BSA: What It Requires and Who It Applies To
The Bank Secrecy Act (BSA), enacted on October 26, 1970, is the primary U.S. anti-money laundering statute administered by the Financial Crimes Enforcement Network (FinCEN). It requires banks, credit unions, and money services businesses to establish AML programs, file Currency Transaction Reports for cash transactions above $10,000, and submit Suspicious Activity Reports for transactions that appear to involve criminal activity.
What is BSA?
The Bank Secrecy Act (BSA) is the foundational U.S. anti-money laundering statute, signed into law on October 26, 1970, and codified at 31 U.S.C. §§ 5311–5336. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, administers and enforces the BSA. Implementing regulations appear at 31 C.F.R. Chapter X.
Congress passed the BSA after recognizing that U.S. banks were being used as conduits for drug proceeds, tax evasion, and other financial crimes, particularly through anonymous foreign accounts. The law's original purpose was direct: create a paper trail. By requiring financial institutions to record and report large cash transactions and suspicious activity, the BSA gave law enforcement visibility into money flows that were otherwise invisible.
The BSA has been substantially amended over five decades. The USA PATRIOT Act of 2001 added customer identification requirements and mandatory information-sharing obligations with law enforcement. The Anti-Money Laundering Act of 2020 (AMLA 2020) was the most sweeping revision since the PATRIOT Act. It directed FinCEN to publish national AML/CFT priorities annually, modernized the SAR and CTR regimes, expanded FinCEN's data analytics authorities, and created a new whistleblower program that pays 10–30% of sanctions exceeding $1 million to qualifying informants.
Every other federal AML requirement builds on the BSA. OCC rules, FINRA Rule 3310, and the prudential regulator guidance for state-chartered banks all derive their authority from it. The BSA is the statutory spine of U.S. AML compliance.
Who does BSA apply to?
The BSA applies to "financial institutions" as broadly defined in 31 U.S.C. § 5312. The categories have expanded considerably since 1970 and now include:
Banks and depository institutions:
- National banks, state member banks, state non-member banks, and savings associations
- Federally and state-chartered credit unions
- U.S. branches and agencies of foreign banks
- Edge Act and agreement corporations
Money services businesses (MSBs):
- Currency dealers and exchangers handling more than $1,000 per person per day
- Check cashers handling more than $1,000 per person per day
- Issuers, sellers, and redeemers of money orders or traveler's checks
- Money transmitters (no minimum threshold), including mobile payment apps and digital wallet operators
- Prepaid access card issuers and sellers
Securities and commodities:
- SEC-registered broker-dealers
- CFTC-registered futures commission merchants and introducing brokers
- Mutual funds
Other covered sectors:
- Insurance companies for certain permanent life, annuity, and long-term care products
- Casinos and card clubs with gross annual gaming revenue above $1 million
- Non-bank residential mortgage lenders and originators (covered since 2012)
- Dealers in precious metals, stones, or jewels with annual sales above $50,000 (dealer rules have been suspended pending revision)
The BSA applies based on activity, not charter type. A fintech operating as a money transmitter is a covered MSB regardless of whether it holds a bank charter. A crypto exchange providing money transmission services has been covered since FinCEN's 2013 guidance on convertible virtual currency (FIN-2013-G001). The AMLA 2020 continues to extend BSA coverage to new financial activity types as digital finance expands.
What does BSA require?
The BSA's core obligations fall across five categories: AML program, recordkeeping, reporting, customer identification, and information sharing.
AML program: Every covered institution must maintain a written AML compliance program with four minimum elements: internal controls, an independent compliance testing function, a designated BSA/AML compliance officer, and ongoing employee training. Banks covered by the FinCEN CDD Final Rule (effective May 11, 2018) must also add a fifth element: collecting and verifying beneficial ownership information for legal entity customers. That means identifying all natural persons owning 25% or more of equity, plus one control person per entity.
Currency Transaction Reports: File a CTR with FinCEN within 15 calendar days for any cash transaction, or series of related transactions, exceeding $10,000 in a single business day. CTRs and all supporting records must be retained for 5 years.
