Bank Secrecy Act and AML Requirements: The Basics
The Bank Secrecy Act (BSA), passed in 1970, requires financial institutions to file reports on large cash deposits and suspicious activities to federal regulators. It forms the legal backbone of anti-money laundering (AML) compliance in the United States and is enforced by the Securities and Exchange Commission, the Federal Reserve, and the Financial Crimes Enforcement Network (FinCEN).
The Origins and Purpose of the Bank Secrecy Act
The Bank Secrecy Act was Congress’s response to the growing problem of money laundering and financial crimes in the late 1960s. At that time, criminals and corrupt officials moved vast sums across borders and through banking systems with little transparency or oversight. The act created the first systematic reporting framework requiring banks to be eyes and ears for law enforcement.
The law is named somewhat ironically. “Bank secrecy” refers not to the banks’ secrets, but to the secrecy customers once enjoyed. The act breaks that secrecy by requiring disclosure to federal authorities. It’s one of the oldest and most consequential financial crime laws on the U.S. books.
Currency Transaction Reports: The $10,000 Threshold
When a customer deposits, withdraws, or exchanges $10,000 or more in a single business day, the bank must file a Currency Transaction Report (CTR) with FinCEN within 15 days. The threshold has remained $10,000 since 1970, unadjusted for inflation—meaning it captures far more activity today than it did decades ago.
The CTR is mechanical. It doesn’t imply wrongdoing; it’s simply a record. Legitimate businesses—restaurants, shops, contractors—file hundreds of CTRs annually and remain wholly compliant. The data helps law enforcement detect patterns: a single $10,000 withdrawal isn’t suspicious, but 40 deposits of $9,500 across multiple branches in one week is.
A critical nuance: structuring—deliberately breaking transactions into smaller amounts to avoid the $10,000 report—is itself illegal. Depositing $9,900 every other day to avoid CTRs can trigger prosecution for structuring, even if the underlying funds are legitimate. Conversely, banks have a safe harbor: they can’t be held liable for filing a CTR they believe is legally required, even if the customer later claims the deposits were innocent.
Suspicious Activity Reports: The Broader Net
Suspicious Activity Reports (SARs) are filed when a bank suspects activity related to money laundering, fraud, corruption, or sanctions violations, regardless of the dollar amount. A SAR can be triggered by a $500 wire transfer to a high-risk jurisdiction, a series of small deposits by a customer whose occupation doesn’t match the pattern, or a transaction involving a politically exposed person.
SARs are filed within 30 days of detection and are subject to strict confidentiality rules. The bank is forbidden from tipping off the customer (“tipping off” is itself a crime). This secrecy is essential: if criminals knew they’d been flagged, they’d move their activities elsewhere. Law enforcement uses SARs to build cases, identify networks, and freeze accounts suspected of involvement in terrorist financing or major crimes.
The threshold for a SAR is intentionally low and subjective. Banks must file a SAR if they suspect activity “may involve” a violation of law or regulation. This creates a compliance burden—institutions must screen millions of transactions daily—but it also casts a wide net, catching patterns that might otherwise slip through.
Know Your Customer and Customer Due Diligence
The Bank Secrecy Act requires financial institutions to maintain current information about the identity of their customers. Know Your Customer (KYC) rules mandate that banks verify the customer’s name, address, date of birth, and Social Security number (for individuals) or tax identification number (for businesses).
Enhanced due diligence applies to high-risk customers: politically exposed persons, customers in high-risk jurisdictions, and beneficial owners of corporate accounts. Banks must now identify the individuals who own 25% or more of a business opening an account—a rule added by the Beneficial Ownership Rule to close loopholes that allowed shell companies to hide true ownership.
These requirements vary by institution type. A national bank regulated by the Office of the Comptroller of the Currency (OCC) has different compliance obligations than a money services business or a brokerage firm, though all fall under the BSA umbrella.
Record-Keeping Obligations
Banks must keep records of all transactions and file them with FinCEN. The standard retention period is five years, though some documents—like currency exchange records and large transaction documentation—must be kept longer. These records are the backbone of investigations: if a customer later appears in a criminal case, regulators can subpoena the bank’s files to establish a timeline and trace flows.
Smaller institutions and banks in rural areas sometimes struggle with record-keeping compliance due to cost and complexity. Regulatory agencies have issued guidance on risk-based approaches, allowing smaller banks to implement proportionate controls rather than enterprise-level systems.
Enforcement and Penalties
The Bank Secrecy Act is enforced by a constellation of agencies: FinCEN, the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the SEC, and state banking regulators.
Violations carry significant penalties. Civil penalties can reach $250,000 per violation. Criminal penalties include fines up to $10,000 and imprisonment up to five years for willful violations. In recent years, major banks have paid billions in settlements for BSA violations—failures to file SARs, inadequate KYC, or breaches in sanctions screening.
A 2019 FinCEN investigation found that Deutsche Bank, one of the world’s largest banks, filed inadequate SARs for years, allowing suspicious transactions to flow undetected. The bank paid $600 million. Similar penalties have hit Wells Fargo, JPMorgan Chase, and others. These settlements signal that regulators view BSA compliance not as box-ticking but as a core institutional responsibility.
The Dodd-Frank Connection
The Dodd-Frank Act of 2010 strengthened BSA requirements by placing new emphasis on beneficial ownership, customer due diligence, and risk-based approaches to compliance. It also formalized FinCEN’s role as the BSA’s hub and clarified that all financial institutions—not just banks—must comply.
International Dimensions
The BSA’s influence extends globally. Many countries have modeled their AML frameworks on the U.S. approach. The Financial Action Task Force (FATF), an international body, sets global AML standards, and member countries (including most of the developed world) are expected to implement equivalent rules.
For multinational banks, this creates a patchwork: they must comply with BSA rules in the U.S., GDPR data protection rules in Europe, and equivalent AML regimes elsewhere. The pressure to harmonize has grown, but regulatory divergence remains a significant compliance cost.
See also
Closely related
- Dodd-Frank Act — Strengthened and expanded BSA requirements after the 2008 financial crisis
- Securities and Exchange Commission — Enforces BSA compliance for broker-dealers and investment advisers
- Federal Reserve — Supervises bank holding companies’ AML and BSA compliance
- Federal Deposit Insurance Corporation — Oversees FDIC-insured banks’ BSA obligations
- Counterparty risk — AML compliance reduces the risk that a financial institution facilitates crime
Wider context
- Sovereign default — Corrupt regimes often use AML-evading channels to move wealth and avoid sanctions
- Political risk — Sanctions and asset freezes depend on BSA/AML systems to identify and block illicit funds
- Credit rating — Institutions with BSA violations face reputational damage that affects credit spreads
- Reputational risk — BSA breaches expose institutions to lawsuits, regulatory action, and loss of depositor trust
- Central bank — Central banks coordinate cross-border AML enforcement and sanctions implementation