Bank Secrecy Act 101: Six Things Every AML Person Needs to Know

While anti-money laundering (AML) specialists are not expected to be Juris Doctors, there are still many laws with which they should be intimately familiar. Of those, perhaps none is more important than the Bank Secrecy Act (BSA).

This article will trace the evolution of the most critical AML legislation and give a primer on its finer points.

First: Background

When the BSA was first enacted in 1970, its original intent and purpose was to require the reporting of records that would have a high degree of usefulness in criminal tax proceedings or regulatory investigations. This, of course, was years before the term money laundering entered the banking lexicon, before the advent of AML and counter-terrorism financing as fields unto themselves, and before the events of 9/11 made these activities a national priority.

Today, this has been amplified by the USA PATRIOT Act to also compel reporting “in the conduct of intelligence or counterintelligence activities, including analysis to protect against international terrorism.”

Second: Reporting and Record Keeping

The basics of reporting requirements include the Financial Crimes Enforcement Network (FinCEN) requirements such as Currency Transaction Reports (CTRs), form 8300 and Suspicious Activity Reports (SARs) that must be filed for transactions that meet certain thresholds.


Currency Transaction Reports must be filed for cash transactions over $10,000. This requirement is in place solely for the physical transfer of currency, legal tender — coins and paper money — from one person to another. Wire and check transactions should not be considered currency transactions for CTR filing requirements.

Multiple cash transactions conducted on a single business day by one customer must be aggregated if it is known they were made by or on behalf of one person and result in either cash in or cash out totaling more than $10,000.

For example, if a customer deposits $6,000 into his/her account at 9:30 a.m. and returns at 2:30 p.m. to make a loan payment in cash of $5,000, the two transactions, in the aggregate, total $11,000 and a CTR must be filed. Deposits and withdrawals transactions should not be “netted.”

Form 8300

Form 8300 is similar to the CTR and is used for trade or businesses such as car dealers, insurance firms, art dealers and boat dealers. These companies, if they receive more than $10,000 in cash in one transaction or in two or more related transactions in 24 hours, must file Form 8300. Interestingly, with the Form 8300, regulators use a rolling 24-hour period, instead of one business day — the standard for CTRs. This can complicate the automation of the monitoring process.

This requirement results in an abundance of reports. In 2011, FinCEN received almost 200,000 paper filings of Form 8300.


Among the suspicious activities that must be reported are any transactions aggregating $5,000 or more (for MSBs, that is $2,000 in some instances) involving potential money laundering, suspected terrorist financing activities or violations of the BSA.

Can you voluntarily file for transactions that are under this threshold? Yes, although these are the required transaction levels for filing a SAR, it is permitted to file a SAR for suspicious transactions below these thresholds.

While software solutions can be helpful, they are by no means a comprehensive answer. In the case of SARs, $5,000 or more in aggregate daily transactions is enough to warrant a filing — if the transaction is suspicious, of course, and AML officers are expected to file within 30 days of the moment they determined the transaction is suspicious — not when their transaction monitoring systems flagged the transaction, which can be days or weeks earlier.

e-Filing and New Forms

In a modern move that was probably long overdue, FinCEN now requires most reports, like SARs and CTRs be filed electronically. Form 8300, however, can still be sent in paper by mail.

As of March 2012, FinCEN began to accept the new CTR and SAR into its BSA e-Filing System. As of July, these reports are no longer accepted in paper form. Together, these two new reports replaced FinCEN Form 104 (CTR), FinCEN Form 103 (CTR by Casinos), and all of the industry-specific SARs.

To be clear, the new CTR and SAR forms do not create any new obligations or otherwise change existing statutory and regulatory expectations of financial institutions.

Record Keeping

On the topic of record keeping, the monetary instrument log bears mentioning. Treasury regulations prohibits financial institutions from issuing or selling monetary instruments purchased with cash in amounts of $3,000 to $10,000, inclusive, unless it obtains and records certain identifying information on the purchaser and specific transaction information. Monetary instruments include bank checks, bank drafts, cashier’s checks, money orders and travelers checks.

The identifying information of all purchasers must be verified and multiple purchases during one business day should be aggregated and treated as one purchase.

Purchases of different types of instruments at the same time are treated as one purchase and the amounts should be aggregated as such to determine if the total is $3,000 or more. Many institutions use software to keep track of this.

Third: Know Your Customer

The difficulty in BSA reporting comes not in the well-known parameters of the law, but in the subjective gray areas, like the Know Your Customer (KYC) expectations foisted upon compliance professionals.

For instance, a schoolteacher would have a very different transaction record than, say, Mark Zuckerberg. These are practical obstacles faced by banks in monitoring clientele. This is truly one of the most difficult things AML compliance officers must determine. If you do not know your customer, you cannot fulfill this requirement.

