The Bank Secrecy Act: Understanding U.S. AML Regulations and Laws


Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. It is not intended to provide legal or other professional advice, and should not be relied on as such.



The Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the “Bank Secrecy Act” or “BSA”) is the primary U.S. law used to detect, deter and disrupt money laundering and terrorist financing networks. BSA compliance is required for banks and other regulated financial institutions. Specifically, this “anti-money laundering law” requires that these institutions keep records of cash purchases of negotiable instruments, file reports of cash transactions over $10,000, and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.




The Bank Secrecy Act (BSA): An Overview

The Financial Crimes Enforcement Network (FinCEN) is the bureau within the U.S. Treasury Department that is mandated to implement, administer, and enforce compliance with the BSA. Specific responsibilities of the agency include:


  • Maintain a government-wide data access service with a range of financial transactions information
  • Analyze and disseminate information in support of law enforcement investigatory professionals at the Federal, State, Local, and International levels
  • Determine emerging trends and methods in money laundering and other financial crimes
  • Serve as the Financial Intelligence Unit of the United States
  • Carry out other delegated regulatory responsibilities


As the country’s financial intelligence unit (FIU), FinCEN releases a number of advisories, guidance documents and FAQs to help financial institutions comply with BSA AML regulations. This article reviews some of the definitions and material provided by FinCEN for effective compliance with anti-money laundering and Bank Secrecy Act regulations.



What is a Regulated Financial Institution?

According to BSA compliance regulations, a financial institution is:


  • An insured bank
  • A commercial bank or trust company
  • A private banker
  • An agency or branch of a foreign bank in the United States
  • Any credit union
  • A thrift institution
  • A broker or dealer registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934 (15 USC 78a et seq.)
  • A broker or dealer in securities or commodities
  • An investment banker or investment company
  • A currency exchange
  • An issuer, redeemer, or cashier of traveler’s checks, checks, money orders, or similar instruments
  • An operator of a credit card system
  • An insurance company
  • A dealer in precious metals, stones, or jewels
  • A pawnbroker
  • A loan or finance company
  • A travel agency
  • A licensed sender of money or any other person who engages as a business in the transmission of funds, including any person who engages as a business in an informal money transfer system or any network of people who engage as a business in facilitating the transfer of money domestically or internationally outside of the conventional financial institutions’ system
  • A telegraph company
  • A business engaged in vehicle sales, including automobile, airplane, and boat sales.
  • Persons involved in real estate closings and settlements
  • The United States Postal Service
  • An agency of the United States government or of a state or local government carrying out a duty or power of a business described in this paragraph
  • A casino, gambling casino, or gaming establishment with an annual gaming revenue of more than $1,000,000 that
    • Is licensed as a casino, gambling casino, or gaming establishment under the laws of any state or any political subdivision of any state; or
    • Is an Indian gaming operation conducted under or pursuant to the Indian Gaming Regulatory Act other than an operation that is limited to class I gaming (as defined in section 4 (6) of such act).
  • Any business or agency that engages in any activity that the Secretary of the Treasury determines, by regulation, to be an activity that is similar to, related to, or a substitute for any activity in which any business described in this paragraph is authorized to engage.
  • Any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters.
  • Any futures commission merchant, commodity trading advisor, or commodity pool operator registered, or required to register, under the Commodity Exchange Act (7 USC 1, et seq.).


BSA requirements apply to the U.S. operations of foreign financial institutions in the same manner as they apply to domestic financial institutions.


In contrast to the Financial Action Task Force (FATF) definition of a financial institution, the BSA does not require compliance from professional service providers such as lawyers, notaries and accountants. While these professionals are not required to maintain an AML program, they do have reporting requirements and must comply with laws and regulations set forth by the Office of Foreign Assets Control (OFAC).


This differs from Europe’s Third Anti-Money Laundering Directive (3rd AMLD), which has been in effect since 2005. The 3rd AMLD established that in addition to banks and the whole of the financial sector, lawyers, notaries, accountants, real estate agents, casinos and company service providers are also required to follow AML compliance regulations.



Bank Secrecy Act Requirements for Recordkeeping

The Bank Secrecy Act requires financial institutions to record and retain various types of records including customer accounts (e.g., loan, deposit, or trust), BSA filing requirements, and records that document a bank’s compliance with the BSA for at least five years.


Records must be kept in a way that makes them accessible in a reasonable period of time. Transaction records must be retained for five years, while records related to the identity of a bank customer must be maintained for five years after the account is closed. In some cases, a financial institution may be ordered or requested to maintain some of these records for longer periods.


