KYC Compliance Checklist 2026: 25 Steps Every US Business Must Follow
Use this 25-point KYC compliance checklist to benchmark your program against 2026 BSA, FinCEN and OFAC expectations before the next regulatory exam.
A KYC compliance checklist is the fastest way to find the gaps an examiner will find first. In 2026, US regulators are aligning expectations across FinCEN, the OCC, the FDIC, state banking departments and NYDFS — and they expect every covered business to demonstrate a written, risk-based and tested Know Your Customer program, not a vendor invoice.
This article walks through the 25 controls every US financial institution, crypto exchange, fintech, money services business, regulated marketplace and high-risk merchant should have documented, tested and evidenced. Use it as a pre-audit self-assessment, a new-hire onboarding doc or a board-level reporting framework.
Section 1: Written Program Foundations (Steps 1–5)
Start with the paperwork regulators always ask for first.
1. A written Customer Identification Program (CIP) approved by the board and reviewed annually.
2. A written AML policy that names a qualified BSA/AML Officer.
3. A documented risk assessment covering customers, products, geographies and channels.
4. An EDD policy that defines who is high risk and what additional steps apply.
5. A retention schedule that keeps KYC records for at least five years after account closure.
If any of these five documents are missing, undated or have not been refreshed in the last 12 months, you have a finding waiting to happen. Examiners open every exam with a documents request, and a stale policy file is the cheapest possible deficiency to cite.
Section 2: Customer Identification Program (Steps 6–10)
6. Collect the FinCEN four for every natural person — full legal name, date of birth, residential address and a government identifier such as SSN or ITIN.
7. Verify identity through documentary or non-documentary methods, and document which you used.
8. For non-US persons, accept a passport plus an additional identifier.
9. Run an OFAC SDN screen at onboarding and store the evidence.
10. Capture device, IP and geolocation telemetry to support fraud rules without violating privacy law.
Documentary vs. Non-Documentary
Documentary means a government ID plus selfie liveness. Non-documentary uses authoritative data sources such as credit bureaus, telcos and government databases. High-risk customers should always receive documentary verification.
Section 3: Customer Due Diligence and Beneficial Ownership (Steps 11–15)
11. For every legal-entity customer, identify and verify every beneficial owner with 25% or more ownership plus one control person.
12. Validate the entity itself against Secretary of State filings and the IRS EIN letter.
13. Cross-check the entity and every UBO against OFAC, UN, EU, UK HMT and PEP lists.
14. Capture expected account activity, source of funds and purpose of the relationship.
15. Apply Corporate Transparency Act reporting where applicable and reconcile your records against the FinCEN BOI database.
Section 4: Enhanced Due Diligence and High-Risk Reviews (Steps 16–20)
16. Trigger EDD automatically for PEPs, high-risk geographies, cash-intensive businesses, MSBs, gambling, crypto, defense, precious metals and shell-like structures.
17. Require documented source of funds and source of wealth evidence for high-risk customers.
18. Obtain senior management approval before opening or maintaining a high-risk relationship.
19. Set a shorter review cycle — annual rather than triennial — for the high-risk book.
20. Document adverse media findings and the disposition decision in the case file.
Section 5: Ongoing Monitoring, Testing and Training (Steps 21–25)
21. Run continuous sanctions and PEP rescreening at least daily against the full customer base.
22. Operate risk-tuned transaction monitoring with documented thresholds, alert triage SLAs and SAR filing workflows.
23. Schedule independent testing of the AML program at least every 12–18 months and remediate findings on a tracked plan.
24. Deliver role-based AML and KYC training to every employee annually with attestation.
25. Report key risk indicators — alert volumes, SAR counts, EDD backlog, false-positive rate — to the board on a quarterly cadence.
Putting the Checklist to Work
Print the 25 steps, assign each one to a named owner, attach evidence and rate maturity from 0 to 4. Anything scored below 3 becomes a remediation ticket with a due date. This single exercise typically surfaces three to five exam-ready findings within an hour and gives the BSA Officer a defensible roadmap to present to the board.
Key Takeaways
- A checklist is the cheapest pre-exam tool you have — use it quarterly.
- Most findings cluster in policy freshness, EDD documentation and independent testing.
- Continuous sanctions rescreening and beneficial ownership are 2026 hot buttons.
- Board reporting and training attestation close the loop examiners look for.
Frequently Asked Questions
How often should the KYC checklist be reviewed?
Quarterly at minimum, and after any material change in products, geographies, leadership or regulation.
Who should own the checklist?
The BSA/AML Officer owns the program, but each step should have a named operational owner with evidence attached.
Is a vendor SOC 2 report enough evidence?
No. SOC 2 covers vendor controls; you still need to evidence your own decisions, thresholds and reviews.
What is the most commonly missed step?
Independent testing on a fixed cadence with tracked remediation — examiners cite this constantly.
Does the checklist apply to crypto businesses?
Yes. FinCEN treats most crypto platforms as MSBs, and state regulators add their own KYC expectations.
Want us to grade your KYC program?
Our analysts will benchmark your controls against the 25-point checklist and deliver a prioritized remediation plan within five business days.