New York skyline

Strengthening financial integrity: BSA, AML, and emerging trends

The Bank Secrecy Act (BSA), first passed by the U.S. Congress in 1970, requires financial institutions to assist government agencies in helping to detect, report, and prevent money laundering. Over time, the BSA has evolved through amendments that expand its scope and reinforce the role of financial institutions in safeguarding the financial system from illicit activity.

The regulations that implement the BSA require financial institutions to keep records of cash purchases of “negotiable instruments” (e.g. written documents that promise payment and can be transferred to other entities, like a check or money order); file reports of cash transactions exceeding $10,000; and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activity. 

5 pillars of the BSA and anti-money laundering regulation

For BSA anti-money laundering (AML) compliance, financial institutions are expected to maintain a compliance program that aligns with five BSA AML pillars.

  1. Internal controls
  2. Designation of a BSA AML officer
  3. Establishment of BSA AML training program
  4. Independent testing of compliance program
  5. And, customer due diligence

The five pillars are intended to work together to lay the framework for an AML program.

  1. Internal controls
    The internal controls part of the BSA AML program might typically involve setting up systems to manage how an institution operates, making sure the specific risks they may need to address are included in their compliance plans, and keeping their Board of Directors informed about what’s being done to follow rules.

  2. BSA Officer
    Typically, in regulated firms, a Board of Directors designates a qualified individual as BSA Officer. The BSA compliance officer would be responsible for coordinating and monitoring the institution’s day-to-day BSA AML compliance. The compliance officer may also be best positioned to manage each aspect of the BSA AML compliance program. The Board of Directors is ultimately responsible for the bank’s BSA AML compliance however and could therefore require oversight of activities, while making sure the BSA compliance officer has sufficient authority, independence, and access to resources to execute their duties. 

  3. BSA AML training
    It is common for banks to provide BSA AML-related training to appropriate personnel within an organization. Appropriate personnel could include those whose duties require knowledge of or involvement in some aspect of BSA AML compliance activity. Training might cover aspects of the BSA that are relevant to the bank and its risk management processes.

    Foundational training for board members and senior management is also commonly included in BSA AML programs to support awareness of regulatory developments.

  4. Independent testing
    Independent testing could involve a periodic review of a financial institution’s BSA AML compliance program, conducted by internal staff who are not involved in day-to-day compliance, or by external parties. Its purpose might be to assess the effectiveness of a program, help identify gaps, and support regulatory adherence. It might typically be performed every 12–18 months or it could be based on a risk-related event the bank needs to respond to.

    This kind of independent evaluation can also help inform the board of directors and senior management of potential AML vulnerabilities, or areas that might need enhancements with stronger controls. 

  5. Customer due diligence
    Customer due diligence (CDD) generally involves designing a program or set of processes that enable institutions to develop an understanding of their customers, and the nature and purpose of that customer relationship, as well as maintaining and updating customer information on an ongoing basis. CDD can help banks mitigate the risk of working with bad actors, such as those attempting to launder money through the institution.

Who enforces BSA AML compliance?

To assist with BSA AML compliance and to hold financial institutions accountable, the United States Treasury Department established the Financial Crimes Enforcement Network (FinCEN) in 1990. FinCEN’s mission to “safeguard the financial system from the abuses of financial crime, including terrorist financing, money laundering and other illicit activity” means it can implement, administer, and enforce BSA AML compliance.

FinCEN works to help ensure banks adhere to the three main AML requirements of the BSA:

  1. Report cash transactions over $10,000 using the Currency Transaction Report
  2. Properly identify those conducting transactions
  3. Keeping appropriate records of financial transactions to maintain an accurate paper trail

FinCEN is the bureau of the US Treasury Department primarily responsible for establishing policies and standards related to BSA AML, but other areas of government also have oversight, depending on the nature of the institution or business in question. The Office of the Comptroller of the Currency (OCC), Federal Reserve System (FRS), National Credit Union Administration (NCUA), Federal Deposit Insurance Commission (FDIC), the Consumer Financial Protection Bureau (CFPB), and state financial regulators can also have BSA/AML regulatory oversight, as well as other regulators not named here.  

Upcoming regulatory changes

There are a few notable changes coming into place related to AML compliance in the US that it could be useful for financial institutions to prepare for.

  • Assignment of Investment Advisors
    Investment Advisors will soon be reclassified as a financial institution for the purpose of compliance with BSA AML. FinCEN has adopted a rule that will require Registered Investment Advisors to comply with AML laws and regulations. At present, the plan is for this rule to go into effect January 1, 2028. Investment Advisors may want to consider evaluating potential impacts of this rule to support future compliance planning.

  • Consideration of digital assets
    In 2025, the GENIUS Act was passed, the US’ first federal legislation on stablecoins, providing a comprehensive regulatory framework for this specific type of digital asset. This change could bring new risks that financial institutions may need to consider in the future, and they may begin exploring how evolving technologies and asset types could influence risk and compliance frameworks.

  • The role of AI
    Generative AI offers banks the opportunity to develop operational efficiencies and greater insights across areas of risk management and compliance, but it could also pose challenges that need to be addressed. For example, AI may help compliance departments conduct more efficient investigations, but AI may also help fraudsters find new ways to try to evade verification systems. 

What can institutions consider doing now to prepare?

As regulation in the US continues to evolve, financial institutions can take proactive steps to strengthen their AML compliance programs and prepare for potential challenges. Many institutions, for example, conduct gap assessments to evaluate alignment with regulatory expectations and industry standards. These assessments can help them prioritize improvements and allocate resources more effectively.

Updating training programs is another potential area of focus. As new considerations emerge—such as those related to digital assets or AI—training can evolve to support staff across relevant departments, so they remain informed and equipped to respond to the new technology.

Institutions may also benefit from reviewing their AI governance policies so use of generative AI in compliance or risk management is transparent, controlled, and aligned with AML standards.

Finally, with digital assets gaining regulatory attention, institutions may consider preparing for oversight requirements by evaluating how these assets fit into their existing risk frameworks and compliance strategies.

Institutions who plan in advance, understand how these changes may affect risk and compliance, and take steps to address them could gain a valuable advantage.

This content is provided for informational purposes only and does not constitute legal advice or a definitive interpretation of regulatory requirements. For legal advice, please consult a qualified professional. 

