Key Takeaways
| # | Takeaway |
|---|---|
| 1 | The Bank Secrecy Act (BSA) requires financial institutions to maintain AML compliance programs built on five foundational pillars. |
| 2 | The five pillars are: (1) Internal Controls, (2) BSA/AML Compliance Officer, (3) Employee Training, (4) Independent Testing, and (5) Customer Due Diligence (CDD). |
| 3 | The CDD pillar was added in May 2018 under FinCEN’s Customer Due Diligence Rule, expanding the original four-pillar framework. |
| 4 | FinCEN’s 2024 proposed rule may add a sixth pillar: a mandatory, codified risk assessment process that serves as the foundation of the entire AML/CFT program. |
| 5 | Each pillar must be risk-based. A one-size-fits-all approach fails regulatory examination. Tailor controls, training, and testing frequency to your institution’s specific risk profile. |
| 6 | Non-compliance penalties are severe: the Anti-Money Laundering Act of 2020 (AMLA) increased fines up to $1 million per violation and introduced potential prison terms. |
| 7 | From 2028, Registered Investment Advisors (RIAs) will be classified as financial institutions under the BSA, bringing a new wave of firms into the AML compliance net. |
The Bank Secrecy Act: Foundation of AML Compliance in the United States
The Bank Secrecy Act (BSA), enacted in 1970, is the cornerstone of U.S. anti-money laundering (AML) law. The BSA requires financial institutions to keep records, file reports, and implement programs that help detect and prevent money laundering, terrorist financing, and other financial crimes.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, administers and enforces BSA regulations. Other agencies, including the OCC, FDIC, Federal Reserve, NCUA, and SEC, also examine institutions against BSA requirements depending on the institution type.
At its core, the BSA imposes three reporting obligations on financial institutions: file Currency Transaction Reports (CTRs) when daily cash transactions exceed $10,000, submit Suspicious Activity Reports (SARs) when transactions suggest money laundering or fraud, and maintain records of cash purchases of negotiable instruments. These reporting obligations sit alongside the five structural pillars that every AML compliance program must implement.
Understanding BSA/AML compliance is essential not only in financial services but across any industry that handles financial transactions, from banks and credit unions to casinos, money service businesses (MSBs), and, soon, registered investment advisors. From a compliance risk management perspective, the five pillars provide the structural framework that regulators examine during every BSA audit.
The Five Pillars at a Glance
| Pillar | Name | Core Requirement | Key Regulatory Source |
|---|---|---|---|
| 1 | Internal Controls | Establish policies, procedures, and systems to detect, monitor, and report suspicious activity aligned to the institution’s risk profile | BSA / FFIEC Examination Manual |
| 2 | BSA/AML Compliance Officer | Designate a qualified individual with authority, independence, and resources to coordinate day-to-day BSA/AML compliance | BSA / FINRA Rule 3310 |
| 3 | Employee Training | Provide ongoing, role-specific training so all relevant personnel can identify and report suspicious activity | BSA / FFIEC Examination Manual |
| 4 | Independent Testing | Conduct periodic independent reviews (audit) of the AML program to assess effectiveness and identify deficiencies | BSA / FFIEC Examination Manual |
| 5 | Customer Due Diligence (CDD) | Identify and verify customer identities, identify beneficial owners of legal entities, understand the nature of customer relationships, and monitor transactions | FinCEN CDD Rule (2018) / BSA |
Each pillar reinforces the others. Internal controls without training are ineffective. Training without independent testing goes unchecked. CDD without internal controls produces data that nobody acts on. The pillars must operate as an integrated system, not a checklist of isolated activities.
Pillar 1: Internal Controls
Internal controls form the operational backbone of the AML program. These are the policies, procedures, processes, and systems that ensure the institution detects, monitors, and reports financial crime in compliance with BSA regulations.
| Internal Control Component | Description | Examples |
|---|---|---|
| Policies and Procedures | Written guidelines that define how the institution detects and reports suspicious activity | Transaction monitoring procedures; SAR filing protocols; CTR filing thresholds |
| Risk Assessment | Identification and evaluation of the institution’s money laundering and terrorist financing risks across customers, products, services, and geographies | Annual ML/TF risk assessment; country-risk scoring; product-risk classification |
| Transaction Monitoring | Systems and processes that flag unusual or suspicious transaction patterns | Automated transaction monitoring software; rule-based alerts; threshold monitoring |
| Record Keeping | Maintenance of accurate records of transactions, customer identification, and reports filed | CTR archives; SAR filing logs; CDD documentation; beneficial-ownership records |
| Board Oversight | Regular reporting to the Board of Directors on BSA/AML program status, risk assessment findings, and audit results | Quarterly BSA reports to the Board; risk-committee briefings |
| Escalation Procedures | Defined pathways to escalate suspicious activity from front-line staff to the compliance team and, ultimately, to FinCEN via SAR filing | Escalation matrix; SAR referral workflow; case-management system |
Internal controls must be risk-based. An institution with high-volume cash transactions, international wire transfers, or customers in high-risk jurisdictions needs more robust monitoring rules and lower alert thresholds than a community bank with a low-risk customer base.
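As an added illustration (not code from the original article), the following Python sketch shows two of the rule-based monitoring checks described above: CTR aggregation at the $10,000 daily threshold, and a structuring look-back whose sensitivity is set by customer risk tier. The tier names, look-back lengths and sample transactions are assumed values constructed for the example, not regulatory figures.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# BSA CTR trigger: aggregated currency transactions exceeding $10,000 in one business day.
CTR_THRESHOLD = 10_000.0

# Look-back window (days) for structuring review, by customer risk tier. These tier
# names and day counts are assumed calibration values for illustration only; a
# higher-risk customer gets a longer look-back, i.e. a more sensitive rule.
STRUCTURING_WINDOW_DAYS = {"low": 2, "medium": 3, "high": 7}


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    day: date
    amount: float  # cash deposited or withdrawn, in USD


def daily_cash_totals(txns):
    """Aggregate cash per (customer, day): several small deposits on one day count
    together for CTR purposes."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.customer_id, t.day)] += t.amount
    return dict(totals)


def ctr_candidates(txns):
    """(customer, day, total) for each customer-day whose aggregated cash exceeds $10,000."""
    return sorted((c, d, total) for (c, d), total in daily_cash_totals(txns).items()
                  if total > CTR_THRESHOLD)


def structuring_alerts(txns, risk_tier):
    """Flag customers whose cash stays at or under the CTR threshold on every single day
    but exceeds it when summed over their risk-tier look-back window (a structuring red
    flag). Returns one (customer, window_start_day, window_total) per flagged customer."""
    per_customer = defaultdict(dict)
    for (c, d), total in daily_cash_totals(txns).items():
        per_customer[c][d] = total
    alerts = []
    for cust, by_day in per_customer.items():
        window_days = STRUCTURING_WINDOW_DAYS[risk_tier.get(cust, "medium")]
        days = sorted(by_day)
        for start in days:
            window = [d for d in days if 0 <= (d - start).days < window_days]
            if len(window) < 2:
                continue  # one day is a CTR question, not a multi-day pattern
            if any(by_day[d] > CTR_THRESHOLD for d in window):
                continue  # a day over the threshold is already reportable via CTR
            total = sum(by_day[d] for d in window)
            if total > CTR_THRESHOLD:
                alerts.append((cust, start, round(total, 2)))
                break  # one alert per customer is enough to open a case for review
    return sorted(alerts)


# Constructed sample data (not real transactions).
SAMPLE_TXNS = [
    CashTxn("A", date(2024, 3, 1), 6_000), CashTxn("A", date(2024, 3, 1), 5_000),  # same-day CTR
    CashTxn("B", date(2024, 3, 1), 4_000), CashTxn("B", date(2024, 3, 5), 4_000),
    CashTxn("B", date(2024, 3, 7), 4_000),  # spread over a week, every day under the line
    CashTxn("C", date(2024, 3, 2), 9_900), CashTxn("C", date(2024, 3, 3), 9_900),  # back-to-back
    CashTxn("D", date(2024, 3, 4), 12_000),  # single reportable deposit
]
RISK_TIER = {"B": "high", "C": "medium"}  # customers not listed default to "medium"

if __name__ == "__main__":
    print("CTR candidates:", ctr_candidates(SAMPLE_TXNS))
    print("Structuring alerts:", structuring_alerts(SAMPLE_TXNS, RISK_TIER))
```

Customer B is only caught under the "high" tier's seven-day look-back; re-running with B rated "low" produces no alert for B, which is the calibration effect the paragraph describes.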
The FFIEC BSA/AML Examination Manual, available from FinCEN, provides detailed guidance on calibrating controls to risk. Our guide on internal controls and risk management explores this topic in depth.
Pillar 2: BSA/AML Compliance Officer
The Board of Directors must designate a qualified individual as the BSA/AML Compliance Officer. This person coordinates and monitors the institution’s day-to-day compliance with BSA regulations and serves as the primary liaison with regulators, auditors, and law enforcement.
| Responsibility | Description |
|---|---|
| Program oversight | Coordinate all five pillars; ensure the AML program operates as designed and remains current with regulatory changes |
| Policy development | Draft and maintain BSA/AML policies and procedures; ensure alignment with the institution’s risk assessment |
| Regulatory liaison | Communicate with FinCEN, examiners, auditors, and law-enforcement agencies; manage examination responses |
| SAR and CTR oversight | Review and approve SAR and CTR filings; ensure filings are timely, accurate, and complete |
| Training coordination | Ensure all employees receive appropriate, role-specific BSA/AML training on schedule |
| Risk assessment leadership | Lead or oversee the annual ML/TF risk assessment; present findings and recommendations to the Board |
| Issue remediation | Track audit and examination findings; ensure corrective actions are implemented and closed on time |
| Regulatory awareness | Monitor regulatory developments (FinCEN advisories, OFAC updates, AMLA requirements) and update the program accordingly |
The compliance officer must have sufficient authority, independence, and resources. Regulators examine these three factors during every BSA audit. An underfunded or overridden compliance officer is a red flag.
The Board retains ultimate accountability, but the officer runs the program day to day. FinCEN’s 2024 proposed rule would formally rename this role to “AML/CFT Officer.”
Learn how this role connects to broader governance in our Three Lines Model guide. The compliance officer typically sits in the second line of defense.
Pillar 3: Employee Training
Every employee whose duties touch BSA/AML compliance must receive training, including front-line staff, operations, management, and the Board of Directors. Training must be ongoing, role-specific, and documented.
| Training Element | Requirement | Best Practice |
|---|---|---|
| Timing | Upon hire and at least annually thereafter | Supplement annual training with ad-hoc sessions after regulatory changes or internal incidents |
| Content | BSA/AML fundamentals; institution-specific policies; red-flag indicators; SAR and CTR obligations; OFAC screening requirements | Customize scenarios to the institution’s products, services, customer types, and geographic risk profile |
| Audience | All relevant personnel: tellers, customer-service representatives, loan officers, operations staff, compliance team, senior management, Board members | Tailor depth and focus by role; front-line staff need transaction-level red flags; the Board needs strategic compliance updates |
| Documentation | Maintain records of training dates, attendees, and content covered | Use a learning management system (LMS) to track completion and produce audit-ready reports |
| Assessment | Regulators expect evidence that employees understand the material, not just attendance | Include quizzes or knowledge checks; track pass rates; remediate low performers |
| Updates | Training content must reflect current regulations, FinCEN advisories, and institution-specific risk assessment findings | Review and refresh training materials at least annually; incorporate lessons from recent SARs, exam findings, and industry typologies |
Training is not a compliance checkbox. A well-trained front-line employee is your first sensor. If tellers and customer-service staff cannot recognize structuring, unusual wire patterns, or identity-verification red flags, your transaction-monitoring systems become the last line of defense instead of a backstop. Our compliance risk assessment guide covers how to embed training into a broader compliance framework.
Pillar 4: Independent Testing
Independent testing provides an objective, external (or functionally independent internal) assessment of the AML program’s design and operating effectiveness. Think of independent testing as the third-line assurance function applied specifically to BSA/AML compliance.
| Testing Element | Requirement | Key Considerations |
|---|---|---|
| Independence | The tester must be independent of the AML program’s day-to-day operations | Testers cannot be involved in AML training, policy development, or SAR filing; external firms or internal audit departments that do not report to the compliance officer qualify |
| Scope | Review all five pillars: internal controls, compliance officer effectiveness, training adequacy, CDD procedures, and the risk assessment | Include transaction testing (sample SARs, CTRs, CDD files); policy review; system-effectiveness testing; OFAC screening validation |
| Frequency | At least annually; more frequently (semi-annually or quarterly) if the institution is high-risk | Regulators assess frequency against the institution’s risk profile; high-risk MSBs and international-remittance providers often require more frequent testing |
| Risk Assessment | The tester should prepare or validate a risk assessment as part of the engagement | The risk assessment informs both the scope of testing and the institution’s overall risk classification (low, medium, high) |
| Reporting | Testing results must be shared with the Board of Directors and senior management | Reports should include findings, risk ratings, and actionable recommendations with remediation deadlines |
| Remediation Tracking | Deficiencies identified must be tracked to closure | Use an issues-and-actions register with named owners, due dates, and evidence-of-closure requirements |
FinCEN’s 2024 proposed rule would tighten independence requirements, explicitly prohibiting testers from performing functions that create a conflict of interest. Institutions that currently use internal staff with dual roles should plan to separate these functions. See our risk assessment policy guide to understand how independent testing connects to the broader ERM lifecycle.
Pillar 5: Customer Due Diligence (CDD)
The CDD pillar, added in May 2018 under FinCEN’s Customer Due Diligence Rule, formalized requirements that many institutions already practiced. The rule imposes four core obligations.
| CDD Obligation | Description | Risk Management Link |
|---|---|---|
| 1. Identify and verify the customer | Collect and verify the identity of each individual or entity opening an account (Know Your Customer / KYC) | Prevents anonymous account opening; creates an audit trail linked to the customer’s verified identity |
| 2. Identify and verify beneficial owners | Identify each individual who owns 25% or more of a legal-entity customer and one individual who controls the entity | Unmasks shell companies and layered ownership structures used to obscure illicit fund flows |
| 3. Understand the nature and purpose of the relationship | Document the expected account activity: transaction types, volumes, geographies, and business purpose | Establishes a baseline against which unusual activity can be detected by transaction-monitoring systems |
| 4. Conduct ongoing monitoring | Continuously monitor transactions to identify suspicious activity; update customer information as risks change | Ensures CDD is not a one-time event but a living process that reflects evolving customer behavior and risk |
CDD is where AML compliance meets risk assessment at the individual-customer level. A risk-based CDD approach applies enhanced due diligence (EDD) to high-risk customers (politically exposed persons, cash-intensive businesses, customers in high-risk jurisdictions) and simplified due diligence to low-risk relationships. This tiering mirrors the concept of risk tolerance thresholds applied to customer risk categories.
The Emerging Sixth Pillar: Codified Risk Assessment
In June 2024, FinCEN proposed a rule to “strengthen and modernize” AML/CFT programs. If finalized, this rule would codify a mandatory risk assessment process as the foundation of every AML/CFT program, effectively creating a sixth pillar.
The risk assessment has always been a regulatory expectation, but this proposed rule would make the requirement explicit and legally binding.
Under the proposed rule, financial institutions would need to: determine and analyze their money laundering and terrorist financing risks, reasonably manage and reduce those risks, and incorporate FinCEN’s AML/CFT priorities (cybercrime, human trafficking, corruption, proliferation financing) into their risk-based programs.
The proposed rule would also require internal controls to be tied directly to risk assessment findings and would update the compliance officer’s title to “AML/CFT Officer.”
Organizations should not wait. Building a documented, dynamic risk assessment process now positions your institution ahead of the final rule and demonstrates proactive governance to examiners. Our enterprise risk management framework guide and risk assessment matrix guide provide the methodology you can adapt to AML/CFT risk assessment.
Eight Common Pitfalls in BSA/AML Compliance Programs
| # | Pitfall | Regulatory Consequence | Fix |
|---|---|---|---|
| 1 | Generic, off-the-shelf policies not tailored to the institution’s risk profile | Examiner finding: “Internal controls do not reflect the institution’s risk assessment” | Customize policies to your products, services, customer types, geographies, and transaction volumes |
| 2 | Compliance officer lacks authority or resources | Examiner finding: “BSA officer does not have sufficient independence”; MRA or MRIA issued | Ensure Board-level mandate, direct reporting line, adequate budget, and access to systems and data |
| 3 | Training is attendance-only with no knowledge assessment | Examiner finding: “Training program does not demonstrate employee comprehension” | Add quizzes, scenario exercises, and pass-rate tracking; document remediation of low performers |
| 4 | Independent testing performed by someone with a conflict of interest | Examiner finding: “Independent testing lacks objectivity” | Engage external firms or internal auditors with no involvement in AML program operations |
| 5 | CDD is treated as a one-time onboarding event | Examiner finding: “Ongoing monitoring is inadequate” | Implement risk-based ongoing monitoring; trigger periodic CDD refreshes based on customer risk tier |
| 6 | Risk assessment is static and not updated after material changes | Examiner finding: “Risk assessment does not reflect current risk environment” | Update the risk assessment annually and after product launches, geographic expansion, or regulatory changes |
| 7 | SAR filing is untimely or incomplete | FinCEN enforcement action; civil money penalties | Establish SAR filing workflows with 30-day deadlines, quality-review checkpoints, and escalation procedures |
| 8 | Board of Directors is not engaged | Examiner finding: “Board oversight of BSA/AML compliance is deficient” | Provide quarterly BSA reports to the Board; include risk assessment findings, SAR statistics, audit results, and remediation status |
90-Day Roadmap: Strengthening Your BSA/AML Compliance Program
| Phase | Timeline | Actions | Owner | Deliverable |
|---|---|---|---|---|
| Phase 1: Risk Assessment & Gap Analysis | Days 1–30 | Conduct or update the ML/TF risk assessment across customers, products, services, and geographies; benchmark current program against all five pillars; identify gaps using the FFIEC BSA/AML Examination Manual as the standard | BSA/AML Officer / Internal Audit | Updated risk assessment; gap analysis report |
| Phase 2: Controls & Policy Update | Days 31–60 | Close priority gaps in internal controls; update policies and procedures to reflect current risk profile; configure or recalibrate transaction-monitoring rules; verify CDD and beneficial-ownership procedures are current | BSA/AML Officer / IT / Operations | Updated policy manual; recalibrated monitoring rules; CDD procedure refresh |
| Phase 3: Training & Communication | Days 61–75 | Deliver refreshed, risk-based training to all relevant personnel; update Board briefing materials; communicate program changes organization-wide | BSA/AML Officer / HR | Training records; Board briefing deck; communication log |
| Phase 4: Test & Report | Days 76–90 | Engage independent tester to assess program effectiveness; present findings to the Board; track remediation actions; schedule next annual independent test and risk assessment cycle | BSA/AML Officer / Independent Tester / Board | Independent test report; Board presentation; remediation tracker; annual calendar |
The Future of BSA/AML Compliance
Codified Risk Assessment. FinCEN’s proposed sixth pillar will require documented, dynamic risk assessments tied directly to AML/CFT program design. Institutions should begin building this process now rather than waiting. Our risk assessment process guide provides the methodology.
Expansion to Investment Advisors. From January 1, 2028, SEC-registered RIAs will be classified as financial institutions under the BSA, bringing AML compliance obligations to a sector that previously operated without them. RIAs should start gap analysis and program design now.
Digital Assets and Stablecoins. The 2025 GENIUS Act introduced the first federal regulatory framework for stablecoins. Financial institutions must incorporate digital-asset risks into their BSA/AML risk assessments, transaction monitoring, and CDD processes as this asset class matures.
AI-Powered Transaction Monitoring. AI and machine learning are transforming transaction monitoring, enabling institutions to detect complex patterns that rule-based systems miss. But AI also introduces model-risk and explainability challenges. Institutions must balance innovation with governance. See our guide on AI risk assessment frameworks.
Build a Stronger AML Program Today
You now have the five pillars, the emerging sixth, and a practical roadmap. Explore these riskpublishing.com resources: Compliance Risk Assessment Guide • Enterprise Risk Management Framework • Risk Assessment Policy Guide • Risk Assessment Matrix • Three Lines Model.
Frequently Asked Questions
What are the 5 pillars of BSA/AML compliance?
The five pillars are: (1) Internal Controls – policies, procedures, and systems to detect and report suspicious activity; (2) BSA/AML Compliance Officer – a designated individual with authority to manage the program; (3) Employee Training – ongoing, role-specific AML training; (4) Independent Testing – periodic independent review of program effectiveness; and (5) Customer Due Diligence (CDD) – identity verification, beneficial-ownership identification, and ongoing transaction monitoring.
When was the fifth pillar added?
FinCEN’s Customer Due Diligence (CDD) Rule became effective in May 2018, formally adding CDD as the fifth pillar. Before 2018, the BSA framework had four pillars.
Is a sixth pillar coming?
FinCEN’s June 2024 proposed rule would codify a mandatory risk assessment process as the foundation of every AML/CFT program. If finalized, this would effectively create a sixth pillar. Institutions should begin preparing now.
What are the penalties for BSA/AML non-compliance?
The Anti-Money Laundering Act of 2020 (AMLA) increased penalties significantly. Financial institutions and individuals face civil money penalties up to $1 million per violation, potential criminal prosecution, consent orders, cease-and-desist orders, and severe reputational damage.
Who enforces BSA/AML compliance?
FinCEN is the primary administrator of BSA regulations. Examination and enforcement are carried out by the institution’s primary federal regulator: OCC (national banks), FDIC (state non-member banks), Federal Reserve (state member banks), NCUA (credit unions), SEC (broker-dealers and, from 2028, RIAs), and state regulators (MSBs and state-chartered institutions).
References
2. FinCEN – Customer Due Diligence Final Rule
3. FinCEN – Proposed Rule to Strengthen AML/CFT Programs (2024)
4. FFIEC BSA/AML Examination Manual
5. FINRA Rule 3310 – Anti-Money Laundering Compliance Program
6. Anti-Money Laundering Act of 2020 (AMLA)
7. ISO 31000:2018 – Risk Management Guidelines
8. COSO ERM – Integrating with Strategy and Performance (2017)
9. IIA Three Lines Model (2020)
10. NIST Cybersecurity Framework 2.0
11. FATF – International Standards on Combating Money Laundering
12. US Treasury – Office of Foreign Assets Control (OFAC)
13. IRM – Institute of Risk Management
14. GENIUS Act 2025 – Stablecoin Regulatory Framework

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.