The Bank Secrecy Act is the foundation of U.S. AML compliance. Here's what it requires, who it applies to, and what fintechs need to do to stay compliant from day one.
What Is the Bank Secrecy Act (BSA)? A Plain-English Guide for Fintechs
If you are building a fintech in the United States, the Bank Secrecy Act is the single most important piece of compliance legislation you need to understand. Almost every AML requirement you will encounter — from FinCEN registration to SAR filing to transaction monitoring — flows directly from the BSA.
And yet most founders encounter it for the first time in a sponsor bank meeting, scrambling to understand what they are being asked to comply with.
This article explains what the Bank Secrecy Act is, what it actually requires, who it applies to, and what the consequences look like when fintechs get it wrong.
What Is the Bank Secrecy Act?
The Bank Secrecy Act (BSA) is a U.S. federal law enacted in 1970, also known as the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act.
The law was created to fight money laundering, tax evasion, and other financial crimes by requiring financial businesses to maintain records and file reports that give law enforcement visibility into suspicious financial activity.
The BSA is administered and enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. FinCEN writes the rules, collects the reports, and issues enforcement actions when businesses fail to comply.
Since 1970, the BSA has been significantly expanded through additional legislation — most notably the USA PATRIOT Act of 2001, which added stricter customer identification requirements, and the Anti-Money Laundering Act of 2020, which modernized the framework, strengthened beneficial ownership rules, and gave FinCEN new enforcement tools.
Who Does the BSA Apply To?
The BSA applies to businesses classified as financial institutions under federal law — a category that is much broader than most founders expect.
If your business falls into any of the following categories, the BSA applies to you:
- Money Services Businesses (MSBs) — money transmitters, currency exchangers, check cashers, prepaid card issuers, and cryptocurrency businesses that accept and transmit value
- Banks and credit unions — including neobanks operating under a sponsor bank charter
- Broker-dealers and investment firms
- Insurance companies offering certain products
- Casinos and card clubs above certain revenue thresholds
- Fintech companies operating under a sponsor bank — the bank's BSA obligations extend directly to your platform
One of the most common mistakes fintech founders make is assuming the BSA applies only to traditional banks. It does not. If your product moves money in any form, BSA requirements very likely apply to your business. Determining whether you are covered is one of the first compliance decisions you need to make — before you launch.
What Does the BSA Actually Require?
The BSA creates four main categories of obligations for covered businesses.
AML Program Requirements
Every covered financial institution must maintain a written, operational Anti-Money Laundering program. This program must include internal controls, a designated compliance officer, ongoing employee training, and independent testing — the four pillars of BSA compliance.
Since 2016, Customer Due Diligence (CDD) has been added as a fifth required element, covering how you verify and monitor your customers. Your AML program must be tailored to your specific business model, products, and customer base. A generic template does not satisfy BSA requirements.
Recordkeeping Requirements
The BSA requires covered businesses to create and retain specific financial records:
- Currency Transaction Reports (CTRs) — filed for cash transactions over $10,000
- Records of funds transfers of $3,000 or more
- Customer identification records documenting KYC procedures conducted at onboarding
- SAR supporting documentation including investigation notes and evidence
- Purchase records for monetary instruments
Most records must be retained for a minimum of five years.
Reporting Requirements
Currency Transaction Reports must be filed for any cash transaction exceeding $10,000 in a single business day, within 15 days of the transaction.
Suspicious Activity Reports must be filed when a covered business knows, suspects, or has reason to suspect that a transaction involves funds from illegal activity, is designed to evade reporting requirements, or lacks a lawful purpose. SARs must generally be filed within 30 days of detecting the suspicious activity, with a maximum of 60 days where additional time is needed to identify a subject.
FinCEN Registration — most MSBs are required to register with FinCEN within 180 days of establishing the business, and to re-register every two years. Failure to register is a federal crime.
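One way to turn the reporting rules above into monitoring logic, as an added example that is not part of the original article or of any particular compliance product: aggregate a customer's cash transactions per business day, flag daily totals above the $10,000 CTR threshold, and compute the 15-day CTR deadline and the 30/60-day SAR deadlines. The thresholds and deadlines are the ones stated in the text; the sample transactions are constructed, deadlines are counted in calendar days (an assumption, since the article does not say), and the five-year retention date is counted from the filing deadline (also an assumption).

```python
"""Added example: BSA reporting-deadline checker over constructed sample data.

Thresholds and deadlines follow the article's figures; everything else
(sample customers, calendar-day counting, retention start date) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")   # CTR owed when cash in one business day exceeds $10,000
CTR_FILING_DAYS = 15               # CTR must be filed within 15 days
SAR_FILING_DAYS = 30               # SAR within 30 days of detecting the activity
SAR_FILING_DAYS_NO_SUBJECT = 60    # up to 60 days while a subject is still being identified
RECORD_RETENTION_YEARS = 5         # most BSA records kept at least five years


@dataclass(frozen=True)
class CashTransaction:
    customer_id: str
    business_day: date
    amount: Decimal          # Decimal, never float, for money


@dataclass(frozen=True)
class CtrObligation:
    customer_id: str
    business_day: date
    total: Decimal
    file_by: date
    retain_until: date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def ctr_obligations(txns):
    """Aggregate cash per (customer, business day); a CTR is owed when the
    daily total is strictly greater than the $10,000 threshold."""
    totals = defaultdict(Decimal)
    for t in txns:
        totals[(t.customer_id, t.business_day)] += t.amount
    obligations = []
    for (customer, day), total in sorted(totals.items()):
        if total > CTR_THRESHOLD:
            file_by = day + timedelta(days=CTR_FILING_DAYS)
            # Assumption: retention clock starts at the filing deadline.
            retain_until = add_years(file_by, RECORD_RETENTION_YEARS)
            obligations.append(CtrObligation(customer, day, total, file_by, retain_until))
    return obligations


def sar_deadline(detected_on: date, subject_identified: bool = True) -> date:
    """30 days from detection, or 60 when the subject is not yet identified."""
    days = SAR_FILING_DAYS if subject_identified else SAR_FILING_DAYS_NO_SUBJECT
    return detected_on + timedelta(days=days)


# Constructed sample: two deposits by cust-A on one day add up past the
# threshold; cust-B lands exactly on $10,000 (not "exceeding"); cust-C is a
# single large deposit.
SAMPLE_TXNS = [
    CashTransaction("cust-A", date(2024, 3, 4), Decimal("6000")),
    CashTransaction("cust-A", date(2024, 3, 4), Decimal("5000")),
    CashTransaction("cust-B", date(2024, 3, 4), Decimal("10000")),
    CashTransaction("cust-A", date(2024, 3, 5), Decimal("4000")),
    CashTransaction("cust-C", date(2024, 3, 6), Decimal("12500")),
]


def run_sample():
    """Run the checker over the sample and return the results as plain strings."""
    return {
        "ctrs": [
            (o.customer_id, o.business_day.isoformat(), str(o.total),
             o.file_by.isoformat(), o.retain_until.isoformat())
            for o in ctr_obligations(SAMPLE_TXNS)
        ],
        "sar_subject_known": sar_deadline(date(2024, 3, 6)).isoformat(),
        "sar_subject_unknown": sar_deadline(date(2024, 3, 6), subject_identified=False).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The per-day aggregation is the part generic rule templates tend to get wrong: checking each deposit individually would miss cust-A, whose two same-day deposits only cross the threshold together, while cust-B sits exactly at $10,000 and is correctly left alone.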
Customer Identification Program (CIP)
Covered businesses must implement a formal CIP — a documented set of procedures for verifying the identity of customers at onboarding. For individuals, this means collecting and verifying name, date of birth, address, and a government-issued ID number. For businesses, it means verifying the entity and its beneficial owners.
The Consequences of Non-Compliance
Civil money penalties can reach tens of millions of dollars for serious or repeated violations. FinCEN calculates penalties based on severity, duration, number of transactions affected, and whether the violation was willful.
Criminal penalties apply to willful violations — including fines and imprisonment for founders, executives, and compliance officers who knowingly violate BSA requirements.
Enforcement actions are public. FinCEN publishes all actions on its website. Being named in a BSA enforcement action has lasting consequences for your company's reputation, banking relationships, and ability to raise capital.
Sponsor bank termination is often the most immediate consequence for fintechs. When sponsor banks determine that a fintech partner's BSA controls are inadequate, they exit the relationship with limited notice — and other banks are unlikely to take on a company with a documented compliance failure.
Loss of operating licenses is a real risk in serious cases. State regulators can revoke money transmitter licenses when BSA violations reflect fundamental program failures.
How the BSA Connects to Your Daily Operations
The BSA is not just a legal requirement you satisfy once. It shapes ongoing operations across your entire business:
- Onboarding — your KYC and CIP process is a direct BSA requirement
- Transaction processing — your monitoring rules and CTR filing process operate under the BSA
- Customer support — frontline staff need BSA training to recognize and escalate suspicious behavior
- Product decisions — adding new products, entering new geographies, or serving new customer types all carry BSA implications that must be assessed before launch
- Technology — your compliance software stack must support BSA obligations including monitoring, screening, and SAR filing
Understanding the BSA is not just the compliance team's job. For fintechs, it is foundational business knowledge.
The BSA and Your Sponsor Bank
If you operate through a sponsor bank, the BSA creates a shared compliance responsibility. Your sponsor bank is a regulated institution with its own BSA obligations — and those obligations extend to the fintechs they partner with.
Your sponsor bank will require you to have a documented AML program before going live, conduct periodic reviews of your BSA controls, hold you to standards consistent with their own regulatory requirements, and terminate the relationship if your compliance posture creates unmanaged BSA risk for them.
The BSA is not just something you comply with for regulators. It is the foundation of the trust relationship with every banking partner you will ever have.
Frequently Asked Questions
What is the difference between the BSA and AML compliance?
The Bank Secrecy Act is the federal law that creates U.S. AML obligations. AML compliance — anti-money laundering compliance — is the broader practice of meeting those obligations through policies, controls, training, and monitoring. The BSA is the law. AML compliance is how you follow it.
Does the BSA apply to crypto companies?
Yes. FinCEN confirmed in 2013 that cryptocurrency businesses that accept and transmit value are money transmitters and therefore Money Services Businesses subject to full BSA requirements — including AML program, SAR filing, and FinCEN registration obligations.
What happens if a fintech operates without a BSA/AML program?
Operating without a required BSA/AML program exposes your company to civil money penalties, criminal prosecution in willful cases, sponsor bank termination, loss of state licenses, and permanent reputational damage. FinCEN enforcement actions are public and long-lasting.
How often does a BSA/AML program need to be updated?
At minimum, your AML program — including your risk assessment, policies, and controls — should be reviewed and updated annually. Updates are also required when you launch new products, enter new markets, significantly change your customer base, or when regulations change.
How ComplyOne Helps
ComplyOne works with fintech companies and money services businesses to build BSA-compliant AML programs from the ground up — whether you need compliance technology, advisory support, or both. From FinCEN registration to policy drafting to ongoing program management, we meet you where you are and build what you need.
Talk to the ComplyOne team to get started.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Compliance requirements vary based on your business model, jurisdiction, and regulatory relationships. Consult a qualified compliance professional for guidance specific to your situation.