KYB Compliance in the US: A Guide to FinCEN, CDD & CTA Rules

When TD Bank failed to maintain an adequate Bank Secrecy Act compliance program, the Financial Crimes Enforcement Network (FinCEN) assessed a record $1.3 billion civil penalty in October 2024, the largest the agency had ever imposed against a depository institution. Business verification gaps were central to the findings.

Know Your Business (KYB) compliance in the United States is the process by which financial institutions verify a business entity’s legal registration, ownership structure, and controlling individuals before and after onboarding a corporate client.

US business verification regulations sit across three federal frameworks. The Bank Secrecy Act (BSA), FinCEN’s Customer Due Diligence (CDD) Final Rule, and the Corporate Transparency Act (CTA) each carry distinct compliance obligations on covered institutions. This guide explains what each one requires, what the March 2025 CTA interim rule changed, and how state registry verification works in practice across different US jurisdictions.

The Three Frameworks That Define KYB Compliance in the US

US KYB compliance is built from three federal frameworks that were enacted in different eras but now operate simultaneously on any financial institution that onboards business clients. The BSA laid the AML foundation. The CDD Final Rule specified what beneficial ownership data institutions must collect. The CTA created a federal registry for company-reported ownership data. Understanding how the three interact is the starting point for any defensible KYB program.

Bank Secrecy Act Business Verification

The Bank Secrecy Act, enacted in 1970, is the primary US anti-money-laundering statute. It requires covered financial institutions to maintain written AML programs, file Currency Transaction Reports (CTRs) for cash transactions above the federal threshold, and submit Suspicious Activity Reports (SARs) when they detect unusual or potentially illicit activity. Bank Secrecy Act business verification obligations include confirming a business entity’s legal existence, its principal business activity, and the identity of persons authorised to transact on the account. The BSA applies to banks, broker-dealers, money services businesses, and a growing range of fintech and payment platforms regulated under the same framework.

FinCEN’s Customer Due Diligence Final Rule

The CDD Final Rule, effective May 2018, layered explicit beneficial ownership requirements onto the BSA. It covers banks, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers. The Rule requires these institutions to collect and verify beneficial ownership information for legal entity customers at the point of account opening, understand the nature and purpose of the customer relationship to build a risk profile, and maintain ongoing monitoring to detect changes in ownership structure or risk level. As of February 2026, FinCEN issued exceptional relief on one requirement, adjusting how institutions handle beneficial ownership at each new account opening, but the core collection obligation remains.

What FinCEN’s CDD Final Rule Requires Financial Institutions to Collect?

The FinCEN KYB CDD rule sets four core requirements for covered institutions, two of which directly concern US beneficial ownership FinCEN disclosure and two of which govern the ongoing relationship once an account is open. Compliance teams that focus only on the onboarding stage and treat ongoing monitoring as an afterthought are the ones that surface in enforcement actions.

The 25% Ownership Threshold and the Controlling Person

As of May 2018, covered financial institutions must identify and verify any individual who owns 25% or more of a legal entity customer. They must also identify and verify at least one individual who holds significant managerial control over the entity, even if that person owns less than 25%. This dual-prong structure is what defines US UBO disclosure requirements under federal law. The FinCEN FAQ specifies that institutions must collect, at a minimum, the name, date of birth, address, and an identification number for each beneficial owner identified. For a fuller breakdown of what beneficial ownership means at each tier of a corporate structure, this UBO guide covers the ownership traversal mechanics in detail.

Understanding the Nature and Purpose of Customer Relationships

Beyond ownership, covered institutions must document why a business needs the account and what activity it expects to conduct. This is the “nature and purpose” requirement, and it feeds directly into the institution’s risk rating for the entity. A holding company, a professional services firm, and a cash-intensive retail business may all open corporate accounts, but each presents a different risk profile that shapes how deep the verification must go. The Rule also requires ongoing monitoring on a risk-sensitive basis, meaning that ownership data collected at onboarding must be refreshed when the institution detects material changes in the customer’s business or behaviour.

How the Corporate Transparency Act Changed KYB Obligations in 2025?

The Corporate Transparency Act (CTA), enacted in 2021, introduced a separate federal obligation: certain companies were required to file Beneficial Ownership Information (BOI) reports directly with FinCEN. The March 2025 interim final rule fundamentally changed who that applies to, and every compliance team working on Corporate Transparency Act KYB strategy needs to understand the current state of the law, not the version that existed at launch.

The 2025 Domestic Exemption

In March 2025, FinCEN issued an interim final rule that removed BOI filing obligations for all US domestic companies and their beneficial owners. The revised definition of “reporting company” now applies only to entities formed under the law of a foreign country that have registered to do business in a US state or tribal jurisdiction. FinCEN estimates that approximately 12,000 foreign reporting companies remain subject to the requirement, a reduction from the original estimate of 32.6 million companies in the Federal Register. Domestic companies should still maintain internal ownership records, since the CDD Final Rule independently requires financial institutions to collect that information at account opening.

The FinCEN Beneficial Ownership Database

The FinCEN beneficial ownership database, formally the BOI E-Filing System, went live in January 2024. Financial institutions that gain access to the database can cross-reference ownership data submitted by foreign reporting companies against what those companies disclose during account opening. For institutions onboarding foreign-registered businesses operating in the US, the BOI reporting portal is a supplementary reference point. It does not replace the institution’s own CDD Rule verification procedures, which apply regardless of what a company has or has not filed with FinCEN.

KYB State Registry Verification and AML Compliance for US Fintechs

KYB state registry verification USA is where the regulatory framework meets the operational reality of business onboarding. Every US state maintains a Secretary of State registry (or equivalent) that records business entity registration, officers, and registered agents. For KYB verification, a financial institution must check the specific state where a business is incorporated and any state where it holds foreign qualifications to operate across state lines.

LLC KYB verification Delaware is a common scenario because a large share of US LLCs and corporations register in Delaware regardless of where they operate. The Delaware Division of Corporations registry confirms legal existence, registered agent, and formation date. Delaware’s registry does not publish beneficial ownership data, which is why the CDD Final Rule’s separate identification procedure exists and cannot be substituted by a registry lookup alone.

For AML compliance in US fintech businesses, the BSA’s SAR obligations apply to any platform that onboards business customers and detects suspicious activity, not only to traditional banks. Payment processors, crypto exchanges, and money services businesses operating under FinCEN’s money services business framework must maintain AML programs that include entity-level monitoring, not only transaction-level screening. The OCC’s BSA/AML guidance and the FFIEC BSA/AML Examination Manual are the primary references examiners use to assess whether a KYB program meets the standard.

How Shufti helps fintech compliance teams meet US KYB obligations?

Most compliance teams running KYB against US business clients describe the same operational bottleneck. Registry verification, ownership identification, UBO identity checks, and business AML screening each sit in separate tools with manual handoffs between them. Each gap in that chain is a gap in the audit trail, and it is where the 4-5 hours per business onboarding that compliance operations consistently report gets consumed.

Shufti’s business verification connects entity registry lookups, UBO identification at the 25% threshold, identity verification of each beneficial owner, and business AML screening against global sanctions lists, PEP profiles, and adverse media in a single API workflow. Coverage spans 240+ countries, including US state registry data. When a business opens an account, the platform traverses the full ownership chain to the natural person level and returns a complete audit trail from the first request. Compliance teams get a verified, screened decision rather than a stack of outputs to reconcile manually.

To see how Shufti handles end-to-end US business verification, book a demo.