What is the Bank Secrecy Act? (and why it matters)
The Bank Secrecy Act (BSA) is the cornerstone of banking regulations in the United States.
It was created in 1970 to curb a very particular problem: dirty money flowing through banks. In other words, the focus and intent was (and still is) combating money laundering, terrorism financing, and fraud in the financial sector - an enormous task that needed specific attention.
In 1990, a new branch of the US Treasury emerged, one that would be in charge of the BSA: The Financial Crimes Enforcement Network (FinCEN).
FinCEN issued, regulated, and enforced the BSA with several other federal agencies having touchpoints, including the FDIC, IRS, and of course, the DOJ. Not only did this make the BSA the de facto 'compliance rulebook' for financial institutions, it meant that if the rules were broken, these agencies would be the ones knocking - and they did.
$3.1 trillion of criminal funds flowed through the global financial sector in 2023.
It was a monumental figure. It showed precisely how banks using legacy AML solutions had failed, and the incoming penalties meant FinCEN knew about it. The banks were forced to pay $7 billion in fines, and non-compliance with the BSA was at the center of the problem.
Naturally, compliance with the law was the solution, and that hasn't changed in 2024.
Minimizing the risk of heavy fines and combating global criminal activity starts with understanding the BSA and extracting the AML requirements within.
Financial institutions can then use this blueprint as a foundation for better decision-making when selecting providers, ultimately preventing fraud, avoiding fines, and minimizing losses.
What are the AML Requirements listed in the BSA?
The Bank Secrecy Act has countless amendments, rulings, and guidelines to interpret.
Of these, we've derived 14 specific AML requirements, with a caveat.
Compliance obligations expand with the organization. The larger the financial institution and the more resources present, the more scrutiny and demands on their AML processes. But, the foundation of the AML requirements stays the same.
We reference nine key acts and two final rulings (see table) while delving into the regulatory progression. The BSA requirements, seen through the lens of this progression, paint a very insightful picture of the current threat landscape and how we got here.
It started with its first release in 1970.
The original version of the Bank Secrecy Act was officially titled The Currency and Foreign Transactions Reporting Act. Common sense reporting guidelines were the goal. However, as technology advanced and criminals found more sophisticated ways to hide their money, the requirements had to evolve to keep up.
The 1970 act listed simple controls addressing money laundering. There were five rules that basic AML solutions, Core Banking Systems, and internal frameworks had to address at a minimum. These are still applicable today.
Recordkeeping - Obligations to keep records of transactions, account details, and customer information to allow authorities access to an audit trail for suspicious activity.
Currency Transaction Reports (CTRs) - Flagging cash deposits over $10,000 a day and reporting them to FinCEN.
Foreign Bank Account Reports (FBARs) - Filing a report if the aggregate value of a foreign financial account exceeds $10,000 when that person has a financial interest in or signature authority over the account.
Financial Institution Records - Verifying customers before issuing or selling bank checks, drafts, cashier's checks, money orders, and traveler's checks, which applied between $3,000 and $10,000 inclusive. The rule also required that ID information be stored for five years.
Cooperating with Law Enforcement - Sharing financial records under certain conditions like subpoenas or summons.
But CTRs and recordkeeping weren’t enough to address other suspicious activity, like erratic deposit patterns or transactions that were odd for the nature of a particular business. This gave way to Suspicious Activity Reports (SARs) becoming a requirement with The Annunzio-Wylie Anti-Money Laundering Act of 1992.
Suspicious Activity Reports (SARs) - Reporting transactions known to involve or suspected of involving money laundering, with a guideline for assets/funds exceeding $5,000. However, the threshold amount doesn’t apply if the activity involves potential terrorist financing or the bank itself can reasonably identify a suspect.
But this didn't account for high-risk customers. So, the USA PATRIOT Act of 2001 then came into play, enhancing SAR reporting while significantly expanding the BSA, explicitly introducing new requirements for verification, and storing customer details.
Customer Identification Program (CIP) - A foundational KYC rule requiring banks and other financial institutions to collect and verify (against authoritative sources) the name, DOB, ID document, and address information of a customer prior to opening an account.
Enhanced Due Diligence (EDD) - In addition to the due diligence requirements set in previous amendments, the new rules required the implementation of rigorous controls, policies, and procedures for higher-risk customers, e.g., PEPs, customers with adverse media attention, and on watchlists.
