KYC and AML for Crowdfunding Platforms: US Compliance 2026

US crowdfunding platforms sit at the intersection of some of the most demanding compliance frameworks in global finance. Unlike the European Union's unified European Crowdfunding Service Provider (ECSP) regulation, the United States has no single crowdfunding compliance law. Instead, platforms must navigate a multi-regulator environment: the Securities and Exchange Commission (SEC) governs securities offering rules, the Financial Crimes Enforcement Network (FinCEN) enforces anti-money laundering (AML) obligations under the Bank Secrecy Act (BSA), and the Financial Industry Regulatory Authority (FINRA) oversees funding portals as a self-regulatory organization. Add state-level licensing requirements, OFAC sanctions screening, and an evolving patchwork of data privacy laws, and the compliance burden for US equity crowdfunding platforms becomes clear.

This guide breaks down the key Know Your Customer (KYC) and AML obligations that US crowdfunding platforms must meet in 2026, covering investor verification, business issuer due diligence, suspicious activity reporting, and data privacy requirements.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date (June 2026). Consult a qualified professional for advice tailored to your specific situation.

---

US Crowdfunding Regulation: Reg CF, SEC, and FINRA

The primary federal framework for equity crowdfunding in the United States is Regulation Crowdfunding (Reg CF), codified at 17 CFR Part 227 and enacted under Title III of the Jumpstart Our Business Startups (JOBS) Act. Reg CF became effective in May 2016 and was significantly expanded by SEC amendments that took effect in March 2021, raising the maximum amount an issuer can raise in a 12-month period from $1.07 million to $5 million.

Under Reg CF, any platform that facilitates securities-based crowdfunding offerings must register with the SEC and FINRA. Platforms have two registration options:

• Funding Portal: a lighter-touch registration category created by the JOBS Act, exclusive to Reg CF transactions, with restrictions on activities such as providing investment advice or holding investor funds directly.
• Broker-Dealer: full SEC and FINRA registration, allowing a broader range of activities but subject to the complete set of broker-dealer rules, including comprehensive BSA/AML program requirements.

FINRA oversees all funding portals as their designated examining authority, setting conduct rules, reviewing AML programs, and conducting examinations. Non-compliance can result in FINRA sanctions, SEC enforcement action, or both.

Reg CF is one of three main exemptions US platforms use for crowdfunding raises. The table below compares the most commonly used frameworks:

Regardless of which exemption a platform relies on, BSA AML obligations apply whenever the platform meets the definition of a covered financial institution. Platforms using Rule 506(b) or 506(c) privately typically operate as registered investment advisers or broker-dealers rather than funding portals, and face their own set of compliance requirements.

For a practical overview of how these document requirements translate into operational workflows, see our document compliance guide.

---

KYC Requirements: CIP, CDD, and Customer Identification

The foundation of US KYC law for financial institutions is the Customer Identification Program (CIP), required under BSA Section 352 and implemented through FinCEN's regulations at 31 CFR 1020.220. For broker-dealers — including crowdfunding platforms that register as broker-dealers — CIP is a mandatory, codified obligation. Funding portals occupy a gray area: the JOBS Act exempted them from most broker-dealer rules, so the formal CIP requirement does not apply directly. However, FINRA has made clear that funding portals must adopt AML programs that include customer identification procedures as a matter of good practice, and examinations assess whether those programs are robust.

For individual investors and issuers, CIP requires collecting and verifying:

• Full legal name
• Date of birth
• Residential address (not a P.O. box, unless the individual has no residential address)
• Social Security Number (SSN) — or Individual Taxpayer Identification Number (ITIN) for foreign nationals without an SSN

Acceptable identity documents include a US passport, a state-issued driver's license, a state-issued photo ID card, or a military ID. Electronic verification using data from credit bureaus or government databases is also acceptable under FinCEN rules, and is increasingly the standard approach for digital-first platforms.