Suspicious Activity Reports: File a SAR with FinCEN within 30 calendar days of identifying suspicious activity. If no suspect has been identified, the deadline extends to 60 days. The minimum threshold is $5,000 for banks and $2,000 for MSBs. SAR records and investigation documentation must be retained for 5 years. Disclosing a SAR's existence to the subject of that report is a federal crime under 31 U.S.C. § 5318(g)(2).
Customer Identification Program (CIP): Under Section 326 CIP regulations, covered institutions must verify the identity of every customer opening an account, collecting at minimum: name, address, date of birth, and an identification number. Records must be retained for 5 years after account closure.
Recordkeeping: Retain records of wire transfers of $3,000 or more (the "Travel Rule"), monetary instrument purchases with cash of $3,000 or more, and foreign correspondent account information. Retention period: 5 years.
Information sharing: Respond to FinCEN Section 314(a) law enforcement requests within 14 days of receipt. Institutions may also voluntarily share information with each other under Section 314(b) to identify potential money laundering or terrorism financing without the usual privacy constraints.
FBAR: U.S. persons with foreign financial accounts exceeding $10,000 in aggregate at any point during the calendar year must file FinCEN Form 114 by April 15, with an automatic extension to October 15. This applies to individuals, corporations, partnerships, and trusts.
What evidence do regulators expect?
During a BSA/AML examination by the OCC, FDIC, Federal Reserve, NCUA, or FinCEN directly, examiners follow the FFIEC BSA/AML Examination Manual, most recently updated in 2020. The manual is public. Here's what examiners actually want to see:
Written program and governance:
- Board-approved AML policy, updated within the last 12 months
- BSA officer designation letter with documented authority and organizational seniority
- Independent audit or testing results from the past 12 months, with written management responses to every finding
- Employee training completion records: dates, content covered, and attendee roster
Transaction monitoring:
- Documented transaction monitoring ruleset with threshold settings and the business justification for each rule
- Annual rule-tuning documentation showing that alert outcomes were reviewed and thresholds adjusted accordingly
- Alert review logs: reviewer name, review date, decision made, and escalation path for each alert
- SAR decision logs covering both filed SARs and documented decisions not to file. Examiners review both.
Customer records:
- CIP records with identity verification documentation for all accounts opened, retained 5 years post-closure
- CDD and enhanced due diligence records for higher-risk customers, including source-of-funds documentation
- Beneficial ownership certifications for legal entity customers, refreshed within the past 12 months where material changes occurred
- PEP screening results and documented enhanced monitoring for PEP-linked accounts
CTR and SAR files:
- CTR filings with supporting transaction records for the past 5 years
- SAR filings with supporting investigation documentation for the past 5 years
- FinCEN 314(a) search logs showing timely responses to every request within the 14-day window
Examiners will also pull a transaction sample and trace each one from initial alert through final disposition. Gaps in documentation or timing become examination findings.
Common failure modes
Most BSA citations don't come from dramatic breakdowns. They come from operational failures that look unremarkable until someone looks closely.
Structuring detection gaps: Deliberately breaking up cash transactions to avoid the $10,000 CTR threshold is a federal crime under 31 U.S.C. § 5324, regardless of whether the underlying funds are illegal. Capital One paid $390 million in January 2021 after FinCEN found it had failed to file thousands of SARs and CTRs on a check-cashing operation that displayed textbook structuring patterns over several years. (FinCEN Assessment, January 2021)
Late SAR filings: The 30-day clock starts when the institution has enough information to determine that filing is warranted, not when a formal internal investigation is opened. Institutions that treat these as the same event routinely miss deadlines.
CDD gaps at onboarding: Collecting beneficial ownership certifications from customers without actually verifying the information. U.S. Bank paid $613 million in 2018, partly because its CDD program was inadequate for the risk profile of its MSB customer base. (DOJ, February 2018)
Stale risk assessments: A risk assessment written in 2019, never updated for new products or the growth of digital channels, won't reflect the institution's actual risk profile in a 2025 exam. Examiners check when it was last revised and whether it covers current business lines.
