Table of Contents
The Bank Secrecy Act is the legislative foundation of the entire US financial crime compliance framework — converting financial institutions into a reporting network that law enforcement depends upon to detect money laundering, tax evasion, and terrorist financing. This entry covers CTR and SAR obligations, the structuring prohibition, AML programme requirements under FINRA Rule 3310, and the proposed threshold reforms advancing through Congress in 2026.
The Bank Secrecy Act, enacted by the United States Congress in 1970 and formally titled the Currency and Foreign Transactions Reporting Act, is the foundational federal legislation establishing the framework through which financial institutions are required to assist US government agencies in detecting and preventing money laundering, tax evasion, terrorist financing, and other financial crimes. It was the first comprehensive federal law to impose anti-money laundering obligations on financial institutions and remains the cornerstone of the US financial crime compliance framework more than five decades after its enactment.
The BSA rests on a simple but powerful premise: financial institutions occupy a unique position in the economy because virtually all significant financial activity passes through them at some point. Banks, broker-dealers, insurance companies, money service businesses, and other financial intermediaries collectively have visibility into the movement of money that no single law enforcement agency can replicate. By requiring these institutions to collect, retain, and report specific categories of financial information, the BSA converts the financial system into a vast surveillance and reporting network that generates the data law enforcement needs to detect, investigate, and prosecute financial crime.
Administration of the BSA rests with the Financial Crimes Enforcement Network, known as FinCEN, a bureau of the United States Department of the Treasury. FinCEN issues regulations implementing the BSA, collects the reports that financial institutions are required to file, maintains the databases in which that information is stored, and makes it available to law enforcement agencies including the FBI, DEA, IRS Criminal Investigation Division, and Homeland Security Investigations. FinCEN also coordinates with international counterpart agencies to support cross-border financial crime investigations.
When the Bank Secrecy Act was passed in 1970, its primary focus was on the use of foreign bank accounts to evade US taxes and the use of large cash transactions to obscure the origins of criminally derived funds. The original act required banks to maintain records of certain transactions and to report large currency movements to the Treasury Department.
Over the following decades, the BSA was substantially amended and expanded through a series of legislative acts responding to evolving threats and enforcement priorities. The Money Laundering Control Act of 1986 made money laundering itself a federal crime for the first time, complementing the BSA's reporting and record-keeping requirements with criminal penalties for the underlying conduct. The Anti-Drug Abuse Act of 1988 expanded BSA requirements to cover additional financial intermediaries including money service businesses and casinos.
The most transformative expansion of the BSA came through the USA PATRIOT Act of 2001, enacted in the immediate aftermath of the September 11 terrorist attacks. The PATRIOT Act dramatically broadened the scope and stringency of BSA obligations, adding requirements for formal written AML compliance programmes, customer identification procedures, enhanced due diligence for high-risk accounts, and information sharing mechanisms between financial institutions and between institutions and government agencies. It also extended BSA obligations to a wider range of financial institutions and introduced the concept of correspondent account due diligence for foreign banks.
The Anti-Money Laundering Act of 2020, enacted as part of the National Defense Authorization Act, represented the most significant update to the BSA since the PATRIOT Act. It expanded the scope of covered institutions, introduced new priorities and reporting requirements, modernised the beneficial ownership framework, and established innovation provisions designed to allow financial institutions to use new technologies in their AML programmes.
One of the most operationally significant BSA requirements is the obligation to file Currency Transaction Reports, universally abbreviated as CTRs, with FinCEN for each transaction involving more than ten thousand dollars in physical currency within a single business day, whether the transaction involves a deposit, withdrawal, exchange, or other transfer of currency.
The ten thousand dollar threshold has remained unchanged since it was established in the original BSA regulations, despite decades of inflation that have significantly reduced the real value of that amount. The threshold applies to the aggregate of multiple currency transactions by or on behalf of the same person on the same business day, not just to individual transactions. A customer who makes three separate cash deposits of four thousand dollars each on the same day has conducted a single twelve thousand dollar currency transaction for CTR purposes, and the bank must file a CTR for the full amount.
CTRs contain detailed information about the transaction including the identity of the person conducting the transaction, the identity of the person on whose behalf the transaction is conducted if different, the account number or numbers involved, the financial institution and branch where the transaction occurred, and the date and amount of the transaction. This information is submitted electronically to FinCEN and stored in its database for use by law enforcement.
Structuring, which is the deliberate breaking up of currency transactions into amounts below the ten thousand dollar reporting threshold with the intent to evade CTR filing requirements, is itself a federal crime under the BSA regardless of whether the underlying funds are derived from criminal activity. A person who makes repeated cash deposits of nine thousand five hundred dollars specifically to avoid triggering the CTR threshold is committing a federal crime even if the cash comes from entirely legitimate sources. Financial institutions are required to identify and report structuring activity through Suspicious Activity Reports.
