Back to Frameworks

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

United States
v2020
9 domains
44 controls

The Bank Secrecy Act (31 U.S.C. 5311-5332) and implementing regulations (31 CFR Chapter X) establish requirements for financial institutions to detect and prevent money laundering, terrorist financing, and other financial crimes. Key components include AML compliance programs, customer identification/due diligence, suspicious activity reporting, currency transaction reporting, and recordkeeping. Amended by USA PATRIOT Act (2001), CDD Rule (2016), and AML Act (2020).

Verified

Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.

Visit ecfr.gov

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (9)

AML Compliance Program

5 controls

AML/BSA compliance program pillars (31 CFR 1010.210/1020.210).

Controls in the AML Compliance Program domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)5 controls
CodeTitle
BSA-AML-01AML Compliance Programme
BSA-AML-02BSA Compliance Officer
BSA-AML-03Independent Testing
BSA-AML-04AML Training
BSA-AML-24AML Programme Effectiveness (AMLA 2020)

Customer Identification and Due Diligence

11 controls

CIP, CDD and beneficial ownership (31 CFR 1010.220/.230).

Controls in the Customer Identification and Due Diligence domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)11 controls
CodeTitle
BSA-AML-05Customer Identification Program (CIP)
BSA-AML-06Customer Due Diligence (CDD)
BSA-AML-07Beneficial Ownership Identification
BSA-AML-08Enhanced Due Diligence (EDD)
BSA-CDD-1Beneficial Ownership Identification
BSA-CDD-2Beneficial Ownership Verification
BSA-CDD-3Customer Risk Profiling
BSA-CDD-4Enhanced Due Diligence (EDD)
BSA-CIP-1Customer Identification Program (CIP)
BSA-CIP-2Identity Verification
BSA-CIP-3CIP Recordkeeping

Enforcement

3 controls

Anti-structuring and BSA penalties (31 USC 5324; 31 CFR 1010.314).

Controls in the Enforcement domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)3 controls
CodeTitle
BSA-ENF-1Anti-Structuring Prohibition
BSA-ENF-2Civil Money Penalties
BSA-ENF-3Criminal Penalties

High-Risk Relationships

2 controls

Correspondent and private banking due diligence (31 CFR 1010.610/.620).

Controls in the High-Risk Relationships domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)2 controls
CodeTitle
BSA-AML-17Correspondent Account Due Diligence
BSA-AML-18Private Banking Due Diligence

Information Sharing

3 controls

314(a) and 314(b) information sharing (31 CFR 1010.520/.540).

Controls in the Information Sharing domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)3 controls
CodeTitle
BSA-AML-19Information Sharing 314(a)
BSA-AML-20Voluntary Information Sharing 314(b)
BSA-REC-4Information Sharing (Section 314)

Monitoring and Risk

2 controls

Transaction monitoring and AML risk assessment.

Controls in the Monitoring and Risk domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)2 controls
CodeTitle
BSA-AML-15Transaction Monitoring
BSA-AML-16AML Risk Assessment

Recordkeeping

6 controls

Recordkeeping and retention incl. Travel Rule and FBAR (31 CFR 1010.410/.350).

Controls in the Recordkeeping domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)6 controls
CodeTitle
BSA-AML-12Monetary Instrument Recordkeeping
BSA-AML-13Funds Transfer Recordkeeping (Travel Rule)
BSA-AML-21Recordkeeping and Retention
BSA-REC-1Funds Transfer Recordkeeping (Travel Rule)
BSA-REC-2Monetary Instrument Purchase Records
BSA-REC-3Foreign Bank Account Reporting (FBAR)

Reporting

10 controls

SAR, CTR and beneficial ownership reporting (31 CFR 1010.310/.320/.380).

Controls in the Reporting domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)10 controls
CodeTitle
BSA-AML-09Suspicious Activity Reporting (SAR)
BSA-AML-10Currency Transaction Reporting (CTR)
BSA-AML-11CTR Exemptions
BSA-AML-22Beneficial Ownership Reporting (Corporate Transparency Act)
BSA-CTR-1Currency Transaction Reports
BSA-CTR-2CTR Filing Deadline
BSA-SAR-1Suspicious Activity Reports - Threshold
BSA-SAR-2SAR Filing Deadline
BSA-SAR-3SAR Confidentiality
BSA-SAR-4SAR Recordkeeping

Sanctions and Special Measures

2 controls

OFAC screening and section 311 special measures (31 CFR 1010.651+).

