costs for high-volume operations.
Understanding these limitations up front lets you design a multi-provider stack that covers your actual risk exposure, rather than discovering gaps after integration.
What Makes Primary Source Data Different from Aggregated Data?
This is the most important distinction for lenders evaluating business verification APIs. It determines whether you are seeing what the state says right now or what a database recorded days or weeks ago.
How Do Primary Source APIs Work?
Primary source APIs connect directly to the official Secretary of State websites and retrieve data in real time with each request. When a business dissolves on Monday and you run a verification on Tuesday, a primary source API reflects the dissolution. This matters for fraud prevention because fraudsters count on the lag between a state action and when aggregated databases update their records.
Cobalt Intelligence operates as a primary source data provider. Every live lookup (`liveData=true`) queries the actual state SOS website, and the response includes a timestamped screenshot of the state's page at the moment of verification.[4] This screenshot serves as audit-grade proof that verification occurred at a specific date and time, a critical requirement for compliance files.
Middesk also maintains direct connections to Secretary of State offices and IRS records.[5] The difference is in the product model: Middesk is a full-service KYB platform that bundles verification with compliance workflows, risk scoring, and monitoring. Cobalt is a data layer that returns raw, structured data for lenders to feed into their own risk models and decisioning engines.
What Are the Limitations of Aggregated Data?
Dun and Bradstreet, Experian, and similar providers maintain large databases that are updated periodically. D&B reports five million updates per day across 270+ million business records.[6] That sounds like a lot, but when you divide 270 million records by five million daily updates, any individual record may go weeks or months between refreshes. For lending underwriting, this gap creates risk.
Consider a scenario: a business in California gets suspended by the Franchise Tax Board on March 1. D&B may not reflect that suspension until their next batch update for that entity. A lender pulling D&B data on March 5 would see "Active" when the state says "Suspended-FTB." A primary source API would return the correct status in seconds.
Aggregated data providers compensate with breadth. D&B offers credit scores, trade payment data, PAYDEX scores, and firmographic intelligence that primary source APIs do not provide. Experian blends consumer and commercial data for small business lending decisions.[7] The right approach for most lenders is to use both: primary source data for entity verification and freshness-sensitive decisions, and aggregated data for credit modeling and historical trend analysis.
How Should a VP of Risk Evaluate Business Verification APIs?
Risk leaders evaluating business verification APIs should focus on five factors: data freshness, coverage, auditability, integration complexity, and total cost of ownership.
Which Factors Matter Most for Fraud Prevention?
• Data freshness. How recently was the data retrieved from the authoritative source? Real-time lookups catch dissolved entities, suspended businesses, and recent status changes that batch-updated databases miss. Shell companies often show brief periods of activity before dissolution. If your verification data is even a week stale, you may approve a loan to a business that no longer legally exists.
• Status normalization. Fifty states use different terminology for similar concepts. Without normalization, your underwriting team needs to know that Ohio's "Dead" equals California's "Terminated" equals Delaware's "Void."[2] APIs that return a normalized status field (e.g., `active`, `inactive`, `pending`, `unknown`) enable automated rules without state-by-state lookup tables.
• Officer and UBO data. FinCEN's Customer Due Diligence (CDD) Final Rule requires covered financial institutions to identify and verify beneficial owners of legal entity customers.[8] APIs that return officer names, titles, and addresses support this requirement directly. Cobalt's SOS API returns officer data where states make it available. Middesk and Alloy offer similar capabilities, often enriched with additional identity data from partner sources.
• Confidence scoring. Automated decisioning requires a numerical match quality indicator. Cobalt's confidence score ranges from 0.0 to 1.0; scores above 0.8 indicate high-confidence matches suitable for auto-approval, while scores below 0.5 flag likely mismatches for human review.
• Audit trail. Regulators expect documentation proving verification occurred at the time of the lending decision. Timestamped screenshots from Cobalt and verification reports from Middesk both serve this purpose. D&B and Experian provide dated reports, though without real-time state source screenshots.
How Do You Calculate ROI on a Verification API?
Labor savings alone do not justify an API integration. The real ROI comes from what a missed verification costs you.
