5 Bank Secrecy Act Requirements Explained
What Is the Bank Secrecy Act (BSA)?
The Bank Secrecy Act (BSA) is a US anti-money laundering (AML) compliance regulation in the United States that applies to financial institutions. It aims to deter covert money laundering banking operations abroad by forcing financial institutions to maintain audit trails. In addition, the law regulates financial institutions' records management and reporting requirements.
Related content: Read our guide to AML in banking
In this article:
- Anti-Money Laundering (AML) Requirements
- Record-keeping Requirements
- Reporting Requirements
- Customer Identification Requirements
- Beneficial Ownership Identification Requirements
Bank Secrecy Act Requirements
The following are the main requirements stipulated in the BSA:
Anti-Money Laundering (AML) Requirements
Financial institutions must implement an AML program that addresses the organization's specific needs and risk profile to comply with the BSA. An effective AML program should include the following core elements:
- Implementation of internal policies and controls—the AML program must consist of a written set of policies and procedures for identifying suspicious activities that may indicate financial crimes such as money laundering. Organizations must monitor and block high-risk activities.
- Appointment of a compliance officer—institutions must appoint an employee to oversee the planning and implementation of their AML program. The compliance officer helps enforce internal controls and arranges third-party audits to help demonstrate compliance and improve the program where necessary.
- Providing BSA training—all employees must undergo basic BSA and AML compliance training. Some employees may require more advanced training or certification to fulfill their responsibilities.
- Scheduling third-party audits—organizations must regularly schedule a qualified third party to conduct independent audits to verify the effectiveness of the AML compliance program.
The BSA requires financial institutions to maintain various records for a minimum of five years. The types of documents required include:
- Customer accounts
- BSA filing requirements
- Documentation of BSA compliance
- Transaction records
- Customer identity documents (must be retained for at least five years after closing the account)
Institutions must keep records for a reasonable time and ensure their accessibility. Authorities may request or order a financial institution to retain certain records for longer.
There are two types of reports that financial institutions must submit:
- Currency Transaction Report (CTR)—reports currency transactions exceeding $10,000 (including multiple transactions conducted by an individual within the same day, amounting to over $10,000). Organizations must file CTRs to FinCEN, via the BSA e-filing system, within 15 days of relevant transactions. They must also retain a physical or electronic report copy for a minimum of five years. This requirement involves obtaining personally identifiable information about the individuals conducting large transactions, such as driver's licenses or Social Security numbers. Institutions must file a CTR even when they don't have an account or established relationship with the individual.
- Suspicious Activity Report (SAR)—SAR documents suspicious activity that an individual conducts (or attempts to conduct) through the financial institution. Definitions of suspicious activity may vary but generally include transactions that don't have a clear business purpose or may indicate criminal activities such as money laundering or terrorist financing. Organizations must file SARs through the FinCEN BSA e-filing system. Suspicious transactions covered by the SAR requirement include:
- Insider abuse, regardless of the amount.
- Transactions related to a federal crime of over $25,000 if there is no identified suspect or $5,000 if there is an identified suspect.
- Transactions that may help individuals evade BSA regulations of over $5,000.
- Transactions that are likely to involve illegally-obtained funds may conceal such funds, amounting to over $5,000.
- Transactions that do not appear to have a lawful purpose, occur in unusual circumstances, or are atypical for the customer making them, amounting to over $5,000. The institution may investigate further to identify an explanation.
Customer Identification Requirements
The BSA requires businesses to implement a customer identification program (CIP) to verify the personal information presented by customers. Verification may involve comparing the data against legal documents. In addition, customer identification is a prerequisite for establishing business relationships, stipulated by AML regulations.
All financial institutions must have a written, detailed CIP that provides a comprehensive outline of their BSA and AML procedures. Everyone involved in conducting the CIP must understand why it is necessary. Institutions should clarify the conditions they require their prospective customers to fulfill before conducting business with them. They should be aware of the risk indicators to look out for to avoid establishing business relationships with criminals.
Beneficial Ownership Identification Requirements
Beneficial ownership is when an individual ultimately controls the funds in an account, regardless of whether that individual officially owns the account or uses other means to control it. Both ownership and control are considered types of beneficial ownership, although power goes beyond legal title and authority to include the responsibility for managing an entity.
With some exceptions, legal entities must have a single identified individual who has ultimate control. The CIP requirement mentioned above applies to this individual. In addition, all entities covered by the BSA must identify any persons with an ownership share of 25% or more. These additional individuals (up to four in total) must also provide CIP information before opening an account.
Thus, an entity may have five individuals representing beneficial ownership (four owners and one controller). In some cases (if no one owns 25% or more of the entity), the CIP requirement only applies to the controlling individual. Financial institutions are not legally required to track ownership percentages, but maintaining a clear sense of who owns how much of an entity is considered a best practice. The extra information is also helpful for rating customer risk and conducting due diligence procedures.
Criminals often attempt to conceal the beneficial ownership of their entities. The BSA regulations make it more difficult for criminals to maintain their anonymity when moving or accessing funds. In addition, collecting information about the beneficial ownership of a legal entity can help in law enforcement investigations and ensure tax compliance.
KYC Identity Verification with BlueCheck
BlueCheck helps financial institutions conduct KYC checks, including identity and age verification, to meet anti-money laundering regulations. Key features include:
- Multiple datasets to confirm information—a combination of proprietary and commercially available databases are queried to verify the information. BlueCheck can increase the likelihood of a successful verification using this combination of resources, streamlining the onboarding process.
- Smart Database Navigation—Using smart database navigation, BlueCheck can automatically verify most customers. Queries move through the most accurate databases commercially available to ensure a match.
- Quick Implementation—Using our DirectAPI or CustomJS framework, BlueCheck Identity Verification can deploy quickly, saving your business time and money.
- Set How Users Are Verified—BlueCheck offers a host of verification methods giving users a choice and alternatives when identifying themselves. For example, allow for name & address, last 4 of SSN, or Photo ID verification.
- Encryption & Security Standards—BlueCheck utilizes multi-layer data encryption to ensure data is securely transmitted and stored, protect against malicious actors, and safeguard the verification process.
- Developer & API Documentation—thoroughly documented REST API available in addition to the verification plugin.