Controls in the Sanctions and Special Measures domain of Bank Secrecy Act / Anti-Money Laundering (BSA/AML)2 controls
CodeTitle
BSA-AML-14OFAC Sanctions Screening
BSA-AML-23Section 311 Special Measures

Your Compliance Coverage

If you comply with Bank Secrecy Act / Anti-Money Laundering (BSA/AML), you already cover:

Maps to 89 other frameworks

44 total controls
AML/CTF Act 2006 (Australia)
23 source controls mapped|27 target controls covered
52%
FTC GLBA Safeguards Rule (16 CFR Part 314)
5 source controls mapped|4 target controls covered
11%
Florida Digital Bill of Rights (FDBR)
5 source controls mapped|2 target controls covered
11%
Nigeria Open Banking Regulatory Framework (CBN, 2023)
4 source controls mapped|1 target controls covered
9%
Nevada Gaming Control Board Cybersecurity Requirements
4 source controls mapped|1 target controls covered
9%
India CERT-In Cyber Security Directions 2022
4 source controls mapped|1 target controls covered
9%
IFRS 17 - Insurance Contracts
4 source controls mapped|1 target controls covered
9%
GHG Protocol
4 source controls mapped|1 target controls covered
9%
APRA CPS 230 Operational Risk Management
4 source controls mapped|1 target controls covered
9%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
1 source controls mapped|2 target controls covered
2%
WCAG 2.2
1 source controls mapped|1 target controls covered
2%
W3C Verifiable Credentials (VC) Data Model 2.0
1 source controls mapped|1 target controls covered
2%
US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements
1 source controls mapped|1 target controls covered
2%
Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter
1 source controls mapped|1 target controls covered
2%
TSA Pipeline Cybersecurity Directives
1 source controls mapped|1 target controls covered
2%
Tennessee Information Protection Act (TIPA)
1 source controls mapped|1 target controls covered
2%
TEFCA - Trusted Exchange Framework and Common Agreement
1 source controls mapped|1 target controls covered
2%
SLSA
1 source controls mapped|1 target controls covered
2%
Sigstore - Software Artifact Signing and Verification
1 source controls mapped|1 target controls covered
2%
SIG (Shared Assessments)
1 source controls mapped|1 target controls covered
2%
Secure by Design: A Guide for Manufacturers (CISA)
1 source controls mapped|1 target controls covered
2%
Regulation on the European Health Data Space (EHDS)
1 source controls mapped|1 target controls covered
2%
PTES
1 source controls mapped|1 target controls covered
2%
OWASP Top 10 for LLM Applications 2025
1 source controls mapped|2 target controls covered
2%
OWASP SAMM
1 source controls mapped|1 target controls covered
2%
OWASP MASVS
1 source controls mapped|1 target controls covered
2%
OWASP DevSecOps Maturity Model (DSOMM)
1 source controls mapped|1 target controls covered
2%
OpenSSF Scorecard
1 source controls mapped|1 target controls covered
2%
Oman National Cybersecurity Framework
1 source controls mapped|1 target controls covered
2%
O-RAN WG11 Security Specification
1 source controls mapped|1 target controls covered
2%
NIST SP 800-92
1 source controls mapped|1 target controls covered
2%
NIST SP 800-88
1 source controls mapped|1 target controls covered
2%
2%
NIST SP 800-66
1 source controls mapped|1 target controls covered
2%
NIST SP 800-63-4
1 source controls mapped|1 target controls covered
2%
NIST SP 800-61
1 source controls mapped|1 target controls covered
2%
NIST SP 800-146
1 source controls mapped|1 target controls covered
2%
NIST SP 800-145
1 source controls mapped|1 target controls covered
2%
NIST SP 800-144
1 source controls mapped|1 target controls covered
2%
NIST SP 800-137
1 source controls mapped|1 target controls covered
2%
NIST SP 800-123
1 source controls mapped|1 target controls covered
2%
NIST Privacy Framework
1 source controls mapped|1 target controls covered
2%
NIS2 Directive Implementing Acts
1 source controls mapped|1 target controls covered
2%
NAIC Insurance Data Security Model Law (MDL-668)
1 source controls mapped|1 target controls covered
2%
MTCS (Singapore)
1 source controls mapped|1 target controls covered
2%
MITRE D3FEND
1 source controls mapped|1 target controls covered
2%
MITRE ATT&CK
1 source controls mapped|1 target controls covered
2%
MDS2 (Medical Device)
1 source controls mapped|1 target controls covered
2%
MARS-E
1 source controls mapped|2 target controls covered
2%
ITU-T X.805 - Security Architecture for End-to-End Communications
1 source controls mapped|1 target controls covered
2%
ISMAP (Japan)
1 source controls mapped|1 target controls covered
2%
HL7 FHIR Security Framework
1 source controls mapped|1 target controls covered
2%
GLI-33 - Gaming Laboratories International Event Wagering Systems
1 source controls mapped|1 target controls covered
2%
Ghana Cybersecurity Act
1 source controls mapped|1 target controls covered
2%
FISMA
1 source controls mapped|1 target controls covered
2%
FIDO2 / WebAuthn
1 source controls mapped|2 target controls covered
2%
FedRAMP Rev 5
1 source controls mapped|1 target controls covered
2%
FDA 21 CFR Part 11
1 source controls mapped|1 target controls covered
2%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
1 source controls mapped|1 target controls covered
2%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
1 source controls mapped|3 target controls covered
2%
ASD Strategies to Mitigate Cyber Security Incidents
1 source controls mapped|2 target controls covered
2%
Illinois Biometric Information Privacy Act (BIPA)
1 source controls mapped|2 target controls covered
2%
ISO 19011
1 source controls mapped|2 target controls covered
2%
2%
ISO/IEC 27400:2022
1 source controls mapped|1 target controls covered
2%
AWS Well-Architected Security Pillar
1 source controls mapped|1 target controls covered
2%
Armenia Law on Protection of Personal Data (2015)
1 source controls mapped|1 target controls covered
2%
Azure Security Benchmark
1 source controls mapped|1 target controls covered
2%
ISO 13485
1 source controls mapped|2 target controls covered
2%
NIST SP 800-190
1 source controls mapped|1 target controls covered
2%
BSI IT-Grundschutz
1 source controls mapped|1 target controls covered
2%
NIST SP 800-53 Rev 5
1 source controls mapped|3 target controls covered
2%
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
1 source controls mapped|3 target controls covered
2%
ISO 27043
1 source controls mapped|1 target controls covered
2%
3GPP 5G Security Architecture (TS 33.501)
1 source controls mapped|1 target controls covered
2%
NIST Cybersecurity Framework 2.0
1 source controls mapped|2 target controls covered
2%
ISO 27018
1 source controls mapped|1 target controls covered
2%
ISO/SAE 21434
1 source controls mapped|1 target controls covered
2%
ISO 27799
1 source controls mapped|1 target controls covered
2%
MARS-E - Minimum Acceptable Risk Standards for Exchanges
1 source controls mapped|1 target controls covered
2%
DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)
1 source controls mapped|1 target controls covered
2%
SSAE 18 - Attestation Standards (SOC Reporting)
1 source controls mapped|1 target controls covered
2%
ISO 27017
1 source controls mapped|1 target controls covered
2%

