Bank of America 2024: $225M Enforcement Action
In December 2024, Bank of America was assessed a $225 million civil money penalty by the Financial Crimes Enforcement Network (FinCEN) for violations of the Bank Secrecy Act. Regulators found the bank failed to maintain an adequate anti-money laundering program, with systemic gaps in transaction monitoring and suspicious activity reporting across a multi-year period.
What happened?
Bank of America, headquartered in Charlotte, North Carolina and one of the largest financial institutions in the United States by assets, was assessed a $225 million civil money penalty by FinCEN in December 2024 for violations of the Bank Secrecy Act.
According to FinCEN's public announcement, the bank's failures were systemic rather than isolated. The assessment focused on the bank's anti-money laundering program, which regulators found fell short of the requirements established under the BSA and its implementing regulations. The failures were not new. They accumulated across multiple examination cycles, suggesting that prior supervisory feedback had not translated into durable remediation.
The action came to a head after regulators identified persistent weaknesses in how the bank identified and reported suspicious activity. According to FinCEN, the bank processed transactions that should have triggered review and filing obligations under the BSA but did not. The volume and duration of these lapses, spanning years rather than months, indicated a program that was under-resourced, inadequately supervised, or both.
FinCEN's civil money penalty assessment was separate from any concurrent OCC or Federal Reserve supervisory actions, though large-scale BSA enforcement actions at institutions of this size typically involve coordination across federal regulators. The official FinCEN press release is available at https://www.fincen.gov/news/news-releases. Compliance teams should read the full assessment alongside the bank's response for a complete picture of what the record establishes.
What did regulators say?
FinCEN's assessment characterized the violations as a failure to maintain an effective AML program as required under 31 U.S.C. § 5318. The regulator's position, as reflected in the civil money penalty assessment, was that Bank of America failed to implement and maintain adequate controls to detect and report suspicious activity.
Regulators alleged that the bank's transaction monitoring systems were not calibrated appropriately for the risk profile of its customer base and product lines. The assessment found that the bank failed to file Suspicious Activity Reports as required, or filed them late, in a significant number of cases. FinCEN's public language described the failures as violations of the BSA's program requirements, recordkeeping provisions, and reporting obligations.
The press release stated that FinCEN took this action in coordination with other federal banking regulators, consistent with how the agency handles systemic BSA failures at systemically important financial institutions. Enforcement actions of this scale are not undertaken lightly. The $225 million figure reflects both the severity of the underlying violations and the institution's size, which gives it correspondingly larger compliance obligations.
For compliance teams, the regulator's framing is instructive: the violation was not a one-time miss but a program failure. That distinction matters for how peer institutions frame their own internal reviews and board reporting.
What controls failed?
The control failures identified in this enforcement action fall into several categories that will be familiar to any compliance officer who has sat through a BSA examination.
Transaction monitoring. The bank's automated monitoring systems did not generate alerts at the rate or accuracy required for its business volume and customer risk profile. When a tier-one bank processes tens of millions of transactions daily, even a small gap in alert coverage produces a large absolute number of missed suspicious transactions. Regulators alleged that thresholds were set too high, scenario coverage was incomplete, or alert disposition was inadequate.
SAR filing obligations. Under 31 CFR § 1020.320, banks must file a SAR within 30 calendar days of initially detecting a reportable transaction, with a 60-day extension available in some cases. The assessment found that the bank failed this obligation across a meaningful number of cases. Whether the root cause was inadequate alert triage, under-staffed investigation teams, or poor escalation protocols, the outcome was the same: reportable activity went unfiled.
Customer due diligence. The FinCEN CDD Rule requires banks to collect and verify beneficial ownership for legal entity customers and to maintain current risk profiles. Gaps in this area mean that transaction monitoring operates on incomplete customer context, which degrades alert quality across the board.
Governance and escalation. Large institutions can fail at the program level even when individual business lines operate in good faith. When compliance findings don't escalate properly to the board, when remediation commitments aren't tracked, and when audit findings recur across cycles, it signals a governance failure as much as a technical one.
Resourcing. Sustained BSA program failures at a bank of this size almost always implicate staffing. Investigation backlogs grow when case volumes exceed analyst capacity. Alert queues age. SARs get filed late or not at all.
Which regulations were violated?
The core statutory violation is the Bank Secrecy Act, codified at 31 U.S.C. §§ 5311-5336 and implemented through FinCEN's regulations at 31 CFR Chapter X. The BSA requires covered financial institutions to maintain a written AML program, file Currency Transaction Reports for cash transactions over $10,000, and file Suspicious Activity Reports for transactions involving $5,000 or more where the bank knows, suspects, or has reason to suspect that a transaction involves illicit funds or lacks a lawful purpose.
The Anti-Money Laundering Act of 2020 strengthened these requirements by expanding the BSA's definition of financial institution, increasing penalties, and requiring Treasury to establish national AML/CFT priorities. Banks are now explicitly required to align their programs with those published priorities, which include corruption, cybercrime, and human trafficking in addition to traditional drug-trafficking-related laundering.
The FinCEN CDD Final Rule (effective May 2018) codified a fifth pillar of AML compliance: ongoing monitoring and beneficial ownership identification for legal entity customers. Failures in this area directly contributed to the monitoring gaps regulators alleged.
