PRIA Logo
Back to search
GovernmentConsumer Protections

Bank Secrecy Act & Anti-Money Laundering

27 min read·Updated May 12, 2026

Bank Secrecy Act & Anti-Money Laundering

The Bank Secrecy Act (1970) and its successors — most importantly USA PATRIOT Act Title III (2001), the Anti-Money Laundering Act of 2020, and the Corporate Transparency Act (2020) — form the legal backbone of the U.S. financial surveillance system. Financial institutions are required to file Currency Transaction Reports (CTRs) for cash transactions over $10,000 and Suspicious Activity Reports (SARs) whenever they detect patterns suggesting money laundering, fraud, or terrorism financing — roughly 4 million SARs filed annually. FinCEN (Financial Crimes Enforcement Network, Treasury) is the primary enforcer, though banking regulators and DOJ play major roles. For most individuals and businesses, BSA/AML compliance is invisible — it happens inside banks before you see it. But it can surface through account freezes, transaction holds, and enhanced due diligence requests that feel sudden and unexplained. The Corporate Transparency Act's beneficial ownership reporting, designed to unmask shell companies, has seen significant enforcement scope changes in 2025; domestic entities are currently exempt under a FinCEN interim rule following court challenges.

Current Law (2026)

ParameterValue
Core statutesBank Secrecy Act of 1970 (31 U.S.C. Chapter 53, Subchapter II); USA PATRIOT Act Title III (2001); Anti-Money Laundering Act of 2020; Corporate Transparency Act (2020)
Primary enforcerFinancial Crimes Enforcement Network (FinCEN), Department of Treasury
Additional enforcersFederal banking regulators (OCC, Fed, FDIC), DOJ, SEC, CFTC, state regulators
CTR threshold$10,000 (cash transactions must be reported by financial institutions)
SAR filing~4 million Suspicious Activity Reports filed annually
Beneficial ownershipCTA BOI reporting now mainly applies to certain foreign entities registered in the U.S.; domestic entities are exempt under current FinCEN rules
Criminal penaltiesUp to $500,000 fine and 10 years imprisonment for BSA violations; money laundering penalties under 18 USC §§ 1956-1957 up to 20 years
  • 31 U.S.C. § 5311 — Declaration of purpose (require certain reports and records to be maintained where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in intelligence or counterintelligence activities)
  • 31 U.S.C. § 5312 — Definitions (financial institution — broadly defined to include banks, broker-dealers, money services businesses, casinos, insurance companies, precious metals dealers, and others)
  • 31 U.S.C. § 5313 — Currency Transaction Reports (financial institutions must report each transaction in currency of more than $10,000 to FinCEN; the foundational BSA reporting requirement)
  • 31 U.S.C. § 5314 — Foreign financial accounts (FBAR — U.S. persons with financial interest in or signature authority over foreign financial accounts exceeding $10,000 must report annually to FinCEN)
  • 31 U.S.C. § 5316 — Currency or monetary instrument transportation reports (CMIR — persons physically transporting more than $10,000 in currency or monetary instruments into or out of the U.S. must file a report; enforced at the border by CBP)
  • 31 U.S.C. § 5318 — Compliance, exemptions, and summons authority (financial institutions must establish and maintain AML compliance programs — internal policies, compliance officer, training, independent testing; Secretary may issue subpoenas; customer identification program / CIP requirements; due diligence for correspondent and private banking accounts)
  • 31 U.S.C. § 5318(g) — Suspicious Activity Reports (financial institutions must file SARs for transactions that appear to involve funds derived from illegal activity, are designed to evade BSA requirements, or have no apparent lawful purpose; SARs are confidential — institutions are prohibited from disclosing SAR filings to subjects)
  • 31 U.S.C. § 5321 — Civil penalties (up to the greater of the amount involved or $100,000 per violation for negligent violations; up to the greater of $1M or the amount involved for pattern violations)
  • 31 U.S.C. § 5322 — Criminal penalties (willful violation of BSA requirements: up to $250,000 and 5 years; if in furtherance of another violation: up to $500,000 and 10 years)
  • 31 U.S.C. § 5324 — Structuring transactions to evade reporting (illegal to structure or assist in structuring transactions to evade the $10,000 CTR threshold — e.g., making multiple deposits of $9,500 to avoid reporting)
  • 31 U.S.C. § 5336 — Beneficial ownership reporting authority (Corporate Transparency Act; current FinCEN regulations now exempt domestic entities and U.S. persons in this reporting context, leaving a narrower foreign-entity reporting regime)

How It Works

The BSA/AML framework is the United States' primary defense against money laundering, terrorist financing, and other financial crimes — built on a system of mandatory reporting, recordkeeping, and compliance programs that make financial institutions the front line of detection.

