verified_user
Standardful
Homechevron_rightStandardschevron_rightUS Bank Secrecy Act / AML
ActiveInternational Standardupdate Standard Updated: January 2021fact_check Fact checked: Jun 28, 2026

US Bank Secrecy Act / AML

Bank Secrecy Act (Currency and Foreign Transactions Reporting Act) — 31 U.S.C. 5311 et seq. and 31 CFR Chapter X

apartmentPublishing Organization:U.S. Financial Crimes Enforcement Network (FinCEN)

Standard Introduction

US Bank Secrecy Act / AML is an active standard published by U.S. Financial Crimes Enforcement Network (FinCEN). It is commonly used across Finance & Banking, Services, Technology, Retail and applies in United States.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with US Bank Secrecy Act / AML.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define US anti-money laundering compliance scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, data flows, and stakeholders covered by US Bank Secrecy Act / AML. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for BSA/AML program, customer due diligence, beneficial ownership where applicable, suspicious activity reporting, currency transaction reporting, sanctions interface, funds transfer records, risk assessment, training, independent testing, and board oversight.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected US anti-money laundering compliance approach. Review enterprise AML risk assessment, customer identification, CDD and EDD, transaction monitoring, SAR escalation, CTR filing, sanctions screening, record retention, model governance, training, independent testing, and issue remediation, then prioritize gaps by legal exposure, user or safety impact, customer commitments, operational dependency, reporting deadlines, and assurance readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain risk assessments, AML policies, CIP records, CDD files, screening logs, transaction alerts, SAR and CTR decisions, training records, independent testing reports, board minutes, regulator communications, and remediation plans as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, technical testing or independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs US Bank Secrecy Act / AML?

expand_more

US Bank Secrecy Act / AML is most relevant to financial institutions, money services businesses, broker-dealers, casinos, banks, fintechs, and other covered entities under FinCEN and prudential regulator rules. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, technical requirements, and the organization's role in the relevant ecosystem.

Is US Bank Secrecy Act / AML certifiable?

expand_more

The BSA/AML regime is a legal compliance obligation, not a certification. Covered institutions must maintain risk-based AML programs, reporting, recordkeeping, customer due diligence, and independent testing.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, assurance providers, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for US Bank Secrecy Act / AML?

expand_more

Useful evidence includes risk assessments, AML policies, CIP records, CDD files, screening logs, transaction alerts, SAR and CTR decisions, training records, independent testing reports, board minutes, regulator communications, and remediation plans. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, products, vendors, incidents, reporting cycles, customer commitments, technical standards, or assurance expectations change. Higher-risk obligations should have more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories