KYC for Payment Service Providers in the USA: BSA, FinCEN and State Rules 2026

Payment service providers (PSPs) operating in the United States must navigate a dual federal and state regulatory structure for Know Your Customer (KYC) and anti-money laundering (AML) compliance. At the federal level, the Bank Secrecy Act (BSA), 31 USC §§ 5311–5336, enforced by the Financial Crimes Enforcement Network (FinCEN), is the primary framework. PSPs that qualify as Money Services Businesses (MSBs) must register with FinCEN, implement a written AML program, conduct Customer Due Diligence (CDD), file Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs), and maintain records for five years. At the state level, money transmission is separately licensed in most states, creating a complex multi-jurisdictional compliance environment.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for your specific situation.

Which PSPs Are Subject to KYC Requirements in the USA?

Under 31 CFR Part 1010.100, Money Services Businesses include:

MSBs that transmit more than $1,000 in currency, funds, or value in any form through any one transaction for any one person on any one day must register with FinCEN under 31 CFR § 1022.380. Registration must be renewed every two years. Failure to register is a federal crime under 18 USC § 1960.

Depository institutions (national banks, state banks, savings associations) are not classified as MSBs but are subject to equivalent BSA/AML requirements enforced by their prudential regulators (OCC, Fed, FDIC, NCUA).

State money transmitter licenses are separate from FinCEN MSB registration. As of 2026, 49 states plus the District of Columbia require money transmitter licenses for PSPs transmitting funds on behalf of others. The Nationwide Multistate Licensing System (NMLS) facilitates multi-state licensing.

The Regulatory Framework: BSA, FinCEN CDD Rule, and OFAC

Bank Secrecy Act (BSA) / 31 USC §§ 5311–5336 The BSA requires MSBs to establish and implement an AML program with four minimum components: (1) policies, procedures, and controls; (2) designation of a compliance officer; (3) ongoing training; and (4) independent testing. Source: BSA program requirements, fincen.gov

FinCEN Customer Due Diligence (CDD) Final Rule (31 CFR § 1010.230) FinCEN finalized CDD rules requiring covered financial institutions — including certain PSPs — to identify and verify beneficial owners of legal entity customers. The rule requires collecting beneficial owner information at account opening. As of 2026, there is no ongoing duty to re-verify beneficial ownership information, but institutions must update their records when they detect changes. Source: FinCEN CDD Final Rule

Corporate Transparency Act (CTA) 2021 The CTA, implemented through FinCEN's Beneficial Ownership Information (BOI) reporting rule (31 CFR Part 1010), requires certain legal entities to report their beneficial owners to FinCEN's BOI database. PSPs should cross-reference this database when onboarding business customers. Source: FinCEN BOI reporting, fincen.gov

OFAC Sanctions Compliance All US PSPs must screen customers and transactions against Office of Foreign Assets Control (OFAC) sanctions lists — the Specially Designated Nationals (SDN) list and country-based restrictions. There is no de minimis exception for OFAC screening — a single prohibited transaction can result in civil penalties of up to $1,423,284 per violation (2025 adjusted figure) or criminal penalties up to $1 million. Source: OFAC, treasury.gov

For an overview of sanctions screening best practices, see our sanctions screening compliance guide.

CDD Requirements for US PSPs: What FinCEN Expects

Customer Identification Program (CIP)

Under 31 CFR § 1020.220 and equivalent MSB rules, PSPs must implement a Customer Identification Program (CIP) that, at a minimum, collects and verifies:

For individual customers:

• Legal name
• Date of birth
• Address (residential, or business address for legal entities)
• Identification number: Social Security Number (SSN) for US citizens, Individual Taxpayer Identification Number (ITIN) for resident aliens, or passport number for non-resident aliens

For legal entity customers:

• Legal name, address, and EIN (Employer Identification Number)
• Identity of the beneficial owners (under the CDD Rule): natural persons who own 25% or more of equity interests, and a single "control prong" individual with significant management responsibility

Verification methods for individuals must include reviewing either a government-issued photo ID (US driver's license, US passport, state ID) or other documentary or non-documentary methods sufficient to establish identity.

