AMLA 2020: What It Requires and Who It Applies To
The Anti-Money Laundering Act of 2020 (AMLA 2020) is a US federal law, enacted as Division F of the National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283) and signed on January 1, 2021. Administered by FinCEN, it requires banks and covered financial institutions to align their AML/CFT programs with published national risk priorities, mandates beneficial ownership reporting, and expands whistleblower protections.
What is AMLA 2020?
The Anti-Money Laundering Act of 2020 is the most sweeping reform to US anti-money laundering law since the USA PATRIOT Act of 2001. Enacted as Division F of the National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283), it was signed into law on January 1, 2021, and amends the Bank Secrecy Act (BSA) that has governed US AML compliance since 1970.
FinCEN, the Financial Crimes Enforcement Network within the US Treasury, is the primary regulator. The law was introduced in direct response to two converging pressures. First, Congress had watched the BSA's compliance framework calcify into checkbox exercises that generated tens of millions of Suspicious Activity Reports (SARs) annually, the majority of which law enforcement couldn't effectively use. Second, the September 2020 "FinCEN Files" investigation by BuzzFeed News and the International Consortium of Investigative Journalists documented how US banks had continued processing transactions for clients they'd already flagged as suspicious in SARs. Congress had seen enough.
The structural changes AMLA 2020 introduces are real and far-reaching: publication of national AML/CFT priorities by FinCEN, a centralized beneficial ownership registry through the embedded Corporate Transparency Act, expanded information-sharing safe harbors for banks, a new whistleblower award program, and explicit statutory authorization for technology-based compliance tools including artificial intelligence and machine learning. The law also adds foreign corruption as a predicate offense to money laundering under 18 U.S.C. § 1956 and expands the definition of "financial institution" under the BSA.
Who does AMLA 2020 apply to?
AMLA 2020 applies to "financial institutions" as defined under the Bank Secrecy Act, 31 U.S.C. § 5312. The covered population includes:
- Banks and credit unions (commercial banks, savings associations, federal credit unions, state-chartered thrifts)
- Broker-dealers and registered investment advisers supervised by the SEC and subject to FINRA Rule 3310
- Money services businesses (MSBs), including money transmitters, check cashers, currency dealers, and prepaid access providers
- Casinos with annual gaming revenue above $1 million
- Loan and finance companies above specified transaction thresholds
- Insurance companies for covered insurance products
- Mutual funds
- Any entity FinCEN has designated by regulation as a financial institution under the BSA
The Corporate Transparency Act provisions (Title LXIV of AMLA 2020) impose separate obligations on "reporting companies," meaning most US-incorporated or registered legal entities. Twenty-three exempt categories exist, covering SEC-reporting companies, banks, regulated insurance companies, and large operating companies (defined as entities with more than 500 employees, more than $5 million in US gross revenue, and a US physical office).
There's no minimum asset threshold for core BSA/AML program requirements. A community bank with $50 million in assets faces the same five-pillar program obligations as JPMorgan Chase. For national banks and federal savings associations, 12 CFR Part 21 carries OCC examination authority on top of FinCEN oversight. State-chartered member banks answer to the Federal Reserve; non-member state-chartered banks to the FDIC.
What does AMLA 2020 require?
The law's core obligations fall into nine distinct requirements:
Incorporate FinCEN's national AML/CFT priorities. FinCEN published its first set of eight national priorities on June 30, 2021, covering corruption, cybercrime, foreign and domestic terrorist financing, fraud, human trafficking and smuggling, drug trafficking, and proliferation financing. Covered institutions had 180 days (until December 27, 2021) to review, update, and document how their AML/CFT risk assessments and programs address each priority. The priorities document is available directly from FinCEN.
Collect and verify beneficial ownership information. The FinCEN CDD Rule requires banks to identify and verify the beneficial owners of legal entity customers at account opening. The CTA BOI registry established under AMLA 2020 now gives banks a centralized FinCEN database to cross-reference against.
Maintain a risk-based AML/CFT program. Programs must reflect the institution's specific risk profile. AMLA 2020 explicitly authorizes innovative compliance technology, including AI and machine learning tools. This is a statutory green light that the BSA previously lacked.
