Anti-Money Laundering Compliance: Bank Secrecy Act and Fincen Rules

Money laundering as a crime involves knowingly conducting financial transactions to conceal the proceeds of illegal activity or to promote further crime. Federal statutes, principally 18 U.S.C. § 1956 and § 1957, make it an offense to launder the proceeds of specified unlawful activity, with serious penalties including imprisonment, fines, and forfeiture. The underlying crime generating the money, such as fraud, drug trafficking, or corruption, is separate, and laundering is the act of disguising those proceeds.

AML regulations exist largely to detect and deter this crime by requiring businesses to monitor and report. Because a money laundering charge is a serious financial crime that is fact-specific, the criminal side is distinct from the regulatory compliance obligations, though the two are closely connected.

AML compliance matters for businesses because regulated companies have legal duties to prevent and report laundering, and the consequences of non-compliance are significant. Covered businesses must maintain a compliance program, conduct due diligence on customers, monitor activity, and file required reports, and regulators examine them for compliance. Failures can lead to substantial civil penalties, enforcement actions, reputational harm, and in serious cases criminal exposure for the institution or individuals.

Beyond avoiding penalties, sound AML practices protect a business from being used to facilitate crime. Because AML compliance is a detailed and actively enforced obligation rather than an afterthought, treating it as a core responsibility is important for any business within its scope.

The Bank Secrecy Act and the USA PATRIOT Act are foundational to US AML law, each adding key obligations. The Bank Secrecy Act, the cornerstone statute, requires financial institutions to keep records and file reports, including currency transaction reports for large cash transactions and suspicious activity reports for potentially illicit activity. The USA PATRIOT Act, enacted after 2001, expanded AML requirements significantly, mandating customer identification programs, enhanced due diligence for certain accounts, and broader coverage to combat terrorist financing.

Together they form much of the backbone of AML compliance obligations for banking and financial institutions and other covered entities. Because these laws and their implementing regulations are detailed and have been amended over time, businesses should base their programs on the current requirements.

FinCEN, the Financial Crimes Enforcement Network, is the primary federal agency administering AML regulation in the United States. As a bureau of the Treasury Department, FinCEN issues and interprets AML regulations, collects reports such as suspicious activity reports and currency transaction reports, and shares financial intelligence with law enforcement. It also works with banking regulators and other agencies on enforcement and continues to modernize its rules, including ongoing efforts to update financial-institution AML/CFT program requirements around a risk-based approach.

For a covered business, FinCEN's rules and guidance define many of the day-to-day AML obligations. Because FinCEN's regulations evolve and it issues new guidance regularly, businesses should monitor its rules to keep their programs current, since a regulatory investigation can follow when obligations are not met.

Beneficial ownership reporting under the Corporate Transparency Act has changed significantly, and the current position is much narrower than when the law first took effect. Under current FinCEN guidance, entities created in the United States, previously known as domestic reporting companies, and their US beneficial owners are exempt from reporting beneficial ownership information to FinCEN, while certain foreign reporting companies that register to do business in the United States may still have reporting obligations on their own deadlines.

Because this area has changed through rulemaking and litigation, and FinCEN has indicated it may issue further rules, businesses should confirm the current FinCEN position before relying on older Corporate Transparency Act summaries. Confirming present requirements as part of corporate due diligence is especially important here, given how quickly this area has shifted.

The pillars of an AML compliance program are the core components regulators expect a covered business to have in place. They traditionally include internal controls and written policies and procedures, a designated compliance officer responsible for the program, an ongoing training program for relevant employees, and independent testing to audit the program's effectiveness. Customer due diligence, including understanding the nature and purpose of customer relationships and conducting ongoing monitoring, is also a required component.

Together these elements create a system to identify, manage, and report money-laundering risk, and they often sit within a broader corporate compliance framework. Because regulators assess whether each pillar is genuinely implemented and effective, a program that exists only on paper is not enough to satisfy AML requirements.

Know your customer and customer due diligence are the processes by which a business verifies who its customers are and assesses the risk they pose. KYC generally involves identifying and verifying a customer's identity at onboarding, while customer due diligence extends to understanding the customer's activity, monitoring transactions, beneficial ownership where required, and applying enhanced due diligence to higher-risk customers or relationships.

These processes help a business detect suspicious activity and avoid being used for laundering, and AML due diligence is required, in varying forms, of covered institutions. Because the depth of diligence should match the risk, a risk-based approach, with more scrutiny where risk is higher, is fundamental to an effective AML program.

Suspicious activity reports and currency transaction reports are two key filings that AML laws require, each serving a distinct purpose. A currency transaction report generally applies to cash transactions exceeding $10,000 in a day, providing authorities with a record of large cash movements, while a suspicious activity report depends on suspicious patterns or red flags rather than a simple dollar threshold and generally must be kept confidential from the customer.

These reports are a primary way the AML system surfaces potential crime and large cash flows. Because the timing, thresholds, and content of these reports are governed by specific rules, covered businesses must have processes to identify reportable activity and file accurately and on time.

A wide range of businesses are subject to AML rules, and the list has shifted as the framework has changed. Traditional covered entities include banks, credit unions, and other depository institutions, money services businesses such as money transmitters, broker-dealers and other securities firms, casinos, and certain insurance and lending businesses. Coverage of investment advisers should be described carefully: FinCEN postponed the effective date of the investment adviser AML rule to January 1, 2028, and has signaled it may further tailor the rule before then.

