
**What happened with Bank of America’s BSA compliance?** In December 2024, the OCC issued a cease-and-desist order against Bank of America, N.A. for deficiencies in its BSA/AML and sanctions compliance programs, including delayed suspicious activity reporting, inadequate customer due diligence, and weak internal controls. The order requires the bank to overhaul its compliance program under close regulatory supervision, a reminder that even the largest institutions face formal enforcement when compliance controls fail.
The Bank Secrecy Act stands as America’s primary defense against money laundering and financial crime. When a major bank faces regulatory action for BSA compliance failures, it signals serious problems that every financial institution should study carefully.
In December 2024, Bank of America received one of the most serious enforcement tools available to its primary regulator: a cease-and-desist order from the Office of the Comptroller of the Currency (OCC). The order carried no civil money penalty; its weight lies in the binding remediation obligations it imposes. It exposed widespread weaknesses in how the bank monitored transactions, reported suspicious activities, and managed compliance risk.
This breakdown explains exactly what went wrong, what BSA compliance requires, and how other banks can avoid similar regulatory trouble.
Understanding Cease-and-Desist Orders in Banking
A cease-and-desist order represents one of the most serious actions federal regulators can take against a financial institution. Unlike warning letters or minor citations, this legally binding document forces immediate action.
What makes these orders so powerful:
Banks must stop the unsafe or unsound practices identified and begin correcting them. The regulator sets deadlines for each corrective measure and monitors progress through ongoing supervision. Institutions that fail to comply face civil money penalties, removal of responsible individuals, and growth or activity restrictions that can freeze parts of their business.
The order becomes public record, damaging reputation and investor confidence. For Bank of America, this meant explaining to shareholders, customers, and regulators worldwide why their compliance systems failed so dramatically.
The Three Critical Failures That Triggered Regulatory Action
Problem #1: Broken Suspicious Activity Reporting Systems
Bank of America’s transaction monitoring systems failed at their most basic function: identifying and reporting suspicious activities on time.
The bank’s automated alert systems used incorrect thresholds for flagging potentially criminal transactions. When thresholds are set too high, actual crimes slip through undetected. When set too low, compliance teams drown in false alarms, missing real threats hidden in the noise.
Federal regulation requires banks to file a suspicious activity report within 30 calendar days of the initial detection of facts that may constitute a basis for filing. Bank of America’s delays meant law enforcement lost time to investigate money laundering, fraud, and terrorism financing networks.
Problem #2: Inadequate Customer Due Diligence
The OCC had previously identified weaknesses in how Bank of America verified customer identities and monitored account behavior. The bank failed to fix these issues, forcing regulators to escalate their response.
Customer due diligence forms the foundation of effective BSA compliance. Banks must know who their customers are, understand what normal activity looks like for each account, and spot unusual patterns that suggest criminal behavior.
Bank of America’s deficient system meant they couldn’t accurately classify customer risk levels. High-risk accounts may have received the same level of monitoring as low-risk customers, creating massive blind spots for criminal exploitation.
Problem #3: Weak Governance and Resource Allocation
The enforcement action revealed systemic issues beyond technology failures. Bank of America’s compliance culture needed fundamental restructuring.
Key governance breakdowns included:
Flawed risk assessments that failed to identify where the bank faced greatest exposure to financial crime. Inadequate board oversight allowed problems to persist without senior leadership intervention. Insufficient staffing meant compliance teams couldn’t handle the bank’s transaction volume. Poor training left employees unable to recognize and escalate suspicious activities effectively.
The OCC now requires Bank of America to establish a specialized board committee focused exclusively on compliance remediation, ensuring these issues receive highest-level attention.
The Five Essential Components of BSA Compliance Programs
Federal regulations require every financial institution to maintain these five critical elements:
| Compliance Pillar | Core Requirements | Bank of America’s Failure |
|---|---|---|
| Internal Controls | Risk-based policies, procedures, and monitoring systems that detect potential money laundering | Transaction monitoring systems used inappropriate thresholds, causing missed suspicious activity reports |
| BSA Compliance Officer | Designated leader with authority, resources, and direct board access to oversee all compliance activities | Insufficient staffing, knowledge gaps, and inadequate authority undermined effectiveness |
| Training Programs | Regular, role-specific education for all personnel on their compliance responsibilities | Deficient training programs left employees unprepared to maintain compliance standards |
| Independent Testing | Testing by internal audit or a qualified third party, generally every 12 to 18 months, scaled to the bank’s risk profile | Testing protocols failed to identify critical system weaknesses before regulatory examination |
| Customer Due Diligence | Procedures to verify identities, understand account purposes, and monitor ongoing activity | Previously identified CDD deficiencies remained uncorrected, showing persistent assessment gaps |
Understanding these pillars helps explain why the Bank of America case represents such serious failure. The bank didn’t just struggle with one component—weaknesses existed across the entire compliance framework.
The Costly Path to Compliance Remediation
Bank of America now faces a multi-year, expensive overhaul of its entire BSA compliance infrastructure. The required remediation involves several major components.
Independent Review Requirements
The OCC mandated that Bank of America hire outside consultants to conduct two critical assessments. First, consultants must evaluate every aspect of the current compliance program to identify all weaknesses. Second, they must perform “lookback” reviews examining years of historical transactions to find suspicious activities that should have been reported.
Lookback reviews at a bank of this size can cost tens of millions of dollars and require re-screening years of transaction history. Every suspicious activity report the review surfaces must be filed, even years after the fact, giving law enforcement leads on activity it could not investigate at the time.
Detailed Action Plans and Accountability
Within 60-90 days of receiving the order, Bank of America must submit comprehensive corrective action plans to the OCC. These plans must specify exactly how the bank will fix each identified problem, assign responsible executives for each task, and establish deadlines for completion.
The newly required Compliance Committee of the Board of Directors must meet regularly to oversee remediation progress. This top-level oversight ensures the bank dedicates necessary resources, technology investments, and personnel to rebuilding its compliance systems properly.
Failure to meet any deadline or requirement can trigger additional penalties, including civil money penalties and operational restrictions that would constrain the bank’s growth.
How Monitoring Systems Should Actually Work
The core failure in Bank of America’s case centered on transaction monitoring technology. Understanding how these systems should function helps explain what went wrong.
Risk-Based Transaction Monitoring
Effective monitoring systems don’t treat all customers and transactions equally. Instead, they use sophisticated risk-based approaches:
Customer risk scoring: Automated systems analyze each customer’s profile, transaction history, geographic connections, and business type to assign risk ratings. Higher-risk customers trigger more sensitive alerts with lower thresholds.
Scenario-based detection: Rather than simple dollar-amount triggers, modern systems use scenarios that recognize suspicious patterns. These include rapid movement of funds in and out of an account, structuring (for example, repeated cash deposits kept just under the $10,000 Currency Transaction Report threshold), and activity inconsistent with the customer’s known business purpose or expected volumes.
Regular tuning and validation: Risk profiles change constantly as customers’ businesses evolve and criminals develop new tactics. Banks must continuously test and adjust their monitoring parameters, typically quarterly or monthly for high-risk areas.
Integration with Due Diligence Data
Transaction monitoring systems must connect seamlessly with customer due diligence databases. When a compliance analyst investigates an alert, they need immediate access to customer background information, risk ratings, expected activity patterns, and previous investigations.
Bank of America’s systems apparently lacked this integration, meaning analysts couldn’t efficiently determine whether flagged transactions actually represented suspicious activity or legitimate business.
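The following is an added illustrative example, not Bank of America’s code or any vendor’s monitoring product. It shows the two ideas from the preceding sections in working form: risk-tiered scenario thresholds (a high-risk customer alerts on a pattern a low-risk customer does not) and alerts that carry the customer due diligence context an analyst needs. The customers, transactions, tier parameters and the `monitor`/`structuring_hits`/`volume_anomaly`/`sar_deadline` function names are constructed for the example; the tier numbers are assumptions, not regulatory values. The SAR deadline rule (30 calendar days, extendable to 60 when no suspect is identified) is the one described later on this page.

```python
"""Added illustrative example: risk-tiered transaction monitoring with two
scenarios, each alert enriched from a customer due diligence (CDD) profile,
plus the SAR filing deadline. Not Bank of America's or any vendor's code.
All customers, transactions and tier parameters below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # cash transactions above this amount require a Currency Transaction Report

# Tier parameters are ASSUMED for the example. Higher-risk customers get a
# longer window, fewer required hits and a lower "near threshold" floor,
# i.e. more sensitive alerts, as the risk-based approach requires.
TIER = {
    "low":    {"window_days": 3,  "min_hits": 3, "floor": 9_000, "volume_multiple": 5},
    "medium": {"window_days": 7,  "min_hits": 3, "floor": 8_500, "volume_multiple": 3},
    "high":   {"window_days": 14, "min_hits": 2, "floor": 7_500, "volume_multiple": 2},
}

@dataclass(frozen=True)
class CddProfile:
    customer_id: str
    risk_rating: str            # "low", "medium" or "high"
    expected_monthly_cash: int  # cash volume declared at onboarding
    business_type: str

@dataclass(frozen=True)
class Txn:
    customer_id: str
    day: date
    amount: int
    kind: str                   # "cash_in" or "wire_out"

def structuring_hits(txns, tier):
    """Return sub-CTR cash deposits that, inside the tier's window, add up to
    at least the CTR threshold (the classic structuring pattern); [] if none."""
    window = timedelta(days=tier["window_days"])
    cash = sorted((t for t in txns if t.kind == "cash_in"
                   and tier["floor"] <= t.amount < CTR_THRESHOLD), key=lambda t: t.day)
    for i, first in enumerate(cash):
        run = [t for t in cash[i:] if t.day - first.day <= window]
        if len(run) >= tier["min_hits"] and sum(t.amount for t in run) >= CTR_THRESHOLD:
            return run
    return []

def volume_anomaly(txns, profile, tier):
    """Months whose cash inflow exceeds the CDD-declared expectation by the tier's multiple."""
    by_month = defaultdict(int)
    for t in txns:
        if t.kind == "cash_in":
            by_month[(t.day.year, t.day.month)] += t.amount
    limit = profile.expected_monthly_cash * tier["volume_multiple"]
    return {m: v for m, v in by_month.items() if v > limit}

def monitor(txns, profiles):
    """Run both scenarios per customer; each alert carries the CDD context an
    analyst needs to disposition it without a second system lookup."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer_id].append(t)
    alerts = []
    for cid, cust_txns in by_customer.items():
        profile = profiles[cid]
        tier = TIER[profile.risk_rating]
        context = {"customer_id": cid, "risk_rating": profile.risk_rating,
                   "business_type": profile.business_type,
                   "expected_monthly_cash": profile.expected_monthly_cash}
        hits = structuring_hits(cust_txns, tier)
        if hits:
            alerts.append({**context, "scenario": "structuring",
                           "count": len(hits), "total": sum(t.amount for t in hits)})
        anomalies = volume_anomaly(cust_txns, profile, tier)
        if anomalies:
            alerts.append({**context, "scenario": "volume_vs_cdd", "months": anomalies})
    return alerts

def sar_deadline(detected, suspect_identified):
    """File within 30 calendar days of initial detection; if no suspect was
    identified on that date the bank may wait up to 30 more, never past 60."""
    return detected + timedelta(days=30 if suspect_identified else 60)

# Constructed sample data: C-100 and C-200 show the identical deposit pattern.
SAMPLE_PROFILES = {
    "C-100": CddProfile("C-100", "high", 20_000, "money service business"),
    "C-200": CddProfile("C-200", "low", 15_000, "restaurant"),
    "C-300": CddProfile("C-300", "medium", 5_000, "retail"),
}
SAMPLE_TXNS = [
    Txn("C-100", date(2024, 3, 2), 7_800, "cash_in"),
    Txn("C-100", date(2024, 3, 9), 7_900, "cash_in"),
    Txn("C-100", date(2024, 3, 10), 5_000, "wire_out"),
    Txn("C-200", date(2024, 3, 2), 7_800, "cash_in"),
    Txn("C-200", date(2024, 3, 9), 7_900, "cash_in"),
    Txn("C-300", date(2024, 4, 1), 9_500, "cash_in"),
    Txn("C-300", date(2024, 4, 3), 9_600, "cash_in"),
    Txn("C-300", date(2024, 4, 5), 9_700, "cash_in"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TXNS, SAMPLE_PROFILES):
        print(alert)
```

On the constructed data, the high-risk MSB (C-100) alerts on two deposits of 7,800 and 7,900, while the low-risk restaurant (C-200) with the same two deposits does not, because its tier's floor and minimum hit count are stricter. The medium-risk retailer (C-300) trips both scenarios: three near-threshold deposits in five days, and an April cash inflow far above the volume it declared at onboarding. The point of carrying `risk_rating`, `business_type` and `expected_monthly_cash` on the alert is exactly the integration gap the text describes: an analyst should not have to leave the alert to learn who the customer is.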
BSA Compliance Risk Assessment Best Practices
Every effective compliance program starts with comprehensive risk assessment. Banks must identify where they face greatest exposure to money laundering and adjust controls accordingly.
Critical risk factors to evaluate:
| Risk Category | Key Considerations |
|---|---|
| Products and Services | Cash-intensive services, wire transfers, trade finance, digital assets, and private banking create higher exposure to money laundering |
| Customer Types | Politically exposed persons, cash-intensive businesses, money service businesses, and customers in high-risk industries require enhanced scrutiny |
| Geographic Exposure | Jurisdictions with weak anti-money laundering laws, high corruption, or significant drug trafficking increase institutional risk |
| Delivery Channels | Non-face-to-face banking, mobile payments, and cryptocurrency services complicate customer verification and monitoring |
Annual risk assessments must account for new products, customer segments, and geographic expansions. When banks introduce new services—like cryptocurrency trading or real-time payment systems—they must evaluate money laundering risks before launch and design appropriate controls.
Bank of America’s flawed risk assessments meant their entire compliance program rested on faulty foundations. If you don’t accurately identify your risks, you can’t design controls that actually address them.
Common Questions About BSA Compliance
What exactly is the Bank Secrecy Act?
The Bank Secrecy Act, formally called the Currency and Foreign Transactions Reporting Act of 1970, established the United States’ anti-money laundering framework. It requires financial institutions to maintain records and file reports that help law enforcement investigate criminal activities, tax evasion, and terrorist financing.
The Financial Crimes Enforcement Network (FinCEN), part of the U.S. Treasury Department, administers BSA regulations and receives all required reports. Banks, credit unions, securities brokers, and money service businesses all fall under BSA requirements.
How do BSA and AML differ?
| Term | Definition | Relationship |
|---|---|---|
| BSA | Federal law establishing recordkeeping and reporting requirements | Creates legal obligations |
| AML | Industry practices and internal programs that financial institutions implement | Methods for meeting BSA legal requirements |
Think of BSA as the law telling banks what they must do, while AML represents how banks actually do it. An AML compliance program encompasses all the policies, procedures, systems, and controls a bank uses to satisfy BSA legal requirements.
What are Suspicious Activity Reports?
Financial institutions must file suspicious activity reports with FinCEN when they detect known or suspected violations of federal law, transactions connected to money laundering, or activities designed to evade BSA requirements. For banks the filing thresholds are $5,000 or more where a suspect can be identified, $25,000 or more regardless of whether a suspect is identified, and any amount involving insider abuse.
The 30-calendar-day filing deadline starts when the institution first detects facts that may constitute a basis for filing. If no suspect was identified on that date, the bank may delay filing for up to 30 additional days, but in no case beyond 60 calendar days from initial detection.
SARs provide critical intelligence that law enforcement agencies use to build cases against criminal networks. When banks file late or miss reports entirely—as Bank of America did—investigators lose valuable time and evidence.
You can learn more about SAR requirements from the Financial Crimes Enforcement Network’s official guidance.
Why do even large banks struggle with BSA compliance?
Several factors make BSA compliance especially challenging for major financial institutions:
Transaction volume: Large banks process billions of transactions annually. Even highly accurate monitoring systems generate thousands of alerts daily, requiring human analysts to investigate each one and determine whether it represents actual suspicious activity.
Legacy technology: Many major banks operate on outdated computer systems that can’t easily share data between different business lines. A customer might have checking accounts, credit cards, investment accounts, and loans—but the bank’s systems may not connect this information for comprehensive monitoring.
Rapidly evolving risks: Criminals constantly develop new money laundering techniques. New financial products like cryptocurrency, peer-to-peer payment apps, and real-time payment systems create fresh opportunities for illicit activity that banks must learn to detect and prevent.
Resource constraints: Despite billions in revenue, banks often underinvest in compliance programs compared to money-generating business lines. Compliance teams may lack sufficient personnel, training budgets, or modern technology to keep pace with institutional growth and risk evolution.
For detailed analysis of regulatory enforcement trends, visit the Office of the Comptroller of the Currency enforcement actions page.
Critical Lessons for Financial Institutions
The Bank of America enforcement action offers valuable lessons for every financial institution, regardless of size.
Treat Monitoring Systems as Critical Infrastructure
Transaction monitoring systems require the same rigorous oversight as other critical technology. Banks should bring them under a formal model risk management framework of the kind described in the OCC’s and Federal Reserve’s model risk guidance (OCC Bulletin 2011-12 / SR 11-7), which at minimum includes:
Regular validation testing to ensure scenarios detect current money laundering typologies. Threshold tuning based on actual transaction patterns and emerging risks, not just false positive rates. Integration testing to verify monitoring systems access current customer risk ratings and due diligence information. Documentation of all changes, testing results, and approval processes to demonstrate regulatory compliance.
Embed Risk-Based Thinking Throughout Operations
Every aspect of compliance must reflect actual risk levels. Low-risk customers and products need basic controls, while high-risk areas demand intensive monitoring and enhanced due diligence.
Conduct comprehensive risk assessments annually and whenever the bank introduces new products, enters new markets, or acquires other institutions. Use assessment results to allocate compliance resources where they provide greatest value.
Enhanced due diligence for high-risk customers should include more frequent account reviews, lower transaction monitoring thresholds, and additional documentation requirements that help analysts spot suspicious patterns.
Build Strong Compliance Culture from Leadership Down
Effective BSA compliance requires commitment from the board of directors and senior executives, not just compliance department efforts.
Board members must receive regular, detailed briefings on compliance program effectiveness, emerging risks, and resource needs. They should actively challenge management to ensure compliance receives adequate investment and attention.
The BSA compliance officer needs sufficient authority to escalate concerns directly to the board, adequate staffing to handle institutional transaction volume, and budget independence from business lines they oversee.
Training programs should extend beyond basic regulatory requirements to help employees understand why BSA compliance matters. When staff see compliance as protecting the financial system rather than bureaucratic busywork, they engage more effectively in detection and reporting activities.
The Non-Negotiable Nature of BSA Compliance
Bank of America’s cease-and-desist order delivers a clear message: robust BSA compliance programs are mandatory for safe and sound banking operations, not optional enhancements or cost centers to minimize.
Financial crime grows more sophisticated every year. Criminal organizations exploit weaknesses in bank monitoring systems, new payment technologies, and cross-border transaction flows. Regulatory scrutiny intensifies in response, with enforcement actions becoming more severe and more public.
The institutions that avoid Bank of America’s fate will be those that proactively invest in compliance technology, talent, and culture before regulators force the issue. Waiting for an enforcement action to drive improvement means facing massive remediation costs, reputational damage, and years of intense regulatory oversight.
The financial system’s integrity depends on effective anti-money laundering controls at every institution. That responsibility cannot be delegated, deferred, or treated as secondary to business growth. For banks of all sizes, BSA compliance must be a foundational commitment reflected in board priorities, resource allocation, and daily operations.
Protecting the financial system from criminal exploitation requires unwavering vigilance from the industry’s highest levels. The Bank of America case proves that even the largest institutions face serious consequences when that vigilance fails.
For more information on BSA compliance requirements and best practices, visit the Federal Financial Institutions Examination Council’s BSA/AML InfoBase.
