Regulatory Framework
The United States has a complex, multi-layered AML framework reflecting the country's federal structure. The foundational text is the Bank Secrecy Act (BSA) of 1970, strengthened by the USA PATRIOT Act of 2001 (post-9/11) and, more recently, by the Anti-Money Laundering Act of 2020 (AMLA), incorporated into the National Defense Authorization Act. The Corporate Transparency Act (CTA) of 2021, whose first obligations took effect in 2024, introduced a federal beneficial ownership registry, addressing a historic gap in the US system.
FinCEN (Financial Crimes Enforcement Network), within the Department of the Treasury, is the central authority of the US AML framework. FinCEN administers the BSA, collects and analyses transaction reports (CTRs, SARs), maintains the CTA beneficial ownership registry, and promulgates AML regulations. It works closely with federal banking regulators (OCC, Federal Reserve, FDIC), the SEC (for capital markets), and the DOJ (for criminal prosecutions).
Federal banking regulators (the OCC for national banks, the Federal Reserve for bank holding companies and state member banks, the FDIC for state non-member banks) incorporate BSA/AML compliance into their prudential supervision and conduct regular examinations. OFAC (Office of Foreign Assets Control), also within Treasury, administers economic sanctions programmes and mandates sanctions list screening.
The US framework is characterised by overlapping federal and state requirements. Certain states, notably New York with its Department of Financial Services (DFS), impose additional AML obligations that go beyond federal requirements.
Who Must Comply
The BSA and its implementing regulations define financial institutions subject to obligations:
- Banks and credit unions: commercial banks, savings institutions, credit unions
- Broker-dealers: securities brokers, supervised by the SEC and FINRA
- Insurance companies: insurers for life insurance and annuity products
- Mutual funds: investment funds
- Money services businesses (MSBs): money transmitters, currency exchangers, traveller's cheque issuers, registered with FinCEN
- Casinos and card clubs: land-based and online gaming establishments (in states where online gaming is legal)
- Dealers in precious metals, stones, or jewels: high-value goods dealers
- Housing Government Sponsored Enterprises: Fannie Mae, Freddie Mac
- Non-bank residential mortgage lenders and originators: non-bank mortgage lenders
Unlike the European approach, lawyers, accountants, and real estate agents are not formally subject to BSA/AML obligations at the federal level, although certain sectoral regulations and legislative proposals aim to expand the scope. The Corporate Transparency Act has, however, broadened beneficial ownership reporting obligations to companies themselves.
Customer Due Diligence Requirements
Standard Due Diligence (CDD)
The CDD Rule (Customer Due Diligence Requirements for Financial Institutions), effective since 2018 (31 CFR Section 1010.230), imposes four pillars of due diligence:
Customer Identification Program (CIP): under Section 326 of the USA PATRIOT Act, each financial institution must maintain a CIP that collects, at minimum, the name, date of birth, address, and identification number (SSN for US citizens, passport/foreign identification number for non-residents). Verification may be documentary (driver's licence, passport, government-issued photo ID) or non-documentary (verification via databases, credit bureaus, etc.).
Beneficial owner identification: any natural person who directly or indirectly holds 25% or more of the equity of a legal entity customer, as well as any natural person exercising significant control over the entity (principal executive officer, chief financial officer, etc.). Under the Corporate Transparency Act, companies must themselves report their beneficial owners to FinCEN (Beneficial Ownership Information, BOI), creating a federal database accessible to financial institutions and law enforcement.
Understanding the nature and purpose of the relationship: determination of the customer's risk profile, activity, and expected nature of transactions.
Ongoing monitoring: updating customer information and monitoring transactions to detect suspicious activity, consistent with the customer profile.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence applies in the following situations:
- Private banking accounts for non-US persons: Section 312 of the USA PATRIOT Act imposes specific EDD for private banking accounts of non-US persons.
- Correspondent accounts for foreign financial institutions: US institutions must assess the AML risk of the foreign correspondent and implement proportionate measures.
- Senior foreign political figures (equivalent to PEPs): institutions must identify and apply enhanced due diligence to foreign political figures and their associates.
- Shell banks: US institutions may not maintain correspondent accounts with shell banks (banks with no physical presence in any jurisdiction).
- High-risk countries: countries identified by FinCEN via advisories, or listed by the FATF as deficient jurisdictions.
- High-risk customers: identified by the institution within its risk-based BSA/AML programme.
Required Documents
For natural persons (US citizens):
- Valid state-issued driver's licence
- US passport
- Social Security Number (SSN)
- Where applicable, Military ID or Government-issued photo ID
For natural persons (non-residents):
- Valid foreign passport
- Foreign identification number or Individual Taxpayer Identification Number (ITIN)
- Proof of address in country of residence
For legal persons:
- Articles of incorporation or certificate of formation
- Employer Identification Number (EIN)
- Operating agreement or bylaws
- Beneficial Ownership Information (BOI) filed with FinCEN under the CTA
- Identity documents of all beneficial owners (25%+) and the person exercising significant control
- Where applicable, certificate of good standing
For trusts:
- Trust agreement or declaration of trust
- Identification of trustees, grantors, and beneficiaries
- Trust EIN
Retention period: 5 years after account closure or transaction execution.
