What is the Bank Secrecy Act?

Learn about the Bank Secrecy Act's requirements and how the law could impact your business.

⚡ Key takeaways
  1. The BSA requires all financial institutions to cooperate with the federal government in preventing money laundering.
  2. Under the BSA, financial institutions must verify their customers' identities, monitor and report suspicious activity, and develop internal anti-money laundering policies.
  3. Though the BSA originally applied to legacy financial institutions like banks and credit unions, its influence has grown to include many new and emerging industries.

The financial industry is one of the most regulated industries in the United States. While many of these regulations exist to protect consumers, some are designed to identify, monitor, and report financial crimes.

One of the most important laws that fall under this second category is the Bank Secrecy Act of 1970, which applies to all financial institutions — from banks, credit unions, and lenders to brokers, insurers, currency and cryptocurrency exchanges, fintech companies, and even casinos (amongst others).

With this in mind, let’s take a closer look at what exactly the Bank Secrecy Act is, review its requirements for financial institutions, and explore how a law that is more than 50 years old is shaping today’s emerging industries.

What is the Bank Secrecy Act (BSA)?

The Bank Secrecy Act (BSA) is a US law that was passed in 1970 to fight money laundering and other financial crimes. It is also known as the Currency and Foreign Transactions Reporting Act and is occasionally referred to generically as the anti-money laundering law.

The goal of the Bank Secrecy Act is simple: prevent US financial institutions from becoming a tool that criminals can use to launder money or commit other financial crimes. It achieves this by requiring all financial institutions (including banks, lenders, brokers, insurers, and more) to cooperate with the federal government in preventing money laundering.

Specifically, the BSA requires financial institutions to keep records of any cash transaction exceeding $10,000 in a single day and report any activity they suspect might be tied to tax evasion, money laundering, and other financial crimes.

Over the years, the Bank Secrecy Act has been amended and expanded a number of times, most recently with the USA PATRIOT Act of 2001 and the Anti-Money Laundering Act of 2020.

Bank Secrecy Act (BSA) requirements

While the goals of the Bank Secrecy Act are relatively straightforward, compliance can be complicated. That’s because the law establishes several requirements that financial institutions must meet. These requirements can be broken down into three main areas: customer identity verification, monitoring and reporting, and internal policies.

1. Customer identity verification

Financial institutions are required by law to verify the identity of their customers. This allows financial regulators to “follow the money” in cases of confirmed or suspected money laundering and other financial crimes, and also makes it more difficult for fraud, like account takeovers, to occur.

While customer identity verification processes vary by business, they usually entail collecting information like the customer’s name, date of birth, address, and Social Security number (amongst other data points as necessary) from verified sources such as a government-issued ID. They also involve creating risk profiles for customers. Once verified, these customer identities may be cross-checked against other databases, such as sanctions lists, adverse media lists, and watchlists.

These requirements are known collectively as Know Your Customer (KYC), Customer Identification Programs (CIP), and/or Customer Due Diligence (CDD). Customer identity is typically verified during onboarding, when a user creates their account, and then routinely monitored over time.

Customer identity verification was not an original requirement of the Bank Secrecy Act. Instead, the tenets of KYC compliance were introduced with the creation of the Financial Crimes Enforcement Network (FinCEN) in the early 1990s, and then later expanded by the USA PATRIOT Act in 2001.

2. Monitoring & reporting

The Bank Secrecy Act requires financial institutions to report any customer activity that might signify money laundering, tax evasion, or other financial crimes.

There are multiple reports financial institutions are required to file when they do encounter suspicious activity. Amongst the most important of these reports are:

  • Currency Transaction Report (CTR): Financial institutions must file a CTR any time a customer makes cash transactions over $10,000 in a single business day. This can be from a single or multiple transactions.
  • Form 8300: Businesses that receive cash payments totaling at least $10,000 in a single business day (whether from a single or multiple transactions) must file a Form 8300. Businesses commonly subject to this reporting requirement include insurance firms, art galleries, and car dealerships, amongst other businesses.
  • Suspicious Activity Report (SAR): If a financial institution encounters suspicious activity, it is required to submit an SAR. What exactly constitutes suspicious activity is open to interpretation. That being said, it often includes patterns of behavior that may indicate the customer is attempting to avoid CTR reporting requirements or is otherwise engaged in money laundering, check fraud, wire fraud, terrorist financing, or other financial crimes.
  • Foreign Bank and Financial Account Report (FBAR): Individuals holding at least $10,000 in a foreign bank account must file an FBAR each year. Though this is an obligation of the account holder, it is not uncommon for financial professionals like tax professionals and wealth managers to file the form on behalf of their clients.

Naturally, in order to comply with these reporting requirements, the financial institution must have processes in place to securely monitor customer transaction activity on an ongoing basis.

3. Internal policies

Finally, the Bank Secrecy Act requires financial institutions to develop internal anti-money laundering (AML) policies, procedures, and controls. This requirement originates in Section 352 of the PATRIOT Act, which amended the BSA, and in FinCEN’s customer due diligence rule, which further expanded the requirements.

There are five key components, or pillars, of AML compliance:

  1. Designate a compliance officer who will act as the key point person for anything related to AML compliance.
  2. Develop internal policies to monitor for suspicious activity and comply with reporting requirements.
  3. Create an AML training program for employees that empowers them to spot suspicious activity and comply with BSA requirements.
  4. Independently test and audit anti-money laundering policies and programs through third-party auditors.
  5. Implement a risk-based approach to customer due diligence and identity verification.

Want a more in-depth look at these requirements? Check out our deep dive on the five pillars of AML compliance.


Why the Bank Secrecy Act still matters today

Even though the Bank Secrecy Act is more than 50 years old, it continues to have a significant impact on businesses today. In fact, amendments and expansions of the law in recent years have arguably made it an even more powerful regulatory force.

Though the law originally applied to banks, lenders, credit unions, insurers, and other legacy financial institutions, its influence has grown to include many new and emerging industries. Fintech companies, online casinos, cryptocurrency exchanges, and more are all subject to the KYC and AML regulations that originated with the BSA. Even organizations not currently under the purview of the BSA — like decentralized exchanges — may suddenly find themselves subject to its requirements with little warning.

With all of this in mind, it’s critical for any business that may be considered a financial institution to have adequate KYC and AML policies in place. Failure to do so can lead to substantial financial penalties. Just weeks ago, Wells Fargo Advisors was forced to pay a $7 million penalty to settle charges related to the late filing of 34 suspicious activity reports between 2017 and 2021.

Regardless of the specific industry you operate within, if you are subject to the Bank Secrecy Act, Persona can help you meet your compliance needs.

Our Verifications tool allows you to verify your customers’ and users’ identities as you see fit while meeting KYC requirements. Meanwhile, our Reports tool continuously cross-checks your database of customers and users against a number of different reports, such as watchlists, sanctions lists, and more. When our system flags suspicious activity and you want to take a closer look, our Cases tool gives you a single hub to investigate and make decisions.

Interested in learning more? Start for free or get a demo today.