The enhancements didn’t stop there. In 2016 and 2018 respectively, under the BSA, two Final Rules (detailed directions issued by federal agencies, in this case, FinCEN) were implemented as additional controls for AML.
Risk-Based Customer Due Diligence (CDD) & Beneficial Ownership - Maintaining and updating customer information, understanding the nature and purpose of the customer relationship, and continuous monitoring. It included identifying and verifying beneficial owners of a legal entity (an individual directly or indirectly owning 25% or more of the legal entity).
CIP, AML, and Beneficial Ownership Expansions - This 2018 rule expanded CIP & AML rules to banks and other financial institutions that were not federally regulated. State-chartered banks, private banks, credit unions, and trusts now had the exact same reporting requirements.
Finally, in 2020, The Anti-Money Laundering Act (AMLA) introduced penalties and whistleblower protection, bolstered FinCEN's powers, and strengthened existing laws.
BSA Purpose Expansion - Compliance with FinCEN's AML and Counter-Terrorism Financing (CTF) priorities across financial institutions' policies, procedures, and internal frameworks was mandated. FinCEN is expected to announce new priorities every four years.
Beneficial Ownership Registry - Although the 25% rule mentioned earlier still stands for what counts as a beneficial owner, legal entities now have to report these beneficiaries and any other individuals that exercise significant control over the entity to FinCEN upon the creation of the entity and where there are changes made on an ongoing basis.
Expanded Definitions for Cryptocurrency - The definition of 'financial institution' is now broadened to 'money transmitting' businesses, including crypto and digital currency businesses.
Modernization of AML Processes - Recommendations for adopting innovative technologies, AI, and digital identity solutions to enhance and streamline AML compliance.
From the incremental strengthening of old requirements to the introduction of new laws addressing emerging concerns, it's clear that the BSA is an ever-changing piece of legislation.
With this evolving regulatory environment, modern tools that can adapt to new requirements become a vital prerequisite, and with new amendments on the horizon, falling behind has never had more potential liability.
What are the new BSA requirements?
Nothing illustrates the progression and evolution of AML requirements like public enforcement of the laws outlined in the BSA.
As we saw in the 2020 AML regulations, crypto exchanges and digital currency businesses got ushered into the mix. The BSA had finally defined these as financial institutions. Cryptocurrency businesses now had to follow the rules and regulations that other institutions did, and the progress has been very visible.
Binance's record $4.3 billion fine for breaking AML laws illustrates the breadth of these regulations and the importance of following them. However, expanding the regulatory umbrella doesn't start and stop with the BSA and FinCEN.
Virtual Asset Service Providers (VASPs) were defined by an intergovernmental organization called The Financial Action Task Force (FATF) in 2019.
“Virtual asset service provider” as any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
i. Exchange between virtual assets and fiat currencies;
ii. Exchange between one or more forms of virtual assets;
iii. Transfer of virtual assets; and
iv. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
v. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
The comprehensive document for guidance on a risk-based approach defines virtual assets, ICOs, and more. Although FinCEN doesn't reference these definitions in the BSA, we can see a clear shift in adopting these rules for the future.
In October 2022, FinCEN announced that Bittrex, a VASP, failed to comply with AML and SAR reporting requirements, specifically regarding high-risk customers on sanction lists and darknet markets. FinCEN fined Bittrex $29 million, making their stance clear: VASPs must play by the same rules.
Financial institutions operating in the gray had a reality check.
Even though the BSA made no specific mention of VASPs, FinCEN still took enforcement action over Bittrex's failure to report suspicious activity between 2014 and 2017, well before the popularity of crypto or the presence of particular rules. Why?
Because regardless of the timing, the actions were congruent with money laundering - the specifics were irrelevant.
Whether the amendments have been made or not, whether guidance has been given or withheld, financial institutions in 2024 that aren't at the forefront of fraud prevention and AML are under the microscope.
A lack of proactive adoption of AML, KYC, and CDD processes undoubtedly creates future risk for these organizations, a risk that did, in fact, materialize for the institutions mentioned earlier.
The tragedy is that this risk is entirely avoidable.
Innovating on fraud prevention and money laundering processes is as simple as partnering with a modern provider. Legacy providers have worked since 1970, but as we've seen, they are not future-proof. Nimble fintechs in the AML and KYC space can move faster within a changing technological and threat landscape, and that speed is pivotal in managing tomorrow's AML requirements.
So, what should a modern provider include?
How does a modern provider address the requirements we listed earlier?
