Lexology PRO analyses enforcement activity surrounding the seminal piece of US AML legislation in the last 12 months.
Key takeaways
- Multistate enforcement surged in 2025, targeting fintech and payment platforms.
- SAR reporting, transaction monitoring, and customer due diligence remain top compliance priorities.
- Expect continued scrutiny of fintech and crypto in 2026, despite delays in applying BSA to investment advisers.
Enforcement action for violations of the Bank Secrecy Act 1970 steadily continued in 2025, with fintech platforms and payment processors bearing the brunt of regulatory action.
Over the past 12 months, companies from Cash App to Wise faced multi-million-dollar penalties for failures in suspicious activity reporting (SAR), transaction monitoring, and customer due diligence, highlighting the compliance gaps that continue to attract scrutiny.
The pattern is clear: the Financial Crimes Enforcement Network (FinCEN) and state regulators are intensifying oversight of high-volume digital payment platforms, which process rapid, cross-border transactions that can be exploited for money laundering. But large, traditional banks are still at risk, as Canada’s TD Bank discovered in October 2024 when it agreed to pay more than US$3 billion in penalties to four US agencies, including FinCEN, for BSA failures.
Please note that the data in this article is based on Scanner’s regulatory coverage, full details of which can be found here. The data captured consists primarily of agency announcements referencing the BSA from 1 November 2024 to 1 November 2025.
Regulatory updates from FinCEN had the most references to BSA in the last 12 months, far outpacing other regulators. As well some notable enforcement actions (mentioned below), FinCEN recently issued guidance on SAR requirements and consultations on information sharing between financial institutions (FIs) and government agencies.
This activity underscore the BSA's core mandate: requiring FIs to maintain records of certain transactions and report suspicious activities to help detect money laundering, terrorism financing, and other financial crimes.
With key thresholds like the US$10,000 cash transaction reporting requirement still in place (though legislative changes may be coming), companies across sectors – from traditional banks to crypto platforms – face ongoing pressure to strengthen their anti-money laundering (AML) and BSA compliance programmes.
The biggest BSA violations of the last 12 months
Lexology PRO has identified three of the most significant BSA violations between November 2024 and November 2025, exploring the companies’ key failures.
Brink’s Global Services: “wilfully” violated the BSA
On 6 February 2025, US armoured car company Brink’s Global Services agreed to pay a US$37 million penalty to FinCEN and forfeit US$50 million under a non-prosecution agreement with the Department of Justice for “wilfully violating” the BSA.
The company failed to register as a money services business, implement an effective AML programme, and file SARs despite transporting hundreds of millions in bulk currency from Mexico.
Cash App and Block pay penalties to 48 states
US fintech Block, parent company of Cash App, agreed to pay over US$79 million in penalties and US$925,000 in administrative costs to settle a multi-state investigation into AML failures on 15 January 2025.
The settlement, announced by the Conference of State Bank Supervisors, involved regulators from 48 states and required Block to hire an independent consultant to review and implement a new AML programme. Regulators alleged that Cash App violated the BSA by failing to maintain adequate AML protections, including customer due diligence and SAR filing.
Wise
The US arm of UK payments company Wise agreed on 9 July 2025 to pay a US$4.2 million administrative fine to settle a multi-state investigation into violations of the BSA.
The consent order, signed on 9 July 2025 by regulators in New York, Texas, Nebraska, Minnesota, Massachusetts, and California, followed findings that Wise failed to conduct timely independent reviews of its AML programme, address deficiencies identified in audits, and file SARs promptly.
BSA violations by company type
Over the past 12 months, enforcement under the BSA have spanned multiple sectors, showing that compliance failures are not limited to one business model. Fintech and cryptocurrency businesses remain high-risk, but traditional FIs have also faced penalties.
Companies like Block and Wise received significant fines for inadequate BSA/AML programmes. These platforms process high volumes of small, rapid transactions, often across borders, which makes them attractive for illicit activity and harder to monitor effectively. Their reliance on automated onboarding and digital-first operations can lead to gaps in customer due diligence and transaction monitoring.
Crypto businesses including OKX and BitMEX have faced regulatory scrutiny. The decentralised nature of crypto transactions, combined with pseudonymity and global reach, creates inherent challenges for KYC and SAR obligations.
Even established banks are not immune. Recent actions against a Deutsche Bank subsidiary and Bank of America highlight legacy institutions can struggle with outdated systems, siloed data, and complex correspondent banking relationships.
Enforcement is sector-diverse, meaning companies should adapt BSA compliance programmes to business model-specific vulnerabilities.
What does 2026 hold for BSA enforcement?
The regulatory landscape for Bank Secrecy Act compliance could shift significantly in 2026.
The Streamline Act, introduced by Senators on 21 October 2025, proposes raising reporting thresholds for currency transaction reports from US$10,000 to US$30,000 and for suspicious activity reports from US$2,000 or US$5,000 to $3,000 or US$10,000. If enacted, these changes would reduce the volume of mandatory filings. According to Ben Hutten, partner at Orrick, these actions “are clear signals that the government is starting to take concrete steps to ease regulatory burden.”
However, whether this translates into lighter enforcement remains uncertain. Hutten expects “fewer instances of public enforcement for non-compliance with BSA requirements that are less critical to its purpose,” but adds that the government focus on risk will put more pressure on risk assessments, “because a good risk assessment can be used to justify how resource are – and, perhaps as importantly, are not – devoted.”
Looking ahead to 2026, Hutten believes FinCEN will continue to use statutory authorities like Section 311 of the PATRIOT Act 2001 and the FEND OFF Fentanyl Act 2024 to impose consequences on foreign FIs determined to be facilitating money laundering abroad. In an indication that this will indeed be a trend in the next year, on 13 November 2025 when FinCEN used these powers to identify 10 Mexico-based gambling establishments as a class of “transactions to be of primary money laundering concern.”
Another factor is the postponement of applying BSA obligations to investment advisers, which may signal a temporary slowdown in enforcement expansion. Yet, regulators could redirect resources toward sectors already under scrutiny, such as fintech, payment platforms, and crypto companies.
Hutten expects enforcement in the banking-as-a-service area to continue, “albeit at an abated pace,” whilst predicting that cryptocurrency enforcement will “significantly decline and be replaced in part with an uptick in state-driven BSA enforcement against non-bank entities.”
Overall, 2026 may bring a recalibration of priorities rather than a retreat from enforcement. Companies should watch legislative developments closely and prepare for evolving expectations around risk-based compliance.