Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)


name; date of birth; address; identification number; residential address
name; date of birth; identification number
name; identification number; principal place of business
no true national identity card
1) In 1970 the United States Congress passed the Currency and Foreign Transactions Reporting Act, commonly known as the Bank Secrecy Act (“BSA”);
2) Money Laundering Control Act (1986);
3) Anti-Drug Abuse Act of 1988;
4) Annunzio-Wylie Anti-Money Laundering Act (1992);
5) Money Laundering Suppression Act (1994);
6) Money Laundering and Financial Crimes Strategy Act (1998);
7) Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act);
8) Intelligence Reform & Terrorism Prevention Act of 2004;
9) Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (“CISADA”); and
10) Iran Threat Reduction and Syria Human Rights Act of 2012.
The USA PATRIOT Act of 2001 is the most significant of the enhancements and amendments to the BSA. Section 312 of the USA PATRIOT Act requires US financial institutions to obtain beneficial ownership/enhanced due diligence (“EDD”) information in certain situations as delineated under §312 for US correspondent accounts held by certain foreign financial institutions, and for private banking accounts held by foreign persons (including politically exposed persons).
Board of Governors of the Federal Reserve System (“FRB”); Office of the Comptroller of the Currency (“OCC”); Federal Deposit Insurance Corporation (“FDIC”).
other financial services: a. credit unions: National Credit Union Administration (“NCUA”); b. broker dealers: US Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”) and New York Stock Exchange (“NYSE”), which is an SRO for exchange members; c. registered mutual funds: SEC; d. commodity and futures firms: US Commodities Futures Trading Commission (“CFTC”) and the National Futures Association (“NFA”); e. Money Services Businesses (“MSB”): FinCEN and the Internal Revenue Service (“IRS”); f. insurance companies: FinCEN and IRS; g. non-bank residential mortgage lenders and originators as loan or finance companies: IRS; and h. consumer protection for financial products and services: Consumer Financial Protection Bureau (“CFPB”).
a) banking: Federal Financial Institutions Examination Council (“FFIEC”); FRB’s Supervision and Regulation Letters (“SR Letters”); and the FFIEC’s information technology examination handbook (IT handbook) (note: the FFIEC manual was updated on 17 Nov 2014 for the first time since 2010, which indicates that 2015 regulatory exams in the US will follow the updated BSA/AML requirements delineated in the new FFIEC guidance manual); b) MSBs: FinCEN’s BSA/AML Examination Manual for Money Services Businesses; c) broker dealers: SEC’s AML source tool for broker-dealers; d) registered mutual funds: SEC’s AML source tool for mutual funds; and e) commodity and futures firms.
Section 326 of the USA PATRIOT Act requires banks, savings associations, credit unions and certain non-federally regulated banks (“banks”) to have a Customer Identification Program (“CIP”). Broker-dealers in securities are subject to similar regulations. In January 2004, FinCEN published Guidance on the CIP regulations clarifying that the CIP rule applies to customers that establish new accounts after 1 Oct 2003 and does not apply retrospectively unless the bank establishing a new relationship does not have a reasonable belief that it knows the true identity of the customer.
No. Basic CIP information and customer due diligence (“CDD”) is required for all accounts / customers regardless of activity level or transaction amounts. Specific CDD and EDD requirements can vary based on an institution’s unique risks and internal policy requirements.
a) name; b) date of birth; c) residential or business address (an army or fleet post office box number or the residential address of next of kin may be substituted); and d) identification number (can be determined by the institution, but should typically be a Taxpayer Identification Number (“TIN”) for both individuals and entities, e.g. a social security number or employer identification number).
a) name; b) principal place of business, office location, or other physical location of operations / presence; and c) identification number.