The answer: a lot of new technology, good data, and integration that works with older systems.
What AML solutions are BSA compliant?
In other words, what features should a modern AML solution have?
In 1970, we had about five specific rules in the BSA: currency transaction reporting, simple thresholds, foreign account reporting, etc. Legacy AML solutions would hook into Core Banking Systems (how banks operate their business) and provide these simple flags.
It’s 2024, and now:
Criminals are using AI to fabricate extremely convincing people (Synthetic Fraud).
Doctoring documents with the same technology is up 38% year-over-year.
Cryptocurrency, online banking, online businesses, and complex structuring are all new avenues for money laundering.
With more stringent regulations, sophisticated technological threats, and a wider risk surface, it’s now a prerequisite for banks to use modern identity verification and fraud detection to avoid losses.
Fraud detection solutions that address all 14 requirements we outlined, and any subsets of these laws (present or future), need to go beyond flagging the basics; they need to:
Automate the creation and decision-making for risk profiles based on risk tolerance (risk-based approach).
Access global authoritative sources while being sophisticated and targeted in risk scoring.
Ensure customer due diligence requirements are met.
Pre-validate entered data (which also reduces drop-off during account opening).
Perform biometric scanning and facial matching.
Detect fake or doctored IDs with AI-powered authenticity checks.
Sequence identity checks across multiple authoritative data sources while remaining cost-effective.
Scan and flag high-risk individuals across global watchlists and sanction lists (enhanced due diligence).
Check for adverse media presence and flag politically exposed persons.
Remain flexible and integrate seamlessly with systems already in use.
All while ensuring the customer experience remains frictionless, match rates are maximized, false positives are minimized, and legitimate new account holders aren't sacrificed for security.
It's pivotal that compliance teams identify providers that can deliver these capabilities and ask the right questions when considering options.
Data Zoo's Identity-Proofing Buyers Guide Questionnaire is a great start in ensuring customer due diligence is on par or beyond industry standards when evaluating fintech partners.
Another point to consider is whether their compliance certifications provide an extra layer of security regarding data handling.
After confirming these modern capabilities are available and industry certifications are present, financial institutions will be in one of the most advantageous positions for fraud prevention as well as AML and regulatory compliance as a whole.
What Are The Most Important BSA Amendments?
There are nine essential amendments to the Bank Secrecy Act (including the original).
Although many pieces of legislation directly support, accompany, or otherwise relate to the BSA, we've identified nine that have significantly impacted AML, KYC, and CDD requirements for financial institutions.
These amendments we link to are a fantastic primary reference to the requirements we derived and listed earlier. The reference table briefly summarizes each amendment, but the primary material is much more nuanced.*
*More comprehensive reading should be conducted after this introduction, especially when informing your compliance policies, procedures, or AML/KYC provider decisions.
The Bank Secrecy Act & Key Amendments: Reference Table and Summary
Regulation | Summary |
The Currency and Foreign Transactions Reporting Act of 1970 (the original Bank Secrecy Act) | The original version of the regulation aimed at money laundering. It established common sense transaction thresholds and reporting to curb money laundering. Other intentions were to create an audit trail for larger transactions and track foreign accounts. |
 | Established money laundering as a federal crime and set up mechanisms to combat the structuring of financial activity to avoid transaction thresholds. |
 | Targeted money laundering specifically relating to drug trafficking, reinforcing the importance of Currency Transaction Reports (CTRs) and increasing penalties at the federal level. |
The Annunzio-Wylie Anti-Money Laundering Act of 1992 | Introduced Suspicious Activity Reports (SARs) and established the Bank Secrecy Act Advisory Group (BSAAG). |
 | Enhanced communications and cooperation requirements across government bodies and financial institutions. |
The Money Laundering and Financial Crimes Strategy Act of 1998 | Created a coordinated national effort to combat money laundering. |
The USA PATRIOT Act of 2001 | Significantly expanded the BSA framework by including enhanced customer identification program (CIP) requirements, more customer due diligence for foreign accounts, and improved information-sharing provisions across financial institutions and the federal government. |
The Intelligence Reform and Terrorism Prevention Act of 2004 | Added efforts for sharing information when curbing terrorism and money laundering. |
The Anti-Money Laundering Act (AMLA) of 2020 | The most recent and one of the most significant amendments to the BSA. It expanded requirements in AML and counter-terrorism financing while introducing more information-sharing provisions and substantial increases to whistleblower rewards. |