Bank Secrecy Act (BSA)
What Is the Bank Secrecy Act (BSA)?
The Bank Secrecy Act is the foundational anti-money laundering law in the United States. It's been on the books since 1970, which makes it older than most of the compliance professionals who enforce it. The law requires financial institutions to assist government agencies in detecting and preventing money laundering, terrorist financing, and other financial crimes.
At its core, the BSA is about creating paper trails. It established the framework for recordkeeping and reporting requirements that remain central to AML compliance today. When you file a CTR for a cash transaction over $10,000, that's the BSA. When you file a SAR because something looks wrong, that's the BSA. When you keep records of transactions and customer information, that's the BSA. These requirements create audit trails that help law enforcement track down criminals using the financial system.
The law started out focused on detecting unreported income and tax evasion, but its scope has expanded dramatically over the decades. The USA PATRIOT Act of 2001 was the big one, adding major new requirements in response to 9/11. Subsequent legislation has continued to strengthen the framework. Today, BSA compliance is a critical obligation for virtually every financial institution operating in the United States.
If you're in compliance, you need to understand the BSA because violations carry severe penalties. Civil fines can reach millions of dollars, and criminal prosecution is possible for willful violations. Regulators examine financial institutions regularly for BSA compliance, and deficiencies can result in enforcement actions, consent orders, and the kind of reputational damage that takes years to repair.
History and Evolution of the BSA
The Bank Secrecy Act has changed a lot since 1970. Understanding this history gives you context for why the requirements look the way they do today.
The Beginning: 1970
Congress enacted the BSA in response to concerns about criminals using secret foreign bank accounts to hide illegal income from U.S. tax authorities. The goal was straightforward: create documentation trails that would help law enforcement track illicit funds.
The original requirements included Currency Transaction Reports for cash transactions over $10,000, records of transactions over $10,000, reports of foreign bank accounts (now called FBARs), and microfilming of checks over $100. Compared to today's requirements, it was relatively simple.
Major Amendments
Money Laundering Control Act of 1986. This one made money laundering a federal crime in its own right, made structuring (splitting cash transactions to evade reporting) a crime, strengthened criminal penalties for BSA violations, and extended requirements beyond banks to other financial institutions.
Annunzio-Wylie Anti-Money Laundering Act of 1992. This act required Suspicious Activity Reports, strengthened civil and criminal penalties, and established what's sometimes called the "death penalty" provision for BSA violations.
Money Laundering Suppression Act of 1994. Required money services businesses to register with FinCEN, streamlined SAR reporting requirements, and enhanced penalties again.
USA PATRIOT Act of 2001. This was the big expansion. After 9/11, the PATRIOT Act dramatically increased BSA's scope. It required Customer Identification Programs, enhanced due diligence for correspondent accounts, prohibited accounts for foreign shell banks, created Section 314 information sharing provisions, and extended BSA coverage to many more financial institutions. The PATRIOT Act transformed BSA compliance from a relatively narrow focus on large cash transactions into the broad anti-money laundering and counter-terrorist financing framework it is today.
Customer Due Diligence Final Rule (2016). This rule required identification of beneficial owners for legal entities, formalized ongoing monitoring requirements, and strengthened CDD program requirements. It took effect in May 2018 and added what many consider a "fifth pillar" to BSA compliance.
Anti-Money Laundering Act of 2020 (AMLA). Enacted on January 1, 2021 as part of the National Defense Authorization Act, it is the most significant BSA reform since the PATRIOT Act. It established beneficial ownership reporting to FinCEN (the Corporate Transparency Act), modernized whistleblower protections, enhanced information sharing provisions, and required regulatory modernization and innovation. The effects of AMLA are still rolling out.
| Year | Development | Impact |
|---|---|---|
| 1970 | BSA enacted | Established basic reporting framework |
| 1986 | Money laundering criminalized | Created criminal penalties |
| 1992 | SAR requirement added | Enhanced suspicious activity detection |
| 1994 | MSB registration required | Extended coverage beyond banks |
| 2001 | PATRIOT Act | Major expansion post-9/11 |
| 2016 | CDD Rule finalized | Beneficial ownership requirements |
| 2021 | Anti-Money Laundering Act | Modernization and enhanced reporting |
What Is BSA/AML Compliance?
You'll see these terms used together constantly. BSA/AML compliance refers to the combined framework of requirements, policies, and procedures that financial institutions implement to meet Bank Secrecy Act obligations and prevent money laundering.
Understanding the Terminology
BSA compliance refers specifically to meeting the legal requirements of the Bank Secrecy Act and its implementing regulations. That means the reporting, the recordkeeping, and the program requirements that the law mandates.
AML compliance refers more broadly to anti-money laundering efforts. This includes BSA requirements plus additional controls designed to detect and prevent money laundering that may go beyond what the statute strictly requires.
BSA/AML compliance as a combined term recognizes that these two concepts are intertwined. Your compliance program addresses both the specific regulatory requirements under the BSA and the broader objective of preventing financial crime.
What Goes Into a BSA/AML Compliance Program
A BSA/AML program includes regulatory requirements like filing CTRs and SARs, maintaining required records, implementing Customer Identification Programs, conducting Customer Due Diligence, and screening against sanctions lists.
It also includes program infrastructure like written policies and procedures, a designated BSA Officer, employee training, independent testing, and risk assessment.
And it includes operational controls like transaction monitoring, alert investigation, case management, SAR decision-making, and audit and quality assurance.
The Risk-Based Approach
Regulators expect BSA/AML programs to be risk-based. That means your controls should be proportionate to the risks your institution actually faces. A community bank serving local customers has different risks than a correspondent bank handling international wire transfers. The controls should reflect those differences.
Risk categories to consider include customer risk (who are your customers, what do they do, where are they located), product risk (which of your products and services present higher risk), geographic risk (do you have exposure to high-risk jurisdictions), and transaction risk (what types and volumes of transactions do you process).
A risk-based approach means higher-risk areas get more intensive controls while lower-risk areas get appropriate but less intensive controls. You allocate resources based on your risk assessment. And you adjust the program as risks change over time.
Who Must Comply with the BSA?
The BSA applies to a wide range of financial institutions. Requirements vary based on what type of institution you are.
Covered Financial Institutions
Banks and Depository Institutions includes national banks, state member banks, state non-member banks, credit unions, savings associations, and branches and agencies of foreign banks.
Securities and Investment includes broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. Investment advisers have requirements pending.
Insurance includes companies offering certain products like life insurance and annuities.
Money Services Businesses includes money transmitters, currency exchangers, check cashers, issuers and sellers of money orders and traveler's checks, and prepaid access providers.
Gaming includes casinos and card clubs.
Other Financial Businesses includes dealers in precious metals, stones, or jewels; operators of credit card systems; loan or finance companies; and housing GSEs.
Primary Regulators
| Institution Type | Primary BSA Examiner |
|---|---|
| National banks | OCC |
| State member banks | Federal Reserve |
| State non-member banks | FDIC |
| Credit unions | NCUA |
| Broker-dealers | SEC/FINRA |
| MSBs | IRS (under FinCEN delegation) + state regulators |
| Casinos | IRS (under FinCEN delegation) + state gaming regulators |
Exemptions
There are exemptions from CTR filing for certain customer categories. Phase I exempt persons are other domestic banks, federal, state, and local government agencies, and companies listed on major U.S. stock exchanges (plus certain of their subsidiaries). A bank may exempt these customers' cash transactions from CTR filing, but exempting a customer never removes the obligation to file a SAR if their activity looks suspicious.
Phase II exemptions are discretionary and cover non-listed business customers and payroll customers that meet specific criteria (an account held for a minimum period, frequent large cash transactions, and a business not on the ineligible list). These exemptions must be documented and the eligibility reviewed at least annually. You can't just decide someone's exempt and forget about it.
BSA Reporting Requirements
Financial institutions must file several types of reports under the BSA. These reporting requirements are fundamental to the entire framework.
Currency Transaction Reports (CTRs)
A CTR is triggered by cash transactions of more than $10,000 in a single business day. "Cash" means currency and coin, not checks or wires. You must aggregate transactions across the business day, so multiple transactions by or on behalf of the same person count together when the institution has knowledge that they are by or for the same person. Cash in (deposits) and cash out (withdrawals) are totaled separately rather than netted; a CTR is required if either total exceeds $10,000.
Filing requirements: Use FinCEN Form 112 electronically. File within 15 calendar days of the transaction. Identify all parties to the transaction. Include customer identification information.
One important prohibition: structuring. It's illegal for anyone to structure transactions, or to help structure them, for the purpose of evading CTR filing. Structuring means breaking up cash transactions specifically to stay under the reporting threshold, in any amount, at one or more institutions, on one or more days. If you see a customer making multiple deposits of $9,500 across different branches, that is the classic structuring red flag: investigate it and, if the pattern holds up, report it on a SAR. Because the offense turns on intent to evade, the sub-threshold deposits are reportable even though no single one triggers a CTR.
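The two detection rules described above, same-day aggregation for CTRs and a sub-threshold pattern screen for structuring, are easy to get subtly wrong (netting cash in against cash out, keying on branch instead of customer). The following is an added example, not code from the original page or any regulator's tooling. The transaction records, the `CashTxn` field names, and the structuring heuristic's parameters (a $7,000 floor, a 7-day window, at least two transactions) are assumptions chosen for illustration; a real program would tune them from its risk assessment.

```python
"""Same-day cash aggregation for CTR filing plus a simple structuring screen."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# A CTR is required when aggregated cash-in OR cash-out for one person on one
# business day is MORE than $10,000. Cash-in and cash-out are totaled
# separately, never netted against each other.
CTR_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    business_day: date
    customer_id: str  # the person by or on whose behalf the cash moved
    branch: str
    direction: str    # "in" = deposit, "out" = withdrawal
    amount: Decimal


def aggregate_cash(txns):
    """Total cash-in and cash-out separately per (customer, business day)."""
    totals = defaultdict(lambda: {"in": Decimal("0"), "out": Decimal("0"), "txn_ids": []})
    for t in txns:
        bucket = totals[(t.customer_id, t.business_day)]
        bucket[t.direction] += t.amount
        bucket["txn_ids"].append(t.txn_id)
    return totals


def ctr_candidates(txns, threshold=CTR_THRESHOLD):
    """One record per (customer, day) whose cash-in or cash-out exceeds the threshold."""
    hits = []
    for (cust, day), agg in sorted(aggregate_cash(txns).items()):
        if agg["in"] > threshold or agg["out"] > threshold:
            hits.append({"customer_id": cust, "business_day": day,
                         "cash_in": agg["in"], "cash_out": agg["out"],
                         "txn_ids": sorted(agg["txn_ids"])})
    return hits


def structuring_alerts(txns, threshold=CTR_THRESHOLD, floor=Decimal("7000"),
                       window_days=7, min_count=2):
    """Heuristic screen (assumed parameters, not a regulatory rule): flag a customer
    who makes at least `min_count` same-direction cash transactions, each between
    `floor` and `threshold`, within `window_days`, whose total exceeds `threshold`.
    Branch is ignored on purpose so deposits split across branches are still caught.
    Structuring turns on intent, so a hit is a lead for investigation, not proof."""
    by_cust_dir = defaultdict(list)
    for t in txns:
        if floor <= t.amount <= threshold:
            by_cust_dir[(t.customer_id, t.direction)].append(t)

    alerts = []
    for (cust, direction), group in sorted(by_cust_dir.items()):
        group.sort(key=lambda t: (t.business_day, t.txn_id))
        i = 0
        while i < len(group):
            start = group[i]
            # group is date-sorted, so the window is a prefix of group[i:]
            window = [t for t in group[i:]
                      if (t.business_day - start.business_day) < timedelta(days=window_days)]
            total = sum(t.amount for t in window)
            if len(window) >= min_count and total > threshold:
                alerts.append({"customer_id": cust, "direction": direction,
                               "from": window[0].business_day, "to": window[-1].business_day,
                               "total": total,
                               "branches": sorted({t.branch for t in window}),
                               "txn_ids": [t.txn_id for t in window]})
                i += len(window)  # do not re-alert on the same transactions
            else:
                i += 1
    return alerts


# Constructed sample ledger (not real transactions): C100 crosses the threshold in
# one day, C200 stays under it every day but spreads $28,500 across three branches,
# C300 is unremarkable.
SAMPLE_TXNS = [
    CashTxn("t1", date(2024, 3, 4), "C100", "main", "in", Decimal("6000")),
    CashTxn("t2", date(2024, 3, 4), "C100", "north", "in", Decimal("4500")),
    CashTxn("t3", date(2024, 3, 4), "C100", "main", "out", Decimal("9000")),
    CashTxn("t4", date(2024, 3, 4), "C200", "main", "in", Decimal("9500")),
    CashTxn("t5", date(2024, 3, 5), "C200", "east", "in", Decimal("9500")),
    CashTxn("t6", date(2024, 3, 6), "C200", "west", "in", Decimal("9500")),
    CashTxn("t7", date(2024, 3, 4), "C300", "main", "in", Decimal("2500")),
    CashTxn("t8", date(2024, 3, 5), "C300", "main", "in", Decimal("300")),
]

if __name__ == "__main__":
    for hit in ctr_candidates(SAMPLE_TXNS):
        print("CTR required:", hit)
    for alert in structuring_alerts(SAMPLE_TXNS):
        print("Structuring alert:", alert)
```

Running it against the sample ledger yields exactly one CTR (C100, cash in $10,500, with the $9,000 cash out reported on the same form but not added to it) and one structuring alert (C200, three $9,500 deposits across three branches), which is the point: the customer who never trips the CTR rule is the one the structuring screen exists for.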
Suspicious Activity Reports (SARs)
SARs are different. They're triggered by known or suspected violations of law, or by suspicious transactions. The dollar thresholds vary by institution type:
| Institution Type | Threshold |
|---|---|
| Banks | $5,000+ with a suspect identified; $25,000+ regardless of suspect; any amount for insider abuse |
| MSBs | $2,000+ |
| Broker-dealers | $5,000+ |
| Casinos | $5,000+ |
When deciding whether to file, consider whether the activity involves funds from illegal activity, whether it's designed to evade BSA requirements, whether it lacks a business or lawful purpose, and whether it's inconsistent with the customer's profile.
Filing requirements: Use FinCEN Form 111 electronically. File within 30 calendar days of initial detection, extendable to 60 days when no suspect has been identified. Include all known information about the activity in a clear narrative. Continuing activity requires follow-up SARs on a 90-day review cycle.
SARs are confidential. You cannot tell the customer that a SAR has been filed. This confidentiality requirement is strict.
Report of Foreign Bank and Financial Accounts (FBAR)
FBARs must be filed by U.S. persons with financial interest in or signature authority over foreign financial accounts if the aggregate value exceeds $10,000 at any time during the year.
File FinCEN Form 114 electronically. It's due April 15, with an automatic extension to October 15. Report each foreign account. Penalties for non-filing are severe.
Currency and Monetary Instrument Report (CMIR)
CMIRs are triggered by physical transportation of currency or monetary instruments exceeding $10,000 into or out of the United States. File FinCEN Form 105 at the time of transport. The person physically transporting files the report.
BSA Recordkeeping Requirements
Beyond reporting, the BSA requires financial institutions to create and maintain specific records.
Transaction Records
For sales of monetary instruments (bank checks, cashier's checks, money orders, traveler's checks) purchased with currency in amounts from $3,000 to $10,000 inclusive, you need records showing identification of the purchaser, the method used to verify that identity, and the details of the instruments and transaction.
For wire transfers of $3,000 or more, you need records of the originator's name and address, the amount, the date and payment instructions, and the beneficiary's institution. There are specific data elements required.
For funds transfers generally, you must retain records with five-year retention.
Customer Identification Records
You need to keep records of customer identifying information, descriptions of documents you relied upon, methods used for verification, and results of verification.
Retention period: the identifying information itself (name, date of birth, address, identification number) for five years after the account is closed. Not five years from account opening. Five years after the account closes. The verification records (document descriptions, methods, results) are kept for five years after the record is made.
General Standards
The general retention period is five years from the date the record was created. Records can be maintained in any format as long as they're retrievable within a reasonable time and available for regulatory examination. They may be maintained in the United States or made available in the United States within specified timeframes.
BSA/AML Program Requirements
Every covered financial institution must establish and maintain a BSA/AML compliance program. The requirements are commonly referred to as the "Five Pillars."
Pillar 1: Internal Controls
This pillar covers your policies and procedures. You need written policies covering all BSA/AML requirements, procedures for implementing those policies, clear roles and responsibilities, and escalation procedures.
You also need systems and processes for transaction monitoring, customer identification and verification, sanctions screening, and SAR decision-making.
And you need oversight and governance from your board of directors, management reporting, and committee structures if applicable.
Pillar 2: Designation of a BSA Officer
Every institution must designate an individual responsible for BSA/AML compliance. This person handles day-to-day program management, coordinates compliance activities, has SAR decision-making authority, and reports to senior management and the board.
The BSA Officer needs appropriate experience and knowledge, authority to implement the program, and access to necessary resources. You can't designate someone with no compliance background and no authority to make decisions.
Pillar 3: Training Program
All relevant employees must receive training. The training should be appropriate to the employee's role. You need initial training and ongoing training thereafter, with documentation of who completed what and when.
Training topics should cover BSA/AML regulations and requirements, your institution's policies and procedures, red flags and suspicious activity detection, and reporting and escalation procedures.
Pillar 4: Independent Testing
Your program needs periodic independent testing. This can be internal audit or an external party, but it must be independent from the BSA/AML compliance function. You can't test yourself.
Testing scope should include effectiveness of policies and procedures, compliance with regulatory requirements, transaction monitoring effectiveness, training program adequacy, and quality of SAR decisions.
Frequency is generally annual for most institutions. Higher-risk institutions may need more frequent testing.
Pillar 5: Customer Due Diligence (CDD)
The 2016 CDD Rule added this as a formal pillar. Requirements include customer identification and verification, beneficial ownership identification for legal entities, understanding the nature and purpose of relationships, and ongoing monitoring and updating of information.
The CDD pillar also requires a risk-based approach, meaning risk profiles for customers, appropriate due diligence based on risk, and enhanced due diligence for high-risk customers.
The Role of a BSA Officer
The BSA Officer is central to the entire compliance program. Some institutions call this role Compliance Officer or AML Officer. Whatever the title, this person carries significant responsibility.
Core Responsibilities
The BSA Officer oversees day-to-day program operations, ensures policies and procedures get implemented, manages compliance resources and budget, and coordinates with other departments.
For reporting and decision-making, the BSA Officer reviews and approves SAR filings, makes determinations on suspicious activity, reports to senior management and the board, and responds to regulatory requests.
For risk management, the BSA Officer conducts or oversees BSA/AML risk assessments, identifies emerging risks, recommends program enhancements, and monitors regulatory developments.
For training and awareness, the BSA Officer oversees the training program, ensures employees understand their responsibilities, and promotes compliance culture throughout the organization.
What Makes a Good BSA Officer
Knowledge requirements include BSA/AML regulations and requirements, money laundering typologies, the regulatory examination process, your institution's products and services, and risk assessment methodologies.
Experience generally means several years in compliance or related fields, understanding of financial services operations, and investigation and analysis skills.
Common certifications (not legally required, but common) include Certified Anti-Money Laundering Specialist (CAMS) and Certified BSA/AML Professional (CBAMLP).
Authority and Independence
The BSA Officer needs direct access to senior management and the board, authority to implement compliance measures, authority to file SARs, and access to information across the organization.
Independence matters. The BSA Officer shouldn't have conflicting responsibilities. They need to be able to make decisions without improper influence. And they should have an appropriate reporting structure that doesn't create conflicts.
BSA Examinations and Enforcement
Financial institutions face regular BSA/AML examinations by their primary regulators. Understanding how these examinations work helps you prepare.
The Examination Process
Examiners look at your BSA/AML program adequacy, your compliance with regulatory requirements, the effectiveness of your controls, the quality of your SAR decisions, and your customer due diligence processes.
Examination procedures include document requests and reviews, transaction testing, SAR review, interviews with staff, and system testing.
Examination cycles run generally 12-18 months for banks, with risk-based frequency adjustments. Problem institutions get examined more frequently.
Common Findings
Deficiencies that get cited regularly include inadequate transaction monitoring, insufficient customer due diligence, poor SAR quality or late filings, weak independent testing, training deficiencies, and inadequate documentation.
Enforcement Actions
When examiners find problems, responses can range from informal to severe:
| Action Type | Description | Typical Use |
|---|---|---|
| Matters Requiring Attention (MRA) | Informal concerns requiring response | Minor issues |
| Memorandum of Understanding (MOU) | Informal agreement to address issues | Moderate issues |
| Written Agreement | Formal public agreement | Significant issues |
| Cease and Desist Order | Mandatory compliance requirements | Serious violations |
| Civil Money Penalty | Financial penalty | Serious or repeated violations, negligent as well as willful |
| Removal/Prohibition | Ban from banking industry | Individual misconduct |
BSA Penalties and Consequences
BSA violations have severe consequences for both institutions and individuals. The penalty framework has teeth.
Civil Money Penalties
The statutory amounts per violation look modest: for negligent violations up to $500 each, or up to $50,000 for a pattern of negligent violations; for willful violations the greater of $25,000 or the amount involved (up to $100,000). All of these are adjusted annually for inflation. What makes the framework expensive is counting. A program violation is a separate violation for each day it continues and for each office or branch where it occurs, and each unfiled report can count separately, with no cap on the aggregate. Multiple violations stack up to enormous sums.
Recent examples give you a sense of scale:
| Year | Institution | Penalty | Primary Violations |
|---|---|---|---|
| 2021 | Capital One | $390M | AML program and SAR/CTR filing failures |
| 2023 | Deutsche Bank | $186M | AML monitoring failures (Federal Reserve) |
| 2024 | TD Bank | $1.3B (FinCEN portion of a roughly $3B total settlement) | AML program failures |
| 2024 | Various MSBs | $10M-50M | Registration and AML failures |
Criminal Penalties
For individuals, willful violations carry fines of up to $250,000 and up to 5 years imprisonment; that rises to $500,000 and 10 years when the violation is committed while breaking another U.S. law or as part of a pattern of illegal activity involving more than $100,000 in a 12-month period.
For institutions, criminal consequences can include fines, prosecution as an organization, and deferred prosecution agreements.
Other Consequences
Beyond the direct penalties, regulatory consequences can include enhanced supervision, growth restrictions, license revocation for non-bank institutions, and management removal.
Business consequences hit hard too. Reputational damage. Loss of correspondent banking relationships. Customer attrition. Stock price impact. Increased regulatory scrutiny going forward. A major BSA violation can affect an institution for years.
BSA Compliance Best Practices
Effective BSA/AML compliance requires continuous attention and improvement. Here's what works.
Program Design
Take a risk-based approach and align controls with assessed risks. Establish clear accountability with defined roles and responsibilities. Maintain documented policies that are current and complete. Ensure adequate resources with sufficient staffing and budget.
Technology and Operations
Your monitoring systems should be appropriate to your transaction volumes and complexity. Alert management needs efficient review and disposition processes. Case management should be systematic. And documentation of decisions and rationale needs to be thorough.
Governance and Culture
Board engagement matters. Regular reporting and meaningful oversight, not rubber-stamping. Management support needs to be active, not passive. A compliance culture means organization-wide commitment, not just the compliance department caring. And open communication means escalation without fear of retaliation.
Continuous Improvement
Test regularly with at least annual independent review. Monitor regulatory developments to track guidance and enforcement trends. Update your program based on findings and changes. And engage with the industry to learn from peers and industry groups.