12 CFR Part 21: What It Requires and Who It Applies To
12 CFR Part 21 is an OCC regulation, issued under the Bank Protection Act of 1968 and the Bank Secrecy Act, that requires every national bank to maintain a written security program, file Suspicious Activity Reports (SARs) with FinCEN on activity that meets the SAR thresholds, and maintain a BSA compliance program that ensures the bank meets Treasury's reporting rules, including Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000. Its security provisions have applied to national banks since 1969.
What is 12 CFR Part 21?
12 CFR Part 21 is a federal regulation issued by the Office of the Comptroller of the Currency (OCC) that sets minimum security standards and AML reporting obligations for national banks in the United States. Its authority derives from the Bank Protection Act of 1968 (12 U.S.C. 1882), which directed federal banking regulators to prescribe rules requiring insured depository institutions to install and maintain security systems. The regulation has been in continuous effect since 1969, with significant amendments following the Money Laundering Control Act of 1986 and the USA PATRIOT Act of 2001.
The regulation has three operative subparts. Subpart A (security devices and procedures): the board of every national bank must designate a security officer, and the bank must maintain a written security program, install minimum security devices at every banking office, and have the security officer report at least annually to the board on the program's implementation and effectiveness. Subpart B (reports of suspicious activities): banks must file SARs with FinCEN on activity meeting the thresholds in 12 CFR 21.11, broadly $5,000 or more where a suspect can be identified, $25,000 or more regardless of suspect, and any amount involving insider abuse. Subpart C (BSA compliance program): banks must maintain a program, with internal controls, independent testing, a designated BSA officer and training, reasonably designed to ensure compliance with the Bank Secrecy Act and Treasury's implementing rules in 31 CFR Chapter X. The CTR obligation, filing for cash transactions exceeding $10,000 in a single business day, comes from those Treasury rules (31 CFR 1010.311) and is examined against national banks through Subpart C.
The physical security requirements draw from the Bank Protection Act. The SAR rule and the compliance program requirement implement the Bank Secrecy Act for national banks specifically. State member banks have a parallel rule under Federal Reserve Regulation H (12 CFR Part 208); state non-member banks follow FDIC rules (12 CFR Parts 326 and 353). The OCC coordinates with FinCEN on BSA/AML program standards but retains independent examination authority over Part 21 compliance.
Examiners treat all three subparts as a single compliance program. A bank with perfect SAR filing but no documented security officer designation will still receive findings.
Who does 12 CFR Part 21 apply to?
12 CFR Part 21 applies to all national banks chartered and supervised by the OCC, as well as federal savings associations (FSAs) that came under OCC supervision after the Dodd-Frank Act abolished the Office of Thrift Supervision in 2011.
Covered entities include:
- Large national banks: JPMorgan Chase Bank, N.A.; Bank of America, N.A.; Wells Fargo Bank, N.A.; Citibank, N.A.; U.S. Bank National Association.
- Midsize regional national banks operating across multiple states under national charters.
- Community national banks with a single-state or metropolitan footprint. A $50 million community bank has identical obligations to a $2 trillion money-center bank.
- Federal savings associations chartered under the Home Owners' Loan Act, now supervised by the OCC.
- Federal branches and agencies of foreign banking organizations (FBOs), which operate under an OCC federal branch license rather than a state license.
The regulation does not cover state-chartered banks (supervised by the Federal Reserve, the FDIC and state regulators), credit unions (supervised by the NCUA), or broker-dealers (regulated by the SEC and FINRA). Those entities operate under parallel rules: state member banks follow 12 CFR Part 208; FDIC-supervised state non-member banks follow 12 CFR Parts 326 and 353; credit unions follow NCUA Part 748; broker-dealers file SARs under FinCEN's 31 CFR 1023.320.
There are no asset-size exemptions and no phase-in provisions. Every covered institution must designate a security officer, maintain a written security program, and file SARs and CTRs as required. The OCC applies risk-based examination intensity, so larger institutions tend to face more frequent scrutiny, but the legal obligations don't scale with asset size.
National banks with foreign branches must comply with Part 21 for US operations. Host-country AML requirements apply separately to any overseas branches.
What does 12 CFR Part 21 require?
The regulation's three subparts produce distinct, mandatory obligations: a physical security program, SAR filing, and a BSA compliance program that carries the CTR and other Treasury reporting obligations.
Subpart A: Security Program
Designate a security officer. The board of directors must designate an individual responsible for developing, administering and monitoring the security program. This is a board-level obligation, not a management discretionary one.
Write and maintain a security program. The program must be in writing and address, at a minimum: procedures for opening and closing for business and for safekeeping currency, negotiable securities and similar valuables; procedures that help identify persons committing crimes against the bank and preserve evidence for their prosecution (such as retaining a record of any robbery, burglary or larceny, camera recordings, and identification devices like prerecorded serial-numbered bills); initial and periodic training of officers and employees in their responsibilities under the program and in proper conduct during and after a robbery, burglary or larceny; and the selection, testing, operation and maintenance of security devices.
Install minimum security devices. The regulation itself (12 CFR 21.3) lists the minimum: a means of protecting cash and other liquid assets such as a vault or safe; lighting for the area around the vault during hours of darkness if the vault is visible from outside; tamper-resistant locks on exterior doors and windows that can be opened; an alarm system or other device for promptly notifying the nearest law enforcement officers of an attempted or completed robbery or burglary; and any other devices the security officer determines appropriate, taking into account the bank's crime history, the amount of currency on hand, the distance from police, and cost. Cameras and time locks are common choices under that last item, not a separate categorical mandate.
Test and maintain security devices. The program must provide for testing, operation and maintenance of the devices; keep written records of each test, including failures and corrective actions. Separately, the security officer must report at least annually to the board on the implementation, administration and effectiveness of the program (12 CFR 21.4).
Train officers and employees, initially and periodically, on their security duties and on robbery response. The rule does not fix an annual cycle, but attendance must be documented and new hires should be trained before they work in covered roles.
Subpart B: Suspicious Activity Reports
File a SAR within 30 calendar days of the initial detection of facts that may constitute a basis for filing. The thresholds in 12 CFR 21.11 are: any amount where the bank knows, suspects or has reason to suspect insider abuse by a director, officer, employee, agent or other affiliated party; $5,000 or more where a suspect can be identified; $25,000 or more regardless of whether a suspect is identified; and $5,000 or more where the transaction involves potential money laundering or BSA evasion, has no business or apparent lawful purpose, or is not the sort the customer would normally be expected to engage in. If no suspect has been identified at the time of initial detection, the window extends to 60 days. "Initial detection" is the point at which the bank, after an appropriately prompt review of an alert or referral, determines the activity is suspicious; it is neither the moment the monitoring system fires nor the date the case is closed. Situations requiring immediate attention, such as ongoing money laundering, must also be reported to law enforcement by telephone. See the SAR filing requirements for FinCEN's BSA E-Filing System submission process.
Retain SAR records for 5 years from filing date, including all supporting investigation documentation.
Maintain SAR confidentiality. Banks are prohibited from disclosing to the subject of a SAR that a report has been filed.
Subpart C: BSA compliance program and Currency Transaction Reports
Maintain a BSA compliance program (12 CFR 21.21) with the four required pillars: a system of internal controls, independent testing, a designated individual responsible for day-to-day compliance, and training for appropriate personnel. Through that program, file a CTR for every cash transaction exceeding $10,000 by or on behalf of the same person in a single business day (31 CFR 1010.311), aggregating transactions across multiple tellers and branches; cash in and cash out are totalled separately, and a daily total of exactly $10,000 does not trigger a CTR. See Currency Transaction Report requirements for the full aggregation rules.
Retain CTR records for 5 years.
What evidence do regulators expect?
OCC examiners conducting a 12 CFR Part 21 review expect specific documentary evidence across all three subparts. Here's what should be immediately accessible before an examination:
Security Program (Subpart A)
- Board resolution designating the current security officer, with meeting date and vote record
- Current written security program, signed by the security officer, together with the security officer's most recent annual report to the board on the program's effectiveness and the board minutes recording it
- Device inventory: a complete listing of every security device at every banking premise, including installation dates, last test date, and documented test results
- Training records: signed attendance logs and training materials for every employee covering the past three years
- Incident log: all robberies, burglaries, and criminal attempts, with documentation of law enforcement notification timelines
Suspicious Activity Reports (Subpart B)
- Alert-to-case conversion records showing every transaction monitoring alert that was opened, investigated, and resolved
- Documented SAR decision rationale for every reviewed case, whether a SAR was filed or not. Examiners scrutinize no-SAR decisions as closely as filings.
- SAR filing timestamps demonstrating the 30-day (or 60-day) deadline was met, measured from the date of initial detection
- Board notification records for SARs filed (12 CFR 21.11 requires prompt board notification), plus periodic senior management reporting on volumes, trends and program effectiveness; quarterly reporting is common practice rather than a regulatory minimum
- Case management system logs with investigator activity and supervisory sign-off
BSA compliance program and Currency Transaction Reports (Subpart C)
- CTR filing records with FinCEN confirmation numbers
- Documented exemption procedures for cash-intensive businesses, with current annual reviews of each exemption on file
- Aggregation system records demonstrating same-person, same-day cash transactions are captured across all branches and tellers
A well-prepared institution can produce all of this promptly, typically within a couple of days. Examiners treat slow document production as a process control gap, not just an administrative inconvenience.
Common failure modes
Most 12 CFR Part 21 examination findings cluster around the same recurring breakdowns. They're not exotic; they're operational.
Security programs that aren't current. A written program that has not been reviewed in well over a year, or for which no annual security officer report to the board exists, draws a finding. The rule puts the security officer designation and the annual effectiveness report at board level; management sign-off alone does not satisfy it.
Missing device test records. Cameras and alarms get installed, then forgotten. When examiners ask for the test and maintenance records the written program promises and find none for the past two years, it's a direct Subpart A violation.
SAR deadline misreads. The 30-day clock starts at initial detection, which FinCEN and the FFIEC examination manual read as the point where the bank, after a prompt review of the alert, determines the activity is suspicious. Banks that measure from case closure routinely file late, and banks that let alerts sit unreviewed for months cannot claim the clock never started: examiners look at alert-to-determination time as well as determination-to-filing time.
Undocumented no-SAR decisions. Filing a SAR is only half the obligation. If a suspicious alert is closed without a filing, the rationale must be documented. Closed alerts with no decision notes are treated as a control failure.
CTR aggregation blind spots. Multi-branch institutions without centralized aggregation regularly miss same-day cash transactions from the same customer across different locations. It's one of the most common community bank findings.
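The aggregation blind spot above is a data problem before it is a compliance problem: each branch sees only its own tellers. The following is an added example, not code from the page or from any vendor product, showing the minimum logic a central aggregation job needs. It keys on the bank's assigned business day rather than the calendar date, counts a transaction toward both the person conducting it and the person it is conducted on behalf of, and totals cash in and cash out separately, which is how 31 CFR 1010.313 treats multiple transactions. The transaction records and customer identifiers are constructed for the example.

```python
"""Same-person, same-business-day cash aggregation for CTR candidate detection.

Added illustration with constructed sample data; not code from the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# A CTR is required when a person's daily cash-in OR cash-out total EXCEEDS
# this amount. Exactly $10,000 is not "more than $10,000".
CTR_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    business_day: date      # the bank's assigned business day, not wall-clock date
    branch: str
    teller: str
    conductor_id: str       # person physically at the window
    beneficiary_id: str     # person the cash is for ("by or on behalf of")
    direction: str          # "in" (deposit) or "out" (withdrawal)
    amount: Decimal


def aggregate_cash(txns):
    """Total cash per (person, business_day, direction) across all branches.

    Returns {(person, business_day, direction): (total, [txn_ids])}.
    Cash in and cash out are never netted or summed against each other.
    """
    totals = defaultdict(lambda: [Decimal("0"), []])
    for t in txns:
        if t.direction not in ("in", "out"):
            raise ValueError(f"{t.txn_id}: unknown direction {t.direction!r}")
        # A transaction counts toward every person it is by OR on behalf of;
        # a set avoids double-counting when conductor == beneficiary.
        for person in {t.conductor_id, t.beneficiary_id}:
            bucket = totals[(person, t.business_day, t.direction)]
            bucket[0] += t.amount
            bucket[1].append(t.txn_id)
    return {k: (v[0], sorted(v[1])) for k, v in totals.items()}


def ctr_candidates(txns):
    """Keys whose daily cash-in or cash-out total exceeds CTR_THRESHOLD."""
    return {k: v for k, v in aggregate_cash(txns).items() if v[0] > CTR_THRESHOLD}


# Constructed sample: one business day, two branches, several tellers.
DAY = date(2024, 3, 15)
SAMPLE = [
    # alice: $6,000 at branch A plus $4,500 at branch B. Neither branch alone
    # crosses $10,000; only the combined view does.
    CashTxn("t1", DAY, "A", "A-01", "alice", "alice", "in", Decimal("6000")),
    CashTxn("t2", DAY, "B", "B-07", "alice", "alice", "in", Decimal("4500")),
    # bob: $6,000 in and $6,000 out. Directions are aggregated separately,
    # so no CTR even though $12,000 of cash crossed the counter.
    CashTxn("t3", DAY, "A", "A-02", "bob", "bob", "in", Decimal("6000")),
    CashTxn("t4", DAY, "A", "A-03", "bob", "bob", "out", Decimal("6000")),
    # carol: exactly $10,000. Not "more than", so no CTR.
    CashTxn("t5", DAY, "B", "B-01", "carol", "carol", "in", Decimal("10000")),
    # dave deposits $8,000 on behalf of erin; erin deposits $3,000 herself
    # at another branch. erin's total is $11,000; dave's is $8,000.
    CashTxn("t6", DAY, "A", "A-01", "dave", "erin", "in", Decimal("8000")),
    CashTxn("t7", DAY, "B", "B-07", "erin", "erin", "in", Decimal("3000")),
]


if __name__ == "__main__":
    for (person, day, direction), (total, ids) in sorted(ctr_candidates(SAMPLE).items()):
        print(f"CTR candidate: {person} cash {direction} {total} on {day} from {ids}")
```

Run against the sample, the job reports alice (cash in $10,500, visible only across branches) and erin (cash in $11,000, part of it conducted by dave), and correctly stays silent on bob, carol and dave. In production the business-day assignment, the conductor/beneficiary linkage from the teller system, and customer identity resolution across branches are where the real errors live; the aggregation itself is the easy part.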
New-hire training gaps. Banks complete annual training for existing staff but don't enroll employees hired mid-year until the next cycle. A roster gap of even a few employees produces an examiner finding.
In January 2021, FinCEN assessed a $390 million civil money penalty against Capital One, N.A. for willful BSA violations: over roughly 2008 to 2014 the bank failed to file thousands of SARs and failed to file CTRs on reportable cash transactions by check-cashing customers in its Check Cashing Group, despite warnings from the OCC and its own knowledge of the risk. The OCC's separate $80 million penalty against Capital One in August 2020 concerned risk management failures behind the bank's 2019 data breach, not BSA/AML.
Penalties for non-compliance
The OCC's penalty authority for 12 CFR Part 21 violations runs from informal Matters Requiring Attention through formal agreements to civil money penalties and, in extreme cases, charter termination.
Civil money penalty tiers under 12 U.S.C. 1818(i), statutory base amounts (the figures actually assessed are adjusted for inflation each year and are now several times higher):
- Tier 1: Up to $5,000 per day per violation, for a violation without the aggravating factors below
- Tier 2: Up to $25,000 per day, for violations that are part of a pattern of misconduct, cause more than a minimal loss, or are committed with reckless disregard
- Tier 3: Up to $1 million per day (or, for a bank, the lesser of $1 million per day and 1 percent of total assets), for knowing violations that cause substantial loss to the bank or substantial gain to the violator
Documented enforcement actions:
U.S. Bank National Association (February 2018): $613 million in combined penalties and forfeitures from the OCC, FinCEN, the Federal Reserve, and DOJ (under a deferred prosecution agreement) for multi-year BSA/AML program failures, including capping the number of transaction-monitoring alerts investigators would review regardless of risk, and continuing to bank a customer later convicted of fraud despite repeated red flags.
Capital One, N.A. (January 2021): $390 million FinCEN civil money penalty for willfully failing to file thousands of SARs and to file CTRs on cash transactions by check-cashing customers, after the OCC had already required the bank to remediate the program.
Rabobank, N.A. (February 2018): the bank pleaded guilty to conspiring to obstruct an OCC examination by concealing deficiencies in its AML program and agreed to forfeit about $369 million; the OCC separately assessed a $50 million civil money penalty. The bank was later sold, but the OCC did not revoke its charter.
Parallel FinCEN, DOJ, and OFAC referrals are standard in serious AML cases. A single Part 21 program failure can generate multiple simultaneous enforcement actions across agencies. Formal agreements short of monetary penalties also carry real costs: they typically require quarterly board reporting, external audits, and OCC pre-approval for certain business activities, running two to four years.
Related regulations and frameworks
12 CFR Part 21 is the OCC's implementing rule within a broader AML statutory and international structure. Managing it in isolation produces compliance gaps.
Bank Secrecy Act: Part 21's SAR and CTR obligations directly implement the BSA for national banks. The BSA is the parent statute; Part 21 is the OCC's bank-specific rule. Violations of Part 21 SAR requirements are simultaneously BSA violations, which is why enforcement actions consistently cite both in the same order.
Anti-Money Laundering Act of 2020: The AMLA 2020 amended the BSA and directed FinCEN to establish formal national AML/CFT priorities. FinCEN published those priorities in June 2021: corruption, cybercrime, terrorist financing, fraud, transnational criminal organization activity, drug trafficking (including fentanyl), human trafficking and smuggling, and proliferation financing. The list is not ranked. SAR narrative quality and alert threshold calibration should reflect these priorities.
FinCEN CDD Rule: The Customer Due Diligence Rule (effective May 2018) requires national banks to collect beneficial ownership information on legal entity customers at account opening. A bank filing accurate SARs without knowing who controls its business accounts has a material program gap that examiners will flag.
FATF Recommendation 20: The Financial Action Task Force's Recommendation 20 on suspicious transaction reporting sets the international standard that Part 21's SAR requirement implements domestically. OCC examiners work from the FFIEC BSA/AML Examination Manual rather than FATF's methodology directly, but the manual's emphasis is the same: whether the program identifies and reports suspicious activity in substance, not just the filing count.
State bank equivalents: State-chartered banks supervised by the Federal Reserve follow 12 CFR Part 208 (Regulation H). FDIC-supervised state non-member banks follow 12 CFR Part 326 for security programs and 12 CFR Part 353 for SARs. The substantive SAR and CTR obligations are materially the same across all three, but the examination authority differs.
EU and UK equivalents: The EU's Anti-Money Laundering Regulation and the UK's Money Laundering Regulations 2017 impose parallel suspicious transaction reporting obligations on EU and UK credit institutions. National banks with overseas branches must manage Part 21 for US operations alongside the local AML regime.
How FluxForce supports 12 CFR Part 21 compliance
FluxForce's AI agents address the three areas where institutions struggle most under Part 21. Nova Sentinel monitors transaction activity in real time, identifies SAR candidates with full decision audit trails, and tracks the 30-day filing window from initial detection. Aiden Flux flags same-day cash aggregation across branches before the CTR deadline. Both agents generate examiner-ready documentation: timestamped investigation logs, no-SAR decision rationales, and device testing records. All documentation is retained for the required five-year period. Book a demo at fluxforce.ai to see the full Part 21 workflow mapped to your OCC examination schedule.