Introduction
This checklist will assist in-house counsel and compliance teams at financial institutions who are responsible for ensuring that currency transaction reporting requirements set forth in the Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the Bank Secrecy Act (BSA)) are met.
The BSA is aimed at detecting and preventing money laundering and requires financial institutions to report single currency (cash or coin) transactions over $10,000, and multiple currency transactions that aggregate to over $10,000 in a single day, conducted by, or on behalf of, one person. Such transactions are reported on Currency Transaction Reports (CTRs).
This checklist outlines the key steps a financial institution should take to comply with the Currency Transaction Reporting (CTR) requirements set out in the BSA:
- Determine whether your organization is within the scope of the CTR requirements
- Collect all the required identifying information
- Check whether the transaction presents other reporting requirement risks
This checklist is presented as a list of requirements and issues that you can check off as they are addressed. There are explanatory notes corresponding with each requirement in the checklist.
The checklist can be used in conjunction with the following How-to guides: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern, How to assess your organization for money laundering and terrorist financing risk and How to monitor Bank Secrecy Act (BSA) compliance and Checklist: Screening employees for roles in AML compliance.
This checklist for financial institutions provides guidance that is of general application. Each organization should check whether the BSA and applicable regulations contain additional or varied sector-specific requirements.
Step 1 – Determine whether your organization is within the scope of the CTR requirements
| No. | Requirement |
| 1.1 | Consider whether your organization is involved in transactions which fall within CTR filing obligations |
| 1.2 | Review whether multiple transactions should be aggregated for purposes of CTR |
| 1.3 | Consider whether any exemptions apply |
Step 2 – Collect all the required identifying information
| No. | Requirement |
| 2.1 | Ensure all required personal information has been collected for individuals attempting to conduct a reportable transaction |
| 2.2 | Ensure beneficial ownership information has been collected for legal entities |
Step 3 – Check whether the transaction presents other reporting requirement risks
| No. | Requirement |
| 3.1 | Consider whether there is a risk of structuring |
| 3.2 | Consider whether a Suspicious Activity Report (SAR) is required |
| 3.3 | Consider whether the transaction involves cryptocurrency |
| 3.4 | Consider whether the transaction involves an Informal Value Transfer System (IVTS) |
General notes
Legal framework
Financial institutions in the United States (see below for further detail on what is considered a financial institution) must report certain currency transactions to the Financial Crimes Enforcement Network (FinCEN) of the US Treasury Department. These requirements were established by the BSA to prevent financial institutions from being used to launder money to further a criminal enterprise, support terrorism, and other illegal activities. See, 31 USC section 5311 et seq. The USA PATRIOT Act of 2001 bolstered the requirements for financial institutions to report suspicious activities.
The Office of the Comptroller of the Currency (OCC) in the US Treasury Department performs regular investigations of financial institutions for BSA compliance. Financial institutions and customers can face a wide range of civil or criminal penalties under the BSA for failing to adhere to CTR requirements. See, 31 CFR 1010 Subpart H. For example, incomplete or inaccurate CTRs can earn fines of $500 each. Failing to file a required CTR within the 15-day deadline could result in a $10,000 fine for each day the report is not filed. A pattern of negligent violations can lead to a penalty of $50,000, in addition to any other penalties for negligent violations. Civil penalties can reach $100,000, and criminal penalties can reach $500,000 and up to 10 years’ imprisonment for the perpetrator.
Key considerations
Financial institutions subject to CTR requirements generally include the following:
- banks and other types of depository institutions;
- brokers or dealers in securities;
- money transmitters;
- currency exchangers;
- check cashers;
- issuers and sellers of traveler’s checks and money orders; and
- certain casinos and card clubs.
See, 31 CFR Chapter X for further guidance.
The BSA also has two catch-all provisions that empower the Secretary of the Treasury to consider any business or agency as a financial institution ‘if it is similar to, related to, or a substitute for any activity in which any business described in this paragraph is authorized to engage’ or if it is ‘any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters.’ See, 31 USC section 5312(a)(2)(Y)-(Z). The broad definition has been used to take in business models that bear little resemblance to traditional financial institutions. For example, at least one court has held that a seller of virtual currency who transacted business through the use of automatic teller machines in a public place was engaged in the business of transmitting ’cash.’ See United States v. Freeman, No. 21-cr-41-JL (D.N.H. Aug. 22, 2023).