Whether a particular business is covered depends on what it does and the specific regulations in force, which makes confirming current status important. Because coverage can be nuanced and has been changing, a business uncertain about its obligations should verify whether and how AML rules apply to its activities under current law.

Crypto businesses should not be treated as one category, because not every crypto company automatically carries the same AML obligations. Under FinCEN guidance, persons acting as exchangers or administrators of convertible virtual currency may be money transmitters and money services businesses when they accept and transmit value, which brings AML program, reporting, and recordkeeping duties. Ordinary users of virtual currency are generally treated differently.

Whether a given crypto business is covered therefore depends on its specific activities rather than the label, and cryptocurrency regulation in this area continues to develop. Because the analysis is activity-based and evolving, a crypto or payments business should assess its status carefully against current FinCEN guidance.

AML and sanctions compliance are distinct but closely related, and many businesses must address both together. AML focuses on detecting and reporting money laundering, while economic sanctions, administered by the Office of Foreign Assets Control, prohibit dealings with designated countries, entities, and individuals. Both require screening customers and transactions, and a strong financial-crime program typically integrates the two, since the same monitoring and due diligence support each.

A failure in either can carry serious penalties, which is why OFAC sanctions compliance is often built alongside AML. Because sanctions and AML obligations overlap operationally but rest on different legal regimes, businesses generally address them as related parts of a broader financial-crime effort, and the underlying economic sanctions rules carry their own requirements.

Penalties for AML violations can be substantial and take several forms, depending on the nature and severity of the failure. Regulatory consequences can include civil monetary penalties, formal enforcement actions, and requirements to remediate compliance deficiencies, while serious or willful violations can lead to criminal charges against a business or responsible individuals. Beyond direct penalties, AML failures can cause significant reputational harm and business disruption.

Forfeiture of funds may also be involved, and asset seizure and forfeiture can accompany money-laundering enforcement. Because the level of financial crime penalties depends heavily on the facts and on evolving enforcement practice, specific figures should not be assumed, and exposure should be assessed against current law.

Anti-money laundering, or AML, is the set of laws, regulations, and practices designed to detect, prevent, and report money laundering and related financial crime. It requires certain businesses, especially financial institutions, to verify their customers, monitor transactions, and report suspicious or large cash activity to authorities. In the United States, the framework is built on the Bank Secrecy Act and later laws and is administered largely by FinCEN. The aim is both to stop criminals from disguising illicit funds as legitimate and to give law enforcement the information needed to investigate. For covered businesses, AML is a set of legal obligations requiring a compliance program, due diligence, and reporting, not an optional best practice.

AML is the overall legal and compliance framework for detecting and preventing money laundering, while KYC and CDD are components within it. KYC, know your customer, focuses on verifying who the customer is, typically by identifying and confirming identity at onboarding. CDD, customer due diligence, goes further by evaluating the customer relationship, expected activity, beneficial ownership where required, and ongoing risk over time, with enhanced due diligence applied to higher-risk customers. In short, AML is the broad framework, KYC verifies identity, and CDD assesses and monitors the relationship and its risk. All three work together, with KYC and CDD serving as building blocks of an effective AML program.

A business needs an AML program when it falls within a covered category under the Bank Secrecy Act or FinCEN rules, such as a bank, money services business, money transmitter, broker-dealer, casino, or other covered financial business. Whether a business is covered depends on its specific activities rather than its general industry label, so the same type of company may or may not be subject to AML rules depending on what it actually does. Because the categories have been expanding and some rules are evolving, a business that is unsure should confirm its status under current law. Being subject to AML brings significant program, due diligence, and reporting obligations, so identifying coverage early is important.

No, not every crypto company automatically has AML obligations, because the answer depends on the activity rather than simply being in the crypto industry. Under FinCEN guidance, crypto exchangers and administrators that accept and transmit convertible virtual currency may be treated as money transmitters and money services businesses, which brings AML program, reporting, and recordkeeping duties. Ordinary users of virtual currency are generally treated differently. So a crypto business must look at what it specifically does, such as whether it accepts and transmits value for others, to determine its status. Because this area is activity-based and still developing, confirming obligations against current FinCEN guidance is important for any crypto or payments business.

Failure to identify or file required suspicious activity reports or currency transaction reports can lead to serious consequences. These can include regulatory examinations, civil monetary penalties, remediation orders requiring the business to fix its program, and significant reputational harm, and in serious or willful cases, criminal exposure for the business or responsible individuals. Reporting failures are a common focus of AML enforcement because the reports are central to how the system detects laundering and large cash flows. Because the consequences can be severe and depend on the facts, a business that discovers reporting gaps should address them promptly, often with guidance, rather than waiting for a regulator to identify the problem.

AML and sanctions compliance are related but rest on different legal regimes and goals. AML focuses on detecting and reporting money laundering and is built on laws like the Bank Secrecy Act administered by FinCEN. Sanctions compliance, administered by the Office of Foreign Assets Control, prohibits dealings with designated countries, entities, and individuals. Both require screening customers and transactions, and businesses often integrate them into a single financial-crime compliance program because the underlying monitoring and due diligence overlap. A failure in either can bring serious penalties. So while AML and sanctions are distinct obligations, they are operationally connected and are usually managed together as parts of a broader compliance effort.