BSA: What It Requires and Who It Applies To
The Bank Secrecy Act (BSA), enacted in 1970 and administered by the Financial Crimes Enforcement Network (FinCEN), requires US banks, credit unions, and money services businesses to build anti-money laundering programs, file Currency Transaction Reports on cash transactions above $10,000, and report suspicious activity to federal authorities. The USA PATRIOT Act (2001) and Anti-Money Laundering Act of 2020 have added substantial obligations since.
What is BSA?
The Bank Secrecy Act (31 U.S.C. §§ 5311–5336), also known as the Currency and Foreign Transactions Reporting Act, is the primary US federal law requiring financial institutions to assist government agencies in detecting and preventing money laundering and other financial crimes. Congress passed it in 1970 in response to growing use of offshore accounts and cash transactions to hide criminal proceeds.
FinCEN, a bureau of the US Treasury Department established in 1990, now administers the BSA. Before FinCEN existed, the IRS handled enforcement. Today, FinCEN issues binding regulations under 31 CFR Chapter X, collects financial intelligence filings, and coordinates with the FBI, DEA, and IRS Criminal Investigation. The OCC, Federal Reserve, FDIC, and NCUA also enforce BSA compliance at the institutions they supervise, through their own examination cycles.
The law started narrowly in 1970, focused on cash transactions and foreign financial accounts. Over the following decades, Congress added substantially to it. The USA PATRIOT Act (2001) introduced customer identification requirements and information-sharing mechanisms between financial institutions and law enforcement. The Anti-Money Laundering Act of 2020 brought the most sweeping reforms in two decades. It directed FinCEN to overhaul its examination priorities and modernize AML effectiveness standards. It also introduced a corporate beneficial ownership reporting regime through the Corporate Transparency Act and authorized US institutions to share BSA information with foreign affiliates in certain circumstances.
The law's basic architecture is unchanged from 1970: collect financial intelligence from private institutions, aggregate it at FinCEN, and make it available to law enforcement. Whether that architecture produces results proportionate to its compliance burden is debated actively. The legal obligation is not.
Who does BSA apply to?
The BSA defines "financial institution" broadly. Any entity that fits the definition must comply, regardless of asset size or transaction volume.
Covered entity types include:
- Depository institutions: federally and state-chartered banks, savings banks, savings associations, and their US branches. This covers institutions supervised by the OCC, Federal Reserve, FDIC, and NCUA.
- Credit unions: federally insured credit unions under NCUA supervision and most state-chartered credit unions.
- Money services businesses (MSBs): currency dealers and exchangers, check cashers, money transmitters, issuers and sellers of money orders and traveler's checks, prepaid access providers, and dealers in foreign exchange. Any business providing MSB services above $1,000 to a single person in a single day must register with FinCEN under the MSB Registration requirement.
- Broker-dealers: registered with the SEC; subject to both BSA and FINRA Rule 3310.
- Casinos and card clubs: any casino with annual gaming revenues above $1 million, including tribal gaming operations.
- Mutual funds: registered investment companies under the Investment Company Act of 1940.
- Insurance companies: those that issue or underwrite covered products, primarily permanent life insurance, annuities, and long-term care products.
- Futures commission merchants and introducing brokers: under CFTC jurisdiction.
There's no asset-size exemption for banks or credit unions. A $50 million community bank carries the same core BSA obligations as JPMorgan Chase. The practical difference is operational complexity and resources, not legal requirement. Foreign branches of US banks operating abroad are generally outside US BSA jurisdiction; US branches and subsidiaries of foreign banks are fully in scope.
What does BSA require?
The BSA and its implementing regulations at 31 CFR Chapter X impose six core obligations on covered institutions:
AML Program: Maintain a written anti-money laundering program with four minimum pillars: internal controls, independent testing, a designated BSA compliance officer, and ongoing staff training. The FinCEN CDD Rule added a fifth pillar in 2018: customer due diligence and beneficial ownership verification for legal entity customers, requiring collection and verification of information on any individual owning 25% or more of the entity and one individual who controls it.
Currency Transaction Reports: File a CTR within 15 calendar days for any cash transaction, or series of related cash transactions on the same business day, that exceeds $10,000. The $10,000 threshold has not moved since 1970. CTRs go directly to FinCEN's database and are accessible to law enforcement.
Suspicious Activity Reports: File a SAR within 30 calendar days (60 days if no suspect is initially identified) for transactions of $5,000 or more where the institution knows, suspects, or has reason to suspect the funds derive from illegal activity, the transaction is structured to evade BSA requirements, or there is no lawful purpose. Informing the subject of a SAR filing is prohibited.
Customer Identification Program (CIP): Verify customer identity at account opening. Minimum data collected: name, date of birth, address, and identification number. Know Your Customer procedures must include both documentary and, where necessary, non-documentary verification methods.
Recordkeeping: Retain all CTRs, SARs, CIP documentation, funds transfer records for transfers of $3,000 or more, and monetary instrument purchase records for purchases between $3,000 and $10,000 for a minimum of five years from the date the record was made.
Information sharing: Respond to Section 314(a) requests from FinCEN within two weeks, and optionally participate in Section 314(b) voluntary sharing with other financial institutions to identify money laundering and terrorist financing patterns.
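The CTR rule above is an aggregation rule, not a per-transaction check, and monitoring logic has to implement it that way. The following is an added example, not code from the original page or from any vendor it mentions: it totals cash per customer per business day, applies the strict "exceeds $10,000" test, and computes the 15-calendar-day filing date. The ledger rows, the field names, the `aggregated_only` review flag, and the choice to treat all same-customer, same-day cash as "related" are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")   # CTR applies when cash exceeds $10,000
CTR_FILING_DAYS = 15               # calendar days to file, per the text above

# Constructed sample ledger: (customer_id, business_day, cash_amount)
SAMPLE_CASH_TXNS = [
    ("C-001", date(2024, 3, 4), Decimal("12500.00")),  # single txn over threshold
    ("C-002", date(2024, 3, 4), Decimal("4000.00")),   # three deposits, each under
    ("C-002", date(2024, 3, 4), Decimal("3500.00")),   # the threshold, same day
    ("C-002", date(2024, 3, 4), Decimal("3000.00")),
    ("C-003", date(2024, 3, 4), Decimal("10000.00")),  # exactly $10,000: not over
    ("C-004", date(2024, 3, 4), Decimal("6000.00")),   # spread over two days
    ("C-004", date(2024, 3, 5), Decimal("6000.00")),
]


def ctr_candidates(txns):
    """Aggregate cash per customer per business day and list CTR obligations."""
    groups = defaultdict(list)
    for customer, day, amount in txns:
        groups[(customer, day)].append(amount)

    results = []
    for (customer, day), amounts in sorted(groups.items()):
        total = sum(amounts, Decimal("0"))
        if total <= CTR_THRESHOLD:      # "exceeds" is a strict comparison
            continue
        results.append({
            "customer": customer,
            "business_day": day,
            "total": total,
            "file_by": day + timedelta(days=CTR_FILING_DAYS),
            # Hypothetical review flag: the threshold was crossed only by
            # aggregation; no single transaction was itself over $10,000.
            "aggregated_only": max(amounts) <= CTR_THRESHOLD,
        })
    return results


if __name__ == "__main__":
    for row in ctr_candidates(SAMPLE_CASH_TXNS):
        print(row)
```

Same-day aggregation alone does not surface C-004 in the sample data; multi-day patterns need separate transaction monitoring and, where warranted, a SAR.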
What evidence do regulators expect?
When BSA examiners arrive from the OCC, Federal Reserve, FDIC, NCUA, or FinCEN, they come with a standard information request. Here's what they expect to find:
- Written BSA/AML Policy and Program: dated, board-approved, current. A policy last revised in 2020 that doesn't address the institution's current product suite is an immediate finding.
- Risk Assessment: institution-wide and product-level documentation showing how the institution identifies its specific money laundering risks and calibrates monitoring thresholds accordingly. Examiners test whether rules actually reflect the stated risk profile.
- BSA Compliance Officer Designation: formal appointment documentation, a job description with explicit BSA authority, and evidence the officer has direct access to the board or audit committee.
- Training Records: attendance logs, training materials, and completion records. Front-line staff, back-office operations, and compliance teams need different curricula. Examiners check whether training covers the institution's actual product and customer risk, not just generic AML concepts.
- Independent Testing Reports: the most recent BSA audit, management responses, and evidence of remediation. Unresolved findings from a prior exam cycle are cited as repeat violations.
- CTR and SAR Filing Logs: complete filing history with review dates, approver names, reasons for any late filings, and evidence the institution monitors its own filing patterns.
- Transaction Monitoring Documentation: the rules or models in production, alert threshold rationale, tuning history, alert disposition records, and false-positive rates. Examiners now routinely ask for evidence that rules are periodically tested and adjusted.
- CIP and CDD Records: identity verification records, beneficial ownership certifications, and the rationale for any enhanced or simplified due diligence decisions.
One pattern examiners flag repeatedly: good policies, no evidence they're actually followed. Procedures in a binder no one reads are not controls.
Common failure modes
Most BSA enforcement actions trace to a short list of recurring failures. Here's what actually gets institutions cited:
Inadequate transaction monitoring: alert rules too broad (analysts drowning in low-quality alerts) or too narrow (missing real typologies). Capital One's 2021 FinCEN consent order cited failure to file timely SARs on a check-cashing business customer despite 50,000 flagged alerts that had remained unresolved. FinCEN assessed a $390 million civil money penalty. (FinCEN enforcement action, January 2021)
SAR filing failures: filing late, filing on small-dollar transactions while missing larger structured patterns, or not filing at all on known high-risk customers.
Inadequate CDD for high-risk customers: opening or maintaining accounts for money services businesses, cannabis-related businesses, or politically exposed persons without enhanced due diligence documentation or periodic reviews.
Structuring detection failures: missing customers who deliberately split transactions below $10,000 to avoid CTR reporting, a federal crime under 31 U.S.C. § 5324. TD Bank's 2024 guilty plea included findings that employees actively assisted customers in structuring cash deposits. FinCEN and DOJ assessed a combined $3 billion penalty, the largest BSA enforcement action in US history. (DOJ Press Release, October 2024)
Stale risk assessments: a risk assessment written before the institution launched a new product line, entered a new geographic market, or added a high-risk customer segment.
BSA officer without real authority: designating a compliance officer who lacks budget, staff, or board access to escalate findings without going through business line management first.
Penalties for non-compliance
Civil and criminal penalties for BSA violations are set at 31 U.S.C. §§ 5321–5322. The ranges are wide, and the ceiling is high.
Civil penalties:
- Negligent violations: up to $500 per day, capped at $10,000 per calendar year
- Willful violations: the greater of $100,000 or twice the transaction amount, per violation
- Willful failure to maintain a required AML program: up to $1 million per day
Criminal penalties (willful violations):
- Standard: up to five years imprisonment and $250,000 per violation
- Pattern of violations: up to ten years imprisonment and $500,000
In practice, major actions exceed these statutory figures because multiple violations are counted separately and forfeiture orders add to civil penalties. HSBC paid $1.9 billion in 2012 under a deferred prosecution agreement for AML failures that allowed Mexican drug cartel proceeds and transactions with OFAC-sanctioned entities to flow through its US operations for several years. (DOJ, December 2012) Wachovia Bank settled for $160 million in 2010 after failing to apply adequate BSA controls to $378 billion in wire transfers and bulk cash from Mexican currency exchange houses between 2004 and 2007.
TD Bank's 2024 combined $3 billion settlement with FinCEN and DOJ is the largest in BSA history. Beyond fines, FinCEN and prudential regulators can impose cease-and-desist orders, written agreements, and board resolutions requiring specific remediation timelines enforced by ongoing supervisory monitoring.
Related regulations and frameworks
BSA sits at the center of a network of complementary requirements at both the US and international levels.
Domestic:
- PATRIOT Act Sections 311–326: integrated directly into the BSA framework. Section 311 lets FinCEN designate foreign jurisdictions as "primary money laundering concerns" and impose special measures on US institutions with correspondent relationships there. Section 314(a) creates the mechanism for law enforcement to search institution records via FinCEN with a two-week response window.
- AMLA 2020: the most substantial statutory update since the PATRIOT Act. It directed FinCEN to establish formal AML effectiveness priorities, expanded whistleblower protections and rewards for BSA violations, and authorized the Corporate Transparency Act beneficial ownership registry.
- Corporate Transparency Act / CTA BOI: requires most US legal entities to file beneficial ownership information directly with FinCEN. Banks use the FinCEN database to cross-verify customer-provided beneficial ownership data during CDD. Note that CTA reporting requirements are subject to ongoing litigation as of mid-2025.
- 12 CFR Part 21 (OCC): the OCC's implementing regulation for BSA at national banks, setting out examination standards and reporting obligations specific to OCC-supervised institutions.
International:
- FATF Recommendation 20 (suspicious transaction reporting) and FATF Recommendation 10 (customer due diligence) map directly to the BSA's SAR and CDD obligations. The US is a FATF founding member; the BSA predates FATF but is considered broadly compliant with FATF standards.
- The EU AMLR (2024) and 6AMLD are the European counterparts. Multinational institutions operating in both jurisdictions manage both regimes simultaneously; thresholds, typologies, and supervisory structures differ in material ways.
- The UK Money Laundering Regulations 2017 implement FATF standards in the UK with requirements broadly parallel to BSA but under FCA/HMRC supervision rather than FinCEN.
How FluxForce supports BSA compliance
FluxForce's AI agents automate the detection and investigation workflows BSA requires at scale. Aiden Flux handles real-time transaction monitoring and generates full decision audit trails for every alert. Nova Sentinel runs continuous Know Your Customer and beneficial ownership screening at onboarding and on a periodic refresh basis. Both agents produce the documented evidence regulators expect. SAR preparation time drops, and false-positive alert volumes fall. FluxForce operates with configurable autonomy and a kill switch, so compliance officers stay in control of every filing decision.