KYC (Know Your Customer)

Know Your Customer (KYC) is the set of procedures US financial institutions and certain other businesses use to identify and verify the people they do business with, anchored in the Customer Identification Program rule at 31 CFR 1020.220 and the broader Customer Due Diligence (CDD) framework under the Bank Secrecy Act.

Know Your Customer (KYC) is the discipline of identifying and verifying the people and entities a business deals with, then using that information to assess and manage risk on an ongoing basis. The US legal core is the Customer Identification Program (CIP) Rule at 31 CFR 1020.220 (for banks, with parallel sections for other institution types), added by section 326 of the USA PATRIOT Act of 2001. On top of the CIP sits the broader Customer Due Diligence (CDD) framework, including the 2018 CDD Rule. For US founders running contractor platforms and payouts, KYC is the gate through which every counterparty must pass.

How KYC Works

KYC has three layered components in US regulation:

  • Customer Identification Program (CIP). The minimum identity-and-verification baseline. Four data elements (name, date of birth or formation, address, taxpayer identification number) must be collected and verified using documentary, non-documentary, or a combination of methods, within a reasonable time after the account is opened. The CIP must be written, risk-based, and approved by the board (or equivalent governance).
  • Customer Due Diligence (CDD). Ongoing understanding of the relationship: nature and purpose, expected activity, and risk profile. Includes the 2018 Beneficial Ownership requirement to identify and verify beneficial owners of legal-entity customers at the 25 percent ownership threshold plus one control person.
  • Enhanced Due Diligence (EDD). Higher-rigor application of CDD to higher-risk customers and relationships. The categories that trigger EDD are defined by each institution’s risk assessment, but commonly include foreign politically exposed persons (PEPs), customers in high-risk jurisdictions, complex ownership structures, and customers in higher-risk industries.

The product of KYC is a risk-tiered view of the customer that drives the rest of the AML program (transaction monitoring sensitivity, SAR detection, and EDD periodic review cadence).

Who Must Run KYC

The direct CIP rule applies to defined financial institutions:

  • Banks and savings associations (31 CFR 1020.220)
  • Broker-dealers (31 CFR 1023.220)
  • Mutual funds (31 CFR 1024.220)
  • Futures commission merchants and introducing brokers (31 CFR 1026.220)
  • Money services businesses (31 CFR 1022)
  • Casinos and card clubs (31 CFR 1021)
  • Certain investment advisers (under the 2024 final rule, phased in)

The CDD Rule and Beneficial Ownership requirement apply to “covered financial institutions” (banks, broker-dealers, mutual funds, and futures commission merchants).

Non-financial businesses run KYC-equivalent processes for several adjacent reasons:

  • OFAC compliance. All US persons must screen counterparties against the SDN list and the comprehensive-sanctions jurisdictions.
  • FCPA third-party due diligence. US issuers and domestic concerns must vet third parties (distributors, agents, consultants) to manage FCPA risk.
  • Form 8300 recordkeeping. Trades and businesses receiving large cash payments must record payer identity and TIN.
  • Tax information returns. Form W-9 or W-8 collection is itself a KYC-equivalent step for the IRS reporting regime.

Required Information

The CIP minimum for a US individual:

  • Full legal name
  • Date of birth
  • Residential or business address
  • Taxpayer Identification Number (SSN, ITIN, or EIN for sole proprietors)

For a non-US individual:

  • Full legal name
  • Date of birth
  • Residential or business address
  • One of: US taxpayer identification number, passport number with country of issuance, alien identification card number, or other government-issued document number with country of issuance

For a legal-entity customer (under the 2018 CDD Rule):

  • Identity of beneficial owners at the 25 percent equity threshold
  • Identity of one control person (CEO, managing partner, or similar)

Verification can be documentary (passport, driver’s license, articles of incorporation) or non-documentary (database checks, public records, contacting the customer).

