12 CFR Part 21: What It Requires and Who It Applies To
OCC 12 CFR Part 21, issued by the Office of the Comptroller of the Currency, requires national banks and federal savings associations to maintain written security programs, designate a Bank Secrecy Act compliance officer, file Suspicious Activity Reports within 30 calendar days of detecting reportable transactions, and retain all supporting documentation for five years.
What is 12 CFR Part 21?
12 CFR Part 21 is a federal regulation issued by the Office of the Comptroller of the Currency that establishes minimum security device requirements, suspicious activity reporting obligations, and BSA/AML compliance program standards for national banks and federal savings associations operating in the United States. The regulation is divided into three subparts: Subpart A governs physical security devices and procedures, Subpart B sets out Suspicious Activity Report filing rules, and Subpart C requires a formal BSA compliance program.
The physical security roots go back to the Bank Protection Act of 1968 (12 U.S.C. § 1882), which gave federal banking regulators authority to require security standards at supervised institutions. The OCC codified those requirements at 12 CFR Part 21. SAR filing obligations came later, layered in under the Bank Secrecy Act as amended by the Money Laundering Control Act of 1986 and subsequent FinCEN rulemaking. The BSA compliance program requirement follows from FinCEN's 2002 rulemaking at 31 CFR 1020.210.
Compliance officers at national banks treat Part 21 as the OCC's primary operational AML rulebook. It doesn't replace the Bank Secrecy Act or FinCEN's own implementing regulations at 31 CFR Chapter X, but the OCC is the direct examination authority for national banks. Part 21 deficiencies appear in OCC Matters Requiring Attention and civil money penalty orders, not abstract FinCEN citations.
There's no size threshold. A $200 million community bank in Nebraska faces the same legal obligations under Part 21 as JPMorgan Chase, N.A. The OCC scales examination intensity through its Large Bank Supervision and Midsize/Community Bank Supervision programs, but the statutory bar is identical for both.
Who does 12 CFR Part 21 apply to?
Part 21 covers institutions directly chartered and supervised by the OCC:
- National banks: Commercial banks whose charter includes "National" in the name or carries an "N.A." or "Nat'l Assn" suffix. This includes community banks, regional banks, and large complex financial institutions.
- Federal savings associations: Formerly supervised by the Office of Thrift Supervision, federal savings associations came under OCC supervision after the Dodd-Frank Act merged OTS functions into the OCC in 2011. Look for "FSB" or "Federal Savings Bank" in the legal name.
- Federal branches and agencies of foreign banks: Foreign banks with federally licensed U.S. branches are subject to OCC supervision and must comply with Part 21's BSA program requirements.
- Edge Act corporations: Entities chartered under the Edge Act (12 U.S.C. § 611) for international banking operations, where the OCC is the primary federal regulator.
Part 21 does NOT cover:
- State-chartered banks supervised by the FDIC (subject to 12 CFR Part 353) or the Federal Reserve (subject to Regulation H)
- Credit unions (NCUA)
- Broker-dealers (subject to FINRA Rule 3310)
- Money services businesses regulated directly by FinCEN
There's no asset-size carve-out. A de novo national bank with $50 million in assets carries the same SAR filing obligations as a $2 trillion institution. Examination frequency and scope vary by risk profile, but the legal requirements are identical.
One practical nuance: national bank subsidiaries and affiliates generally aren't directly covered unless they hold their own national bank charter. But a parent bank remains responsible for BSA risks introduced through affiliate relationships and third-party arrangements. Examiners don't accept "that activity lives in a non-bank subsidiary" as a clean response to program gaps.
What does 12 CFR Part 21 require?
Part 21 breaks into three distinct sets of obligations.
Subpart A: Physical Security Program (§§ 21.2–21.4)
- Appoint a security officer (§ 21.3(a)): Each bank must designate an individual responsible for administering the written security program.
- Written security program (§ 21.3(a)): The program must address physical security devices (cameras, vaults, alarm systems), employee procedures for opening and closing, and response protocols for robbery and burglary.
- Annual program review: The security officer must review and update the program at least annually, with documentation retained.
- Report crimes to the OCC (§ 21.4): Institutions must file crime reports for losses above defined thresholds. The reporting vehicle is FinCEN SAR Form 111, which replaced the older SAR-SF form.
