
What is the Bank Secrecy Act?

Quick answer

The Bank Secrecy Act (BSA) is a 1970 U.S. federal law requiring financial institutions to detect and report suspicious financial activity. Core obligations include Currency Transaction Reports for cash transactions over $10,000 and Suspicious Activity Reports for unusual transactions. FinCEN administers the BSA; federal bank regulators enforce it.

What the Bank Secrecy Act requires

The Bank Secrecy Act (BSA) is the primary U.S. anti-money laundering statute. Enacted in 1970 and codified at 31 U.S.C. §§ 5311-5336, it requires banks, credit unions, broker-dealers, money services businesses, and other designated financial institutions to maintain records and file reports that help federal agencies detect money laundering, tax evasion, sanctions evasion, and related financial crimes.

Three filing obligations define day-to-day BSA compliance.

Currency Transaction Reports (CTRs) cover cash transactions, or a series of related cash transactions on the same business day, exceeding $10,000. The filing deadline is 15 days from the transaction date. The $10,000 threshold has not moved since 1970. In inflation-adjusted terms, that's roughly $80,000 in 2025 dollars. The practical result is enormous filing volume: some large banks file several million CTRs per year.

Suspicious Activity Reports (SARs) cover transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activity, are designed to evade BSA reporting, or have no apparent lawful purpose. Banks have 30 calendar days to file a SAR after detecting the suspicious activity, with a 60-day extension when no suspect can be identified at the time of detection.

Foreign Bank Account Reports (FBARs) apply to U.S. persons holding foreign accounts that exceeded $10,000 at any point during the year. This is a Title 31 requirement administered by FinCEN alongside the BSA proper.

Beyond filing, the BSA requires covered institutions to maintain a written AML compliance program. The USA PATRIOT Act (2001) set four minimum pillars: internal controls, independent testing, a designated BSA compliance officer, and ongoing employee training. The PATRIOT Act also added a Customer Identification Program requirement. FinCEN's 2016 Customer Due Diligence rule added ongoing monitoring obligations and beneficial ownership collection for legal entity customers, a requirement that has since been reinforced by the Corporate Transparency Act.

Structuring is a federal crime under the same title. Breaking up cash transactions specifically to stay under the $10,000 CTR threshold, regardless of whether the underlying funds are legitimate, violates 31 U.S.C. § 5324. Banks that detect structuring and fail to file a SAR face liability on both counts.

Why BSA compliance failures are so costly

The penalties are real, and they scale with the severity of the failure. Civil penalties for negligent violations run up to $25,000 per day per violation. Willful violations can reach $1 million per day. Criminal counts carry up to $250,000 in fines and 5 years' imprisonment per count.

In major enforcement actions, those numbers become irrelevant compared to negotiated settlements. HSBC's 2012 deferred prosecution agreement with the DOJ and FinCEN totaled $1.9 billion after the bank admitted to systematic AML failures spanning years. TD Bank's October 2024 guilty plea resulted in a $3 billion penalty and, more consequentially, an asset cap that prevents the bank from growing in the United States until regulators are satisfied with its remediation. Neither case was an aberration. Both were the result of documented, repeated failures that examiners had flagged before enforcement action was taken.

Regulatory exams are where BSA failures surface first. Examiners look at whether the bank's AML program has the required elements, whether CDD and EDD processes are working, and whether SAR quality and timeliness hold up under scrutiny. Missed CTRs carry their own separate penalty exposure. A weak exam can escalate to a matter requiring attention, then a formal agreement, then a consent order, then a monitorship.

When a bank fails an AML exam badly enough, the next step is often a court-appointed monitorship: an independent expert with authority to review operations, report to regulators, and require remediation. Monitorships run for years. The indirect costs in staff time, disruption, and constrained business decisions far exceed the direct fines.

Transaction monitoring is where most compliance resources concentrate. AML alert false positive rates run 90-95% across the industry, which means investigators spend nearly all their time clearing noise. Mid-market banks spend $10-50 million annually on AML compliance, the bulk of it on alert review and SAR drafting. AI-based transaction monitoring has begun to shift that ratio, but the BSA's baseline filing obligations remain unchanged regardless of the technology a bank uses.

The BSA also intersects with sanctions law. Sanctions screening is an OFAC obligation rather than a BSA requirement, but the two programs share detection infrastructure and are examined together. FinCEN's definition of suspicious activity explicitly includes transactions that may involve sanctions evasion, so a gap in one program creates exposure in both.