Similar but simpler requirements apply to ‘non-financial trades or businesses’ accepting cash payments over $10,000. They must file a Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business with the Internal Revenue Service (IRS) if they receive more than $10,000 in cash from one buyer. The IRS provides additional guidance for non-financial trade or business reporting requirements. See, IRS Form 8300 Reference Guide.
Explanatory notes
Overview
You must file the CTR through FinCEN’s BSA E-Filing System. For fields that are marked as ‘critical,’ the financial institution must either provide the requested information or indicate that it is unknown. The institution has an obligation to provide the most complete information available and to file the CTR within 15 calendar days of the transaction. Unless the customer asks, the financial institution does not have to inform them that a CTR has been filed. The financial institution must retain copies of CTRs for five years from the date of filing. Back-filing and amending CTRs may be possible, but the institution should contact the FinCEN Resource Center for guidance.
Step 1 – Determine if your organization is within the scope of the CTR requirements
1.1 Consider whether your organization is involved in transactions which fall within CTR filing obligations
If your organization is
- a financial institution, and
- is involved in individual transactions (deposit, withdrawal, exchange of currency, or other payment or transfer) or multiple transactions which are related such that they should be aggregated, which are:
- greater than $10,000; and
- made by, through, or to your organization, by, or on behalf of, one person, in a single day,
such transactions are subject to the CTR requirements - See, 31 CFR Subtitle B Chapter X Part 1010 Subpart C. A 'financial institution' is defined as any person who does business in one or more of the following capacities:
- bank (except bank credit card systems);
- broker or dealer in securities;
- money services business;
- telegraph company;
- casino;
- card club;
- person subject to supervision by any state or Federal bank supervisory authority;
- futures commission merchant;
- introducing broker in commodities; or
- mutual fund.
A 'person' is defined as '[a]n individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.'
In March 2025, FinCEN issued a Geographical Targeting Order (GTO) that lowered the reporting threshold from $10,000 to $200. This GTO applies to 30 counties along the southwest border of the United States (located in California and Texas). The stated purpose of the Order is to address ‘the significant risk to the U.S. financial system of the cartels, drug traffickers, and other criminal actors along the Southwest border’.
In April 2025, FinCEN issued a GTO directed towards Title Insurance Companies located in specific areas throughout the US. It applies if a purchase of real property is made without a bank loan or other similar form of external financing by a financial institution that has both an obligation to maintain an anti-money laundering program and an obligation to report suspicious transactions.
Conduct research to determine whether these GTOs apply to your organisation or if any new GTO’s or regulations have been enacted that impact the cash transaction reporting requirements that apply to it.
1.2 Review whether multiple transactions should be aggregated for purposes of CTR
If your organization knows that individual transactions are conducted by or on behalf of the same person during a single business day, these must be aggregated. Debits must be added to debits, and credits must be added to credits. If cash debit or credit totals exceed $10,000 in a business day, a CTR is required.
Most financial institutions have a system to automatically create a CTR for transactions over $10,000. However, for more complex situations involving multiple transactions or multiple parties, you may need an additional review to determine if a CTR is required for a particular set of transactions. See, 31 CFR section 1010.313.
The financial institution must determine if multiple transactions are made ‘by or on behalf of any person and result in either cash in or cash out totalling more than $10,000 during any one business day.’ This evaluation is based on a review of the transactions. If multiple transactions are made by, or on behalf of, a single person, those transactions should be aggregated and treated as a single transaction. Where the customer is a legal entity, the financial institution must perform due diligence to identify the beneficial owners of the legal entity or entities. See, 31 CFR section 1010.230(b)(2).
A financial institution must consolidate the monitoring of transactions in all its domestic branch offices in order to capture and report related transactions at different branches, made by, through, or to the organization, (by, or on behalf of, one person, that more than $10,000 of cash in or cash out). Night-time, weekend, and holiday transactions must be treated as if they were received the next business day.
The financial institution may presume that separately incorporated entities are independent persons, even if they share a common owner. However, if the financial institution determines that the businesses are not operating separately or independently of one another (eg, if they share staff, the same location, or if the bank accounts of one business are repeatedly used to pay expenses of another), then they should be treated as a single entity.
1.3 Consider whether any exemptions apply
Your organization may have customers who are exempt from CTR requirements. It is important to understand whether these exemptions apply.
The exemptions are divided into two ‘phases.’ See, 31 CFR section 1020.315.
1.3.1 Phase I
Phase I exemptions include customers who are:
- banks operating in the United States;
- local, state, or federal government agencies or departments; and
- entities established according to local, state, or federal law that exercise governmental authority on behalf of the local, state, or federal government.
The Phase I exemptions also include US operations of a majority-owned subsidiary (other than a bank) of an exempted entity, and the domestic operations of any ‘listed entity.’ A listed entity is any entity (other than a bank) whose common stock (or analogous equity interests) is listed on a major national stock exchange.
A Phase I exemption covers all currency transactions with the exempted entity, not just currency transactions that are conducted through an account.
1.3.2 Phase II
Phase II exemptions cover two types of customers:
- certain non-listed businesses; and
- payroll customers,
whose currency transactions meet specified criteria.
To qualify for a Phase II exemption, the non-listed entity must have maintained a transaction account for at least two months, must frequently engage in currency transactions exceeding $10,000, and must be eligible to do business in the United States.
However, businesses conducting the following non-listed business activities are ineligible for the CTR exemption if one or more of the activities in the following list generate more than 50% of the entity’s gross revenues:
- auction of goods;
- charter/operation of ships, buses, or aircraft;
- gaming of any kind, for instance selling lottery tickets;
- investment advisory or investment banking services;
- union activities;
- operation of a pawn brokerage;
- operation of a real estate brokerage, title insurance activities, or real estate closing;
- practice of law, accounting, or medicine;
- purchase or sale of farm equipment or any kind of motorized vehicle or mobile home; or
- financial institution services, such as check cashing.
Payroll customers withdraw funds to pay employees in cash. To be eligible for the exemption, the payroll customer must have maintained the transaction account for at least two months, regularly withdraw $10,000 in currency, and be eligible to do business in the United States. See, 31 CFR section 1020.315(e)(8).
In order to use the exemption, the financial institution must file a Designation of Exempt Person (DOEP) report on the BSA E-Filing system within 30 days after the date of the first reportable currency transaction. See, 31 CFR section 1020.315(c)(2). Financial institutions are not required to file a DOEP report for any Phase I exempted customers or any of the 12 Federal Reserve Banks.
At least once per year, the exemption eligibility must be reviewed. If the review reveals that accounts or customers no longer qualify or were improperly exempted, the financial institution can revoke the exemption by filing a DOEP report. The financial institution should also contact FinCEN’s Resource Center for a determination on whether to back-file CTRs for unreported transactions. FinCEN’s Resource Center can be reached by calling (800) 767-2825 or (703) 905-3591, or by e-mailing [email protected]. FinCEN can also be contacted through their online contact form.
Step 2 – Collect all the required identifying information
A financial institution must verify the identity of anyone who attempts to make a transaction over $10,000. Their identity must be verified regardless of whether the person has an account with the institution.
2.1 Ensure all required personal information has been collected for individuals attempting to conduct a reportable transaction
For individuals, the verification requirements include the following:
- recording the person’s Social Security number or taxpayer identification number;
- recording the person’s address; and
- verifying the person’s identity and address with acceptable identity documents.
2.2 Ensure beneficial ownership information has been collected for legal entities
The identification requirement includes a due diligence requirement (also known as the beneficial ownership rule) to identify beneficial owners of legal entity customers.
The financial institution may rely on the customer’s beneficial ownership information, unless the institution has other information that would reasonably call into question the reliability of the information supplied by the customer.
Step 3 – Check whether the transaction presents other reporting requirement risks
In addition to the determination of whether to file a CTR, it is important that your organization is aware of additional risks presented by certain types of transactions.
3.1 Consider whether there is a risk of structuring
Structuring transactions occurs when a person, acting alone or in conjunction with, or on behalf of, other persons, conducts or attempts to conduct one or more transactions in currency, in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the CTR requirements. See, 31 CFR section 1010.100(xx).
If a customer appears to be deliberately avoiding reporting requirements, the financial institution may still have to file a CTR (as well as a Suspicious Activity Report (SAR) - see 3.2 below). See, 31 CFR section 1020.320(a)(2)(ii).