The Suspicious Activity Report, universally abbreviated as SAR, is the most analytically significant report generated under the BSA framework. While CTRs are mechanical reports of large cash transactions filed without regard to whether the transaction is suspicious, SARs reflect a financial institution's judgement that specific activity warrants law enforcement attention.
A financial institution must file a SAR when it knows, suspects, or has reason to suspect that a transaction or pattern of activity involves funds derived from illegal activity, is designed to evade BSA requirements, lacks a lawful purpose or is inconsistent with the customer's known business or financial profile, or involves use of the financial institution to facilitate criminal activity. The filing threshold for SARs is generally five thousand dollars for banks and broker-dealers, though certain categories of suspicious activity must be reported regardless of the dollar amount involved.
SARs must be filed within thirty calendar days of the date the suspicious activity is first detected, with a sixty-day extension available where the identity of the subject is unknown. The SAR is filed electronically with FinCEN and contains a detailed narrative describing the suspicious activity, the basis for the filer's suspicion, and all available identifying information about the persons and accounts involved. The quality of the SAR narrative is critically important: law enforcement agents who use SARs to initiate or support investigations depend on clear, factual, and complete narratives that convey the full picture of the suspicious activity observed.
The tipping-off prohibition is one of the most important legal constraints associated with SAR filings. Financial institutions and their employees are strictly prohibited from disclosing to the subject of a SAR, or to any other unauthorised person, that a SAR has been filed or is being contemplated. Violating this prohibition is a federal crime. A registered representative who discovers that a SAR has been filed on a client account cannot inform that client under any circumstances, even if the client directly asks whether they have been reported to the government.
SAR filers are provided with safe harbour protection from civil liability for good faith SAR filings, meaning that a financial institution cannot be sued by the subject of a SAR for filing it, provided the filing was made in good faith based on a reasonable assessment of the available information.
Beyond the CTR and SAR reporting requirements, the BSA imposes extensive record-keeping obligations on covered financial institutions. These requirements are designed to ensure that financial records are available to support law enforcement investigations even when no report was filed at the time of the underlying transaction.
Financial institutions must retain records of all currency transactions above specified thresholds, records of wire transfers above three thousand dollars including the identity of the originator and beneficiary, records of the purchase of monetary instruments including cashiers cheques and money orders for amounts between three thousand and ten thousand dollars, and records of customer identification documents collected under the Customer Identification Programme. Most BSA records must be retained for a minimum of five years from the date of the transaction or the closure of the account.
The travel rule is a specific BSA record-keeping and transmission requirement applicable to wire transfers. For wire transfers of three thousand dollars or more, the transmitting financial institution must include specific information about the originator in the payment order transmitted to the receiving institution, and the receiving institution must retain that information. The travel rule is designed to ensure that identifying information travels with the funds through the wire transfer system, allowing law enforcement to trace the movement of money from origin to destination.
The USA PATRIOT Act added an explicit requirement that all financial institutions subject to the BSA establish and maintain a written anti-money laundering compliance programme. For broker-dealers, this requirement is codified in FINRA Rule 3310, which specifies the minimum elements that an AML programme must contain.
A compliant BSA and AML programme must include policies, procedures, and internal controls reasonably designed to ensure compliance with all applicable BSA requirements. It must designate a BSA compliance officer with sufficient authority, resources, and expertise to administer the programme effectively. It must provide for ongoing employee training covering all relevant BSA requirements and the firm's specific policies and procedures. It must include independent testing of the programme at least annually by qualified persons who are not responsible for day-to-day compliance functions. And it must incorporate the Customer Identification Programme requirements, including procedures for verifying customer identity at account opening.
For larger and more complex financial institutions, BSA compliance programmes are elaborate and resource-intensive operations employing dedicated compliance staff, sophisticated transaction monitoring technology, and multiple layers of supervisory review. Transaction monitoring systems analyse patterns of customer activity against defined rules and models designed to identify behaviour consistent with known money laundering typologies, generating alerts for human review and ultimately supporting SAR filing decisions.
The Customer Identification Programme, commonly called the CIP, is a required component of every BSA compliance programme and establishes the minimum standards for verifying customer identity at account opening. For individual customers, CIP requires collection and verification of the customer's full legal name, date of birth, residential address, and taxpayer identification number. For institutional customers, CIP requires identification and verification of the entity's legal name, principal place of business, and employer identification number.
The FinCEN Customer Due Diligence Rule, which took effect in 2018, added a fifth pillar to the BSA compliance programme framework by requiring covered financial institutions to identify and verify the beneficial owners of legal entity customers. Under this rule, institutions must identify each natural person who owns twenty-five percent or more of a legal entity customer and one individual who controls the entity, verify their identities using the same methods applied to individual account holders, and maintain records of that information.