The FFIEC provides detailed information on what kind of information must be kept for each record type, as well as exceptions. Here are some examples of the information that must be recorded for each record type for proper BSA compliance:


  • International Transactions in Excess of $10,000: A record of any request made or instructions received or given regarding a transfer of currency or other monetary instruments, checks, funds, investment securities, or credit greater than $10,000 to or from any person, account, or place outside the United States.
  • Account Statements: A statement, ledger card, or other record on each deposit account showing each transaction in, or with respect to, that account.
  • Checks in Excess of $100: Each check, draft, or money order drawn on the bank or issued and payable by it that is in excess of $100.
  • Deposits in Excess of $100: Each deposit slip or credit ticket reflecting a transaction in excess of $100. The slip or ticket must record the amount of any currency involved.
  • Purchase of Monetary Instruments of $3,000 or More: If the purchaser has a deposit account with the bank, the name of the purchaser, date of purchase, type(s) of instrument purchased, amount in dollars, serial number(s) of the instrument(s) purchased. If the purchaser does not have a deposit account with the bank, name, address, date of birth, social security number of the purchaser, date of purchase, type(s) of instrument purchased, amount, serial number(s) of the instrument(s) purchased and description of document or method used to verify the name and address of the purchaser.
  • Funds Transfers of $3,000 or More: For a bank acting as an originator’s bank, the name and address of the originator, amount of the payment order, execution date, payment instructions, the identity of the beneficiary’s bank, and information about the beneficiary. For a bank acting as an intermediary bank or a beneficiary’s bank, a record of each payment order that the bank accepts in that role.
  • Suspicious Activity Reports (SARs) and supporting documentation
  • Currency Transaction Reports (CTRs) and Designation of Exempt Person from CTR reporting
  • Customer Identification Program (CIP) records: Including all identifying information about a customer, a description of the document used to validate the identity of the customer, a description of the non-documentary methods and results of any measures the bank took to verify the identity of the customer, description of the bank’s resolution of any substantive discrepancy discovered when verifying the identifying information obtained.



Requirements for Forms and Filings

As part of their BSA compliance obligations, financial institutions are required to file specific reports to FinCEN. These include:


  • SAR (Suspicious Activity Report) Form 111
  • CTR (Currency Transaction Report) Form 112
  • DOEP (Designation of Exempt Person) Form 110
  • RMSB (Registration of Money Services Businesses) Form 107
  • FBAR (Foreign Bank Account Report) Form 114
  • Cash over 10K Received in Trade/Business Form 8300
  • International Transport of Currency or Monetary Instruments (CMIR) Form 105
  • Customer Due Diligence (CDD) Certification Form


BSA reporting requirements vary depending on the type of financial institution and the services that it offers.


Financial institutions are required to use the BSA E-Filing system to electronically file forms individually or in batches. The system also allows organizations to exchange secure messages with FinCEN, as well as receive advisories and system updates.


Currency Transaction Reports (CTRs) Requirements

For proper BSA compliance, financial institutions are required to report currency transactions over $10,000 conducted by, or on behalf of, one person, as well as multiple currency transactions that aggregate to more than $10,000 in a single day. Currency transaction reports must be filed with FinCEN within 15 calendar days of the reported transaction(s) using the BSA E-Filing System. Filers are required to save a printed or electronic copy of the report for at least five years.


To comply with this law, financial institutions must obtain personal identification information about the individual conducting the transaction such as a Social Security number as well as a driver’s license or another government-issued document. This requirement applies whether the individual conducting the transaction has an account relationship with the institution or not.


CTR Exemptions

According to the Bank Secrecy Act, financial institutions can exempt some customers from currency transaction reporting requirements. These include:


  • Banks operating in the U.S.
  • Federal, state, local, or inter-state governmental departments, agencies, or authorities
  • Entities listed on the major national stock exchanges
  • Subsidiaries (at least 51% owned) of entities listed on the major national stock exchanges
  • Non-listed businesses
  • Payroll Customers


According to FinCEN, non-listed businesses and payroll customers are those with recurring needs for large amounts of currency to support their commercial enterprises in the United States. A non-listed business is defined as an enterprise that: (i) has maintained a transaction account at the bank for at least 12 months, (ii) frequently engages in transactions in currency in excess of $10,000, and (iii) does business in the United States.


