Navigating KYC and AML Compliance After FinCEN’s Beneficial Ownership Updates

February 20, 2026

Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements form the foundation of the United States’ framework for preventing money laundering, terrorist financing and other forms of financial crime. For banks, fintech companies, broker-dealers, and other regulated entities, these obligations are not simply regulatory formalities. They are core operational requirements that demand continuous oversight and board-level attention.

Recent updates issued by the Financial Crimes Enforcement Network (FinCEN), particularly revisions affecting beneficial ownership reporting under the Corporate Transparency Act (CTA), have narrowed certain reporting obligations while leaving core Bank Secrecy Act (BSA) requirements intact. Financial institutions should understand how these changes intersect with existing customer due diligence and AML program expectations.

These obligations arise primarily under the Bank Secrecy Act of 1970 (BSA), as amended by subsequent legislation including the USA PATRIOT Act of 2001, and are implemented through regulations promulgated by the Financial Crimes Enforcement Network (FinCEN). Enforcement activity and regulatory scrutiny have intensified in recent years, making proactive rather than reactive compliance essential.

KYC and AML are closely related but distinct concepts. KYC focuses on identifying and understanding customers at onboarding and throughout the customer relationship. AML encompasses broader institutional obligations, including transaction monitoring, reporting, recordkeeping, internal controls and cooperation with law enforcement. Together, these requirements are designed to protect the integrity of the U.S. financial system and to ensure transparency regarding the ownership and movement of funds.

Statutory and Regulatory Framework

Bank Secrecy Act

The BSA, codified primarily at 31 U.S.C. §§ 5311–5336, establishes the core AML obligations applicable to U.S. financial institutions. The statute authorizes the U.S. Department of the Treasury to require financial institutions to:

  • Maintain records with a high degree of usefulness in criminal, tax and regulatory investigations
  • File reports on certain transactions
  • Implement AML programs reasonably designed to prevent misuse of the financial system

In practice, the BSA serves as the backbone of AML compliance in the United States and provides regulators with broad authority to examine institutions and enforce violations.

Implementing Regulations

FinCEN’s implementing regulations are set forth at 31 C.F.R. Chapter X. These regulations define which financial institutions are covered, establish AML program requirements, establish customer due diligence obligations, and mandate reporting such as Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs).

Additional regulatory guidance and enforcement authority are exercised by federal functional regulators, including the Office of the Comptroller of the Currency (OCC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). For many institutions, this means AML compliance is subject to layered oversight and examination.

Entities Required to Comply in the United States

Financial Institutions Covered

Under the BSA and FinCEN regulations, AML and KYC obligations apply to entities defined as “financial institutions.”  Covered entities include, but are not limited to:

Fintech companies and digital asset businesses may also fall within these definitions depending on the nature of their activities, particularly where they transmit value, custody funds or exchange virtual currency.

Extraterritorial Reach

Non-U.S. entities may be subject to U.S. AML requirements if they conduct business in the United States or engage in transactions involving U.S. customers or the U.S. financial system, particularly through correspondent banking relationships or U.S.-based MSB activity.

Core KYC Requirements

Customer Identification Program (CIP)

Covered institutions must implement a written Customer Identification Program.  At a minimum, CIP requires institutions to:

  • Collect identifying information (name, date of birth, address, and identification number)
  • Verify customer identity using documentary or non-documentary methods
  • Maintain records of verification
  • Screen customers against government lists where applicable

CIP applies at account opening and is a foundational element of KYC compliance. Failure to implement consistent onboarding controls remains one of the most common sources of regulatory findings.

Customer Due Diligence (CDD)

FinCEN’s Customer Due Diligence Rule requires institutions to:

  • Identify and verify beneficial owners of legal entity customers
  • Understand the nature and purpose of customer relationships
  • Conduct ongoing monitoring to identify and report suspicious transactions

CDD establishes a risk-based framework that aligns customer onboarding with ongoing monitoring. Institutions must be able to demonstrate that risk assessments meaningfully inform monitoring and escalation decisions.

Enhanced Due Diligence (EDD)

For higher-risk customers, including politically exposed persons (PEPs), foreign correspondent accounts, and private banking relationships, institutions must apply enhanced due diligence measures. EDD may include more frequent reviews, additional documentation and senior management approval.