For legal entities, platforms must comply with FinCEN's Customer Due Diligence (CDD) Rule at 31 CFR 1010.230. The CDD Rule requires identifying and verifying:

• Any natural person who owns 25% or more of the equity interests in the entity (the beneficial ownership prong)
• At least one individual with significant managerial control over the entity (the control prong), even if no single person owns 25% or more

The Corporate Transparency Act (CTA), effective January 1, 2024, adds a parallel layer: most US LLCs, corporations, and similar entities must file Beneficial Ownership Information (BOI) reports directly with FinCEN. Platforms performing KYB can use BOI filings as an additional cross-check, although FinCEN's authorized access program for financial institutions remains in rollout as of mid-2026.

CheckFile supports over 3,200 document types across 32 jurisdictions for KYC workflows on crowdfunding platforms, enabling platforms to verify US and international investors and issuers through a single integration.

---

Investor Eligibility and Non-Accredited Investor Limits

One of the defining features of Reg CF is that it opens securities investments to non-accredited investors — ordinary retail investors who do not meet the SEC's income or net worth thresholds for accredited investor status. However, to protect retail investors from overexposure, Reg CF caps the amount a non-accredited investor can invest across all Reg CF offerings in any 12-month period.

The current limits (as of the 2021 SEC amendments) work as follows:

• If an investor's annual income and net worth are both below $124,000: the maximum investment is the greater of $2,500 or 5% of the lesser of annual income or net worth.
• If an investor's annual income or net worth is $124,000 or more: the maximum investment is 10% of the lesser of annual income or net worth, capped at $124,000 across all Reg CF investments in a 12-month period.

These limits are aggregate — they apply to the investor's total Reg CF investments across all platforms, not per platform. Platforms are required to communicate these limits clearly but are permitted to rely on investor self-certification of their income and net worth under Reg CF. This is a meaningfully lighter burden than the EU's ECSP framework, which requires more active suitability assessments.

For accredited investors, the limits do not apply under Reg CF. However, under Rule 506(b), platforms may accept up to 35 non-accredited investors (who must be sophisticated); under Rule 506(c), all investors must be verified as accredited. Accredited investor verification under 506(c) requires actual documentary evidence — tax returns, W-2s, bank statements, or a letter from a licensed professional — not merely self-certification.

Platforms should also be aware that operating as a Reg CF funding portal does not make a platform an investment adviser under the Investment Advisers Act of 1940. However, some state securities laws may impose investment adviser registration requirements on platforms that provide certain guidance or recommendations to investors, and state-by-state analysis is essential.

---

KYB: Verifying Business Issuers

For equity crowdfunding platforms, Know Your Business (KYB) — verifying the companies raising capital on the platform — is as important as investor KYC. Issuers raising capital under Reg CF must file Form C with the SEC through EDGAR, disclosing financial statements, use of proceeds, officer and director information, and beneficial ownership data. Platforms are required to review these filings as part of their issuer onboarding process.

Beyond Form C review, platforms should conduct their own issuer due diligence:

• Beneficial ownership verification: Under the FinCEN CDD Rule (31 CFR 1010.230), platforms that are covered financial institutions must identify any person owning 25%+ of the issuer and one control person. The Corporate Transparency Act reinforces this: as of January 2024, most US entities must file BOI reports with FinCEN identifying beneficial owners.
• State incorporation documents: Issuers should provide Articles of Incorporation (for corporations) or Articles of Organization (for LLCs), filed with the Secretary of State in the state of formation. Unlike the UK's Companies House, there is no single national US corporate registry — each state maintains its own.
• EIN confirmation: The Employer Identification Number (EIN), issued by the IRS, is the US equivalent of a company tax number. Platforms should obtain the IRS Form CP 575 (EIN confirmation letter) to verify the issuer's tax identity.
• Good standing certificate: A certificate of good standing from the Secretary of State confirms the entity is validly formed and in compliance with state filing requirements.
• Operating Agreement or Bylaws: These documents confirm the governance structure and identify signatories authorized to bind the entity.