The Corporate Transparency Act, enacted as part of the Anti-Money Laundering Act of 2020, complemented the CDD rule by requiring most US corporations and limited liability companies to report their beneficial owners directly to FinCEN, creating a centralised beneficial ownership database that financial institutions and law enforcement can access to verify the information provided by customers.
The BSA framework operates within a broader international anti-money laundering architecture centred on the Financial Action Task Force, the intergovernmental standard-setting body whose Forty Recommendations establish the global baseline for AML and counter-terrorist financing requirements. The United States is a founding member of FATF and has generally maintained BSA requirements that meet or exceed FATF standards.
For US financial institutions with international operations or correspondent banking relationships with foreign banks, the BSA imposes additional requirements including enhanced due diligence for correspondent accounts maintained for foreign banks from jurisdictions identified as high risk, and prohibitions on maintaining correspondent accounts for foreign shell banks that have no physical presence in any jurisdiction.
International wire transfers and cross-border transactions are subject to heightened scrutiny under both US BSA requirements and the requirements of the recipient country's AML framework, and financial institutions must navigate these overlapping obligations carefully in designing their compliance programmes for international activity.
The penalties for BSA violations are severe and have increased substantially over time as regulators have prioritised financial crime compliance enforcement.
Civil penalties for wilful violations of BSA requirements can reach the greater of one hundred thousand dollars per violation or twice the amount of the transaction involved, up to one million dollars per violation in certain cases. Criminal penalties for wilful violations include fines of up to two hundred and fifty thousand dollars and imprisonment of up to five years per violation. Where violations occur in connection with other criminal activity, penalties can be substantially higher.
In addition to these statutory penalties, regulators including FinCEN, the Federal Reserve, the OCC, the FDIC, and FINRA have imposed some of the largest enforcement actions in financial regulatory history for BSA compliance failures. Multi-billion dollar settlements with major global banks for BSA and AML violations have become regular features of the enforcement landscape, reflecting both the seriousness with which regulators view these obligations and the scale of the consequences that can result from systematic compliance failures.
The ten thousand dollar CTR threshold and the five thousand dollar SAR threshold have remained at their original levels for decades despite substantial inflation that has eroded their real value significantly. In purchasing power terms, ten thousand dollars in 1972 is equivalent to approximately eighty thousand dollars in 2026, meaning the current threshold captures vast volumes of entirely routine transactions that were never intended to trigger federal reporting obligations when Congress first passed the BSA.
In March 2025, Representative Barry Loudermilk of Georgia introduced the Financial Reporting Threshold Modernization Act, designated H.R. 1799, in the 119th Congress. The bill proposes to raise the CTR threshold from ten thousand dollars to thirty thousand dollars, raise the SAR threshold from five thousand dollars to ten thousand dollars for most transaction types, and introduce automatic inflation adjustments to both thresholds every five years so that their real value is maintained going forward. In January 2026, the bill passed out of the House Financial Services Committee by a vote of thirty to twenty-four, advancing it to the full House floor before proceeding to the Senate.
As of May 2026, H.R. 1799 has not been enacted into law. The ten thousand dollar CTR threshold and the five thousand dollar SAR threshold remain the legally operative standards under current BSA regulations. Financial professionals and examination candidates should be aware of both the current legal thresholds in force today and the proposed legislative changes working through Congress.
Students preparing for the SIE, Series 7, or Series 65 examinations should note that examination questions reflect thresholds in force under current law at the time of their examination. FRC will update this article promptly upon enactment of any change to these thresholds.
For a full breakdown of H.R. 1799, its legislative status, its key provisions, and what enactment would mean for financial institutions and examination candidates, see our dedicated article on the Financial Reporting Threshold Modernization Act.
The Bank Secrecy Act is one of the most heavily tested regulatory topics across the SIE, Series 7, Series 63, and Series 65 examinations. Candidates must understand the purpose and history of the BSA, the CTR filing requirement and the ten thousand dollar threshold, the SAR filing requirement and the tipping-off prohibition, the structuring prohibition, the elements of a FINRA-compliant AML programme under Rule 3310, and the CIP and CDD requirements for customer identification and beneficial ownership.
The core points to retain are these: the BSA is the foundational US financial crime law requiring financial institutions to maintain records and file reports assisting law enforcement; CTRs must be filed for cash transactions exceeding ten thousand dollars in a single business day; SARs must be filed when suspicious activity is detected and the subject must never be informed of the filing; structuring transactions to avoid the CTR threshold is itself a federal crime regardless of whether the underlying funds are legitimate; BSA compliance programmes must include written policies, a designated compliance officer, employee training, independent testing, and a Customer Identification Programme; the proposed Financial Reporting Threshold Modernization Act H.R. 1799 would raise the CTR threshold to thirty thousand dollars and the SAR threshold to ten thousand dollars but has not yet been signed into law as of May 2026; and penalties for wilful BSA violations include substantial civil and criminal sanctions.