Unmanageable alert backlogs: HSBC's 2012 consent order documented 17,000 alerts pending review. That figure became a standard reference point for what a dysfunctional transaction monitoring program looks like in practice. (DOJ, December 2012)
Training not documented: The compliance team ran training sessions, but there are no records of attendance, content covered, or completion dates. Examiners treat undocumented training as training that didn't occur. The fix is administrative and costs nothing; the citation it prevents can cost significantly more.
Penalties for non-compliance
FinCEN can impose civil money penalties under 31 U.S.C. § 5321. For negligent violations, the ceiling is $25,000 per day. For willful violations, it's the greater of $100,000 per day or the amount of the transaction involved, with no statutory cap. Criminal penalties under 31 U.S.C. § 5322 run to 5 years imprisonment for standard violations and 10 years for pattern violations or those involving international terrorism financing.
In practice, the largest penalties come from coordinated FinCEN-DOJ-OCC actions:
TD Bank, 2024: $3 billion in combined penalties from FinCEN, DOJ, OCC, and the Federal Reserve after prosecutors established that systemic AML failures allowed drug trafficking organizations to launder at least $670 million through U.S. accounts. TD Bank pleaded guilty to BSA conspiracy, the first large U.S. bank to do so. (DOJ, October 2024)
Capital One, 2021: $390 million for failing to file thousands of SARs and CTRs on a check-cashing business whose structuring activity was apparent in the transaction data. (FinCEN Assessment, January 2021)
U.S. Bank, 2018: $613 million for willfully failing to maintain an adequate AML program across a five-year period. (DOJ, February 2018)
HSBC, 2012: $1.9 billion deferred prosecution agreement for allowing approximately $881 million in drug-trafficking proceeds to flow through U.S. accounts and for processing transactions on behalf of sanctioned entities. (DOJ, December 2012)
Non-monetary consequences include consent orders, formal agreements requiring specific program remediation, business restrictions, and individual liability for compliance officers and senior executives under 31 U.S.C. § 5321(a)(6).
Related regulations and frameworks
The BSA is the U.S. implementation of the FATF Recommendations, the international AML/CFT standards maintained by the Financial Action Task Force. FATF Recommendation 20 is the direct international analogue to the SAR obligation, requiring financial institutions to file suspicious transaction reports on suspected criminal proceeds. FATF Recommendation 24 maps to the beneficial ownership requirements introduced by the FinCEN CDD Final Rule and reinforced by the Corporate Transparency Act.
Within the U.S. federal framework, BSA obligations are implemented by each prudential regulator through separate rules:
- OCC governs national bank BSA compliance through 12 CFR Part 21
- FINRA governs broker-dealer AML programs through Rule 3310
- The Federal Reserve, FDIC, and NCUA maintain parallel BSA compliance rules for their supervised institutions
The AMLA 2020 updated the BSA most recently, directing FinCEN to establish and publish AML/CFT priorities, which it did in June 2021. Those priorities list corruption, cybercrime, terrorist financing, fraud, human trafficking, drug trafficking, and proliferation financing as the principal U.S. threat areas.
For institutions operating across jurisdictions, BSA obligations run alongside the EU's Anti-Money Laundering Regulation (AMLR 2024) and the Sixth Anti-Money Laundering Directive (6AMLD). In the UK, the equivalent framework is the Money Laundering Regulations 2017. These share the same FATF architecture but differ in scope, penalty structures, and technical requirements for transaction monitoring and customer verification.
OFAC sanctions screening runs alongside BSA compliance but is a distinct legal obligation governed by a separate Treasury bureau, with its own strict-liability penalty framework.
How FluxForce supports BSA compliance
FluxForce's AI agents cover the most time-intensive BSA workflows. Nova Sentinel monitors transactions in real time, drafts SARs with evidence attached, and tracks CTR obligations across complex multi-account customers. Aiden Flux handles CDD and KYC at onboarding and annual refresh, including beneficial ownership verification. Every decision produces a complete audit trail, so examiners see exactly what triggered an alert and why it was resolved the way it was. To see how FluxForce maps to your BSA program, request a demo.