What is the Bank Secrecy Act?

The full answer

The Bank Secrecy Act (BSA), signed into law in 1970 as Public Law 91-508, is the foundation of U.S. anti-money laundering and counter-terrorist financing policy. Its formal name is the Currency and Foreign Transactions Reporting Act. Nobody calls it that. It requires financial institutions to keep records and file reports that give law enforcement a trail to follow.

Three reporting obligations define day-to-day BSA work.

1. Currency Transaction Reports (CTRs). Required for any cash transaction over $10,000, or aggregated cash transactions from the same customer that exceed $10,000 in a single business day. Penalties for a missed CTR can reach $10,000 per violation and up to $100,000 for patterns of negligence.

2. Suspicious Activity Reports (SARs). Required when a transaction of $5,000 or more appears to involve money laundering, structuring, fraud, or other criminal activity. Banks have 30 days to file a SAR from the date of detection, or 60 days if the subject hasn't been identified. FinCEN's definition of suspicious activity is broader than most compliance officers initially assume.

3. Customer Due Diligence (CDD). The 2016 FinCEN CDD Rule added a fifth pillar to BSA compliance, requiring verification of beneficial owners for legal entity customers. CDD and EDD sit on a risk spectrum. Higher-risk customers get more intensive review.

FinCEN administers the BSA; the prudential regulators (OCC, Federal Reserve, FDIC, NCUA) run the actual examinations. The FFIEC BSA/AML Examination Manual is the shared playbook. A formal BSA program requires five elements: internal controls, independent testing, a designated BSA officer, training, and a customer identification program.

The Anti-Money Laundering Act of 2020 (AMLA 2020) is the biggest BSA update in two decades. It extended coverage to antiquities dealers, authorized FinCEN to run innovation pilots for AI-based monitoring, and directed creation of a national beneficial ownership registry. That registry went live on January 1, 2024 under the Corporate Transparency Act.

Why this matters

For compliance teams, the BSA is the day-to-day operating framework, not an abstract statute. The filing volumes are real. FinCEN received over 3.6 million SARs in fiscal year 2022, according to FinCEN's published SAR statistics. That volume is why AI-based AML transaction monitoring has become a serious compliance tool rather than a novelty.

The costs are real too. AML compliance at a mid-market bank typically runs $30-50 million annually when you count staff, technology, and third-party services. False positive rates on legacy transaction monitoring systems commonly run 95% or higher. Analysts spend most of their time clearing noise rather than chasing real risk.

Regulatory examinations test every component of the five-pillar program. What triggers a regulatory exam varies: scheduled cycle, supervisory concern, or a specific event like a SAR filing spike. Failing an AML exam can result in a Memorandum of Understanding, a formal agreement, a consent order, or, in severe cases, a monitorship.

Penalties are not hypothetical. HSBC paid $1.9 billion in 2012. TD Bank paid $3.09 billion in 2024. The BSA's civil penalty cap is $1 million per violation, but the DOJ's parallel criminal authority has no such ceiling.

Who actually files a SAR varies by institution size and structure. In U.S. banks, the BSA officer typically signs. The MLRO title is more common at UK institutions operating under POCA 2002; both roles carry personal liability.

Related questions

• How long do banks have to file a SAR?
• What is the penalty for a missed CTR?
• How does FinCEN define suspicious activity?
• What happens when a bank fails an AML exam?
• What is the difference between CDD and EDD?

Related concepts and regulations

• What is the difference between AML and CFT?
• What is a beneficial owner?
• Can AI be used for AML transaction monitoring?
• What is perpetual KYC?
• What is the FATF Grey List?