Penalties

KYC failures rarely produce a single per-violation fine. They produce systemic enforcement actions:

  • BSA civil penalties under 31 USC 5321. Up to 25,000 dollars per violation for negligent failures, up to the greater of the transaction or 100,000 dollars for willful failures, with higher amounts for pattern violations.
  • BSA criminal penalties under 31 USC 5322. Up to 250,000 dollars and 5 years of imprisonment per violation, doubled in aggravating circumstances.
  • Consent orders and enforcement actions. OCC, Federal Reserve, FDIC, FinCEN, and SEC commonly cite KYC and beneficial-ownership failures in supervisory orders, with seven- and eight-figure civil money penalties.
  • License risk. Banking and MSB licenses can be restricted or revoked for systemic KYC failures.
  • Personal accountability. Compliance officers and senior managers have faced personal enforcement actions for systemic KYC and CDD failures.

Common Pitfalls

  • Stale CIP. A customer file built once at onboarding and never refreshed. The CDD Rule requires ongoing maintenance of accurate customer information.
  • Form-over-substance beneficial ownership. Accepting a control-person attestation without verifying that the person actually has authority. Examiners now expect documentary or non-documentary verification of the control person, not just self-attestation.
  • Missing PEP screening. Foreign PEP status raises FCPA and corruption risk and triggers EDD. A KYC program without PEP screening is incomplete.
  • One-size-fits-all risk rating. Treating all customers the same defeats the risk-based purpose of KYC. Risk tiering must drive monitoring sensitivity and refresh cadence.
  • Confusing KYC with identity-fraud prevention. Identity-fraud tools detect that the document is real and belongs to the person presenting it. KYC also asks who that person is in the AML risk sense (PEP, sanctioned, high-risk jurisdiction).

Related Terms

  • AML: the broader compliance regime KYC supports.
  • BSA Reporting: the specific reports (CTR, SAR, FBAR, Form 8300) that depend on accurate KYC.
  • OFAC Sanctions Screening: the parallel screening regime that uses KYC output as input.
  • FCPA: third-party due diligence regime that overlaps with KYC for PEP and high-risk-jurisdiction screening.

Omnivoo Contract Management runs CIP-grade contractor identification, beneficial-ownership verification for entity contractors, PEP and sanctions screening, and ongoing risk-tier maintenance, with a documentation trail aligned to US AML examiner expectations.

Frequently asked questions

What is the Customer Identification Program (CIP)?

The CIP is the rule, codified at 31 CFR 1020.220 (for banks), 31 CFR 1023.220 (for broker-dealers), and equivalent sections across financial-institution categories, that requires institutions to obtain and verify four pieces of identifying information for each customer: name, date of birth (for individuals), address, and taxpayer identification number. The CIP must be written, board-approved, and risk-based. It was added by section 326 of the USA PATRIOT Act of 2001.

What is Customer Due Diligence (CDD)?

CDD is the broader, ongoing process of understanding a customer relationship beyond initial identity verification. It includes understanding the nature and purpose of the relationship, monitoring transactions, updating customer information, and identifying and verifying beneficial owners of legal-entity customers under FinCEN's 2018 CDD Rule. CDD is the operating layer of an AML program.

What is Enhanced Due Diligence (EDD)?

EDD is the elevated form of CDD applied to higher-risk customers. Triggers commonly include politically exposed persons (PEPs), customers in or doing business with high-risk jurisdictions (including FATF grey- and black-listed countries), customers in high-risk industries, and customers exhibiting unusual transaction patterns. EDD requires additional information, more frequent monitoring, and often senior-management approval of the relationship.

What is the Beneficial Ownership Rule?

FinCEN's 2018 CDD Rule requires covered financial institutions to identify and verify the beneficial owners of legal-entity customers at account opening. A beneficial owner is any individual who owns 25 percent or more of the equity interests of the entity, plus one individual who controls the entity (such as a CEO or managing partner). The Corporate Transparency Act, enacted as part of the AML Act of 2020, added a separate filing obligation directly on most US entities to file beneficial-ownership information with FinCEN, though the implementation has been subject to ongoing litigation and rule changes.

Does KYC apply to non-financial businesses?

Direct KYC obligations under 31 CFR Chapter X primarily apply to defined financial institutions. However, non-financial businesses often run KYC-equivalent processes for other reasons: OFAC sanctions screening (which applies to all US persons), Form 8300 cash-payment recordkeeping, contractor and vendor due diligence under FCPA, and customer identification under specific sector rules (such as dealers in precious metals).