Reporting Obligations
Currency Transaction Reports (CTRs): mandatory automatic reporting of any cash transaction of USD 10,000 or more (or multiple related transactions totalling USD 10,000 or more in a single business day for the same customer). CTRs must be filed with FinCEN within 15 days of the transaction.
Suspicious Activity Reports (SARs): financial institutions must file a SAR with FinCEN for any suspicious transaction of USD 5,000 or more (USD 2,000 for MSBs). The SAR must be filed within 30 days of initial detection of suspicious activity (60 days if no suspect is identified). There is no obligation to notify law enforcement in addition to the SAR.
Beneficial Ownership Information (BOI) reports: under the Corporate Transparency Act, companies (reporting companies) must report their beneficial owners to FinCEN. Companies formed before 2024 had until 1 January 2025 to make their initial filing. New companies must file within 90 days of formation.
OFAC screening: while technically separate from BSA/AML obligations, OFAC sanctions list screening (SDN List, Sectoral Sanctions Identifications List) is a parallel requirement for all US financial institutions. Any match must result in fund blocking and an OFAC report.
Tipping off prohibition: informing a customer or third party that a SAR has been filed constitutes a federal violation, subject to civil and criminal penalties.
In 2024, FinCEN received more than 4.6 million SARs and 18 million CTRs, substantial volumes reflecting the size of the US financial market.
Penalties for Non-Compliance
Civil penalties (FinCEN and banking regulators):
- Civil fines of up to the greater of double the transaction amount involved and USD 1 million per violation for BSA violations
- Consent orders: compliance agreements under supervision
- Cease and desist orders: orders to stop non-compliant practices
- Removal of officers: dismissal of directors
Notable examples: US fines are among the highest in the world. TD Bank accepted a settlement of USD 3 billion in 2024 for systemic BSA/AML failures. Wachovia paid USD 160 million, HSBC USD 1.9 billion. OFAC sanctions are added to BSA/AML penalties.
Criminal penalties:
- Money laundering (18 USC Sections 1956-1957) is punishable by 20 years' imprisonment and a fine of up to USD 500,000 or double the amount laundered
- Wilful BSA violations (structuring, failure to file CTR/SAR) are punishable by 10 years' imprisonment and USD 500,000 fine
- Terrorist financing is punishable by 20 years to life depending on circumstances
OFAC sanctions: sanctions violations can result in civil fines of approximately USD 350,000 per violation (adjusted annually for inflation) or double the transaction amount, whichever is greater.
How CheckFile Helps
The US BSA/AML framework is one of the most demanding and closely supervised in the world. Record fines imposed on financial institutions, including TD Bank's USD 3 billion settlement, illustrate the considerable risks of non-compliance. CheckFile offers an AI-powered document verification solution designed to meet CIP, CDD Rule, and Corporate Transparency Act requirements.
The platform automatically verifies the authenticity of US identity documents (driver's licences from all 50 states, US passports, Military IDs) and more than 6,000 international document types. The AI analyses security features specific to each state (driver's licences vary considerably between states), performs biographical data validation, and detects document fraud with an accuracy rate exceeding 99%.
For Corporate Transparency Act compliance, CheckFile facilitates the collection and verification of beneficial owner and significant control person identity documents. The complete audit trail (timestamped, detailed, and archived for 5 years) meets the requirements of federal examiners (OCC, Federal Reserve, FDIC) during BSA/AML examinations. API integration enables smooth automation compatible with US banking systems and onboarding platforms. Processing complies with US data protection requirements and the GDPR for international operations.
FAQ
What documents are required for KYC in the United States?
For US citizens, a valid state-issued driver's licence or passport and the Social Security Number are the reference documents. For non-residents, a foreign passport and foreign identification number or ITIN. For legal persons, articles of incorporation, EIN, BOI filing with FinCEN, identity documents of beneficial owners (25%+), and the person exercising significant control are required. Retention is 5 years.
What are the penalties for KYC non-compliance in the United States?
US penalties are among the most severe in the world. Civil fines can reach USD 1 million per violation or double the transaction amount. TD Bank paid USD 3 billion in 2024. Money laundering carries up to 20 years' imprisonment and USD 500,000 in fines. OFAC violations result in additional penalties.
How often must KYC checks be updated in the United States?
The CDD Rule requires ongoing monitoring without a prescribed review frequency. In practice, regulators expect an annual review for high-risk customers, every 3 years for medium risk, and every 5 years for low risk. Trigger events (change in beneficial ownership, unusual transaction activity, adverse information) require an immediate update. Federal examiners systematically assess monitoring quality during BSA examinations.