BSA/AML Fundamentals

BSA/AML is the U.S. regulatory framework that requires financial institutions to report large cash transactions, file Suspicious Activity Reports on potential money laundering, and run risk-based compliance programs. The Bank Secrecy Act creates the paper trail law enforcement uses to follow illicit money, and the anti-money laundering rules layered on top dictate how banks monitor, escalate, and report.

The $9,500 Deposits

Rita was three months into her BSA analyst role at a regional bank when she spotted the pattern.

A local restaurant owner named Dennis Farrow had made four cash deposits over two weeks. Monday: $9,500. Wednesday: $9,400. The following Monday: $9,800. Thursday: $9,200.

Each deposit sat just under $10,000. Rita knew that number mattered. Federal law requires banks to file a Currency Transaction Report for any cash transaction over $10,000. Dennis apparently knew that number too.

She pulled his account history. For the past six months, he'd averaged $3,200 in weekly deposits. A burger joint doesn't quadruple its cash revenue overnight.

Rita drafted a Suspicious Activity Report. Not because any single deposit broke a rule. Because the pattern told a story: someone was deliberately breaking up cash deposits to avoid triggering reporting requirements. In BSA language, that's called structuring. And structuring is a federal crime even if the underlying money is perfectly clean.

Dennis Farrow's attorney would later argue that his client simply didn't like paperwork. The judge wasn't persuaded.

This story is fictional, but the patterns are real.

Why This Matters

If you work at a bank, credit union, money services business, or fintech, you operate under a web of federal regulations designed to catch financial criminals. The Bank Secrecy Act and its associated anti-money laundering rules aren't optional. They're the foundation of how the United States government tracks dirty money.

In previous modules, you learned how common fraud typologies work and how money moves through wire and ACH rails. This module covers what happens on the compliance side. When a fraud analyst spots suspicious activity, BSA/AML is the framework that determines what gets reported, to whom, and when.

Understanding BSA/AML matters even if you never file a report yourself. These rules shape how banks build their monitoring systems, how investigators escalate cases, and why certain transactions get flagged in the first place. Every fraud team operates within this regulatory structure whether they realize it or not.

The Bank Secrecy Act: A Brief History

The Bank Secrecy Act passed in 1970 with a straightforward goal: make it harder for criminals to use banks to hide the proceeds of illegal activity. The statutory framework lives at 31 USC 5311 et seq.↗^[1] and runs from § 5311 (declaration of purpose) through § 5336 (beneficial ownership reporting).

Before BSA, banks had no obligation to track or report large cash transactions. Drug traffickers, tax evaders, and organized crime figures could deposit millions in cash without anyone asking questions. The government couldn't trace money that nobody was required to document.

BSA changed that by requiring financial institutions to keep records and file reports that would create a paper trail. The idea wasn't to stop crime at the bank counter. It was to give law enforcement the documentation they needed to follow the money after the fact.

The law has been expanded significantly since 1970. The USA PATRIOT Act of 2001 added sweeping requirements after the September 11 attacks, including customer identification programs and enhanced due diligence for foreign accounts. The Anti-Money Laundering Act of 2020 (AMLA) brought the most significant updates in two decades. Among its key provisions: it created the FinCEN Office of the Whistleblower (which can pay awards of 10 to 30 percent of monetary sanctions over $1 million in successful enforcement actions), established the National AML/CFT Priorities that institutions must incorporate into their risk-based programs, modernized the SAR/CTR regime, and laid the statutory groundwork for the beneficial ownership reporting framework under the Corporate Transparency Act.

Who must comply with the BSA?

BSA doesn't just apply to traditional banks. The law covers a broad range of "financial institutions":

Fintechs don't get a pass. If a company transmits money, it's likely an MSB under federal law and must comply with BSA requirements. Many early fintech companies learned this the hard way.

What does FinCEN do?

The Financial Crimes Enforcement Network (FinCEN) is the Treasury Department bureau that administers BSA. Think of FinCEN as the central intelligence hub for financial crime data. Banks and other institutions send their reports to FinCEN. Law enforcement agencies query FinCEN's databases when investigating cases.

FinCEN doesn't conduct routine bank examinations. That job is delegated to the primary regulators: the OCC for national banks, the Federal Reserve for state member banks, the FDIC for state non-member banks, and NCUA for credit unions. For non-bank financial institutions like money services businesses and casinos, FinCEN delegates BSA examination authority to the IRS under 31 CFR 1010.810. These regulators conduct BSA/AML examinations and can impose penalties for non-compliance. FinCEN retains independent enforcement authority of its own, however, and has used it directly against major institutions (USAA Federal Savings Bank in 2022, Capital One in 2021, and others), often in parallel with the primary regulators.