File Suspicious Activity Reports. The SAR filing obligation under the BSA continues unchanged. Banks must file within 30 calendar days of detection, or 60 days if no suspect is identified when the suspicious activity is detected.
File Currency Transaction Reports. The CTR requirement for cash transactions above $10,000 remains in place, as does the structuring prohibition under 31 U.S.C. § 5324.
Implement information-sharing procedures. AMLA 2020 expanded the safe harbor for banks sharing SAR information with foreign branches and subsidiaries. Section 314(b) voluntary sharing between institutions continues and was reinforced.
Operate a Customer Identification Program. Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements from Section 326 CIP remain fully in force.
Protect and reward whistleblowers. AMLA 2020 Section 6314 establishes a BSA whistleblower program modeled on the SEC's. Individuals who voluntarily provide original information leading to a successful enforcement action with sanctions over $1 million may receive 10% to 30% of the amount collected.
Retain records. Five-year retention applies to most BSA-related records, including SAR decision logs, CDD documentation, and transaction monitoring alert dispositions.
What evidence do regulators expect?
Examiners from FinCEN, the OCC, Federal Reserve, FDIC, NCUA, and state regulators arrive with a specific checklist. What they want is documentation, not verbal assurances.
Board and senior management oversight:
- Board resolution or meeting minutes formally approving the AML/CFT policy
- Annual BSA/AML officer report presented to the board, with evidence the board received and reviewed it
- Management's written responses to independent audit findings, with completion dates
Risk assessment:
- Written BSA/AML risk assessment updated after June 30, 2021, explicitly addressing each of FinCEN's eight national priorities
- Documented rationale for any priority assessed as low risk to your institution
- Customer risk-rating methodology with documentation showing how ratings are applied and periodically reviewed
Program components:
- Written policies and procedures covering all five BSA/AML program pillars
- Dated training completion records for every employee with AML responsibilities. The score matters less than the record; examiners routinely ask for individual-level completion dates.
- Independent audit report from within the past 12 months, conducted by someone with actual AML expertise
Transaction monitoring:
- System documentation showing which rules are active, their rationale, and the tuning history
- Alert disposition records with analyst names, decision dates, and elapsed time from alert creation to closure
- SAR decision log, including cases where a SAR was considered but not filed. This is often the first thing a skilled examiner requests.
Customer due diligence:
- CDD and EDD procedure documentation with version history
- Beneficial ownership collection records for legal entity customers, cross-referenced against the FinCEN BOI registry where applicable
- High-risk customer review schedule with evidence of completed periodic reviews
Alert backlogs above 30 days draw immediate scrutiny. So do CDD files for legal entity customers that are missing beneficial ownership certifications.
Common failure modes
Most AMLA 2020 citations don't come from intentional wrongdoing. They accumulate from program gaps that nobody fixed because the old approach "worked" until it didn't.
Stale risk assessments. Institutions that completed their AML risk assessment before June 2021 and never documented how they evaluated FinCEN's eight national priorities have been cited in virtually every examination cycle since. Examiners treat a pre-2021 risk assessment as prima facie evidence of a program gap.
Transaction monitoring backlogs. FinCEN's October 2024 consent order against TD Bank remains the defining enforcement case of the AMLA era. The bank processed $18.3 trillion in transactions annually while its monitoring system went years without meaningful updates. Alert backlogs reached tens of thousands of unreviewed cases. The resulting penalties totaled over $3 billion across FinCEN, DOJ, and OCC.
Inadequate beneficial ownership collection. Gaps between policy and practice are common, particularly for complex legal entities with multi-layered ownership structures involving trusts or foreign holding companies. Examiners look at actual account files, not the procedure manual.
Weak independent testing. Community banks using general-purpose internal auditors who lack AML credentials face criticism even when an "audit" was technically conducted. Examiners assess whether the auditor had the expertise to find real problems.
Missing training records. Banks that can't produce individual completion records get cited even when training happened. The documented record is the only evidence that counts.