For example, a customer may deliberately conduct several transactions so that each is less than $10,000 such as a transaction of $9,999 conducted the day after another transaction of $9,999 made with the same party, which will appear suspicious.
On the other hand, two transactions slightly less than $10,000 conducted days or weeks apart may not necessarily be a sign of illegal structuring.
3.2 Consider whether a Suspicious Activity Report (SAR) is required
Financial institutions must file SARs with FinCEN when there is reason to suspect money laundering or fraud.
The BSA provides very few guidelines on what constitutes suspicious activity. A few typical examples include when the financial institution:
- suspects that a customer is structuring a transaction to evade a CTR filing;
- suspects that separate independent businesses with a common owner are being used to avoid triggering reporting requirements; or
- discovers that the customer has backed out of the transaction after learning of the CTR reporting requirements (for example, if the customer asks whether a transaction is subject to reporting requirements). Even if the customer backs out rather than completing the transaction, the financial institution must file a SAR.
In each case, the financial institution should review and research the transactions, including determining the nature of the transaction, prior account history, whether the transaction has a business or apparent lawful purpose, and other relevant information pertaining to the customer, to assess whether the customer’s activity is suspicious. See, 31 CFR section 1010.314.
For further information, see:
Federal Deposit Insurance Corporation, Currency Transaction Reporting
Federal Financial Institutions Examination Council, BSA/AML Manual, Currency Transaction Reporting
US Dept. of Treasury, Notice to Customers: A CTR Reference Guide
3.3 Consider whether the transaction involves cryptocurrency
In 2021, the Infrastructure Investment and Jobs Act (IIJA) introduced new cryptocurrency reporting requirements. The reporting requirements of this legislation were initially meant to take effect from January 1, 2023, but shortly before that date the IRS put the requirements on hold. In August 2023, the IRS published proposed regulations (REG-122793-19) that were built on the IIJA that would cover reporting requirements for cryptocurrency brokers.
Centralized platforms like Coinbase and Gemini must report cryptocurrency transactions to the IRS on Form 1099-DA. This form is similar to the 1099 forms for dividends or capital gains, and it is designed to prevent taxpayers from overlooking or omitting crypto earnings. The IRS has said that it will begin tracking discrepancies in crypto earnings in 2026, using this data to identify differences between individual filings and reported transactions.
While custodial accounts on centralized platforms are subject to this requirement, decentralized exchanges like Uniswap and Sushiswap have different rules. Reporting for wallet-to-wallet trades on these decentralized platforms will not begin until 2027, and even then, they will only report gross proceeds, as they do not have access to purchase price data.
Cost basis reporting, which tracks the purchase price of crypto assets to calculate taxable gains or losses, is postponed until 2026. In 2025, investors will need to compute gains and losses manually. Additionally, investors in newly launched spot bitcoin ETFs will have to meet additional reporting obligations, and must receive either a 1099-B or a 1099-DA form, depending on the provider.
The IRS has issued temporary relief for the 2025 tax year and will allow crypto holders using centralized exchanges to avoid using the first-in, first-out (FIFO) method for calculating taxable gains. Investors will be able to use their personal records or crypto tax software to document which units they sell, providing flexibility during this transition period. See How-to guide: How to address tax and accounting considerations when using cryptocurrency.
3.4 Consider whether the transaction involves an Informal Value Transfer System (IVTS)
As the name suggests, an Informal Value Transfer System (IVTS) generally operates outside the conventional banking system. An IVTS is a network of people that receive money in order to make the funds or their equivalent value payable to a third party in another geographic location. The IVTS operator may be a business entity whose primary business activity has nothing to do with the transmission of money. However, IVTS transactions may intersect with the formal banking system if bank accounts held by the IVTS operator are used. An IVTS provides anonymity for their users, making them attractive for misuse by criminals.
The USA PATRIOT Act brought the IVTS into the definition of financial institution. See, 31 USC section 5312(a)(2)(R). This means that an IVTS must file CTRs, among other requirements. Additionally, if a financial institution knows or suspects that a customer is operating an unregistered IVTS, the institution should file a SAR.
Additional resources
Related Lexology Pro content
How-to guides:
How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective
Checklists:
Being prepared for a visit by a financial regulator
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing
Reliance on information posted:
While we use reasonable endeavors to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.