Subpart B: SAR Filing (§ 21.11)
- Dollar thresholds: File a SAR for any transaction of $5,000 or more where a suspect can be identified; $25,000 or more regardless of whether a suspect is identified; any amount involving a suspected federal law violation (structuring, terrorism financing, and similar offenses).
- Filing deadline: 30 calendar days from the date of initial detection of the facts. If no suspect is identified at detection, the deadline extends to 60 calendar days from that date.
- Tipping-off prohibition: The bank may not disclose to the transaction subject, or to any person involved in the transaction, that a SAR was or may be filed. No exceptions, no sunset.
- Retention: Retain a copy of every SAR and all supporting documentation for 5 years from the filing date.
- No-file decisions: Written documentation supporting the decision not to file must also be retained. Examiners routinely pull these records and treat gaps as evidence of inadequate review.
Subpart C: BSA Compliance Program (§ 21.21)
- Four program pillars: Internal controls, independent testing (audit), a designated BSA compliance officer, and training for applicable personnel.
- Customer identification procedures: Banks must maintain a written Customer Identification Program meeting 31 CFR 1020.220, cross-referenced to Section 326 CIP requirements under the USA PATRIOT Act.
- Risk-based calibration: The program must match the bank's actual size, complexity, and risk profile. Generic off-the-shelf templates routinely draw exam findings when they don't reflect the institution's real product mix or customer base.
- Board approval: The BSA compliance program must be approved by the board of directors or a board-level committee. Annual re-approval after completing the BSA risk assessment is standard practice.
What evidence do regulators expect?
OCC examiners follow the BSA/AML Examination Procedures published jointly by the Federal Financial Institutions Examination Council. The FFIEC BSA/AML Examination Manual (updated 2021) is the practical preparation guide, even though it isn't a regulation itself. On exam day, banks should expect requests for:
- Written policies and procedures: The full BSA/AML compliance program, current and board-approved. A program that has not been reviewed in the past 12 months, with no annotation explaining why, is an immediate flag.
- Security program documentation: Written security program, security officer appointment letter, most recent annual review, and staff training records.
- SAR filing log: A complete record of SARs filed, including the date of initial detection, the filing date, and FinCEN case reference numbers. Examiners compare detection-to-filing timelines directly against the 30-day window.
- No-file rationale: Written records for every piece of suspicious activity reviewed but not escalated to a SAR. Missing documentation is treated as evidence the activity wasn't properly evaluated.
- Transaction monitoring records: Alerts generated, disposition decisions (cleared vs. escalated), analyst notes, and time-to-clear metrics. Chronic alert backlogs trigger Matters Requiring Attention.
- Training completion records: Documentation showing all relevant staff completed BSA/AML training, including new-hire training and annual refreshers. Examiners check whether training addresses current typologies, not just static regulatory text.
- Independent testing reports: Most recent BSA/AML audit, management responses, and remediation evidence for prior findings.
- CIP records and sampling: Customer identification documentation under 31 CFR 1020.220, plus file samples for recently onboarded accounts.
- Board meeting minutes: Evidence that the board reviewed BSA risk assessment results, approved the compliance program, and completed director-level AML training.
A recurring OCC observation is that banks treat SAR documentation as a form-filing exercise. Examiners want the investigative narrative, the underlying transaction data, and the analyst's reasoning. The filed form alone won't satisfy them.
Common failure modes
OCC enforcement history shows consistent patterns across exam cycles:
- Late SAR filing: The most common citation. Alert queue backlogs and unclear escalation paths push filings past the 30-day window. In its 2022 consent order against USAA Federal Savings Bank, the OCC cited systemic failure to file SARs on time due to inadequate transaction monitoring infrastructure. The OCC assessed a $60 million civil money penalty; FinCEN assessed a concurrent $140 million penalty on the same deficiencies (OCC Enforcement Actions 2022).
- Inadequate transaction monitoring: Alert rules that don't match the institution's actual product and customer risk profile. Community banks frequently inherit generic rule sets that miss cash-intensive local business typologies.
- Weak no-file documentation: Banks that can't produce written rationale for declining to file SARs on reviewed activity. Examiners treat missing records as evidence the bank avoided filing rather than evaluated it.
- Training gaps: BSA training that covers regulatory text without addressing the institution's specific products, customers, or FinCEN's current typology advisories.