2026 Updates to Beneficial Ownership and CTA Reporting

Domestic Entities Are No Longer Required to Report BOI

In March 2025, FinCEN, the U.S. Treasury bureau that administers anti-money laundering and beneficial ownership information (BOI) programs, adopted an interim final rule revising the definition of a “reporting company” under the CTA so that only foreign entities registered to do business in the U.S. are subject to BOI filing requirements under the CTA.  This means that domestic entities are fully exempt from the CTA’s reporting requirements, and U.S. persons no longer need to report beneficial ownership of foreign companies (or be included in the BOI reporting of a foreign entity), which represents a significant narrowing of the scope from the original CTA implementation.

New Deadlines for Foreign Reporting Companies

For entities that remain subject to BOI reporting:

  • Entities registered to do business in the U.S. before March 26, 2025 are required to file BOI by April 25, 2025.
  • Entities registered after March 26, 2025 have 30 calendar days to file after receiving notice of effective registration.

These deadlines reflect FinCEN’s attempt to provide predictability for affected foreign companies while limiting reporting to higher-risk, non-U.S. entities.

FinCEN Eases Beneficial Owner Identification Rules for Banks

FinCEN announced additional changes to customer due diligence requirements under the Bank Secrecy Act (BSA).  While banks will still be required to identify and verify beneficial owners of all legal entities when they first open an account, there will be no ongoing duty to update or re-verify this information, or to reconcile it with information reported under the CTA.

Importantly, banks must still comply with other anti-money laundering and know your customer rules, including ongoing risk assessments and suspicious activity monitoring and reporting.

Why This Matters for Banks

With domestic companies exempt from the CTA’s BOI reporting, banks will no longer find themselves reconciling FinCEN BOI submissions for domestic entity customers. Although existing customer due diligence practices remain intact, the recent changes should result in more streamlined reporting and an overall reduction in burdens tied to beneficial ownership information.

At the same time, institutions should not interpret these revisions as a relaxation of AML enforcement. Regulators continue to expect robust monitoring, documentation and governance.

AML Program Requirements

Written AML Program

Most covered financial institutions are required to establish a written AML program that includes, at a minimum, the following elements:

  1. Internal policies, procedures and controls
  2. Designation of a compliance officer
  3. Ongoing employee training
  4. Independent testing of the program

These pillars form the baseline expectations regulators evaluate during examinations.

Transaction Monitoring

Institutions must monitor customer activity to identify transactions that are inconsistent with the customer’s known risk profile. Monitoring systems may be automated or manual but must be reasonably designed to detect suspicious patterns indicative of money laundering, fraud or terrorist financing. Institutions should periodically reassess whether monitoring thresholds and alert parameters align with their current risk exposure.

Suspicious Activity Reporting

Covered institutions are required to file SARs when they know, suspect or have reason to suspect that a transaction involves illicit activity or is designed to evade BSA requirements. SAR filings must be timely, complete, and confidential. Inadequate documentation of SAR decision-making frequently draws regulatory criticism.

Currency Transaction Reporting

Institutions must file CTRs for cash transactions exceeding specified thresholds, unless an exemption applies.

Recordkeeping Requirements

Financial institutions must retain records related to customer identification, transactions and reports for prescribed periods, typically five years. Document retention policies should align with both regulatory requirements and internal audit expectations.

Compliance Implementation and Governance

To ensure compliance, financial institutions typically adopt a risk-based governance framework that includes:

  • Enterprise-wide AML risk assessments
  • Board and senior management oversight
  • Periodic policy updates based on regulatory changes
  • Use of technology for sanctions screening and monitoring
  • Independent audits and regulatory examinations

Regulators increasingly expect institutions to demonstrate not only technical compliance but also a strong culture of compliance and effective risk management. Boards and executive leadership are expected to understand the institution’s AML risk profile and ensure adequate resourcing of compliance functions.

Conclusion

KYC and AML obligations under U.S. law impose comprehensive and ongoing responsibilities on banks and financial institutions. Anchored in the Bank Secrecy Act and implemented through FinCEN regulations, these requirements mandate robust customer identification, due diligence, transaction monitoring, reporting and governance controls.

Although recent FinCEN updates have narrowed certain beneficial ownership reporting requirements under the CTA, these changes do not diminish core AML obligations under the BSA. Financial institutions should evaluate whether their onboarding, documentation and monitoring practices reflect both the revised CTA framework and ongoing BSA compliance expectations.

Institutions that fail to comply face significant civil and criminal penalties, reputational harm and potential loss of licensure. As financial products and technologies evolve, maintaining a strong, adaptable AML and KYC framework remains a legal and operational imperative for all covered financial institutions.

Contact

To remain compliant with evolving KYC and AML requirements, financial institutions should periodically evaluate and strengthen their compliance frameworks as regulatory expectations change.

For guidance, contact KJK partner Jessica Groza (JLG@kjk.com).