Enhanced Due Diligence Triggers in the US

While the US does not use the EU term "Enhanced Due Diligence" in statute, comparable heightened scrutiny is required for:

Ongoing Transaction Monitoring

US PSPs must continuously monitor transactions to detect suspicious activity. The FinCEN SAR rule (31 CFR § 1022.320) requires MSBs to file a SAR when they know, suspect, or have reason to suspect a transaction involves:

• Funds derived from illegal activity
• Transaction designed to evade reporting requirements
• Transaction with no lawful purpose

State Money Transmitter Licensing

Unlike the EU's single PSD2/PSR authorization regime, the US requires state-by-state money transmitter licenses (MTLs). As of 2026:

• 49 states + DC require MTLs for money transmission (Montana exempts MTL for some activities)
• Each state has its own application, net worth requirements, surety bond requirements, and examination schedule
• License costs range from hundreds to tens of thousands of dollars per state
• New York BitLicense (23 NYCRR 200) applies specifically to virtual currency businesses and imposes additional AML requirements

The Money Transmission Modernization Act (MTMA) — proposed model legislation supported by CSBS (Conference of State Bank Supervisors) — aims to harmonize state MTL requirements, but full adoption across states remains in progress as of 2026.

CTR and SAR Filing: Key Federal Reporting Obligations

Currency Transaction Reports (CTRs) PSPs must file a CTR with FinCEN within 15 days of a transaction involving more than $10,000 in cash (31 CFR § 1022.310). Multiple transactions by the same person in the same business day are aggregated. Structuring — breaking transactions into smaller amounts to avoid the $10,000 threshold — is a federal crime under 31 USC § 5324.

Suspicious Activity Reports (SARs) SARs must be filed within 30 days of discovering suspicious activity, with a 60-day extension permitted when the suspect is unknown. Once a SAR is filed, the MSB is prohibited from disclosing the SAR or its contents to the subject of the report ("safe harbor" and "no tipping off" under 31 USC § 5318(g)).

Source: FinCEN SAR reporting guidance

FinCEN Enforcement: Penalties for Non-Compliance

FinCEN can assess civil money penalties (CMPs) under 31 USC § 5321:

• Willful violations: up to $250,000 per violation, or the greater of $100,000 or twice the amount of the transaction
• Failure to implement AML program: up to $1,000 per day per violation
• Criminal penalties (18 USC § 1960): up to $250,000 fine and/or 5 years imprisonment for operating an unlicensed MSB
• OFAC violations: up to $1,423,284 per violation (2025 inflation-adjusted)

Automating KYC for US Payment Service Providers

Automated document verification is essential for US PSPs processing high volumes of customer onboarding. CheckFile offers a compliant solution for US KYC requirements:

• Verification of US passports, state driver's licenses, and state IDs against FinCEN CIP requirements
• Automated SSN validation workflow integration with Social Security Administration confirmation pathways
• OFAC sanctions screening integration
• Document fraud detection including detection of AI-generated identity documents
• BSA-compliant audit trails retained for five years

To strengthen your risk-based approach to AML customer segmentation, CheckFile assigns risk indicators to each verified profile. See our pricing guide for API access options.

For a comprehensive framework, see our document compliance guide.

Frequently Asked Questions

Does every payment company in the US need to register with FinCEN?

Not every payment company qualifies as an MSB. If your PSP transmits less than $1,000 per person per day, you may fall below the registration threshold. However, state licensing obligations may still apply. Companies that process card-present transactions as payment facilitators typically are not MSBs but may have other compliance obligations.

How does the CTA affect PSP customer onboarding?

The Corporate Transparency Act requires many US companies to report their beneficial owners to FinCEN's BOI database. As a PSP, you should cross-check your business customer onboarding against FinCEN's BOI database once it is publicly accessible — expected in late 2026 — to verify the beneficial ownership information provided by customers.

What is the difference between a money transmitter license and FinCEN MSB registration?

They are separate and both may be required. FinCEN MSB registration is a federal requirement under the BSA. State MTLs are state-level licenses required in each state where you transmit money. Operating without either (when required) is a criminal offense.

Are fintech payment apps subject to the same AML rules as banks?

Fintech apps that qualify as money transmitters are subject to BSA/AML requirements via FinCEN's MSB rules, which differ somewhat from bank-specific rules but require the same core components: a written AML program, CDD, CTR/SAR filing, and OFAC screening.

What should PSPs do about structuring by customers?

PSPs must monitor for and report structuring (breaking up transactions to stay under the $10,000 CTR threshold). A SAR must be filed if structuring is detected. Employees who structure transactions can be subject to criminal prosecution; PSPs have an obligation to train staff and implement system controls to detect this pattern.