Where FinCEN's BOI database becomes available through authorized financial institution access, platforms will be able to cross-reference issuer declarations against FinCEN records directly. Until broad access is established, issuer-provided BOI certifications and state formation documents remain the primary verification tools.

Explore CheckFile's verification solutions for automated KYB workflows tailored to financial platforms.

---

AML: Bank Secrecy Act, PATRIOT Act, and FinCEN SARs

The Bank Secrecy Act, as amended by the USA PATRIOT Act of 2001, is the backbone of US AML compliance. For broker-dealers — including crowdfunding platforms registered as broker-dealers — a written AML program is required under 31 CFR 1023.210. The four pillars of a BSA-compliant AML program are:

1. Written policies and procedures reasonably designed to achieve compliance with BSA requirements
2. Designated compliance officer responsible for day-to-day AML oversight
3. Ongoing employee training on AML obligations and red flags
4. Independent testing (audit) of the AML program at regular intervals

Funding portals that are not registered broker-dealers are not formally subject to 31 CFR 1023.210, but FINRA's rules for funding portals require AML programs that include the same core elements. FINRA examinations assess whether funding portal AML programs are adequate, and deficiencies can result in sanctions.

OFAC Screening is a mandatory, non-negotiable obligation for all US persons and entities, regardless of entity type. Platforms must screen all investors, issuers, and relevant beneficial owners against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list and applicable sectoral sanctions lists before onboarding and on an ongoing basis. Violations of OFAC sanctions can result in civil monetary penalties and, in egregious cases, criminal prosecution — there is no good-faith safe harbor for sanctions violations the way there is for some BSA filings.

Suspicious Activity Reports (SARs) must be filed with FinCEN via the BSA E-Filing system at https://www.fincen.gov/ within 30 days of detecting suspicious activity involving $5,000 or more (for broker-dealers). Common SAR triggers on crowdfunding platforms include:

• Structured transactions designed to stay below reporting thresholds
• Investors or issuers with no apparent lawful source of funds
• Transactions inconsistent with the investor's stated investment purpose or risk profile
• OFAC SDN list matches or connections to sanctioned jurisdictions
• Unusual patterns of account creation, investment, or withdrawal activity

The BSA's tipping-off prohibition is critical: once a SAR is filed or is being contemplated, the platform must not alert the subject of the report. Internal escalation procedures must ensure that frontline staff know not to disclose SAR activity to customers.

Currency Transaction Reports (CTRs) apply to cash transactions exceeding $10,000. For online crowdfunding platforms processing electronic payments, CTRs are rarely triggered — but platforms that accept any form of cash or cash equivalents must have CTR procedures in place.

AML programs must be reviewed and updated at least annually, with more frequent updates when regulations change or the platform expands its product or geographic footprint.

---

CCPA and Data Privacy for US Crowdfunding Platforms

Unlike the EU's General Data Protection Regulation (GDPR), the United States has no single federal privacy law governing how private companies handle consumer data. Instead, platforms must navigate a growing patchwork of state laws alongside federal financial privacy requirements.

Gramm-Leach-Bliley Act (GLB Act): The primary federal privacy law applicable to financial institutions — including registered broker-dealers and funding portals — the GLB Act requires covered entities to provide customers with an annual privacy notice explaining what data is collected, how it is shared, and customers' opt-out rights. The GLB Act's Safeguards Rule (enforced by the FTC at 16 CFR Part 314, with significant updates effective 2023) requires non-bank financial institutions to implement a comprehensive information security program that includes:

• A designated qualified individual (information security officer) responsible for the security program
• Risk assessments covering data storage, processing, and transmission
• Encryption of customer information in transit and at rest
• Access controls, multi-factor authentication, and penetration testing

California Consumer Privacy Act (CCPA) and CPRA: For platforms with significant California user bases, the CCPA (as amended by the California Privacy Rights Act) imposes data subject rights including access, deletion, correction, and portability. The law applies to for-profit businesses that process data of California residents and meet at least one of: $25 million or more in annual gross revenue; processing data of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling consumer personal information.

