BSA/AML/CIP Study Notes

Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and Customer Identification Program (CIP)

  • Origin and evolution

    • BSA originated from the Currency and Foreign Transactions Reporting Act of 1970; over time it has been amended several times.
    • The most prominent modern amendments occurred on or around February 2001 as part of AML provisions tied to the USA PATRIOT Act (Title III).
    • The overarching purpose is to require financial institutions to assist U.S. government agencies to detect and prevent money laundering.
  • Core purposes and requirements of the BSA/AML framework

    • Require financial institutions to keep records of cash purchases of negotiable instruments.
    • Require filing reports of cash transactions over a daily amount of $10,000.
    • Require reporting of suspicious activity that might signify money laundering, tax evasion, or other criminal activity (SARs).
    • The Bank Secrecy Act enforcement and regulatory authority rests with the Department of the Treasury.
  • Regulatory authority and organizational structure

    • Department of the Treasury oversees BSA/AML regulation.
    • Under Treasury, two key branches are:
    • Internal Revenue Service (IRS)
    • Financial Crimes Enforcement Network (FinCEN)
    • FinCEN’s mission: safeguard the financial system from illicit use and combat money laundering; promote national security via collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.
    • The IRS mission complements FinCEN’s efforts (tax and financial investigations).
  • Key statements from the BSA regarding regulatory approach

    • The Secretary of the Treasury issues regulations requiring financial institutions to maintain records and file reports that have a high degree of usefulness in criminal tax and regulatory investigations, or in intelligence/counterintelligence activities.
    • AML programs must be reasonably designed to prevent the institution from being used to facilitate money laundering or financing of terrorism.
  • Anti-Money Laundering (AML) program requirements

    • Each covered financial institution must establish an AML program that is scalable to its size, location, and activities.
    • AML program components (minimum):
    • Internal policies, procedures, and controls (policies to prevent money laundering and terrorist financing).
    • Designation of a dedicated AML/compliance officer.
    • Ongoing employee training.
    • Independent audit function to test the program and catch any gaps.
    • The size and complexity of the program depend on the institution’s characteristics; there is no one-size-fits-all model.
  • Who is covered under BSA/AML rules?

    • The term financial institution includes loan or finance companies, not just traditional banks.
    • Non-bank residential mortgage lenders and originators are considered a subset of the loan or finance company category and are therefore covered.
    • When rules reference sections like 1029.210 or 1029.320, these points are part of the rule set shaped by CFPB involvement (e.g., CFPB regulations guiding AML/SAR obligations for lending entities).
  • Suspicious Activity Reports (SARs) and thresholds

    • Covered entities must develop and implement an AML program designed to prevent money laundering and financing of terrorism.
    • The final rule sets a reporting obligation for suspicious transactions with a threshold tied to lending activity: an aggregate of at least $5,000 in funds or other assets through a loan or finance company.
    • SARs must be filed whenever a transaction meets the reportable criteria, irrespective of whether currency is involved.
    • Interpretation: almost every lending transaction exceeds the $5,000 threshold when aggregated with related activities or across multiple attempts.
  • What kinds of transactions are considered suspicious? (SAR triggers)

    • Funds derived from illegal activity, or intended or conducted to hide or disguise funds from illegal activity.
    • No business or apparent lawful purpose and lack of a reasonable explanation after reviewing available facts.
    • Use of a loan/finance company to facilitate criminal activity.
    • If any of these conditions are suspected, the institution must file a SAR.
  • SAR filing timelines and urgent reporting

    • Generally, a SAR must be filed no later than 30 calendar days after the date of the initial detection of the suspicious activity.
    • If no suspect is identified, there is an additional period of up to 30 days to file (i.e., up to 60 days total from initial detection).
    • In situations requiring immediate attention (ongoing money laundering schemes or suspected terrorist financing), entities must immediately notify law enforcement authorities by phone or other appropriate means in addition to filing a timely SAR.
  • Recordkeeping and confidentiality

    • Institutions must retain a copy of the SAR and any supporting documentation for a period of 5 years.
    • Documentation should identify the actual suspicious activity and support the SAR filing.
    • SARs are confidential; no one (including officers, employees, agents) may disclose that a SAR exists or reveal its contents.
    • If ordered by subpoena or court to disclose, the entity must decline disclosure to maintain confidentiality.
  • Examples of common fraud/scams relevant to BSA/AML/SAR considerations

