Operating a business in the United States requires compliance with a layered regulatory framework that spans federal, state, and local jurisdictions. Unlike countries with centralized business regulation, the US system distributes authority across multiple levels of government, with different agencies responsible for different aspects of business operations. A small business selling products online may need to comply with FTC advertising rules, state consumer protection laws, sales tax requirements in multiple states, FinCEN beneficial ownership reporting, OSHA workplace safety standards, and local business licensing requirements -- simultaneously.
The consequences of non-compliance range from modest fines for late filings to criminal prosecution for willful violations. The Corporate Transparency Act's Beneficial Ownership Information (BOI) reporting requirement, which took effect in recent years, added a significant new federal compliance obligation that applies to virtually every LLC and corporation in the country. Employment law violations can result in class action lawsuits, and data privacy failures can trigger enforcement actions from the FTC and state attorneys general.
This guide provides a comprehensive overview of the major compliance requirements that US businesses face at the federal, state, and local level. It covers business registration, BOI reporting, employment law basics, workplace safety, disability compliance, consumer protection, data privacy, and industry-specific regulations.
Federal Business Registration Requirements
Employer Identification Number (EIN)
Every business with employees, or any LLC with more than one member, must obtain an EIN from the IRS. Even single-member LLCs without employees should obtain an EIN because banks typically require one to open a business bank account, and it avoids using your personal Social Security Number on business documents.
The EIN is free and can be obtained online at irs.gov. See our company registration guide for details on the application process.
Beneficial Ownership Information (BOI) Reporting
The Corporate Transparency Act (CTA) requires most companies to report their beneficial owners to the Financial Crimes Enforcement Network (FinCEN). This is one of the most significant new compliance requirements for US businesses.
| Requirement | Details |
|---|---|
| Who must file | Most LLCs, corporations, and similar entities |
| What is reported | Beneficial owners (25%+ ownership or substantial control) |
| Information required | Full legal name, date of birth, address, ID number, image of ID |
| New companies | Must file within 90 days of formation (for companies formed in 2024+) |
| Existing companies | Must file by applicable deadline |
| Updates | Must be filed within 30 days of any change in beneficial ownership |
| Penalties | Up to $591/day civil penalty; up to $10,000 and 2 years imprisonment for willful violations |
Exempt Entities
Twenty-three categories of entities are exempt from BOI reporting, including:
- Large operating companies (20+ full-time US employees, $5M+ gross receipts, physical US office)
- Publicly traded companies
- Banks, credit unions, and other financial institutions already regulated
- Insurance companies
- Tax-exempt organizations (501(c) entities)
- Inactive entities (existed before 2020, no assets, no ownership changes, no money sent/received)
BOI reporting represents a fundamental shift in US business privacy. For the first time, the federal government requires the disclosure of the individuals behind LLCs and corporations. The information is not publicly available -- it is maintained in a secure FinCEN database accessible only to law enforcement, financial institutions (with consent), and certain regulatory agencies. Nevertheless, the reporting obligation and the severe penalties for non-compliance make this a critical compliance item for every qualifying business. If you are unsure whether your company must file, consult the FinCEN website or a legal professional.
State Registration Requirements
State of Formation
Every business entity must register with the secretary of state (or equivalent office) in the state where it is formed. This is done through the articles of organization (LLC) or articles of incorporation (corporation) filed during the formation process.
Foreign Qualification
If your business operates in any state other than its state of formation, it must "foreign qualify" in that state. This involves:
- Filing a certificate of authority or registration
- Appointing a registered agent in that state
- Paying the state's filing fee ($100 to $500 typically)
- Filing annual reports and paying applicable taxes in that state
Determining whether you need to foreign qualify depends on the state's definition of "doing business." Common triggers include having employees in the state, maintaining a physical office, regularly soliciting customers, or owning property.
Annual Reports
Most states require businesses to file annual or biennial reports to maintain their good standing. These reports update the state on basic information such as the company's address, registered agent, and management. Failure to file annual reports can result in administrative dissolution of the entity, which revokes its legal existence and liability protections.
Employment Law Compliance
If your business has employees, compliance with employment law becomes one of the most complex and important areas of regulation. Requirements vary based on the number of employees.