The penalties are significant. Banks have paid hundreds of millions of dollars in BSA/AML fines. Individual compliance officers have faced personal liability, including criminal charges, for willful failures to file required reports.

The Core Reporting Requirements

When does a bank file a CTR?

The most mechanical BSA requirement is the Currency Transaction Report. Any cash transaction over $10,000 triggers a mandatory CTR filing under 31 CFR 1010.311↗.^[2] The bank has no discretion here. It's automatic.

"Cash" means physical currency. Checks, wire transfers, and electronic payments don't count toward the $10,000 threshold. A customer who deposits a $50,000 check doesn't trigger a CTR. A customer who deposits $10,001 in twenty-dollar bills does.

Banks must file CTRs within 15 calendar days of the transaction. The report captures who conducted the transaction, the amount, the account involved, and identifying information like driver's license numbers.

What is structuring?

Remember Rita's case with the restaurant owner. Structuring is the act of breaking up transactions to stay under reporting thresholds. 31 USC 5324↗^[3] makes this illegal regardless of where the money came from.

This catches people off guard. A small business owner who deposits $9,500 instead of $10,500 to "avoid the hassle of paperwork" has committed a federal crime. The money could be completely legitimate. The intent to evade the reporting requirement is the crime.

Structuring patterns come in several flavors:

Breaking up deposits. Instead of depositing $25,000 in cash, a person makes three deposits of $8,300 over a week.

Using multiple branches. Same person deposits $9,000 at three different branches on the same day.

Using multiple people. The account holder sends family members to make deposits at different branches. This is sometimes called "smurfing."

Keeping deposits variable. Sophisticated structurers avoid round numbers. They deposit $9,472 one day and $8,831 the next, making the pattern less obvious to automated systems.

Banks are required to monitor for structuring and file Suspicious Activity Reports when they identify it under 31 CFR 1020.320↗.^[4] The best BSA analysts look beyond individual transactions and focus on patterns over time.

How does the 314(b) information-sharing program work?

One of BSA's most powerful but underutilized tools is Section 314(b), which allows financial institutions to share information with each other about suspected money laundering and terrorist financing.

Normally, bank privacy rules prevent institutions from discussing customer information. 314(b) creates a safe harbor. Banks that register for the program can contact other banks to ask about specific transactions or customers when investigating potential money laundering.

Here's how it works in practice. Say a BSA analyst at Bank A sees $50,000 wired to an account at Bank B, and the circumstances are suspicious. Under 314(b), the analyst at Bank A can contact Bank B's compliance team and ask: "Does this account have activity consistent with money laundering?" Bank B can share relevant information without violating privacy laws.

FinCEN's December 2020 314(b) Fact Sheet^[6] clarified an important point. Sharing is not limited to activity the institution has already concluded is money laundering or terrorist financing. It also extends to information about suspected specified unlawful activities (SUAs) under 18 USC § 1956 (fraud against individuals, organizations, or governments; computer fraud and abuse; and other predicate crimes) that could form the basis for money laundering. This broader reading lets institutions collaborate earlier in the investigation, before they have certainty about how funds will ultimately be moved.

The program requires voluntary registration through FinCEN. Both parties must be registered for the information sharing to be protected. The shared information can only be used for BSA/AML purposes, not for competitive advantage or marketing.

314(b) has become increasingly important as criminals spread activity across multiple institutions. No single bank sees the whole picture. Information sharing helps connect the dots.

What is the Travel Rule?

The Travel Rule sits at 31 CFR 1010.410(f) (FinCEN) with a parallel Federal Reserve recordkeeping rule at 31 CFR 1020.410; the original 1995/1996 rulemaking was issued jointly. It requires that certain identifying information about the originator and beneficiary "travel" with funds transmittals of $3,000 or more. For each covered wire, the originating institution must pass to the next institution in the chain the originator's name, address, and account number, the amount and execution date, and the beneficiary's identifying information when known.