The BSA's reporting framework centers on two mandatory forms. Currency Transaction Reports (CTRs) must be filed when any institution receives or disburses more than $10,000 in currency in a single transaction or related transactions — a threshold set in 1970 that would equal approximately $80,000 in 2025 dollars, meaning the BSA now captures millions of routine cash transactions. FinCEN receives approximately 20 million CTRs per year. Suspicious Activity Reports (SARs) are the more actionable enforcement tool: institutions must file when they detect transactions that appear to involve illegal funds, that are structured to evade reporting requirements, or that show patterns inconsistent with the customer's known profile. SARs are confidential — institutions cannot disclose that one has been filed — and law enforcement agencies (FBI, IRS-CI, DEA, Secret Service) mine the SAR database for investigative leads in drug trafficking, fraud, corruption, tax evasion, terrorism, and sanctions evasion. FinCEN receives approximately 4 million SARs per year.

Every financial institution must maintain an AML compliance program with four required pillars: internal policies and controls, a designated compliance officer, ongoing employee training, and independent testing. Regulators examine AML compliance during safety and soundness examinations; failures have produced billions in penalties — HSBC paid $1.9 billion in 2012 for Mexican drug cartel money laundering, and JPMorgan paid $2.6 billion in 2014 for Bernard Madoff-related BSA failures (JPMorgan also paid roughly $365 million in 2023 in private settlements with Jeffrey Epstein survivors and the U.S. Virgin Islands, though those were civil settlements rather than BSA enforcement actions). The 2016 CDD Rule added a requirement to identify and verify the beneficial owners of legal entity customers alongside the baseline Customer Identification Program (CIP) requirements for individuals. The Corporate Transparency Act of 2020 extended beneficial ownership reporting obligations beyond banks to businesses registered with states, though court challenges and FinCEN's March 26, 2025 interim final rule significantly narrowed compliance obligations — currently, the active BOI reporting requirement generally falls on certain foreign entities registered to do business in the U.S., with domestic entities and U.S. persons largely exempt under the interim rule.

How It Affects You

If you regularly handle large amounts of cash — whether you're a contractor paid in cash, a retail business, a landlord collecting rent, or someone who received a large inheritance — the most important thing to understand is the difference between a Currency Transaction Report (CTR) and a crime. Your bank files a CTR automatically whenever a cash transaction exceeds $10,000. This is routine, legal, and invisible to you — it's a report FinCEN receives, not an investigation of you. What IS a federal crime under 31 U.S.C. § 5324 is structuring: deliberately breaking a transaction into smaller amounts (multiple $9,000 deposits over a few days, for example) to avoid the $10,000 threshold. Structuring is illegal even if your money is completely legitimate — the crime is the intent to evade reporting, not the underlying activity. Federal prosecutors use structuring charges regularly against people who never did anything else wrong. If you have ongoing legitimate large-cash needs, ask your bank's compliance department about CTR exemptions available for established business customers — many cash-heavy small businesses qualify. Suspicious Activity Reports (SARs) are a separate matter entirely: banks file these based on transaction patterns that seem inconsistent with your profile (sudden large transfers, multiple small cash deposits, wire activity to certain countries). You'll never see the SAR or know it was filed — by law, the bank cannot tell you. If your account gets frozen or closed without explanation, a SAR is a likely cause; consult an attorney if this happens.

If you have financial accounts outside the United States — bank accounts, brokerage accounts, foreign pension accounts, signature authority over a company's foreign account — you may have mandatory annual reporting obligations regardless of whether the accounts earn any income. The FBAR (FinCEN Form 114) is required if the aggregate value of all your foreign financial accounts exceeds $10,000 at any point during the year — even for a single day. FBAR is filed electronically with FinCEN by April 15 (automatic extension to October 15). The penalties for failing to file are severe and not proportional to the harm: $10,000 per non-willful violation and up to the greater of $100,000 or 50% of the account balance per willful violation. Separately, the IRS requires disclosure of foreign financial assets above $50,000 (single) or $100,000 (married) on Form 8938 (FATCA), filed with your tax return. These two filings overlap but aren't identical — a foreign account can trigger both. The IRS Offshore Voluntary Disclosure Program has ended, but the IRS Streamlined Procedures still allow taxpayers who were non-willfully non-compliant to come into compliance with reduced penalties — consult a tax attorney before filing late FBARs if your situation is complicated. For straightforward cases (one foreign account, moderate balance, genuine oversight), many tax professionals can assist with catch-up compliance.

If you own a cash-intensive business — a restaurant, laundromat, car wash, pawn shop, or any business that regularly handles large cash volumes — your bank is scrutinizing your transactions more than you realize. Banks assess each business customer's cash activity against an expected baseline (your "cash profile"), and significant deviations trigger SAR reviews. Practically: document the business rationale for large cash transactions, maintain records that show the cash came from legitimate business activity, and deposit regularly and consistently rather than in irregular lumps. For businesses with legitimate high cash volumes, a CTR exemption for existing business customers can reduce the reporting burden — ask your bank's BSA officer. If you're dealing with customers who pay with monetary instruments (cashier's checks, money orders) totaling over $3,000, you must maintain records; for amounts over $10,000 in a day, the bank files a CTR regardless of the form. Be extremely cautious about any scheme that asks you to process payments through your account for someone else — even if it sounds like a referral fee or simple favor, this can create money laundering liability under 18 U.S.C. § 1956.

