US Crypto KYC and Identity Verification Rules in 2026
US crypto compliance in 2026: FinCEN BSA obligations, SEC enforcement actions, state money transmitter licenses, NYDFS BitLicense
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokThe United States has no single crypto-asset regulation equivalent to the EU's MiCA. Instead, crypto businesses operating in the US face a layered framework of federal and state requirements: FinCEN's Bank Secrecy Act (BSA) obligations, SEC enforcement actions, CFTC oversight for crypto derivatives, state money transmitter licensing in all 50 states, and the New York Department of Financial Services (NYDFS) BitLicense. In 2026, the regulatory pressure has intensified. The Anti-Money Laundering Act of 2020 (AMLA) expanded BSA obligations to virtual asset service providers. The Corporate Transparency Act (CTA) of 2021 introduced beneficial ownership reporting to FinCEN. And state regulators continue to tighten licensing requirements for crypto exchanges, custodians, and wallet providers. If your platform onboards US customers, processes crypto transfers, or custodies digital assets, the compliance obligations are substantial and growing.
The US Crypto Regulatory Framework: A Multi-Agency Landscape
Unlike the EU's harmonized MiCA framework, US crypto regulation is fragmented across multiple federal agencies -- FinCEN for AML/BSA compliance, the SEC for securities enforcement, the CFTC for derivatives, and 50 individual state regulators for money transmitter licensing -- creating a compliance burden that requires crypto businesses to satisfy overlapping and sometimes conflicting requirements simultaneously.
Federal Agencies and Their Roles
The US approach to crypto regulation distributes authority across several agencies, each with distinct jurisdiction:
| Agency | Jurisdiction | Key Obligations |
|---|---|---|
| FinCEN (Financial Crimes Enforcement Network) | AML/BSA compliance for money services businesses (MSBs) | MSB registration, SAR filing, CTR filing, Travel Rule compliance, CDD/KYC |
| SEC (Securities and Exchange Commission) | Crypto assets classified as securities | Registration of exchanges and broker-dealers, disclosure requirements, enforcement actions |
| CFTC (Commodity Futures Trading Commission) | Bitcoin and crypto derivatives, spot market fraud | Registration of futures commission merchants, anti-manipulation enforcement |
| IRS (Internal Revenue Service) | Tax reporting for digital asset transactions | Form 1099-DA reporting (effective 2026), Form 8300 for cash transactions over $10,000 |
| OFAC (Office of Foreign Assets Control) | Sanctions compliance | SDN list screening, sanctions compliance programs |
This multi-agency structure means that a single crypto exchange may need to register with FinCEN as a money services business, potentially register with the SEC if it lists tokens classified as securities, comply with CFTC rules for any derivatives products, file tax reporting forms with the IRS, and screen all transactions against OFAC sanctions lists -- all before addressing state-level requirements.
State Money Transmitter Licensing
Beyond federal requirements, crypto businesses that transmit or exchange virtual currency must obtain money transmitter licenses (MTLs) in most states. As of 2026, 49 states plus the District of Columbia require some form of money transmitter licensing for crypto businesses (Montana remains the sole exception with no MTL requirement).
The licensing process varies significantly by state but typically requires:
- Surety bonds: ranging from $25,000 to $2 million depending on the state and transaction volume
- Minimum net worth: typically $100,000 to $500,000
- Background checks: FBI fingerprint-based checks for all control persons and directors
- BSA/AML compliance program: written policies and procedures, designated BSA officer, independent testing
- Financial statements: audited financial statements for the most recent fiscal year
The NMLS (Nationwide Multistate Licensing System) provides a centralized platform for state license applications, but each state conducts its own review. A typical multi-state licensing effort takes 12 to 18 months and costs $500,000 to $1.5 million in legal fees, surety bonds, and application costs.
The NYDFS BitLicense
New York's BitLicense, administered by the New York Department of Financial Services (NYDFS), remains the most stringent state-level crypto license in the United States. Introduced in 2015, the BitLicense requires:
- Minimum capital requirements based on the licensee's risk profile
- A comprehensive BSA/AML compliance program with a dedicated compliance officer
- Cybersecurity program meeting 23 NYCRR 500 requirements
- Consumer protection disclosures and complaint handling procedures
- Quarterly and annual financial reporting to NYDFS
- Prior approval for new products, services, and material changes to the business
The BitLicense application process typically takes 12 to 24 months. Alternatives include obtaining a New York trust company charter (as Gemini and Paxos have done) or partnering with a licensed entity. Operating in New York without a BitLicense or charter carries penalties of up to $5,000 per day per violation.
KYC Obligations for US Crypto Businesses
BSA Customer Due Diligence Requirements
FinCEN's Customer Due Diligence (CDD) Rule requires all covered financial institutions, including crypto businesses registered as MSBs, to implement a risk-based CDD program. The four pillars of the CDD Rule are:
- Customer identification: verifying the identity of each customer using government-issued identification (driver's license, state ID, US passport, or passport card)
- Beneficial ownership identification: identifying and verifying the identity of any individual who owns 25% or more of a legal entity customer, or who controls the entity
- Understanding the nature and purpose of the customer relationship: determining the expected pattern of activity to develop a customer risk profile
- Ongoing monitoring: conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintaining and updating customer information
For individual customers, identity verification at onboarding requires collecting and verifying the customer's full legal name, date of birth, residential address, and a government-issued identification number (Social Security Number for US persons, or passport number and country of issuance for non-US persons).
