Bank Secrecy Act (BSA)

What Is the Bank Secrecy Act?

The Bank Secrecy Act (BSA), formally known as the Currency and Foreign Transactions Reporting Act, is the primary U.S. law designed to combat money laundering and financial crime. Signed into law by President Nixon on October 26, 1970, the BSA requires financial institutions to maintain records of certain transactions and report activities that may indicate money laundering, tax evasion, or other criminal conduct to the federal government.

Congress passed the BSA in response to growing concerns about criminals depositing large quantities of untraceable cash into banks. The law established a framework of reporting obligations that has since become the backbone of the U.S. anti-money laundering regime. Over more than five decades, the BSA has been amended repeatedly to address new threats, including terrorist financing after 9/11 and the rise of cryptocurrency.

The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury established in 1990, serves as the primary administrator and regulator of BSA compliance. FinCEN issues regulations, provides guidance to regulated industries, and pursues civil enforcement actions against violators.

How It Works

The BSA imposes four core obligations on financial institutions: filing Currency Transaction Reports, filing Suspicious Activity Reports, implementing Customer Identification Programs, and maintaining detailed records.

Currency Transaction Reports (CTRs)

Financial institutions must file a CTR for any cash transaction exceeding $10,000 in a single business day. If a customer conducts multiple cash transactions that aggregate above $10,000 in one day, those also trigger a CTR. The $10,000 threshold was established by regulation in 1972 and has never been adjusted for inflation.

CTRs are filed with FinCEN and must be retained for at least five years. They capture identifying information about the parties involved, including names, addresses, Social Security numbers, and the nature of the transaction.

Suspicious Activity Reports (SARs)

SARs are filed when a financial institution knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity, is designed to evade BSA reporting requirements, or lacks a lawful purpose. Filing thresholds vary:

• Any amount for transactions involving insider abuse at the financial institution
• $5,000 or more when a suspect can be identified
• $25,000 or more regardless of whether a suspect is identified

SARs are confidential: institutions are prohibited from disclosing to the subject that a SAR has been filed. This confidentiality enables law enforcement to investigate without tipping off suspects.

Customer Identification Programs (CIP)

Under Section 326 of the USA PATRIOT Act, financial institutions must implement a written Customer Identification Program to verify the identity of anyone opening an account. At minimum, the institution must collect four pieces of information: name, date of birth, address, and an identification number such as a Social Security number. CIP forms the foundation of broader KYC (Know Your Customer) procedures.

Recordkeeping Requirements

The BSA mandates that most transaction records be maintained for at least five years. Records can be stored in original, microfilm, electronic, or reproduced form, but must be accessible within a reasonable period. Financial institutions must also retain records related to fund transfers of $3,000 or more under the Travel Rule, which requires passing originator and beneficiary information to the next institution in a transfer chain.

BSA and Cryptocurrency

The BSA applies to cryptocurrency businesses through FinCEN's classification of virtual currency exchangers and administrators as money services businesses. Two key pieces of guidance define this framework.

The 2013 Virtual Currency Guidance

In March 2013, FinCEN issued its first guidance (FIN-2013-G001) applying BSA rules to virtual currencies. The guidance drew a critical distinction: a user of virtual currency is not an MSB, but an administrator or exchanger of virtual currency is a money transmitter and must register with FinCEN, implement an AML program, and file CTRs and SARs.

The 2019 Expanded Guidance

FinCEN's 2019 guidance (FIN-2019-G001) extended BSA obligations to additional crypto business models and clarified that requirements apply equally to domestic and foreign-located virtual currency money transmitters that conduct business within the United States, even without a physical U.S. presence. The guidance confirmed that the Travel Rule applies to virtual currency transfers of $3,000 or more.

