
AML BSA Compliance US: SEC & CFTC Requirements Guide


What is AML BSA Compliance in the United States (SEC/CFTC)?

Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) compliance in the United States is one of the most consequential regulatory obligations facing financial institutions, fintech platforms, broker-dealers, futures commission merchants, and digital asset businesses. The BSA and its implementing regulations establish the framework through which financial entities detect, prevent, and report activity that could facilitate money laundering, terrorist financing, or other financial crimes.

The Bank Secrecy Act, enacted in 1970 and codified at 31 U.S.C. §§ 5311–5336, requires covered financial institutions to maintain robust recordkeeping systems, file specific reports with the Financial Crimes Enforcement Network (FinCEN), and implement comprehensive internal controls. Within the securities and derivatives sectors, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) layer additional AML obligations on top of FinCEN's baseline requirements, creating a multi-regulator compliance environment that demands careful navigation.

For U.S. fintech companies, crypto asset platforms, registered investment advisers, broker-dealers, and swap dealers, understanding how BSA obligations intersect with SEC and CFTC rules is not optional: it is a precondition for operating lawfully in U.S. markets. Enforcement actions by FinCEN, the SEC, and the CFTC have produced penalties running into the hundreds of millions of dollars in recent years, underscoring the stakes involved.

Legal Requirements and Regulatory Framework

AML BSA compliance in the United States is governed by an interlocking web of statutes, regulations, and agency guidance. The primary legal instruments include:

  • Bank Secrecy Act (31 U.S.C. §§ 5311–5336): The foundational statute requiring financial institutions to assist government agencies in detecting and preventing money laundering. Implementing regulations are found at 31 C.F.R. Chapter X.
  • USA PATRIOT Act (2001): Significantly expanded BSA requirements, mandating Customer Identification Programs (CIP), enhanced due diligence for correspondent and private banking accounts, and information-sharing protocols under Section 314(a) and 314(b).
  • Anti-Money Laundering Act of 2020 (AMLA 2020): The most significant AML reform in decades, enacted as part of the National Defense Authorization Act for FY2021. It expanded whistleblower incentives and protections, increased penalties for repeat violators, created the Corporate Transparency Act beneficial ownership reporting regime, and directed FinCEN to publish national AML/CFT Priorities that covered institutions must incorporate into their programs.
  • SEC Rule 17a-8: Requires broker-dealers registered with the SEC to comply with the BSA's reporting and recordkeeping requirements, directly incorporating FinCEN's broker-dealer AML rules.
  • CFTC Regulation 42.2: Requires CFTC-regulated entities, including futures commission merchants (FCMs) and introducing brokers (IBs), to comply with applicable BSA regulations enforced by FinCEN.
  • FinCEN Regulations (31 C.F.R. Part 1023 for broker-dealers; Part 1026 for FCMs): Specify AML program requirements, Suspicious Activity Report (SAR) filing obligations, Currency Transaction Report (CTR) thresholds, and Customer Due Diligence (CDD) rules.

FINRA also plays a critical enforcement role for broker-dealers through FINRA Rule 3310, which sets minimum AML program standards and mandates independent testing, designated compliance officers, and ongoing training. The interplay between FinCEN, the SEC, the CFTC, and FINRA creates overlapping jurisdiction that compliance teams must address comprehensively.

Key Clauses and Requirements

A compliant AML program under U.S. BSA standards must address the following core elements. The first five are often called the Five Pillars of AML compliance; the remaining three are the identification and reporting obligations that sit alongside them:

  • Internal Policies, Procedures, and Controls: Written AML policies must be tailored to the institution's specific risk profile, products, services, customers, and geographic exposure. Generic templates do not satisfy regulatory expectations.
  • Designation of a Compliance Officer: A qualified AML compliance officer must be appointed with sufficient authority, resources, and independence to implement and oversee the program. For CFTC registrants, FinCEN and CFTC both expect demonstrated expertise.
  • Ongoing Employee Training: All relevant personnel — including front-office, operations, and senior management — must receive regular AML training covering red flags, reporting obligations, and escalation procedures.
  • Independent Testing and Auditing: AML programs must be tested periodically by an independent party (internal audit or external consultant) to assess adequacy and effectiveness. FINRA Rule 3310 requires annual independent testing for broker-dealers, or testing every two years for a firm that does not execute transactions for customers or otherwise hold customer accounts.
  • Customer Due Diligence (CDD) and Beneficial Ownership: FinCEN's CDD Rule (31 C.F.R. § 1010.230) requires covered institutions to identify and verify the beneficial owners of legal entity customers: each individual owning 25% or more of the equity interests (the ownership prong) plus one individual with significant control (the control prong). The Corporate Transparency Act created a separate Beneficial Ownership Information (BOI) reporting regime to FinCEN; note that FinCEN's March 2025 interim final rule limited that regime to foreign reporting companies. The CDD Rule's account-opening obligations are unaffected by that change.
  • Customer Identification Program (CIP): Institutions must verify customer identity at account opening using documentary or non-documentary methods, retain the identifying and verification records, and check customers against government lists of known or suspected terrorists (in practice, FinCEN 314(a) requests alongside OFAC sanctions screening).
  • Suspicious Activity Reporting (SARs): Broker-dealers must file a SAR for a transaction (or pattern of transactions) conducted or attempted by, at, or through the firm that involves or aggregates at least $5,000 and that the firm knows, suspects, or has reason to suspect is suspicious. FCMs and IBs have the same $5,000 threshold under 31 C.F.R. § 1026.320. A SAR must be filed within 30 calendar days of the initial detection of facts that may constitute a basis for filing; if no suspect is identified, the filer may delay up to an additional 30 days (60 days total) to identify one.
  • Currency Transaction Reports (CTRs): Currency transactions of more than $10,000 must be reported to FinCEN. Multiple currency transactions by or on behalf of the same person on the same business day are aggregated, with cash in and cash out totaled separately, where the institution has knowledge that they are conducted by or on behalf of that person.

