AMLA 2020: What It Requires and Who It Applies To

What is AMLA 2020?

The Anti-Money Laundering Act of 2020 is a US federal statute enacted on January 1, 2021, as Division F of the National Defense Authorization Act for Fiscal Year 2021. It directly amends the Bank Secrecy Act (BSA) and is the most substantial AML reform since the BSA's original passage in 1970.

Congress acted after years of criticism that US AML compliance had become a volume exercise: institutions filed millions of SARs and CTRs annually, generating limited law enforcement value relative to the compliance cost. The FATF 2016 Mutual Evaluation of the United States gave the US a non-compliant rating on beneficial ownership transparency and cited the absence of effectiveness focus in program oversight. AMLA 2020 addresses both directly.

FinCEN administers the law. Examination authority is shared with the prudential banking regulators: the OCC, the Federal Reserve, the FDIC, and the NCUA.

Three structural changes define the Act. First, FinCEN must publish national AML/CFT priorities every four years. The first set, published June 30, 2021, named nine threat categories: corruption, cybercrime and ransomware, terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking and smuggling, proliferation financing, and environmental crimes. Covered institutions had 180 days to incorporate those priorities into their risk assessments.

Second, the Corporate Transparency Act (CTA), enacted simultaneously in the same legislation, created a federal beneficial ownership registry at FinCEN. AMLA 2020 directs FinCEN to align bank CDD obligations with that registry once it's operational.

Third, the law introduced a FinCEN whistleblower award program with financial incentives that rival those under securities law, creating meaningful internal-reporting infrastructure for BSA violations.

Who does AMLA 2020 apply to?

AMLA 2020 applies to "financial institutions" as defined in 31 U.S.C. § 5312 of the Bank Secrecy Act. That definition is broad:

• Depository institutions: All federally insured commercial banks, savings banks, thrift institutions, and credit unions. There's no size exemption. A $150 million community bank carries the same core AML obligations as a $2 trillion global bank. The risk-based approach means program complexity scales with risk, but the obligation to have a program doesn't change with asset size.
• Broker-dealers: SEC-registered broker-dealers in securities.
• Money services businesses: Money transmitters, currency dealers, check cashers, issuers of money orders and traveler's checks, and prepaid card issuers. This includes fintechs operating as MSBs under state licenses.
• Casinos and card clubs: Licensed gaming establishments with annual gaming revenue above $1 million.
• Insurance companies: Those issuing certain life, annuity, or investment-linked products.
• Mutual funds: Open-end investment companies registered under the Investment Company Act.
• Futures commission merchants and introducing brokers: CFTC-regulated commodity firms.
• Non-bank residential mortgage lenders and originators.
• Virtual asset service providers: Where they operate as money transmitters under existing FinCEN guidance. AMLA 2020 directed FinCEN to clarify the regulatory treatment of digital assets; that process was ongoing as of 2024.

Foreign branches and US agencies of foreign banks are covered where they process transactions subject to US jurisdiction. Law firms, accountants, and real estate professionals don't currently face full BSA program requirements, though FinCEN has proposed extending AML obligations to certain real estate transactions and investment advisers.

What does AMLA 2020 require?

1. Incorporate FinCEN's AML/CFT priorities into the risk assessment: Within 180 days of FinCEN publishing its priorities, every covered institution must update its written risk assessment to address each named threat category. The assessment must be board-approved, dated, and show clear mapping between the institution's business profile and the priority areas.

2. File Suspicious Activity Reports on time: Banks must file a Suspicious Activity Report within 30 calendar days of detecting suspicious activity, or 60 days if the subject hasn't been identified. AMLA 2020 explicitly permits institutions to share SAR information with foreign affiliates in FATF-member jurisdictions, provided a board-approved information-sharing framework is in place and sharing is subject to confidentiality agreements.

3. File Currency Transaction Reports within 15 days: Cash transactions of $10,000 or more require a CTR filed within 15 days of the transaction date. AMLA 2020 preserves the $10,000 threshold but grants FinCEN authority to adjust it by regulation. Structuring transactions to stay below the threshold remains a federal crime under 31 U.S.C. § 5324.