If you work at a financial institution in any role that touches transactions, customer onboarding, or compliance: BSA/AML failures can result in personal liability — not just institutional penalties. Compliance officers have been personally fined and barred. Know your institution's SAR filing procedures; if you see something that looks suspicious, report it through internal channels. Safe harbor protections under 31 U.S.C. § 5318(g) protect financial institutions and their employees from civil liability for filing SARs in good faith. You are legally prohibited from disclosing to a customer that a SAR has been filed or that they are under BSA scrutiny — this "tipping off" prohibition applies even in response to a direct question. For KYC (Know Your Customer) obligations: verify customer identity at account opening, maintain ongoing understanding of the customer's business and transaction patterns, and escalate Enhanced Due Diligence (EDD) requests for high-risk customers (foreign PEPs, correspondent accounts, high-risk geographies) through proper channels rather than making informal exceptions.

State Variations

BSA/AML is primarily federal law, but:

  • State banking regulators examine state-chartered banks for BSA compliance alongside federal regulators
  • Some states have their own money transmission licensing and AML requirements
  • State AGs can bring money laundering prosecutions under state law
  • The Corporate Transparency Act preempts contrary state beneficial ownership reporting requirements, though some states (New York) have their own transparency laws

Implementing Regulations

  • 31 CFR Part 1010 — General Provisions — FinCEN's cross-cutting BSA framework applicable to all financial institutions, implementing 31 U.S.C. §§ 5311–5318 (76 sections across 10 subparts):

    • Subpart A — General Definitions (§ 1010.100): the definitional foundation for all of Title 31 Chapter X — defines "financial institution" broadly to include banks, broker-dealers, casinos, money services businesses, mutual funds, insurance companies, loan companies, and housing GSEs; defines "monetary instruments," "transaction," "person," and "United States person"
    • Subpart B — Programs (§§ 1010.200–1010.230): § 1010.205 — certain financial institutions are exempt from AML program requirements (e.g., some non-profit organizations, foreign financial agencies operating in their home country); § 1010.210 — each financial institution must maintain an AML program meeting at minimum the four pillars: (1) internal policies/controls, (2) designated compliance officer, (3) ongoing training, (4) independent audit; specific program requirements are in each institution type's own Part; § 1010.220 — CIP (Customer Identification Program) requirements cross-reference institution-specific rules; § 1010.230 — beneficial ownership requirements for legal entity customers: covered financial institutions must identify the beneficial owner(s) (individuals owning 25%+ of equity) and a single controlling-person of each legal entity customer at the time of account opening; must verify identity using documentary or non-documentary methods; covered financial institutions include banks, broker-dealers, and mutual funds (added 2016); NOTE: a major amendment was published at 89 FR 72274 (Sept. 4, 2024) revising definitions in §§ 1010.100 and 1010.605 — delayed until January 1, 2028 (91 FR 36, Jan. 2, 2026) due to ongoing FinCEN rulemaking related to the Corporate Transparency Act beneficial ownership reporting requirements
    • Subpart C — Reports Required (§§ 1010.300–1010.370): § 1010.301 — Treasury Secretary determination that BSA reports have high usefulness in criminal, tax, and regulatory investigations; § 1010.306 — CTR filing deadline: 15 calendar days after the reportable transaction; § 1010.310–1010.314 — currency transaction reporting (CTR) framework: § 1010.311 — each financial institution (other than casinos, which have separate rules at § 1021.311) must file a CTR for each currency transaction over $10,000 — covering deposits, withdrawals, exchanges of currency, and other payments; § 1010.312 — institution must verify and record customer identity before concluding the transaction; § 1010.313 — aggregation rule: multiple transactions by the same person in the same business day must be aggregated — a series of $9,500 transactions on the same day by the same customer at the same institution must be reported as a single $19,000 transaction; § 1010.314 — structuring prohibition: no person may cause a financial institution to fail to file a CTR by structuring transactions in amounts designed to avoid the $10,000 threshold — structuring is a federal crime regardless of whether the underlying funds are from legal activities; § 1010.320 — suspicious activity reporting (SAR): each financial institution must file a SAR for transactions that the institution "knows, suspects, or has reason to suspect" involve funds from illegal activity, are designed to evade BSA requirements, lack a lawful purpose, or involve violations of law; SAR-specific thresholds and filing procedures are in each institution type's own Part; § 1010.340–1010.350 — reports of transportation of currency or monetary instruments across the U.S. border (CMIR): persons who physically transport, mail, or ship more than $10,000 in currency or monetary instruments into or out of the U.S. must file a CMIR; § 1010.350 — Foreign Bank Account Report (FBAR): U.S. persons with a financial interest in or signature authority over foreign financial accounts exceeding $10,000 at any time during the calendar year must file FinCEN Form 114 (the FBAR) by April 15 (with automatic extension to October 15); failure to file carries civil penalties up to $10,000/year (non-willful) or 50% of the account balance per year (willful)
    • Subpart D — Records Required (§§ 1010.400–1010.430): § 1010.405 — records of funds transfers: financial institutions must keep records of all funds transfers of $3,000 or more, including the identity of both the transmittor and beneficiary; § 1010.410 — records for purchases of monetary instruments (money orders, cashier's checks, traveler's checks) over $3,000 must include customer identity and record of purchase; § 1010.415 — retention: all BSA records must be retained for 5 years from the date of the transaction
    • Subpart F — Special Standards of Diligence; Prohibitions; and Special Measures (§§ 1010.600–1010.670): the enhanced due diligence and correspondent banking rules: § 1010.605 — definitions for correspondent and private banking (amended at 89 FR 72274, delayed to 2028); § 1010.610 — correspondent account due diligence: covered financial institutions must have written policies and procedures for identifying and applying enhanced due diligence to foreign correspondent accounts that pose a higher risk — including accounts from jurisdictions on Treasury's lists of primary money laundering concerns; § 1010.620 — private banking account due diligence: covered institutions with private banking accounts (deposits of $1 million or more for non-U.S. persons) must establish policies to detect and report suspicious activity, and apply enhanced scrutiny to accounts for senior foreign political figures (PEPs) and their families; § 1010.630 — prohibition on shell bank correspondent accounts: U.S. financial institutions are prohibited from maintaining correspondent accounts with foreign shell banks (banks with no physical presence in any jurisdiction); must obtain and retain records of the ownership of each foreign bank holding a correspondent account; § 1010.651–1010.670 — special measures under Section 311 of the USA PATRIOT Act: Treasury may designate specific foreign jurisdictions, financial institutions, or classes of transactions as primary money laundering concerns and impose special measures including requiring enhanced due diligence, prohibiting accounts, or requiring information collection; current special measures in effect against Burma, the Commercial Bank of Syria, FBME Bank (Cyprus/Tanzania), and others

