BSA/AML — U.S. Bank Secrecy Act & Anti-Money Laundering
Five-pillar program requirements, SAR/CTR filings, customer due diligence, and the evidence infrastructure BSA/AML compliance actually requires. For BSA Officers, CCOs, and compliance teams.
The Bank Secrecy Act (BSA) and the broader U.S. Anti-Money Laundering (AML) framework together form the primary U.S. regime for preventing the financial system from being used to launder proceeds of crime or finance terrorism. Administered by FinCEN (Financial Crimes Enforcement Network) within the Treasury, BSA/AML obligations apply to banks, credit unions, money services businesses, securities dealers, and an expanding range of fintechs.
This page covers the core BSA/AML obligations, what a compliant program looks like, the specific filings BSA requires, and how evidence infrastructure supports BSA/AML compliance.
The five pillars of a BSA/AML program
Since 2018, covered institutions have been required to implement an AML program that meets five pillars:
- Internal controls — documented policies and procedures for the risk-based compliance program.
- Designated BSA officer — a specifically named individual responsible for program implementation (typically a Chief Compliance Officer or BSA Officer).
- Training — ongoing training for relevant personnel on BSA/AML obligations.
- Independent testing — regular independent review of the program's design and operating effectiveness.
- Customer due diligence (CDD) — including the beneficial ownership rule for legal-entity customers.
Core BSA filings
Suspicious Activity Reports (SARs)
When a covered institution knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity, is intended to hide such activity, is designed to evade reporting requirements, or has no apparent lawful purpose, it must file a SAR with FinCEN within 30 days (60 days if a subject has not been identified).
Currency Transaction Reports (CTRs)
Cash transactions (deposit, withdrawal, exchange) exceeding $10,000 in aggregate by the same person on the same business day must be reported on a CTR. Structuring transactions to evade the threshold is itself a crime.
Beneficial Ownership (FinCEN BOI Reporting)
Under the Corporate Transparency Act, most U.S. and foreign legal entities doing business in the U.S. must file beneficial ownership information with FinCEN. Implementation has been subject to legal challenges; verify current reporting status through counsel before acting on specific deadlines.
Other filings
These include FBAR (Report of Foreign Bank and Financial Accounts), Form 8300 (cash transactions in a trade or business over $10K), and Section 314(a) and 314(b) information sharing.
Customer Due Diligence and beneficial ownership
The CDD rule requires covered institutions to identify and verify beneficial owners of legal-entity customers (typically at a 25% ownership threshold, or any single individual exercising significant control) at account opening and on an ongoing basis. This is where BSA/AML intersects directly with KYC and KYB orchestration.
Specific CDD elements:
- Customer identification (CIP — Customer Identification Program)
- Beneficial ownership identification for legal-entity customers
- Understanding customer relationships and expected activity (risk profile)
- Ongoing monitoring to detect and report suspicious activity
Who BSA/AML applies to
BSA/AML obligations apply broadly:
- Banks, credit unions, savings associations
- Money services businesses (MSBs) — money transmitters, currency exchangers, issuers/redeemers of traveler's checks
- Securities dealers and broker-dealers
- Casinos and card clubs
- Certain fintechs (especially those operating as MSBs or partnering with banks)
- Dealers in precious metals, stones, or jewels; mortgage lenders; insurance companies
Fintechs operating on a banking-as-a-service partnership structure inherit BSA/AML obligations through their sponsor banks — whose compliance obligations flow contractually to the fintech partner.
Evidence requirements
BSA/AML audits (whether by FinCEN, functional regulators, or independent testers) rely on evidence:
- Customer identification records per the CIP program
- Beneficial ownership records per the CDD rule
- Risk-profile documentation at customer onboarding and on updates
- Transaction monitoring alerts, reviews, and dispositions
- SAR and CTR filings with supporting documentation
- Training records
- Independent testing reports
- Policy and procedure documentation with version history
All of this must be produced on demand, typically with tight timelines. An institution that can't produce evidence for a specific customer/transaction/date range has failed the audit regardless of how well the underlying controls actually worked.
How FinQub supports BSA/AML compliance
FinQub's orchestration across KYC, KYB, transaction monitoring, sanctions screening, and communications vendors produces evidence relevant to multiple BSA/AML pillars:
- CIP and CDD execution — every identity verification logged with the vendor, decision, confidence, and documentation references.
- Beneficial ownership — every UBO identification logged with registry source, ownership percentage, and individual KYC reference.
- Risk profile establishment — risk tier assigned per workflow with the inputs and rules that drove it.
- Transaction monitoring alerts — alert generation, routing to review, disposition, and SAR/CTR escalation all logged chronologically.
- Tamper-evident record-keeping — hash-chained audit trail with regulatory framework tagging (BSA/AML, FinCEN, FINTRAC).
- Examiner-ready export — complete files for a given customer or transaction or date range as a single document.
FinQub provides evidence infrastructure — not compliance determination. Whether a specific BSA/AML program meets FinCEN, OCC, FDIC, or Federal Reserve expectations remains the responsibility of the covered institution, its BSA Officer, and its regulators. What FinQub provides is the infrastructure required to demonstrate compliance.
Practical next steps for BSA Officers and CCOs
- Inventory every AML-relevant decision your program makes — onboarding, ongoing monitoring, transaction monitoring, alert review, escalation, SAR/CTR filing.
- For each decision type, assess where the evidence currently lives and how quickly it can be produced on demand.
- Identify the high-risk gaps — typically alerts generated in transaction monitoring systems that don't tie cleanly to customer records, or KYC decisions whose rationale isn't preserved beyond the vendor's retention window.
- Prioritize consolidation: every decision surface you can move onto a platform with built-in evidence infrastructure is one less place that can fail an audit.