The requirements of the Bank Secrecy Act (BSA) and anti-money-laundering laws (AML) are pervasive and longstanding, yet they continue to vex companies trying to comply with them. Regulators have hit virtually all large banks, and many nonbanks, with BSA/AML-related enforcement actions, resulting in large fines, deferred prosecution agreements, criminal consequences, and reputational damage.
New BSA/AML requirements are making compliance more, not less, challenging. The Financial Crimes Enforcement Network’s Customer Due Diligence Rule, for example, will add to compliance costs and could contribute to further de-risking of bank accounts for money services businesses and other customers. This has made it more difficult for customers to maintain accounts and added to the demanding nature and already high cost of BSA/AML compliance.
The nexus between BSA/AML requirements and law enforcement and national security concerns will ensure that compliance remains a top priority for regulators and the Department of Justice. Understanding exactly what is required of an institution from a BSA/AML perspective is therefore more critical than ever.
Enacted in 1970, the BSA is primarily a recordkeeping and reporting statute. Its purpose is to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.
Tax evasion was the BSA’s initial purpose, but it subsequently became a primary weapon in the fight against narcotics, money laundering, terrorist financing, human trafficking, elder abuse, and other illicit activity. The Patriot Act, enacted shortly after 9/11, expanded the BSA beyond banking, and now most nonbank financial institutions have BSA-related obligations, including compliance programs and suspicious-activity reporting. Even entities not subject to the BSA often assume compliance responsibilities because they contract with an entity subject to the BSA.
Chief among this expanded scope of institutions subject to the BSA are money services businesses (MSBs)—money transmitters, check cashers, providers of prepaid access, and dealers in foreign exchange, among others—and residential mortgage loan originators (RMLOs). The specific requirements for these categories of institutions are discussed in detail below.
Requirements for MSBs
Compliance program. The fundamental requirement for MSBs under the BSA is the development and implementation of a BSA/AML compliance program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. The written compliance program must be commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided by, the MSB and made available for inspection by the Department of the Treasury.
These programs must incorporate what are referred to as the four pillars:
- policies, procedures, and internal controls that are reasonably designed to assure compliance with the BSA, including procedures to verify customer identification (applicable only to providers or sellers of prepaid access), file reports, maintain records, and respond to law enforcement requests;
- a designated person to assure day-to-day compliance with the program;
- education and training of appropriate personnel; and
- independent review to monitor and maintain an adequate program.
Registration. MSBs (other than providers of prepaid access) are required to register with FinCEN and renew that registration every two years; states in which the MSB does business often require registration as well. Agents generally do not have to register.
Reporting. MSBs have specific reporting requirements, the most important of which are currency transaction reports (CTRs) on cash transactions exceeding $10,000 and suspicious-activity reports (SARs) on suspicious transactions exceeding $2,000. MSBs must retain CTRs and SARs for five years from the date of filing.
An MSB may disclose SARs to only a limited group: FinCEN; a federal authority (such as the IRS) or state authority with power to examine the MSB for compliance with the BSA; and federal, state, and local law enforcement. Strict confidentiality requirements apply, with criminal penalties for unauthorized disclosure. The business may share facts, transactions, and documents underlying a SAR with other institutions and, in limited circumstances (permitted by regulation or regulatory guidance), may share the actual report within the organization. MSBs are protected from civil liability extending from SAR filings. FinCEN and its delegates are responsible for examining MSBs for compliance with these requirements.
Requirements for RMLOs
RMLOs are subject to program requirements that are similar to those applicable to MSBs. Although RMLOs are not required to submit CTRs, they are required to file similar reports (Form 8300) when receiving cash payments over $10,000. They are also subject to SAR requirements, although the filing threshold is $5,000. The SAR recordkeeping and confidentiality requirements also apply, as well as the safe harbor from civil liability. As with MSBs, FinCEN and its delegates conduct compliance examinations.
Sanctions are not formally part of the BSA, but are related and important. Compliance with the sanctions regime is required for all U.S. persons, not just financial institutions. The Office of Foreign Assets Control (OFAC) is responsible for administering U.S. sanctions. There is no formal program requirement, but regulators expect banks and most nonbank financial institutions to have an effective filtering process in place to screen accounts and transactions for the involvement of individuals and entities that are on the Specially Designated Nationals and other lists or are OFAC-sanctioned jurisdictions, such as Iran and North Korea. Companies are expected to block or reject (depending on the exact sanctions) attempted transactions that result in hits and report them to OFAC. Sanctions compliance has been under intense scrutiny in recent years, and violations have resulted in large fines.
Although nonbanking institutions are not regulated for BSA/AML and sanctions compliance to the same degree that banks are, they are widely perceived as vulnerable to illicit activity and therefore subject to significant scrutiny. Enforcement agencies include FinCEN, DOJ, and OFAC as well as federal, state, and local regulators. As fines over many years have made clear, the costs of getting it wrong in this area can be severe. Institutions subject to the BSA/AML requirements should therefore take care to develop, implement, and maintain procedures covering the following areas:
- risk assessment
- customer identification
- customer due diligence/enhanced due diligence (CDD/EDD)
- customer risk rating
The primary purpose of these procedures is to help companies develop a deep enough understanding of their customers to be aware of which ones present AML risks, and then help companies successfully manage those risks while identifying and reporting suspicious transactions.
Given the expanding role of nonbanking institutions in the payment system and the overall economy—and the persistent focus on money flows implicating national security or law enforcement concerns—BSA/AML compliance is poised to be an area of increasing importance for the foreseeable future.
 See Customer Due Diligence Rule, 31 C.F.R. § 1010.230.
 See Bank Secrecy Act, 31 U.S.C. § 5311 et seq.
 See Pub. L. No. 107-56, 115 Stat. 272 (2001).
 Much of the subsequent discussion of the requirements of BSA/AML laws and related compliance obligations are descriptions drawn from 31 C.F.R. §§ 1010, 1020, and 1029. For more information, see https://www.law.cornell.edu/cfr/text/31/subtitle-B/chapter-X.