AML/CFT guide · United States
United States AML/CFT Framework: A Reference Guide
An overview of the US anti-money-laundering and sanctions framework, the authorities that administer it, its legislative history, and current obligations.
Last updated 2026-06-20
United States AML/CFT Framework: A Reference Guide
The United States anti-money-laundering (AML) and countering-the-financing-of-terrorism (CFT) regime is built on the Bank Secrecy Act (BSA) as its umbrella statute, layered over decades of subsequent legislation. In practice, US obligations fall into two stacked duties: a BSA "program" duty administered by FinCEN and the prudential regulators, and a separate sanctions duty administered by OFAC. The two carry different legal standards and are addressed below.
Regulators and authorities
| Authority | Role |
|---|---|
| FinCEN (Financial Crimes Enforcement Network, a Treasury bureau) | The US Financial Intelligence Unit and administrator of the BSA. Issues regulations (31 CFR Chapter X), collects SARs, CTRs and beneficial-ownership filings, operates the 314(a)/(b) information-sharing channels, and sets national AML/CFT priorities. |
| OFAC (Office of Foreign Assets Control, a Treasury office) | Administers and enforces US economic and trade sanctions, including the SDN List and the broader Consolidated Sanctions List. Distinct from the BSA. |
| Prudential / functional regulators — OCC, FDIC, Federal Reserve, NCUA | Examine and enforce BSA/AML compliance at the institutions they supervise; co-author the FFIEC BSA/AML Examination Manual. |
| SEC / FINRA | Apply BSA/AML and customer-identification rules to broker-dealers, mutual funds, and certain investment advisers. |
| DOJ | Criminal prosecution of money laundering (18 USC 1956/1957) and willful BSA violations; deferred and non-prosecution agreements. |
| IRS Criminal Investigation / Treasury | IRS-CI holds BSA examination authority for many non-bank financial institutions; Treasury sets policy. |
The largest enforcement actions frequently combine DOJ, OFAC and FinCEN.
History — timeline
| Year | Law / event | Issuing authority | What it changed |
|---|---|---|---|
| 1970 | Bank Secrecy Act (Currency and Foreign Transactions Reporting Act), P.L. 91-508 | Congress / Treasury | Foundational statute. Created reporting and recordkeeping duties for financial institutions — notably the Currency Transaction Report (CTR) for cash transactions over $10,000. No money-laundering crime yet. |
| 1986 | Money Laundering Control Act (MLCA), P.L. 99-570 | Congress / DOJ | Criminalized money laundering (18 USC 1956, 1957) for the first time; imposed criminal liability for knowingly assisting laundering. Made structuring (splitting transactions to evade CTRs) a crime. |
| 1990 | FinCEN created (Treasury order) | Treasury | Established FinCEN to analyze BSA data for law enforcement; later made the BSA administrator. |
| 1992 | Annunzio-Wylie Anti-Money Laundering Act | Congress / Treasury | Launched the modern Suspicious Activity Report (SAR) regime with a reporting safe harbor; authorized BSA compliance-program requirements. |
| 1994 | Money Laundering Suppression Act | Congress | Streamlined CTR exemptions; required money-services-business registration. |
| 2001 | USA PATRIOT Act, Title III, P.L. 107-56 | Congress | Mandated written AML programs for most financial institutions; established the Customer Identification Program (CIP) rule (§326); enhanced correspondent-banking controls; §311 special measures against primary money-laundering concerns; §314(a) law-enforcement information requests and §314(b) voluntary institution-to-institution information sharing; prohibited US correspondent accounts for foreign shell banks. |
| 2004 | Intelligence Reform & Terrorism Prevention Act | Congress | Authorized cross-border electronic-transmittal reporting; expanded SAR-sharing. |
| 2016 (eff. 2018) | CDD Rule (final May 2016, compliance May 11, 2018) | FinCEN | Codified the "fifth pillar": ongoing Customer Due Diligence plus a requirement to identify and verify the beneficial owners of legal-entity customers (25% ownership prong plus one control-prong individual). |
| 2020 (enacted Jan 1, 2021) | Anti-Money Laundering Act of 2020 (AMLA), including the Corporate Transparency Act (CTA), in the NDAA FY2021 | Congress | Directed FinCEN to set national AML/CFT priorities, modernize the BSA toward a risk and effectiveness focus, expand coverage to antiquities dealers, create a BSA whistleblower program, and stand up a beneficial-ownership (BOI) registry under the CTA. |
| 2021 | First AML/CFT National Priorities issued (Jun 30, 2021) | FinCEN | Eight priorities: corruption, cybercrime, terrorist financing, fraud, transnational crime, drug trafficking, human trafficking, and proliferation financing. |
| 2022–2024 | CTA BOI Reporting Rule finalized (Sep 2022; effective Jan 1, 2024) | FinCEN | Required reporting companies to file beneficial-ownership information with FinCEN. |
| 2024 | Investment Adviser AML Rule (final Aug 2024) | FinCEN | Extended BSA/AML program and SAR obligations to certain SEC-registered and exempt investment advisers. |
Current framework — core obligations
A covered financial institution's BSA/AML program today rests on the following elements, as set out in the FFIEC BSA/AML Examination Manual:
- AML program — the "four/five pillars": (1) internal controls and policies; (2) a designated BSA/AML compliance officer; (3) ongoing training; (4) independent testing and audit; and, since the 2018 CDD Rule, a fifth pillar — ongoing Customer Due Diligence, including beneficial-ownership identification.
