What is the penalty for a missed CTR?
Quick answer
Missing a required CTR carries civil penalties up to $25,000 per violation under the Bank Secrecy Act. Willful failures add criminal exposure: fines up to $250,000 and five years in prison under 31 U.S.C. § 5322. Systemic failures have drawn penalties exceeding $390 million.
The full answer
A missed CTR (Currency Transaction Report) is a federal violation under the Bank Secrecy Act. The filing obligation under 31 U.S.C. § 5313 is not discretionary: any cash transaction over $10,000 triggers a 15-day filing window, and missing it is a chargeable offense.
The penalty structure splits into civil and criminal tracks.
Civil penalties (31 U.S.C. § 5321):
| Violation type | Penalty ceiling |
|---|---|
| Negligent, isolated failure | Up to $500 per day |
| Single willful violation | Up to $25,000 per violation |
| Pattern of willful violations | Cumulative per-violation penalties; DOJ referral |
Criminal penalties (31 U.S.C. § 5322):
| Violation type | Penalty |
|---|---|
| Willful BSA violation | Up to $250,000 fine and/or 5 years imprisonment |
| Pattern involving $100K+ in 12 months | Up to $500,000 fine and/or 10 years imprisonment |
The per-violation ceilings become less relevant at scale. Capital One's FinCEN enforcement action in January 2021 totaled $390 million across CTR and SAR failures spanning six years. TD Bank's 2024 guilty plea to conspiracy to commit money laundering produced a $3 billion combined DOJ and FinCEN penalty, with CTR-related monitoring failures cited among the core deficiencies. That's the current benchmark for what systemic non-compliance costs.
What regulators mean by "willful"
You don't need proof of intent to defraud. Courts and FinCEN treat willfulness as knowing non-compliance, conscious disregard, or deliberate ignorance.
An institution is generally treated as willful if it:
- Received audit findings about CTR gaps and didn't remediate within a reasonable timeframe
- Disabled or bypassed automated transaction monitoring to reduce workload
- Had written BSA/AML policies but built no controls to enforce them
- Received internal warnings from compliance staff and took no documented action
Negligence, by contrast, means a systemic failure without evidence of awareness. A single missed CTR from a software bug, caught internally and reported proactively to FinCEN, often results in no penalty or a supervisory letter. The key word is "proactively." Self-disclosure before an examination or third-party referral is treated very differently from disclosure after a subpoena.
CTR and SAR failures compound each other
Missed CTRs rarely travel alone. When customers structure transactions below the $10,000 threshold to avoid detection, an institution faces simultaneous exposure: it should have filed a CTR on the original large transaction and a suspicious activity report for the structuring pattern. Structuring is a federal crime under 31 U.S.C. § 5324. An institution that detects both and files neither accumulates penalties on two tracks.
Regulatory compliance automation that monitors threshold transactions and behavioral patterns in the same workflow closes both gaps at once, rather than treating CTR monitoring and SAR monitoring as separate queues.
International equivalents
The BSA framework applies to US-chartered institutions and US branches of foreign banks. Outside the US, similar reporting obligations exist under different names: the UK uses Suspicious Activity Reports under POCA 2002, the EU's AMLD framework includes transaction reporting requirements, and Australia's AUSTRAC requires Threshold Transaction Reports (TTRs) with an AUD 10,000 threshold.
FATF Recommendation 11 requires member jurisdictions to mandate that financial institutions keep records sufficient to reconstruct transactions for at least five years. A missed CTR is a direct failure against that standard and is flagged in FATF mutual evaluations.
Remediation timeline matters
An institution that discovers CTR filing gaps has options, but the window for favorable treatment is short. FinCEN's approach rewards early self-disclosure, credible remediation plans, and evidence of executive accountability. Waiting for examiners to find the gap first is almost always the more expensive path.
Identity verification and KYC/AML automation that builds cash-transaction monitoring into customer onboarding workflows reduces CTR gaps at the source, before any filing deadline is in play.
Why this matters
A missed CTR is evidence of a monitoring failure, not just a paperwork gap.
When FinCEN or DOJ investigators review a CTR failure, the first question is: did the institution have the controls to catch this transaction? If yes, why didn't they fire? If no, why didn't the institution build them? Both answers are uncomfortable.
The practical consequence is scope expansion. A single missed CTR can trigger a full BSA/AML program examination. Examiners will pull the institution's written policies, test whether customer due diligence procedures are actually enforced, and run the institution's transaction monitoring system against historical data. What starts as a question about one filing becomes a review of the entire compliance program.
Compliance teams at institutions that still rely on manual review for large-cash-transaction flagging are running a structural risk. Manual processes depend on an analyst noticing a deposit, which means they fail silently during high-volume periods, staff turnover, and system changes. Regulators have said explicitly that automated monitoring is the expected standard, and enforcement history has made the cost of the gap visible.
AI-powered fraud detection systems that flag threshold transactions before the filing deadline give compliance teams lead time to file accurately. That's the operational difference between a clean exam and a $390 million enforcement action.