BSA Bank Secrecy Act Audit Obligations

The Bank Secrecy Act establishes a framework of recordkeeping, reporting, and program requirements that apply to banks, credit unions, money services businesses, and a range of other financial institutions operating in the United States. Compliance with BSA obligations is subject to mandatory independent testing — commonly called a BSA audit — which examines whether an institution's anti-money laundering controls are functioning as designed. Regulators treat deficiencies in BSA audit programs as independent violations, separate from any underlying recordkeeping failures, making the audit function a standalone compliance obligation rather than a secondary review process.

Definition and scope

The Bank Secrecy Act (31 U.S.C. §§ 5311–5336), enacted in 1970 and administered jointly by the Financial Crimes Enforcement Network (FinCEN) and the federal prudential regulators, requires covered financial institutions to maintain anti-money laundering (AML) programs built on four mandatory pillars: internal controls, independent testing, a designated compliance officer, and ongoing training. The independent testing pillar is the BSA audit obligation.

FinCEN's implementing regulations at 31 C.F.R. Part 1020 specify that the independent testing function must be conducted by qualified personnel who are not responsible for operating the BSA/AML program. For depository institutions, the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual provides the primary supervisory benchmark that examiners use when assessing whether an institution's audit meets regulatory expectations.

Scope of the obligation extends across all product lines, business units, and geographic locations subject to BSA requirements. Institutions covered include national banks, state member banks, savings associations, credit unions (examined by the National Credit Union Administration), broker-dealers (subject to FINRA oversight), and money services businesses registered with FinCEN. The breadth of BSA coverage means anti-money laundering audit requirements often overlap with institution-specific examination frameworks such as those described in FDIC audit requirements for banks.

How it works

A BSA audit proceeds through a structured sequence of phases that mirror the broader principles of risk-based auditing in financial services:

  1. Audit scope determination. The auditor defines which BSA program elements, transaction monitoring systems, and reporting functions will be tested. Scope is driven by a risk assessment that weights factors such as customer types, geographic exposure, and product complexity.
  2. Policy and procedure review. Written AML policies are evaluated against current FinCEN guidance and FFIEC Manual standards to confirm regulatory alignment.
  3. Transaction testing. A sample of Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs), and exempt-entity designations is pulled and evaluated for accuracy, timeliness, and completeness. FinCEN requires CTRs to be filed within 15 calendar days of the triggering transaction (31 C.F.R. § 1010.306).
  4. Customer Due Diligence (CDD) review. Following the 2016 FinCEN CDD Rule (31 C.F.R. § 1010.230), auditors verify that beneficial ownership information for legal entity customers is collected at the 25% ownership threshold and that ongoing monitoring procedures are documented.
  5. Training program assessment. Adequacy and frequency of BSA training for relevant staff are confirmed against internal training records.
  6. Findings and reporting. Results are documented in a formal audit report delivered to the board of directors or a designated audit committee, which is itself a supervisory expectation under the FFIEC Manual.

The audit must be conducted with sufficient frequency to detect emerging risks. While no universal statutory interval is mandated for all institution types, the FFIEC Examination Manual indicates that most institutions should complete independent testing on at least an annual cycle, with higher-risk institutions requiring more frequent coverage.

Common scenarios

Large cash-intensive customer base. A community bank serving a significant number of cash-intensive businesses — such as convenience stores or car dealerships — may face elevated CTR filing volumes. BSA audits in this context focus heavily on whether automated transaction monitoring thresholds are calibrated appropriately and whether structuring alerts are being resolved, not merely closed.

Correspondent banking relationships. Banks that provide correspondent accounts to foreign financial institutions carry heightened BSA risk under 31 C.F.R. Part 1010, Subpart I. Auditors examine due diligence files on foreign correspondents and test whether nested correspondent relationships have been identified.

Money services business (MSB) customers. Depository institutions banking MSBs must apply enhanced due diligence. BSA audit procedures in this scenario include reviewing whether MSB customers are confirmed as registered with FinCEN and whether their transaction activity is monitored against expected patterns.

Beneficial ownership gaps. Post-2018 enforcement of the CDD Rule created a common audit finding: incomplete beneficial ownership certification forms for legal entity accounts opened before or during the rule's transition period. Examiners and auditors both treat missing or expired certifications as control failures.

Decision boundaries

Independent testing vs. internal self-assessment. The BSA audit must be performed by personnel independent of the BSA compliance function. A compliance officer reviewing their own program does not satisfy the independent testing requirement. An internal audit department, a qualified external firm, or a qualified consultant each may perform the function — but none can be operationally responsible for BSA program implementation. This distinction parallels the broader separation discussed in internal vs. external audit differences.

BSA audit vs. regulatory examination. A BSA audit is an institution-managed internal or third-party review. A BSA examination is a supervisory activity conducted by the institution's primary federal regulator. The two processes assess similar controls but carry different legal authority; examination findings can result in formal enforcement actions including civil money penalties, while audit findings trigger internal remediation obligations. The structural difference between these review types is explored further in bank examination vs. financial audit.

Compliance audit vs. financial statement audit. BSA auditing falls on the compliance side of the compliance audit vs. financial audit distinction, and that distinction matters for scoping. A financial statement audit conducted under Generally Accepted Auditing Standards does not substitute for independent BSA testing. The two engagements serve different regulatory masters and apply different testing methodologies.

Frequency triggers. The FFIEC Manual identifies risk factors — including rapid growth in high-risk customer segments, prior examination findings, or significant changes to products or systems — that warrant increasing audit frequency beyond the standard annual cycle. Institutions that have received BSA-related Matters Requiring Attention (MRAs) from examiners are typically expected to complete remediation-targeted audits within a compressed timeframe, often within 6 months of the MRA issuance.
