Compliance · 10 min read

Due diligence explained: complete checklist for US businesses

A practical guide to due diligence for US businesses: BSA/AML requirements, FinCEN CDD Rule, OFAC screening, and a complete checklist covering legal, financial, and ESG domains.

Michael Torres, Compliance Director

Due diligence is the structured process of investigating a counterparty, acquisition target, or business partner before committing to a transaction or relationship. In the United States, due diligence obligations arise from multiple federal and state sources: the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311–5336, FinCEN's Customer Due Diligence (CDD) Final Rule (31 CFR § 1010.230), OFAC sanctions regulations, and applicable state money transmission laws.

This article is for compliance officers, BSA/AML officers, and legal teams at US financial institutions and businesses. It is informational only and does not constitute legal, financial, or regulatory advice.

What is due diligence and why does it matter for US businesses?

Due diligence is a risk assessment carried out before a business decision. It confirms a counterparty's identity, beneficial ownership, financial health, regulatory standing, and reputation. For financial institutions, the BSA and FinCEN's implementing regulations make customer due diligence a statutory requirement — not a best practice.

FinCEN's CDD Final Rule (effective May 11, 2018) codified four core requirements for covered financial institutions: (1) customer identification and verification; (2) beneficial ownership identification for legal entity customers above the 25% threshold; (3) understanding the nature and purpose of the relationship; and (4) ongoing monitoring for suspicious activity (31 CFR § 1010.230).

The regulatory landscape continues to evolve. On February 13, 2026, FinCEN issued Order FIN-2026-R001 granting exceptive relief to covered financial institutions from certain beneficial ownership re-verification requirements at new account opening. Institutions should review this Order alongside any forthcoming CDD Rule revisions expected in mid-2026 (FinCEN Guidance FIN-2026-R001).

The 5 types of due diligence for US businesses

Due diligence is not a single exercise. The scope depends on the context: M&A transactions, new client onboarding for regulated entities, vendor qualification, or investment appraisal.

Type          | Primary focus                                   | Key documents
Legal         | Corporate structure, litigation, IP, contracts  | State SOS filings, articles of incorporation, UBO records
Financial     | Profitability, cash flow, liabilities           | 3–5 years audited financials, management accounts
Tax           | IRS compliance, hidden tax liabilities          | Federal/state tax returns (5 years), transfer pricing docs
BSA/AML/OFAC  | Sanctions, PEP status, beneficial ownership     | KYC documents, source of funds, OFAC screening results
ESG           | Human rights, environmental, anti-bribery       | ESG disclosures, supply chain audit reports, FCPA documentation

The complete due diligence checklist

Legal due diligence

Legal due diligence confirms that a business exists, operates lawfully, and carries no undisclosed liabilities. In the US, corporate information is maintained at the state level.

Documents to collect:

  • Secretary of State (SOS) filings: articles of incorporation/organization, registered agent, current status (active/dissolved), and officer/director information
  • Operating agreement or bylaws and shareholder/member agreements
  • Material contracts — customer, supplier, and employment — including change-of-control provisions
  • Schedule of current and threatened litigation, including PACER federal court search
  • Intellectual property: USPTO trademark and patent registrations, copyright notices, domain ownership
  • Corporate Transparency Act (CTA) compliance: since January 1, 2024, most US companies must report beneficial owners to FinCEN under the CTA (31 U.S.C. § 5336)

Under the Corporate Transparency Act, non-exempt companies that fail to file or update beneficial ownership information with FinCEN by the applicable deadline face civil penalties of $591 per day and criminal penalties of up to $10,000 and 2 years imprisonment (31 U.S.C. § 5336(h)).

Financial and tax due diligence

Financial due diligence validates the proposed valuation and uncovers hidden liabilities. US M&A practice requires a minimum three-year financial review for smaller transactions and five years for larger deals.

Priority checks:

  • Adjusted EBITDA and normalized free cash flow analysis
  • IRS compliance: federal corporate income tax returns (Form 1120 or 1120-S), state income tax filings, sales and use tax returns, and payroll tax filings (Form 941)
  • Pending IRS audits or state tax department examinations
  • Outstanding liens or judgments — search UCC filing records at the Secretary of State and federal tax lien records at the IRS
  • Employee benefits and pension obligations under ERISA

IRS audit statistics show that large corporations (over $250 million in assets) face an examination rate of approximately 8.8%, while pass-through entities have rates of 0.2–0.5% (IRS Data Book 2024, Table 9).

BSA/AML and OFAC due diligence for covered institutions

For businesses regulated under the BSA — including banks, credit unions, money services businesses (MSBs), broker-dealers, and mutual funds — customer due diligence is a statutory requirement enforced by the Financial Crimes Enforcement Network (FinCEN) and federal banking regulators (OCC, FDIC, Federal Reserve).

The five pillars of a BSA/AML compliance program:

  1. Internal controls and written policies: documented AML/CFT program approved by senior management and updated for current operations
  2. Designated compliance officer: qualified BSA/AML officer with appropriate authority and resources
  3. Ongoing employee training: role-based, documented annually, updated for regulatory changes
  4. Independent testing: periodic audit by internal audit or external third party
  5. Customer due diligence: identification, beneficial ownership verification (≥25% threshold), purpose of relationship, and ongoing monitoring

OFAC screening is legally distinct from BSA/AML obligations but operationally integrated in most compliance programs. All US persons and entities must screen customers, transactions, and counterparties against OFAC's Specially Designated Nationals (SDN) and Consolidated Sanctions List prior to transaction execution. Ongoing screening (monthly or quarterly) is required — not just at onboarding.

