What is the Bank Secrecy Act (BSA)?

The Bank Secrecy Act (BSA) is a US federal law that contains measures to combat money laundering and other financial crimes. It is a central piece of legislation in the overall US anti-money laundering and countering the financing of terrorism (AML/CFT) regime, and banks and other financial institutions (FIs) are legally obliged to meet its compliance requirements. 

The BSA, previously known as the Currency and Foreign Transactions Reporting Act, was introduced in 1970 and has been amended on multiple occasions since then, including – significantly – by the USA Patriot Act. Compliance with the BSA is enforced by regulators, notably the Financial Crimes Enforcement Network (FinCEN), and law enforcement agencies. 

BSA compliance requirements 

The BSA contains a comprehensive list of requirements for FIs across the following areas: 

  • Internal controls: FIs must have compliance programs in place, consisting of written policies and procedures to help their employees recognize and prevent financial crime. They should appoint compliance officers (often known as BSA Officers) to oversee these programs and train all employees to follow them. The BSA requires compliance programs to undergo regularly scheduled independent audits to review their strength. 
  • Customer due diligence (CDD): Every firm must have a customer identification program as part of its compliance framework, enabling it to establish and verify its customers’ identities with appropriate documentation. Firms must also implement ongoing monitoring to detect suspicious transactions and continually update customer data to maintain accuracy. 
  • Beneficial ownership: The ‘CDD Final Rule’ is an amendment to the BSA that stipulates firms must establish the ultimate beneficial owners (UBOs) of companies. This effectively extends existing customer identification requirements to corporate structures to prevent their misuse. 
  • Reporting: Any transaction firms have reason to believe may be connected to money laundering or terrorist financing should be reported to FinCEN via a suspicious activity report (SAR), while currency transaction reports (CTRs) must be filed for cash transactions, single or cumulative, exceeding $10,000 in 24 hours. Additionally, businesses must use Form 8300 whenever they receive a cash payment of more than $10,000. 
  • Record-keeping: FIs must keep records relating to their compliance policies, customer accounts, and transaction reports for five years after a given transaction or the closure of a given customer account. They must also keep records of certain transactions, such as purchases of monetary instruments over $3,000, international payments over $10,000, and credit extensions over $10,000. 

Penalties for BSA non-compliance 

Violations of the BSA can result in both civil and criminal penalties. FinCEN can impose civil monetary penalties of up to $278,000 for a single breach. On a criminal level, willful breaches of the BSA or its implementing regulations can lead to fines of up to $250,000 or prison sentences of up to five years (or both) for an individual offender. Institutions can be fined up to the greater of $1 million or twice the value of the transactions responsible for the breach. Firms found to have breached the BSA may lose their license or charter, while individual employees can be barred from working in the industry. 

These penalties are not just theoretical: firms have been fined sums reaching billions of dollars for BSA compliance failures. Beyond the financial consequences of non-compliance, firms can also incur reputational damage for failures. A loss of consumer trust can severely restrict any growth a firm hopes to experience. With this in mind, FIs should ensure they are prepared to demonstrate compliance. 

Who has to comply with the BSA? 

The BSA applies to all FIs in the US. An appendix to the BSA containing its statutory definition of an FI specifically names the following: 

  • Banks, including commercial banks, investment banks, private banks, and US-based branches of foreign banks. 
  • Credit unions. 
  • Thrift institutions. 
  • Brokers and dealers.
  • Currency exchanges. 
  • Issuers, redeemers, or cashiers of checks, traveler’s checks, money orders, and other financial instruments.
  • Credit card operators. 
  • Insurance companies.
  • Dealers in precious metals, stones, or jewels.
  • Pawnbrokers.
  • Loan and finance companies.
  • Travel agencies. 
  • Futures commission merchants and commodity trading advisors. 
  • Informal or non-conventional financial businesses. 
  • Telegraph companies. 
  • Vehicle retailers. 
  • Real estate firms.  
  • Casinos. 
  • The United States Postal Service. 