International standards mirror these domestic requirements. FATF Recommendation 20 requires member jurisdictions to mandate STR filing for institutions that know or suspect funds are proceeds of crime or linked to terrorist financing. The U.S. SAR framework is the domestic implementation of this standard. FATF Recommendation 10 sets out CDD requirements that directly parallel the FinCEN CDD Rule obligations at issue here.
Which typologies were involved?
BSA enforcement actions at large banks typically involve a mix of financial crime typologies. Based on FinCEN's public characterization, the Bank of America action centered on failures to detect and report suspicious activity across the bank's broad customer base and product lines.
At institutions that operate extensive retail, commercial, and correspondent banking relationships, the most common typologies implicated in monitoring failures include: cash-intensive business accounts used to commingle proceeds, funnel accounts moving funds through multiple domestic accounts before wire transfer, and structuring patterns where customers deliberately keep transactions below CTR thresholds.
Correspondent banking relationships, governed by FATF Recommendation 13, are a particular vulnerability for large U.S. banks. These relationships create significant exposure to activity by respondent banks' customers, and monitoring the full transaction flow requires both strong due diligence on the respondent bank and ongoing transaction surveillance at the correspondent level.
The failure to maintain adequate records, as required under FATF Recommendation 11, compounds monitoring gaps. When investigation teams can't reconstruct transaction histories or trace the source of funds, SAR quality degrades even when the underlying alert fires correctly. The result is SARs filed without adequate supporting evidence, or cases abandoned because investigators lack the documentation to reach a reasonable conclusion.
Aftermath and remediation
A $225 million civil money penalty at this scale carries consequences well beyond the financial hit. For an institution with Bank of America's balance sheet, the dollar amount is manageable. The reputational and operational consequences are not.
Following the assessment, Bank of America was subject to the standard remediation requirements that accompany large-scale BSA enforcement actions. These include formal commitments to remediate identified program deficiencies, enhanced supervisory oversight, and in some cases, independent testing or audit requirements to verify that remediation is effective. FinCEN civil money penalty assessments typically require the institution to acknowledge the violations and commit to specific corrective measures.
The bank's leadership and board were expected to demonstrate direct engagement with the remediation program. In recent years, regulators have been explicit that board-level accountability for AML program failures is not optional. The OCC's Guidance on Responsible Innovation and FinCEN's own examination procedures both require institutions to demonstrate that AML governance is a board-level matter, not just a compliance department function.
Publicly, large BSA enforcement actions tend to prompt immediate internal reviews at peer institutions. Compliance officers across the sector will examine the FinCEN assessment for specifics about what monitoring scenarios were missing, what customer segments were under-surveilled, and whether their own programs have analogous gaps. That secondary effect is, in part, the point.
The $225 million penalty joins a pattern of major BSA actions against U.S. banks in 2024, a year that also saw TD Bank's record $3 billion resolution. Regulators have been explicit that the era of modest BSA fines is over.
Lessons for other institutions
The Bank of America action offers several concrete takeaways for compliance teams at peer institutions.
Validate your monitoring coverage, not just your alert rates. A low false-positive rate looks good on a dashboard but tells you nothing about what your system is missing. Scenario coverage audits, where you map your typology library against known industry red flags and test whether your system would generate an alert, are more useful than raw alert volume statistics. If you haven't done one in the past 18 months, schedule it.
Treat SAR backlog as a risk indicator, not an ops problem. When case queues grow, SAR timeliness degrades. That's a compliance failure with regulatory consequences, not a staffing inconvenience. Board-level reporting should include SAR timeliness metrics alongside coverage rates.
Don't let beneficial ownership gaps compound. If your CDD refresh cycles are running behind, the downstream effect is that your transaction monitoring is working from stale risk profiles. Alert quality suffers. Investigate and resolve the backlog before the next examination.
Test your escalation paths. Regulators cited governance failures alongside technical ones. Run a tabletop: if a relationship manager identifies suspicious activity, can they escalate it within the required timeframe? Does the chain from frontline staff to compliance to SAR filing work under real-world conditions?
Resource your program for your actual transaction volume. The gap between what a bank processes daily and what its compliance team can actually review is where regulatory exposure lives. Headcount and technology investment have to track the business. If the bank has grown, the compliance program has to grow proportionally.
Review your AMLA 2020 alignment. The Anti-Money Laundering Act of 2020 and FinCEN's national AML/CFT priorities create a new basis for examining whether your program reflects current threat typologies. If your monitoring scenarios were designed before 2021, they may not reflect the priorities regulators are now using as a benchmark.
How FluxForce helps prevent similar failures
FluxForce's AI agents run continuous transaction monitoring across all customer segments, flagging behavioral anomalies in real time rather than waiting for batch processing cycles. Automated SAR drafting captures investigation context at case creation, so filings meet the 30-day deadline without compressing analyst review. Behavioral baselines update as customer risk profiles change, keeping CDD current without manual refresh cycles. Every alert, disposition, and escalation decision generates a full evidence trail, which means examiners see a complete audit log, not a reconstructed narrative.
Sources and official documents
https://www.fincen.gov/news/news-releases