Three tiers of customer due diligence apply under FinCEN's risk-based approach:

  1. Standard CDD: baseline for most business relationships — verify identity, beneficial ownership (for legal entities), and understand the relationship purpose (31 CFR § 1010.220)
  2. Simplified procedures: for demonstrably low-risk products or customers — documented risk rationale required
  3. Enhanced Due Diligence (EDD): mandatory for correspondent accounts for foreign financial institutions (31 CFR § 103.176), private banking accounts, and high-risk customers including Politically Exposed Persons (PEPs) — foreign PEPs trigger mandatory EDD under 31 U.S.C. § 5318(i)

Automated document verification reduces KYC processing time by 60–80% compared to manual review. CheckFile automates identity document verification, corporate record cross-checks, and address verification in compliance with FinCEN CDD requirements.

For a broader overview of AML program requirements, see our anti-money laundering compliance guide.

ESG and supply chain due diligence

ESG due diligence in the US is driven by a combination of federal disclosure requirements and voluntary frameworks, alongside market pressure from institutional investors.

Checklist:

  • Foreign Corrupt Practices Act (FCPA) compliance documentation: anti-bribery policies, third-party due diligence records, training logs (DOJ/SEC FCPA Resource Guide, 2nd ed.)
  • Conflict Minerals Rule (SEC Rule 13p-1): for issuers, annual disclosure on Dodd-Frank Section 1502 conflict mineral sourcing from DRC and adjoining countries
  • Modern Slavery compliance: voluntary statement or supply chain audit (required for UK-listed subsidiaries under the Modern Slavery Act 2015, s.54)
  • SEC Climate Disclosure Rule: for public companies, climate-related disclosures per the SEC's rule finalized in March 2024 (though implementation timeline is subject to ongoing litigation)
  • GDPR/US state privacy law compliance (CCPA, CPRA, state equivalents): data processing agreements, privacy impact assessments

The DOJ and SEC brought 26 FCPA enforcement actions in 2024, with total corporate fines exceeding $1.9 billion — underscoring that anti-bribery due diligence is not optional for US businesses with international operations (DOJ FCPA 2024 Year in Review).

Due diligence by transaction type in the US context

Transaction                              | Due diligence level   | Recommended timeline  | Key specialists
New regulated customer (BSA-covered)     | Standard to Enhanced  | 2–5 business days     | BSA officer, compliance
SME acquisition                          | Comprehensive         | 4–8 weeks             | Attorneys, CPAs, tax advisers
Strategic supplier (critical vendor)     | Standard              | 1–2 weeks             | Procurement, legal, compliance
Minority investment                      | Comprehensive         | 3–6 weeks             | M&A counsel, finance
Standard vendor onboarding               | Simplified            | 24–48 hours           | Procurement, compliance

How to automate your due diligence process

The most common question from US compliance teams is: How do we scale due diligence without adding headcount?

The answer combines secure virtual data rooms with automated document verification. CheckFile verifies document authenticity (fraud detection, intelligent OCR, cross-document consistency checks) and integrates with existing workflows via API, reducing compliance team burden on high-volume onboarding.

An internal benchmark across 150 due diligence files processed via CheckFile showed an average 72% reduction in document collection and verification time compared to a standard manual process.

For an overview of documentation standards in compliance programs, see our document compliance guide. Additional resources on program structure are available on our security page.

FAQ

What is the difference between BSA/AML due diligence and M&A due diligence?

BSA/AML due diligence is a regulatory obligation for covered financial institutions focused on identifying the beneficial owners, verifying identity, and monitoring for suspicious activity in ongoing business relationships. M&A due diligence is a broader commercial investigation — covering legal, financial, tax, and operational factors — undertaken by an acquirer before a transaction. The two overlap when a regulated entity acquires another business and must apply CDD to the new entity's customer base.

Does the Corporate Transparency Act replace FinCEN's CDD Rule?

No. The CTA created FinCEN's Beneficial Ownership Information (BOI) registry for companies to self-report their UBOs. FinCEN's CDD Rule requires covered financial institutions to independently collect and verify beneficial ownership from customers at the time of account opening. The two regimes operate in parallel, though FinCEN has indicated it will update the CDD Rule to allow institutions to rely on BOI registry data in certain circumstances.

What triggers Enhanced Due Diligence (EDD) in the US?

EDD is triggered by: (1) correspondent banking accounts for foreign financial institutions (mandatory under 31 CFR § 103.176); (2) private banking accounts for non-US persons (31 U.S.C. § 5318(i)); (3) any customer deemed high-risk by the institution's risk assessment, including foreign PEPs, customers in high-risk jurisdictions, and those with complex or opaque ownership structures; and (4) suspicious activity patterns identified through transaction monitoring.

How long must BSA/AML records be retained?

Under the BSA, covered financial institutions must retain records of customer identification for 5 years from the date the account is closed, and records of beneficial ownership for 5 years from the date the information is last obtained (31 CFR § 1010.230(i)). SAR-related records must be retained for 5 years from the filing date. AML program documentation, training records, and audit reports must also be retained for 5 years.

What are the penalties for OFAC violations?

Civil penalties for OFAC violations range from $325,000 per count to over $1 million per transaction, depending on the sanctions program. Criminal penalties can include up to 20 years imprisonment and fines up to $1 million per violation for willful violations (OFAC Civil Penalties and Enforcement Information). In 2024, OFAC issued over $1.5 billion in civil penalties.


This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific guidance, consult a qualified attorney, CPA, or BSA/AML compliance specialist. CheckFile supports compliance teams with automated document verification — visit our pricing page or contact us to learn more.