- CIP (Customer Identification Program): verify the identity of customers at account opening (PATRIOT Act §326).
- CDD and beneficial ownership (2018 rule): identify and verify legal-entity beneficial owners — a 25% ownership prong plus a control-prong individual — and conduct risk-based ongoing monitoring.
- Reporting: SARs (suspicious activity) and CTRs (cash over $10,000); plus CMIR, FBAR, and Form 8300.
- Recordkeeping: including the funds-transfer "Travel Rule" (originator and beneficiary information on transmittals of $3,000 or more).
- Information sharing: §314(a) (responding to law-enforcement queries) and §314(b) (voluntary institution-to-institution sharing, with a safe harbor).
- Sanctions screening (OFAC): screen customers and transactions against OFAC lists — legally separate from the BSA program but operationally part of the same compliance function.
Sanctions obligations (OFAC)
- Lists: OFAC publishes the Specially Designated Nationals and Blocked Persons (SDN) List and a broader Consolidated Sanctions List (non-SDN lists such as SSI and FSE). US persons are generally prohibited from dealing with listed parties and with entities 50% or more owned by them (the "OFAC 50 Percent Rule").
- Strict-liability standard: OFAC civil enforcement applies a strict-liability standard — a US person can be penalized for a prohibited transaction even without knowledge or intent. This differs from the negligence/reasonableness standard generally applied to BSA program failures.
- Penalty scale: Under IEEPA-based programs, the statutory maximum civil penalty is the greater of approximately $377,700 per violation (inflation-adjusted) or twice the transaction value; criminal penalties can reach $1M and 20 years. Correspondent-banking failures have produced the largest settlements, including BNP Paribas (approximately $8.9B, 2014), Standard Chartered, and HSBC.
- Expectations: OFAC's Framework for Compliance Commitments sets out the expectation of a risk-based sanctions compliance program: management commitment, risk assessment, internal controls, testing, and training.
Enforcement
Civil penalties for BSA program failures can be substantial and are often paired with mandated remediation or monitorships; willful violations carry criminal exposure. The AMLA raised BSA penalty ceilings and added a whistleblower incentive and protection program. The costliest cases typically combine sanctions breaches with AML program deficiencies in cross-border and correspondent-banking contexts, reflecting that screening and program controls are examined together.
Recent and proposed developments
Corporate Transparency Act / BOI registry. BOI reporting took effect on January 1, 2024 and was subsequently challenged on constitutional grounds. On March 21, 2025, FinCEN issued an interim final rule that redefined "reporting company" to cover only foreign entities registered to do business in the US, with separate deadlines for those foreign entities. FinCEN has stated it was reviewing public comments toward a final rule. The scope of BOI reporting is the subject of ongoing rulemaking and litigation and may change; current obligations should be verified against FinCEN's published guidance. Separately, some states (for example, New York's LLC Transparency Act) have enacted their own beneficial-ownership regimes.
AML/CFT program reform (proposed, as of April 2026). On April 10, 2026, FinCEN, together with the prudential agencies, issued a proposed rule to reform AML/CFT program requirements under the BSA — shifting toward a risk-based, effectiveness-and-outcomes model and requiring programs to incorporate the national AML/CFT priorities. As proposed, the rule contemplates a 12-month implementation window after any final rule. The proposal is not final and remains subject to the rulemaking process.
Other AMLA implementation in progress. This includes the 2024 investment-adviser AML rule, residential-real-estate and gatekeeper rulemakings, broader BSA modernization, and periodic refresh of the national priorities (required at least every four years).
Sources & primary authorities
URLs checked 2026-06-20.
This guide is general information, not legal advice, and is current as of 2026-06-20.
Keep this guide current
Monthly sanctions enforcement digest
Regimes change. Get the monthly digest of new designations and enforcement actions — and a heads-up when we publish a downloadable PDF of this United States guide.