
Bank Secrecy Act (BSA) — US AML Law

United States | 1970 | AML/CFT

What is the Bank Secrecy Act?

The Bank Secrecy Act (BSA) — formally the Currency and Foreign Transactions Reporting Act of 1970, codified primarily at 31 U.S.C. §§ 5311–5336 — is the foundation of the United States' anti-money-laundering and counter-terrorist-financing regime. It requires US financial institutions to keep records, file specified reports, and operate compliance programs designed to detect and deter money laundering, terrorist financing, tax evasion, and other illicit financial activity.

The BSA is sometimes referred to as "BSA/AML" because it is the legislative anchor for the broader US AML framework, which has been expanded by the USA PATRIOT Act of 2001, the Anti-Money Laundering Act of 2020 (AMLA 2020), and a continuing flow of FinCEN rulemaking. It is administered by the Financial Crimes Enforcement Network (FinCEN) and supervised through the federal banking agencies using the FFIEC BSA/AML Examination Manual.

History and purpose of the BSA

Congress enacted the BSA in 1970 in response to growing evidence that financial secrecy — especially the use of foreign accounts and cash-intensive businesses — was being exploited to hide the proceeds of crime. The original statute focused on currency reporting (transactions over $10,000) and recordkeeping for wire transfers, cheques, and account openings. Subsequent legislation broadened its reach: the Money Laundering Control Act of 1986 criminalised money laundering itself; the Annunzio-Wylie Act of 1992 introduced Suspicious Activity Reports (SARs); the USA PATRIOT Act of 2001 extended the BSA after 9/11 to combat terrorism financing; and the AMLA 2020 — the most significant overhaul in three decades — created the federal beneficial-ownership registry, modernised SAR processes, and expanded the BSA's reach to include antiquities dealers and certain other businesses.

Who must comply with the Bank Secrecy Act?

The BSA applies to a wide range of US financial institutions and certain non-financial businesses. Covered entities include national and state-chartered banks, federal and state-chartered credit unions, savings associations, US branches and agencies of foreign banks, broker-dealers in securities, mutual funds, futures commission merchants, money services businesses (MSBs) such as money transmitters and currency exchangers, casinos and card clubs, insurance companies offering covered products, residential mortgage lenders and originators, and — following AMLA 2020 — dealers in antiquities. Crypto-asset firms generally fall within the MSB category as money transmitters and are subject to the same core BSA obligations.

The five pillars of BSA/AML compliance

Every covered institution must build and maintain a written AML compliance program based on the five pillars set out in BSA implementing regulations and reinforced by AMLA 2020. The first four pillars — internal policies, procedures and controls; a designated BSA compliance officer; ongoing employee training; and independent testing — date back to the original program rule. The fifth pillar, formally added in 2018, is Customer Due Diligence (CDD), which includes ongoing risk-based monitoring and identification of beneficial owners of legal-entity customers. AMLA 2020 added a sixth implicit expectation: programs must be risk-based, effective, and reasonably designed, shifting examiner focus from technical box-ticking to actual outcomes. For a fuller breakdown, see our explainer on the 5 pillars of an AML program.

Customer identification and KYC under the BSA

The BSA's Customer Identification Program (CIP) rule requires every covered institution to verify the identity of each new customer using documentary or non-documentary methods at account opening. This is the operational foundation of Know Your Customer (KYC) in the United States. CIP must capture, at minimum, the customer's name, date of birth (for individuals), address, and a government-issued identification number — and the institution must form a reasonable belief that it knows the true identity of the customer. The CDD Rule then layers on the requirement to understand the nature and purpose of customer relationships, identify the ultimate beneficial owner (UBO) of legal-entity customers, develop a customer risk profile, and conduct ongoing monitoring to detect and report suspicious activity.

For a vendor-by-vendor view of how US banks operationalise CIP and CDD, see our roundup of the top KYC solution providers in the USA.

Reporting obligations: CTRs, SARs, and beyond

Two reports sit at the heart of the BSA. Currency Transaction Reports (CTRs) must be filed with FinCEN for any cash transaction — or aggregated cash transactions by or on behalf of one person on a single business day — exceeding USD 10,000. Suspicious Activity Reports (SARs) must be filed within 30 days (extendable to 60) when an institution detects a transaction of at least USD 5,000 that it suspects involves money laundering, structuring, fraud, or other illicit activity. Beyond these, the BSA requires Reports of Foreign Bank and Financial Accounts (FBAR), Reports of International Transportation of Currency or Monetary Instruments (CMIR), and Form 8300 filings for cash transactions over USD 10,000 in a trade or business. Tipping off — informing a customer that a SAR has been or will be filed — is strictly prohibited.