The point is to prevent banks from acting as anonymous relays. If a wire passes through three banks, every institution in the chain should be able to see who sent the money and who is receiving it. Travel Rule compliance is closely tied to OFAC screening and to SAR investigations, since incomplete or mismatched originator data is itself a red flag. FinCEN and the Federal Reserve have an open proposed rule that would lower the threshold to $250 for cross-border transfers and explicitly extend Travel Rule obligations to convertible virtual currency transmittals, mirroring guidance FinCEN has applied to crypto since 2019.

How is OFAC different from BSA?

BSA is not the only compliance regime BSA officers usually own. Running alongside it is the U.S. economic sanctions regime, administered by the Office of Foreign Assets Control (OFAC) at Treasury under authorities like the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act. Where BSA is about reporting and recordkeeping to support law enforcement, OFAC sanctions are about prohibition: U.S. persons and U.S.-touching transactions cannot do business with sanctioned parties, sanctioned countries, or sanctioned sectors at all, regardless of intent.

The two regimes operate as parallel tracks. FinCEN and the bank's prudential regulator examine the BSA/AML program; OFAC enforces sanctions compliance separately and can impose strict-liability civil penalties for violations. Many institutions run their BSA and sanctions functions out of the same compliance department because the workflows overlap heavily (customer identification, transaction monitoring, watchlist screening), but the legal authorities and the consequences for failure are distinct. Sanctions screening typically happens in real time at the point of payment and at customer onboarding, against OFAC's SDN list and sectoral sanctions lists, with hits blocked or rejected rather than merely reported.

How Money Laundering Actually Works

Understanding money laundering helps you see why BSA reporting matters. Laundering isn't a single act. It's a process with three recognized stages.

Placement: Getting Dirty Money Into the System

Placement is the hardest stage for criminals. They have cash from illegal activity (drug sales, extortion, fraud proceeds) and need to get it into the financial system without attracting attention.

Common placement methods include:

• Depositing cash in small amounts across multiple banks (structuring)
• Using cash-intensive businesses as fronts (laundromats, car washes, restaurants)
• Purchasing money orders or cashier's checks with cash
• Smuggling cash to countries with less rigorous reporting requirements
• Using casinos to convert cash to chips and then back to a check

The CTR requirement targets placement directly. By forcing banks to report large cash transactions, BSA makes it harder to move significant amounts of cash into the banking system unnoticed.

Layering: Creating Distance

Once money is inside the financial system, criminals layer it through a series of transactions designed to obscure its origin. The goal is to create so many steps between the dirty cash and the final destination that investigators can't connect the two.

Layering might involve wiring money between accounts at different banks, moving funds through shell companies in multiple countries, converting between currencies, or purchasing and selling assets. Each step adds distance from the original crime.

This is where Suspicious Activity Reports become critical. While no single transaction in a layering scheme looks obviously criminal, the pattern of rapid movement through multiple accounts, round-trip transactions, or transfers to high-risk jurisdictions can trigger BSA reporting.

Integration: Clean Money, Dirty Origin

Integration is when laundered money re-enters the legitimate economy. The criminal buys real estate, invests in businesses, purchases luxury goods, or simply uses the funds as if they were clean earnings.

By the time money reaches integration, it's extremely difficult to trace. The criminal might own a legitimate business purchased with laundered funds. The business generates real income. The original drug money is now buried under layers of legitimate transactions.

Effective BSA/AML programs aim to catch laundering at placement or layering, before integration makes the money virtually untraceable.

Building a BSA/AML Compliance Program

Every covered financial institution must maintain a BSA/AML compliance program with five required elements, often called the "five pillars." The FFIEC BSA/AML Examination Manual↗^[5] is the canonical examiner guidance on what each pillar looks like in practice:

1. Internal Controls

Written policies and procedures that define how the institution identifies, monitors, and reports suspicious activity. This includes transaction monitoring rules, customer risk rating methodologies, and escalation procedures.

2. BSA/AML Officer

A designated individual responsible for the day-to-day operation of the compliance program. This person must have sufficient authority and resources to do the job effectively. Regulators scrutinize whether the BSA officer has genuine authority or is just a figurehead with an impressive title and no budget.

3. Training

All relevant employees must receive BSA/AML training appropriate to their role. Tellers need to know about CTR requirements and structuring. BSA analysts need deep knowledge of suspicious activity indicators. Senior management needs to understand their oversight responsibilities.

4. Independent Testing

The BSA/AML program must be tested by an independent party (internal audit or external auditors) to ensure it's working effectively. Testing evaluates whether transaction monitoring systems catch what they should, whether SAR filings are timely and complete, and whether the risk assessment is current.

