Bank Secrecy Act Overview
The Bank Secrecy Act (BSA), enacted in 1970, is the cornerstone of anti-money laundering (AML) regulation in the United States. For trading platforms classified as Money Services Businesses (MSBs) or financial institutions, the BSA imposes comprehensive obligations to detect, prevent, and report money laundering and terrorist financing.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, administers the BSA and issues implementing regulations. Trading platforms that transmit money, exchange currencies (including virtual currencies), or provide stored value services fall squarely within FinCEN's regulatory jurisdiction.
Federal Criminal Penalties
Operating without an AML program when required is a federal crime under 18 U.S.C. 1960. Violations can result in criminal prosecution, civil money penalties up to $250,000 per violation, and imprisonment. Willful violations of BSA reporting requirements carry penalties up to $500,000 or 10 years imprisonment.
Who Must Comply?
FinCEN's regulations apply to various categories of financial institutions and MSBs. For trading platforms, the most common triggers are:
- Money Transmitters: Accepting and transmitting currency, funds, or value that substitutes for currency
- Currency Exchangers: Exchanging one currency for another, including fiat-to-crypto, crypto-to-fiat, or crypto-to-crypto exchanges
- Dealers in Foreign Exchange: Dealing in foreign currencies for profit
- Check Cashers: Cashing checks, money orders, or similar instruments
- Issuers of Stored Value: Selling prepaid access or stored value products
Virtual Currency Exchanges
FinCEN has clarified in multiple guidance documents that administrators and exchangers of convertible virtual currency are money transmitters under the BSA. This includes cryptocurrency exchanges, OTC desks, DeFi platforms with identifiable operators, and certain tokenized securities platforms. If your platform facilitates the exchange or transfer of digital assets, you are likely subject to full BSA/AML requirements.
Regulatory Framework
The BSA regulatory framework consists of multiple components:
| Component | Description | Key Requirements |
|---|---|---|
| Customer Due Diligence (CDD) | Know Your Customer requirements | Identity verification, beneficial ownership, ongoing monitoring |
| AML Program | Written compliance program | Five pillars: risk assessment, policies, officer, training, testing |
| Suspicious Activity Reporting | SAR filing obligations | Report suspicious transactions over $2,000 within 30 days |
| Currency Transaction Reporting | CTR filing for large cash transactions | Report cash transactions over $10,000 within 15 days |
| Travel Rule | Transmittal of funds information | Include originator/beneficiary information for transfers $3,000+ |
| Recordkeeping | Transaction and customer records | Maintain records for 5 years; make available to regulators |
| MSB Registration | FinCEN registration requirement | Register within 180 days of operations; renew every 2 years |
Five Pillars of AML Compliance
Every MSB and financial institution subject to the BSA must establish and maintain an effective Anti-Money Laundering program based on five fundamental pillars. While the BSA statute specifies four elements (policies, officer, training, and testing), FinCEN's evolving guidance and examination practices have elevated risk assessment to a critical fifth pillar that underpins the entire compliance framework.
The Five Pillars Framework
A comprehensive AML program must incorporate all five elements to satisfy FinCEN requirements and examination expectations.
Risk-Based Approach Required
FinCEN requires a risk-based AML program. This means your policies, controls, and resource allocation must be calibrated to your specific risks. A high-volume crypto exchange has different risks than a small remittance service, and the AML program must reflect those differences. One-size-fits-all programs consistently fail regulatory scrutiny.
Integration of the Five Pillars
The five pillars are not standalone requirements—they must work together as an integrated compliance system:
- Your risk assessment identifies where to focus compliance resources and what controls are needed
- Your policies and procedures define what must be done based on identified risks
- Your compliance officer oversees implementation and enforcement
- Your training program ensures employees know how to execute the policies
- Your independent testing verifies that the system actually works as intended
Weaknesses in any single pillar undermine the entire program. FinCEN examiners evaluate not just the existence of each pillar, but their integration and effectiveness in practice.
AML Program Compliance Checklist
- Comprehensive written risk assessment identifying ML/TF risks specific to your business
- Risk assessment updated annually and when significant changes occur
- Written AML policies and procedures addressing all BSA requirements
- Policies tailored to your risk profile and business model
- Designated AML Compliance Officer with appropriate qualifications and authority
- Compliance Officer has direct access to senior management and board
- Customer Identification Program (CIP) with verification procedures
- Customer Due Diligence (CDD) procedures for all accounts
- Enhanced Due Diligence (EDD) for high-risk customers
- Beneficial ownership identification for legal entity customers
- Transaction monitoring system with documented scenarios and thresholds
- Alert investigation procedures and documentation standards
- SAR filing procedures with 30-day deadline tracking
- CTR filing procedures for cash transactions over $10,000
- OFAC sanctions screening at onboarding and ongoing
- Travel Rule compliance for funds transfers over $3,000
- Recordkeeping system with 5-year retention
- Initial training for all new employees within 30 days of hire
- Annual refresher training for all employees
- Role-specific training for compliance, customer service, and monitoring staff
- Training attendance records and materials maintained
- Independent testing conducted at least annually
- Testing performed by qualified independent party
- Testing report provided to senior management and board
- Remediation plan for testing findings with implementation tracking
- Board or senior management approval of AML program and risk assessment
Risk Assessment Requirements (Pillar 1)
A comprehensive risk assessment is the foundation of an effective AML program. While not explicitly mandated by the original BSA statute, FinCEN guidance, examination procedures, and enforcement actions make clear that a documented, risk-based approach is required. Trading platforms must identify, assess, and document their money laundering and terrorist financing risks.
Why Risk Assessment is a Pillar
While the BSA statute codified at 31 CFR 1022.210 lists four program requirements, FinCEN's 2016 guidance and subsequent examination manuals establish risk assessment as a foundational element. Without a proper risk assessment, you cannot:
- Design policies and procedures appropriate to your actual risks
- Allocate compliance resources effectively
- Calibrate transaction monitoring scenarios and thresholds
- Determine which customers require enhanced due diligence
- Justify your compliance decisions to examiners
Risk Assessment Methodology
An effective BSA/AML risk assessment should analyze risk across multiple dimensions:
AML Risk Assessment Process
Risk Categories to Evaluate
| Risk Category | Assessment Factors | Higher Risk Indicators |
|---|---|---|
| Products/Services | What you offer and how it can be used | Anonymous transactions, cross-border transfers, high-value limits, virtual currencies, algorithmic trading with rapid execution |
| Customers | Who uses your platform | Politically exposed persons, high-net-worth individuals, cash-intensive businesses, foreign entities, professional traders |
| Geographic | Where your customers and transactions are located | FATF high-risk jurisdictions, sanctioned countries, tax havens, areas with weak AML enforcement |
| Transaction Patterns | Volume, velocity, and characteristics of transactions | Rapid movement of funds, structuring patterns, round-dollar amounts, unusual transaction times, high-frequency trading |
| Delivery Channels | How services are delivered | Fully remote onboarding, mobile-only platforms, limited identity verification, agent networks, API-based trading |
Risk Assessment Framework for Trading Platforms
Trading platforms should use a structured framework to assess risk:
Trading Platform Risk Assessment Template
- Executive Summary: Overall risk rating, key findings, significant changes since last assessment
- Business Description: Products/services offered, customer types, transaction volumes, geographic footprint
- Inherent Risk Analysis: Identification of ML/TF risks before considering controls
  - Product/service risks (e.g., crypto trading, margin accounts, API access)
  - Customer risks (e.g., institutional vs. retail, domestic vs. international)
  - Geographic risks (e.g., operations in high-risk jurisdictions)
  - Transaction risks (e.g., high-frequency trading, large transfers)
  - Delivery channel risks (e.g., mobile app, web platform, API)
- Control Assessment: Evaluation of existing controls for each identified risk
- Residual Risk Determination: Risk remaining after controls (High/Medium/Low)
- Gap Analysis: Areas where controls are inadequate or missing
- Action Plan: Specific steps to address identified gaps with timelines and responsible parties
- Management Approval: Sign-off by senior management and board (if applicable)
Documenting Your Risk Assessment
Your risk assessment must be documented in writing and updated periodically (at least annually or when significant changes occur). The documentation should include:
- Identification of inherent risks based on products, customers, geography, and delivery channels
- Assessment of the likelihood and impact of each risk
- Evaluation of existing controls and their effectiveness
- Determination of residual risk after controls
- Prioritization of risks requiring enhanced monitoring or additional controls
- Action plan for addressing identified gaps or deficiencies
- Senior management and board approval of the risk assessment
Best Practice: Dynamic Risk Scoring
Leading trading platforms implement automated risk scoring that continuously evaluates customer and transaction risk based on multiple data points. Rather than static risk classifications, dynamic systems adjust risk ratings based on behavior patterns, transaction characteristics, and external data sources. This approach enables real-time risk management and more efficient resource allocation.
Written AML Policies & Procedures (Pillar 2)
The second pillar of your AML program is comprehensive written policies and procedures. These must be reasonably designed to prevent your platform from being used for money laundering or terrorist financing, and must be tailored to your specific risk profile identified in your risk assessment.
Required Policy Components
At a minimum, your written AML program must address the following areas:
Sample AML Policy Outline for Trading Platforms
- Section 1: Program Overview - Purpose, scope, regulatory framework, senior management commitment
- Section 2: Risk Assessment Methodology - Risk categories, assessment process, update frequency
- Section 3: Customer Due Diligence (CDD) - Identity verification standards, beneficial ownership requirements, enhanced due diligence triggers
- Section 4: Customer Identification Program (CIP) - Required identifying information, verification procedures, recordkeeping requirements
- Section 5: Beneficial Ownership Identification - Procedures for identifying beneficial owners of legal entities (25% threshold)
- Section 6: Enhanced Due Diligence (EDD) - High-risk customer categories, additional verification steps, senior management approval requirements
- Section 7: Ongoing Monitoring - Transaction monitoring systems, alert investigation procedures, periodic customer review
- Section 8: Suspicious Activity Detection & Reporting - Red flags, SAR filing procedures, 30-day deadline, confidentiality requirements
- Section 9: Currency Transaction Reporting - CTR thresholds, aggregation rules, filing deadlines, exemptions
- Section 10: Travel Rule Compliance - Transmittal of funds information, recordkeeping, crypto-specific considerations
- Section 11: Sanctions Screening - OFAC SDN list screening, blocked assets procedures, reporting obligations
- Section 12: Recordkeeping Requirements - 5-year retention, records to maintain, accessibility standards
- Section 13: Training Program - Initial and ongoing training, role-based curricula, recordkeeping
- Section 14: Independent Testing - Scope, frequency, qualifications of tester, remediation of findings
- Section 15: AML Compliance Officer Responsibilities - Designation, authority, reporting structure, duties
- Section 16: Information Sharing (314(b)) - Procedures for sharing information with other financial institutions
- Section 17: Law Enforcement Requests - Responding to grand jury subpoenas, administrative summons, voluntary requests
- Section 18: Geographic Risk Controls - High-risk jurisdictions, sanctions programs, restricted countries
- Section 19: Special Measures & Alerts - Responding to FinCEN advisories, geographic targeting orders
- Section 20: Appendices - Red flags list, high-risk jurisdiction list, forms and templates
Crypto-Specific Policy Considerations
If your trading platform handles virtual currencies, your AML policies must address additional risks and controls unique to digital assets:
- Blockchain Analytics: Use of transaction monitoring tools to trace crypto flows and identify high-risk addresses
- Mixing/Tumbling Services: Prohibition on transactions from known mixers or privacy coins
- Unhosted Wallets: Enhanced scrutiny for transactions to/from non-custodial wallets
- Travel Rule Implementation: Procedures for obtaining and transmitting originator/beneficiary information for crypto transfers
- Stablecoin Risks: Monitoring for use in layering or rapid conversion schemes
- DeFi Protocol Interactions: Controls around decentralized exchange integrations
- NFT Transactions: Enhanced scrutiny for high-value NFT purchases potentially used for value transfer
FinCEN Virtual Currency Guidance
FinCEN's 2019 guidance on virtual currency confirmed that exchangers and administrators of convertible virtual currency are money transmitters. The 2020 proposed rule on digital asset transactions would impose additional recordkeeping and reporting requirements. Trading platforms should monitor FinCEN's evolving approach to crypto regulation and update policies accordingly.
Designated AML Compliance Officer (Pillar 3)
The third pillar requires designation of an individual responsible for day-to-day compliance with the BSA and implementation of the AML program. This Compliance Officer (often called the BSA Officer or AMLCO) is personally accountable for the program's effectiveness.
Compliance Officer Qualifications
While FinCEN does not specify formal credentials, your designated Compliance Officer must have:
- Knowledge: Understanding of BSA/AML requirements, money laundering typologies, and your business model
- Experience: Sufficient background in compliance, risk management, or financial crime prevention
- Authority: Direct access to senior management and the board; ability to enforce compliance policies
- Resources: Adequate budget, staff, and technology to implement the AML program
- Independence: Sufficient independence from business pressures to make objective compliance decisions
Compliance Officer Responsibilities
Your designated Compliance Officer's duties typically include:
| Responsibility | Description | Frequency |
|---|---|---|
| Program Oversight | Overall responsibility for AML program implementation and effectiveness | Continuous |
| Risk Assessment | Conducting and updating comprehensive risk assessment | Annual review, updates as needed |
| Policy Development | Drafting, updating, and maintaining AML policies and procedures | Annual review, updates as needed |
| SAR Review & Filing | Reviewing alerts, investigating suspicious activity, filing SARs | Within 30 days of detection |
| Regulatory Reporting | CTR filing, MSB registration, regulatory correspondence | Per applicable deadlines |
| Training Program | Developing and delivering AML training to employees | Annually (minimum) |
| Independent Testing Coordination | Engaging auditors, addressing findings, implementing remediation | Annual testing cycle |
| Management Reporting | Providing AML program updates, risk assessments, metrics to leadership | Quarterly or as required |
| Regulatory Liaison | Serving as primary contact for FinCEN, IRS, and law enforcement | As needed |
Compliance Officer Job Description Template
AML Compliance Officer - Sample Job Description
Position: Anti-Money Laundering Compliance Officer
Key Responsibilities:
- Oversee development, implementation, and maintenance of BSA/AML compliance program
- Conduct annual risk assessments to identify money laundering and terrorist financing risks
- Develop and update written AML policies and procedures
- Design and implement transaction monitoring systems and scenarios
- Investigate alerts and suspicious activity; make SAR filing determinations
- Ensure timely and accurate filing of SARs, CTRs, and other regulatory reports
- Implement and maintain OFAC sanctions screening program
- Develop and deliver AML training programs for all employees
- Coordinate independent testing and remediate identified deficiencies
- Serve as primary liaison with FinCEN, IRS, and law enforcement
- Monitor regulatory developments and update program accordingly
- Report program status and key metrics to senior management and board
Qualifications:
- 3+ years experience in BSA/AML compliance or financial crime prevention
- Knowledge of FinCEN regulations, BSA requirements, and money laundering typologies
- Experience with transaction monitoring systems and case management
- Strong analytical and investigative skills
- Excellent written and verbal communication skills
- Professional certification (CAMS, CFCS, or similar) preferred
- Experience with cryptocurrency/digital asset compliance a plus
Reporting Structure:
Reports directly to CEO/General Counsel/Board of Directors with independent authority to escalate compliance concerns.
Organizational Structure
The Compliance Officer must have appropriate organizational positioning:
- Direct reporting line to senior management, CEO, or board of directors
- Not subordinate to business development or revenue-generating functions
- Authority to escalate compliance concerns without retaliation risk
- Budget authority or ability to request resources necessary for compliance
- Compensation structure that does not create conflicts with compliance duties
Small Business Considerations
For small trading platforms, the CEO or founder often serves as the Compliance Officer. This is permissible if the individual has adequate knowledge and dedicates sufficient time to compliance. However, as the business grows, FinCEN expects a dedicated compliance function. Outsourcing to a third-party AML consultant is also acceptable if properly documented and supervised.
Employee Training Requirements (Pillar 4)
The fourth pillar mandates ongoing training for employees involved in compliance functions, customer interactions, or transaction processing. Training must be appropriate to each employee's role and responsibilities, and must be provided on a regular basis.
Training Program Design
An effective AML training program should be risk-based and role-specific:
Sample Training Schedule by Role
| Employee Category | Initial Training | Annual Refresher | Key Topics |
|---|---|---|---|
| All Employees | Within 30 days of hire | Required | BSA overview, reporting obligations, confidentiality, red flags awareness |
| Customer Service | Before customer contact | Required | CDD procedures, identity verification, recognizing suspicious behavior |
| Compliance Team | Before assuming duties | Required + quarterly updates | SAR filing, alert investigation, sanctions screening, regulatory changes |
| Transaction Monitoring | Before system access | Required + as scenarios change | Monitoring scenarios, alert investigation, escalation procedures |
| Senior Management | Within 30 days of role | Required | Regulatory expectations, board oversight, enforcement trends, program effectiveness |
| IT/Security | Before system development | Required | Data security, recordkeeping, system controls, audit trails |
Required Training Content
Your AML training curriculum must cover:
- BSA/AML Legal Framework: Statutory requirements, FinCEN regulations, enforcement consequences
- Institutional Policies: Your specific AML policies, procedures, and internal controls
- Risk Assessment Findings: Key risks identified in your most recent risk assessment
- Red Flags & Typologies: Common money laundering schemes relevant to your business
- Customer Due Diligence: CDD/EDD procedures, beneficial ownership identification
- Transaction Monitoring: How monitoring systems work, alert investigation procedures
- SAR Reporting: When to file, how to file, confidentiality obligations
- Sanctions Screening: OFAC requirements, blocked property procedures
- Recordkeeping: What records to maintain, retention periods, accessibility
- Confidentiality: Prohibition on tipping off customers about SARs or investigations
- Regulatory Updates: New guidance, enforcement actions, emerging risks
Training Delivery Methods
Training can be delivered through various formats, each with advantages:
- Live Instruction: In-person or virtual sessions led by compliance officer or external expert (most engaging, allows Q&A)
- E-Learning Modules: Interactive online courses with assessments (scalable, trackable, consistent)
- Webinars: Remote group training sessions (efficient for geographically dispersed teams)
- Case Studies: Analysis of real enforcement actions or typologies (practical, memorable)
- Scenario-Based Training: Exercises using hypothetical suspicious transactions (develops judgment)
- Microlearning: Short, frequent training sessions on specific topics (reinforces learning)
Training Documentation & Recordkeeping
You must maintain records demonstrating training compliance:
- Training attendance records (date, duration, attendees)
- Training materials and curricula
- Assessment or testing results (if applicable)
- Employee acknowledgment of completion
- Annual training plan and schedule
- Training effectiveness evaluations
- Records of training updates in response to regulatory changes
Best Practice: Role-Based Scenarios
Rather than generic AML training, develop role-specific scenarios that employees will actually encounter. For customer service representatives, use examples of suspicious onboarding patterns. For transaction monitoring analysts, walk through actual alert investigations. For algorithmic traders, demonstrate how rapid execution patterns might trigger alerts. Role-specific training improves retention and practical application.
Independent Testing & Audit (Pillar 5)
The fifth pillar requires independent review and testing of your AML program to assess its adequacy and effectiveness. This independent audit serves as a critical check on whether your program works in practice, not just on paper.
Independence Requirements
The tester must be "independent" from the functions being tested. FinCEN guidance provides flexibility in how independence is achieved:
- External Auditor: Third-party firm with BSA/AML expertise (strongest independence, often required for larger institutions)
- Internal Audit Department: If separate from compliance function and reporting to board/audit committee
- Qualified Employee: From a different department with no compliance responsibilities (only for very small institutions)
- Parent Company: If you are a subsidiary, parent's audit function may test your program
The Compliance Officer or employees with compliance responsibilities may not perform the independent testing of their own work.
Testing Scope & Frequency
Independent testing should be comprehensive and risk-based. At a minimum, testing should occur:
- Annually: For most trading platforms, annual testing is the baseline expectation
- More Frequently: If higher risk, prior deficiencies, or regulatory direction
- After Significant Changes: New products, system implementations, regulatory changes
- Triggered by Red Flags: Compliance failures, unusual SAR volumes, internal fraud
Independent Testing Checklist
A comprehensive AML program audit should evaluate:
AML Program Independent Testing Scope
- Review of written risk assessment for completeness, accuracy, and appropriateness
- Assessment of risk assessment methodology and conclusions
- Review of written AML policies and procedures for completeness and accuracy
- Evaluation of AML Compliance Officer qualifications, authority, and resources
- Testing of Customer Identification Program (CIP) implementation
- Review of Customer Due Diligence (CDD) procedures and documentation
- Testing of Enhanced Due Diligence (EDD) for high-risk customers
- Evaluation of transaction monitoring system effectiveness (scenarios, thresholds, alerts)
- Review of alert investigation quality and documentation
- Assessment of SAR decision-making and filing timeliness
- Review of CTR filing accuracy and timeliness
- Testing of OFAC sanctions screening (name screening, interdiction)
- Evaluation of Travel Rule compliance (for funds transfers)
- Review of recordkeeping practices and retention compliance
- Assessment of employee training program (content, delivery, documentation)
- Evaluation of information sharing and law enforcement cooperation
- Testing of suspicious activity detection (red flags identification)
- Review of previous audit findings and remediation status
- Assessment of board and senior management oversight
- Evaluation of technology systems and data integrity
- Testing of internal controls and segregation of duties
- Review of vendor management for third-party service providers
- Assessment of program responsiveness to regulatory changes
Testing Methodologies
Independent testing should employ multiple methodologies:
- Sampling and Transaction Testing: Review random samples of customer files, transactions, alerts, and SARs
- Interviews: Discuss procedures with compliance staff, front-line employees, and management
- System Validation: Test transaction monitoring scenarios, sanctions screening, and data quality
- Lookback Reviews: Analyze whether past transactions were appropriately monitored and escalated
- Comparative Analysis: Benchmark against industry standards and peer institutions
- Regulatory Mapping: Confirm all BSA requirements are addressed in policies and practice
Audit Report and Remediation
The independent testing must result in a written report that includes:
- Scope of the audit and testing methodology
- Findings and deficiencies identified
- Assessment of overall program effectiveness
- Recommendations for corrective actions
- Management response and remediation plan
- Timeline for implementing corrective measures
The audit report should be provided to senior management and the board (if applicable). Identified deficiencies must be tracked and remediated promptly. Repeat findings in subsequent audits are a serious red flag to regulators.
Regulatory Examination Expectations
FinCEN and IRS examiners will review your independent testing reports. They expect to see comprehensive testing with meaningful findings and timely remediation. A "clean" report with no findings may actually raise suspicion that the audit was superficial. Effective testing identifies areas for improvement and drives program enhancements.
Red Flags for Algorithmic Trading Platforms
Algorithmic and high-frequency trading platforms face unique money laundering risks. The speed, volume, and automation of algorithmic trading can obscure suspicious patterns. AML programs must include red flags specific to automated trading environments.
Red Flags Specific to Algorithmic Trading
- Wash Trading Patterns: Algorithm executing offsetting buy and sell orders to create appearance of trading activity without actual market risk
- Layering Schemes: Rapid placement and cancellation of orders to move funds through multiple accounts or instruments
- Spoofing Behavior: Large orders placed and immediately canceled to manipulate market prices, potentially facilitating value transfer
- Cross-Product Arbitrage: Simultaneous trading across multiple exchanges or instruments inconsistent with stated strategy or customer profile
- API Key Sharing: Single API key used from multiple IP addresses or jurisdictions, suggesting account compromise or front-running
- Unusual Trading Hours: Algorithm executing trades exclusively during off-hours when monitoring may be reduced
- Round-Trip Transactions: Funds deposited, rapidly traded through multiple instruments, and withdrawn to different destination
- Structured Deposits/Withdrawals: Pattern of deposits or withdrawals just below reporting thresholds, even if trading volume is high
- Uneconomic Trading: Algorithm consistently generating losses or executing trades with no apparent profit motive
- Sudden Strategy Changes: Abrupt shifts in trading strategy, instruments, or risk profile inconsistent with customer history
- Third-Party Funding: Trading account funded by sources different from account holder, especially from higher-risk jurisdictions
- Dormant Account Reactivation: Previously inactive account suddenly begins high-volume algorithmic trading
- Inconsistent Documentation: Customer profile indicates retail investor but trading patterns suggest institutional sophistication
- Cross-Border Complexity: Algorithm trading through multiple jurisdictions with funds flowing to/from high-risk countries
- Privacy Coin Integration: Algorithm incorporating privacy coins or mixing services into trading strategy
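Three of the red flags above (API Key Sharing, Structured Deposits/Withdrawals, Round-Trip Transactions) expressed as monitoring rules over an event stream. This is an added example, not code from the original page; the `Event` fields, the rule names, the sample events and every threshold other than the $10,000 reporting figure are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Every threshold except CTR_THRESHOLD is an assumption chosen for this example.
CTR_THRESHOLD = 10_000                   # cash reporting threshold cited on this page
NEAR_BAND = 0.10                         # "just below" = within 10% under the threshold
STRUCT_MIN_HITS = 3                      # near-threshold movements needed to alert
STRUCT_WINDOW = timedelta(days=7)
ROUND_TRIP_WINDOW = timedelta(hours=24)  # "rapidly" = withdrawn within a day
ROUND_TRIP_RATIO = 0.90                  # share of the deposit that leaves again
MAX_IPS_PER_KEY = 5                      # many IPs in one country is weaker evidence

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "deposit" | "withdrawal" | "trade" | "api_call"
    amount: float = 0.0
    party: str = ""    # funding source or withdrawal destination
    api_key: str = ""
    ip: str = ""
    country: str = ""

def shared_api_keys(events):
    """API Key Sharing: one key seen from several countries or many IPs."""
    ips, countries = defaultdict(set), defaultdict(set)
    for e in events:
        if e.kind == "api_call" and e.api_key:
            ips[e.api_key].add(e.ip)
            countries[e.api_key].add(e.country)
    return {k: sorted(countries[k]) for k in ips
            if len(countries[k]) > 1 or len(ips[k]) > MAX_IPS_PER_KEY}

def structuring(events):
    """Structured Deposits/Withdrawals: repeated amounts just under the threshold."""
    low = CTR_THRESHOLD * (1 - NEAR_BAND)
    stamps_by_account = defaultdict(list)
    for e in events:
        if e.kind in ("deposit", "withdrawal") and low <= e.amount <= CTR_THRESHOLD:
            stamps_by_account[e.account].append(e.ts)
    flagged = set()
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # sliding window over sorted times
            while ts - stamps[start] > STRUCT_WINDOW:
                start += 1
            if end - start + 1 >= STRUCT_MIN_HITS:
                flagged.add(account)
                break
    return flagged

def round_trips(events):
    """Round-Trip Transactions: deposit soon withdrawn to a different party."""
    moves_by_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in ("deposit", "withdrawal"):
            moves_by_account[e.account].append(e)
    hits = []
    for account, moves in moves_by_account.items():
        for i, dep in enumerate(moves):
            if dep.kind != "deposit":
                continue
            for wd in moves[i + 1:]:
                if wd.ts - dep.ts > ROUND_TRIP_WINDOW:
                    break
                if (wd.kind == "withdrawal" and wd.party != dep.party
                        and wd.amount >= ROUND_TRIP_RATIO * dep.amount):
                    hits.append((account, dep.party, wd.party))
                    break
    return hits

def run_rules(events):
    """Evaluate all three rules and return alerts for analyst review."""
    return {
        "api_key_sharing": shared_api_keys(events),
        "structuring": sorted(structuring(events)),
        "round_trip": round_trips(events),
    }

def at(day, hour=12):
    return datetime(2024, 3, day, hour)

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event(at(1), "acct-A", "deposit", 9_500, party="bank-1"),
    Event(at(3), "acct-A", "deposit", 9_800, party="bank-1"),
    Event(at(5), "acct-A", "deposit", 9_900, party="bank-1"),
    Event(at(2, 9), "acct-B", "deposit", 50_000, party="bank-2"),
    Event(at(2, 10), "acct-B", "trade", 49_000),
    Event(at(2, 15), "acct-B", "withdrawal", 48_500, party="wallet-x"),
    Event(at(1), "acct-C", "deposit", 4_000, party="bank-3"),
    Event(at(20), "acct-C", "withdrawal", 3_900, party="bank-3"),
    Event(at(4, 1), "acct-B", "api_call", api_key="key-1", ip="192.0.2.10", country="US"),
    Event(at(4, 2), "acct-B", "api_call", api_key="key-1", ip="198.51.100.7", country="SG"),
    Event(at(4, 3), "acct-C", "api_call", api_key="key-2", ip="203.0.113.5", country="US"),
]
```

Calling `run_rules(SAMPLE_EVENTS)` flags acct-A for structuring, acct-B for a round trip, and key-1 for use from two countries; each hit is an alert for investigation, not a conclusion.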
General Money Laundering Red Flags
In addition to algorithmic trading-specific indicators, monitor for standard red flags:
- Customer reluctant to provide identifying information or provides suspicious/false documentation
- Customer requests exemption from AML policies or procedures
- Customer makes frequent deposits followed by immediate withdrawals with minimal trading
- Transaction patterns inconsistent with customer's stated business purpose or profile
- Customer uses multiple accounts to conduct transactions that should be in single account
- Rapid movement of funds between accounts or platforms (triangulation)
- Large transactions to/from high-risk jurisdictions or sanctioned countries
- Customer conducts transactions with known or suspected criminal entities
- Customer attempts to hide beneficial ownership or control of account
- Customer shows unusual interest in transaction reporting thresholds or recordkeeping
Crypto-Specific Red Flags
For platforms handling cryptocurrency, additional red flags include: deposits from known mixing services or tumblers; rapid conversion between multiple cryptocurrencies; transactions with privacy coins (Monero, Zcash); deposits from darknet market addresses; peel chain patterns indicating potential theft; and customer resistance to providing wallet source information.
Recordkeeping Requirements
The BSA imposes comprehensive recordkeeping requirements on MSBs and financial institutions. Trading platforms must create, maintain, and produce records upon regulatory request. Failure to maintain adequate records is a common source of BSA violations and civil money penalties.
Five-Year Retention Standard
The general retention period for BSA records is five years from the date of the transaction or the date the record was created. Records must be maintained in a format that permits retrieval and production to regulators upon request.
Required Records
Trading platforms must maintain the following categories of records:
| Record Category | Specific Records Required | Retention Period |
|---|---|---|
| Customer Identification | Name, address, DOB, ID number, verification documents, beneficial ownership information | 5 years after account closure |
| Transaction Records | All transactions >$3,000: date, amount, parties, payment method, account numbers | 5 years from transaction date |
| Funds Transfers | Originator/beneficiary information for transfers >$3,000 (Travel Rule) | 5 years from transmittal |
| Currency Transactions | CTR filings, multiple currency transaction logs, aggregation analysis | 5 years from filing date |
| Suspicious Activity | SAR filings, supporting documentation, alert investigation records | 5 years from filing date |
| Monetary Instruments | Records of sales of money orders, traveler's checks, or other instruments $3,000-$10,000 | 5 years from sale |
| Agent Records | Agent lists, contracts, oversight records (if using agents) | 5 years after termination |
| AML Program | Written policies, risk assessments, training records, independent testing reports | 5 years (ongoing updates) |
Recordkeeping Format and Accessibility
BSA regulations do not prescribe a specific format for record retention, but records must be:
- Retrievable: Organized to allow prompt retrieval upon regulatory request
- Legible: Clear and readable throughout the retention period
- Accurate: Complete and accurate reproduction of original information
- Accessible: Available for examination by FinCEN, IRS, or other authorities
Electronic recordkeeping is permissible and common for trading platforms. Key considerations for electronic records:
- Ensure data integrity and protection against alteration
- Maintain backup systems to prevent data loss
- Index and organize for efficient search and retrieval
- Test restoration procedures to verify records remain accessible
- Document your electronic recordkeeping system and retention procedures
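One way to meet the "protection against alteration" point for electronic records, together with the five-year retention period: a hash-chained, append-only log whose verification pinpoints the first altered entry. This is an added example, not code from the original page; the record fields, function names and sample entries are assumptions.

```python
import hashlib
import json
from datetime import date

RETENTION_YEARS = 5      # general BSA retention period stated on this page
GENESIS = "0" * 64       # assumption: fixed anchor value for the first entry


def _digest(prev_hash, payload):
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(log, payload):
    """Append a record whose hash covers its content and the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"payload": payload, "prev": prev_hash,
             "hash": _digest(prev_hash, payload)}
    log.append(entry)
    return entry


def first_bad_entry(log):
    """Return the index of the first entry that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(prev_hash, entry["payload"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return None


def retain_until(anchor_iso):
    """Earliest disposal date: the anchor date plus the retention period."""
    anchor = date.fromisoformat(anchor_iso)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:   # 29 February with a non-leap target year: round up
        return date(anchor.year + RETENTION_YEARS, 3, 1)


def build_sample_log():
    """Constructed sample records (not real data)."""
    log = []
    append_record(log, {"type": "transaction", "account": "acct-A",
                        "amount": 4200, "date": "2024-02-29"})
    append_record(log, {"type": "transaction", "account": "acct-B",
                        "amount": 9800, "date": "2024-03-05"})
    append_record(log, {"type": "sar_filing", "account": "acct-B",
                        "date": "2024-03-20"})
    return log
```

The chain detects edits only if the latest hash is also stored where administrators of the record system cannot rewrite it, for example on write-once storage.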
Production to Regulators
You must produce records to FinCEN, IRS, or other authorities upon request, typically within a specified timeframe (often 5-10 business days for large requests). Inability to produce records can result in:
- Civil money penalties for recordkeeping violations
- Adverse inferences in enforcement actions
- Cease and desist orders or other restrictions on operations
- Criminal referrals for willful violations
Blockchain Records for Crypto Platforms
For cryptocurrency trading platforms, blockchain records can supplement but not replace traditional recordkeeping. While blockchain provides an immutable transaction log, you must also maintain customer identification information, transaction context, and supporting documentation that links wallet addresses to customer identities. Consider using blockchain analytics tools to enhance transaction monitoring and recordkeeping.