How-to guide: How to monitor Bank Secrecy Act (BSA) compliance (USA)

Updated as of: 17 July 2025

Introduction

This guide sets out key issues to address and points to consider when preparing to monitor a Bank Secrecy Act (BSA) compliance program. This guide is aimed at in-house lawyers and compliance professionals in organizations of all sizes and sectors in the United States.

The guide is organized into the following sections:

  1. Introduction to the BSA
  2. Monitoring BSA compliance

State or local laws may set out additional requirements for compliance. Therefore, the discussion in this guide should be taken as a general statement of the laws applicable in most US jurisdictions and not as a comprehensive summary. You are advised to consult local laws before beginning to develop a compliance program of this type.

This guide can be used in conjunction with the following How-to guides: How to appoint a Bank Secrecy Act (BSA) compliance officer, How to identify suspicious activity and make a Suspicious Activity Report (SAR), How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern, and How to assess your organization for money laundering and terrorist financing risk; and with the following Checklists: Initial response to a report of suspicious activity, and Staff awareness and training to prevent money laundering and terrorist financing.

Section 1 – Introduction to the BSA

The BSA requires US financial institutions to assist US government agencies in detecting and preventing money laundering. More specifically, it requires financial institutions to keep records of cash purchases of negotiable instruments and of cash transactions exceeding $10,000 (daily aggregate amount), and to report any suspicious activity that may signify money laundering, tax evasion, or other financial criminal activity (31 USC sections 5311-5330 and 31 CFR Subtitle B Chapter X). The BSA is sometimes referred to as the anti-money laundering (AML) law.

The BSA is made up of a series of laws and regulations that aim to fight money laundering and illicit criminal financial activity. It requires financial institutions to monitor and report suspicious activity and suspicious financial transactions. The laws and regulations surrounding the BSA and other AML considerations are constantly evolving. In July 2024, the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury, proposed a new rule that modernizes financial institutions’ AML and countering the financing of terrorism (CFT) programs, aiming to make them more effective and risk-based. The new rule would allow financial institutions to use risk assessments, as required by FinCEN, to focus their programs on the security measures and internal policies necessary for their individual institution. See, 89 FR 55428.

For further detail refer to How-to guide: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern.

1.1 What are the minimum requirements for compliance with the BSA?

The determination of the adequacy of BSA compliance is specific to each institution. When determining whether a BSA and AML compliance program is adequate, it is necessary to complete a review of the financial institution’s written policies, procedures, and processes.

Based on the Joint Statement of federal agencies (including the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the National Credit Union Administration), a BSA monitoring program must, at a minimum, include the following five pillars:

  • a system of internal controls to ensure that there is ongoing compliance with the BSA;
  • independent testing for BSA and AML compliance;
  • a designated individual responsible for coordinating and monitoring BSA and AML compliance;
  • training for appropriate personnel; and
  • a Customer Identification Program (CIP) that includes risk-based procedures that ensure the financial institution can maintain a reasonable expectation that it knows the identity of its customers.

Section 2 – Monitoring BSA compliance

The method of compliance with the BSA will depend on the financial institution, its policies, procedures, and risk assessment process. There is no rigid formula for ensuring full BSA compliance. However, there are minimum requirements that must be satisfied. When reviewing an institution’s written policies, procedures, and processes, it is important to verify, at a minimum, that the five pillars of BSA compliance exist.

2.1 Internal systems and controls

Internal systems and controls allow the financial institution to ensure compliance with the BSA through policies, procedures, and processes that enable appropriate employees to mitigate and manage illicit financial risk, such as money laundering and financial criminal activity. The nature of the procedures that can be put in place will vary, but it is critical that financial institutions establish and maintain procedures that are reasonably designed to assure and monitor compliance with BSA regulatory requirements. The board of directors should ensure that the financial institution has a practice of compliance appropriate to the institution’s size and scope. Depending on the size of the financial institution, it may be appropriate to have specially tailored internal controls to monitor department-specific risks. Establish a process to regularly monitor and update internal controls in response to changing regulations.

The BSA compliance program must be written, approved by the board of directors, and noted in the board minutes. See, 12 CFR section 208.63. The BSA applies to US entities and persons. There is the expectation that foreign offices of domestic institutions will implement policies, procedures, and processes designed to protect against the risks of money laundering activity and terrorist financing. See, 12 CFR section 208.63, 12 CFR section 326.8, and 12 CFR section 21.21. Merely having written policies, procedures, and processes does not amount to having an adequate BSA and AML compliance program. You must implement the practices mentioned in the written policies. Policies, procedures, processes, and practices should align with the institution’s unique money laundering, terrorist financing, and other illicit financial activity risk profile.

2.1.1 Suspicious Activity Reports (SARs)

Financial institutions must complete and file a Suspicious Activity Report (SAR) immediately upon detecting known or suspected violations of federal law, suspicious transactions relating to money laundering activity, or violations of the BSA.

For further information, please refer to How-to guide: How to identify suspicious activity and make a Suspicious Activity Report (SAR) and Checklist: Initial response to a report of suspicious activity.

See also FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions, released October 2012.

2.2 Independent testing

The financial institution should engage a party with the necessary independence from the board to function as an auditor to ensure compliance with the BSA. This may be an internal audit department, an outside auditor, a consultant, a third party, or even a combination of these resources under the appropriate circumstances and in accordance with the institution’s risk profile. The party who performs the independent audit or testing should report to the board of directors on the status of compliance. The BSA does not set out how often to perform independent testing. The goal of independent testing is to evaluate the adequacy of the institution’s BSA compliance program and to identify any weaknesses or deficiencies that need to be remedied.

Independent testing helps to determine if the financial institution’s policies and procedures align with the institution’s risk profile, and whether the financial institution is adequately adhering to its policies and procedures and maintaining BSA compliance. The third party conducting the independent testing should also prepare a report which outlines the findings and makes an explicit determination regarding the institution’s compliance with the BSA. The financial institution should determine the frequency with which to conduct the testing and ensure that all documentation is securely maintained in the normal course of business.

2.3 BSA compliance officer

Each institution’s board of directors must designate a qualified individual or individuals to coordinate and monitor daily compliance with the BSA. See, 12 CFR section 208.63. The board must also ensure that the individual has the requisite authority and access to administer an adequate BSA compliance program specific to the institution’s risk profile. The compliance officer should have the necessary authority and ability to oversee the pillars of the BSA compliance program.

While there are no official criteria or requirements to be a compliance officer, the selected individual should be well versed and knowledgeable regarding the BSA program and regulations. The role of compliance officer has important consequences for the entire institution, so extensive knowledge of the institution’s processes and procedures and of the banking industry is advisable, in addition to extensive BSA knowledge. Continuous training and review are necessary to ensure that the compliance officer is up to date on the applicable laws and regulations and is aware of new and emerging types of threats.

Under FinCEN’s proposed rule ‘Anti-Money Laundering and Countering the Financing of Terrorism Programs’, issued July 3, 2024, the title of the BSA Compliance Officer would be changed to the AML/CFT Officer (see Section IV, D, 3), to formally reflect the CFT considerations for this role under section 6101 of the Anti-Money Laundering Act of 2020 (AMLA). This change is also consistent with the updated ‘AML/CFT program’ terminology.

Please refer to the How-to guide: How to appoint a Bank Secrecy Act (BSA) compliance officer.

2.4 Training

The BSA requires financial institutions to provide training for appropriate personnel. Appropriate personnel include any employee whose position and duties require knowledge of the BSA. Tailor each employee’s training to that employee’s specific duties and role within the organization and to the risks that someone in such a position may encounter. The training should include an overview of the BSA and of the financial institution’s internal policies and procedures for reporting.

The board of directors and the compliance officer, as well as any other employee in a supervisory position who is subject to the BSA, should receive additional training and stay apprised of any recent changes and developments. They should establish a detailed understanding of the financial institution’s risk profile in conjunction with BSA requirements. Since the board of directors approves the written BSA program, they must have a comprehensive understanding of the BSA.

Financial institutions should develop a program to ensure that all appropriate employees stay up to date on BSA requirements and developments, and that those employees are identified and trained throughout each year. Training may include money laundering and suspicious activity scenarios that employees might encounter in their respective roles. For example, training for bank tellers may include the recommended response to large cash deposits, while individuals who work in the loan department should be exposed to examples of money laundering schemes that involve the lending process. Testing employees on the training may serve as an effective way to ensure the BSA guidelines have been understood.

The first step in evaluating training protocols is to determine which departments, and which employees in those departments, will require BSA training. A training program should address the purpose of the BSA, as well as the relevant regulations, and should familiarize the employees with the financial institution’s internal procedures for ensuring compliance. The training should provide examples of suspicious activity and money laundering specific to the departments within the institution. Finally, the financial institution must ensure that there are records documenting the training sessions, the written materials used, and testing for each department and employee. Maintain these records in the normal course of the institution’s business.

Please also refer to Checklist: Staff awareness and training to prevent money laundering and terrorist financing and How-to guide: How to assess your organization for money laundering and terrorist financing risk.

2.5 Customer Identification Program

The BSA compliance program must include a Customer Identification Program (CIP) with risk-based procedures. These procedures must enable the financial institution to form a reasonable belief that it knows the identity of its customers. Financial institutions, including certain domestic subsidiaries, are required to have a written CIP that is appropriate for their business size and type and that includes certain minimum requirements (see below).

Please also refer to How-to guide: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern.

The CIP rule pertains to a ‘customer.’ This includes a person who opens a new account, and a person who opens a new account on behalf of an individual lacking legal capacity or of an entity that is not a legal person. See FinCEN, Interagency Interpretive Guidance on Customer Identification Program Requirements under Section 326 of the USA PATRIOT Act.

The CIP minimum requirements include those listed below.

  • Account-opening procedures which detail the identifying information to obtain from each customer.
  • Risk-based procedures to verify a customer’s identity within a reasonable period of time following the account being opened. This includes a description of when to use documentary and non-documentary methods (or a combination of both) to verify a customer’s identity.
  • Procedures that set out which documents the financial institution will use if it relies on documents to verify a customer’s identity or, if non-documentary methods of verification are used, that outline the verification process in writing.
  • Procedures for responding to circumstances in which the financial institution is unable to form a reasonable belief that it knows the customer’s identity.
  • Procedures for creating and maintaining a record of all information obtained to identify and verify the customer. At a minimum, the financial institution must retain all identifying information, such as the individual’s name, date of birth, address, identification number, and all other identifying information obtained when an account is opened pursuant to 31 CFR section 1020.220(a)(2)(i). For the purposes of the CIP this information should be retained for a period of five years after the closure of the account. For credit cards, the financial institution must retain this information for a period of five years after the account is either closed or becomes dormant. A financial institution may elect to retain copies of the documents it uses to verify the identity of a customer; however, it is not a requirement under the CIP rule. If the financial institution does retain copies of identifying documents rather than a description, these documents must be retained under the general recordkeeping requirements under 31 CFR section 1010.430.
  • Procedures to determine whether the customer is on any list of known or suspected terrorists or terrorist organizations that has been issued by any federal government agency and designated by the Treasury Department.
  • Procedures to provide the institution’s customers with adequate notice that the financial institution requests information to verify their identity. The CIP rule does not alter an institution’s authority to use a third party, such as an agent or service provider, to perform services on its behalf.

2.6 Ongoing customer due diligence

The BSA compliance program must include appropriate risk-based procedures for conducting ongoing customer due diligence (CDD) and complying with beneficial ownership requirements for legal entity customers as set out in regulations issued by FinCEN. The objective of CDD is to enable the financial institution to understand the nature and purpose of customer relationships. This may include understanding the types of transactions in which a customer is likely to engage. All financial institutions must develop and implement appropriate risk-based procedures for conducting ongoing customer due diligence. See, 31 CFR section 1020.210(b)(2)(v).

CDD and beneficial ownership requirements are part of the first pillar of internal controls: to ensure ongoing compliance by understanding the nature, purpose, and risk factor of customer relationships by verifying the identity of legal entity members for each new banking relationship established after May 11, 2018.

The collection of customer information regarding beneficial ownership is governed by the requirements specified in the beneficial ownership rule. See, 31 CFR section 1010.230(e)(2) and 31 CFR section 1010.230(h). Customer information collected under the CDD rule may be relevant to other regulatory requirements, including identifying suspicious activity, identifying nominal and beneficial owners of private banking accounts, and determining Office of Foreign Assets Control-sanctioned parties.

2.6.1 Customer risk profile and enhanced due diligence

Financial institutions should understand the money laundering and terrorist financing risks of their customers. This is referred to in the rules as the customer risk profile (or risk rating), 31 CFR section 1020.210(b)(2)(v)(A). Financial institutions should identify the specific risks of the customer or category of customers, and then analyze all pertinent information to develop the customer’s risk profile.

Collecting additional information about customers that pose a heightened risk is considered enhanced due diligence (EDD). Customers that pose higher money laundering or terrorist financing risks (ie, higher risk profile customers) present increased risk exposure to institutions. The requirement for ongoing monitoring of the customer relationship reflects existing practices established to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. The CDD program should include risk-based procedures for performing ongoing monitoring of the customer relationship to maintain and update customer information, including beneficial ownership information of legal entity customers. The financial institution’s procedures should establish criteria for determining when and by whom customer relationships will be reviewed, and when to update customer information and reassess the customer’s risk profile.

2.6.2 Beneficial ownership

Under the beneficial ownership rule (31 CFR section 1010.230), a financial institution must create and maintain written procedures reasonably designed to identify and verify the beneficial owners of legal entity customers, and it must include such procedures in its AML compliance program. Under the beneficial ownership rule, a legal entity customer is ‘a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or other similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account.’ See Federal Financial Institutions Examination Council (FFIEC), Beneficial Ownership Requirements for Legal Entity Customers – Overview.

The determination of beneficial ownership may be decided by using the control prong or ownership prong analysis. Under the control prong, the beneficial owner means a single individual with significant responsibility to control, manage, or direct a legal entity customer. This would include an executive officer, senior manager, or another single individual who regularly conducts similar functions. Under the control prong, one beneficial owner must be identified for each legal entity customer. Under the ownership prong, a beneficial owner is each individual who ‘directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity of a legal entity customer.’ See, 31 CFR section 1010.230(d)(1). For instance, if a trust owns 25% or more of the equity, the beneficial owner is the trustee. Identification of a beneficial owner under the ownership prong is not required if no individual owns 25% or more of a legal entity customer. As such, all legal entity customers will have a total of between one and five beneficial owners – one individual under the control prong and zero to four individuals under the ownership prong.
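As an added example that is not part of the guide, the following Python applies the two prongs described above to a constructed ownership structure for a hypothetical legal entity customer. Beyond what the guide states, it assumes that indirect interests are computed by multiplying percentages down each chain of intermediate entities, and that a trust's trustee is reported when the trust holds 25 percent or more.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Threshold from the ownership prong, 31 CFR 1010.230(d)(1): "25 percent or more".
OWNERSHIP_THRESHOLD = 25.0


@dataclass
class Party:
    """An individual, a trust, or an intermediate legal entity in the ownership chain."""
    kind: str                                   # "individual", "trust" or "entity"
    trustee: str | None = None                  # assumption: the trustee is reported for a trust
    owners: dict[str, float] = field(default_factory=dict)  # owner name -> % of this party's equity


def indirect_ownership(parties: dict[str, Party], customer: str) -> dict[str, float]:
    """Aggregate each individual's (or trust's) direct and indirect % of the customer.

    Assumption (not stated in the guide): an indirect interest is the product of the
    percentages along a chain of intermediate entities, summed across all chains.
    """
    totals: dict[str, float] = {}

    def walk(entity: str, share: float, seen: frozenset[str]) -> None:
        declared = sum(parties[entity].owners.values())
        if declared > 100.0 + 1e-9:
            raise ValueError(f"{entity}: declared equity exceeds 100% ({declared})")
        for owner, pct in parties[entity].owners.items():
            effective = share * pct / 100.0
            if parties[owner].kind == "entity":
                if owner in seen:  # circular structures cannot be resolved; flag for review
                    raise ValueError(f"circular ownership through {owner}")
                walk(owner, effective, seen | {owner})
            else:
                totals[owner] = totals.get(owner, 0.0) + effective

    walk(customer, 100.0, frozenset({customer}))
    return totals


def beneficial_owners(parties: dict[str, Party], customer: str, control_person: str) -> dict:
    """Apply both prongs: exactly one control-prong individual, zero to four under ownership."""
    if parties[control_person].kind != "individual":
        raise ValueError("control prong must name a natural person")
    ownership_prong = []
    for name, pct in sorted(indirect_ownership(parties, customer).items()):
        if pct >= OWNERSHIP_THRESHOLD:            # inclusive: exactly 25% qualifies
            p = parties[name]
            ownership_prong.append(p.trustee if p.kind == "trust" else name)
    # With a 25% threshold and equity capped at 100%, at most four holders can qualify.
    assert len(ownership_prong) <= 4
    return {"control_prong": control_person, "ownership_prong": ownership_prong}


# Constructed sample data (not real parties): Acme LLC is the legal entity customer.
SAMPLE_PARTIES: dict[str, Party] = {
    "Acme LLC": Party("entity", owners={"Alice": 30.0, "Beacon Holdings": 40.0, "Cedar Trust": 30.0}),
    "Beacon Holdings": Party("entity", owners={"Bob": 62.5, "Dana": 37.5}),  # Bob: 40% * 62.5% = 25%
    "Cedar Trust": Party("trust", trustee="Teresa"),
    "Alice": Party("individual"),
    "Bob": Party("individual"),
    "Dana": Party("individual"),                 # 40% * 37.5% = 15%, below the threshold
    "Teresa": Party("individual"),
}

if __name__ == "__main__":
    print(beneficial_owners(SAMPLE_PARTIES, "Acme LLC", control_person="Alice"))
    # {'control_prong': 'Alice', 'ownership_prong': ['Alice', 'Bob', 'Teresa']}
```

Alice appears under both prongs, which the rule permits; Bob qualifies only because the 25 percent test is inclusive, and Dana's 15 percent indirect interest drops out.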

In March 2025, FinCEN issued an interim final rule that removed the requirement for US companies (and US persons) to report information concerning their beneficial ownership to FinCEN under the Corporate Transparency Act. Financial institutions are, however, still required to identify and verify the beneficial ownership of their legal entity customers, including US companies.

2.7 Effectiveness of compliance monitoring

Monitoring BSA compliance requires a comprehensive understanding of the BSA and a determination of the financial institution’s risk-based profile. Evaluation of the financial institution’s departments, procedures, policies, and processes is essential to ensuring BSA compliance. The financial institution must have specific procedures to ensure that BSA compliance is established and maintained. The program must be tailored to the risk profile of the financial institution and updated as needed based on changing BSA regulations or the institution’s risk assessment.

FinCEN and federal banking agencies have released a notice of proposed rulemaking for AML/CFT compliance program rules. These rules affect eleven industries under the BSA.

Driven by section 6101 of the AMLA, the changes are intended to establish national examination priorities, and to streamline rules across financial industries. The goals of FinCEN include promoting consistency and integrating the concept of ‘effectiveness’ into compliance programs for banks, casinos, broker-dealers, mutual funds, futures commission merchants, and brokers in commodities. However, the proposal lacks clarity on what ‘effectiveness’ entails and how it will be assessed.

Additional resources

Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence
FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions
FinCEN, Interagency Interpretive Guidance on Customer Identification Program Requirements under Section 326 of the USA PATRIOT Act
Federal Financial Institutions Examination Council (FFIEC), Beneficial Ownership Requirements for Legal Entity Customers – Overview

Related Lexology Pro content

How-to guides:

How to assess your organization for money laundering and terrorist financing risk
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective

Checklists:

Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing
