What Is the Bank Secrecy Act? Key Rules, Scope, and Purpose
Mar 24, 2026
The Bank Secrecy Act, or BSA, is one of those laws that works quietly in the background but has a real impact on how financial products are built in the US. It influences which features make it to launch, how quickly partnerships move forward, and the kinds of questions banks and regulators ask along the way.
For fintech companies, the BSA tends to surface at key moments. A payment flow changes. A crypto feature is added. A bank partner asks for more details. Suddenly, monitoring, reporting, and risk become part of the conversation. Understanding the BSA at this stage can be the difference between forward momentum and friction.
This article breaks down the Bank Secrecy Act and why it matters for modern financial services. It also focuses on how the BSA shows up in real product decisions and day-to-day operations as companies grow.
At InnReg, we help fintechs, banks, and regulated financial institutions navigate Bank Secrecy Act requirements. From registration and licensing to building and managing BSA and AML compliance programs, our team supports companies as they grow and evolve.
The Bank Secrecy Act (BSA) Explained
The Bank Secrecy Act is a federal law meant to help spot and prevent financial crime. It does this by setting rules around recordkeeping, reporting, and internal controls related to how money moves through the system.
This law was passed in 1970 and has evolved to cover new risks and new types of financial activity.
At a high level, the BSA expects institutions to monitor defined categories of transactions, maintain detailed customer and transaction records, and identify and report activity that may indicate money laundering or other financial crimes.
Today, the Bank Secrecy Act serves as the backbone of the US anti-money laundering framework. It applies across traditional banking and modern fintech models, even when the product looks more like software than finance.
Why the Bank Secrecy Act Exists
The Bank Secrecy Act was created to give regulators visibility into how money moves through the financial system. Before the BSA, financial institutions were not consistently required to keep records or report suspicious activity. That gap made it easier for bad actors to move funds without much oversight.
This law addresses this problem directly. When large or unusual transactions happen without documentation, it becomes harder to detect money laundering, fraud, or other financial crimes.
For example, someone might break up cash deposits into smaller amounts to avoid attention, or move funds through multiple accounts with no clear business reason. Without reporting and recordkeeping rules, those patterns are easy to miss.
What Are the Four Basic Components of the Bank Secrecy Act?
The Bank Secrecy Act is built around four core components that work together to create visibility into financial activity.
Transaction reporting: Financial institutions must report specific activities to regulators. A common example is cash transactions over a specific dollar threshold. These reports don’t mean something is wrong. They simply create a record that regulators can review if questions come up later.
Suspicious activity reporting: This applies when transactions don’t make sense based on what’s known about a customer. For example, if a small business account suddenly starts moving large volumes of funds with no clear explanation, that activity may need to be reviewed and reported. The focus is on patterns and behavior, not one-off transactions.
Recordkeeping: Institutions must keep specific records related to transactions, customer information, and account activity. These records help reconstruct what happened if regulators or law enforcement need to follow the flow of funds.
Internal controls and oversight: This includes policies and procedures, as well as assigned responsibility for BSA compliance. It’s how institutions show they’re taking the law seriously and applying it consistently as their products and customer base grow.
Together, these four components shape how financial institutions manage risk in day-to-day operations.
What the Bank Secrecy Act Means for Fintech Companies
For fintech companies, the Bank Secrecy Act often comes into play earlier than expected. Even teams focused on product or growth can run into BSA questions once real money starts moving through a platform.
Here are the three aspects of a fintech company that the BSA directly impacts:
Product Design and Compliance Risk
Product design choices can directly shape how BSA obligations apply to a fintech company. Even small decisions about who holds customer funds or how transactions move through the product can change the compliance requirements tied to it.
For example, a fintech that only offers budgeting software may have limited BSA exposure. Add a feature that lets users store funds or transfer money, and the risk profile shifts.
The same pattern shows up in crypto. A platform that only provides price data faces very different expectations than one that supports wallet transfers or asset custody.
These shifts often happen earlier than teams expect, which is why timing matters. Thinking about BSA risk during product design can help teams avoid rework later.
When compliance comes up early in product discussions, it’s easier to adjust transaction flows, choose the right structure, and clearly explain the model to regulators and partners.
Licensing, Registration, and Regulatory Readiness
BSA requirements often shape which licenses a fintech needs and how long approvals take. Before a company can operate at scale, regulators want a clear picture of how it will monitor activity and manage risk.
For example, a payments startup that plans to move customer funds may need to register as a money services business and explain how it will handle transaction monitoring and reporting. A crypto platform may face additional questions around wallet controls and customer verification.
