Oct 31, 2022
AML/KYC Guide to the USA—How Businesses Can Stay Compliant

Learn how financial institutions can stay AML-compliant in the United States and ensure a smooth onboarding process.

The United States is a leader in the fight against money laundering and the financing of terrorism. Still, up to $300 billion is laundered in the US annually, with AML compliance costing US firms up to $25.3 billion per year. 

The US was one of the first countries in the world to make money laundering a federal crime with its Money Laundering Control Act of 1986 (Public Law 99-570). Today, the US is a member of the Financial Action Task Force (FATF) and has a strong AML/CFT framework that imposes heavy penalties for noncompliance. One recent example is the $29m fine imposed on crypto exchange Bittrex for violating the Bank Secrecy Act. 

To avoid severe penalties, financial institutions must know the relevant AML requirements in the US and understand how to stay compliant. We’ve come up with the following guidelines to help.

Who’s affected?

Financial institutions must comply with AML rules in the US and maintain risk-based AML programs. This includes:

  • Banks
  • Money-service businesses (currency dealers or exchangers, check cashers, issuers of traveler’s checks or money orders, sellers or redeemers of traveler’s checks or money orders, money transmitters)
  • Insurance companies
  • Brokers/dealers in securities
  • Domestic financial institutions
  • US branches of foreign financial institutions
  • Non-US operations of foreign financial institutions due to their relationship with their US-based operations, particularly through correspondent banking relationships
  • Financial institutions operating exclusively outside the US if their transactions are processed through a US financial institution, or if US sanctions affect the financial institutions or the countries in which they operate
  • US persons, defined as “an individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.”

Foreign subsidiaries of US financial institutions must also comply with United States anti-money laundering laws. 

Who’s the regulator?

The Financial Crimes Enforcement Network (FinCEN)

The main US financial regulator and Financial Intelligence Unit (FIU) is the Financial Crimes Enforcement Network (FinCEN), which operates under the authority of the US Department of the Treasury.

FinCEN oversees all financial institutions in the US to prevent money laundering and the financing of terrorism. Its responsibilities involve the collection of transaction data from local companies and distribution of that data for law enforcement purposes. FinCEN can partner with law enforcement agencies at the state and federal levels to assist in criminal investigations. The watchdog also cooperates with its international counterparts in order to fight global financial crimes.

The Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (OFAC) works to identify already known criminals. The watchdog oversees US sanctions programs to ensure that companies comply with the trade prohibitions on targets inscribed in the relevant sanctions lists.

There are a number of sanctions lists in the US, but the main one is the Specially Designated Nationals and Blocked Persons List (SDN). The SDN list includes the names of persons designated for economic sanctions within a US global sanctions program. 

What are the main regulations?

The Bank Secrecy Act

The primary AML legislation in the US is the Bank Secrecy Act (BSA). Implemented in 1970, the BSA imposes reporting and record-keeping obligations on US financial institutions (including banks, brokerage firms, insurance companies, etc.) in order to prevent criminals from using their products and services to launder the proceeds of their crimes.

Under the Bank Secrecy Act (BSA) and related anti-money laundering laws, financial institutions must:

  • Establish effective BSA compliance programs;
  • Establish effective customer due diligence systems and monitoring programs;
  • Screen Office of Foreign Assets Control (OFAC) and other government lists;
  • Establish an effective suspicious activity monitoring and reporting process;
  • Develop risk-based anti-money laundering programs.

In most cases, financial institutions are obliged to collect tax identification numbers of US citizens or residents, such as social security numbers (SSNs), together with their full name, date of birth, and address.

An SSN is a unique 9-digit number directly linked to an individual’s identity. If an SSN is stolen or forged, a criminal can gain illegitimate access to a person’s bank accounts, credit cards, tax and employment history, and other private information.

If you need KYC for US, use Sumsub — a full-cycle verification platform that secures the whole user journey.

The Patriot Act

After 9/11, the US passed the USA Patriot Act as an amendment to the BSA. The Patriot Act gave US law enforcement agencies further powers when investigating suspected terrorism financing.

In particular, the Patriot Act imposes a range of Customer Due Diligence (CDD) and screening responsibilities on US companies, with a focus on international transactions. The Patriot Act imposes criminal and financial penalties for persons found to be in violation of CFT compliance regulations.

AMLA 2020

In 2021, the US introduced the Anti-Money Laundering Act (AMLA) 2020, the most notable reform to the country’s AML/CFT legislation since the Patriot Act. Its purpose is to manage the threats posed by new technologies and criminal methodologies. The regulatory measures introduced by the AMLA include broadened international information sharing rules, increased penalties for money laundering, new beneficial ownership requirements to prevent the misuse of shell companies, and new whistleblower protections.

How to stay compliant

As a FATF member state, the US requires financial institutions to take a risk-based approach to AML/CFT. This means that they must conduct a Know Your Customer (KYC) assessment to identify clients during onboarding, establish the level of compliance risk they represent, and deploy AML/CFT measures in proportion to that risk. As a result, companies may subject higher-risk customers to enhanced monitoring and screening measures.

A proper US AML program

A good US AML compliance program must include the following procedures:

  • Customer identification. Firms in the US must establish and verify the identities of their customers in order to conduct an effective risk assessment. The Customer Due Diligence (CDD) process should involve the collection of names, addresses, dates of birth, tax identification numbers and beneficial ownership information.
  • Ongoing monitoring. Businesses must refresh KYC data held on customers in order to ensure it is complete and up to date, and reflects current circumstances.
  • Transaction screening. US institutions must screen their customers’ transactions for signs of suspicious activity, including unusual transactions, transactions with high-risk customers and jurisdictions, or transactions involving sanctions targets.
  • Politically Exposed Persons (PEPs). High-ranking officials represent an increased risk of money laundering. US firms should therefore screen customers against PEP lists to determine the level of compliance risk they present.
  • Sanctions screening. US companies must screen their customers against relevant sanctions lists, including the SDN list and the UNSC sanctions list.

Enhanced due diligence

Under the risk-based approach to AML/CFT, the US requires firms to subject higher-risk customers to Enhanced Due Diligence (EDD) measures. The EDD process includes a greater degree of AML/CFT scrutiny, stronger identity verification measures, and checks into the sources of customer funds.

Adverse media checks

Criminal cases may be reported in the news before official sources confirm them. Accordingly, the EDD process may also include adverse media screening, which requires financial institutions to search news sources for the customer’s involvement in negative stories (including terrorism, terrorist financing, financial crime, organized crime, kidnapping, corruption, and tax crime).

Suspicious activity reports

Financial institutions must submit a Suspicious Activity Report (SAR) using the Bank Secrecy Act (BSA) E-Filing System no later than 30 calendar days after the date when signs of money laundering were initially detected.

Further reporting obligations

Financial institutions are required to assist US government bodies in detecting and preventing money laundering by:

  • Keeping records of cash purchases of negotiable instruments;
  • Filing reports of cash transactions exceeding $10,000 (daily aggregate amount);
  • Reporting suspicious activity that might signal criminal activity (e.g., money laundering or tax evasion).


Criminal penalty

The maximum BSA-related criminal penalty is $250,000 and up to five years’ imprisonment. However, if the violation is part of a pattern of conduct involving more than $100,000 over a 12-month period and involves the violation of another US criminal law, the penalty increases to $500,000 and up to 10 years’ imprisonment.

Civil penalty

The maximum BSA-related civil penalty may also differ. For example, federal banking regulators have the authority to impose penalties from $5,000 per violation to $1,000,000, or 1% of the assets of a financial institution, whichever is greater, for every day that the violation occurs.

Other federal watchdogs and self-regulatory organizations have independent civil penalty authorities. Penalties are mainly assessed for AML compliance program deficiencies, failures to file suspicious activity reports (SARs), and the presence of other BSA violations.


  • What is considered money laundering in the US?

    According to the US Department of the Treasury, money laundering means financial transactions in which criminals, including terrorist organizations, attempt to disguise the proceeds, sources or nature of their illicit activities.

  • Who regulates AML in the US?

    The Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) are the country’s main AML watchdogs.

  • What is the US Anti-Money Laundering law?

    The key AML laws are the Bank Secrecy Act and the Patriot Act.

  • How should money laundering be reported in the US?

    Financial institutions must submit suspicious activity reports via the BSA E-Filing System within 30 calendar days from the moment of detecting signs of money laundering.

  • What is KYC in the USA?

    KYC verification is the process of verifying a customer’s identity to help comply with the AML regulations in the US.

  • Is KYC required in the USA?

    Yes. The US Financial Crimes Enforcement Network (FinCEN) requires financial institutions to comply with KYC standards to prevent criminal activity.
