The Bank Secrecy Act (BSA)–also called the Currency and Foreign Transactions Reporting Act–was passed in 1970 to stop people and organizations from hiding or “laundering” the proceeds of illicit and fraudulent operations. The Act requires all financial institutions with operations in the United States to assist in government efforts to detect and prevent financial crimes.
The BSA is the main legislation ensuring the financial transparency that is so essential to the U.S. economy. Its enforcement makes financial markets safer for everyone–but it also requires significant time and money for compliance.
The law’s definition of “financial institutions” includes more than twenty-five types of entities, including banks, securities brokers, telegraph companies, and even casinos.
When the law was passed, governmental concerns about money laundering seemed focused on criminal gangs and actual cash. But within two years, the BSA was invoked in the investigation of the Watergate break-in, due to the related campaign financing malfeasance. Over the years, as financial markets and practices became much larger and more complex, and criminal activities became correspondingly convoluted, newer anti-money laundering (AML) legislation has widened the scope of the BSA to try to keep up.
Most notably, the BSA requires financial institutions to keep records of cash purchases of money orders and other instruments, and to file reports for daily transaction totals exceeding $10,000. The BSA also requires them to report any suspicious activity indicating that financial crimes–like money laundering, but also tax evasion, terrorism financing, and other criminal activity such as human trafficking–could be taking place.
The Act is enforced by the Financial Crimes Enforcement Network (FinCEN), under the U.S. Department of the Treasury. FinCEN, the U.S. financial intelligence unit, issues regulations and guidance for compliance with the BSA, and can examine financial institutions and pursue enforcement for violations.
It also maintains a toll-free helpline for financial institutions, as well as an anti-terrorism hotline. FinCEN works with the Office of the Comptroller of the Currency (OCC), which regulates and supervises national banks and federal savings associations. The OCC conducts regular examinations of financial institutions to determine compliance with the BSA.
Unsurprisingly for the complexity of financial markets, several other government agencies play a critical role in implementing and enforcing BSA regulations, ensuring compliance, and providing guidance to businesses–including, of course, the Internal Revenue Service.
The BSA has been amended and augmented several times. In 1986, the Money Laundering Control Act made the practice a federal crime. It prohibited structuring transactions to evade filings, for example, and introduced civil and criminal forfeiture for BSA violations. The Anti-Drug Abuse Act of 1988 expanded the definition of financial institutions to include car dealers and real estate closing, requiring these businesses, too, to file reports on large currency transactions.
Perhaps the most notable expansion to the BSA came from the PATRIOT Act, passed in 2001 as a response to the September 11 terrorist attacks. Title III of the PATRIOT Act requires financial institutions to actively establish anti-money-laundering programs internally, and to adopt a customer identification program (CIP). The process of verifying customer identities is now commonly shorthanded to Know Your Customer (KYC).
In 2016, the Panama Papers revealed a loophole in the PATRIOT Act’s requirements for due diligence that did not cover financial malfeasance between business bank accounts. As a result, that year, FinCEN issued the Customer Due Diligence (CDD) Final Rule. The CDD Rule spelled out specific requirements for banks, fintechs, payment service providers, and other entities when onboarding business customers. This set of rules and best practices is now known as Know Your Business (KYB).
In 2020, Congress passed the Anti-Money Laundering Act as part of the National Defense Authorization Act. The AMLA, for the first time, imposes a federal requirement for institutions to determine the Ultimate Beneficial Owners (UBOs) of certain legal entities, and significantly broadens the scope of enforcement and requirements of the BSA and succeeding legislation.
To comply with the BSA and related legislation, every bank, neobank, fintech, and financial institution handling money must have an anti-money laundering (AML) and customer due diligence (CDD) program in place.
These financial institutions can adhere to requirements by following the five pillars of the Bank Secrecy Act:
Banks, fintechs and other financial institutions, will deal with pillars number three and five on a daily basis when onboarding new customers. What about the other pillars? Those are internal controls related to the administration of your anti-money laundering program rather than vital aspects of your day-to-day customer service.
The good news for these financial entities is the law doesn’t spell out exactly what measures must be taken, meaning institutions can assess their own risk tolerance in developing best practices for implementation of anti-money-laundering programs. The important part, for compliance, is that each institution has a written KYC procedure that adheres to the FDIC’s rules for a Customer Identification Program (CIP).
The CIP must require, at minimum, the following information from each customer opening an account:
This information can often be verified through non-documentary methods – for example, the customer submits their Social Security Number, which the bank can check against a database. Sometimes more information is required, such as documentary identification – a driver’s license, passport, Social Security card, or other identifying documents.
Businesses that perform KYC checks must keep a record of the information they use to make a KYC determination. Generally, they must keep these records for at least five years after the customer has closed their account.
Similarly, to comply with the CDD Rule, businesses must collect and verify information about new business customers (KYB):
Businesses must also cross-check this information to ensure no individuals appear on international sanctions lists, are not suspected of funding terrorism, and have otherwise not been proven to be bad actors. This cross-checking can prove arduous, but it helps businesses avoid hefty civil and criminal penalties – and potentially a huge hit to their reputations, which could lead to broken business relationships, or even more stringent oversight. Fortunately, there are providers like Middesk who can help automate the process.
Together, KYC and KYB due diligence programs ensure that a company isn’t aiding bad actors, abetting financial or other crimes, or assisting entities that are considered threats to U.S. national security.
A number of new laws will take effect in coming months and years, including the Corporate Transparency Act, passed in early 2020 but not fully implemented until 2023. It will create a database of beneficial ownership information to enable FinCEN to crack down on shell companies.
Notably, though, this act shifts some of the burden of collecting UBO information from financial institutions to the companies themselves–and includes penalties for non-compliance. Companies registered before January 1, 2024 have one year to file the required information with FinCEN; those that register after that date have 30 days to file. As with other anti-money laundering efforts, FinCEN will issue regular announcements and guidance to assist businesses with compliance.