Financial institutions do not currently have explicit regulatory requirements to obtain and retain information on the beneficial owners of a customer entity except as required by Section 312 of the USA PATRIOT Act, where identification of beneficial owners of certain high risk correspondent accounts is mandated as part of the EDD requirements associated with correspondent accounts. Currently U.S. financial institutions have adopted risk-based approaches to CDD and the collection of beneficial ownership information. The level of ownership in a customer entity that triggers beneficial owner identification and due diligence should be determined by the AML risk rating of the customer. It is generally considered that, at a minimum, any beneficial owner holding greater than a 25% interest in the customer entity should be subject to due diligence, and many institutions collect beneficial ownership information at 10% for high risk entities. As a matter of good practice, the percentage of ownership that triggers due diligence should be lower as the AML risk of the customer / account increases. Note: FinCEN issued a Notice of Proposed Rulemaking (“NPRM”) on CDD requirements for banks, broker dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities on 4 Aug 2014. This followed the issuance of an Advance Notice of Proposed Rulemaking (“ANPRM”) related to CDD and beneficial owner requirements in February 2012. Final comments from industry on the NPRM were due on 3 Oct 2014. The proposed rule would come under the BSA to clarify and strengthen CDD requirements for: (i) banks; (ii) brokers or dealers in securities; (iii) mutual funds; and (iv) futures commission merchants and introducing brokers in commodities. The proposed rule would contain explicit CDD requirements and would include a new requirement to identify beneficial owners of legal entity customers, subject to certain exemptions.
FinCEN has stated that, “proposing clear CDD requirements is the most effective way of clarifying, consolidating, and harmonising expectations and practices across all covered financial institutions.” As of November 2015, a final rule has not yet been promulgated.
Section 312 of the USA PATRIOT Act requires financial institutions to conduct enhanced due diligence when establishing private banking accounts in the U.S. for a non-U.S. person and for certain high risk foreign correspondent accounts. Typically, customers classified as high risk based on an institution's customer risk rating methodology are also subject to EDD. Factors that would be considered in determining a customer's risk rating would include, at a minimum: geography, nature of business / employment, products / services / channels utilised and potentially legal entity structure, among other factors. The FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual also provides guidance on products, services, customers and entities that pose inherently higher risks and thus may require EDD; these include but are not limited to: a) Politically Exposed Persons (“PEPs”); b) third party payment processors; c) embassy, foreign consulate and foreign mission accounts; d) Money Services Businesses (“MSBs”); e) professional services providers; f) non-governmental organizations and charities; and g) cash intensive businesses. The KYC program should also include periodic risk-based monitoring of the customer information to determine if there are any substantive changes to the original customer information. High risk customer relationships are generally reviewed annually.
Section 312 of the USA PATRIOT Act requires financial institutions in the U.S. providing private banking services to non-U.S. persons to identify those accounts associated or linked to PEPs and conduct EDD to reasonably ensure the funds in the account are not derived from corruption or other illegality. Institutions are expected to take similar steps as part of risk management to identify PEPs in other areas of the institution. This should include collecting sufficient information from each customer to allow for the determination of PEP status (including relatives and close associates).
Section 312 of the USA PATRIOT Act directs covered US financial institutions to establish a due diligence program for correspondent banking that at a minimum: a) determines whether the account is subject to enhanced due diligence under section 312; b) assesses the money laundering risk posed, based on a consideration of relevant risk factors; and c) applies risk-based policies, procedures, and controls to each correspondent account reasonably designed to detect and report known or suspected money laundering activity, including a periodic review of the correspondent account activity. The rule itself provides guidance in assessing the risks posed by a correspondent relationship. Section 312 contains a provision requiring U.S. financial institutions to apply EDD when establishing or maintaining a correspondent account for a foreign bank that is operating: a) under an offshore banking license; b) in a jurisdiction found to be non-cooperative with international anti-money laundering principles; or c) in a jurisdiction found to be of primary money laundering concern under §311 of the USA PATRIOT Act. In cases where EDD is required, the institution is required to take reasonable steps to: a) conduct appropriate enhanced scrutiny; b) determine whether the foreign bank itself offers correspondent accounts to other foreign banks (i.e., nested accounts) and, as appropriate, identify such foreign bank customers and conduct additional due diligence on them; and c) identify the owners of such foreign bank if its shares are not publicly traded (most institutions maintain a list of approved stock exchanges). Generally, enhanced scrutiny of the transactions associated with any correspondent accounts should be performed to guard against the increased risk of money laundering, in order to identify and report any suspicious transactions / activity as required by US regulations and law.
