Bank Secrecy Act (BSA): Requirements & Compliance Guide
The Bank Secrecy Act is the foundation of U.S. anti-money laundering law. Learn about BSA requirements, reporting obligations, and how to build a compliant program.
For Informational Purposes Only. The articles, guides, and analyses published on this blog are provided by the LexFlag team and guest contributors for educational and informational purposes. They do not constitute legal, regulatory, or professional advice.
AI-Generated Content. Some articles may be partially or fully generated or assisted by artificial intelligence. While we strive for accuracy, errors or outdated information may remain.
Independent Verification Required. You must independently verify any information obtained from this blog before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on blog content.
The Bank Secrecy Act (BSA), enacted in 1970, is the primary U.S. law governing anti-money laundering (AML) compliance. Officially known as the Currency and Foreign Transactions Reporting Act, the BSA requires financial institutions to assist government agencies in detecting and preventing money laundering by maintaining certain records and filing specific reports.
The BSA is enforced primarily by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. FinCEN works in coordination with federal banking regulators, the Internal Revenue Service, and law enforcement agencies to ensure compliance. Violations can result in severe civil and criminal penalties, including fines of up to 500,000 dollars per violation and imprisonment.
Key Requirements of the Bank Secrecy Act
Currency Transaction Reports (CTRs)
Financial institutions must file a Currency Transaction Report for any cash transaction exceeding 10,000 dollars in a single business day. This includes deposits, withdrawals, exchanges, and other transfers of currency. Multiple cash transactions by or on behalf of the same person that aggregate to more than 10,000 dollars in a day must also be reported. CTRs are filed electronically with FinCEN and provide law enforcement with a record of significant cash movements.
Suspicious Activity Reports (SARs)
Financial institutions must file a Suspicious Activity Report when they detect a transaction or pattern of transactions that they know, suspect, or have reason to suspect involves funds from illegal activity, is designed to evade BSA reporting requirements, has no apparent lawful purpose, or involves the use of the institution to facilitate criminal activity. SARs must be filed within 30 days of the initial detection of the suspicious activity. The institution must maintain confidentiality and cannot disclose to the subject of the SAR that a report has been filed.
Customer Identification Program (CIP)
The BSA, as amended by the USA PATRIOT Act, requires financial institutions to establish a Customer Identification Program. The CIP must include procedures for verifying the identity of any person seeking to open an account, maintaining records of the information used to verify identity, and determining whether the person appears on any list of known or suspected terrorists or terrorist organizations.
Recordkeeping Requirements
Financial institutions must maintain records of certain transactions including wire transfers of 3,000 dollars or more, purchases of monetary instruments (money orders, cashier's checks) between 3,000 and 10,000 dollars, and other transactions as specified by regulation. Records must be retained for five years and be available for examination by regulators and law enforcement.
AML Program Requirements
Every covered financial institution must establish and maintain a written AML program that includes at minimum internal policies, procedures, and controls designed to ensure compliance, designation of a BSA officer responsible for day-to-day compliance, an ongoing employee training program, and independent testing (audit) of the program.
Who Must Comply With the BSA?
The BSA applies broadly to financial institutions, which FinCEN defines to include banks, credit unions, and savings associations, broker-dealers and securities firms, mutual funds, insurance companies, money services businesses (MSBs) including money transmitters, check cashers, and dealers in foreign exchange, casinos and card clubs, dealers in precious metals and stones, and housing government-sponsored enterprises.
The scope continues to expand. Recent regulatory developments have extended BSA obligations to investment advisers and are increasing scrutiny of virtual asset service providers including cryptocurrency exchanges.
The Role of FinCEN
The Financial Crimes Enforcement Network serves as the administrator of the BSA. FinCEN's responsibilities include collecting, analyzing, and disseminating financial intelligence from BSA reports, issuing regulations that implement the BSA's requirements, imposing civil penalties for violations, and supporting law enforcement investigations through financial intelligence.
FinCEN maintains the BSA E-Filing System through which institutions submit CTRs, SARs, and other required reports. The data collected through these filings forms a critical resource for law enforcement. FinCEN reports indicate that SARs have contributed to thousands of criminal investigations and convictions.