    • Occupancy fraud: borrowers misrepresenting property use (primary residence vs. investment) to obtain more favorable terms.
    • Income fraud: overstating or understating income to qualify for a mortgage or to obtain concessions.
    • Appraisal fraud: inflating or deflating appraised values to influence loan proceeds.
    • Employment fraud: misrepresenting employment status or history.
    • Liability fraud: omitting significant liabilities from a mortgage application.
    • Debt elimination schemes: fake legal documents or schemes to negate mortgage obligations or extinguish balances.
    • Foreclosure rescue scams: offering services to stop or delay foreclosure through fraudulent means.
    • Identity theft/identity-related fraud: SSN, ITIN, EIN numbers or other government IDs used to qualify for credit.
    • Reverse mortgage fraud: seniors coerced into transfers or reverse mortgages that siphon equity without benefit to the homeowner.
  • Real estate specific screening and Geographical Targeting Orders (GTO)

    • FinCEN renews real estate geographic targeting orders to identify high-end cash buyers.
    • Targeted in six metropolitan areas; title companies must verify the actual identity of buyers (whether investment groups or individuals) making all-cash offers on high-value properties.
    • High-value threshold referenced in the guidance context (e.g., properties around $40,000,000 in all-cash deals).
    • Purpose: ensure funds originate from legitimate sources and identify potential illicit proceeds.
  • Customer Identification Program (CIP) and its integration with SIP rules

    • All financial institutions must have a written policy prescribing a Customer Identification Program (CIP).
    • The SIP rule implements the Patriot Act and requires each bank to implement a written, size- and type-appropriate program with minimum requirements.
    • Objective: enable the bank to form a reasonable belief that it knows the true identity of each customer.
    • SIP program components include:
    • Account opening procedures that specify the identifying information collected from each customer.
    • Procedures to verify identity to the extent reasonable and practical.
    • Records of the information used to verify identity.
    • Procedures to determine whether the customer appears on lists of known or suspected terrorists or terrorist organizations provided by government agencies.
  • Minimum identifying information required before opening an account or taking a mortgage loan

    • For each customer, at minimum, collect:
    • Name
    • Date of birth (for individuals)
    • Residential address
    • Identification number for a US person (taxpayer identification number or SSN) or a passport number with country of issuance, or alien identification card number and country of issuance, or any other unexpired government-issued document evidencing nationality or residence bearing a photograph or similar safeguard
    • This data is typically collected as part of the loan application and identity verification process.
  • Written policies, records, and examiner expectations

    • AML and CIP programs must be in writing, with documented procedures and records.
    • FinCEN indicates that without capturing the required SIP data and documentation, filers would lack sufficient information to file a SAR.
    • The lender (even if a broker is involved) is ultimately responsible for SIP compliance; third-party originators (mortgage brokers acting as agents) must follow the lender’s SIP.
    • Guidance indicates lender liability can extend to brokers when SIP deficiencies occur, though risk can flow downhill to the broker as applicable.
  • Mortgage brokers and third-party originators (TPOs)

    • When a mortgage broker acts as an agent for a lender (TPO), the broker should follow the lender’s SIP.
    • The lender bears primary responsibility for SIP compliance; brokers can be held to account for SIP deficiencies through regulatory enforcement or contractual arrangements.
  • Practical note for exam and practice

    • Ensure AML programs and CIP are in place, written, and scalable to the organization size and risk profile.
    • Maintain thorough records, including SARs, supporting documentation, and identity verification data for at least 5 years.
    • Implement robust identity verification at the time of account opening or mortgage loan initiation, including checking against government terrorist lists.
    • Be aware of real estate-specific regulatory enhancements (RTGO) and the role of title companies in verifying beneficial ownership and source of funds for high-value, all-cash real estate transactions.
  • Summary takeaway

    • The BSA/AML framework imposes comprehensive, scalable requirements on financial institutions, including lenders, to detect and deter money laundering and terrorist financing through recordkeeping, reporting, and identity verification.
    • SARs are a central tool, kept confidential and subject to strict handling rules, with defined timelines and consequences for non-compliance.
    • CIP/SIP policies, particularly in mortgage lending and third-party origination, are essential to establish true customer identity and to support SAR filing and regulatory reporting.