Yes. Note that a foreign shell bank does not include an entity defined as a regulated affiliate, i.e. the law defines this term to be an entity with an offshore banking license that: a) is an affiliate of a depository institution that maintains a physical presence in the U.S. or a country other than the U.S.; and b) is subject to supervision by a banking authority in the country regulating the affiliated depository institution.
In circumstances where a financial institution establishes a relationship with a customer remotely, the institution will need to employ non-documentary methods to verify the identity of the client, since it will not be able to compare the customer against photo identification, or it will need to establish appropriate reliance agreements in order to rely on a third party who will conduct CIP on behalf of the institution. As part of its CIP, a financial institution should define whether it will accept remote account opening and, if so, what documentary and non-documentary methods will be used to verify customer identity. As a general rule, U.S. regulators encourage the use of more than one method to verify identity.
FinCEN - Department of the Treasury
Yes. Additional reporting includes: a) Currency Transaction Reports (“CTR”); b) Report of International Transportation of Currency or Monetary Instruments (“CMIR”); c) Foreign Bank Account Report (“FBAR”); and d) record keeping for certain funds transfers and funds transfer transparency (the Travel Rule).
Yes. Penalties for non-compliance are set out in the BSA; see also the relevant regulations of FinCEN. Generally, institutions must ensure that all employees know and understand the rules surrounding SAR confidentiality, safe harbour and whistle-blower protections.
No. While there are no explicit legal or regulatory requirements to use an automated monitoring system per se, regulators and independent monitors have placed a tremendous amount of scrutiny on the effectiveness of these systems and the data that are feeding into them. Each institution is expected to tailor and tune their automated transaction monitoring systems based on its own risk profile and business strategy. Furthermore, regulators view automated transaction monitoring systems as models, and require independent validation of these systems.
Yes, but the financial institution should determine which transactions can be monitored outside its jurisdiction on a risk adjusted basis.
Yes. To comply with the USA PATRIOT Act, a financial institution must implement an AML program that includes, at a minimum: a) the development of internal policies, procedures, and controls (e.g. to determine what is unusual or suspicious activity and what steps to take once an unusual activity is identified); b) the designation of a compliance officer; c) an ongoing employee training program; and d) an independent audit function to test the programs. In the US, this independent review can be conducted internally (e.g. by the financial institution’s internal audit function), externally or be co-sourced.
Generally, BSA/AML audits are conducted every 12 to 18 months. The audit frequency and scope are set by the institution.
AML audit reports are generally submitted to the Audit Committee of the Board of Directors, as well as to the Business Unit and Compliance Head for the business that is the subject of the audit. BSA/AML audit reports are reviewed by the relevant regulatory agency when examiners come in to examine the institution, as part of ongoing supervision, or as part of an enforcement action.
Electronic Communications Privacy Act of 1986
Fair Credit Reporting Act of 1970, which was amended by the Fair and Accurate Credit Transactions Act of 2003
On 23 Nov 2010, FinCEN issued guidance, effective 1 Mar 2011, interpreting binding regulations regarding the sharing of SARs by US banks. The guidance provides that a US bank may share a SAR, or any information that would reveal the existence of a SAR, with a domestic affiliate, provided the affiliate is subject to a SAR regulation. The guidance defines ‘affiliate’ of a bank to mean any company under common control with, or controlled by, that depository institution. The guidance also provides that a US bank that has filed a SAR may not share the SAR, or any information that would reveal the existence of a SAR, with its foreign branches. Banks and the securities and futures industries may, however, share SARs with their head/parent office irrespective of the head / parent office’s location.
non-documentary methods
The U.S. passport card is the de jure national identity card of the United States of America.
The ESIGN Act and most state laws exclude real property transfers, wills and some legally required notices to consumers.
Both the ESIGN Act and UETA provide that a signature will not be denied legal effect or enforceability solely because it is in electronic form.