The GENIUS Act (2025)

The GENIUS Act, signed into law on July 18, 2025, marked the first major federal crypto legislation in the United States. The law explicitly classifies permitted payment stablecoin issuers as "financial institutions" under the BSA, requiring them to:

• Establish comprehensive AML and counter-terrorist financing (CFT) programs
• File SARs for suspicious activity at the $5,000 threshold
• File CTRs for cash transactions exceeding $10,000
• Comply with BSA recordkeeping rules for fund transfers of $3,000 or more
• Appoint a U.S.-based AML/CFT compliance officer
• Maintain capability to block, freeze, and reject transactions violating the law

Full enforcement of GENIUS Act BSA provisions is expected by January 2027, with FinCEN rulemaking underway as of mid-2026.

Key Amendments and Expansions

The BSA has been significantly amended several times since 1970, each expansion responding to evolving financial crime threats:

Structuring and the $10,000 Threshold

One of the most consequential BSA provisions is the prohibition on structuring: deliberately breaking a large cash transaction into smaller amounts to avoid triggering a CTR. Under 31 U.S.C. Section 5324, structuring is a federal felony regardless of whether the underlying funds are legally obtained. The crime is the act of evasion itself.

Penalties for structuring are severe: up to five years in federal prison and fines up to $250,000. If connected to another crime such as drug trafficking, penalties increase to up to ten years imprisonment. Structured funds are also subject to civil forfeiture.

Why It Matters for Crypto and Fintech

The BSA is the regulatory framework that determines which crypto businesses must implement compliance programs and how. Any company that exchanges, transmits, or custodies virtual currency in the United States is almost certainly classified as an MSB and subject to full BSA requirements. This includes centralized exchanges, payment processors handling crypto, and stablecoin issuers under the GENIUS Act.

For companies building on Bitcoin infrastructure, understanding BSA obligations is critical. Self-custodial wallets and non-custodial software providers are generally not classified as MSBs, but businesses that facilitate exchange or transmission are. The regulatory boundary between user tools and regulated services shapes the design of products across the ecosystem, from self-custodial wallets to stablecoin payment rails.

Enforcement and Penalties

BSA violations carry substantial penalties. Civil fines can reach $25,000 per day for ongoing AML program violations, while per-violation fines range from $5,000 to $1 million or 1% of a financial institution's assets daily, whichever is greater. Criminal penalties include up to five years imprisonment and $250,000 in fines, escalating to ten years and $500,000 for aggravated violations involving more than $100,000 in a twelve-month period.

Recent enforcement actions demonstrate the stakes for crypto businesses. In November 2023, FinCEN imposed a record $3.4 billion penalty against Binance for willfully operating as an unregistered MSB with deficient AML controls. In late 2025, OKX faced over $500 million in fines for AML failures. These cases underscore that BSA compliance is not optional for businesses operating in or serving U.S. customers.

Risks and Considerations

Compliance Costs

Implementing a BSA-compliant AML program requires significant investment in transaction monitoring systems, trained compliance staff, independent auditing, and ongoing employee training. For smaller crypto businesses, these costs can be a meaningful barrier to entry.

Privacy Tensions

BSA reporting obligations create inherent tension with financial privacy. CTRs and SARs provide government agencies with detailed transaction data on individuals who may not be suspected of any crime. Privacy advocates argue that the $10,000 CTR threshold, unchanged since 1972, now captures routine transactions that would not have triggered reporting at the original inflation-adjusted level.

Regulatory Uncertainty in DeFi

The application of BSA requirements to decentralized protocols remains unsettled. While FinCEN withdrew its proposed rulemaking on unhosted wallet verification in April 2024, the broader question of how BSA obligations apply to decentralized exchanges, automated market makers, and other non-custodial protocols continues to evolve. Builders in the DeFi space must monitor regulatory developments closely.

Global Coordination

The BSA operates alongside international standards set by the Financial Action Task Force (FATF), but requirements can diverge across jurisdictions. Crypto businesses operating globally must navigate BSA compliance alongside regulatory frameworks in other countries, including the EU's MiCA regulation and jurisdiction-specific licensing requirements for money transmitters.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.