United States Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Bank Secrecy Act / AMLA 2020
Data protection: CCPA, Gramm-Leach-Bliley
Also: US-OCC, FDIC, Federal Reserve, FINRA, SEC, OFAC, DOJ

United States financial crime compliance is governed by FinCEN under the Bank Secrecy Act and the Anti-Money Laundering Act of 2020. Covered institutions must operate a four-pillar AML program, file Suspicious Activity Reports and Currency Transaction Reports, collect beneficial ownership data, and screen against OFAC sanctions lists. Penalties for systemic failures can exceed $3 billion.

Who regulates financial crime in the United States?

FinCEN, the Financial Crimes Enforcement Network, is a bureau of the US Treasury Department and the country's designated Financial Intelligence Unit. It writes BSA regulations, collects and analyzes SAR data, administers the beneficial ownership registry, and coordinates with foreign FIUs and law enforcement agencies. Every BSA compliance question in the US starts at fincen.gov.

Prudential supervisors enforce BSA compliance within their respective charter types. The Office of the Comptroller of the Currency supervises national banks, federal savings associations, and US branches of foreign banks operating under federal licenses. The FDIC supervises state-chartered banks that aren't Federal Reserve members. The Federal Reserve oversees bank holding companies, financial holding companies, and state-chartered banks that are Fed members.

Capital markets fall to the SEC and FINRA. The SEC regulates broker-dealers, investment advisers, and registered funds under the Securities Exchange Act. FINRA operates as a self-regulatory organization and conducts day-to-day AML examinations for its member broker-dealers, bringing AML-related enforcement actions regularly and independently of federal regulators.

OFAC administers US sanctions programs. Its civil penalties carry no intent requirement, which means an institution can face liability even without knowledge that a transaction violated sanctions. The DOJ prosecutes money laundering and sanctions crimes under 18 U.S.C. §§ 1956-1957 and the Bank Fraud Act, with authority to seek criminal forfeiture.

There's no single unified regulator here. A national bank operating in New York can simultaneously face examination from the OCC, FinCEN, OFAC, and the New York Department of Financial Services in the same calendar year. That's the design, and foreign banks entering the US market need to account for it.


What are the key AML and fraud laws in the United States?

The Bank Secrecy Act of 1970 (31 U.S.C. §§ 5311-5332) is the foundation. It requires financial institutions to keep records and file reports that help identify and deter money laundering. FinCEN implements the BSA through its regulations at 31 CFR Chapter X. The BSA's risk-based framework aligns directly with FATF Recommendation 1 on the risk-based approach, which the FATF assessed in its 2016 Mutual Evaluation of the United States.

The Anti-Money Laundering Act of 2020 (AMLA 2020), enacted as Division F of the National Defense Authorization Act, is the most substantial reform since the USA PATRIOT Act. AMLA 2020 directed FinCEN to issue national AML/CFT priorities, expanded FinCEN's subpoena authority over foreign banks maintaining US correspondent accounts, raised the maximum whistleblower award to 30% of sanctions above $1 million, and authorized the beneficial ownership registry that now operates under the Corporate Transparency Act.

The USA PATRIOT Act of 2001 added three provisions that remain daily compliance realities: Section 326 (customer identification programs), Section 312 (enhanced due diligence for foreign correspondent accounts), and Section 319 (expedited asset forfeiture for correspondent accounts held by foreign banks under investigation).

Suspicious Activity Reports must be filed for transactions at or above $5,000 (or $2,000 for money services businesses) where the institution knows, suspects, or has reason to suspect the transaction involves proceeds of crime. Currency Transaction Reports go to FinCEN for all cash transactions above $10,000.

Data protection comes from two statutes. The Gramm-Leach-Bliley Act governs financial institutions' handling of customers' nonpublic personal information and requires published privacy notices and documented information-security programs. CCPA applies to institutions meeting California's revenue or data-volume thresholds and adds consumer access and deletion rights that intersect with BSA record-keeping obligations.

For virtual assets, FATF Recommendation 15 on new technologies is already US policy in substance. FinCEN treats cryptocurrency exchanges and virtual asset service providers as money services businesses. They must register with FinCEN, implement customer identification programs, and file SARs for suspicious activity.


What controls do United States regulators expect?

The FFIEC BSA/AML Examination Manual is the supervisory benchmark. It's not law, but examiners use it to evaluate whether a program is adequate. A bank that can't map its controls to the manual's requirements will have a difficult examination.

The four-pillar program is mandatory: written AML policies and procedures, a designated BSA/AML compliance officer with real authority and resources, ongoing employee training, and independent testing by internal audit or a qualified third party at a frequency consistent with the institution's risk profile.

Customer due diligence requirements are codified in FinCEN's CDD Rule (31 CFR § 1010.230), which took effect in May 2018. Covered institutions must identify and verify the beneficial owners of legal entity customers at onboarding: any natural person owning 25% or more, plus one control-purpose individual. Risk-based enhanced due diligence applies to higher-risk relationships, including foreign correspondent accounts.

Transaction monitoring must be tailored to the institution's size, complexity, and customer base. Regulators don't mandate specific systems, but a decade of consent orders makes clear what's unacceptable. Backlogs of tens of thousands of unreviewed alerts, combined with inadequate staffing to resolve them, have drawn multi-billion-dollar penalties. The expectation is tuned systems, documented alert-disposition rationale, and timely SAR filings where warranted.

Sanctions screening against OFAC's Specially Designated Nationals list and country-based programs is mandatory on an ongoing basis. Civil OFAC liability requires no proof of intent, so real-time screening at onboarding and during transaction processing is the baseline.

SARs must be filed within 30 days of detection, extendable to 60 days where additional investigation is needed. Record retention for filed SARs is five years.


What is unique about compliance in the United States?