The cost of a false negative by deal size:
[TABLE-2]
Industry data shows that business lending fraud losses reached $9.2 billion in 2024, with shell company and synthetic identity fraud growing fastest.[3] The Federal Trade Commission reports that businesses lose a median of $150,000 per fraud event when entity verification fails.[15] For high-volume MCA operations processing 5,000+ applications per month, even a 0.1% fraud rate on a $50,000 average deal size means $250,000 in annual losses from five missed fraudulent entities.
The full ROI equation:
• False negative prevention. At $1.00-$2.00 per API verification, screening 10,000 applications per month costs $10,000-$20,000/month. Preventing a single $75,000 loss per quarter pays for that spend 3-4x over.
• Labor reallocation. Manual verification at $25/hour and 5 minutes per lookup costs $2.08 per check. But the real cost is not the $2.08; it is the 3-5 hours your underwriters spend per day on state website lookups instead of analyzing deals. That is capacity, not just cost.
• Speed-to-fund advantage. In MCA lending, the first funder wins. Reducing verification from 30 minutes (manual) to 30 seconds (API) means your offer hits the merchant first. At a 15% improvement in close rate on speed-sensitive deals, the revenue impact dwarfs the API cost.
• Stacking detection. Cross-entity searches reveal borrowers operating multiple LLCs to stack funding from multiple lenders against the same revenue stream. A single stacking loss can exceed $500,000 when multiple positions are funded before the scheme surfaces.
What Should a CTO Consider When Integrating a Business Verification API?
Technical evaluators care about integration complexity, reliability, and operational overhead. The differences between providers on these dimensions are significant.
How Complex Is the Integration?
Integration complexity varies by provider:
• Cobalt Intelligence. RESTful API with JSON responses. Single endpoint for SOS lookups (`GET /v1/search`), one for full 50-state verification (`POST /fullVerification`). API key authentication. Supports async callbacks for slow states (Oregon can take up to 5 minutes). Typical integration time: 3-5 days. Test mode available at no charge.[9]
• Middesk. RESTful API with a dashboard option for non-technical teams. Richer integration surface with compliance workflows, monitoring, and risk scoring. Integration time: 1-2 weeks depending on feature scope.[10]
• Alloy. Orchestration platform that requires configuring data vendor connections, building decision workflows, and mapping data fields. More powerful but more complex. Integration time: 2-4 weeks.[11]
• D&B Direct+. Extensive API documentation with multiple endpoints for different data products (credit, compliance, firmographics). Enterprise-grade but heavy integration footprint.[6]
• Trulioo. RESTful API supporting both person and business verification. Global coverage adds complexity in handling country-specific requirements. Supports 500 business registration number formats.[12]
How Should You Handle Asynchronous Responses?
Not all Secretary of State databases respond in seconds. Oregon's system can take up to 5 minutes. Delaware charges $15-$20 per status check (a state-imposed fee, not a vendor surcharge). Any API that queries live state data must handle these edge cases.
Cobalt supports two async patterns: polling with a `retryId` (check back until results are ready) and callback URLs (results are POSTed to your endpoint when ready). For a typical lending workflow, the recommended approach is to initiate verification early in the underwriting process and let it run in parallel with bank statement analysis and credit checks. By the time the underwriter reaches the entity verification step, results are already available.
curl --location 'https://apigateway.cobaltintelligence.com/v1/search?searchQuery=Acme%20Corp&state=california&liveData=true&screenshot=true' \
--header 'x-api-key: Your_API_Key' \
--header 'Accept: application/json'The response returns entity status, formation date, officers, registered agent, and a timestamped screenshot URL, all in a single JSON payload.
What About Uptime and Reliability?
Business verification APIs depend on upstream state systems. When California's SOS website is down, no API can retrieve California data. The differentiator is how providers handle these failures:
• Cobalt returns a cached response (from the most recent successful lookup) when live data is unavailable, with a clear indicator that the data is from cache rather than a live query. The waterfall strategy (`liveData=false` first for sub-second cached response, then `liveData=true` for fresh data) balances speed and freshness.
• Middesk similarly maintains cached data and flags freshness in its responses.
• D&B and Experian are less affected by individual state outages since they maintain their own databases, but their data is inherently less fresh as a result.
How Do Business Verification APIs Fit into a Lending Tech Stack?
Business verification is one component of a broader underwriting workflow. Where it sits in the stack and how it interacts with other systems determines its value.
What Does a Typical Verification Stack Look Like?