    31 CFR Part 1010 is the master framework that anchors all of FinCEN's BSA regulatory system — every institution-specific Part (1020 for banks, 1022 for money services businesses, etc.) cross-references Part 1010's general definitions, program requirements, and reporting rules. The two most consequential provisions for compliance officers are the aggregation rule (§ 1010.313 — aggregating same-day transactions to defeat structuring) and the FBAR requirements (§ 1010.350 — foreign account reporting that has generated billions in civil penalties and criminal prosecutions). The beneficial ownership rule (§ 1010.230) has been the most operationally complex addition since the 2001 PATRIOT Act changes — requiring banks to collect and verify the identities of individuals who own or control legal entity customers, a requirement that remains in flux due to the Corporate Transparency Act's parallel beneficial ownership information (BOI) reporting system at FinCEN.

  • 31 CFR Part 1020 — BSA Rules for Banks: the BSA compliance requirements specific to banks, savings associations, and credit unions — the most comprehensively regulated category of financial institution. Part 1020 cross-references Part 1010's general framework but adds bank-specific details for each program element. Key provisions:

    • § 1020.210 — Bank AML Program Requirements: banks must implement and maintain a written AML compliance program with four required pillars: (1) policies, procedures, and internal controls reasonably designed to ensure compliance; (2) designation of a BSA compliance officer (or AML Compliance Officer) responsible for daily operations; (3) ongoing employee training ensuring staff recognize red flags and understand their reporting obligations; and (4) independent testing (internal audit or third-party review) at appropriate intervals to test the program's effectiveness; banks regulated by a federal functional regulator (OCC, Fed, FDIC, NCUA) must incorporate their regulator's BSA examination procedures
    • § 1020.220 — Customer Identification Program (CIP): banks must establish a written CIP as part of their AML program; at minimum, the CIP must: (a) collect the customer's name, date of birth (individuals), address, and taxpayer identification number (SSN for individuals, EIN for businesses) before opening an account; (b) verify this information through documentary means (government-issued ID) or non-documentary means (credit bureau checks, comparison to third-party databases); (c) check the customer against the Treasury Department's OFAC SDN list (sanctions screening) and other government watchlists; (d) provide notice to customers that the bank is requesting information to verify identity; exemptions apply for existing customers (no re-verification required), accounts opened for certain regulated entities, and correspondent accounts under heightened due diligence
    • § 1020.315 — CTR Exemptions for Exempt Persons: banks must not file CTRs for exempt persons — specifically: (a) other domestic banks; (b) federal, state, and local government agencies; (c) listed companies (public companies traded on major U.S. exchanges, with their subsidiaries); and (d) Phase II exemptions for non-listed businesses and payroll customers established by the bank based on risk assessment; exemptions must be re-approved at least every two years; the exemption process reduces CTR volume for routine commercial cash transactions from known businesses while preserving reporting for higher-risk situations
    • § 1020.320 — Bank SAR Requirements: every bank must file a SAR within 30 calendar days of becoming aware of a suspicious transaction or pattern; SAR thresholds: (a) $5,000 or more in transactions involving insider abuse (no matter the amount if insider abuse is suspected); (b) $5,000 or more if the bank knows, suspects, or has reason to suspect the transaction involves funds from illegal activity, is designed to evade BSA requirements, lacks a lawful purpose, or involves a violation of federal law; banks may also voluntarily file SARs for transactions below the threshold; SARs are confidential — neither the filing of a SAR nor its contents may be disclosed to the subject of the report (or to most third parties) without legal process
    • §§ 1020.610–1020.670 — Correspondent Banking and Private Banking Due Diligence (Subpart F): banks must apply enhanced due diligence (EDD) for: (a) correspondent accounts for foreign financial institutions — a bank must implement a due diligence program for foreign correspondent accounts that identifies the foreign bank's AML program, assessments ownership, and assesses risk (§ 1020.610 → § 1010.610); (b) private banking accounts for foreign persons — accounts with balances over $1 million owned by non-U.S. individuals must receive enhanced scrutiny for money laundering or corrupt political figure (PEP) connections (§ 1020.620 → § 1010.620); (c) prohibition on accounts for foreign shell banks — banks are absolutely prohibited from maintaining correspondent accounts for foreign shell banks (banks without a physical presence in any country) or foreign banks operating in jurisdictions with no money laundering laws (§ 1020.630 → § 1010.630)

    Part 1020's SAR thresholds (as low as $5,000 for insider abuse or when funds are suspected of illegal origin) are significantly lower than the $10,000 CTR threshold. This means bankers must actively monitor and report suspicious patterns at much lower transaction amounts — a requirement that has driven the development of automated transaction monitoring systems at all banks. The SAR confidentiality rule creates a unique dynamic: banks file millions of SARs annually (generating critical law enforcement intelligence) but cannot disclose the filing to anyone without specific authorization, including when law enforcement asks whether a SAR was filed for a specific person. Banks that "tip off" SAR subjects face criminal exposure under 31 U.S.C. § 5318(g)(2).

  • 31 CFR Part 1021 — BSA Rules for Casinos and Card Clubs: casinos and card clubs have a separate regulatory framework reflecting their unique cash-intensive business model; unlike banks (which must report all currency transactions over $10,000 within 15 days), casinos must file CTRs for cash-in or cash-out transactions over $10,000, which includes chips purchased, currency exchanged, deposits to slot club accounts, and wagering credit redemptions; the aggregation rule (§ 1021.313) combines multiple transactions by the same customer in a gaming day; casinos must also file SARs (§ 1021.320) for suspicious activity involving $5,000 or more and must maintain records of large cash transactions

  • 31 CFR Part 1023 — BSA Rules for Brokers or Dealers in Securities: securities broker-dealers face BSA obligations covering customer identification (§ 1023.220 — CIP requirements aligned with SEC Rule 17a-8), AML program requirements (§ 1023.210 — four-pillar program approved by senior management), SAR obligations (§ 1023.320 — suspicious activity involving $5,000 or more), and correspondent account due diligence (§ 1023.610 → § 1010.610); broker-dealers are jointly regulated by FinCEN and FINRA for BSA compliance — FINRA conducts BSA examinations of its member firms under delegated authority from FinCEN; broker-dealers are a significant SAR filer category because of their access to financial markets and the cross-border nature of securities transactions

  • 31 CFR Part 1027 — BSA Rules for Dealers in Precious Metals, Precious Stones, or Jewels: FinCEN's AML rules for dealers in gold, silver, platinum, diamonds, gemstones, and jewelry — a sector with historically weak AML oversight despite significant money laundering risk:

    • § 1027.210 — AML program requirement: each "dealer" (a person engaged in the business of buying and selling covered goods and whose gross revenues from covered goods exceed $50,000 in any calendar year) must develop and implement a written AML program; the program must: (1) incorporate policies, procedures, and internal controls reasonably designed to prevent the business from being used for money laundering; (2) designate a compliance officer; (3) provide ongoing employee training; and (4) provide for independent testing of the program; the $50,000 revenue threshold exempts one-off sellers and hobbyists while capturing commercial dealers
    • § 1027.330 — Currency Transaction Reporting: dealers who receive more than $10,000 in cash in a single transaction or related transactions must file an IRS Form 8300 (Cash Payment Report) identifying the payer; a buyer who pays $15,000 in cash for a gold coin collection triggers the reporting obligation; dealers must provide written notice to customers when a Form 8300 is filed for their transaction; knowingly structuring cash payments to stay below $10,000 is a federal crime (structuring) even if the underlying transaction is legal
    • § 1027.410 — Recordkeeping: dealers must maintain records in accordance with the general BSA recordkeeping requirements in 31 CFR § 1010.410, which include records of transactions above $10,000 and customer identification documents; records must be retained for 5 years and made available to FinCEN and law enforcement upon request

    The precious metals and stones sector has been a persistent weak point in the U.S. AML framework. Unlike banks (which have extensive BSA compliance infrastructure) or casinos (which face strict reporting requirements), precious metals dealers historically operated with minimal AML oversight. Gold and diamonds are inherently portable, high-value, and difficult to trace — ideal vehicles for converting cash proceeds of drug trafficking, corruption, or sanctions evasion into untraceable wealth. The FinCEN Part 1027 program requirement closes the most obvious gap by requiring dealers to know their customers and report suspicious activity — though enforcement resources for non-bank BSA compliance remain limited compared to the banking sector.

  • 31 CFR Part 1026 — BSA Rules for Futures Commission Merchants and Introducing Brokers in Commodities (22 sections): FinCEN's AML implementing regulations for futures commission merchants (FCMs) — the commodity brokers who execute trades on futures exchanges on behalf of customers — and introducing brokers (IBs) in commodities, who solicit and refer customers to FCMs. FCMs and IBs are classified as financial institutions under 31 U.S.C. § 5312 and must comply with BSA reporting, recordkeeping, and customer identification requirements. Part 1026 is jointly administered by FinCEN and the Commodity Futures Trading Commission (CFTC), which conducts BSA examinations of FCMs and IBs:

    • § 1026.200 — AML Program Requirement (Subpart B): each FCM and IB must develop and implement an AML compliance program with the standard four pillars — internal policies and controls; a designated compliance officer; ongoing employee training; and independent testing; the program must be approved in writing by senior management; unlike broker-dealers (which FINRA audits for BSA compliance), FCMs and IBs are examined by the CFTC and the National Futures Association (NFA), which has been designated by FinCEN as a self-regulatory organization for BSA examination purposes
    • §§ 1026.300–1026.370 — Reports Required (Subpart C): FCMs and IBs must file Currency Transaction Reports (CTRs) for currency transactions exceeding $10,000; must file Suspicious Activity Reports (SARs) for transactions of $5,000 or more that involve suspected money laundering, terrorist financing, or fraud; the SAR reporting threshold for FCMs is the same as for banks and broker-dealers — $5,000 — reflecting FinCEN's view that the commodities markets, like securities markets, are vulnerable to suspicious activity at lower transaction values; SAR filing must occur within 30 days of detecting the suspicious activity; SARs are confidential and may not be disclosed to the subject of the report
    • §§ 1026.400–1026.410 — Records Required (Subpart D): FCMs and IBs must maintain records of all funds transfers of $3,000 or more, including the identity of the transmittor and beneficiary; records must be retained for 5 years; cross-reference to the general BSA recordkeeping rules at 31 CFR § 1010.410
    • §§ 1026.500–1026.560 — Special Information Sharing (Subpart E): FCMs and IBs participate in the § 314(a) and § 314(b) information sharing programs — FinCEN's law enforcement can send voluntary information requests (§ 314(a)) to all covered financial institutions including FCMs, asking whether they have accounts for specified subjects; FCMs may voluntarily share information with other covered financial institutions to identify suspicious activity (§ 314(b)) with safe harbor from civil liability for the sharing
    • §§ 1026.600–1026.670 — Special Measures (Subpart F): FCMs and IBs must apply enhanced due diligence for correspondent accounts with foreign financial institutions under special measures designated by Treasury under USA PATRIOT Act § 311; if Treasury designates a foreign jurisdiction or institution as a primary money laundering concern, FCMs must take specified measures including enhanced recordkeeping, enhanced due diligence, or prohibition on accounts

    FCMs operate at the intersection of financial markets and commodities trading — a venue historically associated with sophisticated clients and lower retail transaction volume than retail banking, but also with significant risks from foreign participants, speculative trading, and the use of commodity futures to hedge (or obscure) other financial positions. The CFTC's dual role as both market regulator and BSA examiner creates a more integrated compliance regime than the fragmented bank-FINRA-SEC framework applicable to securities broker-dealers. Recent rulemakings: Part 1026 was last significantly amended at 81 FR 76865 (Nov. 2016) to expand SAR requirements, and at 76 FR 10521 (Feb. 2011) when FinCEN revised the general AML program and SAR rules for commodity firms.

