Bank Secrecy Act Checkup

Thoughtware Article Published: Jun 01, 2016
A banker looking at charts

The Bank Secrecy Act (BSA) has required financial institutions to have a BSA compliance program since 1986. However, the business of preventing money laundering, terrorist financing and other financial crimes continues to evolve. The changing regulatory landscape includes newer issues like marijuana money and virtual currency as well as a steady stream of new regulations from the Financial Crimes Enforcement Network (FinCEN) and other federal and state regulators.

History & Evolution

The four pillars of the BSA are:

  • Policies, procedures and controls
  • Designation of a compliance officer
  • Ongoing employee training
  • An independent audit program

The BSA program must be written and approved by the board, and it’s typically updated and approved annually. Since 2003, financial institutions have been required to obtain sufficient information to form a reasonable belief regarding the identity of each customer opening a new account. This is known as the Customer Identification Program (CIP) Rule and has its origins in the 2001 USA PATRIOT Act. The CIP must include:

  • Risk-based procedures for verifying identities
  • Account opening procedures
  • Identity verification procedures
  • Account record-keeping and notice requirements

All customers should be risk rated for the CIP. High-risk customers require enhanced due diligence, which should include continuous monitoring and the filing of suspicious activity reports (SAR), as warranted.

On May 11, 2016, FinCEN issued a final customer due diligence rule requiring financial institutions and other entities to collect information on beneficial owners when an account is opened. The rule is effective on July 11, 2016, but compliance isn't mandatory until May 11, 2018. A model form can be used to collect the information on persons owning directly or indirectly more than 25 percent of the equity interests in a “legal entity customer” or a single individual exercising control over the entity. In general, a legal entity customer is a corporation, limited liability company or other entity which is created by the filing of a public document with a Secretary of State or similar office. The definition of “account” is unchanged from FinCEN’s existing CIP rules. Increasingly, the new rule is being referred to as the “Fifth BSA pillar.”


Common BSA reports include:

  • SARs
  • Currency Transaction Reports (CTRs)
  • Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business
  • International Transportation of Currency or Monetary Instruments
  • Report of Foreign Bank and Financial Accounts

CTRs must be filed within 15 days of the reported transaction and SARs within 30 days from the initial detection of suspicious activity. Reporting of the actual SAR isn’t necessary, but sufficient information—enough to fulfill fiduciary duties while being mindful of confidentiality—must be reported to the board or designated committee in a timely fashion.

In 2015, financial institutions filed more than 900,000 SARs—many related to structuring, i.e., attempting to evade the cash reporting threshold. Structuring is a crime subject to civil and criminal penalties and possible imprisonment for up to 10 years, and prosecutors don’t need to prove defendants knew structuring was illegal. In a recent case, FinCEN fined a community bank $4.5 million in a structuring case where a bank employee facilitated a customer’s structuring scheme.

In addition to large fines, financial institutions and employees have been subject to deferred prosecution agreements, cease-and-desist orders and personal liability. On January 8, 2016, a U.S. District Court in Minnesota ruled compliance officers and other individuals can be held responsible for anti-money laundering control failures under the BSA. In that case, a former MoneyGram compliance officer was fined $1 million by FinCEN.

Marijuana Money

Although marijuana remains illegal at the federal level under the Controlled Substances Act, at least 24 states and the District of Columbia have legalized marijuana for medical and/or recreational purposes. By some estimates, quasi-legal annual revenues are approaching $5 billion. Most institutions are likely to have some connection—intentional or not—to marijuana money.

Financial institutions face significant risks by participating in the industry, including:

  • Seizure or forfeiture of deposits and assets
  • Loan default waivers
  • Federal criminal charges related to money laundering
  • Aiding and abetting criminal activity

In addition, lawsuits are possible under the Racketeer Influenced and Corrupt Organizations Act (RICO), permitting private rights of action with treble damages and possible attorney fees. At least one lawsuit filed under RICO against marijuana-related business (MRB) settled before trial and included a national bank, its accountant and a contractor. A Colorado credit union intending to exclusively serve the marijuana industry unsuccessfully sued the Federal Reserve Bank of Kansas City in federal court for denial of a master account. In dismissing the lawsuit, the judge wrote, “Bank regulators might look the other way if financial institutions don’t mind violating the law. A federal court cannot look the other way.”