Step-by-Step Process for Building an AML BSA Compliance Program

For founders launching fintech platforms, broker-dealers, FCMs, or digital asset businesses subject to SEC or CFTC oversight, the following process provides a practical roadmap:

  • Step 1 — Conduct a Risk Assessment: Before drafting any policies, perform a documented institutional risk assessment evaluating your customer base, products, delivery channels, and geographic risks. This assessment drives the risk-based calibration of your entire program and is the first document regulators will request in an examination.
  • Step 2 — Draft Written AML Policies and Procedures: Develop written policies that address each BSA/AML requirement applicable to your registration category. For SEC-registered broker-dealers, this means complying with 31 C.F.R. Part 1023. For CFTC-regulated FCMs, 31 C.F.R. Part 1026 governs. Ensure policies are living documents with version control.
  • Step 3 — Implement CIP and CDD Procedures: Build onboarding workflows that collect required identifying information (name, date of birth, address, identification number), verify identity against reliable sources, screen against OFAC's SDN List and FinCEN's 314(a) requests, and document beneficial ownership for legal entity customers.
  • Step 4 — Deploy Transaction Monitoring: Implement automated or manual transaction monitoring systems calibrated to your risk assessment. Define red flag scenarios specific to your business model — for AML program US fintech companies, this includes structuring patterns, rapid fund movements, and inconsistent transaction profiles.
  • Step 5 — Establish SAR and CTR Filing Workflows: Create clear escalation and decision-making processes for SAR determinations. Document the rationale for both filing and non-filing decisions. Establish quality control reviews before submission to FinCEN's BSA E-Filing System.
  • Step 6 — Appoint and Empower the AML Compliance Officer: Formally designate a qualified AML officer in writing. Ensure this individual has direct board or senior management access, an adequate budget, and authority to escalate concerns without retaliation risk.
  • Step 7 — Train All Relevant Staff: Deploy role-specific training at onboarding and annually thereafter. Maintain training completion records. Front-office personnel, customer service teams, and technology staff all require tailored content.
  • Step 8 — Schedule Independent Testing: Engage qualified internal auditors or third-party AML consultants to conduct independent program testing. Address findings promptly and document remediation actions. Regulators evaluate the timeliness and thoroughness of your response to audit findings.
  • Step 9 — Maintain Records: The CIP rule requires retention of a customer's identifying information for five years after the account is closed, and of the verification records for five years after they are made. SARs and their supporting documentation must be retained for five years from the filing date. Build document retention systems that are audit-ready at all times.

Common Mistakes to Avoid

Even sophisticated institutions frequently make preventable AML compliance errors. The following represent the most common — and most costly — pitfalls observed in SEC and CFTC enforcement actions:

  • Treating AML as a One-Time Setup: AML programs must evolve with your business. Failing to update policies when launching new products, entering new markets, or changing customer segments is a recurring enforcement theme. FinCEN and FINRA expect dynamic, risk-responsive programs.
  • Inadequate Beneficial Ownership Collection: Many firms still fail to collect and verify beneficial ownership for legal entity customers at account opening, as the CDD Rule has required since 2018. That obligation is independent of the Corporate Transparency Act's BOI registry (which FinCEN narrowed to foreign reporting companies in 2025) and remains a routine examination finding; since AMLA 2020, beneficial ownership failures also carry heightened civil and criminal exposure.
  • SAR Filing Delays and Documentation Failures: Missing the 30-day SAR filing deadline or failing to document the SAR decision-making process — including why a SAR was not filed in borderline cases — is a primary examination finding. Maintain thorough SAR decision logs.
  • Relying on Generic, Off-the-Shelf AML Policies: Regulators consistently criticize cookie-cutter AML programs that are not tailored to institutional risk. Generic policies signal that senior management has not genuinely committed to compliance.
  • Insufficient Transaction Monitoring Calibration: Deploying monitoring systems with default thresholds that are never adjusted for your specific business model generates excessive false positives, alert fatigue, and missed genuine red flags. Annual tuning and validation of monitoring rules is a regulatory expectation.
  • Ignoring FinCEN's AML/CFT Priorities: Following AMLA 2020, FinCEN published its first-ever national AML/CFT Priorities in June 2021, identifying corruption, cybercrime, domestic and foreign terrorist financing, fraud, transnational crime, drug trafficking, human trafficking, and proliferation financing as top concerns. Programs must demonstrably address applicable priorities.