When these expectations aren’t addressed early, licensing timelines can easily stretch.
Ultimately, planning for BSA compliance during licensing can help teams move forward with fewer surprises. When documentation is clear and compliance planning is realistic, conversations with regulators tend to be smoother, and the approval process usually involves less back and forth.
Bank Partnerships and Go-To-Market Timelines
For many fintech companies, bank partnerships are where BSA expectations become very real. Banks carry their own regulatory obligations, so they look closely at how partners manage risk before moving forward. If a fintech can’t clearly explain its BSA approach, partnerships can slow down or stall.
This often shows up during due diligence.
A bank may ask how transactions are monitored, who reviews alerts, or how suspicious activity gets escalated. For example, a payments platform planning to launch quickly might find that its timeline shifts once a bank asks for more detail around controls and oversight. These questions aren’t meant to block innovation, but they do affect launch plans.
Factoring BSA considerations into partnership discussions helps set realistic timelines. When fintechs can clearly explain their compliance approach, banks tend to move faster, and conversations stay focused on the business instead of open-ended risk questions.
Who Must Comply With the Bank Secrecy Act?
The Bank Secrecy Act doesn’t just apply to banks. It reaches a wide range of businesses that move money, hold value, or facilitate financial activity, including many fintech models that look more like tech companies than financial institutions.

1. Banks and Credit Unions
Banks and credit unions are fully subject to the Bank Secrecy Act and its related requirements. They’re expected to:
Monitor transactions
Maintain required records
Report specific activity across all of their core services.
Because they sit at the center of the financial system, regulators closely examine banks and credit unions. As a result, their BSA programs tend to be well established, with clear oversight, documentation, and accountability.
That scrutiny doesn’t stop with the bank’s own products. Regulators also assess the BSA risk of fintech partners, since weaknesses in a partner’s controls can create regulatory exposure for the bank itself.
2. Broker-Dealers and Investment Companies
Broker-dealers and investment companies are subject to the Bank Secrecy Act when they handle customer accounts or facilitate securities transactions. These obligations sit alongside securities laws and focus on monitoring activity that may involve money laundering or other financial crime.
For broker-dealers, this often includes reviewing trading behavior, funding sources, and account activity for red flags.
Because these firms already operate in a heavily regulated environment, BSA compliance usually ties closely to existing supervision and surveillance processes. The challenge is making sure AML controls align with trading and investment activity, rather than treating BSA as a separate or standalone obligation.
3. Money Services Businesses (MSBs)
Money Services Businesses (MSBs) sit squarely within the scope of the Bank Secrecy Act. This group includes companies involved in payments, money transmission, currency exchange, and similar services where funds move quickly and frequently.
Because of this transaction-heavy activity, MSBs must pay close attention to how customers use their products. For example, a money transmitter that sees repeated transfers just below reporting thresholds or unusual international flows must be able to detect, review, and document those patterns.
The goal isn’t to block transactions by default, but to establish a clear understanding of what normal customer activity looks like and to flag behavior that falls outside those expectations.
For many MSBs, BSA compliance becomes real very fast. Registration, monitoring tools, and clear internal processes often need to be in place early, especially when banks or regulators get involved.

4. Fintech Companies and Platform Models
Many fintech companies don’t look like traditional financial institutions, but their activities can still trigger Bank Secrecy Act obligations. The key question is whether the platform:
Moves money
Holds value
Enables financial transactions for customers
For example, a marketplace that simply connects buyers and sellers may have limited exposure. Add a wallet, escrow feature, or payment flow, and the risk profile changes. The same applies to platforms that start as software tools and later add financial features to improve user experience.
For platform models, BSA compliance often comes down to structure. It matters who holds the funds, how transactions move through the platform, and who owns the customer relationship.
Getting that structure right early makes it easier to explain the model to banks and regulators as the business grows.
Bank-Fintech Partnership Structures
Bank-fintech partnerships often come with shared responsibility under the Bank Secrecy Act. Even when a fintech doesn’t hold a license, the bank still needs to understand how risk shows up across the combined product.
In many partnerships, the bank remains responsible for core BSA obligations, while the fintech supports day-to-day execution. For example, the fintech may handle onboarding, user interfaces, or transaction flows, while the bank oversees monitoring and reporting.
How those roles are divided needs to be clear and documented.
Clear structure helps everyone involved. When banks and fintechs agree on who does what, partnerships move more smoothly and compliance conversations stay focused on real risks rather than assumptions or gaps.
What Activities Trigger BSA Obligations?
BSA requirements don’t depend on how a company describes itself. They’re triggered by what a business actually does, especially when money or value moves through a product.
