Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements form the foundation of the United States’ framework for preventing money laundering, terrorist financing and other forms of financial crime. These obligations arise primarily under the Bank Secrecy Act of 1970 (BSA), as amended by subsequent legislation including the USA PATRIOT Act of 2001, and are implemented through regulations promulgated by the Financial Crimes Enforcement Network (FinCEN).
KYC and AML are closely related but distinct concepts. KYC focuses on identifying and understanding customers at onboarding and throughout the customer relationship. AML encompasses broader institutional obligations, including transaction monitoring, reporting, recordkeeping, internal controls and cooperation with law enforcement. Together, these requirements are designed to protect the integrity of the U.S. financial system and to ensure transparency regarding the ownership and movement of funds.
Statutory and Regulatory Framework
Bank Secrecy Act
The BSA, codified primarily at 31 U.S.C. §§ 5311–5336, establishes the core AML obligations applicable to U.S. financial institutions. The statute authorizes the U.S. Department of the Treasury to require financial institutions to:
- Maintain records with a high degree of usefulness in criminal, tax and regulatory investigations
- File reports on certain transactions
- Implement AML programs reasonably designed to prevent misuse of the financial system
Implementing Regulations
FinCEN’s implementing regulations are set forth at 31 C.F.R. Chapter X. These regulations define covered financial institutions, prescribe AML program requirements, establish the Customer Due Diligence Rule and mandate reporting obligations such as Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs).
Additional regulatory guidance and enforcement authority are exercised by federal functional regulators, including the Office of the Comptroller of the Currency (OCC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC).
Entities Required to Comply in the United States
Covered Financial Institutions
Under the BSA and FinCEN regulations, AML and KYC obligations apply to entities defined as “financial institutions.” Covered entities include, but are not limited to:
- Banks, savings associations, and credit unions
- Broker-dealers in securities
- Mutual funds
- Futures commission merchants and introducing brokers
- Money services businesses (MSBs), including money transmitters and virtual currency administrators/exchangers
- Casinos and card clubs meeting revenue thresholds
- Insurance companies offering certain products
Fintech companies and digital asset businesses may also fall within these definitions depending on the nature of their activities, particularly where they transmit value, custody funds or exchange virtual currency.
Extraterritorial Reach
Non-U.S. entities may be subject to U.S. AML requirements if they conduct business in the United States or engage in transactions involving U.S. customers or the U.S. financial system, particularly through correspondent banking relationships or U.S.-based MSB activity.
Core KYC Requirements
Customer Identification Program (CIP)
Covered institutions must implement a written Customer Identification Program. At a minimum, CIP requires institutions to:
- Collect identifying information (name, date of birth, address, and identification number)
- Verify customer identity using documentary or non-documentary methods
- Maintain records of verification
- Screen customers against government lists where applicable
CIP applies at account opening and is a foundational element of KYC compliance.
Customer Due Diligence (CDD)
FinCEN’s Customer Due Diligence Rule requires institutions to:
- Identify and verify beneficial owners of legal entity customers
- Understand the nature and purpose of customer relationships
- Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information
CDD establishes a risk-based framework that aligns customer onboarding with ongoing monitoring.
Enhanced Due Diligence (EDD)
For higher-risk customers, including politically exposed persons (PEPs), foreign correspondent accounts, and private banking relationships, institutions must apply enhanced due diligence measures. EDD may include more frequent reviews, additional documentation and senior management approval.
AML Program Requirements
Written AML Program
Most covered financial institutions are required to establish a written AML program that includes, at a minimum, the following elements:
- Internal policies, procedures and controls
- Designation of a compliance officer
- Ongoing employee training
- Independent testing of the program
Transaction Monitoring
Institutions must monitor customer activity to identify transactions that are inconsistent with the customer’s known risk profile. Monitoring systems may be automated or manual but must be reasonably designed to detect suspicious patterns indicative of money laundering, fraud or terrorist financing.
Suspicious Activity Reporting
Covered institutions are required to file SARs when they know, suspect or have reason to suspect that a transaction involves funds derived from illegal activity, is designed to evade BSA requirements, has no business or apparent lawful purpose, or involves use of the institution to facilitate criminal activity. SAR filings must be timely (generally within 30 calendar days of the initial detection of facts that may constitute a basis for filing), complete and confidential; an institution may not disclose to the subject of a SAR, or to any other unauthorized party, that a SAR has been filed.
Currency Transaction Reporting
Institutions must file CTRs for currency transactions that exceed $10,000 in a single business day, aggregated across multiple transactions conducted by or on behalf of the same person, unless an exemption applies.
Recordkeeping Requirements
Financial institutions must retain records related to customer identification, transactions and reports for prescribed periods, typically five years.
Compliance Implementation and Governance
To ensure compliance, financial institutions typically adopt a risk-based governance framework that includes:
- Enterprise-wide AML risk assessments
- Board and senior management oversight
- Periodic policy updates based on regulatory changes
- Use of technology for sanctions screening and monitoring
- Independent audits and regulatory examinations
Regulators increasingly expect institutions to demonstrate not only technical compliance but also a strong culture of compliance and effective risk management.
Conclusion
KYC and AML obligations under U.S. law impose comprehensive and ongoing responsibilities on banks and financial institutions. Anchored in the Bank Secrecy Act and implemented through FinCEN regulations, these requirements mandate robust customer identification, due diligence, transaction monitoring, reporting and governance controls. Institutions that fail to comply face significant civil and criminal penalties, reputational harm and potential loss of licensure. As financial products and technologies evolve, maintaining a strong, adaptable AML and KYC framework remains a legal and operational imperative for all covered financial institutions.
Contact
To ensure your organization remains compliant with evolving KYC and AML requirements, now is the time to evaluate and strengthen your internal frameworks. For guidance, contact KJK partner Jessica Groza (JLG@kjk.com).