Module 1: BSA Compliance Fundamentals

This module covers the foundational requirements of the Bank Secrecy Act — the cornerstone of U.S. anti-money laundering regulation. Required for all employees regardless of role.

Lesson 1.1 — What Is the Bank Secrecy Act?

The Bank Secrecy Act of 1970 (BSA), also known as the Currency and Foreign Transactions Reporting Act (31 U.S.C. §§ 5311–5336), is the primary U.S. federal law establishing requirements for financial institutions to maintain records and file reports that help law enforcement and regulatory agencies identify and investigate potential money laundering, tax evasion, and other financial crimes.

The BSA is administered and enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. FinCEN collects and analyzes financial transaction data from financial institutions, sharing it with law enforcement agencies including the FBI, DEA, IRS-CI, and DHS.

The BSA establishes three core pillars that every covered financial institution must implement:

Customer Identification Program (CIP) — Verify the identity of every customer before opening an account. Collect name, date of birth, address, and identification number for natural persons; equivalent information for legal entities.
Customer Due Diligence (CDD) — Understand the nature and purpose of customer relationships, develop risk profiles, and conduct ongoing monitoring of transactions relative to those profiles.
Suspicious Activity Reporting — File Suspicious Activity Reports (SARs) with FinCEN when a covered transaction involves at least $5,000 and involves, or is reasonably suspected to involve, criminal activity.

⚖ Regulatory Note

The BSA was substantially amended by the USA PATRIOT Act of 2001 (Section 352), which required all financial institutions to implement formal AML programs — not just recordkeeping. The PATRIOT Act also expanded BSA requirements to cover more institution types including money services businesses, broker-dealers, and insurance companies.

Lesson 1.2 — Know Your Customer (KYC) and Customer Due Diligence

KYC is the practical implementation of CIP and CDD requirements. Every financial institution must have written procedures for collecting, verifying, and maintaining customer identity information.

Customer Identification Program (CIP) — Minimum Requirements

For individual customers, the following information must be collected at account opening:

Legal name
Date of birth
Street address (not P.O. Box for primary address)
U.S. taxpayer ID number (SSN/ITIN) — or for non-U.S. persons, a passport number, alien identification card number, or government-issued ID

For legal entity customers (corporations, LLCs, partnerships), collect: entity name, street address, EIN, and — critically — Beneficial Ownership information.

Beneficial Ownership Rule (FinCEN CDD Rule — 2018)

Financial institutions must identify and verify the identity of any individual who owns 25% or more of a legal entity customer, plus one individual who controls the entity (the "Control Prong"). This rule was enacted to prevent use of shell companies to obscure the true owner of an account.

⚠ Violation Risk

Failing to collect or verify beneficial ownership information when required is a BSA violation. The beneficial ownership threshold is 25% — not 51% or 50%. A company with four equal 25% owners requires identification of all four.

Customer Risk Rating

After collecting identity information, institutions must assign a risk rating to each customer — typically Low, Medium, or High. Higher-risk customers require Enhanced Due Diligence (EDD), which includes:

Source of funds verification
More frequent account review and monitoring
Senior management approval for account opening
Ongoing documentation of the business relationship purpose

Factors that trigger EDD include: Politically Exposed Person (PEP) status, high-risk jurisdiction, cash-intensive business, complex ownership structure, or prior suspicious activity history.

Lesson 1.3 — Currency Transaction Reports (CTRs)

A Currency Transaction Report (CTR) must be filed with FinCEN for any single cash transaction or series of related cash transactions totaling more than $10,000 in a single business day. This requirement exists regardless of whether the transaction appears suspicious.

CTR filing is triggered by currency (physical cash) transactions — wire transfers, ACH, and card payments do NOT trigger CTR requirements.

Scenario Analysis

A business customer deposits $6,000 at 10:00 AM and $5,500 at 3:00 PM on the same day at different branches. Is a CTR required?

Yes. The two transactions are aggregated as related cash transactions by the same person on the same day — total $11,500, which exceeds the $10,000 threshold. The teller system should automatically aggregate transactions and prompt CTR filing. Manual aggregation may be required for transactions at different branches. Failure to aggregate is a common BSA examination finding.

Structuring — What It Is and Why It's a Federal Crime

Structuring (also called "smurfing") is the practice of breaking up currency transactions into smaller amounts to intentionally avoid the $10,000 reporting threshold. Structuring is a federal crime under 31 U.S.C. § 5324 — regardless of whether the underlying funds are from illegal activity.

⚠ Critical: Structuring Red Flags

Watch for: multiple cash deposits just under $10,000 (e.g., $9,900, $9,800), customer asking about reporting requirements before completing a transaction, customer withdrawing a transaction when informed of CTR requirements, or multiple individuals making structuring deposits for the same beneficiary. Each of these scenarios should trigger a SAR assessment.

Lesson 1.4 — Suspicious Activity Reports (SARs)

A Suspicious Activity Report must be filed with FinCEN when a covered financial institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity, is designed to evade BSA requirements, or lacks a lawful purpose when a reasonable explanation is not possible.

Filing thresholds:

$5,000 or more — when a suspect can be identified
$25,000 or more — regardless of suspect identification

Filing deadline: 30 calendar days from the date the suspicious activity is initially detected. This extends to 60 days when no suspect was identified at the time of initial detection.

SAR confidentiality: Federal law (31 U.S.C. § 5318(g)(2)) prohibits financial institutions and their employees from disclosing — to the subject of the SAR or any third party — that a SAR has been filed. This is the tipping off prohibition. Violating it carries criminal penalties.

Scenario Analysis

A customer's account shows $8,500 in structured deposits over 3 days. Your compliance team files a SAR. The relationship manager asks whether they can "have a conversation with the customer about how they're banking" to retain the relationship. How do you respond?

No. Once a SAR has been filed or is under consideration, any communication with the customer that could alert them to the investigation — even an indirect one — violates the tipping off prohibition. The relationship manager should be told: "If a SAR is filed for this customer, you cannot take any action that could tip them off. This includes discussing their banking patterns, 'educating' them about reporting thresholds, or altering the relationship in any way that signals scrutiny."

Note — Safe Harbor

The BSA provides a "safe harbor" (31 U.S.C. § 5318(g)(3)) that protects financial institutions and their employees from civil liability for filing SARs — even if the suspicious activity turns out not to involve criminal conduct. This safe harbor does NOT extend to employees who disclose the existence of a SAR to unauthorized parties.

Module 1 Complete

Test your understanding of BSA requirements before proceeding to Module 2.

Take Knowledge Check →