Neobank and Digital Bank KYC/AML Compliance in the US 2026: BSA, FinCEN, and CIP Requirements
Complete KYC and AML compliance guide for US neobanks and digital banks in 2026: Bank Secrecy Act, FinCEN CIP Rule, CDD Rule, Corporate Transparency Act, SAR/CTR filing obligations, and how to build a compliant onboarding program.

US neobanks and digital banks must meet the same KYC and AML obligations as traditional financial institutions, in many cases under more operationally demanding conditions because every customer interaction happens remotely. The primary federal framework is the Bank Secrecy Act (BSA, 31 U.S.C. §5318), administered by FinCEN (Financial Crimes Enforcement Network) within the Department of the Treasury. The OCC (Office of the Comptroller of the Currency) supervises federally chartered banks, while state-chartered institutions answer to state banking regulators, and both are subject to FinCEN's program requirements. Enforcement actions against neobanks are no longer exceptional: Wise received a $4 million FinCEN consent order in 2022 for BSA violations, Silvergate Bank settled for $63 million in 2023, and Chime faced a CFPB consent order in 2024, confirming that compliance infrastructure must scale with customer growth, not trail it.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
For a broader view of document verification in banking onboarding workflows, see how banks structure their KYC processes.
Regulatory Framework for US Neobanks in 2026
The US regulatory landscape for digital banks is more fragmented than in most other jurisdictions. Federal rules from FinCEN, OCC, the Federal Reserve, and the FDIC layer with state-level requirements from the New York Department of Financial Services (NYDFS), the California Department of Financial Protection and Innovation (DFPI), and others. Every neobank must identify which rules apply based on its charter type and operational model before designing its compliance program.
| Regulation | Authority | Key Obligation | Status |
|---|---|---|---|
| Bank Secrecy Act, 31 U.S.C. §5318 | FinCEN | AML/CFT program; SAR and CTR filing | In force; FinCEN proposed revisions April 7, 2026 |
| CIP Rule, 31 CFR §1020.220 | FinCEN / OCC | Customer Identification Program: name, DOB, address, SSN/TIN | In force |
| CDD Rule, 31 CFR §1020.210 | FinCEN | Customer Due Diligence + beneficial ownership of legal entities | In force since 2018 |
| Corporate Transparency Act (CTA) 2021 | FinCEN | BOI reporting to FinCEN's database (FinCEN Form 114) | In force |
| NY DFS Part 504 | NYDFS | Transaction monitoring and OFAC filtering for NY-licensed entities | In force |
| CCPA / state privacy patchwork | FTC / state AGs | Consumer data rights for financial data of state residents | In force (varies by state) |
| EBA/GL/2021/21 (updated Oct. 2023) | EBA | Liveness detection for remote onboarding; not US law, but industry benchmark | Increasingly adopted |
FinCEN published proposed rulemaking on April 7, 2026 to revise AML/CFT program requirements under 31 U.S.C. §5318, emphasizing a risk-based approach, program effectiveness measurement, and clearer documentation of the risk assessment process. Final rules are expected to increase the operational rigor that examiners will apply when evaluating neobank compliance programs.
For a complete overview of AML compliance principles, see the AML compliance guide for obliged entities.
How US Neobanks Are Structured for Regulatory Purposes
Three structural models are common for US neobanks, and the compliance obligations differ between them:
- Licensed bank or credit union: Full BSA obligated entity. All FinCEN rules apply directly. Subject to examination by OCC (national charter), state banking regulator (state charter), FDIC (insured institutions), or Federal Reserve (Fed member banks).
- OCC special purpose charter applicant: Subject to BSA obligations from charter grant. Several neobanks have applied for fintech charters from the OCC, with mixed results to date.
- Banking-as-a-Service (BaaS) partner model: The neobank is not itself a bank but operates through a sponsor bank. The neobank bears AML/KYC obligations under its agreement with the sponsor bank: the sponsor bank provides the charter, not a delegation of compliance responsibility. Both parties can be examined and cited for deficiencies.
KYC Requirements for Digital Onboarding
Remote digital onboarding creates specific compliance obligations that branch-based banks do not face at the same scale. When no human agent is present during identity verification, the risk of synthetic identity fraud, document manipulation, and deepfakes is materially higher.
Customer Identification Program (CIP): 31 CFR §1020.220
The CIP Rule is the foundational KYC requirement for US financial institutions. It requires collection and verification of four data elements for every individual customer:
- Name (legal name)
- Date of birth
- Address (residential or business)
- Identification number: Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN) for US persons; passport number or other government-issued document number for non-US persons
For legal entity customers, the CIP Rule requires name, address, and an Employer Identification Number (EIN) or equivalent. The CDD Rule (31 CFR §1020.210) then layers on the beneficial ownership requirement: identification of all natural persons who own 25% or more of the legal entity, plus one person with significant management control.
Verification of CIP data must use documentary methods (government-issued photo ID), non-documentary methods (credit bureau data, public records), or a combination of both. For digital-only neobanks, non-documentary verification is common, but must be documented and defensible in an examination.
Liveness Detection: An Emerging Mandatory Control
No US federal regulation explicitly mandates biometric liveness detection for remote onboarding as of June 2026. However, EBA/GL/2021/21 (updated October 2023) has become the global benchmark standard, and US examiners are increasingly treating the absence of liveness detection as a gap in the risk control framework for digital-only institutions.
Neobanks operating across the US and EU must implement liveness detection to satisfy EU supervisory expectations. For US-only neobanks, the practical risk is that synthetic identity fraud, where a fraudster assembles a fake identity using real data from data breaches, is not detectable by document review alone. Passive and active liveness checks meeting ISO/IEC 30107-3 (Presentation Attack Detection) criteria are the accepted technical standard.
The FTC has taken enforcement action against identity verification failures in the financial services context under Section 5 of the FTC Act. While not liveness-specific, this regulatory posture reinforces that inadequate verification is a consumer harm under federal law.
Risk-Based Approach to CDD
Standard CDD applies to most retail customers. Enhanced due diligence (EDD) is mandatory for:
- Politically exposed persons (PEPs) and their associates
- Customers from FATF high-risk jurisdictions (FATF High-Risk Jurisdictions list)
- Customers whose transaction patterns are inconsistent with their stated account purpose
- Foreign correspondent banking relationships
Simplified procedures are permissible in lower-risk situations, but the BSA risk-based approach places the burden of documentation on the institution: examiners will expect a written risk assessment explaining why reduced procedures are appropriate for a given customer or product segment.
AML Obligations: Transaction Monitoring, SARs, and CTRs
Transaction monitoring is the operational core of a US AML program. For neobanks processing high volumes of real-time ACH, wire, and card payments, the challenge is building alert logic that produces actionable intelligence without generating an unmanageable false-positive rate.
Transaction Monitoring Program Design
An effective transaction monitoring program for a US neobank must cover:
- Rule-based alerts: velocity rules (multiple cash deposits below the $10,000 CTR threshold, a structuring red flag), unusual geographic payment patterns, and high-frequency transfers to new payees
- Behavioral analytics: deviations from a customer's established transaction pattern, accounts that suddenly transact with OFAC-sanctioned jurisdictions or counterparties
- Sanctions screening: real-time matching against OFAC's Specially Designated Nationals (SDN) list, the UN Consolidated List, and other applicable lists
- PEP and adverse media screening: ongoing monitoring, not only at onboarding
NYDFS Part 504 requires that New York-licensed institutions maintain a transaction monitoring program and OFAC filtering program that meet specific minimum standards, including annual certifications of compliance by a senior officer. This is the most prescriptive state-level AML rule currently in force in the US and serves as a de facto national benchmark for sophisticated institutions.
Suspicious Activity Reports (SARs) Under 31 CFR §103.18
In the US, SARs are filed with FinCEN electronically via the Bank Secrecy Act E-Filing System. The filing deadlines are:
- 30 calendar days from the date of initial detection of a known or identified suspect
- 60 calendar days from the date of initial detection if no suspect has been identified at the time of detection
There is no minimum dollar threshold for filing a SAR; the trigger is suspicion. However, FinCEN guidance identifies transactions below $5,000 as generally not warranting a SAR unless the institution elects to file.
The filing institution's BSA Officer is responsible for reviewing internal escalations, making filing decisions, and maintaining a defensible audit trail. SARs are filed in confidence and are protected from disclosure under 31 U.S.C. §5318(g)(2).
Currency Transaction Reports (CTRs)
CTRs are a distinctly US requirement with no direct EU equivalent. Any cash transaction, or series of related cash transactions, exceeding $10,000 in a single business day must be reported to FinCEN on FinCEN Form 112 within 15 calendar days. This includes deposits, withdrawals, and currency exchanges. Structuring, deliberately breaking up transactions to avoid the $10,000 threshold, is itself a federal crime under 31 U.S.C. §5324.
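The same-day CTR aggregation and the sub-threshold velocity rule described above can be sketched as follows. This is an added example, not code from the original article or from any vendor; the 80% near-threshold band, the three-day window, the minimum count of two, and the sample ledger are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # page: cash exceeding $10,000 in one business day
# Assumed tuning values (not taken from the page or from any regulation):
NEAR_BAND = Decimal("0.80")       # "just below" means >= 80% of the threshold
WINDOW_DAYS = 3                   # rolling look-back window for the velocity rule
MIN_NEAR_DEPOSITS = 2             # how many near-threshold deposits raise an alert

# Constructed sample ledger of cash deposits: (customer_id, business_date, amount)
SAMPLE = [
    ("C1", date(2026, 3, 2), Decimal("6000")),
    ("C1", date(2026, 3, 2), Decimal("4500")),   # same-day aggregate is 10,500
    ("C2", date(2026, 3, 2), Decimal("9500")),
    ("C2", date(2026, 3, 3), Decimal("9400")),
    ("C2", date(2026, 3, 4), Decimal("9800")),
    ("C3", date(2026, 3, 2), Decimal("10000")),  # exactly 10,000 does not "exceed"
    ("C4", date(2026, 3, 2), Decimal("2000")),
]

def ctr_candidates(txns):
    """Sum cash per customer per business day; keep totals exceeding the threshold."""
    totals = defaultdict(Decimal)
    for cust, day, amt in txns:
        totals[(cust, day)] += amt
    return {key: total for key, total in totals.items() if total > CTR_THRESHOLD}

def structuring_alerts(txns):
    """Velocity rule: repeated near-threshold cash deposits inside a rolling window."""
    near = defaultdict(list)
    for cust, day, amt in txns:
        if CTR_THRESHOLD * NEAR_BAND <= amt <= CTR_THRESHOLD:
            near[cust].append((day, amt))
    alerts = {}
    for cust, items in near.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = [(d, a) for d, a in items[i:] if (d - start).days < WINDOW_DAYS]
            total = sum(a for _, a in window)
            # Alert for analyst review only when the pattern, taken together,
            # would have crossed the reporting threshold.
            if len(window) >= MIN_NEAR_DEPOSITS and total > CTR_THRESHOLD:
                alerts[cust] = {"first": start, "count": len(window), "total": total}
                break
    return alerts

if __name__ == "__main__":
    print("CTR candidates:", ctr_candidates(SAMPLE))
    print("Structuring alerts:", structuring_alerts(SAMPLE))
```

An alert from the velocity rule is an input to analyst triage and the SAR decision, not a filing decision in itself.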
Enforcement Record: What Neobank Failures Look Like in Practice
The US enforcement record against neobanks and fintech-adjacent financial institutions demonstrates that regulatory actions typically stem from program design gaps, not isolated failures.
Wise (TransferWise): $4 Million FinCEN Consent Order (2022)
FinCEN entered a consent order against Wise for $4 million in 2022 for violations of the BSA. The order identified failures in Wise's transaction monitoring program and inadequate controls for certain high-risk customer segments. The practical lesson: money services businesses operating at scale must build transaction monitoring that keeps pace with product growth, not lag it.
Silvergate Bank: $63 Million Settlement (FRB/DFPI/DOJ, 2023)
Silvergate Bank, a crypto-focused neobank that became a key correspondent for crypto exchanges, paid $63 million to settle BSA failures with the Federal Reserve Board, the California DFPI, and the Department of Justice. The bank's AML program failed to monitor approximately $1 trillion in transactions processed through its Silvergate Exchange Network. The settlement, and Silvergate's subsequent voluntary liquidation, illustrates the catastrophic consequences of scaling product revenue without proportional compliance investment.
Chime: CFPB Consent Order (2024)
The CFPB entered a consent order against Chime in 2024 for misleading account closure practices, in which customers faced difficulty accessing their funds after account closure. While not primarily an AML enforcement action, this case demonstrates that neobanks face scrutiny across multiple regulatory dimensions simultaneously: AML from FinCEN and prudential examiners, consumer protection from the CFPB and FTC.
Structural Patterns in US Neobank Enforcement
| Failure Type | Regulatory Consequence | Examples |
|---|---|---|
| Transaction monitoring gaps | Consent order; civil money penalties | Wise (FinCEN 2022); Silvergate (FRB/DOJ 2023) |
| SAR filing failures | Criminal referral risk; license risk | Multiple BSA examinations 2023-2025 |
| CIP/CDD deficiencies | Remediation orders; enhanced supervision | FDIC supervisory actions 2024 |
| Consumer protection failures | CFPB enforcement; restitution | Chime (CFPB 2024) |
Building a Compliant US Neobank Compliance Program
A compliant program integrates onboarding verification, ongoing monitoring, alert triage, and regulatory reporting into a defensible system with documented ownership and testing.
Program Components
1. Written AML/CFT program: The BSA requires every covered financial institution to establish and maintain a written AML program with four pillars: internal controls, independent testing, a designated BSA Officer, and ongoing training. FinCEN's proposed April 2026 rulemaking adds a fifth pillar: a risk assessment process that is documented, periodically updated, and used to inform control decisions.
2. Customer due diligence workflow: The CDD workflow must be documented and tested. It must specify: acceptable identity documents for each customer type, how document authenticity is verified, what triggers EDD, and how decisions are recorded. CheckFile's document verification platform (covering 3,200+ document types across 32 jurisdictions, including US passports, state-issued driver's licenses, and US military IDs) supports consistent CDD execution at scale. See CheckFile for banking KYC.
3. Technology controls for remote onboarding: Automated document verification and sanctions screening must be integrated at onboarding. For digital-only neobanks, this is not optional infrastructure; it is the primary control environment. Non-documentary CIP verification methods must be supported by vendor agreements with documented accuracy and coverage standards.
4. BSA Officer and governance: The BSA requires designation of a BSA Officer with sufficient seniority, independence, and resources to administer the program. The BSA Officer must have direct reporting access to senior management and the board. The April 2026 FinCEN proposed rule reinforces that BSA Officer roles must be adequately resourced; examiners will scrutinize whether the officer has the authority and budget necessary to implement program improvements.
5. Training: All staff who interact with customers, process transactions, or have AML-relevant responsibilities must receive annual BSA/AML training. Training content must be updated when regulations, FinCEN guidance, or the institution's risk profile changes. Training records must be retained and available for examination.
6. Independent testing: The BSA requires independent testing of the AML program, conducted by internal audit or an external party, at a frequency consistent with the institution's risk profile. Testing must cover CIP/CDD quality, SAR process, transaction monitoring rule effectiveness, training completion, and OFAC screening accuracy.
For guidance on structuring document verification within a compliance program, see the document compliance guide.
Choosing a KYC/AML Technology Partner
When evaluating technology vendors for a US neobank compliance program, compliance teams should assess:
- Document type coverage for the institution's actual customer geography, including US passports, state driver's licenses, and military IDs, plus foreign documents for non-US persons
- Non-documentary verification integrations for credit bureau and public records matching
- API integration capability with existing onboarding, core banking, and case management platforms
- Audit trail and data retention functionality meeting the BSA's five-year recordkeeping requirement (31 CFR §1020.220(a)(3))
- CheckFile provides structured verification workflows for financial institutions, with coverage across 3,200+ document types in 32 jurisdictions
The CheckFile platform maintains robust data security controls aligned with financial sector requirements. For pricing and program design consultation, see CheckFile pricing.
Frequently Asked Questions
What KYC documents must a US neobank collect during onboarding?
Under the CIP Rule (31 CFR §1020.220), neobanks must collect name, date of birth, address, and an identification number, typically a Social Security Number (SSN) for US persons. Collection of a copy of the underlying identity document (US passport, state-issued driver's license) is not strictly required by the CIP Rule but is best practice and supports non-documentary verification. For business accounts, the CDD Rule (31 CFR §1020.210) adds a beneficial ownership certification covering all natural persons owning 25% or more of the entity and one person with significant management control.
Is liveness detection required by US law for neobanks?
No US federal statute or FinCEN rule explicitly mandates biometric liveness detection as of June 2026. However, the absence of liveness controls for digital-only onboarding is increasingly viewed by examiners as a risk gap, particularly for institutions with elevated synthetic identity fraud exposure. EBA/GL/2021/21 is the international standard, and neobanks with EU operations must implement liveness detection to satisfy EU supervisory expectations regardless of US law. Domestic US neobanks implementing liveness detection demonstrate a stronger risk control posture to OCC and state banking examiners.
What are the SAR and CTR filing deadlines for US neobanks?
SARs must be filed with FinCEN within 30 calendar days from the date the institution first detects a reportable suspicious transaction if a suspect is known, or within 60 calendar days if no suspect has been identified. CTRs must be filed within 15 calendar days of a cash transaction, or series of related cash transactions, exceeding $10,000 in a single business day. Both are filed electronically via FinCEN's BSA E-Filing System at fincen.gov.
What does the Corporate Transparency Act require for neobank business customers?
The Corporate Transparency Act (CTA, effective January 2024) requires most domestic reporting companies to file beneficial ownership information (BOI) with FinCEN's BOI IT system. This is an obligation on the company itself, not on the neobank. However, neobanks can reference a customer's FinCEN BOI filing when satisfying the beneficial ownership requirements of the CDD Rule, provided the filing is current and the institution verifies that it has not lapsed. Neobanks should update their business onboarding workflows to collect and record CTA filing confirmation numbers where applicable.
Can a US neobank apply simplified due diligence to lower-risk retail customers?
The BSA framework permits a risk-based approach that allows reduced verification procedures for demonstrably lower-risk customer segments. However, there is no bright-line SDD regime equivalent to what the EU AMLR provides. Simplified procedures must be documented in the institution's written risk assessment with a clear rationale. Examiners will assess whether the rationale is credible and whether the procedures actually reduce risk exposure rather than simply reduce compliance effort. Standard retail accounts with no geographic or transaction restrictions do not typically qualify for materially simplified procedures.
How does NYDFS Part 504 affect neobanks with New York customers?
NYDFS Part 504 applies to New York-licensed banks, branches of foreign banking organizations, and other NY-licensed financial institutions. It requires a transaction monitoring program and an OFAC filtering program that meet specific minimum standards, including annual board-level or senior management certification of compliance. Neobanks that are not NY-licensed but accept NY customers are not directly subject to Part 504, but they remain subject to FinCEN's BSA program requirements. Neobanks that hold a NY banking license must satisfy both FinCEN and NYDFS requirements, which are additive.