Recordkeeping requirements

The BSA imposes detailed recordkeeping obligations. Institutions must retain identifying information collected at account opening, transaction records, wire-transfer instructions for transfers of USD 3,000 or more (the Travel Rule), and supporting documentation for CTR and SAR filings. The retention period is at least five years from the date of the transaction, account closure, or report filing — though many institutions retain for longer to align with civil-litigation and other regulatory requirements. Records must be stored in a manner that allows prompt retrieval in response to a regulatory or law-enforcement request.

Risk assessment and transaction monitoring

The BSA does not prescribe a single risk-assessment template, but examiners expect every institution to maintain a documented, periodically refreshed BSA/AML risk assessment covering customers, products and services, geographies, and delivery channels. The output of that assessment drives the design of transaction monitoring — the automated and manual systems used to detect unusual or potentially suspicious activity. Common monitoring scenarios include structuring patterns, rapid movement of funds, transactions inconsistent with a customer's profile, and exposure to high-risk geographies. Many US banks combine an internal transaction monitoring platform with third-party AML screening against sanctions, PEP, and adverse-media lists to satisfy the BSA's broader detection expectations.

BSA and the USA PATRIOT Act

The USA PATRIOT Act of 2001 is not a replacement for the BSA — it is an expansion. Title III of the PATRIOT Act amended the BSA to require enhanced due diligence for foreign correspondent and private-banking accounts, prohibit US institutions from maintaining accounts for foreign shell banks, mandate the CIP rule, and create the Section 314(a) and 314(b) information-sharing mechanisms between law enforcement, FinCEN, and financial institutions. Read together, the BSA defines the architecture of US AML compliance and the USA PATRIOT Act layers on counter-terrorism-specific obligations.

Penalties and enforcement

BSA violations can carry severe consequences. Civil penalties for wilful violations can reach the greater of USD 25,000 or the amount involved in the transaction (up to USD 100,000), and pattern-of-negligence penalties can run far higher. Criminal penalties for wilful violations can include fines of up to USD 250,000 and imprisonment of up to five years — doubled where the violation occurs in connection with another federal crime or a pattern of illegal activity exceeding USD 100,000 in a 12-month period. AMLA 2020 also expanded individual liability for senior managers and introduced enhanced whistleblower rewards, materially raising personal exposure for compliance failures.

Choosing BSA/AML software

Modern BSA/AML programs rely heavily on technology to satisfy the five pillars at scale — covering customer onboarding, sanctions and PEP screening, transaction monitoring, case management, and regulatory reporting. The right platform reduces manual review burden, generates the audit trails examiners expect, and adapts as new rules emerge from FinCEN. Signzy's overview of the best AML software for regulatory compliance outlines the core selection criteria.

Key Obligations

1. Risk-based AML compliance program — establish, document, and maintain a written program covering all five pillars and aligned to the institution's BSA/AML risk profile.

2. Internal policies, procedures, and controls — first pillar; written, risk-based, and reviewed regularly to reflect changes in business model and regulation.

3. Designated BSA compliance officer — second pillar; appoint an officer with sufficient seniority, authority, and resources to administer the program.

4. Ongoing employee training — third pillar; provide role-appropriate, periodic AML training for relevant staff, senior management, and the board.

5. Independent testing — fourth pillar; conduct periodic, risk-based audits of the BSA/AML program through qualified internal or external reviewers.

6. Customer Due Diligence (CDD) — fifth pillar; run CIP, identify beneficial owners of legal-entity customers, build a customer risk profile, and monitor on an ongoing basis.

7. Reporting (CTRs, SARs, FBAR, CMIR, Form 8300) — file timely, complete reports with FinCEN; never tip off the customer about a SAR filing.

8. Recordkeeping and the Travel Rule — retain records for at least five years; comply with the Travel Rule for wire transfers of USD 3,000 or more.

Manual Details

Issued by: US Congress, administered by FinCEN (a bureau of the US Department of the Treasury)
Enacted: 1970 (Title 31, U.S. Code, §§ 5311–5336)
Most recent major amendment: Anti-Money Laundering Act of 2020 (AMLA 2020)
Jurisdiction: United States
Applies to: Banks, credit unions, MSBs, casinos, securities and investment firms, insurers, fintechs, and other financial intermediaries
Category: AML/CFT — preventive framework
