KYC: The Complete Guide for US Businesses in 2026

What is KYC in the USA? FinCEN requirements, BSA obligations, CIP rules and AML best practices for American businesses. Updated compliance guide for 2026.

Michael Torres, Compliance Director

KYC — Know Your Customer — is the regulatory framework requiring financial institutions and other covered businesses in the United States to verify the identity of their customers, assess the associated money laundering and terrorist financing risks, and monitor business relationships on an ongoing basis. In the US, KYC requirements are primarily established by the Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq., enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury.

The stakes are high. In 2023, US financial institutions paid over $6.4 billion in BSA/AML fines, with KYC deficiencies cited as a leading cause in the majority of enforcement actions. FinCEN's Customer Identification Program (CIP) rule — codified at 31 CFR Part 1020.220 — mandates specific minimum standards that every covered institution must meet before onboarding any customer.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified compliance attorney or regulatory specialist for guidance specific to your situation.

What Is KYC in the United States?

KYC in the US is the collection of policies, procedures, and controls that financial institutions implement to identify their customers, understand the nature of their business, and assess whether their transactions are consistent with their stated purpose. The term "KYC" is often used interchangeably with Customer Due Diligence (CDD), which FinCEN formalized in its CDD Rule, effective May 11, 2018.

As of February 2026, FinCEN's Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program Rule — finalized in September 2024 — requires all covered institutions to adopt a risk-based approach, moving beyond checkbox compliance to genuine risk assessment (FinCEN AML/CFT Program Rule, 89 Fed. Reg. 73924, Sept. 12, 2024).

The US KYC framework rests on four pillars established by the CDD Rule:

  • Customer Identification Program (CIP): verify the identity of every customer opening an account
  • Customer Due Diligence (CDD): understand the nature and purpose of customer relationships
  • Beneficial Ownership identification: identify and verify individuals owning 25% or more of a legal entity
  • Ongoing monitoring: detect and report suspicious activity on a continuous basis

Which US Businesses Must Comply with KYC?

The BSA defines "financial institutions" broadly. FinCEN regulations apply to a wide range of covered businesses.

| Category | Examples of Covered Entities |
|---|---|
| Banks and credit | Commercial banks, savings associations, credit unions |
| Securities | Broker-dealers, investment advisers, mutual funds |
| Insurance | Life insurance companies issuing certain products |
| Money services | Money transmitters, check cashers, currency exchangers |
| Casinos | Land-based and tribal casinos meeting revenue thresholds |
| Dealers | Dealers in precious metals, stones, or jewels (cash transactions > $10,000) |
| Real estate | Settlement agents (as of 2024 FinCEN proposed rules) |
| Crypto | Virtual asset service providers (VASPs) subject to FinCEN registration |

Since August 2024, FinCEN has expanded its real estate reporting rules under the Geographic Targeting Orders (GTOs), requiring reporting of non-financed residential real estate transactions in targeted markets. Additional final rules covering broader real estate KYC obligations are expected to take effect in 2026.

The Four Components of US KYC Compliance

Customer Identification Program (CIP)

Every bank, broker-dealer, and other covered institution must implement a written CIP as part of its AML program. The CIP must, at minimum, collect four data points from individual customers: name, date of birth, address, and Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN). For non-US persons, a passport number with country of issuance or other government-issued document number is acceptable.

For legal entity customers, institutions must collect: full legal name, street address, Employer Identification Number (EIN), and — critically since May 2018 — beneficial ownership information under the CDD Rule.

The CDD Rule requires financial institutions to identify and verify any individual who owns, directly or indirectly, 25% or more of a legal entity customer, plus one individual who controls the entity, even if their ownership is below 25%. This requirement applies to corporations, limited liability companies, and general partnerships (31 CFR Part 1010.230).

Customer Due Diligence (CDD)

Beyond identification, institutions must understand the nature and purpose of the customer relationship. This means profiling expected transaction patterns, understanding the customer's source of funds, and establishing a baseline against which future activity is monitored. The FFIEC BSA/AML Examination Manual — the authoritative reference for bank examiners — provides detailed expectations for CDD implementation across different product and service lines.

Enhanced Due Diligence (EDD)

EDD is mandatory for higher-risk customers and relationships. Under FinCEN guidance, EDD applies when:

| Risk Factor | EDD Trigger | Required Action |
|---|---|---|
| Foreign correspondent banks | High-risk jurisdictions | Payable-through account scrutiny, wire transfer review |
| Politically Exposed Persons (PEPs) | Foreign government officials | Source of wealth investigation, senior management approval |
| Private banking customers | High-net-worth international clients | Enhanced ongoing monitoring, at least annual review |
| Shell companies | Complex ownership structures | UBO identification, purpose verification |
| Jurisdictions on FATF lists | High-risk or non-cooperative countries | Countermeasures per OFAC guidance |

The Office of Foreign Assets Control (OFAC) maintains sanctions lists — including the Specially Designated Nationals (SDN) list — that all US businesses must screen customers against before establishing any financial relationship. OFAC violations can result in civil penalties of up to $1.2 million per violation or twice the value of the transaction, whichever is greater.