Money Transmission and Payments
When a business moves funds from one person to another, regulators expect visibility into how those transactions work and who’s involved.
As payment products grow, that expectation makes well-defined transaction flows and monitoring processes increasingly important. Teams that understand where funds enter, move, and exit the system have a much easier time managing BSA expectations as volume increases.
Custody of Funds or Value
When a company holds customer funds or value, Bank Secrecy Act requirements usually apply.
That expectation goes beyond traditional cash. Stored value, prepaid balances, digital wallets, and similar products can all raise BSA considerations.
For fintechs, custody changes the compliance conversation. Strong controls around access, movement, and recordkeeping make it easier to explain the product model to banks and regulators and help reduce friction as the product grows.
Crypto and Digital Asset Activity
Crypto and digital asset products often trigger Bank Secrecy Act obligations because they involve the movement and storage of value. Even when a platform feels technical or decentralized, regulators focus on how users interact with the product and who controls key functions.
What matters most is the level of control the company has over transactions, funds, and customer relationships, not the underlying technology.
For teams working in this space, clear documentation around product scope and controls helps set expectations early. That clarity becomes especially important when engaging banks, regulators, or other partners who need to understand how risk is managed.
Lending, Brokerage, and Investment Activity
Lending, brokerage, and investment products can also trigger Bank Secrecy Act obligations, especially when money moves through customer accounts.
For example, a lending platform may need visibility into how loans are funded and repaid, while an investment platform may need to understand how customers fund accounts and move proceeds.
For fintech teams, the key is understanding how money flows through the product. When funding and payout processes are clearly defined, it’s much easier to align BSA expectations with existing credit, trading, or investment operations.
Core Requirements of the Bank Secrecy Act
The Bank Secrecy Act isn’t a single rule. It’s a set of core requirements that guide how financial institutions monitor activity, keep records, and share information with regulators.
| BSA Component | What It Covers | Why It Matters |
|---|---|---|
| Transaction Reporting | Required reports for specific transactions, including large cash activity | Creates visibility into significant money movement |
| Suspicious Activity Reporting | Review and reporting of activity that doesn’t match expected customer behavior | Helps identify potential money laundering or fraud |
| Recordkeeping | Retention of customer, transaction, and account records | Supports audits, exams, and compliance with the rules |
| Internal Controls and Oversight | Policies, procedures, and assigned compliance responsibility | Shows how the institution manages BSA risk day to day |
Currency Transaction Reports (CTRs)
Currency Transaction Reports (CTRs) focus on large cash transactions. When a customer conducts cash transactions over a set dollar threshold within a single day, the institution must file a report with regulators.
CTRs are about documentation, not suspicion. Filing one doesn’t mean the activity is problematic or under investigation. It simply creates a record of significant cash movement that regulators can reference if questions come up later.
For fintechs that handle or support cash activity, understanding CTR triggers is an important first step. From there, clear processes for tracking cash transactions help teams file accurately and avoid gaps as transaction volume grows.
Suspicious Activity Reports (SARs)
Suspicious Activity Reports (SARs) focus on activity that doesn’t align with what’s known about a customer or their behavior. These reports apply when transactions raise questions about potential money laundering, fraud, or other financial crime.
Unlike CTRs, SARs depend on judgment. A single transaction may not trigger a report, but a pattern over time might. For example, activity that suddenly changes in size, frequency, or purpose can warrant review, even if each transaction looks normal on its own.
For teams managing SAR obligations, consistency matters. Clear review processes and documented decision-making help support reporting choices and explain them if regulators ask later.
Recordkeeping and Retention Requirements
The Bank Secrecy Act also requires financial institutions to keep specific records related to customers, transactions, and account activity. These records help regulators and law enforcement understand what happened, in case questions come up later.
Recordkeeping isn’t just about storing data. Institutions need to keep information in a way that’s accurate, accessible, and tied to real activity.
For example, transaction records should clearly show:
Who was involved
When the activity occurred
How funds moved
For growing fintechs, retention requirements often surface during exams or partner reviews. When records are well organized and retention timelines are clear, those conversations are easier, and information is quickly produced when needed.
Customer Identification Program (CIP)
A Customer Identification Program (CIP) focuses on knowing who your customers are before you do business with them. To support that goal, the Bank Secrecy Act requires certain financial institutions to collect and verify basic information to confirm a customer’s identity.
This usually includes details like:
Name
Date of birth
Address
Identification number.
The goal is to establish a baseline understanding of who’s using the product. That baseline becomes important later if something doesn’t line up.
