BSA compliance refers to meeting the requirements of the Bank Secrecy Act — the foundation of U.S. AML law. Here is what it covers, who it applies to, and what a compliant program actually looks like.
What Is BSA Compliance? A Plain-English Guide for Fintechs
BSA compliance is one of those phrases that gets used constantly in fintech — in sponsor bank conversations, investor due diligence, regulatory meetings — but is rarely explained clearly to the people who need to understand it most.
BSA compliance refers to meeting the requirements of the Bank Secrecy Act — the primary federal law governing anti-money laundering obligations in the United States. For most fintechs that move money, BSA compliance is not optional and not peripheral. It is the regulatory foundation that everything else is built on.
What Is the Bank Secrecy Act?
The Bank Secrecy Act is a U.S. federal law enacted in 1970 and administered by the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury. The BSA requires covered financial institutions to maintain records and file reports that help detect and prevent money laundering, tax evasion, and other financial crimes.
Since its original enactment, the BSA has been significantly expanded — most notably by the USA PATRIOT Act in 2001 and the Anti-Money Laundering Act of 2020.
Who Is Required to Comply With the BSA?
BSA compliance requirements apply to businesses classified as financial institutions under federal law. For fintechs, the most relevant category is Money Services Businesses — a classification that covers most companies that move money.
Your fintech likely has BSA compliance obligations if you are a money transmitter, a prepaid card issuer, a currency exchanger, a cryptocurrency business that accepts and transmits value, or if you operate under a sponsor bank arrangement where the bank's BSA obligations extend to your platform.
What BSA Compliance Actually Requires
BSA compliance is not a single obligation — it is a set of interconnected requirements that together form your AML compliance program.
A Written AML Program
The BSA requires covered financial institutions to maintain a written, operational anti-money laundering program. The program must be approved by senior management and tailored to your specific business. It must cover five pillars: internal controls, a designated compliance officer, ongoing employee training, independent testing, and customer due diligence.
Customer Identification Program
Your BSA compliance program must include a written Customer Identification Program — procedures for verifying the identity of every customer at onboarding. For individuals, this means collecting and verifying name, date of birth, address, and a government-issued identification number. For businesses, it means verifying the entity and its beneficial owners.
Customer Due Diligence
Beyond basic identity verification, the BSA requires ongoing Customer Due Diligence — understanding who your customers are, what they are expected to do on your platform, and monitoring their activity against that expected profile.
Transaction Monitoring
Your BSA compliance program must include a mechanism for detecting suspicious activity — transaction monitoring rules that flag unusual activity for compliance review.
SAR Filing
When your monitoring identifies suspicious activity that meets the filing threshold, you must file a Suspicious Activity Report with FinCEN within 30 days of detecting the suspicious activity.
CTR Filing
For businesses that handle cash, Currency Transaction Reports must be filed for cash transactions exceeding $10,000 within 15 days.
Recordkeeping
The BSA requires covered businesses to maintain specific records for a minimum of five years, retrievable on reasonable notice.
FinCEN Registration
If your business qualifies as an MSB, you must register with FinCEN within 180 days of establishing the business and re-register every two years.
The Five Pillars of a BSA/AML Program
Internal controls — policies, procedures, and technology for detecting, investigating, and reporting suspicious activity.
Designated compliance officer — a named BSA Officer with the authority, resources, and expertise to oversee the program.
Ongoing employee training — regular, documented AML training for all employees whose roles touch compliance-relevant functions.
Independent testing — periodic review of the AML program by someone independent of the compliance function.
Customer Due Diligence — understanding your customers, assigning risk ratings, and monitoring ongoing activity.
What BSA Non-Compliance Costs
Civil money penalties from FinCEN can reach tens of millions of dollars for serious violations. Criminal penalties apply to willful violations. Sponsor bank termination is often the most immediate consequence for fintechs. Public enforcement actions create lasting reputational consequences.
Frequently Asked Questions
Is BSA compliance the same as AML compliance?
BSA compliance and AML compliance are closely related but technically distinct. The Bank Secrecy Act is the law. AML compliance is the practice of meeting that law's requirements. In practice, the terms are often used interchangeably.
How often does a BSA/AML program need to be updated?
Your BSA/AML program should be reviewed at minimum annually. Updates are also required when you launch new products, enter new markets, significantly change your customer base, or when regulatory guidance changes.
Does a fintech under a sponsor bank still need its own BSA compliance program?
Yes. A fintech operating under a sponsor bank arrangement has its own independent BSA compliance obligations. The sponsor bank's program does not replace the fintech's independent obligations.
How ComplyOne Helps
ComplyOne works with fintechs to build BSA compliance programs that are written, operational, and effective — covering all five pillars, satisfying FinCEN requirements, and passing sponsor bank review. Whether through compliance technology, advisory services, or both, we help you build the program correctly the first time.
Talk to the ComplyOne team to get started.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.