How the Bank Secrecy Act (BSA) Works
The Bank Secrecy Act establishes a framework of recordkeeping and reporting requirements that allow law enforcement and regulators to detect patterns of financial crime. It does not prohibit any specific transaction; instead, it creates a paper trail that investigators can follow. Understanding the operational sequence helps compliance teams build defensible programs.
Determine covered institution status
Confirm whether your business qualifies as a "financial institution" under BSA. This includes banks, credit unions, broker-dealers, money services businesses (MSBs), and many fintech and payment companies. MSBs must register with FinCEN within 180 days of starting operations.
Build a written AML compliance program
Establish the five-pillar BSA/AML program: internal policies and procedures, a designated compliance officer, ongoing employee training, independent testing, and customer due diligence (CDD) protocols. The program must be risk-based and appropriate to the institution's size and transaction volume.
Apply customer due diligence at onboarding
Collect and verify customer identity under Know Your Customer procedures. For legal entity customers, identify beneficial owners who hold 25% or more equity or exercise significant control. Document risk ratings for each customer relationship.
Monitor transactions continuously
Use transaction monitoring systems to flag activity inconsistent with a customer's expected behavior, peer group, or business type. Rules-based and machine-learning models are both widely used. Alerts must be reviewed, investigated, and either closed with documentation or escalated.
File Currency Transaction Reports (CTRs)
File a Currency Transaction Report with FinCEN within 15 calendar days whenever a customer conducts cash transactions aggregating more than $10,000 in a single business day. Multiple transactions by or on behalf of the same person are aggregated.
File Suspicious Activity Reports (SARs)
When a transaction of $5,000 or more (banks) or $2,000 or more (MSBs) involves suspected illegal activity, structuring, or evasion of BSA requirements, file a Suspicious Activity Report within 30 days of detection. Never tip off the subject of a SAR filing.
Maintain records and respond to exams
Retain transaction records for five years minimum. Cooperate fully with regulatory examinations by the OCC, Federal Reserve, FDIC, or FinCEN. Examiners assess both the design and the operational effectiveness of your BSA program.
Why the Bank Secrecy Act (BSA) Matters
BSA compliance is not a formality — it is a foundational obligation with direct revenue and legal consequences for payment businesses. Regulators have made clear that inadequate AML programs will result in enforcement, regardless of institution size. The numbers behind the BSA illustrate its scale and stakes.
Financial institutions file approximately 20 million CTRs and 3.5 million SARs annually, generating a massive database that FinCEN and law enforcement mine for financial crime intelligence (FinCEN Annual Report, 2023). This data has supported thousands of criminal prosecutions, asset forfeitures, and sanctions actions each year.
The cost of non-compliance is staggering. Between 2008 and 2023, global banks paid over $56 billion in AML-related fines, with individual settlements reaching as high as $1.9 billion for a single institution (Refinitiv Global AML Fines Report, 2023). For payment companies and fintechs, BSA enforcement actions have increasingly resulted in consent orders that restrict business activities, in addition to financial penalties.
Beyond direct fines, BSA failures damage banking relationships. If a payment company loses its bank sponsor due to compliance deficiencies, it can be effectively shut out of the payment system entirely — a risk sometimes called "de-risking." Maintaining a robust anti-money laundering program is therefore both a legal and business continuity requirement.
Bank Secrecy Act (BSA) vs. Anti-Money Laundering (AML)
These terms are often used interchangeably, but they are not the same. The distinction matters for compliance program design and regulatory communication.
| Dimension | Bank Secrecy Act (BSA) | Anti-Money Laundering (AML) |
|---|---|---|
| Nature | Specific U.S. federal statute (31 U.S.C. §§ 5311–5336) | Broad category of laws, regulations, and programs |
| Scope | U.S. jurisdiction only | Global; includes FATF standards, EU directives, local laws |
| Administrator | FinCEN (U.S. Treasury) | Multiple regulators across jurisdictions |
| Key outputs | CTRs, SARs, recordkeeping | AML programs, transaction monitoring, sanctions screening |
| Applies to | Defined "financial institutions" under U.S. law | Any business at risk of being used for money laundering |
| Penalties | Civil and criminal under U.S. Title 31 | Vary by jurisdiction; can include license revocation |
| Relationship | BSA is the legal foundation for U.S. AML obligations | AML programs are the operational response to BSA and global rules |
In practice, when U.S. compliance teams say "BSA/AML program," they mean the combined framework that satisfies the BSA's statutory requirements while also meeting broader AML expectations from prudential regulators and international standards.
Types of Bank Secrecy Act (BSA) Obligations
The BSA creates several distinct categories of compliance obligation, each with different triggers, thresholds, and filing mechanics.
Reporting requirements are the most visible BSA obligations. CTRs cover large cash transactions; SARs cover suspicious activity. Both feed into FinCEN's database and are accessible to law enforcement under specific protocols.
Recordkeeping requirements are less visible but equally important. The BSA requires financial institutions to retain records of wire transfers of $3,000 or more (the "Travel Rule"), maintain customer identification records, and keep logs of cash purchases of monetary instruments between $3,000 and $10,000. These records must be available to examiners on request.
Registration requirements apply specifically to money services businesses. MSBs must register with FinCEN, renew registration every two years, and maintain an agent list if they operate through agents. Failure to register is an independent criminal offense.
AML program requirements obligate covered institutions to implement and maintain the core compliance infrastructure described above. Examiners assess these programs against published guidance, including FinCEN's AML program rule and interagency examination manuals.
Foreign bank account reporting is a related but distinct obligation. The BSA created the Report of Foreign Bank and Financial Accounts (FBAR), requiring U.S. persons with foreign financial accounts exceeding $10,000 to disclose those accounts annually to FinCEN.
Best Practices
For Merchants
Merchants operating high-volume or cross-border payment flows should treat BSA awareness as a business priority, even if they are not themselves the "financial institution" filing CTRs and SARs.
- Understand your sponsor's BSA obligations. If you process payments through a bank or payment facilitator, their BSA requirements will flow downstream to your onboarding requirements, transaction limits, and data sharing obligations. Non-cooperation can result in account termination.
- Maintain clean transaction records. Retain transaction-level data, customer identification documents, and dispute records for at least five years. This protects you in the event your payment provider receives a regulatory inquiry related to your account.
- Avoid structuring. Never split transactions to stay under reporting thresholds — even with legitimate funds. Structuring is a federal crime under 31 U.S.C. § 5324 regardless of the source of funds.
- Screen customers and counterparties. Use OFAC sanctions screening and, for higher-risk relationships, check against PEP (politically exposed person) databases. Your payment provider may require evidence of this screening.
- Respond promptly to KYC requests. When your bank or payment provider requests additional documentation — enhanced due diligence — respond quickly and completely. Delays can trigger account reviews or holds.
For Developers
Developers building payment products must design systems that support BSA compliance by default rather than retrofitting controls later.
- Build audit trails into data models from day one. Every transaction record should capture timestamps, amounts, counterparties, IP addresses, and device identifiers. Retroactive data reconstruction for regulatory requests is expensive and often incomplete.
- Implement threshold alerting in transaction monitoring. Flag cash transactions at or near the $10,000 threshold for compliance review. Integrate with CTR filing workflows so that alerts automatically route to the appropriate queue.
- Support Travel Rule data fields. For transfers of $3,000 or more, your system must be able to transmit and receive originator and beneficiary information. Design APIs and data schemas to accommodate this from the start.
- Encrypt and access-control SAR-related data. SAR filings and the investigations that generate them are legally protected. Implement role-based access controls so that SAR data is visible only to authorized compliance personnel.
- Test monitoring rules regularly. Transaction monitoring rule sets degrade over time as customer behavior and typologies evolve. Build automated regression tests and schedule periodic rule reviews into your development roadmap.
Common Mistakes
Treating BSA as a one-time setup. Many early-stage payment companies build a BSA program during licensing and never revisit it. Regulators expect programs to evolve as transaction volumes grow, new products launch, and typologies change. A static program is a red flag in examination.
Filing CTRs only for individual transactions. The CTR aggregation rule catches many companies off guard. Multiple cash transactions by or on behalf of the same person in a single business day must be aggregated, even if no single transaction exceeds $10,000. Failure to aggregate is a common examination finding.
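The aggregation rule above, together with the threshold-alerting practice from the developer list, as an added example (not code from this page or from any vendor). It totals cash activity per person per business day and separates "CTR required" from "near threshold, route to review". The field names, the 90% review band, and the use of the posting date as the business day are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # a CTR applies to aggregates of MORE than $10,000
REVIEW_BAND = Decimal("0.90")     # assumption: review queue starts at 90% of threshold

@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    person_id: str       # assumption: resolved "by or on behalf of" party
    amount: Decimal      # Decimal, never float, for currency
    posted_at: datetime  # assumption: already in the institution's business-day timezone

def evaluate_cash_day(txns):
    """Aggregate cash by (person, business day) and classify each aggregate."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.person_id, t.posted_at.date())].append(t)
    alerts = []
    for (person, day), items in sorted(groups.items()):
        total = sum((t.amount for t in items), Decimal("0"))
        if total > CTR_THRESHOLD:
            status = "CTR_REQUIRED"
        elif total >= CTR_THRESHOLD * REVIEW_BAND:
            status = "REVIEW_NEAR_THRESHOLD"
        else:
            continue  # below the review band: no alert for this aggregate
        alerts.append({"person_id": person, "business_day": day.isoformat(),
                       "total": total, "status": status,
                       "txn_ids": [t.txn_id for t in items]})
    return alerts

SAMPLE = [  # constructed data, not real transactions
    CashTxn("t1", "cust-A", Decimal("4000"), datetime(2024, 3, 4, 9, 15)),
    CashTxn("t2", "cust-A", Decimal("3500"), datetime(2024, 3, 4, 12, 40)),
    CashTxn("t3", "cust-A", Decimal("3000"), datetime(2024, 3, 4, 16, 5)),
    CashTxn("t4", "cust-B", Decimal("10000"), datetime(2024, 3, 4, 10, 0)),
    CashTxn("t5", "cust-C", Decimal("6000"), datetime(2024, 3, 4, 11, 0)),
    CashTxn("t6", "cust-C", Decimal("6000"), datetime(2024, 3, 5, 11, 0)),
]

if __name__ == "__main__":
    for alert in evaluate_cash_day(SAMPLE):
        print(alert)
```

In the sample, cust-A has no single transaction above $10,000 but the day's aggregate is, which is the case a per-transaction check misses.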
Insufficient SAR narratives. A SAR with a thin narrative — "transaction appeared suspicious" — provides little value to law enforcement and suggests a weak investigation process. Examiners review SAR quality, not just quantity. Each SAR should document who, what, when, where, why, and how in specific terms.
Missing the 30-day SAR deadline. The clock for SAR filing starts when suspicious activity is detected, not when the transaction occurs. Weak escalation workflows that let alerts sit in queues for weeks frequently result in late filings — a direct regulatory violation.
Inadequate beneficial ownership collection. Since FinCEN's 2016 CDD Rule (and its successor requirements under the Corporate Transparency Act), collecting beneficial ownership information is mandatory for legal entity customers. Many fintech platforms collect this at onboarding but fail to refresh it when business ownership changes — leaving stale, inaccurate records that examiners will find.
Bank Secrecy Act (BSA) and Tagada
BSA compliance directly affects how payment orchestration platforms like Tagada are configured for merchants operating in the United States. When routing transactions through U.S.-regulated payment rails, BSA-related data requirements flow through every layer of the stack.
BSA-aware payment routing with Tagada
Tagada's payment orchestration layer can be configured to enforce transaction-level data capture — including originator and beneficiary fields required under the BSA Travel Rule — across all connected processors. For merchants at risk of BSA-triggered reviews, routing high-value transactions through processors with strong compliance infrastructure is a configurable default. Work with your Tagada implementation team to align routing rules with your sponsor bank's BSA program requirements before go-live.