Federal Employment Law Thresholds
| Number of Employees | Federal Laws That Apply |
|---|---|
| 1+ | FLSA (wage and hour), EPPA (polygraph), IRCA (I-9 verification), USERRA (military leave), OSHA (safety) |
| 11+ | OSHA recordkeeping requirements |
| 15+ | Title VII (discrimination), ADA (disability), GINA (genetic information), Pregnant Workers Fairness Act |
| 20+ | ADEA (age discrimination), COBRA (health insurance continuation) |
| 50+ | FMLA (family and medical leave), ACA employer mandate (health insurance) |
| 100+ | WARN Act (plant closing/mass layoff notice), EEO-1 reporting |
Key Employment Obligations
Form I-9 Verification: Every employer must verify the identity and employment authorization of every employee hired. Form I-9 must be completed within three business days of the employee's start date. Employers must retain I-9 forms for three years after the date of hire or one year after the date of termination, whichever is later.
Wage and Hour Compliance: The Fair Labor Standards Act (FLSA) sets the federal minimum wage ($7.25/hour), overtime requirements (1.5x regular rate for hours over 40 per week), child labor restrictions, and recordkeeping requirements. Many states have higher minimum wages and additional requirements. See our detailed employment law guide for state-by-state wage information.
Anti-Discrimination: Title VII prohibits discrimination based on race, color, religion, sex (including sexual orientation and gender identity), and national origin. The ADA prohibits disability discrimination and requires reasonable accommodations. The ADEA protects employees aged 40 and older.
Workers Compensation: Almost all states require employers to carry workers compensation insurance. Requirements and rates vary by state and industry. See our employment law guide for details.
Employment law is the area where small businesses face the greatest liability risk. A single wrongful termination lawsuit can cost $50,000 to $500,000+ to defend, even if the employer prevails. Wage and hour class actions are among the most common types of employment litigation. Every business with employees should have a basic employee handbook, consistent documentation of employment decisions, and either an employment attorney on retainer or access to HR compliance resources. Prevention is far cheaper than litigation.
Workplace Safety (OSHA)
The Occupational Safety and Health Administration (OSHA) sets and enforces workplace safety standards for most private-sector employers. Key requirements include:
- Maintaining a safe workplace free from recognized hazards
- Complying with OSHA standards specific to your industry
- Providing required safety training
- Maintaining OSHA 300 logs (injury and illness records) for businesses with 11+ employees
- Displaying the OSHA "Job Safety and Health" poster
- Reporting workplace fatalities within 8 hours and hospitalizations within 24 hours
OSHA penalties for serious violations can reach $16,131 per violation (2024 rate, adjusted annually). Willful or repeated violations can reach $161,323 per violation. OSHA conducts both planned inspections (targeting high-hazard industries) and complaint-driven inspections.
Americans with Disabilities Act (ADA)
The ADA affects businesses in two primary ways:
Employment (Title I)
Employers with 15 or more employees must:
- Not discriminate against qualified individuals with disabilities
- Provide reasonable accommodations unless doing so creates undue hardship
- Keep medical information confidential
- Not make pre-employment inquiries about disabilities
Public Accommodations (Title III)
Businesses that serve the public must:
- Ensure physical facilities are accessible
- Provide auxiliary aids and services for effective communication
- Remove architectural barriers where readily achievable
- Comply with ADA standards for new construction and alterations
ADA compliance for websites and digital services is an evolving area. While there are no specific federal regulations for website accessibility, the DOJ has taken the position that websites of public accommodations must be accessible, and numerous lawsuits have been filed against businesses with inaccessible websites.
FTC Compliance
The Federal Trade Commission regulates advertising, marketing, and consumer protection at the federal level. Key requirements include:
Truth in Advertising: All advertising claims must be truthful, not deceptive, and substantiated by evidence. This includes claims on websites, social media, email marketing, and all other channels.
Endorsement Guidelines: If your business uses endorsements, testimonials, or influencer marketing, disclosures of material connections must be clear and conspicuous. Affiliates and influencers must disclose when they are compensated for reviews or recommendations.
CAN-SPAM Act: Commercial email must include a valid physical address, clear identification as an advertisement, and an opt-out mechanism that is honored within 10 business days.
Online Privacy: If your website collects personal information, you should have a privacy policy that accurately describes your data practices. The Children's Online Privacy Protection Act (COPPA) imposes additional requirements for websites that collect information from children under 13.