  • 31 CFR Part 1024 — BSA Rules for Mutual Funds (21 sections): FinCEN's AML implementing regulations for mutual funds — investment companies registered under the Investment Company Act of 1940 that pool investor assets into diversified portfolios of securities. Despite managing trillions of dollars in investor assets, mutual funds were added to BSA coverage later than banks or broker-dealers, reflecting their historically low cash-transaction volume and indirect investor relationships:

    • § 1024.210 — AML Program: each mutual fund must implement a written AML compliance program with the four standard pillars — internal policies and controls, a designated compliance officer, ongoing employee training, and independent testing; mutual fund AML programs must address the specific money laundering risks of pooled investment vehicles, including risks from nominee account holders and aggregators who hold fund shares on behalf of underlying beneficial owners
    • § 1024.220 — Customer Identification Program: mutual funds must establish a CIP applicable to each account opened — collecting the investor's name, address, date of birth (for individuals), and Social Security or taxpayer identification number; mutual funds may rely on the CIP of an introducing broker-dealer or registered investment adviser for accounts opened through intermediaries, provided the reliance agreement meets FinCEN requirements; this intermediary reliance provision is critical because most retail mutual fund shares are purchased through brokerage accounts or 401(k) platforms, not directly from the fund
    • § 1024.320 — SAR Requirements: mutual funds must file SARs for transactions of $5,000 or more that the fund knows, suspects, or has reason to suspect involve proceeds of illegal activity or are designed to evade BSA requirements; because mutual fund transactions are typically electronic and involve securities rather than cash, SAR filings tend to reflect redemption patterns, nominee structures, or transactions linked to OFAC-designated persons rather than cash structuring
    • §§ 1024.500–1024.560 — Special Information Sharing: mutual funds participate in the § 314(a) FinCEN information-sharing program (law enforcement requests) and may share information with other covered financial institutions under § 314(b) with civil liability safe harbor

    Mutual funds present a distinct BSA compliance challenge: the fund itself may never interact directly with its beneficial investors (who transact through intermediaries), making traditional "know your customer" compliance heavily dependent on the intermediary chain. FinCEN's intermediary reliance framework allocates primary CIP responsibility to the point of customer contact while requiring mutual funds to maintain program oversight. Recent rulemakings: FinCEN finalized AML/CFT program rules for investment advisers (SEC-registered) in 2024, closing a related gap for separately managed accounts — mutual fund BSA obligations under Part 1024 predate these investment adviser rules and remain the more established framework for pooled investment vehicles.

  • 12 CFR Part 21 — OCC Minimum Security Devices, Suspicious Activity Reports, and BSA Compliance (6 sections): the OCC's parallel framework to FDIC Part 326, applying to national banks and federal savings associations under the Bank Protection Act of 1968 (12 U.S.C. § 1882) and BSA (31 U.S.C. § 5318). Three subparts cover physical security, SAR filing, and BSA program monitoring respectively. Key provisions:

    • § 21.1 — Scope: Subpart A applies to all national banks and federal savings associations; the OCC issues physical security requirements under 12 U.S.C. § 1882 to deter crimes against banking offices and preserve evidence for law enforcement
    • § 21.2 — Designation of security officer: within 30 days of opening, the board of directors must designate a security officer with authority to develop and administer a written security program — a tighter window than the FDIC's 180-day requirement for new institutions
    • § 21.3 — Security program: the written program must establish procedures for opening/closing and currency safekeeping, install and maintain security devices (cameras, alarms, locks), provide personnel training, and include procedures that help identify perpetrators and preserve evidence
    • § 21.4 — Annual board report: the security officer must report at least annually to the board on implementation and effectiveness of the security program
    • § 21.11 — Suspicious Activity Report: national banks must file a SAR when they detect a known or suspected violation of federal law or a suspicious transaction related to money laundering or BSA violations; includes specific thresholds, timelines, and the 5-year record retention requirement
    • § 21.21 — BSA compliance monitoring: all national banks and savings associations must establish and maintain a BSA compliance program with four pillars: (1) internal controls, (2) a designated BSA compliance officer, (3) employee training, and (4) independent testing; aligns with FinCEN's parallel requirements under 31 CFR Part 1020

    Part 21 is the OCC's counterpart to FDIC Part 326: both implement the Bank Protection Act's physical security mandate and the BSA's compliance program requirement, but OCC Part 21 applies to the nationally chartered bank universe while FDIC Part 326 covers state nonmember FDIC-supervised institutions. The 30-day security officer designation window in § 21.2 (vs. FDIC's 180 days) reflects the OCC's stricter stance on governance readiness for new national charters. The SAR section (§ 21.11) is OCC's primary enforcement lever for BSA suspicious-activity reporting — distinct from FinCEN's own SAR rules at 31 CFR § 1020.320, but cross-referencing them.

  • 12 CFR Part 326 — FDIC Minimum Security Devices and BSA Compliance (6 sections): the FDIC's physical bank security and BSA monitoring requirements under the Bank Protection Act of 1968 (12 U.S.C. § 1882), applying to all FDIC-supervised insured depository institutions. Key provisions:

    • § 326.2Designation of security officer: within 180 days of receiving FDIC insurance, the board of directors must designate a security officer with authority to develop and administer a written security program for each banking office
    • § 326.3Security program requirements: the written program must establish procedures for opening/closing operations and safekeeping of currency and negotiable securities; install and maintain security devices (cameras, alarms, locks); train personnel in security procedures; and include procedures that assist in identifying persons who commit crimes against the institution and preserve evidence for prosecution
    • § 326.4Annual board reporting: the security officer must report at least annually to the board of directors on the implementation, administration, and effectiveness of the security program — a governance accountability mechanism ensuring board-level oversight of physical security
    • § 326.8BSA compliance monitoring: each FDIC-supervised institution must establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA (31 U.S.C. Chapter 53 subchapter II) and FinCEN's implementing regulations; compliance monitoring must be integrated into the institution's overall compliance management system and is subject to examination by the FDIC