In August 2024, FinCEN issued two new regulations clarifying the AML/CFT obligations of real estate businesses and investment advisers (IAs). Though mentioned in the BSA, real estate firms were previously not regulated as comprehensively as other types of business; the new rule addresses this gap with reporting requirements on high-risk real estate transfers, namely non-financed residential property transfers to trusts or legal entities. The IA rule added certain types of IAs to the BSA’s definition of FIs, extending the Act’s obligations to them.  

Recent updates to the BSA/AML Examination Manual 

Agencies like FinCEN, the Office of the Comptroller of the Currency (OCC), or the Securities and Exchange Commission (SEC) frequently review firms’ compliance programs. The BSA/AML Examination Manual guides examiners on assessing a program’s compliance with the BSA and is therefore an important resource for firms, who should note any changes to the Manual and adapt their policies accordingly. The most recent update was in August 2023 and reworked the section on foreign correspondent account record-keeping, reporting, and due diligence to include new standalone sections on: 

  • Due diligence for correspondent accounts for foreign FIs. 
  • Reporting obligations on Iran-linked foreign bank relationships. 
  • Prohibitions on correspondent accounts for foreign shell banks. 
  • Summonses or subpoenas for foreign banking relationships and terminations of correspondent relationships. 

It also updated sections on special AML/CFT information-sharing measures, and due diligence requirements for private banking accounts. 

Firms should note that updates to the Manual are not new rules in themselves, nor are they indicators of increased regulatory scrutiny on particular areas. They do, however, clarify how the examination process works in practice and support risk-focused compliance measures. 

How can firms comply with the BSA?

To comply with the BSA, US firms must create, implement, and maintain a compliance program (which many firms refer to as a BSA/AML compliance program). To cover all the requirements of the BSA, FIs should take the following actions: 

  • Implement dynamic customer screening: FIs should screen customers against sanctions, politically exposed persons (PEP), and adverse media data. This should happen when onboarding new customers and on an ongoing basis after onboarding. The data firms use for this should be updated to reflect any changes from their sources, ideally in near-real time. 
  • Optimize transaction monitoring tools: To file SARs, CTRs, and Form 8300 reports accurately and in good time, firms should have a transaction monitoring solution that flags all transactions over reporting thresholds. In addition to more obviously suspicious transactions, firms must be able to detect unexplained patterns that develop over time. Powering transaction monitoring with artificial intelligence (AI) can uncover new layers of insight for firms, bringing more transactions that need investigating into the light. 
  • Store documents and case decisions centrally: Given the multiple transaction reporting requirements on US firms, records relating to customers, payments, policies, and case decisions should be stored in a centralized, easily accessible location. This helps to create a straightforward audit trail and avoids siloed data, often a major blocker for compliance teams. 
  • Create a strong culture of compliance: Firms must appoint an experienced BSA Officer with the knowledge and authority to implement internal controls and educate colleagues on compliance best practices. Compliance programs are only as strong as their weakest points, so FIs should ensure all relevant staff members receive regular, comprehensive AML training. 
  • Take advantage of AML tech solutions: Effective AML processes require firms to collect, update, and analyze a vast amount of data, which makes manual processes unworkable. Factors to consider when choosing an AML vendor to partner with include their software’s specific compliance features, data coverage, integration possibilities, data security, and user-friendliness. 

AI-powered solutions for BSA compliance 

ComplyAdvantage supports US organizations in meeting their compliance obligations, providing a range of AML software solutions to give them a 360-degree view of their risks and maximize their ability to detect and prevent financial crime. Firms that partner with ComplyAdvantage can access: 

  • Award-winning proprietary data: Screen customers against market-leading sanctions, watchlist, PEP and RCA, and adverse media data. Our information is sourced directly from multiple reliable sources and updated ahead of competitors – in minutes, not days. 
  • Automatic risk scoring: Make the most of fully configurable and dynamically updated event and customer risk scoring for a true, data-driven understanding of your customer base. Tackle the most important cases first with smart alert prioritization. 
  • API-based integration with ongoing support: Streamline AML compliance processes with configurable cloud solutions in UI or API form, able to seamlessly integrate into existing workflows. 

Originally published 09 March 2020, updated 04 December 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).