Businesses ineligible for treatment as non-listed businesses include those involved in the following activities:


  • serving as financial institutions or agents of financial institutions of any type;
  • the purchase or sale to customers of motor vehicles of any kind, vessels, aircraft, farm equipment or mobile homes;
  • the practice of law, accountancy, or medicine;
  • the auctioning of goods;
  • chartering or operation of ships, buses, or aircraft;
  • pawn brokerage;
  • gaming;
  • investment advisory services or investment banking services;
  • real estate brokerage, title insurance and real estate closings;
  • trade union activities; and
  • any other activities that may be specified by FinCEN, such as marijuana-related businesses.


A payroll customer is defined as a person who has maintained a transaction account at the bank for at least 12 months, operates a firm that regularly withdraws more than $10,000 in order to pay its United States employees in currency, and is doing business in the United States.


To read more about FinCEN’s CTR requirements for filing, refer to the agency’s Q&A section.


Suspicious Activity Reports (SARs) Requirements

A Suspicious Activity Report (SAR) is a report that documents suspicious or potentially suspicious activity that is attempted or conducted at or through a financial institution. The definition of suspicious activity varies but can include a transaction or series of transactions that have no business purpose or might signal criminal activity (e.g. money laundering, terrorist financing).


Entities that have to file SARs include:


  • Banks (31 CFR §1020.320) including Bank and Financial Holding Companies (12 CFR § 225.4);
  • Casinos and Card Clubs (31 CFR § 1021.320);
  • Money Services Businesses (31 CFR § 1022.320);
  • Brokers or Dealers in Securities (31 CFR § 1023.320);
  • Mutual Funds (31 CFR § 1024.320);
  • Insurance Companies (31 CFR § 1025.320);
  • Futures Commission Merchants and Introducing Brokers in Commodities (31 CFR § 1026.320); and
  • Residential Mortgage Lenders and Originators (31 CFR § 1029.320).


For proper compliance with the Bank Secrecy Act, SARs should be e-filed through the FinCEN BSA E-Filing System. Transactions that need to be reported include:


  • insider abuse of a financial institution, involving any amount, detected by the institution;
  • federal crimes against, or involving transactions conducted through, a financial institution that the financial institution detects and that involve at least $5,000 if a suspect can be identified, or at least $25,000 regardless of whether a suspect can be identified;
  • transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activities or attempts to hide those funds;
  • transactions of at least $5,000 that the institution knows, suspects or has reason to suspect are designed to evade any regulations promulgated under the BSA; and
  • transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect have no business or apparent lawful purpose or are not the sort in which the particular customer would normally be expected to engage and for which the institution knows of no reasonable explanation after due investigation.


According to FinCEN, SARs are to be filed no later than 30 calendar days after the date of the initial detection of facts that may constitute a basis for filing a report. If no suspect is identified on the date of such initial detection, a financial institution may delay filing a FinCEN SAR for an additional 30 calendar days to identify a suspect, but in no case shall reporting be delayed more than 60 calendar days after the date of such initial detection.






Bank Secrecy Act Compliance

Organizations that ensure BSA AML compliance include (but are not limited to):



Failure to comply with BSA regulations can have serious consequences. At the start of 2021, a company was assessed a $390,000,000 civil money penalty for engaging in both willful and negligent violations of the BSA and its implementing regulations. The company admitted to willfully failing to implement and maintain an effective AML program and to willfully failing to file thousands of SARs and CTRs.


Experts expect FinCEN and other financial regulators to keep imposing escalating fines and penalties on organizations for AML violations.



How Alessa Can Help With BSA Compliance

Alessa is a software solution designed to help financial institutions implement procedures that support an effective BSA and AML compliance program. The solution provides capabilities to support due diligence, ongoing monitoring of customers and transactions, reporting activities and more. It is also adaptable to changing regulations.


Alessa integrates with existing core systems and can be tailored to the financial institution’s needs and size. We offer a variety of AML compliance solutions, including:


  • Identity verification and customer due diligence for KYC/KYB
  • Real-time transaction monitoring and screening
  • Sanctions, PEPs, watchlist, crypto/virtual currency and other forms of screening
  • Configurable risk scoring
  • Electronic reporting to regulators, including SARs and CTRs to FinCEN
  • Advanced analytics like anomaly detection and machine learning to detect suspicious activity
  • Dashboards, workflows and case management


Contact us today to learn how Alessa can assist with Bank Secrecy Act compliance and strengthen your AML program.