The dual banking system is the first thing foreign entrants need to understand. Banks can hold a federal charter (supervised by the OCC) or a state charter (supervised by state regulators plus either the FDIC or the Federal Reserve). Each path carries different examination exposure. There's no single national template.

New York operates in its own category. NYDFS is an independent regulator, and its 2016 Part 504 regulation imposes specific minimum requirements on transaction monitoring programs and OFAC filtering programs for all DFS-licensed institutions. Annual board-level certifications are required, signed by a senior compliance officer. A bank with a New York license faces DFS scrutiny on top of its federal prudential supervisor, and DFS has demonstrated the will to act independently. In 2017, NYDFS fined Deutsche Bank $425 million for the mirror-trade scheme through which approximately $10 billion in suspicious transactions moved out of Russia without adequate AML controls.

FinCEN published its first-ever national AML/CFT priorities in June 2021, identifying eight threat categories: corruption, cybercrime, foreign and domestic terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing. Institutions must incorporate these priorities into their written risk assessments and document how controls address each one. This isn't optional guidance. Examiners treat failure to address the priorities as a program deficiency.

Beneficial ownership rules changed materially in January 2024. The Corporate Transparency Act, implemented through FinCEN's Beneficial Ownership Information reporting rule, created the first centralized US registry of ultimate beneficial owners. Most domestic and foreign companies operating in the US must now report their beneficial owners to FinCEN's BOI database. Financial institutions still collect beneficial ownership under the CDD Rule, but the BOI registry will be available to them as a verification resource once access opens.

Cryptocurrency businesses registered as money services businesses face full BSA obligations, including compliance with FATF's Travel Rule (mapped in FATF Recommendation 16) for virtual asset transfers above $3,000.

Geographic Targeting Orders give FinCEN power to impose enhanced reporting requirements on specific sectors or geographic areas without notice-and-comment rulemaking. GTOs have applied to luxury real estate purchases in major metropolitan areas since 2016.


Recent enforcement actions in the United States

The US sets the global benchmark for AML enforcement severity.

The 2012 HSBC enforcement action resulted in a $1.9 billion deferred prosecution agreement with the DOJ and FinCEN. Prosecutors found HSBC had moved $881 million in drug trafficking proceeds for the Sinaloa Cartel and Norte del Valle Cartel, and had stripped identifying information from transactions to evade OFAC filters. The bank's US compliance function was chronically understaffed and lacked authority to escalate problems effectively. It remains one of the defining AML cases globally.

In 2014, BNP Paribas agreed to pay $8.97 billion and enter a criminal guilty plea for processing approximately $8.8 billion in transactions that violated US sanctions against Sudan, Iran, and Cuba. The criminal conviction itself was as consequential as the fine: the bank temporarily lost the ability to clear certain US dollar-denominated transactions. No financial institution had faced a criminal conviction of this scale for sanctions violations before.

Standard Chartered agreed to pay $1.1 billion in 2019 to US and UK authorities for OFAC sanctions violations related primarily to Iran, along with AML program deficiencies. It was the bank's second major US sanctions settlement within a decade.

In October 2024, TD Bank became the first US bank holding company in history to plead guilty to Bank Secrecy Act violations. The $3 billion settlement with the DOJ, FinCEN, and the OCC followed findings that TD processed more than $670 million in transactions for drug trafficking networks while maintaining a compliance program that prosecutors described as structurally deficient. The OCC imposed an asset cap as a condition of the settlement.

The pattern across all four cases: long-running compliance gaps, documented senior management awareness, and failure to remediate before regulators arrived.


What foreign banks operating in the United States need to know

Entry into the US requires choosing a charter structure. A federal branch or agency license, granted by the OCC, permits most commercial banking activities and is supervised at the federal level. A state-licensed branch is supervised by state banking authorities plus the Federal Reserve. Both structures require a BSA/AML program that meets US law, not just the home-country standard. The home-country program is a starting point, not a substitute.

Every covered institution must appoint a BSA/AML compliance officer. The role isn't nominal. The officer needs direct access to senior management and the board, staff resources appropriate to the institution's risk profile, and authority to escalate without interference. Examiners will interview this person and assess whether the function has genuine operational authority.

Correspondent banking carries specific federal obligations under Section 312 of the USA PATRIOT Act. Enhanced due diligence is required for foreign correspondent accounts, including those of foreign private banking clients with assets above $1 million. US institutions are prohibited from maintaining correspondent relationships with shell banks, defined as foreign banks with no physical presence in any jurisdiction.

Reporting timelines are fixed. Currency Transaction Reports are due within 15 calendar days of the triggering transaction. SARs are due within 30 days of detection, extendable to 60 days where initial investigation is needed. The BSA E-Filing System is the mandatory submission channel.

For New York-licensed institutions, NYDFS Part 504 adds annual board-level certification requirements on top of federal obligations. No equivalent exists at the federal level, so the additional burden catches foreign banks by surprise.

Foreign banks should plan for extraterritorial reach. Section 319 of the PATRIOT Act gives FinCEN and the DOJ authority to subpoena records held by foreign banks that maintain US correspondent accounts. A US correspondent relationship can expose records held outside US borders to American legal process.


How FluxForce supports United States compliance

FluxForce maps directly to BSA/AML program requirements. Real-time transaction monitoring flags suspicious patterns and produces SAR-ready evidence packages for investigator review. OFAC SDN, PEP, and adverse-media screening run continuously against updated watchlists. Beneficial ownership data structures support CDD Rule compliance and cross-referencing with FinCEN's BOI registry. Every decision carries a full audit trail that FinCEN examiners and prudential supervisors can review without manual reconstruction. To see how FluxForce fits your BSA obligations, request a demo.

FluxForce AI agents monitor transactions against United States AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for FinCEN examinations.