Ongoing Monitoring and SAR Filing

US institutions must monitor customer transactions for suspicious activity and file Suspicious Activity Reports (SARs) with FinCEN when they identify transactions involving at least $5,000 that may involve money laundering, BSA violations, or other specified illegal activity. FinCEN received 4.6 million SAR filings in 2023, a 19% increase from 2022.

SARs must be filed within 30 days of detecting a suspicious transaction, or within 60 days if additional investigation is needed to identify a subject. The existence of a SAR is strictly confidential — disclosing it to the subject of the SAR is a federal crime under 31 U.S.C. § 5318(g)(2).

OFAC Sanctions Screening: A Distinct KYC Obligation

Sanctions screening is separate from, but closely integrated with, KYC. Every US person — individual or business — is prohibited from engaging in transactions with entities or individuals on OFAC's SDN list and other sanctions lists. Financial institutions must screen customers at onboarding and on an ongoing basis, particularly after OFAC list updates.

In 2024, OFAC imposed over $1.5 billion in civil penalties for sanctions compliance failures, underscoring the severity of inadequate screening controls. Our AML compliance guide covers OFAC screening in greater detail.

The Corporate Transparency Act (CTA) and FinCEN's BOI Registry

The Corporate Transparency Act — effective January 1, 2024 — created a new federal beneficial ownership information (BOI) registry administered by FinCEN. Most US corporations, LLCs, and similar entities formed or registered in the US must file BOI reports identifying their beneficial owners directly with FinCEN. This registry supplements (but does not replace) the CDD Rule's customer-level beneficial ownership collection requirements.

As of February 2026, the CTA enforcement landscape is subject to ongoing litigation. Entities should monitor FinCEN's official guidance for the current filing status requirements.

KYC for Cryptocurrency and Virtual Assets

FinCEN's 2019 guidance confirmed that most businesses engaged in virtual currency exchange or transmission are money services businesses (MSBs) subject to full BSA/AML requirements. This includes crypto exchanges, DeFi platforms where a person or entity facilitates transactions, and NFT platforms in certain circumstances.

All registered MSBs must maintain a written AML program, conduct CIP at account opening, file SARs and Currency Transaction Reports (CTRs), and maintain records of transactions over $3,000. For more on evolving KYC requirements in 2026, see our 2026 KYC requirements guide.

Automating KYC in the US Market

US financial institutions are under increasing pressure to reduce the cost and time burden of KYC while maintaining regulatory rigour. Manual KYC processes for high-risk corporate clients can take 60 to 100+ days and cost $500 to $3,000 per client. Automated eKYC solutions cut these figures dramatically.

CheckFile's document verification platform supports US government-issued ID documents — driver's licenses from all 50 states, US passports, and green cards — with AAMVA standard compliance and OFAC/SDN list integration. View our pricing plans for US businesses.

For comprehensive guidance on building a robust KYC programme within a broader compliance framework, our documentary compliance guide provides actionable best practices applicable to US regulated businesses.

Frequently Asked Questions

What is KYC in the USA?

KYC (Know Your Customer) in the US is the regulatory framework under the Bank Secrecy Act requiring covered financial institutions to verify customer identities, understand their business relationships, and monitor for suspicious activity. FinCEN's CDD Rule (2018) established the four core elements: CIP, CDD, beneficial ownership identification, and ongoing monitoring.

What documents are required for KYC in the US?

For individuals: name, date of birth, address, and a Social Security Number (SSN) or ITIN. Acceptable verification documents include a US passport, driver's license, state ID card, or a foreign passport with proof of US address. For legal entities: full legal name, EIN, principal business address, and beneficial ownership information for all individuals owning 25% or more.

What is FinCEN and what role does it play in KYC?

FinCEN (Financial Crimes Enforcement Network) is a bureau of the US Department of the Treasury that administers the Bank Secrecy Act. It issues regulations, collects BSA filings (SARs, CTRs), maintains the BOI registry under the Corporate Transparency Act, and coordinates with law enforcement to combat money laundering and terrorist financing. FinCEN's examination manual is the de facto standard for KYC compliance in US financial institutions.

What happens if a US business fails to comply with KYC requirements?

Penalties for BSA/KYC violations can be severe: civil money penalties up to $1 million per willful violation, criminal fines up to $500,000 per violation, imprisonment of up to 10 years for individuals, and deferred prosecution agreements requiring costly monitorship. In addition, regulators can issue cease-and-desist orders, require changes in management, or revoke banking charters.

What is the difference between KYC, CDD, and AML in the US context?

KYC is the broad framework for knowing who your customers are. CDD (Customer Due Diligence) is FinCEN's specific regulatory standard for implementing KYC — including CIP, risk-based due diligence, beneficial ownership, and monitoring. AML (Anti-Money Laundering) encompasses the full BSA compliance programme: KYC/CDD, SAR filing, CTR filing, staff training, independent testing, and designated AML officer requirements.
