Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
This page is no longer active. Its content has expired or been rescinded by the FDIC.
Financial Institution Letter
Bank Secrecy Act Compliance

SUBJECT: Guidelines for Monitoring
Bank Secrecy Act Compliance

The Federal Deposit Insurance Corporation (FDIC) recently revised its May 18, 1987, guidelines for monitoring Bank Secrecy Act (BSA) compliance. These new guidelines are attached.

On May 18, 1987, the FDIC issued a policy statement entitled "Guidelines for Monitoring Bank Secrecy Act Compliance." The guidelines included the steps that banks should take to comply with Section 326.8 of the FDIC's Rules and Regulations, which governs procedures within the bank to ensure compliance with Treasury Department rules, as well as a copy of the FDIC's BSA compliance examination procedures. While the 1987 policy statement will be rescinded, the guidelines have been updated. The FDIC recently adopted revised BSA examination procedures developed by an interagency working group, which are included in the attached revised guidelines.

In addition to the new BSA examination procedures, the revised guidelines include further instructions on independent testing, training, and designating an individual or individuals to be responsible for coordinating and monitoring compliance with the Bank Secrecy Act, as well as a brief section on "Know Your Customer" policies.

The FDIC's compliance requirements are separate from the substantive reporting and recordkeeping requirements of the Bank Secrecy Act and 31 C.F.R. 103. Banks must have an effective compliance program that not only meets the minimum requirements of the FDIC's rule, but addresses the specific circumstances of each banking office. For example, banks operating from numerous locations and banks with offices in border areas or in areas where money laundering or drug trafficking is prevalent must have in place extensive controls, plans and procedures beyond the minimum regulatory requirements.

The true test of any compliance program's effectiveness is its ability to prevent violations. If examiners find numerous or serious violations of the Treasury Department's regulations, the bank's compliance program will likely be judged inadequate, and violations of Section 326.8 will be cited.

The independent testing requirement contained in Section 326.8 demands the use of examination procedures by auditors, outside parties or employees who are independent of the currency transaction reporting function. The FDIC's examination procedures may be used as a model for developing such procedures within the banking organization. It is essential that the scope of any testing procedures as well as the results of those procedures be thoroughly documented. In most cases, this will involve retaining workpapers from internal and/or external audits of BSA compliance. Procedures that are not adequately documented will not be accepted as being in compliance with the independent testing requirement.

Repeated violations of Section 326.8 may result in a cease and desist order against the bank by the FDIC. Failure to comply with such an order may result in the assessment of civil money penalties. The FDIC reports to the Treasury Department all BSA violations discovered during each examination. Those violations are reviewed by Treasury for possible civil money penalty assessment.

Beginning February 19, 1996, the FDIC's Division of Supervision officially assumed full responsibility for BSA examinations from the Division of Compliance and Consumer Affairs. Questions regarding the attached guidelines, or the examination procedures incorporated within the guidelines, should be addressed to your Division of Supervision Regional Office.

Nicholas J. Ketcha Jr.


Financial Recordkeeping and Reporting Regulations Examination Procedures 31 C.F.R. 103 (99 kb, PDF help or hard copy ),
(PDF Format)

Distribution: FDIC-Supervised Banks (Commercial and Savings)


Section 326.8 of the FDIC's Rules and Regulations requires banks to develop and administer a program to assure compliance with the Bank Secrecy Act (BSA) and 31 C. F. R. 103. The compliance program must be in writing, approved by the bank's board of directors and noted in the minutes.

Section 326.8(c) sets out four minimum requirements of the compliance program. To meet the minimum requirements, a bank's compliance program should include:

  1. A system of internal controls . At a minimum, the system must be designed to:

    • Identify reportable transactions at a point where all of the information necessary to properly complete the required reporting forms can be obtained. The bank might accomplish this by sufficiently training tellers and personnel in other departments or by referring large currency transactions to a designated teller. If all pertinent information cannot be obtained from the customer, the bank should consider declining the transaction.

    • Ensure that all required reports are completed accurately and properly filed. Banks should consider centralizing the review and report-filing functions within the banking organization.

    • Ensure that customer exemptions are properly granted and recorded. The compliance officer or other designated officer should review and initial all exemptions prior to granting them.

    • Provide for adequate supervision of employees who accept currency transactions, complete reports, grant exemptions or engage in any other activity covered by 31 C. F. R. 103.

    • Establish dual controls and provide for separation of duties. Employees who complete the reporting forms should not be responsible for filing them or for granting customer exemptions.

  2. Independent testing for compliance with the BSA and 31 C. F. R. 103 . The independent testing should be conducted at least annually, preferably by the internal audit department, outside auditors, or consultants. Banks that do not employ outside auditors or consultants or that do not operate internal audit departments can comply with this requirement by utilizing for testing employees who are not involved in the currency transaction reporting function.

    The compliance testing should include, at a minimum:

    • A test of the bank's internal procedures for monitoring compliance with the BSA, including interviews of employees who handle cash transactions and their supervisors.

    • A sampling of large currency transactions followed by a review of CTR filings.

    • A test of the validity and reasonableness of the customer exemptions granted by the bank.

    • A test of the bank's recordkeeping system for compliance with the BSA.

    • Documentation of the scope of the testing procedures performed and the findings of the testing. Any apparent violations, exceptions or other problems noted during the testing procedures should be promptly reported to the board of directors or appropriate committee thereof.

    It is essential that the scope of any testing procedures, and the results of those procedures, be thoroughly documented. In most cases, this will involve retention of workpapers from internal and/or external audits of BSA compliance. Procedures that are not adequately documented will not be accepted as being in compliance with the independent testing requirement.

  3. The designation of an individual or individuals to be responsible for coordinating and monitoring compliance with the Bank Secrecy Act . To meet the minimum requirement, each bank must designate a senior bank official to be responsible for overall BSA compliance. Other individuals in each office, department or regional headquarters should be given the responsibility for day-to-day compliance. The title of the individual responsible for overall BSA compliance is not important; however, the level of authority and responsibility within the institution is. The senior bank official in charge of BSA compliance should be in a position, and have the authority, to make and enforce policies. A "BSA Officer" who reports to a senior official would not be sufficient to meet the requirements unless the senior official is officially designated as the officer in charge of overall BSA compliance.

  4. Training for appropriate personnel . At a minimum, the bank's training program must provide training of all personnel whose duties may require knowledge of the BSA, including, but not limited to, tellers, new accounts personnel, lending personnel, bookkeeping personnel, wire room personnel, etc.

    In addition, an overview of the BSA requirements should be given to new employees and efforts should be made to keep executives informed of changes and new developments in BSA regulation.

    Depending on the bank's needs, training materials can be purchased from banking associations, trade groups or outside vendors, or they can be developed by the bank. Copies of the training materials must be available in the bank for review by examiners.

    An effective "Know Your Customer" policy also is essential to compliance with the BSA and may aid in preventing the financial institution from becoming a conduit for a money laundering scheme. A "know your customer" policy consists of procedures that require proper identification of every customer at the time an account is opened in order to prevent establishment of fictitious accounts. The primary objective of such a policy is to enable the financial institution to predict, with relative certainty, the types of transactions the customer is likely to be engaged in. Internal systems should then be developed for monitoring transactions which are inconsistent with each customer's "transaction profile". In addition, the bank's employee education program should provide examples of customer behavior or activity which may warrant investigation.

Last Updated 5/13/2005

Last Updated: May 14, 1996