What Is BSA/AML?

BSA / AML refers to the paired statutory and regulatory framework governing how U.S. financial institutions detect, record, and report suspicious or high-value transactions. The Bank Secrecy Act, 31 U.S.C. sections 5311-5336, imposes recordkeeping and reporting duties. The anti-money laundering provisions, enforced through 31 CFR Chapter X and FinCEN regulations, require covered entities to maintain risk-based compliance programs, customer identification procedures, and ongoing monitoring. Together, BSA / AML compliance is the core practice area for firms that advise banks, money services businesses, casinos, and other covered entities on avoiding civil money penalties and criminal liability.

How BSA / AML Obligations Operate in Practice

The Statutory Foundation

The Bank Secrecy Act originated in 1970 and has been amended repeatedly, most substantially by the USA PATRIOT Act of 2001. The statute delegates rulemaking authority to the Treasury Department, which operates through FinCEN and the federal banking agencies. 31 U.S.C. section 5318(g) requires the reporting of suspicious transactions, while section 5318(h) mandates written anti-money laundering programs. These are not suggestions. A failure to file a required Suspicious Activity Report, or SAR, can result in civil penalties exceeding the transaction amount and, in willful cases, criminal prosecution.

The Five Pillars of an AML Program

Every covered financial institution must maintain a program with five minimum components, codified at 31 CFR 1020.210 for banks and parallel sections for other entity types.

Internal controls. Written policies, procedures, and processes approved by the board of directors or equivalent governing body. These must be risk-based, meaning a community bank in rural Montana and a New York correspondent bank serving Latin American institutions will have materially different control frameworks.

Independent testing. A qualified party, either internal or external, must test the program's effectiveness at least every 12 to 18 months. The frequency and scope adjust to risk. A firm owner advising clients should know that regulators treat "independent" seriously: the tester cannot be the person who built or runs the program.

Designated BSA / AML officer. A person with sufficient authority and resources, named in writing. This is not a nominal role. Examiners expect the officer to have direct access to the board, a dedicated budget, and the ability to halt transactions or customer relationships.

Training. Ongoing, tailored to job function, and documented. Teller training differs from private banker training. The program must include training on red flags specific to the institution's products, services, and customer base.

Customer identification and due diligence. The CIP requirement, 31 CFR 1020.220, applies at account opening. The Customer Due Diligence Rule, finalized in 2016 and effective 2018, added the requirement to identify and verify beneficial owners of legal entity customers. This is the "fifth pillar" in industry parlance, though technically an expansion of the first.

Reporting Mechanics

Covered entities file Currency Transaction Reports for cash transactions exceeding $10,000 in a single business day, aggregated across the customer's accounts. SARs are filed for transactions aggregating $5,000 or more where the institution knows, suspects, or has reason to suspect the transaction involves illicit funds, is designed to evade BSA requirements, or has no apparent lawful purpose. The filing thresholds vary by entity type. Casinos, for instance, have distinct SAR and CTR thresholds under 31 CFR 1021.
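The CTR aggregation rule described above, as an added example that is not part of this glossary entry: constructed sample cash transactions are grouped per customer per business day across all of that customer's accounts and flagged when the total exceeds $10,000. It goes slightly beyond the paragraph by aggregating cash in and cash out separately, as 31 CFR 1010.313 does; customer and account identifiers are invented.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # a CTR is required only when the daily total exceeds this

# Constructed sample data: (customer_id, account_id, business_day, direction, amount)
SAMPLE_TRANSACTIONS = [
    ("C001", "ACCT-1", date(2024, 3, 4), "in", Decimal("6000")),
    ("C001", "ACCT-2", date(2024, 3, 4), "in", Decimal("4500")),     # same day, second account
    ("C001", "ACCT-1", date(2024, 3, 5), "in", Decimal("9900")),     # next day, stays under
    ("C002", "ACCT-3", date(2024, 3, 4), "out", Decimal("10000")),   # exactly the threshold: no CTR
    ("C002", "ACCT-3", date(2024, 3, 4), "in", Decimal("3000")),     # cash in is aggregated separately
    ("C003", "ACCT-4", date(2024, 3, 4), "in", Decimal("10000.01")), # one cent over: CTR
]


def aggregate_cash(transactions):
    """Sum cash in and cash out per (customer, business day) across every account."""
    totals = defaultdict(lambda: {"in": Decimal("0"), "out": Decimal("0")})
    for customer, _account, day, direction, amount in transactions:
        if direction not in ("in", "out"):
            raise ValueError(f"unknown direction {direction!r}")
        totals[(customer, day)][direction] += amount
    return totals


def ctr_candidates(transactions, threshold=CTR_THRESHOLD):
    """Return (customer, business_day, direction, total) for each aggregate strictly above the threshold."""
    hits = []
    for (customer, day), sums in aggregate_cash(transactions).items():
        for direction in ("in", "out"):
            if sums[direction] > threshold:
                hits.append((customer, day, direction, sums[direction]))
    return sorted(hits)


if __name__ == "__main__":
    for customer, day, direction, total in ctr_candidates(SAMPLE_TRANSACTIONS):
        print(f"CTR required: {customer} {day} cash {direction} total {total}")
```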

Why BSA / AML Matters to the Compliance Firm Owner

If you run a regulatory compliance practice, BSA / AML is likely either your primary service line or a significant adjacent offering. The work is not episodic. Institutions need ongoing program review, policy updates, training delivery, look-back analysis, and examination preparation. A single civil money penalty against a bank, publicly announced by FinCEN or the OCC, can generate inbound inquiries from similarly situated institutions in the same geographic or product market.

The engagement models are durable. Retained compliance advisory relationships, where your firm serves as the outsourced BSA officer or provides quarterly testing, produce recurring revenue. Look-back projects, triggered by a regulatory enforcement action or a merger, can run six to eighteen months with substantial professional fees. Training engagements, while lower margin, keep your firm visible between larger projects.

The regulatory environment also creates urgency. FinCEN has proposed rulemakings on beneficial ownership access, cryptocurrency coverage, and real estate transaction reporting that will expand the covered entity population. Each proposal generates demand for gap analysis and program redesign.

Where Practitioners Get It Wrong

Confusing CIP with Full CDD

The Customer Identification Program, required since 2003, is account-opening verification. The Customer Due Diligence Rule, effective 2018, requires ongoing understanding of the customer relationship and beneficial ownership identification. Firms that update CIP policies without addressing the CDD Rule's ongoing monitoring and risk rating obligations leave clients exposed. Examiners have cited this specific gap in multiple public enforcement actions.

Treating Independent Testing as a Checklist Exercise

A testing report that finds no issues, uses the same scope every year, and fails to validate the risk assessment's accuracy is a red flag to regulators. Effective testing challenges the institution's own risk categorization. If the client rates its correspondent banking portfolio as low risk despite handling $200 million annually for foreign financial institutions in high-risk jurisdictions, the tester must document that discrepancy and test accordingly.

Inadequate SAR Documentation

The SAR itself is a brief form. The supporting documentation, maintained by the institution, is where the compliance story lives. Practitioners who fail to advise clients on building a contemporaneous investigation file, with timestamps, source documents, and escalation decisions, leave those clients unable to defend a decision not to file, or to explain a delayed filing, when examiners or law enforcement inquire.

Neglecting Non-Bank Coverage

Money services businesses, cryptocurrency exchanges, and certain real estate professionals are increasingly subject to BSA / AML obligations. A compliance firm that serves only traditional banks may miss a growing client base. The MSB registration requirements under 31 CFR 1022.380, and the state-level licensing that often accompanies them, create layered compliance demand that many generalist firms are unprepared to meet.

Related Terms in Regulatory and Compliance

A practitioner working in this space should also understand the CMMC framework for defense contractor cybersecurity, SOC 2 audits for service organization controls, FDA Warning Letters as a comparable enforcement mechanism in life sciences, ISO 13485 for medical device quality management, and the FSMA food safety rules that similarly blend preventive obligation with regulatory inspection. Each operates in a distinct vertical but shares the pattern of risk-based compliance, documented programs, and escalating enforcement for systemic failure.

If you lead a BSA / AML compliance advisory firm serving financial institutions or MSBs, see how ROI Wire reaches principals through Email Correspondence, Direct Mail, and Retargeting with follow-up by phone. For additional terms in this division, return to the Regulatory and Compliance glossary hub.

BSA/AML examination findings produce a remediation timeline. The compliance officers working through that timeline are not calling every consulting firm that could help.

Your BSA/AML consulting practice remediates program gaps at community banks, credit unions, and non-bank financial institutions. The institutions with open findings are on public examination lists.
