BSA / AML

The Bank Secrecy Act and related anti-money-laundering regulations require U.S. financial institutions to detect, prevent, and report suspicious financial activity. AI in transaction monitoring is increasingly subject to BSA scrutiny.

BSA / AML basics

The Bank Secrecy Act (1970) and a stack of subsequent statutes (USA PATRIOT Act, Anti-Money Laundering Act of 2020) require covered financial institutions to implement AML programs, perform customer due diligence (CDD), file Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs), and screen against OFAC sanctions lists. The Financial Crimes Enforcement Network (FinCEN) is the primary federal regulator; federal banking agencies and the SEC enforce at the institution level.

AI in transaction monitoring

Most large financial institutions use AI/ML for transaction monitoring (anomaly detection, false-positive reduction) and customer screening (sanctions and PEP matching). FinCEN, the OCC, and other federal banking regulators issued joint guidance in 2024 explicitly endorsing innovative approaches including ML for BSA/AML compliance, while making clear that model risk management (SR 11-7) still applies. AI vendors selling into the BSA/AML space face two diligence regimes: standard financial-services cybersecurity, and model risk management (governance, documentation, validation, ongoing monitoring of model performance).

Procurement questions

Questions for AI transaction monitoring or sanctions screening vendors: Do you provide model documentation sufficient for the buyer's MRM (model risk management) program? What is your testing and validation methodology? How is model drift detected and reported? Are you willing to participate in regulator examinations? How is performance measured (false positive rate, alert-to-SAR conversion)? Many regulated buyers will also ask whether the vendor will indemnify against regulatory fines arising from undetected suspicious activity, a difficult contractual ask that most vendors decline.