BSA/AML Compliance Requirements for Community Banks, Plain English Guide

Plain-language breakdown of BSA/AML compliance requirements for community banks, including CDD, CIP, SARs, CTRs, and FinCEN beneficial ownership rules.

By Canarie Team

The Bank Secrecy Act and its anti-money laundering regulations fill thousands of pages of regulatory text, examination procedures, and guidance documents. If you're a compliance officer at a community bank, you don't need a law school treatise; you need to know exactly what your program must include and what examiners will check. This guide breaks BSA/AML requirements into plain language, organized by the obligations that actually generate examination findings.

Key Takeaways:

  • BSA/AML programs must include five pillars codified under 31 CFR § 1020.210, with documented evidence for each
  • CDD and beneficial ownership rules under 31 CFR § 1010.230 remain the most frequent source of exam findings
  • SAR obligations require filing within 30 days of initial detection, with documented decision-making for both filed and not-filed determinations
  • OFAC screening is not optional: every customer, beneficiary, and originator must be screened against the SDN list

The Five Pillars of a BSA/AML Program

Under 31 U.S.C. § 5311 and its implementing regulations at 31 CFR § 1020.210, every bank must maintain a written BSA/AML program with five components. Examiners, following the FFIEC BSA/AML Examination Manual, test each component independently.

1. System of Internal Controls

Internal controls are the documented policies, procedures, and processes that govern how your bank identifies and reports suspicious activity. This means written procedures for every BSA obligation: CIP verification, CDD collection, SAR decision-making, CTR filing, and OFAC screening.

Examiners don't just want to see policies on a shelf. They want evidence that controls are executed: signed acknowledgments, timestamped workflow completions, exception reports with documented resolutions. If your policy says high-risk accounts get quarterly reviews, the examiner will ask for the last four quarters of review documentation.

2. Independent Testing

Your BSA/AML program must undergo independent testing at least every 12 to 18 months, depending on your risk profile. "Independent" means the tester cannot be responsible for BSA operations; this can be an internal auditor, an outside firm, or a qualified employee from a different department.

Testing scope must cover every program element: CIP, CDD/EDD, suspicious activity monitoring, CTR filing accuracy, OFAC screening, 314(a) responses, and board reporting. A common MRA trigger is testing that only covers transaction monitoring while ignoring CIP or CDD procedures.

3. Designated BSA Officer

The bank must designate a qualified individual as the BSA compliance officer, responsible for day-to-day program administration. Under 12 CFR § 21.21, the BSA officer must have sufficient authority, resources, and access to information across all business lines.

The board of directors must approve the BSA officer appointment and ensure the officer has direct reporting access to the board or a board committee. Examiners will review board minutes for evidence of this reporting relationship.

4. Training

BSA/AML training must be tailored to job function, not a one-size-fits-all annual presentation. Frontline tellers need training on CTR requirements and red flags for structuring. Loan officers need training on CDD for commercial customers and trade-based money laundering indicators. The BSA officer and compliance team need training on regulatory updates, SAR narrative writing, and examination preparation.

Training records must document attendance, content covered, and date delivered. Examiners review training materials for relevance and completeness.

5. Risk-Based CDD Procedures

Since 2018, customer due diligence procedures have been a codified fifth pillar (31 CFR § 1010.230). Your bank must establish procedures for:

  • Identifying and verifying customer identity (CIP under 31 CFR § 1020.220)
  • Identifying and verifying beneficial owners of legal entity customers
  • Understanding the nature and purpose of customer relationships
  • Conducting ongoing monitoring to identify and report suspicious activity

Customer Identification Program (CIP) Requirements

CIP rules under 31 CFR § 1020.220 require banks to collect four pieces of identifying information for individuals: name, date of birth, address, and identification number (SSN or TIN for U.S. persons). For non-U.S. persons, acceptable identification numbers include a passport number, alien identification card number, or other government-issued ID number.

Banks must verify identity using documentary methods (reviewing a government-issued ID), non-documentary methods (checking third-party databases), or a combination. Your CIP procedures must describe the specific documents and methods used, when non-documentary methods apply, and what happens when verification fails.

Examiners test CIP by pulling a sample of recently opened accounts and checking whether all four data elements were collected and identity was verified within a reasonable timeframe. A common finding: banks collect the data but don't document when and how verification occurred.

Customer Due Diligence and Beneficial Ownership

CDD goes beyond CIP. After verifying who the customer is, you must understand what the customer does, why they need the account, and what expected activity looks like. This baseline lets you identify activity that deviates from the norm, which is the foundation of suspicious activity monitoring.

For legal entity customers (corporations, LLCs, partnerships, trusts), the FinCEN Beneficial Ownership Rule requires collecting and verifying the identity of each individual who owns 25% or more of the entity, plus one individual with significant management responsibility (the "control person").

Enhanced Due Diligence (EDD) applies to customers that present higher risk: PEPs, MSBs, foreign correspondents, cash-intensive businesses, nonprofit organizations, and customers in high-risk geographies. EDD means more information collected at onboarding, more frequent periodic reviews, and tighter transaction monitoring thresholds.

SAR Filing Obligations

Under 31 CFR § 1020.320, banks must file a Suspicious Activity Report with FinCEN for any transaction (or pattern of transactions) that involves $5,000 or more and where the bank knows, suspects, or has reason to suspect the transaction:

  • Involves funds from illegal activity
  • Is designed to evade BSA reporting requirements (structuring)
  • Has no lawful purpose and is inconsistent with the customer's known activity
  • Involves the use of the bank to facilitate criminal activity

The filing deadline is 30 calendar days from initial detection of the suspicious activity. If a suspect is identified, the deadline may extend to 60 days. SAR narratives must include the five W's (who, what, when, where, and why) with sufficient detail for law enforcement to understand the activity.

Equally important: decisions not to file a SAR must be documented. If your monitoring system generates an alert and an analyst closes it without filing, examiners will review the closure rationale. Undocumented "no-file" decisions are a frequent source of BSA-related enforcement actions.

CTR Filing Requirements

Currency Transaction Reports must be filed for cash transactions exceeding $10,000 in a single business day, per customer. CTRs are filed on FinCEN Form 104 and must be submitted within 15 calendar days of the transaction.

Banks must aggregate multiple cash transactions by the same customer in a single business day. If a customer makes three cash deposits totaling $11,000 across different branches, that triggers a CTR. Failure to aggregate is a common finding in BSA examinations.
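The aggregation rule above is the kind of check a transaction-monitoring system has to get right before a CTR can be filed on time. The following is an added example, not code from the article or from Canarie, that aggregates a constructed day of teller activity per customer and business day regardless of branch, flags totals that exceed the $10,000 threshold (exactly $10,000 does not trigger), and computes the 15-calendar-day filing deadline the article states. One assumption goes beyond the article's wording: cash in and cash out are aggregated separately, so a deposit and a withdrawal on the same day are not combined. The customer IDs, branch names and amounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# A CTR is required when aggregated cash in (or, separately, cash out) for one
# customer on one business day EXCEEDS $10,000. Exactly $10,000 does not trigger.
CTR_THRESHOLD = Decimal("10000")
# Filing window stated in the article: 15 calendar days from the transaction date.
CTR_FILING_WINDOW_DAYS = 15


@dataclass(frozen=True)
class CashTransaction:
    customer_id: str    # the bank's internal customer identifier
    business_day: date  # business day the teller posted the transaction
    branch: str         # branch or channel; deliberately ignored by aggregation
    direction: str      # "in" (deposit) or "out" (withdrawal)
    amount: Decimal     # currency amount, always positive


def aggregate_cash(transactions):
    """Sum currency per (customer, business day, direction), ignoring branch.

    Assumption beyond the article: deposits and withdrawals are aggregated
    separately, so a $6,000 deposit and a $5,000 withdrawal do not combine.
    """
    totals = defaultdict(Decimal)
    for tx in transactions:
        if tx.direction not in ("in", "out"):
            raise ValueError(f"unknown direction {tx.direction!r}")
        if tx.amount <= 0:
            raise ValueError("amounts must be positive; use direction for sign")
        totals[(tx.customer_id, tx.business_day, tx.direction)] += tx.amount
    return dict(totals)


def ctr_obligations(transactions):
    """Return one CTR obligation per aggregated total that exceeds the threshold.

    Each obligation carries the aggregate, how many transactions made it up, and
    the calendar-day filing deadline, so a compliance queue can track it.
    """
    obligations = []
    for (customer, day, direction), total in sorted(aggregate_cash(transactions).items()):
        if total > CTR_THRESHOLD:
            count = sum(
                1 for tx in transactions
                if (tx.customer_id, tx.business_day, tx.direction) == (customer, day, direction)
            )
            obligations.append({
                "customer_id": customer,
                "business_day": day,
                "direction": direction,
                "aggregate": total,
                "transaction_count": count,
                "filing_deadline": day + timedelta(days=CTR_FILING_WINDOW_DAYS),
            })
    return obligations


# Constructed sample data: C-1001 splits $11,000 across three branches (the
# article's own scenario); C-2002 lands exactly on $10,000; C-1001 also deposits on
# the next day (a new business day, so no combination); C-3003 has a deposit and a
# withdrawal that never exceed the threshold in either direction.
SAMPLE_TRANSACTIONS = [
    CashTransaction("C-1001", date(2024, 3, 4), "Main St",  "in",  Decimal("4000")),
    CashTransaction("C-1001", date(2024, 3, 4), "Eastside", "in",  Decimal("3500")),
    CashTransaction("C-1001", date(2024, 3, 4), "Westgate", "in",  Decimal("3500")),
    CashTransaction("C-2002", date(2024, 3, 4), "Main St",  "in",  Decimal("10000")),
    CashTransaction("C-1001", date(2024, 3, 5), "Main St",  "in",  Decimal("6000")),
    CashTransaction("C-3003", date(2024, 3, 4), "Main St",  "in",  Decimal("6000")),
    CashTransaction("C-3003", date(2024, 3, 4), "Eastside", "out", Decimal("5000")),
]


if __name__ == "__main__":
    for o in ctr_obligations(SAMPLE_TRANSACTIONS):
        print(f"CTR required: customer {o['customer_id']} cash-{o['direction']} "
              f"${o['aggregate']} on {o['business_day']} across "
              f"{o['transaction_count']} transactions; file by {o['filing_deadline']}")
```

Only the first customer produces an obligation. The branch field is carried on each transaction but never used as a grouping key, which is the whole point of the aggregation finding examiners cite: a system that keys on branch, teller, or account instead of customer and business day will miss the split deposit.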

CTR exemptions exist for certain customers under 31 CFR § 1020.315, primarily other banks, government agencies, and NYSE/AMEX listed companies. Phase I exemptions (banks and government entities) are automatic. Phase II exemptions (other eligible businesses) require documented eligibility determination and annual review.

OFAC Screening Requirements

OFAC compliance is technically separate from BSA, but examiners evaluate it as part of the BSA/AML examination. Every bank must screen customers, beneficiaries, and transaction parties against the Specially Designated Nationals (SDN) list maintained by the Treasury Department's Office of Foreign Assets Control.

Screening must occur at account opening, when customer information changes, and when the SDN list is updated. Wire transfers require screening of both originator and beneficiary. ACH transactions require screening of the counterparty.

Potential matches ("hits") must be investigated and dispositioned. Confirmed matches require blocking the transaction and filing a blocked property report with OFAC within 10 business days.
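The three screening triggers in this section (account opening, customer data change, SDN list update) and the two-party screening of a wire are easiest to see as code. The following is an added example, not code from the article, from Canarie, or from OFAC's own tooling. It builds an in-memory index over a constructed, fictitious SDN-style list, normalizes names before comparison (accents, case, punctuation), screens a wire's originator and beneficiary, and re-screens an existing customer book when the list is updated. Matching is exact-after-normalization so the logic stays readable; production screening engines use fuzzy matching and additional identifiers, which this example does not attempt. Every list entry, program name and party name below is constructed.

```python
import re
import unicodedata
from dataclasses import dataclass


def normalize_name(name):
    """Canonical form for comparison: strip accents, casefold, drop punctuation,
    collapse whitespace. 'Éxample Trading Co.' -> 'example trading co'."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.casefold())
    return " ".join(cleaned.split())


@dataclass(frozen=True)
class SdnEntry:
    uid: str            # list-assigned identifier (constructed here)
    name: str           # primary listed name
    aliases: tuple = () # "a.k.a." names, screened the same as the primary name
    program: str = ""   # sanctions program the entry belongs to


@dataclass(frozen=True)
class Party:
    role: str  # "customer", "originator", "beneficiary", or "counterparty"
    name: str


class SdnScreener:
    """Index of normalized names -> list entries, rebuilt on every list update."""

    def __init__(self, entries):
        self.index = {}
        self.load(entries)

    def load(self, entries):
        self.index = {}
        for entry in entries:
            for listed_name in (entry.name, *entry.aliases):
                self.index.setdefault(normalize_name(listed_name), []).append(entry)

    def screen(self, parties):
        """Return potential matches ('hits'); each needs investigation and disposition."""
        hits = []
        for party in parties:
            for entry in self.index.get(normalize_name(party.name), []):
                hits.append({
                    "role": party.role,
                    "party_name": party.name,
                    "sdn_uid": entry.uid,
                    "program": entry.program,
                    "status": "pending_review",  # an analyst must disposition it
                })
        return hits


def screen_wire(screener, originator_name, beneficiary_name):
    """Wires are screened on both ends, as the article requires."""
    return screener.screen([Party("originator", originator_name),
                            Party("beneficiary", beneficiary_name)])


def rescreen_on_list_update(screener, updated_entries, customer_book):
    """Reload the list, then screen every existing customer, not just new ones."""
    screener.load(updated_entries)
    return screener.screen([Party("customer", name) for name in customer_book])


# Constructed, fictitious list entries. No real SDN data is used.
INITIAL_LIST = [
    SdnEntry("SDN-EXAMPLE-1", "EXAMPLE TRADING COMPANY LTD",
             aliases=("EXAMPLE TRADING CO",), program="CONSTRUCTED-PROGRAM-A"),
]
UPDATED_LIST = INITIAL_LIST + [
    SdnEntry("SDN-EXAMPLE-2", "SAMPLE HOLDINGS", program="CONSTRUCTED-PROGRAM-B"),
]
# Constructed customer book for the re-screen scenario.
CUSTOMER_BOOK = ["Acme Widgets LLC", "Sample Holdings"]


if __name__ == "__main__":
    screener = SdnScreener(INITIAL_LIST)
    print(screen_wire(screener, "Acme Widgets LLC", "Éxample Trading Co."))
    print(rescreen_on_list_update(screener, UPDATED_LIST, CUSTOMER_BOOK))
```

The wire produces a single hit on the beneficiary through the alias, even though the name as typed differs in accent, case and punctuation. Before the list update, re-screening the customer book returns nothing; after it, an existing customer surfaces as a hit, which is exactly the "screening on updates to the SDN list, not just at onboarding" coverage examiners ask about.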

FinCEN Beneficial Ownership: Corporate Transparency Act

The Corporate Transparency Act (CTA) created a new FinCEN beneficial ownership registry separate from the CDD rule. While the CTA's BOI reporting requirements apply to the entities themselves (not banks), the registry creates a new data source for banks to verify beneficial ownership information collected during CDD.

Banks should monitor FinCEN guidance on how the BOI database integrates with existing CDD obligations. The CDD rule at 31 CFR § 1010.230 still requires banks to independently collect and verify beneficial ownership at account opening; the FinCEN registry supplements but does not replace this obligation.

What Examiners Actually Focus On

Based on recent examination trends documented in the FFIEC BSA/AML Examination Manual, the highest-priority areas include:

  • SAR decision documentation: Both file and no-file decisions must have a written rationale
  • CDD and beneficial ownership completeness: Missing or stale beneficial ownership data is an easy finding
  • Transaction monitoring tuning: Is the monitoring system calibrated to your bank's products and risk profile, or are you running default rules?
  • Board and management reporting: Examiners check whether the board receives meaningful BSA reporting, not just SAR counts, but risk assessments, program changes, and audit findings
  • OFAC screening coverage: Are all products covered? Are you screening on updates to the SDN list, not just at onboarding?

How Canarie Helps Community Banks Stay Exam-Ready

BSA/AML compliance generates a paper trail across dozens of obligations: CIP verification, CDD collection, SAR filings, CTR aggregation, OFAC screening, training records, audit findings, and board reporting. When examiners arrive, the question is whether you can produce evidence that each obligation was met, on time, every time.

Canarie maps BSA/AML policy requirements to executable tasks with built-in evidence capture. Each task records who completed it, when, and what documentation was attached. When your examiner asks for SAR filing timelines or CDD review records, you pull them from a single compliance execution platform instead of reconstructing them from email threads and shared drives.


Frequently Asked Questions

What are the five pillars of a BSA/AML compliance program?

The five pillars, codified under 31 CFR § 1020.210, are: (1) a system of internal controls, (2) independent testing, (3) a designated BSA compliance officer, (4) training for appropriate personnel, and (5) risk-based customer due diligence procedures including beneficial ownership. The fifth pillar was added by the 2018 CDD Final Rule.

How quickly must a SAR be filed after detecting suspicious activity?

SARs must be filed within 30 calendar days of initial detection. If no suspect is identified, the bank has an additional 30 days (60 days total) to identify a suspect before filing. Regardless, no SAR filing can be delayed more than 60 days after initial detection. The clock starts at detection, not at the date the transaction occurred.

Does the Corporate Transparency Act change banks' CDD obligations?

The CTA created a FinCEN beneficial ownership registry, but it does not eliminate banks' independent obligation to collect and verify beneficial ownership under 31 CFR § 1010.230. Banks must still collect beneficial ownership at account opening through their own CDD procedures. The registry may serve as a supplemental verification source once fully operational.

What triggers an OFAC blocking requirement versus a rejection?

A blocking requirement applies to transactions involving SDN list matches: the bank must freeze the funds and file a blocked property report with OFAC within 10 business days. A rejection applies to prohibited transactions under specific sanctions programs where blocking isn't required but the transaction cannot be processed. The distinction depends on the sanctions program involved and OFAC's specific directives for that program.
