kyc-aml-compliance


KYC AML Compliance

Domain Overview

KYC/AML compliance in U.S. banking operates under a layered regulatory architecture rooted in the Bank Secrecy Act of 1970 (codified at 31 USC 5311-5336 and 12 USC 1829b, 1951-1960), as amended by the USA PATRIOT Act of 2001, the AML Act of 2020, and the Corporate Transparency Act. FinCEN serves as the primary administrator of BSA regulations (31 CFR Chapter X), while prudential regulators—the OCC, Federal Reserve, FDIC, and NCUA—examine institutions for compliance and bring enforcement actions. Global AML/KYC penalties reached $4.5 billion in 2024, with the TD Bank $3.1 billion settlement alone representing the largest BSA penalty in history. The enforcement environment is intensifying: federal banking agencies announced more than three dozen enforcement actions in 2024 against banks and individuals for BSA/AML/CFT failures.

A compliant BSA/AML program requires four statutory pillars plus a fifth added by the CDD Rule: (1) internal policies, procedures, and controls; (2) a designated BSA/AML compliance officer; (3) ongoing employee training; (4) independent audit/testing; and (5) risk-based customer due diligence procedures including beneficial ownership identification for legal entity customers. The AML Act of 2020 further inserted "countering the financing of terrorism" (CFT) into program requirements, mandated a government-wide AML/CFT priorities framework, and established FinCEN's beneficial ownership information (BOI) registry under the Corporate Transparency Act.

The FFIEC BSA/AML Examination Manual structures the supervisory approach around a risk-focused methodology. Examiners evaluate whether a bank's compliance program is commensurate with its risk profile across four dimensions: products/services, customers, geographic locations, and transaction volumes. Banks have flexibility in program design, but the program must demonstrably manage—not merely document—money laundering, terrorist financing, and other illicit financial activity risks. The 2025 regulatory environment reflects a dual trend: enforcement of willful violations remains aggressive (FinCEN's "first-of-its-kind data-driven enforcement operation" targeting 100+ MSBs), while regulators simultaneously ease low-value compliance burdens (FinCEN's February 2026 exceptive relief from per-account beneficial ownership re-verification under FIN-2026-R001).

Internationally, FATF's 40 Recommendations establish the global baseline. The U.S. is rated "compliant" or "largely compliant" with 31 of 40 FATF Recommendations but remains "non-compliant" on Recommendations 22, 23, and 28 (designated non-financial businesses and professions). FATF Recommendation 1 mandates the risk-based approach as the organizing principle for all AML/CFT measures, and Recommendation 10 specifies CDD requirements including beneficial ownership identification.

Core Decision Framework

Risk-Based Approach Decision Tree

The practitioner's mental model operates across three tiers of escalating scrutiny:

Tier 1 — Standard Due Diligence (SDD/CDD): Applied to all customers at onboarding. Collect CIP minimum data (name, address, DOB, TIN/SSN per 31 CFR 1020.220). Screen against OFAC SDN list, 314(a) requests, and PEP databases. Assign initial risk rating based on customer type, geography, product mix, and expected activity. For legal entity customers, identify and verify beneficial owners per 31 CFR 1010.230 (≥25% equity owners plus one individual with significant management responsibility).
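As an added illustration of the beneficial-ownership step above (not code from the skill itself), the following Python resolves the 25% equity prong through layered holding companies and records the control-prong individual, flagging any chain the bank has not yet resolved; the entity names, fractions and the Entity type are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 0.25  # ownership prong: 25% or more of equity (31 CFR 1010.230)

@dataclass
class Entity:
    """A legal entity in the ownership chain (constructed example type)."""
    name: str
    owners: dict = field(default_factory=dict)   # holder name -> equity fraction
    control_person: Optional[str] = None         # control prong: one senior manager

def effective_ownership(entities, root, _path=()):
    """Multiply fractions down each chain so that indirect holdings by
    individuals surface as one effective fraction per individual."""
    if root in _path:
        raise ValueError(f"circular ownership through {root}")
    result = {}
    entity = entities[root]
    if not entity.owners:                        # ownership not yet established
        result[f"UNRESOLVED:{root}"] = 1.0
        return result
    for holder, frac in entity.owners.items():
        if holder in entities:                   # intermediate entity: look through
            for person, sub in effective_ownership(entities, holder, _path + (root,)).items():
                result[person] = result.get(person, 0.0) + frac * sub
        else:                                    # natural person: terminal holder
            result[holder] = result.get(holder, 0.0) + frac
    return result

def identify_beneficial_owners(entities, customer):
    """Return the individuals to collect and verify under both CDD prongs, plus gaps."""
    shares = effective_ownership(entities, customer)
    gaps = [k for k in shares if k.startswith("UNRESOLVED:")]
    ownership = {p: round(f, 6) for p, f in shares.items()
                 if f >= THRESHOLD and not p.startswith("UNRESOLVED:")}
    control = entities[customer].control_person
    if control is None:
        gaps.append("CONTROL_PERSON_MISSING")
    return {"ownership_prong": ownership, "control_prong": control, "gaps": gaps}

# Constructed sample: customer Acme Holdings LLC with one intermediate holding company
SAMPLE = {
    "Acme Holdings LLC": Entity("Acme Holdings LLC",
        {"Midco Inc": 0.60, "Alice Example": 0.40}, control_person="Erin Example"),
    "Midco Inc": Entity("Midco Inc",
        {"Bob Example": 0.50, "Carol Example": 0.30, "Dave Example": 0.20}),
}

if __name__ == "__main__":
    print(identify_beneficial_owners(SAMPLE, "Acme Holdings LLC"))
```

Carol (18%) and Dave (12%) hold Midco stakes above 25% of Midco but fall below the threshold once looked through to the customer, which is why the look-through matters.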

First Seen: Apr 5, 2026