Enhanced Due Diligence Triggers
Crypto businesses must apply enhanced due diligence (EDD) in specific situations:
- Customers from jurisdictions identified by the FATF as having strategic AML/CFT deficiencies
- Politically exposed persons (PEPs) and their close associates
- High-value accounts or unusual transaction patterns
- Customers operating in higher-risk business segments (mixing services, privacy coins, peer-to-peer trading)
- Transactions involving jurisdictions subject to OFAC sanctions
The AMLA 2020 expanded the definition of "financial institution" under the BSA to explicitly include businesses dealing in virtual currencies, eliminating any ambiguity about whether crypto businesses are subject to BSA obligations.
Corporate Transparency Act and Beneficial Ownership Reporting
The Corporate Transparency Act (CTA) requires most US companies to report their beneficial ownership information to FinCEN. While this is a separate obligation from KYC, it directly impacts crypto businesses in two ways:
- As reporting companies: crypto businesses themselves must file beneficial ownership reports with FinCEN
- As verification tools: crypto businesses conducting KYB (Know Your Business) verification can cross-reference customer-provided beneficial ownership information against FinCEN's beneficial ownership database (access is restricted to authorized users)
For corporate clients using crypto platforms, KYB verification now includes verifying the entity's CTA filing status and cross-referencing beneficial ownership information.
The Travel Rule: US Implementation
FinCEN's Travel Rule Requirements
The US Travel Rule predates the EU's implementation by decades. FinCEN's Travel Rule (31 CFR 1010.410) requires financial institutions, including MSBs, to collect and transmit specific information for funds transfers of $3,000 or more.
For crypto transactions meeting the $3,000 threshold, the originating institution must collect and transmit:
| Data Element | Originator | Beneficiary |
|---|---|---|
| Full name | Required | Required |
| Account number / wallet address | Required | Required |
| Address | Required | Required (if available) |
| Financial institution identity | Required | Required |
| Amount of the transfer | Required | Required |
Unlike the EU's Travel Rule under MiCA (which applies to all transfers regardless of amount), the US Travel Rule applies only to transfers of $3,000 or more. However, FinCEN has proposed lowering this threshold for virtual currency transactions, and crypto businesses should design their systems to accommodate potential future threshold reductions.
Suspicious Activity Reporting
All MSBs, including crypto businesses, must file Suspicious Activity Reports (SARs) with FinCEN for transactions of $2,000 or more that the business knows, suspects, or has reason to suspect involve funds derived from illegal activity, are designed to evade reporting requirements, or lack a lawful purpose. For crypto businesses, common SAR triggers include:
- Transactions structured to avoid the $3,000 Travel Rule threshold
- Rapid movement of funds through multiple wallets (layering)
- Transactions involving wallets associated with known darknet markets, ransomware, or sanctioned entities
- Use of mixing or tumbling services
- Inconsistencies between declared source of funds and transaction patterns
CheckFile's platform has processed over 92,000 enhanced KYC verifications for crypto clients, flagging 11.3% as high-risk -- more than double the 5.1% rate observed in traditional banking KYC (CheckFile platform data, March 2026). The elevated flagging rate reflects the cross-border nature of crypto operations, pseudonymous transfers, and the rapid pace of regulatory change across federal and state jurisdictions.
Explore further
Discover our practical guides and resources to master document compliance.
Explore our guidesDocumentary Requirements: What US Crypto Businesses Must Collect and Retain
Customer Onboarding Documents
| Document Type | Individual Customers | Business Entities |
|---|---|---|
| Identity document | US passport, driver's license, or state-issued ID | N/A |
| Proof of address | Utility bill, bank statement (< 3 months) | Registered agent/office documentation |
| SSN or tax ID | Social Security Number (US persons) or passport + country | EIN (Employer Identification Number) |
| Corporate formation documents | N/A | Articles of incorporation, certificate of good standing |
| Beneficial ownership | N/A | FinCEN BOI report or equivalent declaration (25%+ owners) |
| Director/officer identification | N/A | Government-issued ID for all control persons |
| Source of funds | Supporting evidence for high-risk profiles | Financial statements, funding documentation |
Record Retention Requirements
Under the BSA, crypto businesses must retain all customer identification records for five years after the account is closed. Transaction records, including SARs and CTRs (Currency Transaction Reports), must be retained for five years from the date of the report. State requirements may impose longer retention periods -- New York's BitLicense requires retention of records for at least seven years, and California requires 10 years for certain transaction records.
How Automation Addresses US Crypto Compliance
The documentary obligations across federal and state jurisdictions make manual verification unsustainable for any crypto business operating at scale. Every new user requires identity document verification, address confirmation, sanctions screening, and risk classification. Every state license imposes its own audit and reporting requirements. And FinCEN expects BSA/AML programs to be risk-based and documented, with independent testing at least annually.