In spite of the Controlled Substances Act, federal regulators don’t entirely prohibit marijuana industry banking. Following issuance of the U.S. Department of Justice’s Cole Memorandum setting forth enforcement priorities, FinCEN issued FIN-2001-G001 to clarify how financial institutions can provide services to MRBs consistent with BSA obligations. This guidance lays out the due diligence an institution must conduct to bank an MRB, including verification of an MRB’s good standing with the Secretary of State and the jurisdiction’s marijuana licensing authority, ongoing monitoring of red flags and publicly available information and developing an understanding of normal and expected activity.

The FinCEN guidance defines three types of SARs to be filed related to MRBs. Marijuana Limited is filed at the financial institution’s first service. Marijuana Priority is filed when the institution reasonably believes one of the Cole Memorandum priorities or a state law may have been violated. The Marijuana Termination SAR is used when the institution decides to terminate the relationship. According to FinCEN, the decision to open, close or refuse any particular account should be made by each financial institution based on a number of factors specific to that institution.

Essentially, the guidance requires financial institutions to perform a high level of due diligence regarding MRBs, including policies, procedures, training, CTR and SAR filings and ongoing monitoring. This may help the institution stay out of the regulatory crosshairs but isn’t absolute assurance.

For financial institutions opting not to serve the industry, there are tools available to identify MRBs, including business data feeds from Dow Jones and MRBMonitor that help manage risk and compliance. Alternatively, institutions could perform keyword and word stem searches in their customer databases, e.g., "grow," "green," "canna," "mari," "pharma," "medi," etc.

Money Service Businesses & Virtual Currency

In general, a business engaging in one or more transactions with any person on any day with one or more transactions exceeding $1,000, or engaging in money transmission in any amount, is considered a Money Service Business (MSB). These businesses typically perform check cashing, money orders and traveler’s check sales, offer prepaid products and provide currency exchange. These customers present a higher risk to the financial institution and are required to register with FinCEN.

FinCEN notes that MSBs serve important functions, including facilitating remittances and providing other financial services, and emphasizes that high risk doesn’t necessarily mean impossible to bank. Institutions serving this niche would be well advised to thoroughly assess and develop programs to appropriately manage these risks. Increasingly, larger banks are requiring their MSB customers to provide evidence of independent testing of the MSB’s compliance program.

Financial institutions with virtual currency exchangers or administrators as customers must follow FinCEN’s Virtual Currency Guidance, which includes performing due diligence similar to that required for more traditional MSBs. Part of that due diligence should include confirming the exchanger or administrator has registered with FinCEN as an MSB.

Prepaid Cards

On March 21, 2016, Interagency Guidance was issued concerning CIP requirements and prepaid cards. According to the guidance, prepaid cards providing a cardholder with the ability to reload funds or access to credit or overdraft features should be treated as accounts. Once the account has been established, the financial institution must identify the customer for purposes of the CIP rule. In many cases, the cardholder should be treated as the customer for purposes of the CIP rule, even if the cardholder is not the named account holder. The guidance provides specific examples regarding payroll cards, government benefit cards, health savings accounts and flex spending and health reimbursement accounts.

BSA Audits

Examiners expect annual BSA audits, which can be performed internally, provided internal auditors are independent of program administration, or by an external provider. An emerging expectation is that any BSA interdiction software in use also must be independently validated. An institution unable to provide evidence of model validation is likely to be criticized during the BSA exam. Some institutions rotate BSA auditors and firms for a fresh perspective.


While products, services, risks and risk appetites change over time, the basic due diligence and risk management principles of board oversight, policies, procedures, training, testing and continuous monitoring are universal within financial services—for now and in the foreseeable future. These core program elements and the associated BSA reporting have successfully disrupted terrorism networks, money laundering and multimillion-dollar fraud schemes, according to FinCEN.

Accordingly, when in doubt, the best advice is to file a SAR. If a SAR isn’t filed, be sure to carefully document the decision-making process. Receiving credit for the institution’s substantial BSA efforts results from thoroughly documenting what was done or deliberately omitted. A clear document trail for examiners and auditors is one bridge to a better BSA outcome.

Contact your BKD advisor for more information on BSA program changes.

Related Thoughtware

Kate & Ben — How can we help you? Contact Us!

How can we help you?