4. Maintain a risk-based AML program with four core elements: Written policies and procedures, a designated BSA compliance officer, employee training, and independent testing. AMLA 2020 adds an explicit requirement that programs be reasonably designed to achieve compliance. That wording shift matters: examiners can now cite a program as deficient even if all four elements are technically present, if the program demonstrably doesn't work.

5. Collect and verify beneficial ownership on legal entities: The FinCEN CDD Rule (31 CFR § 1010.230) requires identifying any natural person owning 25% or more of a legal entity customer, plus one control person. AMLA 2020 directs FinCEN to review this threshold and align it with the CTA registry, which also uses 25% as its standard.

6. Retain AML records for five years: SAR supporting documentation, CDD files, CTR transaction records, and transaction monitoring evidence must all be retained for five years from the date of the filing or transaction.

7. Comply with the whistleblower program: Tips to FinCEN that lead to successful enforcement actions with sanctions above $1 million entitle whistleblowers to 10-30% of the collected amount. Retaliation against a whistleblower is prohibited.

8. Seek no-action letters for novel activities: FinCEN may now issue written no-action letters confirming that a specific product or service won't trigger enforcement. This is a meaningful change for institutions testing compliance-adjacent innovations.

What evidence do regulators expect?

On exam day, FinCEN and the prudential regulators will want to see:

• A current, board-approved risk assessment: Dated after June 30, 2021, explicitly mapping the institution's products, services, customer types, and geographies against each of the nine national priority threat categories. The document must show who approved it and when it was last reviewed.
• Board and senior management oversight records: Board minutes showing annual AML program review and approval. Quarterly management reports covering SAR volumes, CTR volumes, open investigations, and monitoring system performance.
• SAR files and supporting documentation: Five years of complete filings with full investigative narratives. Examiners pull samples and check whether narratives explain why the activity is suspicious, not just what happened. "Multiple transactions with no apparent business purpose" without any analysis doesn't pass.
• CTR filings and transaction documentation: Five years of records, plus structuring alerts and the institution's documented response to each.
• CDD and KYC files: Customer identification program records, beneficial ownership certifications for legal entity customers, and evidence that high-risk accounts received enhanced review. Examiners check whether certifications were actually verified, not just collected.
• Training records by role: Completion logs with content documentation. Frontline staff, BSA officers, and board members each need role-appropriate content; a single generic online module for everyone won't satisfy an examiner.
• Independent testing documentation: Annual test scope, findings, and management's written remediation responses with completion evidence.
• Transaction monitoring system logs: Alert volumes by rule, SAR conversion rates, and documented rationale for every threshold adjustment. Systems where alerts are suppressed above 90% without written justification attract close scrutiny.

Common failure modes

• Ignoring the 180-day priority incorporation deadline: FinCEN published its nine priorities on June 30, 2021. Institutions that couldn't show a documented priority-based risk assessment review at their next exam were cited. This is a pure timing failure with no technical complexity to hide behind.

• SAR narratives that describe rather than analyze: Filing a SAR that says "multiple large cash transactions with no apparent business purpose" gives law enforcement nothing to work with. A compliant narrative explains the specific red flags, what the institution investigated, and why the pattern was judged suspicious.

• Beneficial ownership gaps at onboarding: The 25% threshold is well understood. The recurring failure is collecting the certification form without verifying it against independent sources, or not refreshing ownership records when a customer entity restructures or changes control.

• Undocumented transaction monitoring adjustments: Tuning alert thresholds is expected and legitimate. But every threshold change needs documented rationale, testing data, and management sign-off. Undocumented rule changes are a standard finding across exam sizes.

• SAR sharing with foreign affiliates without a governance framework: AMLA 2020 permits sharing, but only under a documented board-approved program. Institutions that began sharing after January 2021 without the governance structure in place created exposure rather than reducing it.

• TD Bank (2024): FinCEN assessed a $1.3 billion civil money penalty against TD Bank as part of a $3.09 billion coordinated resolution with the DOJ and OCC. Failures included monitoring gaps covering $18.3 trillion in transactions over a decade, with drug trafficking proceeds flowing through unchecked.

• Capital One (2021): FinCEN assessed a $290 million civil money penalty for systemic BSA failures in a check-cashing subsidiary. The OCC issued a separate action. Total exposure exceeded $390 million.

Penalties for non-compliance

Civil penalties under the BSA, as amended by AMLA 2020, fall into three tiers:

• Negligent violations: Up to $1,000 per violation, capped at $10,000 per examination period for isolated failures.
• Willful violations: The greater of $250,000 per violation or twice the amount of the transaction. No aggregate cap.
• Pattern of negligence: Where FinCEN identifies a continuing pattern, up to $50,000 per day.

AMLA 2020 also expanded FinCEN's subpoena authority over foreign bank records in correspondent banking investigations, which significantly increases exposure for international institutions with US operations.

Real enforcement shows where the numbers actually land:

• TD Bank (2024): FinCEN's civil money penalty was $1.3 billion, part of a $3.09 billion total resolution with DOJ and OCC. The bank admitted to willful BSA violations over a decade, including failure to monitor $18.3 trillion in transactions. The DOJ called it the largest BSA/AML corporate resolution in US history.
• Capital One (2021): A $290 million FinCEN civil money penalty for BSA program failures in a check-cashing subsidiary, plus a separate OCC action. Combined total exceeded $390 million.

Criminal liability applies to individuals. Under 31 U.S.C. § 5322, willful BSA violations carry up to five years imprisonment, rising to ten years where the violation connects to another federal crime. BSA officers and compliance directors have faced personal indictment in cases involving willful SAR suppression.

Enforcement authority is distributed: FinCEN issues civil money penalties, the OCC and Federal Reserve issue cease-and-desist orders and can require management replacement, and DOJ prosecutes criminal referrals.

Related regulations and frameworks

AMLA 2020 sits inside a layered compliance stack, and program design has to account for the full structure.

The BSA is still the foundation. AMLA 2020 amends and modernizes it without replacing it. Every SAR filing obligation, CTR requirement, recordkeeping rule, and program standard in the original BSA remains in force.

Beneficial ownership requirements run through two parallel frameworks. The FinCEN CDD Rule governs bank-side collection today. The Corporate Transparency Act, enacted in the same legislation as AMLA 2020, established the government-side registry. FinCEN is directed to integrate the two once the registry is fully operational.

Internationally, AMLA 2020's effectiveness-over-compliance model mirrors the standard in FATF Recommendation 1. FATF's 2016 US evaluation was a direct driver of the legislation; the nine priorities FinCEN published in June 2021 map closely to FATF's designated high-risk threat areas. FATF published updated risk-based approach guidance for the banking sector in 2021 that complements AMLA 2020's framework.

The EU's Anti-Money Laundering Regulation (AMLR) and Sixth Anti-Money Laundering Directive (6AMLD) pursue similar objectives through the EU's multilateral structure. Both draw from the same FATF standards. The supervisory models differ: US enforcement is federal agency-led; the EU is building a new supranational AML authority to sit above member state supervisors.

For broker-dealers, FINRA Rule 3310 sets sector-specific AML program requirements running parallel to AMLA 2020 obligations. For OCC-supervised banks, 12 CFR Part 21 formalizes BSA/AML program standards that align with the AMLA 2020 effectiveness mandate.

How FluxForce supports AMLA 2020 compliance

FluxForce maps directly to AMLA 2020's effectiveness mandate. Aiden Flux automates customer due diligence and beneficial ownership verification at onboarding, with checks against the CTA registry and global watchlists built in. Nova Sentinel monitors transactions in real time against FinCEN's nine national priority threat categories. Every alert includes a full audit trail and decision rationale. Examiners get the documentation they need on day one. The Regulatory Compliance Automation platform is built for BSA/AML exam readiness. Book a demo to see how it works in your environment.