Document Verification at Onboarding
Automated document validation processes identity documents in seconds: extracting data fields (name, date of birth, document number, expiration date), verifying document authenticity (barcode validation on driver's licenses, MRZ validation on passports, security feature detection), and cross-referencing extracted data against declared information. For crypto platforms processing thousands of onboarding applications per month, this is the difference between a 48-hour manual review queue and real-time onboarding.
KYB for Corporate Clients
Corporate onboarding requires verification of articles of incorporation, certificate of good standing, EIN confirmation, beneficial ownership identification, and control person verification. Automated KYB workflows extract and cross-reference data across these documents, flagging inconsistencies (mismatched officer names, expired certificates, beneficial ownership thresholds exceeded) before a compliance officer reviews the file.
Multi-State Compliance Documentation
For crypto businesses holding licenses in multiple states, automated systems maintain and track compliance documentation across jurisdictions: license renewal dates, surety bond expirations, required financial filings, and examination schedules. Manual tracking of these obligations across 30 or 40 state licenses is a guaranteed path to missed deadlines and regulatory action.
Sanctions Screening Integration
Automated systems screen every customer and counterparty against OFAC's SDN list, FinCEN's 311 special measures, and state-specific restricted party lists in real time. When lists are updated, rescreening triggers automatically -- meeting both BSA ongoing monitoring requirements and state examination expectations.
For a comprehensive overview, see our document compliance complete guide.
Go further
To dive deeper into this topic, explore our complete guide on document verification.
FAQ
What federal agencies regulate crypto businesses in the United States?
Crypto businesses in the US face oversight from multiple federal agencies. FinCEN regulates AML/BSA compliance and requires crypto businesses to register as money services businesses. The SEC asserts jurisdiction over crypto assets classified as securities and has brought enforcement actions against exchanges listing unregistered securities. The CFTC oversees crypto derivatives and has enforcement authority over spot market fraud. The IRS requires tax reporting for digital asset transactions. OFAC enforces sanctions compliance. Each agency operates under its own statutory authority, and crypto businesses must comply with all applicable requirements simultaneously.
Do crypto businesses need money transmitter licenses in every state?
In practice, yes. As of 2026, 49 states plus the District of Columbia require some form of money transmitter licensing for businesses that exchange or transmit virtual currency. Montana is the sole exception. The licensing requirements vary by state -- some states have adopted virtual currency-specific licenses, while others apply existing money transmitter statutes. The NMLS provides a centralized application platform, but each state conducts independent reviews. A multi-state licensing effort typically takes 12 to 18 months and costs $500,000 to $1.5 million.
What is the US Travel Rule threshold for crypto transactions?
FinCEN's Travel Rule requires financial institutions, including crypto businesses registered as MSBs, to collect and transmit originator and beneficiary information for funds transfers of $3,000 or more. This is higher than the EU's Travel Rule under MiCA, which applies to all transfers regardless of amount. However, FinCEN has proposed reducing this threshold for virtual currency transactions, and crypto businesses should build their systems to accommodate potential changes.
What are the penalties for BSA/AML violations by crypto businesses?
Penalties for BSA/AML violations are severe. FinCEN can impose civil money penalties of up to $25,000 per day per violation for willful BSA violations, with no statutory maximum for the aggregate penalty. Criminal penalties for willful violations include fines of up to $250,000 and imprisonment of up to five years, or up to $500,000 and 10 years for violations involving other criminal activity. Recent enforcement actions against crypto businesses have resulted in penalties ranging from $29 million (Bittrex, 2023) to $4.3 billion (Binance, 2023).
How does the NYDFS BitLicense differ from a standard money transmitter license?
The BitLicense is significantly more comprehensive than a standard state money transmitter license. It requires specific cybersecurity controls under 23 NYCRR 500, consumer protection measures, prior approval for new products and services, and detailed quarterly and annual reporting. The application process typically takes 12 to 24 months compared to 3 to 6 months for most state MTLs. However, the BitLicense provides a higher level of regulatory credibility and is often cited by institutional partners as a prerequisite for business relationships.
Build Your Compliance Program Before Enforcement Catches Up
The US crypto regulatory environment is tightening on every front. FinCEN is expanding BSA obligations, the SEC continues aggressive enforcement, and state regulators are raising licensing standards. Crypto businesses that delay building robust compliance programs face not only regulatory penalties but also exclusion from banking relationships and institutional partnerships.
CheckFile provides automated document validation purpose-built for crypto platform onboarding: identity document verification, corporate KYB checks, data extraction and cross-referencing, and complete audit trail generation. Our platform processes verification files in seconds with every step logged and traceable, meeting the documentary standards that FinCEN, state regulators, and NYDFS examiners expect from licensed crypto businesses. Explore our pricing to find the plan that fits your transaction volume.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.
Related reading: For the broader KYC framework driving these obligations, see our KYC 2026 requirements guide. For corporate client onboarding, read our KYB business document verification guide. For anti-money laundering compliance fundamentals, see our AML compliance guide.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.