Failure to file SARs on priority typologies. After FinCEN publishes guidance on a specific typology (such as virtual asset transactions or real estate structuring), institutions that can't demonstrate they monitor for that typology face heightened scrutiny. The Binance DOJ enforcement action in November 2023, resulting in $4.3 billion in combined penalties, illustrates the scale of consequences when monitoring systematically fails.
Penalties for non-compliance
AMLA 2020 amended 31 U.S.C. § 5321 to remove the prior cap on civil money penalties for willful violations. The current framework is:
Civil penalties:
- Willful violations: up to $1 million per day per violation, with no aggregate cap
- Non-willful violations: up to $25,000 per day
- Both figures are adjusted annually under the Federal Civil Penalties Inflation Adjustment Act
Criminal penalties:
- Individuals face up to 10 years imprisonment and fines up to $250,000 per willful BSA violation
- Institutional criminal fines are calculated under the Alternative Fines Act, which permits fines equal to twice the amount of proceeds derived from the violation
Named enforcement actions:
TD Bank (2024): FinCEN assessed $1.3 billion, the DOJ assessed $1.8 billion, and the OCC assessed $450 million, for a combined total exceeding $3 billion. At the time of the consent order, it was the largest BSA/AML penalty in US history. Full details at FinCEN's enforcement page.
Binance (2023): DOJ and FinCEN assessed $4.3 billion combined for systemic BSA/AML failures including failure to implement a compliant AML program and processing transactions for sanctioned jurisdictions. This now stands as the largest AML enforcement action in US history.
Western Union (2017): $586 million for AML program failures predating AMLA but establishing the penalty range for non-bank financial institutions.
OFAC SDN list violations compound BSA penalties. Institutions that fail on both fronts face parallel sanctions exposure with no coordination discount.
Related regulations and frameworks
AMLA 2020 is an amendment to, not a replacement of, the BSA. Every institution that was subject to the BSA before 2021 remains subject to all prior BSA requirements, now augmented by AMLA.
Domestic:
- Bank Secrecy Act: The foundational US AML statute since 1970. AMLA 2020 modernizes it without replacing it.
- Corporate Transparency Act (CTA): Title LXIV of AMLA 2020. Establishes the FinCEN beneficial ownership registry and imposes BOI filing obligations on reporting companies.
- PATRIOT Act Section 314(a) and 314(b): Information-sharing provisions that AMLA 2020 expanded, particularly the safe harbor for sharing with foreign affiliates.
- FinCEN CDD Rule: The 2016 rule requiring collection of beneficial ownership at account opening for legal entity customers. AMLA 2020 builds on this with the centralized BOI registry.
International:
- FATF Recommendation 20: The global standard for suspicious transaction reporting that US SAR obligations implement. AMLA 2020's reforms bring US practice closer to FATF's risk-based approach.
- FATF Recommendation 24: The FATF beneficial ownership standard. The CTA's BOI registry directly implements this recommendation at a national level.
- EU AMLA Regulation: The EU is building a parallel AML supervisory authority with its own beneficial ownership registry requirements under 6AMLD. The two frameworks are structurally convergent but not harmonized.
- UK MLR 2017: The UK's primary AML legislation. Global institutions operating in both jurisdictions need programs that satisfy both regimes' risk assessment and customer due diligence standards.
For any institution with a global footprint, AMLA 2020 is the US pillar in a compliance architecture that also includes the EU's AMLA framework, UK MLR 2017, and jurisdiction-specific laws in Singapore, the UAE, and Australia.
How FluxForce supports AMLA 2020 compliance
FluxForce's AI agents map directly to AMLA 2020's highest-friction requirements: continuous transaction monitoring calibrated to FinCEN's eight national priorities, automated SAR narrative drafting that cuts analyst time per case, beneficial ownership verification against the FinCEN BOI registry, and full decision audit trails for every alert disposition. Configurable autonomy lets compliance teams set human-in-the-loop thresholds for sensitive filing decisions. Every automated action is fully documented for examiner review. Book a demo to see how FluxForce addresses your specific AMLA program gaps.