The Bank Secrecy Act (BSA) remains the primary legislative tool for the United States government in its efforts to detect and prevent money laundering, terrorist financing, and other financial crimes. For banking professionals, maintaining a robust BSA compliance program is not merely a regulatory requirement but a fundamental component of institutional risk management and operational integrity. As financial crimes become more sophisticated and globalized, the expectations for internal controls, reporting accuracy, and proactive monitoring continue to rise across the financial services sector.

The Five Pillars of a BSA Compliance Program

A functional BSA compliance program is built upon five essential pillars that serve as the foundation for a bank’s anti-money laundering (AML) efforts. The first pillar requires a system of internal controls to ensure ongoing compliance. These controls must be documented and approved by the board of directors, providing a clear framework for identifying and reporting suspicious activity. The second pillar is the designation of a qualified individual as the BSA compliance officer. This individual must possess the authority and resources necessary to manage the program effectively and report directly to senior management and the board. The third pillar involves independent testing of the BSA program, typically conducted by internal audit or an external third party. This testing must be performed on a periodic basis to verify the effectiveness of the program and identify any deficiencies that require remediation.

The fourth pillar focuses on training for appropriate personnel. This training must be tailored to the specific roles of employees and updated regularly to reflect changes in regulations and emerging threats. The fifth and most recent pillar, codified by the Customer Due Diligence (CDD) Rule in 2016, requires banks to maintain appropriate risk-based procedures for conducting ongoing customer due diligence. This includes identifying and verifying the identity of beneficial owners of legal entity customers. By establishing these five pillars, financial institutions create a structured environment capable of detecting illicit financial flows before they can compromise the integrity of the institution or the broader financial system.

Reporting Obligations and Recordkeeping Standards

Central to the BSA are the reporting and recordkeeping requirements that provide law enforcement with a paper trail for criminal investigations. The most common of these is the Currency Transaction Report (CTR). Financial institutions must file a CTR for every deposit, withdrawal, or exchange of currency that exceeds $10,000. This threshold applies to a single transaction or multiple transactions that appear to be related and occur within a single business day. Accuracy in these filings is paramount, as errors can lead to regulatory scrutiny and potential fines. In addition to CTRs, banks are required to file Suspicious Activity Reports (SARs) when they detect a transaction that involves or aggregates at least $5,000 and the institution knows, suspects, or has reason to suspect that the funds are derived from illegal activity or are intended to hide or disguise funds derived from illegal activity.

The SAR filing process is a critical component of the public-private partnership in law enforcement. Banks generally have 30 days from the date of initial detection to file a SAR, though this can be extended to 60 days if a suspect has not been identified. Maintaining the confidentiality of SARs is a strict legal requirement. Financial institutions and their employees are prohibited from disclosing to the subject of a SAR that a report has been filed. Beyond reporting, the BSA mandates extensive recordkeeping for various types of transactions, including funds transfers of $3,000 or more. These records must be retained for at least five years and be readily accessible to regulators and law enforcement upon request. The administrative burden of these requirements is significant, but the data generated is vital for mapping criminal networks and preventing the movement of illicit capital.

The Impact of the Anti-Money Laundering Act of 2020

The Anti-Money Laundering Act of 2020 (AMLA) represented the most significant update to the BSA since the USA PATRIOT Act of 2001. This legislation sought to modernize the AML framework to address 21st-century threats, including the use of virtual currencies and the proliferation of shell companies. One of the most impactful components of the AMLA is the Corporate Transparency Act (CTA), which requires many legal entities to report beneficial ownership information to the Financial Crimes Enforcement Network (FinCEN). This shift aims to reduce the burden on financial institutions by creating a centralized database of beneficial owners, although banks still maintain their own CDD obligations. The AMLA also increased the penalties for certain BSA violations and established a whistleblower program that provides financial incentives for individuals who report original information leading to successful enforcement actions.