KYC is one of the most important — if not the most important — method to avoid criminal exposure for your institution from customers who abuse it for illicit purposes. As daunting a goal as it is, you must work to gain a clear and concise understanding of each customer’s practices. The adoption of KYC guidelines or procedures by financial institutions has proven extremely effective in detecting suspicious activity by customers of the institution in a timely manner.

Although not required by regulation or statute, it is key that financial institutions adopt these policies so they can detect suspicious activity at the institution. An effective KYC policy must, at a minimum, contain a clear statement of management’s overall expectations and establish specific line responsibilities. While the officers and staff of smaller banks may have more frequent and direct contact with customers than their counterparts in large urban institutions, it is incumbent upon all institutions to adopt and follow policies appropriate to their size, location and type of business.

A major shift in KYC requirements is on the horizon. On March 5, 2012, FinCEN issued an Advance Notice of Proposed Rulemaking (ANPRM) on the potential development of an explicit customer due diligence (CDD) obligation for financial institutions, including a requirement to collect beneficial ownership information of their customers.

Fourth: The Four Pillars

So much of BSA compliance is in the development of a comprehensive compliance regime, and to that end we explore the so-called four pillars of a sound AML program:

  1. Internal controls, in the form of written policies and procedures adopted and approved by the board of directors, must be implemented and bank practices must be consistent with these risk-based policies.
  2. An AML compliance officer must be designated. This individual is responsible for coordinating and monitoring day-to-day compliance, and they must be trained and equipped to do so.
  3. BSA training must be established and made available to employees, with a focus on each individual’s job tasks.
  4. Independent audits and reviews must be conducted by outside parties or personnel with no BSA responsibility or oversight.

These elements are connected, and the regulators will see them in conjunction with one another. We can best illustrate this with an example of how regulators might connect these elements when they review your AML program for potential violations during an onsite examination.

Hypothetically, let us assume a regulator is conducting your BSA exam. Let us also assume they begin by requesting the wire transfer log for incoming and outgoing transactions. If the information for the outgoing wire transfers is inadequate, they will learn this. They will cite an apparent violation of record keeping requirements.

But it does not end there. They will doubtless dig further, and when they do it will be obvious to them if the deficiencies in the wire logs are attributed to several branch locations failing to send sufficient information. The examiner will ask if these deficiencies were isolated to transactions originating in a few locations or whether it was bank-wide. Their examination could reveal — you hope — that the deficiencies are not systemic and your overall program remains effective. In that case, you will evade being written up for inadequate controls, but you are not off the hook quite yet.

When the examiner talks with your branch employees he learns that training in this area has been lacking, portending a citation for a training violation and a request that the institution implement a comprehensive training program encompassing all of its service locations.

So, in this example your AML program has been cited for multiple matters requiring attention, all stemming from a single record keeping violation.

Fifth: Customer Identification Programs

None of these pillars amount to much if there is no customer identification program (CIP) in place for them to support.

The CIP must be incorporated into the AML regime and apply to accounts held by customers with formal banking relationships, such as deposit accounts, transaction accounts, asset accounts, credit accounts, safe deposit boxes and cash management custodian accounts.

The program must be appropriate for the institution’s size and business and include certain minimum requirements: Name, address, date of birth and identification number.

Some banks continue to get it wrong. Sloppy customer identification and information capturing at the account opening process is often cited as a violation of the BSA in enforcement actions.

First National Community Bank, with 23 offices in Pennsylvania, was the subject of an enforcement action by the Office of the Comptroller of the Currency (OCC) in 2010. The regulator announced the issuance of a Consent Order in which the bank was directed to take various actions, including:

  • “To develop...account-opening procedures for all accounts by requiring: identification of all account owners and beneficial owners.
  • “Identification of the officers, directors, major shareholders or partners, as applicable, of business accounts; and
  • “Obtain the customer’s source of income or wealth.”

The Citibank case from last April is another good example of what the regulators expect these days from a CID and CDD program.

Sixth: Regulatory Atmosphere

There is no doubt that changes at the top of FinCEN will affect enforcement of the BSA. In August, the Department of Treasury announced that Jennifer Shasky Calvery, former chief of the Department of Justice’s Asset Forfeiture and Money Laundering Section (AFMLS), was tabbed the new director of FinCEN.

Her background as an aggressive prosecutor with some nine-figure bank penalty/forfeiture victories under her belt sends a message. This comes at a time when a rumored $1 billion fine is being considered for AML missteps at British multinational bank HSBC. We believe that FinCEN will be significantly more stringent in the months to come, as Shasky is not an industry insider.

Saskia Rietbroek, partner, AML Services International, LLC, Miami, FL, USA,

David Quinones, editor,, Miami, FL, USA,

Leave a Reply