FinCEN BSA Compliance: A Plain-English Guide for US Financial Firms

Quick Answer

The Bank Secrecy Act (BSA), administered by the Financial Crimes Enforcement Network (FinCEN), requires US financial institutions to maintain a BSA/AML compliance programme built on five pillars: internal policies and controls, a designated BSA compliance officer, ongoing employee training, independent testing, and Customer Due Diligence including beneficial ownership identification. Covered institutions must also file Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000 and Suspicious Activity Reports (SARs) when they detect activity that may indicate money laundering, fraud, or other financial crime.

The BSA is the cornerstone of the US anti-money laundering framework. Enacted in 1970 and significantly strengthened by the USA PATRIOT Act in 2001 and the Anti-Money Laundering Act of 2020, it creates binding obligations for banks, broker-dealers, money services businesses, insurance companies, mutual funds, and an expanding range of other financial institutions. FinCEN enforces the BSA and has the authority to impose civil money penalties, refer matters to the Department of Justice for criminal prosecution, and — in the most serious cases — seek the dissolution of a non-compliant institution.

This guide explains the BSA's five-pillar framework, the specific reporting obligations it creates, what FinCEN expects from a compliant programme, and how the regulatory landscape has evolved heading into 2026.

1. The Five Pillars of a BSA/AML Compliance Programme

FinCEN and the federal banking regulators (OCC, Federal Reserve, FDIC, NCUA) require covered financial institutions to implement a BSA/AML compliance programme structured around five core pillars. A programme that is weak on any one pillar is considered inadequate regardless of the strength of the others.

Pillar 1 — Internal Policies, Procedures and Controls

Firms must have written, board-approved AML policies that reflect their specific risk profile. These policies must cover customer identification, Customer Due Diligence, transaction monitoring, suspicious activity identification and reporting, record-keeping, and OFAC sanctions screening. Policies must be reviewed and updated regularly to reflect changes in the firm's business, regulatory guidance, and the evolving financial crime threat landscape.

Pillar 2 — A Designated BSA Compliance Officer

Every covered institution must designate a BSA Compliance Officer — an individual with sufficient authority, expertise, and resource to administer the AML programme effectively. The BSA officer must have direct access to senior management and the board, must be kept informed of all BSA/AML developments, and must not be so burdened with other responsibilities that AML compliance receives inadequate attention. Regulators have repeatedly found that a nominally designated BSA officer who lacks real authority or resource is a programme failure in its own right.

Pillar 3 — Ongoing Employee Training

All relevant employees must receive AML training appropriate to their roles. Front-line staff who interact with customers need to recognise the indicators of suspicious activity relevant to the products and services they deliver. Back-office staff processing transactions need to understand what triggers a CTR or SAR filing obligation. The BSA officer and compliance staff require deeper training on the technical and regulatory dimensions of the programme. Training must be documented, regularly refreshed, and not limited to generic online modules that bear no relationship to the firm's actual risk exposure.

Pillar 4 — Independent Testing (Audit)

The BSA/AML programme must be tested by an independent party — either an internal audit function that is genuinely independent of the compliance function, or an external third party. Testing must cover the adequacy of policies, the effectiveness of controls, the quality of transaction monitoring, the accuracy of SAR and CTR filings, and the completeness of the Customer Due Diligence programme. Findings must be reported to senior management and the board, and remediation must be tracked to completion.

Pillar 5 — Customer Due Diligence and Beneficial Ownership

The fifth pillar — added by FinCEN's Customer Due Diligence Rule in 2018 — requires covered institutions to identify and verify the identity of customers, understand the nature and purpose of customer relationships, conduct ongoing monitoring, and identify and verify the beneficial owners of legal entity customers. Beneficial ownership identification requires firms to collect information on individuals who own 25% or more of a legal entity customer, as well as one individual who controls the entity.

The customer onboarding process must capture all required CDD information before the business relationship commences. FinCEN has made clear that CDD is not a one-time event at onboarding — it is an ongoing obligation that must be refreshed when material changes occur or when the customer's activity deviates significantly from their expected profile.

2. Currency Transaction Reports (CTRs)

DEFINITION

A Currency Transaction Report must be filed with FinCEN for each cash transaction — or series of related cash transactions — exceeding $10,000 in a single business day. The CTR requirement applies to currency (physical banknotes and coins) rather than electronic transfers. It is a mandatory filing regardless of whether the transaction appears suspicious — the threshold alone triggers the obligation.

CTR filing is one of the most operationally demanding aspects of BSA compliance for institutions handling significant cash volumes. The aggregation requirement — which means that multiple cash transactions by the same customer on the same day must be combined when assessing whether the threshold is met — creates a surveillance obligation that must be built into transaction processing systems rather than left to individual teller judgement.

Structuring — the deliberate breaking up of cash transactions to avoid the CTR threshold — is itself a federal crime under 31 USC 5324, and detecting structuring patterns is one of the core functions of a transaction monitoring programme.
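The aggregation rule described above, as an added example (not code from this guide or from any vendor): it sums cash-only transactions per customer per business day and returns the groups whose total exceeds $10,000. The field names, the sample data, and the "aggregation_only" review flag are assumptions made for illustration; cash-in and cash-out direction is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")  # the guide: cash "exceeding $10,000" in one business day

@dataclass(frozen=True)
class Txn:                        # hypothetical record layout
    customer_id: str
    business_day: date
    amount: Decimal
    instrument: str               # "cash", or anything else (e.g. "wire")

def ctr_candidates(txns):
    """Return one record per customer/day whose combined cash exceeds the threshold."""
    groups = defaultdict(list)
    for t in txns:
        if t.instrument == "cash":            # electronic transfers do not count
            groups[(t.customer_id, t.business_day)].append(t.amount)
    out = []
    for (cust, day), amounts in sorted(groups.items()):
        total = sum(amounts, Decimal("0"))
        if total > CTR_THRESHOLD:             # strictly greater: exactly $10,000 is not reportable
            out.append({
                "customer_id": cust,
                "business_day": day,
                "total": total,
                "count": len(amounts),
                # Assumption: when no single leg exceeds the threshold, only the
                # aggregation caught it, so the group is also routed to an analyst.
                "aggregation_only": all(a <= CTR_THRESHOLD for a in amounts),
            })
    return out

D1, D2 = date(2026, 1, 5), date(2026, 1, 6)   # constructed sample data
SAMPLE = [
    Txn("C1", D1, Decimal("6000"), "cash"), Txn("C1", D1, Decimal("4500"), "cash"),
    Txn("C2", D1, Decimal("10000"), "cash"),                   # exactly at threshold
    Txn("C3", D1, Decimal("12000"), "cash"),                   # single large deposit
    Txn("C4", D1, Decimal("9000"), "cash"), Txn("C4", D1, Decimal("5000"), "wire"),
    Txn("C5", D1, Decimal("7000"), "cash"), Txn("C5", D2, Decimal("7000"), "cash"),
]

if __name__ == "__main__":
    for rec in ctr_candidates(SAMPLE):
        print(rec)
```

Only C1 (two deposits totalling $10,500) and C3 are returned; C2, C4 and C5 show the exact-threshold, non-cash and cross-day cases that do not trigger a filing under the rule as this guide states it.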

3. Suspicious Activity Reports (SARs)

SAR filing is the mechanism through which financial institutions report suspected money laundering, fraud, terrorist financing, and other financial crime to FinCEN. Unlike CTRs, SARs are triggered by suspicion rather than a fixed threshold — though FinCEN guidance specifies minimum dollar thresholds below which SAR filing is generally not required for most institution types.

| Institution Type | SAR Filing Threshold | Filing Deadline |
|---|---|---|
| Banks and credit unions | $5,000 or more where a suspect can be identified; $25,000 or more regardless of suspect identification | 30 calendar days from detection; 60 days if no suspect identified at initial detection |
| Broker-dealers | $5,000 or more | 30 calendar days from detection |
| Money services businesses | $2,000 or more | 30 calendar days from detection |
| Insurance companies | $5,000 or more | 30 calendar days from detection |
| Mutual funds | $5,000 or more | 30 calendar days from detection |

The tipping-off prohibition applies to US SARs just as it does to UK SARs: institutions are legally prohibited from disclosing to a customer, or to anyone else, that a SAR has been filed or that it is under consideration. Violation of this prohibition is itself a federal offence. The entire SAR investigation process — from the initial alert through the internal review, the BSA officer's decision, and the final filing — must be documented and retained for five years.

4. The Corporate Transparency Act and Beneficial Ownership

The Corporate Transparency Act (CTA), which came into full effect in 2024, created a new beneficial ownership reporting regime administered by FinCEN. Under the CTA, most US corporations, LLCs, and similar entities are required to file beneficial ownership information directly with FinCEN — creating a national beneficial ownership registry that financial institutions can access to support their CDD obligations.

For financial institutions, the CTA does not eliminate the obligation to conduct their own beneficial ownership verification at onboarding — that obligation continues under the FinCEN CDD Rule. However, it creates an additional data source that institutions can use to corroborate the beneficial ownership information provided by customers, and its existence increases the reputational and legal risk for customers who provide inaccurate ownership information.

5. FinCEN Enforcement: Common BSA Failures

FinCEN's enforcement actions — often issued jointly with the OCC, Federal Reserve, or state regulators — reveal a consistent set of programme failures that attract the most serious penalties.

  • Transaction monitoring gaps — systems that were not calibrated to the institution's actual customer base and transaction patterns, producing either excessive false positives or systematic false negatives. The transaction monitoring programme must be fit for purpose, not simply present.
  • Failure to file SARs on a timely basis — particularly where internal escalation processes caused delays between detection and the BSA officer's review, resulting in filings outside the 30-day window.
  • Inadequate CDD on high-risk customers — correspondent banking relationships, money services business customers, and customers from high-risk jurisdictions that received insufficient scrutiny at onboarding and during the relationship.
  • BSA officer with insufficient authority or resource — a recurring finding in major enforcement actions, where the designated BSA officer lacked the seniority, independence, or staffing to run an effective programme.
  • Failure to implement audit findings — programmes where independent testing identified material deficiencies that were not remediated on a timely basis, or where remediation was documented but not actually implemented.

6. Key Regulatory Developments for 2026

The US BSA/AML regulatory landscape continues to evolve under the Anti-Money Laundering Act of 2020, which mandated the most significant reforms to the BSA framework in decades. Key developments for 2026 include:

  • FinCEN's AML/CFT Programme Rule — FinCEN has been developing a rule to modernise the requirements for AML/CFT programmes, incorporating a risk-based approach more explicitly into the programme requirements and updating the CDD framework. Firms should monitor FinCEN's rulemaking activity for finalisation.
  • Beneficial ownership database access — as the CTA beneficial ownership registry matures, FinCEN is developing rules governing financial institution access to the registry for CDD purposes. This will eventually allow institutions to verify customer-provided beneficial ownership information against the FinCEN database.
  • Virtual asset regulation — FinCEN continues to extend BSA requirements to virtual asset service providers, including proposed rules on cryptocurrency mixing services and additional guidance on Travel Rule implementation for US-regulated crypto firms.
  • Whistleblower programme — the AML Act of 2020 created a significantly enhanced whistleblower programme for BSA violations, with awards of up to 30% of sanctions exceeding $1 million. This materially increases the risk that internal compliance failures will reach FinCEN's attention through channels outside the firm's control.