Summary of law: The federal government adopted ESIGN in 2000. In addition, every state has adopted an electronic signature law, with 47 adopting a version based on UETA. These minimalist, or permissive, laws permit the use of electronic signatures for virtually all types of agreements. However, it is important to obtain the prior consent of all parties to conduct business electronically.
The BSA laws and regulations have not changed dramatically within the past two years. Recently, however, there has been a change related to sanctions. The Joint Comprehensive Plan of Action (“JCPOA”), an international agreement, is arguably the most recent significant event to impact the US sanctions environment. It should be noted, however, that the economic landscape for US companies and their foreign subsidiaries or affiliates will experience little to no change as a result of the JCPOA terms. The vast majority of US sanctions relief provided by the JCPOA is only applicable to non-US companies and financial institutions, and specified foreign governments. Sanctions relief provided by the JCPOA will only target specified key industries / areas. Additionally, on 25 Aug 2015 the Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (“NPRM”) to impose AML programs and additional reporting requirements on investment advisers registered with the US Securities and Exchange Commission (“SEC”). If adopted, the proposal would: a) require registered investment advisers to develop and maintain written AML programs reasonably designed to prevent money laundering and terrorist financing and to achieve compliance with the BSA; b) include registered investment advisers within the meaning of "financial institutions" for purposes of the BSA's implementing regulations and impose specific reporting requirements; c) require that registered investment advisers monitor for suspicious activity and file SARs with FinCEN; and d) delegate examination authority for compliance to the SEC.
non-financial sector: FinCEN and/or IRS also cover the following sectors: casinos; mortgage companies and brokers; and precious metals/jewellery.
Yes. A risk-based approach to AML is expected by U.S. regulators. BSA/AML U.S. regulatory guidance is provided in the FFIEC BSA/AML Examination Manual (December 2014).
While US regulations do not go into depth on specific verification or authentication requirements, the rules around CIP set forth the following minimum requirements:
Verification through documents: An institution must ensure its CIP includes procedures that set forth the documents that can be used as part of the verification process. These documents may include: a) for an individual, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver's license or passport; and b) for non-individuals (e.g. a corporation, partnership, or trust), documents showing the existence of the entity, which can include certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument.
Verification through non-documentary methods: An institution must ensure its CIP includes procedures that describe the non-documentary methods that can be used as part of the verification process. It should also cover circumstances in which the institution is unable to verify the true identity of a customer through the documents presented / available (31 C.F.R. §103.121).
Any firm contemplating the transfer of data from a non-US jurisdiction into the US should note that financial records within the US are subject to examination by a wide array of US regulatory and law enforcement bodies.
GLBA generally prohibits a bank from disclosing non-public client data to a non-affiliated third party unless it: a) provides the client with a notice of its policies and procedures regarding its disclosure and protection of non-public personal client data; and b) provides the client with an opportunity to prevent the bank from sharing his or her non-public client data with non-affiliated third parties. Thus, in contrast to EU bank secrecy laws, most of GLBA's restrictions on the transfer of personal data do not apply unless a client chooses to have them apply. In addition, GLBA does not restrict a bank's ability to share non-public personal client data. Each of the regulators charged with implementing GLBA has issued regulations. The regulations issued by the OCC are at 12 CFR 30 App. B and 12 CFR 40.
The Right to Financial Privacy Act (1978) does not apply to cross-border transfers of data.
The Fair Credit Reporting Act (1970) does not apply to cross-border transfers of data.
The Bank Secrecy Act of 1970 (“BSA”): despite the name, this law governs the detection and prevention of money laundering rather than the protection of client data.
Please note that these laws are the primary federal laws. State laws may also apply. Due to a change made to the pre-emption standard applicable to national banks by the Dodd-Frank Wall Street Reform and Consumer Protection Act, signed into law 21 Jul 2010, national banks may soon be subject to additional state privacy laws. See Public Law No: 111-203 § 1044 (‘State Law Pre-emption Standards for National Banks and Subsidiaries Clarified’).