Frequently Asked Questions

Does the Bank Secrecy Act apply to SEC-registered investment advisers?

In August 2024 FinCEN finalized a rule adding SEC-registered investment advisers (RIAs) and exempt reporting advisers (ERAs) to the BSA's definition of "financial institution," requiring them to establish AML/CFT programs, file SARs, comply with the Recordkeeping and Travel Rule, and participate in Section 314 information sharing, with a stated effective date of January 1, 2026. The final rule did not impose CIP or beneficial-ownership CDD obligations; those were left to separate rulemakings, including a joint SEC–FinCEN CIP proposal issued in May 2024. FinCEN has since announced its intention to postpone the effective date, so confirm the current compliance date before fixing a project timeline. Advisers should nonetheless treat program design, SAR workflows, and transaction monitoring as work that needs to start now.

What are the AML obligations for crypto and digital asset platforms under CFTC jurisdiction?

Among CFTC registrants, futures commission merchants and introducing brokers dealing in crypto derivatives are subject to the BSA AML program, SAR, and CDD requirements in 31 C.F.R. Part 1026, and CFTC Regulation 42.2 requires them to comply. Swap dealers and retail foreign exchange dealers are not currently covered by a FinCEN AML program rule of their own, although they may fall within the BSA through another registration they hold. Separately, FinCEN's 2013 guidance (FIN-2013-G001), updated in 2019 (FIN-2019-G001), treats persons that exchange or administer convertible virtual currency as money services businesses (MSBs) with their own AML program, SAR, and registration obligations. Many crypto platforms hold a CFTC registration and MSB status at the same time, which layers the obligations. Fintech and crypto businesses must carefully map every applicable framework and build a unified compliance architecture rather than separate silos.

How does FINRA enforce AML BSA compliance for broker-dealers?

FINRA enforces BSA compliance for broker-dealers primarily through FINRA Rule 3310 and its examination authority. FINRA conducts routine AML examinations, reviews SAR filing practices, tests transaction monitoring systems, and assesses training programs. FINRA can impose fines, suspensions, and bars on firms and individuals, and can refer matters to FinCEN or the SEC for additional enforcement action. FINRA's disciplinary actions are published, and its annual Regulatory Oversight Report summarizes recurring AML examination findings, which together provide valuable guidance on current regulatory expectations.

What is the difference between a SAR and a CTR under BSA compliance US requirements?

A Currency Transaction Report (CTR) is a mandatory, objective report filed for any currency transaction (or same-day aggregate) exceeding $10,000, regardless of whether the activity looks suspicious; it is purely threshold-based and is due within 15 calendar days of the transaction. A Suspicious Activity Report (SAR) is filed on a judgment-based determination that a transaction involving or aggregating at least $5,000 (for broker-dealers, FCMs, and IBs) involves funds derived from illegal activity, is designed to evade BSA requirements, has no business or apparent lawful purpose, or involves the use of the firm to facilitate criminal activity; it is due within 30 days of initial detection, extendable to 60 days where no suspect is identified. SARs are confidential: disclosing a SAR, or even its existence, to the subject or anyone else outside the permitted channels violates the BSA's anti-tipping-off provisions. Both reports go to FinCEN through the BSA E-Filing System, but they serve distinct functions and have separate filing timelines and standards.

What penalties apply for BSA AML compliance failures?

Civil penalties under 31 U.S.C. § 5321 for willful violations are the greater of the amount involved in the transaction (capped at $100,000) or $25,000 per violation, and AML program failures under § 5318(h) can be assessed for each day the violation continues; negligent violations carry a fixed penalty per violation, with a larger amount for a pattern of negligence. These statutory base amounts are adjusted for inflation each year. Criminal penalties under 31 U.S.C. § 5322 reach $250,000 and five years' imprisonment for a willful violation, rising to $500,000 and ten years where the violation is part of a pattern of illegal activity involving more than $100,000 in a 12-month period or is committed while violating another U.S. law. The SEC and the CFTC impose their own civil penalties under the Securities Exchange Act and the Commodity Exchange Act for breaches of Rule 17a-8 and Regulation 42.2 respectively, and FINRA fines broker-dealers under Rule 3310. Recent landmark enforcement actions, including multi-hundred-million-dollar settlements with major financial institutions, show that regulators treat AML failures as existential compliance risks, not technical deficiencies.


Disclaimer: BizLegal-AI produces regulatory intelligence and working drafts. It is not legal, financial, or tax advice. Consult qualified counsel for specific situations.