For alternative lenders, the verification stack typically follows this sequence:
1. Application intake. Business name, address, EIN, owner information collected
2. Pre-screening. Quick cached lookups to filter obviously invalid applications (sub-second via APIs like Cobalt's cached mode)
3. Entity verification. Live SOS lookup confirms the business is active, formation date checks time-in-business requirements, officer data validates ownership claims
4. Identity verification. TIN/EIN verification confirms the business identity matches IRS records; OFAC screening checks sanctions lists
5. Lien and judgment search. UCC filing data reveals existing secured creditors; court records surface litigation risk
6. Credit decisioning. All verification data feeds into a risk model alongside bank statements, credit bureau data, and revenue information
7. Funding. If approved, proceeds to contract and funding
Cobalt covers steps 2-5 with its product suite: SOS API (1 credit), TIN/EIN Verification (3 credits), UCC Filing Data (1 credit), OFAC Sanctions Check (1 credit), and Court Records (1 credit, currently covering New York and Miami-Dade).[9] Providers like Middesk and Alloy offer similar coverage through bundled platform features or partner integrations.
When Should You Use Multiple Verification Providers?
Most sophisticated lending operations use more than one verification provider. The common pattern:
• Primary source API (Cobalt, Middesk) for entity verification and real-time SOS data
• Credit bureau (D&B, Experian) for credit scores, trade payment history, and financial risk indicators
• Identity platform (Socure, Alloy) for fraud scoring, synthetic identity detection, and biometric verification
• Specialty data (Enigma) for revenue estimation and firmographic enrichment
This layered approach ensures no single point of failure in the verification process. If one data source returns inconclusive results, others provide corroborating signals.
Test Cobalt's API in free mode. No credit card, no sales call required.
How Is the Business Verification API Market Changing in 2026?
Several trends are reshaping how lenders approach business verification.
What Regulatory Changes Are Driving API Adoption?
FinCEN's evolving beneficial ownership requirements continue to shape verification needs. In March 2025, FinCEN issued an interim final rule that removed beneficial ownership reporting requirements for U.S. companies under the Corporate Transparency Act, limiting reporting to foreign entities registered in the U.S.[14] However, the CDD Final Rule still requires financial institutions to identify and verify beneficial owners of legal entity customers when opening accounts.[8] This means lenders still need officer and ownership data from Secretary of State records, even as the broader BOI reporting landscape shifts.
State-level regulatory activity is also increasing. California's Department of Financial Protection and Innovation, Texas's Office of Consumer Credit Commissioner, and other state regulators are scrutinizing verification practices during examinations. Lenders that rely on stale data or manual processes face heightened audit risk.[15]
How Is AI Changing Business Verification?
AI is entering the verification space through two channels:
• Fraud detection models. Socure's RiskOS platform and Alloy's decision engine use machine learning to identify synthetic identities, shell company patterns, and stacking risk signals. These models consume verification data (including SOS API results) as inputs.[16]
• Entity linking and stacking detection. Cobalt's Find Related Businesses feature (currently in beta) surfaces other businesses connected to the same officers and registered agents found in an SOS search. This addresses one of the most expensive fraud patterns in alternative lending: stacking.
How Does Cross-Entity Verification Help Detect Stacking?
Stacking occurs when a borrower operates multiple LLCs across states and secures funding from multiple lenders against the same revenue stream. A single stacking scheme can expose lenders to $500,000+ in combined losses before the pattern surfaces. Traditional verification checks each entity in isolation; the fraud only becomes visible when you connect the entities to the same individuals.
Find Related Businesses automates this connection. When you verify "Acme Corp LLC" in Florida and the API returns an officer named John Smith, the related businesses search reveals that John Smith is also listed as an officer on "Smith Holdings LLC" in Texas, "JS Ventures LLC" in California, and "Acme Services Inc" in New York. If all four entities have applied for funding in the past 90 days, that is a stacking signal that manual verification would miss unless an underwriter happened to search all four states for the same name.
The operational impact is significant: lenders using cross-entity searches report catching stacking patterns that single-entity verification misses entirely. The feature adds 1-2 seconds to search time with no additional credit cost during beta, making it a risk-free addition to existing verification workflows.
For AI-powered fraud models (Socure, Alloy, in-house), the related entity graph provides a signal that traditional data inputs do not: the network structure around a borrower, not just the borrower's own entity data. This transforms entity verification from a point-in-time check into a network analysis tool.