    Part 326 represents the physical-security and board-governance layer of FDIC bank oversight — complementing the FinCEN Title 31 framework (Parts 1010/1020 above) with requirements for cameras, alarms, and safekeeping procedures that deter and document bank robberies and internal theft. The BSA compliance section (§ 326.8) connects FDIC safety-and-soundness supervision to FinCEN's AML framework, requiring FDIC-supervised banks to have monitoring systems that ensure they are meeting their Title 31 reporting obligations — a structural link the FDIC enforces through its examination authority. Recent rulemakings: last amended at 85 FR 3246 (Jan. 2020).

Pending Legislation

  • HR 5877Combatting Money Laundering in Cyber Crime Act: expands Secret Service authority over digital-asset money laundering, doubles FinCEN record retention. Status: In Committee.
  • S 3801Combating Money Laundering, Terrorist Financing, and Counterfeiting Act of 2026: tightens AML rules, expands penalties, restores wiretap powers. Status: Introduced.
  • S 1995 (Sen. Markey, D-MA) — FinCEN-SBA Coordination on Beneficial Ownership Registration Act: creates FinCEN-SBA partnership for beneficial ownership compliance outreach. Status: Introduced.
  • HR 2400 — Art Market Integrity Act: would add art dealers, galleries, and intermediaries to AML reporting with $10K/$50K thresholds. Status: Introduced.

Recent Developments

  • The Corporate Transparency Act's beneficial ownership regime was substantially narrowed by FinCEN's March 2025 interim final rule, which exempted domestic entities and U.S. persons from BOI reporting and left a narrower foreign-company filing regime
  • FinCEN finalized rules updating the AML/CFT compliance framework for financial institutions, including explicit requirements for real estate transactions and investment advisors
  • Cryptocurrency compliance has been a major enforcement focus — FinCEN has extended BSA requirements to cryptocurrency exchanges and proposed rules for unhosted wallet transactions, intersecting with securities regulation and CFTC oversight of crypto derivatives
  • The Anti-Money Laundering Act of 2020 modernized the BSA framework, established AML/CFT national priorities, created a FinCEN whistleblower program, and expanded information sharing between government and financial institutions
  • FinCEN assessed a $3.5 million civil money penalty against Paxful, a peer-to-peer cryptocurrency exchange, for facilitating suspicious transactions involving sanctioned jurisdictions and failing to maintain an adequate AML program — part of a broader enforcement push against crypto platforms with weak BSA compliance.
  • FinCEN announced a multi-tiered, data-driven border operation to detect and disrupt potential cross-border money laundering, enabled by Treasury's ongoing technology modernization investments to improve financial intelligence analysis.
  • FinCEN issued a final rule postponing the effective date of the investment adviser AML/CFT rule to 2028, delaying a requirement that would have imposed BSA compliance obligations on registered investment advisers and certain exempt reporting advisers.
  • FinCEN convened financial institutions and law enforcement agencies through its FinCEN Exchange public-private partnership to share information and coordinate efforts to identify and dismantle money laundering networks exploiting the U.S. financial system.
  • FinCEN proposes fundamental AML/CFT program reform (April 2026): FinCEN proposed a rule to fundamentally reform financial institution programs designed to fight illicit finance — the most significant overhaul of Bank Secrecy Act compliance requirements since the USA PATRIOT Act. The proposed rule would shift AML programs from rules-based checklists toward risk-based effectiveness measures.
  • FinCEN proposes whistleblower reward program (April 2026): FinCEN proposed a rule to pay whistleblowers who report fraud, money laundering, and sanctions violations — modeled on the SEC and CFTC whistleblower programs. FinCEN also launched a dedicated webpage for whistleblower tips.
  • FinCEN issues healthcare fraud advisory (April 2026): FinCEN issued an advisory on healthcare fraud schemes targeting Medicare, Medicaid, and other federal health programs — alerting financial institutions to red flags associated with billing fraud, kickback schemes, and phantom provider operations.
  • FinCEN streamlines customer due diligence (April 2026): FinCEN issued exceptive relief to streamline Customer Due Diligence (CDD) requirements, reducing compliance burden on financial institutions while maintaining beneficial ownership transparency goals.
  • Treasury proposes to sever Swiss bank MBaer's U.S. access (April 2026): Treasury proposed a rule to cut Swiss bank MBaer from the U.S. financial system, citing money laundering concerns — a rare use of the "special measures" authority under Section 311 of the USA PATRIOT Act.

At My Address

See how Bank Secrecy Act & Anti-Money Laundering plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address