5. Customer Due Diligence (CDD)

Institutions must understand who their customers are and what normal activity looks like for them. CDD builds on the KYC controls applied at onboarding, then extends through identifying beneficial owners of legal entities (who actually controls the company behind the account), assessing customer risk throughout the relationship, and monitoring for activity inconsistent with the customer's profile.

The CDD Final Rule was issued in May 2016 with an applicability date of May 11, 2018, formalizing CDD as the fifth pillar of a BSA/AML program. Most institutions were already doing some version of it. The beneficial ownership requirement was a major change, requiring banks to identify the natural persons who own or control legal entity customers.

Why is BSA/AML risk-based?

BSA/AML isn't one-size-fits-all. Regulators expect institutions to take a risk-based approach, devoting more resources to higher-risk areas.

A community bank in rural Iowa serving local farmers faces different money laundering risks than an international wire transfer hub in Miami. The community bank's BSA program should reflect its actual risk profile, not copy a program designed for a global bank.

Risk assessment considers:

Customer risk. Certain customer types carry higher BSA risk: foreign political figures (politically exposed persons or PEPs), money services businesses, non-profit organizations operating in conflict zones, cannabis businesses, and customers who are reluctant to provide information. Many of these profiles overlap with the criminal infrastructure that BSA reporting is ultimately trying to disrupt.

Product risk. Some products are more vulnerable to abuse. Private banking, correspondent accounts, wire transfers, and prepaid cards all carry elevated risk.

Geographic risk. Customers and transactions involving countries with weak AML controls, high corruption, or active sanctions present higher risk. FinCEN and the Financial Action Task Force (FATF) publish guidance on high-risk jurisdictions.

Transaction risk. Unusual transaction patterns, structuring, rapid movement of funds, and transactions inconsistent with a customer's profile (a hallmark of account takeover) all elevate risk.

The risk-based approach means banks don't need to apply maximum scrutiny to every customer and every transaction. They need to calibrate their monitoring to where the actual risks are.

Key Takeaways

• BSA creates the paper trail that law enforcement follows. Currency Transaction Reports and Suspicious Activity Reports are the foundation of financial crime investigations in the United States.
• Structuring is a crime regardless of the money's source. Breaking up transactions to avoid reporting requirements is a federal offense, even if the cash is legitimate.
• Money laundering has three stages: placement, layering, and integration. BSA reporting targets the first two stages, when detection is still possible.
• The 314(b) program lets banks share information about suspected laundering. No single institution sees the full picture, so cross-institution information sharing is essential.
• BSA/AML compliance is risk-based, not one-size-fits-all. Institutions must calibrate their programs to their actual risk profile, devoting more resources to higher-risk areas.

What's next: The SAR Filing article covers how to identify suspicious activity and write effective SAR narratives, the most critical skill for BSA analysts.

Key Terms

References

1. 31 USC 5311 et seq. — Bank Secrecy Act statutory framework↗ (Cornell LII). Sections § 5311 through § 5336, including § 5313 (currency transaction reports), § 5318 (compliance and SAR authority), and § 5324 (structuring prohibition).

2. 31 CFR 1010.311 — Filing obligations for reports of transactions in currency↗ (Cornell LII). Requires financial institutions other than casinos to file a CTR for "a transaction in currency of more than $10,000."

3. 31 USC 5324 — Structuring transactions to evade reporting requirement prohibited↗ (Cornell LII). The federal anti-structuring statute.

4. 31 CFR 1020.320 — Reports by banks of suspicious transactions↗ (Cornell LII). The operative SAR rule for banks: 30-day filing deadline from initial detection, 60-day cap if no suspect is identified, confidentiality of SARs, and the five-year retention requirement.

5. FFIEC BSA/AML Examination Manual↗. Interagency examiner guidance covering each of the five pillars (internal controls, BSA compliance officer, training, independent testing, and customer due diligence) and the SAR program in detail.

6. FinCEN Section 314(b) Fact Sheet (December 2020)↗. Replaces the prior November 2016 fact sheet and rescinds the 2009 Guidance (FIN-2009-G002) and the 2012 Administrative Ruling (FIN-2012-R006). Confirms that 314(b) sharing is voluntary, that the safe harbor extends to specified unlawful activities under 18 USC § 1956 (including fraud against individuals/organizations/governments and computer fraud and abuse), and that institutions need not have reached a conclusive determination that activity is suspicious before sharing.