See how Cobalt's verification APIs integrate into your underwriting workflow. Book a demo.
How Do You Choose the Right Business Verification API for Your Lending Operation?
The right choice depends on your volume, workflow complexity, and existing tech stack.
Decision Framework by Lender Type
The right provider depends on your deal economics, state mix, and existing stack. Here is how the math works at different scales.
High-volume MCA providers (5,000+ applications/month, $25K-$75K average deal):
Verification cost as a percentage of deal economics matters at this volume. At $1.00 per SOS lookup via Cobalt, verification costs 0.001% to 0.004% of deal value. A bundled platform at $5-$15 per verification pushes that to 0.007% to 0.06%. The dollar difference seems small per deal, but at 10,000 monthly applications it is the difference between $10,000/month and $50,000-$150,000/month in verification spend.
The decision criteria: Do you have an engineering team that can build verification into your existing workflow? If yes, Cobalt's raw API gives you maximum control at minimum cost. Pair with D&B or Experian for credit scoring. If your team is small and you need compliance workflows out of the box, Middesk's bundled approach trades higher per-verification cost for lower integration effort.
State mix also matters. If 60%+ of your applications come from states where entity fraud is concentrated (Florida, Texas, California, New York), real-time primary source data is non-negotiable. Stale data in those states creates disproportionate risk because that is where shell company formation volume is highest.
Mid-market lenders (500-5,000 applications/month, $75K-$500K average deal):
At higher deal sizes, the cost of a single false negative dwarfs any verification spend. One missed shell company at $250,000 equals 250,000 API lookups at $1.00 each. The decision here is less about verification cost and more about coverage completeness.
Middesk's bundled platform makes sense when your compliance team needs case management, ongoing monitoring, and pre-built audit workflows. The per-verification premium is justified because a compliance failure at this deal size triggers regulatory scrutiny that costs more than the annual platform spend.
If you already have compliance infrastructure (Alloy, an internal case management system), layer in Cobalt for primary source SOS data and D&B for credit. You get fresher entity data at lower cost without paying for workflow features you already have.
Platform companies (lending infrastructure, BaaS, embedded finance):
You are building verification into your product for downstream customers. Direct API access (Cobalt, Enigma) gives you maximum control over the UX, pricing, and data handling. You mark up the per-lookup cost to your customers and control the margin. Orchestration platforms (Alloy) add value if your customers need multi-vendor routing, but they also add a cost layer and a dependency.
Enterprise lenders with global operations:
Trulioo (195+ countries) or Markaaz (200+ countries) provide international coverage. Layer in Cobalt or Middesk for U.S.-specific SOS verification where data freshness matters most. The common pattern: Trulioo for global entity checks, Cobalt for U.S. primary source verification, D&B for global credit intelligence.
For Teams with an Existing Verification Stack
If you already run a verification process and are evaluating whether to add, replace, or augment, here is the decision tree:
Replace your current provider if:
• You are using aggregated data (D&B, Experian) as your primary entity verification source and have experienced a fraud loss where real-time data would have caught the dissolved or suspended status
• Your manual verification team is a bottleneck that delays funding by more than 2 hours per application
• Your current API provider does not return timestamped proof of verification, and your compliance team has flagged this in exam prep
Augment (add alongside your current stack) if:
• Your current provider covers entity verification but you lack UCC, TIN/EIN, OFAC, or court records in the same workflow
• You need primary source SOS data for speed-sensitive decisions but still rely on D&B for credit modeling
• You want stacking detection via cross-entity searches (Find Related Businesses) as a supplementary fraud signal
Keep your current setup if:
• Your fraud loss rate on entity verification failures is below 0.05% and your compliance team has not flagged data freshness concerns
• You process fewer than 200 applications per month and manual verification is not a bottleneck
• Your existing provider already delivers real-time SOS data with audit-grade documentation
Quick Selection Guide
[TABLE-3]
The verification landscape in 2026 rewards lenders who use the right tool for each job rather than trying to find a single provider that does everything. Primary source data for real-time entity verification. Aggregated data for credit modeling. Orchestration platforms for complex, multi-vendor workflows. The lenders winning the most deals are the ones who verify fastest, with the freshest data, at a cost that scales with their volume.
Get started with Cobalt's API. Free test mode, no credit card required.
.jpg){kind=small}
.png)