For fintech teams, CIP often comes into focus during onboarding design. When identity checks align with the product’s risk level, teams can support compliance without making the user experience heavier than it needs to be.
The Five Pillars of a BSA Compliance Program
A BSA compliance program is built around five core pillars that guide how a company manages risk day to day. Regulators review these pillars together to assess whether the program actually works in practice.

1. Internal Policies, Procedures, and Controls
Policies and procedures explain how a company handles BSA obligations day to day. They also document:
What the business does
Who is responsible for making decisions
How decisions are made when something needs review
Strong controls don’t need to be long or overly technical. They need to reflect how the product actually works. For example, transaction review steps should match real user flows, not generic templates.
For fintech teams, policies work best when they evolve with the business. Clear, practical documentation helps onboard new staff, supports partner reviews, and provides a reference point during regulatory exams.
2. Independent Testing and Audits
Independent testing checks whether a BSA program works the way it’s supposed to. Someone who isn’t involved in day-to-day compliance reviews the program and looks for gaps, inconsistencies, or areas that need improvement.
This doesn’t always mean a full-scale audit every time. For smaller or early-stage fintechs, testing might focus on specific areas like transaction monitoring or onboarding controls. As the business grows, reviews usually become more formal.
Regular testing adds value when teams act on the results. By documenting findings and following up on issues, companies show regulators that they take their BSA responsibilities seriously.
3. Designated BSA Compliance Officer
Every BSA program needs a clear owner. The designated BSA Compliance Officer is responsible for:
Overseeing the program
Answering questions
Serving as a point of contact for regulators and partners
This role doesn’t require one person to do everything. In many fintechs, the Compliance Officer coordinates work across products, operations, and engineering. What matters is that someone has the authority to make decisions and escalate issues when needed.
For growing companies, this role often evolves over time. As responsibilities expand, clear ownership helps keep the program consistent even as transaction volume and complexity increase.
4. Ongoing Employee Training
Employee training helps make BSA compliance part of daily work, not just a policy on paper. Through training, teams learn:
What to look for
When to ask questions
How to escalate issues if something doesn't feel right
Training works best when it matches real roles. For example, a customer support team may need to recognize unusual account behavior, while product or operations teams need to understand how design changes affect risk.
As companies grow, training needs to evolve. Regular updates and refreshers are what help keep teams aligned as products, customers, and regulations change.
5. Customer Due Diligence and Beneficial Ownership
Customer Due Diligence (CDD) builds on basic identity checks by helping teams understand who a customer is and how they plan to use the product. This includes collecting information about a customer’s business, expected activity, and risk profile over time.
For business customers, beneficial ownership information plays a big role. Rather than focusing only on the entity, companies need to identify the individuals who own or control it. This creates clarity around who ultimately benefits from the account and who may influence activity.
Together, these steps create a more complete picture of customer risk. That understanding makes it easier to spot changes in behavior and respond appropriately over time.
BSA Regulators and Oversight
Several regulators play a role in overseeing Bank Secrecy Act compliance. Oversight depends on a company’s business model, licenses, and activities, so BSA supervision can look different across financial services.
FinCEN and the US Department of the Treasury
FinCEN sits at the center of Bank Secrecy Act oversight in the US. As the primary rulemaking authority, it:
Writes BSA regulations
Collects reports like CTRs and SARs
Shares information with law enforcement when needed
Most financial institutions interact with FinCEN indirectly. Reporting happens through FinCEN systems, while guidance comes through rules, advisories, and enforcement actions. As a result, FinCEN’s expectations influence day-to-day compliance even without direct contact.
For fintech teams, understanding FinCEN’s role helps clarify why certain requirements exist. That understanding also makes it easier to see why many questions from banks, regulators, and partners trace back to FinCEN guidance and how it interprets risk across the financial system.
Federal Banking Regulators
Federal banking regulators oversee how banks manage Bank Secrecy Act obligations.
Agencies like the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve review BSA programs during routine exams and expect banks to identify issues and address them in a timely way.
These regulators also pay close attention to the risks that come from outside the bank.
When banks work with fintech partners, they are expected to understand how those relationships affect their BSA programs. That expectation is why banks often ask detailed questions about a fintech’s controls, processes, and oversight.
For fintech companies, this context is important. Understanding that dynamic can make partnership discussions more productive and help set realistic expectations early on.
SEC and FINRA Oversight
The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) oversee Bank Secrecy Act compliance for broker-dealers and certain investment firms.
