Bank Secrecy Act Compliance: Essential Guide for Fintechs

The Bank Secrecy Act (BSA), enacted in 1970 and substantially strengthened by the USA PATRIOT Act of 2001, remains the foundational pillar of US anti-money laundering regulation. For fintech companies — whether operating as money services businesses (MSBs), licensed payment processors, or bank partners — BSA compliance is not optional, and the consequences of failure are among the most severe in the global regulatory landscape. Understanding the BSA's requirements, their practical implications, and the enforcement regime that backs them is essential for any company operating in or accessing the US payments system.

Who Must Comply

BSA obligations apply to "financial institutions" as defined in 31 USC § 5312. For fintech purposes, the most relevant categories are:

  • Money services businesses (MSBs): Entities that operate as money transmitters, currency dealers or exchangers, check cashers, issuers/sellers of money orders or travellers' cheques, or providers/sellers of prepaid access. MSBs must register with FinCEN and comply with full BSA programme requirements.
  • Banks and bank-like entities: Chartered institutions under federal or state banking law, including federally chartered credit unions. Banks have the most comprehensive BSA obligations and are subject to examination by their primary federal regulator.
  • Broker-dealers, mutual funds, insurance companies: Also subject to BSA requirements, with specific rules applicable to their business activities.

Importantly, fintech companies that partner with banks under a banking-as-a-service (BaaS) model — where the bank holds the charter and issues the product — may have contractual BSA obligations delegated to them by the bank under a bank-fintech compliance arrangement. FinCEN has been increasingly clear that such delegation does not reduce the bank's regulatory liability, and many sponsor banks have significantly increased their compliance requirements for fintech partners as a result.

The Five Pillars of a BSA Compliance Programme

FinCEN requires every financial institution to maintain a written BSA/AML compliance programme that includes five minimum elements:

1. Internal Controls

A system of internal controls designed to ensure ongoing compliance with BSA requirements. This includes policies and procedures covering customer identification, transaction monitoring, SAR filing, CTR reporting, and record retention. Controls must be commensurate with the risk profile of the business — a high-volume cross-border payment processor faces materially different risks than a small local check casher, and the controls programme must reflect this.

2. Independent Testing

Regular independent testing (audit) of the BSA compliance programme. This may be conducted by an internal audit function or an external third party, but must be genuinely independent of the compliance function being tested. Examiners look for evidence that the testing programme covers all material BSA risk areas, produces findings that are reported to senior management and the board, and that findings are tracked and remediated.

3. Designated BSA Compliance Officer

A designated individual responsible for day-to-day management of the BSA compliance programme. This person must be sufficiently senior, qualified, and resourced to perform the role effectively. Critically, the BSA Officer must have direct access to senior management and the board — a compliance function buried in operations without board-level visibility is a red flag in any examiner review.

4. Training

Ongoing training for appropriate personnel. The training programme must cover the BSA requirements relevant to each employee's role, be refreshed regularly, and completion must be tracked and documented. Examiners will specifically look for evidence that training is not purely generic — frontline staff should be trained to recognise the specific red flags relevant to the products they service.

5. Customer Due Diligence

Following FinCEN's 2016 CDD Rule, customer due diligence is now an explicit fifth pillar. The CDD Rule requires financial institutions to establish and maintain written CDD procedures that include: (a) identifying and verifying the identity of customers; (b) identifying and verifying the identity of beneficial owners of legal entity customers; (c) understanding the nature and purpose of customer relationships; and (d) conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information.

Currency Transaction Reports (CTRs)

Financial institutions must file a Currency Transaction Report (FinCEN Form 112) for each cash transaction exceeding $10,000, or multiple transactions that aggregate to more than $10,000 in a single business day by or for the same person. CTRs must be filed within 15 calendar days of the transaction and retained for five years.

Structuring — breaking up transactions specifically to avoid the $10,000 reporting threshold — is a federal crime under 31 USC § 5324, regardless of whether the underlying funds are from legitimate sources. Compliance programmes must include controls to detect structuring patterns, and detected structuring should typically result in a SAR filing alongside the relevant CTR.
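The two controls described above, same-business-day cash aggregation against the $10,000 CTR threshold and a structuring screen for sub-threshold cash activity, as an added, self-contained Python example (this is not code from the article or from any vendor). The threshold and the "same person, same business day" aggregation rule follow the text; the structuring heuristic (several cash transactions at or above 80% of the threshold within a three-day window whose total exceeds it) is an illustrative assumption, as is collapsing "by or for the same person" into a single `customer_id`. The transactions are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 10_000  # FinCEN Form 112 cash reporting threshold, in dollars


@dataclass(frozen=True)
class CashTransaction:
    txn_id: str
    customer_id: str   # assumption: one id stands for "by or for the same person"
    business_day: date
    amount: int        # whole dollars of cash in or out


def daily_cash_totals(txns):
    """Aggregate cash by (customer, business day), as the CTR rule requires."""
    totals = defaultdict(int)
    for t in txns:
        totals[(t.customer_id, t.business_day)] += t.amount
    return dict(totals)


def ctr_required(txns):
    """(customer, day) pairs whose aggregated cash exceeds $10,000 and need a CTR."""
    return {k: v for k, v in daily_cash_totals(txns).items() if v > CTR_THRESHOLD}


def possible_structuring(txns, window_days=3, min_count=2, near_fraction=0.8):
    """Illustrative heuristic (an assumption, not a FinCEN rule): flag a customer
    whose near-threshold, sub-threshold cash transactions within `window_days`
    number at least `min_count` and sum past the CTR threshold. Returns
    {customer_id: [txn_ids]} for analyst review and a possible SAR."""
    near = near_fraction * CTR_THRESHOLD
    by_customer = defaultdict(list)
    for t in txns:
        if near <= t.amount < CTR_THRESHOLD:
            by_customer[t.customer_id].append(t)

    flagged = {}
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.business_day)
        hits = set()
        for i, first in enumerate(items):
            window = [t for t in items[i:]
                      if (t.business_day - first.business_day).days < window_days]
            if len(window) >= min_count and sum(t.amount for t in window) > CTR_THRESHOLD:
                hits.update(t.txn_id for t in window)
        if hits:
            flagged[cust] = sorted(hits)
    return flagged


# Constructed sample data: C1 is a single large deposit, C2 two same-day deposits
# that aggregate past the threshold, C3 three near-threshold deposits on
# consecutive days (none reportable alone), C4 ordinary small activity.
SAMPLE_TRANSACTIONS = [
    CashTransaction("T1",  "C1", date(2024, 3, 4), 12_500),
    CashTransaction("T2a", "C2", date(2024, 3, 4), 6_000),
    CashTransaction("T2b", "C2", date(2024, 3, 4), 5_500),
    CashTransaction("T3a", "C3", date(2024, 3, 4), 9_500),
    CashTransaction("T3b", "C3", date(2024, 3, 5), 9_200),
    CashTransaction("T3c", "C3", date(2024, 3, 6), 9_800),
    CashTransaction("T4",  "C4", date(2024, 3, 4), 3_000),
]

if __name__ == "__main__":
    for (cust, day), total in sorted(ctr_required(SAMPLE_TRANSACTIONS).items()):
        print(f"CTR required: {cust} on {day} aggregated ${total:,}")
    for cust, ids in possible_structuring(SAMPLE_TRANSACTIONS).items():
        print(f"Possible structuring, review for SAR: {cust} -> {ids}")
```

The point of running both screens together is visible in the sample: C2 is caught only by same-day aggregation, while C3 never crosses the threshold on any single day and surfaces only through the multi-day structuring screen, which is the case the CTR rule alone cannot see.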

Suspicious Activity Reports (SARs)

Financial institutions must file a SAR with FinCEN when they know, suspect, or have reason to suspect that a transaction involves funds from illegal activity, is designed to evade BSA reporting requirements, lacks a lawful purpose with no reasonable explanation, or involves the use of the institution to facilitate criminal activity. The minimum SAR filing threshold is $5,000 for most MSBs (or $2,000 for specific institutions).

SARs must be filed within 30 calendar days of the date the suspicious activity is identified (or 60 days if no suspect can be identified at the time of detection). A critical safe harbour provision in 31 USC § 5318(g) protects institutions and their employees from civil liability for making a SAR disclosure in good faith. However, this protection does not extend to informing the customer that a SAR has been filed — "tipping off" is itself a federal violation.

FinCEN 314(a) and 314(b) Information Sharing

Two information-sharing provisions in the USA PATRIOT Act have significant implications for fintech compliance programmes:

Section 314(a) authorises FinCEN to send requests to financial institutions asking them to search their records for accounts or transactions linked to named subjects of law enforcement investigations. Institutions have 14 days to respond, and the existence of the request cannot be disclosed to the subject. Compliance with 314(a) requests is mandatory.

Section 314(b) is a voluntary programme that allows financial institutions to share information with each other about individuals or entities that the sharing institution believes may be involved in money laundering or terrorist financing. Participation requires registration with FinCEN, and safe harbour protections apply to good-faith information sharing. For fintech companies that see cross-institution activity patterns, 314(b) provides a legitimate mechanism for information sharing that would otherwise be prohibited.

Penalties for BSA Non-Compliance

BSA penalties are among the most severe in financial services regulation. Civil penalties of up to $25,000 per day per violation are possible for willful failures. For "patterns of negligent violations," civil penalties can reach $1 million or more for a single enforcement action. Criminal penalties for willful BSA violations include fines and imprisonment.

Beyond monetary penalties, BSA enforcement actions can result in deferred prosecution agreements (DPAs), consent orders, mandatory independent monitoring, and in extreme cases, the revocation of MSB registration or banking licence. The enforcement record — including major actions against Western Union, MoneyGram, and more recently multiple fintech firms — demonstrates that FinCEN and its federal partners take BSA non-compliance extremely seriously.