- BSA officer without real authority: Appointing a BSA officer who lacks budget control, direct board access, or independence from revenue-generating business units. The OCC has flagged this structural deficiency in multiple MRAs.
- CDD documentation failures: Missing or incomplete records for beneficial owners, particularly since the FinCEN CDD Rule became effective in May 2018. Examiners pull legal entity customer files specifically to test compliance with the beneficial ownership prong.
- Stale risk assessments: BSA/AML risk assessments not updated after material product, customer, or geographic changes. An assessment completed in 2021 doesn't address crypto on-ramp services added in 2023.
Penalties for non-compliance
The OCC's civil money penalty authority under 12 U.S.C. § 1818 operates in three tiers:
- Tier 1 (up to $10,000/day): For violations of any law, regulation, or final order, or unsafe and unsound practices.
- Tier 2 (up to $25,000/day): For knowing violations, or violations causing loss or gain to any person.
- Tier 3 (up to $1 million/day): For knowing violations causing substantial loss, or reckless disregard of applicable law.
Because violations typically persist for months or years before detection, aggregate enforcement totals far exceed the per-day maximums. In October 2024, the OCC assessed a $450 million civil money penalty against TD Bank National Association as part of a coordinated multi-agency action totaling over $3 billion. The OCC's order cited TD Bank's failure to maintain an adequate BSA/AML program over several years, which allowed more than $670 million in illicit funds to flow through the bank for a drug trafficking network (OCC News Release 2024-118).
Beyond financial penalties, the OCC can:
- Issue cease and desist orders with specific remediation timelines
- Remove bank officers and directors
- Impose operating restrictions on specific business lines
- Require heightened board oversight commitments documented in formal consent orders
The Anti-Money Laundering Act of 2020 strengthened whistleblower protections for BSA-related disclosures and authorized new effectiveness standards for AML programs, directly affecting what "adequate" means under Part 21 for institutions using automated monitoring tools.
Related regulations and frameworks
Part 21 doesn't operate in isolation. It's one layer of a broader compliance stack:
- Bank Secrecy Act (31 U.S.C. §§ 5311–5336): The parent statute. Part 21 is the OCC's implementing regulation for BSA obligations at national banks. The BSA article covers the full statutory framework, including FinCEN's role as the primary rule-writing authority.
- FinCEN's 31 CFR Chapter X: Treasury/FinCEN's implementing rules, substantively identical to Part 21 for SAR and CIP requirements. National banks comply with both simultaneously. An OCC exam and a FinCEN examination are separate events with overlapping evidentiary expectations.
- FATF Recommendation 20: The international standard for suspicious transaction reporting. FATF Recommendation 20 requires member jurisdictions to mandate reporting of suspicious transactions; Part 21 is the U.S. national implementation for OCC-chartered institutions.
- FFIEC BSA/AML Examination Manual: Co-published by the OCC, FinCEN, FDIC, and NCUA, the 2021 update added guidance on digital assets and third-party service providers. Exam teams use this manual to scope their reviews, and compliance officers should treat it as equivalent to a regulatory expectation.
- OCC Bulletin 2011-12 (Model Risk Management): The OCC's equivalent to the Federal Reserve's SR 11-7. Transaction monitoring systems are models under this guidance and require independent validation. An AML monitoring model that hasn't been validated creates both a Part 21 program deficiency and a concurrent model risk finding.
- Anti-Money Laundering Act of 2020: Amended the BSA to introduce risk-based examination requirements, new beneficial ownership reporting obligations, and FinCEN innovation authorities. The amendments directly affect what constitutes an "adequate" Part 21 compliance program, particularly for institutions deploying AI-based transaction monitoring.
How FluxForce supports 12 CFR Part 21 compliance
FluxForce's AI agents automate the core operational requirements under Part 21: continuous transaction monitoring against configurable detection rules, automated SAR candidate packaging with narrative drafts and full supporting documentation, and alert queue management to keep filing timelines inside the 30-day window. Every decision produces a complete evidence trail for OCC examiners, including no-file rationale records. Nova Sentinel and Aiden Flux handle the detection-to-escalation workflow. Compliance officers get a documented, auditable process. Book a demo to see how FluxForce maps to your institution's Part 21 obligations.