Evolution of the BSA
The BSA has been amended and expanded significantly since its original enactment. The Money Laundering Control Act of 1986 made money laundering a federal crime. The USA PATRIOT Act of 2001 strengthened customer identification requirements, expanded the definition of financial institution, and introduced enhanced due diligence requirements for correspondent and private banking accounts. The Anti-Money Laundering Act of 2020 (AMLA), part of the National Defense Authorization Act, represented the most significant update to the BSA in two decades. AMLA established FinCEN as the lead agency for a national AML strategy, expanded whistleblower protections, required the creation of a beneficial ownership reporting framework (the Corporate Transparency Act), and modernized the regulatory approach to reflect evolving threats.
Building a BSA Compliance Program
Risk Assessment
A BSA compliance program begins with a comprehensive risk assessment that identifies and evaluates the money laundering and terrorist financing risks specific to the institution. The risk assessment should consider the institution's products and services, customer types, geographic locations served, transaction types and volumes, and delivery channels.
Policies and Procedures
Written policies and procedures translate the risk assessment into actionable controls. They should address each BSA requirement, define roles and responsibilities, establish escalation paths, and be updated whenever risks, regulations, or business activities change.
BSA Officer
The institution must designate a qualified individual as the BSA officer (also called the compliance officer) with day-to-day responsibility for the program. The BSA officer should have sufficient authority, resources, and access to information to carry out their responsibilities effectively. They should report directly to the board of directors or a board-level committee.
Training
All relevant employees must receive BSA/AML training tailored to their roles. Front-line staff need training on how to identify and report suspicious activity. Compliance staff need detailed training on regulatory requirements, investigation procedures, and emerging threats. The board and senior management should receive training on their oversight responsibilities. Training should be conducted at least annually and whenever significant regulatory changes occur.
Independent Testing
The independent test, conducted at least every 12 to 18 months, provides assurance that the program is functioning as designed. It should cover all components of the program, test samples of transactions and customer files, and result in documented findings and recommendations.
Board Oversight
The board of directors is ultimately responsible for the institution's BSA compliance. The board must approve the BSA/AML program, receive regular reports on its effectiveness, ensure adequate resources are allocated, and oversee remediation of identified deficiencies.
Consequences of Non-Compliance
BSA violations can result in civil money penalties of up to 500,000 dollars per violation, criminal penalties including imprisonment for willful violations, cease and desist orders, formal enforcement actions and consent orders, and significant reputational damage.
Recent enforcement trends show that regulators are imposing increasingly large penalties and holding individual officers personally accountable for compliance failures. Several institutions have faced penalties exceeding hundreds of millions of dollars for systemic BSA deficiencies.
Frequently Asked Questions
What is the Bank Secrecy Act?
The Bank Secrecy Act is the primary U.S. anti-money laundering law. It requires financial institutions to maintain records of certain transactions, file Currency Transaction Reports and Suspicious Activity Reports, and maintain comprehensive AML compliance programs.
What is the difference between a CTR and a SAR?
A CTR is filed automatically for cash transactions exceeding 10,000 dollars; it is a reporting obligation triggered by a specific threshold. A SAR is filed when the institution identifies suspicious activity regardless of the dollar amount; it requires judgment and analysis to determine that the activity is potentially illicit.
What is FinCEN?
FinCEN, the Financial Crimes Enforcement Network, is a bureau of the U.S. Department of the Treasury that administers the BSA. It collects and analyzes financial intelligence, issues regulations, and enforces compliance. FinCEN serves as the U.S. financial intelligence unit.
Who is the BSA officer?
The BSA officer is the individual designated by the institution to have day-to-day responsibility for BSA/AML compliance. They oversee the compliance program, ensure regulatory requirements are met, and serve as the primary point of contact for regulators and law enforcement on BSA matters.
Does the BSA apply to cryptocurrency?
Yes. FinCEN has clarified that businesses engaged in money transmission involving convertible virtual currency are money services businesses subject to BSA requirements. This includes cryptocurrency exchanges, certain wallet providers, and other virtual asset service providers. They must register with FinCEN, implement AML programs, and file CTRs and SARs as applicable.