Data retention: The BSA requires covered financial institutions to retain CIP records for five years after account closure. SEC rules require broker-dealers to retain most records for six years. Platforms must align their data retention schedules with both sets of requirements and ensure that deletion requests under state privacy laws do not conflict with mandatory retention obligations — BSA and SEC retention requirements generally override CCPA deletion requests for regulated records.

For more on how CheckFile handles data security and retention, see our security page and pricing for fintechs.

---

Automating Compliance for US Crowdfunding Platforms

Manual KYC and AML workflows are increasingly untenable as crowdfunding platforms scale. A platform processing thousands of investor onboardings and dozens of issuer raises per year needs automated document verification, real-time sanctions screening, and audit-ready record-keeping to meet BSA, FINRA, and SEC expectations without unsustainable operational overhead.

CheckFile's API enables crowdfunding platforms to automate KYC document collection and verification across more than 3,200 document types in 32 jurisdictions — covering US domestic investors and issuers as well as international participants. Automated OFAC and sanctions screening, beneficial ownership capture, and SAR workflow support reduce the time and cost of compliance while improving consistency and auditability.

For a practical framework on structuring your due diligence process by investor and issuer type, see our due diligence checklist by sector.

---

Frequently Asked Questions

Does a US crowdfunding platform need to comply with both the BSA and SEC rules?

Yes. Crowdfunding platforms that register as funding portals with FINRA under Reg CF must comply with FINRA's AML program rules, which are grounded in the BSA. Platforms that register as broker-dealers face the full BSA/FinCEN AML program requirements under 31 CFR 1023.210. In both cases, OFAC screening is mandatory as a matter of US sanctions law regardless of entity type.

What documents are required for KYC of an individual investor under US Reg CF?

Under SEC Reg CF, platforms may rely on investor self-certification of eligibility (income and net worth), reducing the KYC burden for investor onboarding. However, for CIP purposes (if the platform is a registered broker-dealer or follows best practices), platforms must collect: full legal name, date of birth, residential address, and SSN or ITIN. Acceptable identity documents include: US passport, state driver's license, or state-issued photo ID. Electronic verification is accepted.

What is the investor annual investment limit under Reg CF?

For non-accredited investors: if both annual income and net worth are below $124,000, the maximum is the greater of $2,500 or 5% of the lesser of annual income or net worth. If either annual income or net worth is $124,000 or more, the maximum is 10% of the lesser of annual income or net worth, up to $124,000 across all Reg CF investments in a 12-month period. These limits apply per investor across all Reg CF platforms combined, not per platform.

When must a US crowdfunding platform file a SAR with FinCEN?

A Suspicious Activity Report (SAR) must be filed with FinCEN via the BSA E-Filing system within 30 days of detecting suspicious activity involving $5,000 or more (or $2,000 for money service businesses). Common triggers include: structuring transactions to avoid reporting thresholds, users with no apparent lawful source of funds, transactions inconsistent with stated investment purposes, or OFAC sanctions matches. The tipping-off prohibition under BSA means the customer must not be alerted.

How does the Corporate Transparency Act (CTA) affect crowdfunding issuer verification?

The Corporate Transparency Act (effective January 1, 2024) requires most US corporations, LLCs, and similar entities to file Beneficial Ownership Information (BOI) reports with FinCEN identifying any individual who owns 25%+ or exercises substantial control. Crowdfunding platforms performing KYB can leverage FinCEN's BOI database (when available via authorized access) to cross-check issuer beneficial ownership declarations. Until database access is broadly available, platforms should require BOI certification from issuers and cross-verify with state formation documents.

---

Regulatory information in this article is based on rules in force as of June 2026. Check FinCEN, the SEC, and FINRA regularly for updates to crowdfunding rules and AML guidance.