Frequently Asked Questions

What is Bank Secrecy Act / Anti-Money Laundering (BSA/AML)?

Bank Secrecy Act / Anti-Money Laundering (BSA/AML) is a compliance framework from United States with 9 domains and 44 controls. The Bank Secrecy Act (31 U.S.C. 5311-5332) and implementing regulations (31 CFR Chapter X) establish requirements for financial institutions to detect and prevent money laundering, terrorist financing, and other financial crimes. Key components include AML compliance programs, customer identification/due diligence, suspicious activity reporting, currency transaction reporting, and recordkeeping. Amended by USA PATRIOT Act (2001), CDD Rule (2016), and AML Act (2020). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Bank Secrecy Act / Anti-Money Laundering (BSA/AML) have?

Bank Secrecy Act / Anti-Money Laundering (BSA/AML) has 44 controls organised across 9 domains. The largest domains are Customer Identification and Due Diligence (11 controls), Reporting (10 controls), Recordkeeping (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Bank Secrecy Act / Anti-Money Laundering (BSA/AML) map to?

Bank Secrecy Act / Anti-Money Laundering (BSA/AML) maps to 89 other compliance frameworks. The top mapping partners are AML/CTF Act 2006 (Australia) (52% coverage), FTC GLBA Safeguards Rule (16 CFR Part 314) (11% coverage), Florida Digital Bill of Rights (FDBR) (11% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Bank Secrecy Act / Anti-Money Laundering (BSA/AML) compliance?

Start your Bank Secrecy Act / Anti-Money Laundering (BSA/AML) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Bank Secrecy Act / Anti-Money Laundering (BSA/AML) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 44 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required