Furthermore, the AMLA emphasized a risk-based approach to supervision, encouraging regulators to focus on high-priority threats rather than technical compliance alone. It mandated that FinCEN establish national AML and countering the financing of terrorism (CFT) priorities, which financial institutions must incorporate into their risk assessments. These priorities currently include corruption, cybercrime, and various forms of fraud. By aligning institutional efforts with national priorities, the Treasury Department aims to make the BSA framework more effective at producing highly useful information for law enforcement. For banking professionals, this means that compliance programs must be dynamic and capable of evolving as new priorities are identified and as the regulatory landscape shifts toward a more data-driven and outcome-oriented model.

Enforcement of the BSA is handled by a combination of federal agencies, including FinCEN, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve. In recent years, enforcement actions have focused on systemic failures in AML programs rather than isolated reporting errors. Penalties for non-compliance can be substantial. For instance, in the last three years, several major financial institutions have faced fines exceeding $100 million for failing to maintain adequate transaction monitoring systems or for ignoring red flags associated with high-risk jurisdictions. These enforcement actions often include "cease and desist" orders that require banks to hire independent consultants to oversee the remediation of their compliance programs, adding significant operational costs and reputational damage.

There is also a growing trend toward individual accountability in BSA enforcement. Regulators and the Department of Justice have increasingly targeted compliance officers and senior executives who willfully ignore compliance failures or participate in the concealment of suspicious activity. This shift underscores the importance of a strong compliance culture that starts at the board level and permeates the entire organization. Regulators are also paying closer attention to the integration of technology in compliance. While the use of automated monitoring systems is encouraged, banks must demonstrate that these systems are properly calibrated and that the underlying data is accurate. A failure to validate models or address "false negatives" in transaction monitoring can lead to regulatory findings and enforcement actions. As a result, many institutions are increasing their investment in data governance and model risk management to ensure their BSA programs meet the rigorous standards of federal examiners.

Technological Integration and Risk-Based Monitoring

The transition from manual oversight to sophisticated technological solutions has redefined how banks meet their BSA obligations. Modern transaction monitoring systems now utilize machine learning and artificial intelligence to identify patterns of behavior that may indicate money laundering, such as "structuring" or "layering" of funds. These systems allow banks to move beyond simple rules-based alerts to more nuanced, behavior-based analysis. However, the implementation of such technology requires careful management. Regulators expect banks to have a deep understanding of how their algorithms work and to provide clear documentation of the logic used to flag or clear transactions. The use of technology does not replace the need for human judgment. Compliance analysts must still investigate alerts and make the final determination on whether to file a SAR.

A risk-based approach is now the standard for BSA compliance. This means that banks must allocate their resources according to the specific risks posed by their customer base, geographic footprint, and product offerings. For example, a bank with a high volume of international wire transfers or a significant number of non-resident alien customers will face higher scrutiny and must implement more stringent controls than a small community bank with a localized customer base. This approach allows for greater efficiency but requires a continuous and thorough risk assessment process. As financial products like decentralized finance (DeFi) and stablecoins gain traction, banks must also assess how these innovations impact their BSA risk profile. The integration of new technologies and the refinement of risk-based models are essential for maintaining a compliant and effective AML program in an increasingly complex financial environment.

What to Watch

The financial services industry should monitor the ongoing implementation of the Beneficial Ownership Information registry, as it will fundamentally change how institutions verify customer data. Additionally, there is significant discussion regarding the potential adjustment of the $10,000 CTR threshold, which has remained unchanged since 1970 despite decades of inflation. Finally, the industry should expect increased regulatory focus on the "travel rule" as it applies to digital asset transfers, requiring more detailed information sharing between financial institutions for cryptocurrency transactions.

The Bankers Bulletin delivers banking and financial services intelligence to your inbox every weekday morning.

Upgrade and download The Senior Banker's Regulatory Survival Guide — our 17-page registration bonus.

Keep Reading