Data Privacy
The US does not have a single comprehensive federal data privacy law comparable to the EU's GDPR. Instead, data privacy is regulated through a combination of sector-specific federal laws and state laws.
| Law | Scope | Key Requirements |
|---|---|---|
| HIPAA | Healthcare data | Privacy and security standards for protected health information |
| GLBA | Financial data | Privacy of consumer financial information |
| FERPA | Education records | Privacy of student education records |
| COPPA | Children's data | Parental consent for collecting data from children under 13 |
| CCPA/CPRA (California) | Consumer data | Right to know, delete, opt out; applies to businesses meeting thresholds |
| CPA (Colorado) | Consumer data | Similar to CCPA with some differences |
| VCDPA (Virginia) | Consumer data | Consumer data protection rights |
State privacy laws are expanding rapidly. California's CCPA/CPRA is the most comprehensive and applies to businesses that meet any of these thresholds: $25 million+ annual revenue, handle data of 100,000+ consumers, or derive 50%+ of revenue from selling personal information.
If your business collects personal data from customers (which includes most businesses with a website), implementing a basic privacy program is prudent regardless of whether you are currently subject to specific privacy laws. The landscape is changing rapidly, and proactive compliance is far less expensive than reactive remediation after a data breach or enforcement action. At minimum, maintain a privacy policy, implement reasonable data security measures, and limit data collection to what is necessary for your business operations.
Industry-Specific Regulations
Certain industries face additional regulatory requirements:
| Industry | Key Regulatory Bodies | Major Requirements |
|---|---|---|
| Food and beverage | FDA, state health departments | Food safety plans, labeling, permits |
| Financial services | SEC, FINRA, state regulators | Licensing, reporting, fiduciary duties |
| Healthcare | HHS, CMS, state medical boards | HIPAA, licensing, billing compliance |
| Real estate | State real estate commissions | Licensing, disclosure requirements |
| Transportation | DOT, FMCSA | CDL requirements, hours of service, insurance |
| Alcohol | TTB, state ABC agencies | Federal and state permits, distribution laws |
| Cannabis | State-level only (federal prohibition) | State licensing, seed-to-sale tracking |
| Construction | OSHA, state licensing boards | Contractor licensing, safety standards |
Compliance Calendar
Maintaining compliance requires tracking multiple deadlines throughout the year:
| Month | Requirement | Applies To |
|---|---|---|
| January 31 | W-2s to employees, 1099s to contractors | All employers/payers |
| March 15 | S-Corp and partnership tax returns due | S-Corps, partnerships |
| April 15 | C-Corp tax returns due, Q1 estimated taxes | C-Corps, all entities |
| April (varies) | Annual report filings (varies by state) | All entities |
| June 15 | Q2 estimated taxes | All entities |
| July 31 | Form 5500 (retirement plan annual report) | Employers with retirement plans |
| September 15 | Q3 estimated taxes | All entities |
| December 15 | Q4 estimated taxes (C-Corps) | C-Corps |
For comprehensive tax compliance information, see our corporate tax guide and sales tax guide. For intellectual property protection requirements, see our IP protection guide.
Entrepreneurs comparing US compliance requirements with other jurisdictions should review our compliance guides for the United Kingdom, Singapore, and UAE/Dubai.
Frequently Asked Questions
What is BOI reporting and who needs to file?
Beneficial Ownership Information (BOI) reporting is a federal requirement under the Corporate Transparency Act administered by FinCEN. Most LLCs, corporations, and similar entities must report their beneficial owners -- individuals who own 25% or more or exercise substantial control. Existing companies must file by the applicable deadline, and new companies must file within 90 days of formation. Certain large companies and regulated entities are exempt.
Do I need a business license to operate in the USA?
There is no single federal business license. Requirements vary by state, county, and city. Most businesses need at least a state business license or registration, and many require local permits. Regulated industries such as food service, healthcare, construction, and financial services require additional professional licenses. Some states like Wyoming have minimal licensing requirements, while others like California have extensive requirements.
What are the main federal compliance requirements for employers?
Employers must comply with multiple federal laws including: FLSA (minimum wage and overtime), FMLA (family and medical leave for 50+ employees), ADA (disability accommodations for 15+ employees), Title VII (anti-discrimination for 15+ employees), OSHA (workplace safety), EEOC regulations, I-9 employment verification, and various tax withholding and reporting requirements. Requirements often scale based on employee count.
What is the penalty for not filing BOI reports?
Failure to file BOI reports can result in civil penalties of up to \(591 per day (adjusted annually for inflation) and criminal penalties of up to \)10,000 and two years imprisonment for willful violations. Providing false information carries the same penalties. These penalties apply to the individual responsible for filing, not just the company.