BSA Recordkeeping Requirements Overview
The Bank Secrecy Act (BSA) imposes comprehensive recordkeeping obligations on financial institutions under 31 CFR 1010.430. These requirements are designed to create an audit trail that law enforcement and regulators can use to investigate money laundering, terrorist financing, and other financial crimes. For trading platforms, money services businesses, and broker-dealers, BSA recordkeeping is not optional—it's a federal legal requirement with severe penalties for non-compliance.
This guide provides a comprehensive reference for understanding BSA recordkeeping requirements, implementing compliant systems, organizing required records, and preparing for regulatory examinations.
Criminal Penalties for Recordkeeping Violations
Willful failure to maintain required BSA records is a federal crime under 31 U.S.C. 5322, punishable by up to 5 years in prison and fines up to $250,000 for individuals ($500,000 for organizations). Civil penalties can reach $100,000 per violation.
Who Must Comply?
BSA recordkeeping requirements apply to:
- Money Services Businesses (MSBs) - Money transmitters, currency exchangers, check cashers, issuers of stored value
- Banks and Credit Unions - Depository institutions
- Broker-Dealers - Securities firms registered with SEC/FINRA
- Futures Commission Merchants - Commodity brokers registered with CFTC
- Casinos and Card Clubs - Gaming establishments
- Cryptocurrency Exchanges - Platforms trading convertible virtual currency as MSBs
Trading Platform Applicability
If your trading platform transmits money, exchanges currencies (including crypto), or provides stored value products, you are likely classified as an MSB and must comply with BSA recordkeeping requirements. This applies even if you consider yourself primarily a technology company.
The 5-Year Retention Period
The cornerstone of BSA recordkeeping is the 5-year retention requirement. All required BSA records must be maintained for a minimum of 5 years from the date of the transaction or from the date the record was created, whichever is applicable.
Key Retention Principles
| Principle | Requirement | Implementation Notes |
|---|---|---|
| 5-Year Minimum | All BSA records retained for at least 5 years | Many institutions retain for 6-7 years to ensure compliance margin |
| Readily Accessible | Records must be retrievable within a reasonable time | Generally means within 48 hours of regulatory request |
| Original or Copy | Can maintain originals, copies, or electronic images | Electronic storage permitted if properly indexed and searchable |
| Organized System | Records filed in a systematic manner | Must have logical filing system—chronological, alphabetical, or by account |
| No Destruction | Cannot destroy records during legal hold or investigation | If subpoenaed or under examination, extend retention indefinitely |
Retention Period Calculation
For transaction records, the 5-year period begins on the date the transaction occurred. For customer identification records, it begins on the date the account is closed. For SARs, it begins on the date the SAR was filed. Incorrectly calculating retention periods is a common compliance mistake.
Required Records by Category
BSA regulations require specific categories of records to be maintained. Below is a comprehensive breakdown of each category.
1. Customer Identification Program (CIP) Records
Under 31 CFR 1022.210 (for MSBs) and similar rules for other financial institutions, you must establish a Customer Identification Program and maintain comprehensive customer records.
Required CIP Information
Retention Period: 5 years after the account is closed
2. Transaction Records ($3,000+ Threshold)
31 CFR 1010.410 requires financial institutions to maintain records of certain transactions. The key threshold is $3,000—transactions of $3,000 or more trigger recordkeeping requirements.
For each transaction of $3,000 or more, maintain records of:
- Customer identity (name, address, taxpayer identification number)
- Transaction date
- Transaction amount (dollar amount or cryptocurrency equivalent)
- Transaction type (purchase, sale, exchange, transfer, deposit, withdrawal)
- Account number (if applicable)
- Method of payment (cash, wire transfer, ACH, cryptocurrency, check)
- Counterparty information (if transaction involves another party)
Retention Period: 5 years from the transaction date
Aggregation Rules
You must aggregate multiple transactions by the same customer within a single business day to determine if they meet the $3,000 threshold. For example, three $1,500 transactions by the same customer on the same day = $4,500 aggregate, triggering recordkeeping requirements.
3. Funds Transfer Recordkeeping ($3,000+ Threshold)
The "Travel Rule" (31 CFR 1010.410(e)) requires specific recordkeeping for funds transfers of $3,000 or more. This rule is particularly important for trading platforms that transmit money or cryptocurrency.
| Role | Required Information |
|---|---|
| Transmittor (Originator) | Transmittor's name and address; Transmittor's account number (if any); Amount of the transmittal order; Execution date; Payment instructions received; Recipient's financial institution; Recipient's name and account number |
| Intermediary/Beneficiary | All transmittor information received; Beneficiary name and address; Beneficiary's account number; Any other information received; Record of intermediaries in transfer chain |
Retention Period: 5 years from the transfer date
Cryptocurrency Travel Rule
FinCEN has clarified that the Travel Rule applies to virtual currency transactions. If you operate a crypto exchange or wallet provider that transmits $3,000+ in cryptocurrency, you must collect and retain the same information as required for traditional wire transfers.
4. SAR Documentation
Suspicious Activity Reports (SARs) and all supporting documentation must be maintained with strict confidentiality controls.
SAR Recordkeeping Requirements
- Filed SARs - Copy of FinCEN Form 111 (SAR) and all supporting documentation
- Supporting Documentation - Transaction records, account statements, internal investigation notes
- SAR Decision Log - Document why SARs were filed AND why potential SARs were not filed
- SAR Narratives - Detailed explanation of suspicious activity
- Internal Escalations - Emails, memos escalating suspicious activity to compliance
- Follow-up Actions - Any additional monitoring or investigation conducted
Retention Period: 5 years from the date the SAR was filed
SAR Confidentiality
SARs are confidential and must not be disclosed to the subject of the SAR or to anyone outside law enforcement/regulatory authority. Maintain SAR files separately from customer files with strict access controls. Unauthorized SAR disclosure is a federal crime.
5. CTR Filing Records
For Currency Transaction Reports (filed for cash transactions over $10,000):
- Maintain copy of FinCEN Form 112 (CTR)
- Retain supporting documentation (deposit tickets, withdrawal slips)
- Keep records of multiple cash transactions aggregated to exceed $10,000
- Document exemptions claimed (if applicable to your institution type)
- Maintain CTR filing logs showing all CTRs filed and filing dates
Retention Period: 5 years from the date the CTR was filed
Document Retention Schedule
Quick reference guide for BSA record retention periods:
| Record Type | Retention Period | Retention Trigger | Regulatory Citation |
|---|---|---|---|
| Customer Identification (CIP) | 5 years | After account closure | 31 CFR 1022.210 |
| Transaction Records ($3,000+) | 5 years | From transaction date | 31 CFR 1010.410 |
| Funds Transfers (Travel Rule) | 5 years | From transfer date | 31 CFR 1010.410(e) |
| SAR Filings | 5 years | From SAR filing date | 31 CFR 1022.320 |
| CTR Filings | 5 years | From CTR filing date | 31 CFR 1010.306 |
| Training Records | 5 years | From training date | 31 CFR 1022.210 |
| Independent Testing | 5 years | From testing date | 31 CFR 1022.210 |
| AML Policies | 5 years | After policy superseded | 31 CFR 1022.210 |
| Account Statements | 5 years | From statement date | 31 CFR 1010.430 |
| Beneficial Ownership Records | 5 years | After account closure | 31 CFR 1010.230 |
| FinCEN Registration | Permanent | N/A - keep indefinitely | 31 CFR 1022.380 |
| State Licenses | Permanent | N/A - keep indefinitely | State law varies |
Best Practice: 6-Year Retention
Many compliance professionals recommend retaining BSA records for 6 years instead of the minimum 5 years. This provides a buffer to ensure compliance even if retention period calculations are slightly off, and aligns with some state law retention requirements that exceed federal minimums.
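The retention triggers in the schedule above and the calculation mistakes described under "Retention Period Calculation" can be enforced as a guard in front of any purge job. The following is an added example, not code from this guide or from any regulator: the record type keys, field names and `SAMPLE` data are constructed, and the strict "after the end date" comparison and the Feb 29 to Mar 1 roll-forward are conservative assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention triggers taken from the page's schedule; keys and field names are
# naming choices made for this example.
TRIGGER_FIELD = {
    "cip": "account_closed",
    "beneficial_ownership": "account_closed",
    "transaction": "event_date",
    "funds_transfer": "event_date",
    "sar": "filed_date",
    "ctr": "filed_date",
}
PERMANENT = {"fincen_registration", "state_license"}

@dataclass
class Record:
    record_id: str
    record_type: str
    event_date: Optional[date] = None      # transaction or transfer date
    filed_date: Optional[date] = None      # SAR/CTR filing date
    account_closed: Optional[date] = None  # None while the account is open
    legal_hold: bool = False

def add_years(d: date, years: int) -> date:
    """Same calendar day N years later; Feb 29 rolls forward to Mar 1."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)

def retention_end(rec: Record, years: int = 5) -> Optional[date]:
    """Last day of the retention period, or None if the record must be kept."""
    if rec.legal_hold or rec.record_type in PERMANENT:
        return None
    field = TRIGGER_FIELD.get(rec.record_type)
    trigger = getattr(rec, field) if field else None
    # Unknown type or trigger not reached yet (open account): fail closed.
    return add_years(trigger, years) if trigger else None

def purge_candidates(records, today: date, years: int = 5) -> list:
    """IDs whose retention period has fully elapsed (strictly after the end date)."""
    ends = ((r.record_id, retention_end(r, years)) for r in records)
    return [rid for rid, end in ends if end is not None and today > end]

# Constructed sample records, not real data.
SAMPLE = [
    Record("T-1", "transaction", event_date=date(2018, 1, 10)),
    Record("T-2", "transaction", event_date=date(2018, 1, 10), legal_hold=True),
    Record("C-1", "cip", event_date=date(2015, 3, 1), account_closed=date(2022, 6, 30)),
    Record("C-2", "cip", event_date=date(2015, 3, 1)),
    Record("S-1", "sar", filed_date=date(2020, 2, 29)),
    Record("R-1", "fincen_registration", event_date=date(2014, 5, 5)),
]
```

Record C-1 shows the common mistake: counting from the 2015 creation date would release it in 2020, while the account-closure trigger keeps it until 2027. Passing `years=6` applies the 6-year buffer.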
Storage Requirements (Electronic vs Paper)
BSA regulations permit electronic recordkeeping, but the systems used must meet specific requirements to ensure records are accessible, authentic, and complete.
Electronic Recordkeeping Standards
| Requirement | Standard | Implementation Example |
|---|---|---|
| Accessibility | Records must be readily retrievable | Searchable database with indexing by customer name, date, transaction type |
| Reproduction Quality | Electronic images must be clear and legible | Minimum 300 DPI for document scans; PDF/A format recommended |
| Integrity Controls | Prevent unauthorized alteration | Write-once-read-many (WORM) storage; blockchain timestamping; audit trails |
| Backup and Redundancy | Protection against data loss | Daily backups to offsite location; disaster recovery procedures |
| Retrieval Capability | Ability to reproduce hard copies | System must allow printing or export of records on demand |
| Audit Trail | Track who accessed records and when | Access logs maintained for all record retrievals |
Acceptable Electronic Storage Media
BSA records may be stored on various electronic media:
- Cloud Storage - AWS, Azure, Google Cloud (with proper security controls)
- Database Systems - SQL databases, document management systems
- Optical Media - CD-ROM, DVD (less common today)
- Magnetic Media - Hard drives, tape backups
- Microfilm/Microfiche - Still acceptable though rarely used
- Blockchain/Distributed Ledger - Emerging technology for tamper-proof recordkeeping
Cloud Storage Considerations
If using cloud storage for BSA records, ensure: (1) Data is encrypted in transit and at rest; (2) You have a written agreement with the cloud provider addressing security and accessibility; (3) You can retrieve records even if the provider relationship ends; (4) The provider has SOC 2 or equivalent security certification; (5) Data residency requirements are met if applicable.
Paper Records
If maintaining paper records:
- Store in secure, climate-controlled environment
- Organize in logical filing system (alphabetical, chronological, or by account)
- Protect against fire, water damage, and unauthorized access
- Maintain index or inventory of paper files
- Consider scanning to electronic format for backup and easier retrieval
Retrieval Requirements
BSA regulations require that you be able to produce records promptly upon request by FinCEN, IRS, or other authorized law enforcement agencies. "Promptly" is generally interpreted as within 48 hours, though subpoenas may specify longer timeframes.
Retrieval Standards
Your recordkeeping system must enable:
- Search by Customer - Ability to retrieve all records related to a specific customer
- Search by Date Range - All transactions within a specified time period
- Search by Amount - Transactions above or below certain thresholds
- Search by Transaction Type - Wires, ACH, cash, cryptocurrency, etc.
- Search by Geographic Location - Transactions by state, country, or IP address
- Combined Searches - Multiple criteria (e.g., "Customer X transactions over $5,000 in January 2024")
Offshore Recordkeeping
If you maintain BSA records outside the United States, special rules apply:
- You must notify FinCEN and the Secretary of the Treasury that records are maintained outside the U.S.
- You must provide the location of the records
- Records must be accessible to U.S. regulators at all times
- You must be able to produce records in the U.S. within a reasonable time (typically 48 hours)
- Consider legal and practical challenges of cross-border data transfers
Audit Preparation and Examiner Requests
Whether preparing for a FinCEN examination, IRS audit, or state regulator review, use this comprehensive checklist to ensure your BSA recordkeeping is examination-ready.
BSA Examination Readiness Checklist
- All required records for past 5 years are present and accessible
- Electronic systems can produce records within 48 hours of request
- Records are organized logically (customer-centric or record-type filing)
- Indexing allows search by customer, date, amount, and transaction type
- CIP files are complete for all active and closed accounts
- All SARs filed in past 5 years are documented with supporting materials
- SAR decision logs document why SARs were or were not filed
- All CTRs filed are documented and match transaction records
- Training records demonstrate all employees received required AML training
- Most recent independent testing report is available and deficiencies remediated
- Transaction monitoring reports and alerts are documented and reviewed
- High-risk customer files include EDD documentation
- Backup and disaster recovery procedures are documented and tested
- Access controls prevent unauthorized modification of records
- Record retention policy is documented in writing
- Procedures exist for responding to subpoenas and document requests
- Legal hold procedures prevent destruction during litigation/investigation
- Vendor agreements address recordkeeping and data retention
- Sample test: Can you produce all records for a specific customer within 2 hours?
- Sample test: Can you produce all transactions over $5,000 in a specific month within 2 hours?
Common Examiner Requests
During BSA examinations, regulators commonly request:
Typical Examination Document Requests
Responding to Examiner Requests
When preparing for a BSA examination or responding to a document request:
Examination Production Checklist
- Confirm scope of request (date range, customers, transaction types)
- Identify all relevant systems containing responsive records
- Run comprehensive searches across all systems
- De-duplicate records (same transaction may appear in multiple systems)
- Organize records logically (chronologically or by customer)
- Create index or table of contents for large productions
- Verify records are complete and legible
- Provide context if records are incomplete or unavailable
- Track time spent on production (may be relevant for cost recovery if subpoenaed)
- Maintain log of what was produced and to whom
Production Deadlines Are Strict
Failure to produce BSA records within the specified timeframe can result in enforcement action. If you cannot meet a production deadline, immediately contact the requesting agency to request an extension and explain the delay. Never ignore a record production request.
Common Recordkeeping Deficiencies Found in Examinations
Avoid these frequent deficiencies cited in BSA examinations:
- Incomplete CIP files (missing identification verification or beneficial ownership)
- Transaction records that don't meet the 5-year retention requirement
- SAR supporting documentation inadequate or missing
- No documented rationale for decisions not to file SARs on escalated alerts
- Training records incomplete or not maintained for 5 years
- Independent testing older than 2 years (should be annual or biennial)
- Records stored in a system that cannot be searched or retrieved efficiently
- Electronic records without adequate backup or disaster recovery
- No written record retention policy
- Records destroyed prematurely (before 5-year period elapsed)
Mock Examination Exercise
Best practice: Conduct an annual mock examination where you simulate a regulator document request. Time how long it takes to gather and produce responsive records. This identifies system weaknesses and trains staff on production procedures before a real examination occurs.
BSA Recordkeeping Master Checklist
Comprehensive checklist of all records that must be maintained under BSA regulations:
Complete BSA Records Inventory
- Customer Identification Records - Name, address, DOB, TIN, ID verification documents (5 years after account closure)
- Beneficial Ownership Documentation - For legal entity customers, 25%+ owners and control persons (5 years after account closure)
- Customer Due Diligence (CDD) Records - Risk assessments, KYC questionnaires, source of funds documentation (5 years)
- Enhanced Due Diligence (EDD) Records - Additional documentation for high-risk customers (5 years)
- Transaction Records $3,000+ - All transactions meeting or exceeding threshold (5 years from transaction date)
- Funds Transfer Records - Wire transfers, ACH, crypto transfers $3,000+ with full Travel Rule information (5 years)
- SAR Filing Records - Copies of all SARs filed and supporting documentation (5 years from filing date)
- SAR Decision Documentation - Records of SAR filing decisions, including decisions not to file (5 years)
- CTR Filing Records - Currency Transaction Reports for cash over $10,000 (5 years from filing date)
- CTR Exemption Records - If applicable to your business type (5 years)
- OFAC/Sanctions Screening - Records of all sanctions checks performed (5 years)
- PEP Screening Records - Politically Exposed Person identification and monitoring (5 years)
- Adverse Media Screening - Negative news and reputational risk checks (5 years)
- Account Opening Documentation - Applications, agreements, disclosures (5 years after closure)
- Account Closure Records - Closure date, reason, final statements (5 years from closure)
- Account Statements - All customer account statements (5 years)
- Deposit and Withdrawal Records - All funding and withdrawal transactions (5 years)
- Internal Suspicious Activity Reports - Internal escalations and investigations (5 years)
- AML Training Records - All employee training documentation (5 years)
- Independent Testing/Audit Reports - BSA compliance audits and testing (5 years)
- Board Meeting Minutes - Related to BSA/AML program oversight (5 years)
- AML Program Documentation - Written AML policies and procedures, including all revisions (current + 5 years)
- FinCEN Registration - MSB registration and renewal records (permanent)
- State Licenses - Money transmitter licenses and renewals (permanent)
- Vendor Due Diligence - Third-party service provider risk assessments (5 years)
Document Organization Framework
An effective BSA recordkeeping system requires logical organization. Below are recommended frameworks for structuring your BSA records repository.
Option 1: Customer-Centric Filing
Organize all records by customer, with subfolders for record types:
Customer-Centric Structure
Option 2: Record-Type Filing
Organize by type of record, with subfolders for date ranges or customers:
Record-Type Structure
Hybrid Approach (Recommended)
Most effective: Use customer-centric filing for active customers and routine transactions, with separate filing for program-level records (SARs, training, audits). Leverage database systems with multiple indexing to enable searching by customer OR record type.