Their focus is on how:
Firms monitor customer activity
Supervise accounts
Respond when something doesn’t look right
During exams, regulators look closely at how BSA controls fit into day-to-day operations. That includes how firms review trading activity, track the movement of funds, and document follow-ups when activity raises questions.
If those processes live in separate silos, gaps tend to show up quickly.
For broker-dealers and investment firms, BSA compliance works best when it’s tied directly to supervision and surveillance. When teams treat it as part of normal oversight rather than a separate exercise, exams tend to run more smoothly, and issues are easier to explain.
IRS Oversight of Money Services Businesses
The IRS oversees Bank Secrecy Act compliance for many money services businesses, including money transmitters, currency exchanges, and check cashers.
Its reviews tend to focus on the basics. That includes proper registration, required reporting, recordkeeping practices, and whether the business understands how customers use its services.
If those fundamentals aren’t clear, reviews can become more time-consuming than expected.
For MSBs and fintechs that operate in this space, clear processes and up-to-date documentation make a real difference. When teams know how their BSA program works and can explain it simply, interactions with the IRS tend to stay focused and predictable.
Common Bank Secrecy Act Compliance Challenges
As companies grow, BSA compliance tends to get more complex. What worked at an early stage often needs adjustment once transaction volume, product scope, or regulatory scrutiny increases. Below are some of the most common challenges teams run into.
Scaling BSA programs as companies grow: Early programs are often built for low volume and simple products. As customer numbers and transaction activity increase, manual processes break down, and oversight becomes harder to maintain without a clearer structure.
Transaction monitoring and alert fatigue: Monitoring systems can generate large numbers of alerts, many of which turn out to be low risk. Without tuning and prioritization, teams can spend time reviewing noise instead of focusing on meaningful risk.
Data quality and system integration: BSA programs rely on accurate data from multiple systems. Gaps, delays, or inconsistent data make it harder to understand activity patterns and support reporting decisions.
Third-party and vendor risk management: Many fintechs rely on vendors for onboarding, monitoring, or payments. When roles and responsibilities aren’t clearly defined, risk can fall through the cracks and create compliance exposure.
Keeping policies aligned with how the product actually works: Policies often lag behind product changes. When workflows evolve but documentation doesn’t, gaps show up quickly during exams or partner reviews.
Role clarity and ownership: As teams grow, it’s not always clear who owns which part of the BSA program. Handoffs between compliance, product, and operations can create delays or missed follow-ups.
Change management for new features: New features can introduce new BSA risk. Without a structured review process, teams may launch changes without fully understanding the compliance impact.
Exam readiness and documentation: Even when controls exist, teams may struggle to explain them clearly. Incomplete documentation or scattered evidence can make exams more difficult than they need to be.
Consistency in decision-making: Inconsistent alert reviews or SAR decisions can raise questions. Regulators look for patterns and rationale, not just outcomes.
—
The Bank Secrecy Act is a constant presence in modern financial services, even when it’s not obvious at first. As products evolve and money starts moving, BSA expectations begin to shape design decisions, partnerships, and day-to-day operations.
When teams understand how those requirements apply to their business, growth becomes more predictable and far less disruptive.
With the right structure and planning in place, BSA compliance can support growth rather than slow it down. By putting clear controls and practical documentation in place early, teams can align with regulators and partners and scale with confidence.
Frequently Asked Questions About the Bank Secrecy Act
What is the difference between BSA and AML?
The Bank Secrecy Act is a US law that sets formal requirements for monitoring and reporting financial activity. AML refers to the broader programs, controls, and processes companies use to meet those requirements. In practice, the BSA provides the legal framework, and AML is how companies apply it day to day.
What is the original purpose of the BSA?
The BSA was created to increase transparency around how money moves through the financial system. Before it existed, financial institutions weren’t consistently obligated to keep records or report certain transactions. The law gave regulators and law enforcement tools to identify and investigate financial crime.
What are the rules of the Bank Secrecy Act?
The BSA requires covered institutions to keep records, file specific reports, and maintain a compliance program that matches their activities. These rules cover areas like transaction reporting, suspicious activity monitoring, and customer identification. The exact requirements vary by business type and risk profile.
What is the penalty for violating the Bank Secrecy Act?
BSA violations can lead to civil penalties, regulatory enforcement actions, and, in serious cases, criminal charges. Regulators also consider how a company responds once issues are identified. Firms that ignore known gaps tend to face more serious consequences.
What is Section 3 of the BSA?
Section 3 of the BSA gives regulators the authority to require financial institutions to keep records and submit reports related to financial activity. It forms the legal foundation for many BSA reporting and recordkeeping obligations used today.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
Last updated on Mar 24, 2026