Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give Bank Secrecy Act filing advice, sanctions opinions, suspicious-activity-report advice, legal opinions, or regulatory-compliance opinions. Regulatory status is current as of drafting (2026-06-15); see the status note at the end.

The money in a deal tells a second story. The first story is the one the seller wants to tell: revenue, adjusted earnings before interest, taxes, depreciation, and amortization, working capital, churn, concentration, capital expenditure, and price. The second story sits underneath it. Who sent the money. Who received it. Who had the power to move it. Which accounts carried the flow. Which names appeared only after the structure was unwound. Which transactions looked ordinary one at a time and strange in sequence. The federal law that turns that second story into a national-security problem is the Bank Secrecy Act (BSA), the shorthand name for the statutory and regulatory system the United States uses to require financial institutions and certain other businesses to keep records, identify customers, file reports, and provide financial intelligence to the government.

The federal bureau at the center is the Financial Crimes Enforcement Network (FinCEN), a Treasury bureau whose public mission is to safeguard the financial system from illicit activity, counter money laundering and terrorist financing, and promote national security through the use of financial authorities and financial intelligence. That mission statement is not decoration. It is the bridge between a familiar diligence problem, trace the funds, and the wider stack this series is about. Sanctions, export controls, foreign-investment review, data-security rules, forfeiture, and whistleblower bounties all need facts about money, ownership, and control. The BSA is where those facts become a public-private intelligence system.

For buyers, lenders, fund general partners, and counsel, this is not only a regulated-bank problem. It is a perimeter problem. The target may itself be a bank, money services business, broker-dealer, casino, insurance company, loan or finance company, or other financial institution already inside Title 31 of the Code of Federal Regulations (CFR), the codified body of federal rules. The target may be a private fund, adviser, real estate platform, fintech processor, precious-metals business, payroll company, marketplace, law-firm-adjacent service provider, or ordinary operating company that sits near the perimeter even if it is not yet squarely inside it. The buyer’s job is not to declare the legal answer in the data room. It is to recognize when the deal touches the perimeter, identify the facts that control the analysis, and move the question to qualified counsel and compliance specialists before signing, before a lender funds, and before a post-close discovery turns yesterday’s cash flow into tomorrow’s enforcement chronology.

This piece takes the BSA and FinCEN frontiers down to the practical layer. What the regime was built to solve. Who runs, examines, investigates, and enforces it. What changed from 2024 to 2026, including the three status traps that can ruin a memo if stated loosely: Beneficial Ownership Information (BOI) reporting under the Corporate Transparency Act (CTA) is now foreign-only and access-limited; the FinCEN Residential Real Estate (RRE) rule has been vacated and is on appeal, so Real Estate Reports are not currently required while the order stands; and the Investment Adviser anti-money-laundering rule (IA AML rule) is delayed to January 1, 2028. Then the diligence: what trips the wire in a deal, what the government can do, what a buyer asks for, what belongs in the risk memo, and when the work leaves the accountant’s lane and goes to counsel. The skill underneath is old forensic discipline in a newer regulatory room: build the ownership and funds-flow picture from sources, separate the live obligation from the proposed or vacated one, and never confuse a private FinCEN database with a public dataset.

What BSA/AML was built to solve

The BSA began with a simple government frustration. Money moves faster than evidence. A criminal enterprise can place cash into a bank, break it into smaller pieces, move it through accounts, send it overseas, bring it back as apparently clean capital, and use that capital to buy businesses, real estate, securities, or influence. By the time an investigator sees the end asset, the trail is often gone. The BSA solves that problem by making regulated financial intermediaries keep and report information while the money is still visible.

The modern statutory purpose is unusually direct. Section 5311 of Title 31 says the subchapter exists to require reports or records that are highly useful in criminal, tax, regulatory, intelligence, counterintelligence, and terrorism-protection work; to prevent money laundering and terrorist financing through reasonably designed risk-based programs; to track money sourced through criminal activity or intended to promote criminal or terrorist activity; to assess money-laundering, terrorism-finance, tax-evasion, and fraud risks to protect the United States (U.S.) financial system and national security; and to establish information-sharing frameworks among financial institutions, regulators, Treasury, and law enforcement. A deal memo does not need to quote that statute. It does need to absorb the point. BSA/AML is not paperwork for its own sake. It is a sensor network.

FinCEN’s public BSA page gives the same point in regulatory language. The Bank Secrecy Act authorizes Treasury to impose reporting and other requirements on financial institutions and other businesses to help detect and prevent money laundering. The implementing rules require financial institutions, among other things, to keep records of certain negotiable-instrument purchases, file reports of cash transactions exceeding \$10,000 in the daily aggregate, and report suspicious activity that may signal money laundering, tax evasion, or other criminal activity. Those are not all the obligations in the regime, but they are the entry point: records, currency reports, suspicious-activity reports, and programs designed to make those reports meaningful.

The usual acronym, anti-money-laundering and countering the financing of terrorism (AML/CFT), can make the system sound narrower than it is. A good diligence team reads the acronym broadly because the government now does. FinCEN’s 2021 national AML/CFT priorities, issued under the Anti-Money Laundering Act of 2020 (AMLA), focus on threats that are not limited to drug proceeds or ordinary fraud. Corruption, cybercrime, terrorist financing, transnational criminal organizations, drug trafficking, human trafficking and smuggling, and proliferation financing sit in the same national-security field as sanctions, export controls, and foreign-investment review. That is why this article belongs in a national-security diligence stack rather than in a banking-compliance appendix. The same shell-company structure that hides a drug-trafficking route can hide a sanctioned owner, a proliferation procurement channel, a foreign intelligence access path, or a bribery fund. The diligence work is different in each case, but the first move is often the same: identify the real parties, map the money, and mark the reporting perimeter.

The system works through asymmetry. The government cannot sit inside every bank account, escrow account, money transmitter, casino cage, broker-dealer, title office, and adviser platform at the moment the transaction occurs. It delegates much of the first detection function to the institutions that see the activity in real time. That delegation is imperfect and burdensome, and the federal government itself has spent years trying to make the system more effective rather than merely voluminous. But the logic remains durable. If a financial institution sees enough to know that activity is suspicious, it may have a duty to file a Suspicious Activity Report (SAR). If it processes a reportable cash transaction above the currency threshold, it may have a duty to file a Currency Transaction Report (CTR). If it is subject to an AML program rule, it must build the internal controls, officer function, training, and testing that make detection possible.

The buyer’s question is not “Did the target file every report?” That is too late and too narrow. The buyer’s question is “What facts would have made a reasonable institution notice, document, escalate, and report?” The answer comes from a mixture of source documents: account statements, customer files, onboarding records, risk ratings, transaction-monitoring alerts, SAR decision logs, CTR filing records, independent-testing reports, regulatory exam correspondence, consent orders, board minutes, compliance budgets, employee disciplinary records, and management responses. The legal privilege and confidentiality rules around SARs require care, and a diligence team should not demand SAR contents casually or treat them as ordinary business records. But the underlying facts, the control environment, the decision process, and the remediation record are very much diligence subjects.

That distinction is the first serious practitioner lesson. BSA data is powerful because it is sensitive. SARs are confidential. BOI is confidential. Real Estate Reports, if the RRE rule returns, would be maintained by FinCEN under access limits rather than placed in public search. A public diligence lab cannot scrape this world. A buyer cannot assume a regulator’s database will answer the question. The work is source-grounded, document-by-document, and often private to the deal. The public sources tell you the regime’s shape. The target’s records tell you whether the facts inside the deal fit that shape.

Who runs the perimeter, and who enforces it

FinCEN is the bureau most associated with the BSA, but it is not the only actor a deal will meet. The BSA perimeter is run by a federal network, and the network’s shape matters because different targets see different examiners, different enforcement paths, and different remedies.

FinCEN administers and writes much of the regulatory architecture in 31 CFR Chapter X. It receives BSA reports through the BSA E-Filing system. It issues rules, guidance, advisories, Geographic Targeting Orders (GTOs), and enforcement assessments. It analyzes BSA data and shares financial intelligence with law enforcement, national-security agencies, regulators, and, through lawful channels, foreign financial intelligence units. It is a rulemaker, a data hub, an intelligence node, and an enforcement agency.

The federal banking agencies examine many banks and banking organizations for BSA/AML compliance under delegated or parallel authority. The Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations. The Board of Governors of the Federal Reserve System supervises bank holding companies and certain state member banks. The Federal Deposit Insurance Corporation (FDIC) supervises certain insured state banks. The National Credit Union Administration (NCUA) supervises federal credit unions. Those agencies can impose cease-and-desist orders, civil money penalties, growth restrictions, and remediation requirements. Their role is not theoretical. In the 2024 TD Bank matter, the OCC announced a \$450 million civil money penalty, a cease-and-desist order, and a growth restriction for BSA/AML deficiencies, while FinCEN, the Department of Justice (DOJ), the Federal Reserve, and others moved in parallel.

The DOJ sits on the criminal side. Its prosecutors can bring Bank Secrecy Act charges, money-laundering charges, conspiracy charges, forfeiture actions, and corporate resolutions. Its Money Laundering and Asset Recovery Section, Bank Integrity Unit, U.S. Attorney’s Offices, and, where national-security facts are present, the National Security Division can all appear in the broader enforcement picture. The TD Bank resolution is the recent teaching case because it tied program failure to criminal exposure in a way every deal principal can understand. DOJ announced that TD Bank N.A. and its parent pleaded guilty and agreed to pay more than \$1.8 billion in penalties to resolve DOJ’s investigation into BSA and money-laundering violations. FinCEN announced a separate record \$1.3 billion penalty and a four-year independent monitorship. The OCC imposed a separate \$450 million civil money penalty and growth restriction. One failure pattern, many remedies.

Other regulators matter by sector. Broker-dealers and mutual funds may see the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). Futures commission merchants and introducing brokers may see the Commodity Futures Trading Commission (CFTC) and the National Futures Association. Casinos may see state gaming regulators in addition to FinCEN. Money services businesses may see state money-transmission regulators, FinCEN registration requirements, and federal enforcement. Title insurance companies and closing professionals have seen FinCEN GTOs and, if the RRE rule returns, may see a national reporting rule. Investment advisers were scheduled to enter the BSA perimeter under the IA AML rule, but that effective date is now delayed to January 1, 2028.

For a buyer, the agency map tells you how to design diligence. A bank target needs a bank-exam and enforcement-history request. A money transmitter needs FinCEN registration, state licensing, agent oversight, sanctions screening, suspicious-activity-reporting and transaction-monitoring evidence. A real estate platform needs a GTO and RRE status analysis. A registered investment adviser needs a 2028 readiness analysis, not a false statement that the IA AML rule is currently live. An ordinary operating company with unusual cash, wires, shell-company customers, foreign agents, or private lenders may need a funds-flow and source-of-funds review even if it is not directly regulated as a financial institution.

The most important institutional fact is that the perimeter is not a single gate. It is a set of overlapping powers: FinCEN rulemaking and enforcement, bank-regulator examination and remedies, DOJ criminal prosecution and forfeiture, state licensing, securities and commodities regulators, and law-enforcement access to confidential reports. That overlap is why BSA/AML diligence belongs early in a transaction. A weakness that looks like a compliance gap in one room can become a criminal fact pattern in another.

What changed from 2024 to 2026

The old BSA story was stable enough to teach in a chart: the BSA in 1970, the USA PATRIOT Act in 2001, the customer due diligence rule, the AMLA in 2020, then the CTA and BOI registry. The 2024 to 2026 period made that chart unreliable unless it carries a status column. FinCEN pushed the perimeter outward, courts and Treasury narrowed or delayed parts of it, and enforcement against core institutions became more severe. Four changes matter for deal work.

First, the BOI regime changed in a way that many stale checklists still get wrong. The Corporate Transparency Act created a beneficial-ownership reporting regime, codified at 31 U.S.C. 5336 and implemented at 31 CFR 1010.380. But FinCEN’s March 2025 interim final rule removed BOI reporting requirements for U.S. companies and U.S. persons. FinCEN revised the regulatory definition of “reporting company” to cover only entities formed under foreign law that register to do business in a U.S. state or tribal jurisdiction by filing with a secretary of state or similar office, and it exempted entities previously known as domestic reporting companies. FinCEN’s public BOI materials also state that U.S. persons do not need to provide BOI with respect to reporting companies for which they are beneficial owners. The current diligence translation is narrow: a target formed in the United States is not, by itself, a live BOI reporting-company problem under the current FinCEN posture; a foreign-formed entity registered to do business in a state may be. BOI is also not a public bulk dataset. It is confidential and disclosed only under the CTA and access rule to authorized recipients in specified circumstances.

Second, the RRE rule is not a live broad filing obligation as of this draft. FinCEN finalized a nationwide residential-real-estate reporting rule in 2024, intended to require certain persons involved in closings and settlements to file Real Estate Reports on certain non-financed transfers of residential real property to legal entities and trusts. But on March 19, 2026, the U.S. District Court for the Eastern District of Texas issued an order vacating the rule. FinCEN’s RRE FAQ states that the order renders the rule without legal effect while the order remains in force, that reporting persons are not currently required to file Real Estate Reports, and that FinCEN and DOJ have appealed. The diligence translation is precise: the real estate money-laundering risk did not disappear, and FinCEN’s real estate concern remains visible, but a memo should not describe the RRE rule as a current filing requirement while the vacatur stands.

Third, the Investment Adviser AML rule moved from near-term implementation to a 2028 watch item. FinCEN’s 2024 final rule would define certain registered investment advisers (RIAs) and exempt reporting advisers (ERAs) as financial institutions under the BSA and require AML/CFT programs, suspicious-activity reporting, recordkeeping, and related obligations. FinCEN then issued exemptive relief and, on December 31, 2025, announced a final rule delaying the effective date from January 1, 2026 to January 1, 2028. The Federal Register (FR) notice published on January 2, 2026 gives the same operative date: the effective date is delayed until January 1, 2028. The diligence translation is not “ignore adviser AML.” It is “treat adviser AML as delayed, prepare for 2028, and do not mark a current breach solely because the IA AML rule is not implemented today.”

Fourth, BSA enforcement showed that program failure can become a deal-level economics problem. TD Bank is the recent public example. DOJ announced guilty pleas and more than \$1.8 billion in penalties. FinCEN announced a \$1.3 billion penalty and a four-year monitorship. The OCC announced a \$450 million civil money penalty, a cease-and-desist order, and a growth restriction. The article does not use TD Bank to accuse any other institution. It uses it for what official releases prove: federal agencies can treat BSA/AML failures as enterprise-level failures involving penalties, monitorship, governance remediation, growth limits, and criminal resolution.

There is a fifth change still in proposal form and therefore not a live final obligation: FinCEN’s April 2026 proposed rule on AML/CFT programs. The Federal Register identifies it as a proposed rule, with comments due June 9, 2026, and describes a proposed modernization of program rules across multiple categories of financial institutions. Because it is proposed, it belongs in the watch section of a diligence memo, not in the breach section. But its direction is useful. FinCEN is trying to push the system toward effective, risk-based programs tied to the purposes of the BSA, away from check-the-box compliance. That direction is also the direction of good diligence. A buyer should not stop at policy binders. It should ask whether the program identifies real risk, escalates it, and remediates it.

What trips the wire in a deal

BSA/AML does not trip on one fact the way CFIUS can trip on a foreign buyer or export controls can trip on a controlled technology. It trips through status, activity, and proximity. The diligence task is to identify which of those three is present.

Status means the target is itself a regulated financial institution or a business specifically covered by BSA rules. Banks, money services businesses, broker-dealers, casinos, mutual funds, insurance companies, dealers in precious metals and stones, loan or finance companies, housing government-sponsored enterprises, and other covered categories can sit inside Chapter X. The exact rule depends on the category. A bank’s AML program rule is not the same as a money services business rule, and a casino’s SAR rule is not the same as a broker-dealer’s. The diligence team should not flatten them. It should identify the target’s category, map the applicable subpart, and ask for evidence against that rule.

Activity means the target’s ordinary business creates BSA-relevant conduct even if the target is not a bank. Cash above reporting thresholds, money transmission, prepaid access, foreign wires, bulk cash logistics, private lending, check cashing, virtual-asset exchange, international trade payments, import-export intermediaries, high-risk third-party payment processors, and nominee-heavy customer structures can all create AML questions. Some of those activities may themselves move the company into a regulated category. Others may make the company a high-risk customer of a bank, lender, processor, or buyer. Either way, the deal team needs the activity map.

Proximity means the target is near a new or contested FinCEN frontier. A real estate closing platform may have GTO history and would be affected if the RRE rule returns. A private fund adviser may not have a live IA AML obligation today, but it may need a readiness plan for 2028, and it may have current obligations through affiliated broker-dealers, banks, administrators, or sanctions controls. A foreign-formed company registered in a state may have a BOI reporting question under the narrowed CTA regime. A fintech service provider may not be the regulated bank, but its technology, data, and operating failures may be embedded in the regulated bank’s monitoring and reporting system. The perimeter is often contractual before it is statutory.

The buyer should also treat ownership opacity as its own trigger. A target whose customer base, vendor base, investors, or private lenders include layered offshore entities, nominee shareholders, bearer-like arrangements, unexplained trusts, high-risk jurisdictions, sanctioned or politically exposed persons, or unexplained third-party payors is presenting an AML fact pattern even if no one has used the phrase BSA in the data room. The same is true of revenue that cannot be reconciled to customer contracts, cash-intensive spikes, deposits followed by quick withdrawals, round-dollar patterns, repeated transactions just below thresholds, inconsistent customer geography, and payment instructions that do not match the counterparty.
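The sequence patterns listed above (repeats just below a threshold, round-dollar amounts, deposits followed by quick withdrawals, payment parties that do not match the counterparty) can be screened across a ledger before a reviewer reads it line by line. The following Python is an added example, not part of the original article and not a regulator's or any institution's method. The ledger rows are constructed, and every cut-off other than the \$10,000 cash figure cited earlier is an illustrative assumption to be set by the diligence team.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

CASH_THRESHOLD = Decimal("10000")    # daily cash-reporting figure cited in the article
# Everything below is an illustrative assumption, not a regulatory value.
NEAR_BAND = Decimal("0.10")          # "just below" = within 10% under the threshold
REPEAT_COUNT = 3                     # this many near-threshold cash deposits...
REPEAT_WINDOW = timedelta(days=7)    # ...inside this window on one account
TURNAROUND = timedelta(days=3)       # "quick" withdrawal after a deposit
TURNAROUND_SHARE = Decimal("0.90")   # withdrawal takes out at least 90% of the deposit
ROUND_UNIT = Decimal("1000")         # round-dollar = exact multiple of 1,000


@dataclass(frozen=True)
class Txn:
    txn_id: str
    day: date
    account: str
    direction: str        # "in" or "out"
    amount: Decimal
    cash: bool
    actual_party: str     # who really sent or received the funds
    contract_party: str   # who the contract or invoice names


def below_threshold_repeats(txns):
    """Cash deposits in the near-threshold band that cluster on one account."""
    floor = CASH_THRESHOLD * (1 - NEAR_BAND)
    by_account = defaultdict(list)
    for t in txns:
        if t.cash and t.direction == "in" and floor <= t.amount < CASH_THRESHOLD:
            by_account[t.account].append(t)
    hits = set()
    for items in by_account.values():
        items.sort(key=lambda t: t.day)
        for i, first in enumerate(items):
            window = [t for t in items[i:] if t.day - first.day <= REPEAT_WINDOW]
            if len(window) >= REPEAT_COUNT:
                hits.update(t.txn_id for t in window)
    return hits


def rapid_in_out(txns):
    """Deposits that are largely withdrawn from the same account within days."""
    hits = set()
    for dep in (t for t in txns if t.direction == "in"):
        for wd in (t for t in txns if t.direction == "out"):
            if (wd.account == dep.account
                    and timedelta(0) <= wd.day - dep.day <= TURNAROUND
                    and wd.amount >= dep.amount * TURNAROUND_SHARE):
                hits.update((dep.txn_id, wd.txn_id))
    return hits


def triage(txns):
    """Return {txn_id: [flag, ...]} for every transaction that hit a rule."""
    rules = {
        "below_threshold_repeat": below_threshold_repeats(txns),
        "round_dollar": {t.txn_id for t in txns
                         if t.amount >= ROUND_UNIT and t.amount % ROUND_UNIT == 0},
        "rapid_in_out": rapid_in_out(txns),
        "payor_mismatch": {t.txn_id for t in txns
                           if t.actual_party != t.contract_party},
    }
    flagged = defaultdict(list)
    for name, ids in rules.items():
        for txn_id in ids:
            flagged[txn_id].append(name)
    return {txn_id: sorted(names) for txn_id, names in sorted(flagged.items())}


def _row(txn_id, day, account, direction, amount, cash, actual, contract):
    return Txn(txn_id, date.fromisoformat(day), account, direction,
               Decimal(amount), cash, actual, contract)


# Constructed sample ledger; no row comes from a real account.
SAMPLE_LEDGER = [
    _row("T1", "2026-01-05", "ACC-A", "in", "9500.00", True, "Customer 1", "Customer 1"),
    _row("T2", "2026-01-07", "ACC-A", "in", "9800.00", True, "Customer 1", "Customer 1"),
    _row("T3", "2026-01-09", "ACC-A", "in", "9900.00", True, "Customer 1", "Customer 1"),
    _row("T4", "2026-01-20", "ACC-A", "in", "9700.00", True, "Customer 1", "Customer 1"),
    _row("T5", "2026-02-02", "ACC-B", "in", "50000.00", False, "Shell Ltd", "Customer X"),
    _row("T6", "2026-02-03", "ACC-B", "out", "47250.00", False, "Vendor Y", "Vendor Y"),
    _row("T7", "2026-02-10", "ACC-C", "in", "12345.67", False, "Customer 2", "Customer 2"),
]

if __name__ == "__main__":
    for txn_id, flags in triage(SAMPLE_LEDGER).items():
        print(txn_id, ", ".join(flags))
```

A flag here is a lead for the reviewer to document and escalate, not a finding; T4 and T7 in the sample are left unflagged because each looks ordinary both alone and in sequence.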

In a national-security deal, the AML trigger analysis should run beside the sanctions and export-control screens. If a beneficial owner cannot be traced, the sanctions screen is incomplete. If a customer is buying dual-use goods through a shell entity, the export-control screen is incomplete. If a foreign buyer funds a U.S. acquisition through opaque private capital, the CFIUS and source-of-funds questions are incomplete. BSA/AML is not the answer to those regimes. It is the evidentiary spine that lets the other regimes ask better questions.

The deal features that most often justify escalation are practical, not poetic:

  • Target is a regulated financial institution.

BSA/AML question: Which Chapter X subpart applies, and is the program operating?

Diligence response: Map the exact rule, examiner, audits, SAR/CTR process, and remediation history.

  • Target moves money for others.

BSA/AML question: Is it a money services business or agent, and is registration/licensing complete?

Diligence response: Obtain registrations, state licenses, agent lists, transaction monitoring, and suspicious-activity procedures.

  • Target touches non-financed real estate transfers.

BSA/AML question: Was it subject to a GTO, and what happens if the RRE rule returns?

Diligence response: Treat RRE as vacated and on appeal; review past GTO compliance and readiness.

  • Target is a foreign-formed entity registered in a state.

BSA/AML question: Is it a current BOI reporting company?

Diligence response: Check CTA status under the foreign-only rule; do not assume domestic entities report.

  • Target is an RIA or ERA.

BSA/AML question: Is the IA AML rule live?

Diligence response: Treat rule as delayed to 2028; review readiness and current affiliated obligations.

  • Money trail contains shell entities or third-party payors.

BSA/AML question: Is source of funds and beneficial ownership documented?

Diligence response: Build a funds-flow chart and unresolved-party list; escalate gaps.

  • Prior exam or enforcement history exists.

BSA/AML question: Are orders, findings, or remediation obligations open?

Diligence response: Review orders, consent documents, monitorship, board reporting, and closure evidence.

The output is not a legal conclusion. It is a trigger map. The map says which facts are confirmed, which facts are missing, which regulatory status applies, and who must decide the legal question.

What the government can do

The BSA remedy set is varied because the government can attack a failure through several doors. It can assess a civil money penalty. It can issue a consent order or cease-and-desist order. It can require remediation, independent testing, board reporting, a monitor, or a lookback. It can impose growth or activity restrictions through a bank regulator. It can refer or prosecute criminal charges. It can seize or forfeit proceeds through the money-laundering statutes where the evidence supports it. It can publish advisories and GTOs to force reporting in risk areas. It can share financial intelligence with agencies pursuing sanctions, export-control, corruption, terrorism-finance, cybercrime, or national-security investigations.

FinCEN’s enforcement page states the broad authority in plain terms: under the BSA and its implementing regulations at 31 CFR Chapter X, FinCEN may bring enforcement actions for violations of reporting, recordkeeping, and other BSA requirements, and its Office of Enforcement evaluates matters that may result in remedies including civil money penalties. The article’s point is not to recite the entire penalty code. It is to make the remedy visible in deal economics. If the target is a financial institution with weak monitoring, the buyer may be buying more than a remediation budget. It may be buying a regulator relationship, an enforcement investigation, a monitor, a growth limit, a deferred investment plan, a customer-exit process, a suspicious-activity backlog, and a public headline.

TD Bank is the lesson because each agency described a different remedy. FinCEN’s release described a \$1.3 billion penalty and four-year monitorship. DOJ described guilty pleas and more than \$1.8 billion in penalties in its own resolution. The OCC described a \$450 million civil money penalty, cease-and-desist order, and growth restriction, and it listed deficiencies in risk assessments, customer due diligence, customer risk ratings, suspicious-activity identification and reporting, governance, staffing, independent testing, and training. In deal diligence, those categories become a request list. If the target has any meaningful AML exposure, the buyer should ask to see the exact controls the OCC found missing in that public matter, not because the target is TD Bank, but because the categories are the anatomy of program failure.

The government can also act before a full rule is permanent. GTOs are the example. FinCEN has long used residential real estate GTOs to require title insurance companies in covered jurisdictions to identify natural persons behind certain legal-entity purchases. Those orders have been temporary and jurisdiction-specific. The nationwide RRE rule was meant to replace or expand that logic into a standing rule for certain non-financed residential transfers to entities and trusts. The vacatur means that standing rule is not currently operative, but the GTO history shows how FinCEN can gather targeted data while rulemaking, litigation, or policy changes continue.

Finally, the government can turn BSA facts into another regime’s evidence. A SAR cannot be treated as public evidence in a diligence lab, and its confidentiality must be respected. But the underlying flow of funds can matter in an Office of Foreign Assets Control (OFAC) sanctions case, a DOJ forfeiture action, a corruption matter, a terrorism-finance matter, a CFIUS source-of-funds question, or a data-security matter where foreign access and payment routes overlap. This is why the risk memo should never isolate BSA/AML as a compliance silo. The money facts should be cross-referenced to sanctions ownership, export customers, foreign investors, data access, and proceeds exposure.

What a buyer asks for

The buyer’s BSA/AML request list should begin with classification. What is the target, legally and functionally? Is it a bank, money services business, broker-dealer, casino, insurance company, loan or finance company, adviser, real estate settlement participant, fintech service provider, payment processor, marketplace, private lender, or ordinary operating company with risky funds flow? Does it claim not to be regulated, and if so, who made that determination, on what facts, and when was it last revisited? The wrong answer at classification infects every answer after it.

The second request is the risk assessment. Not a marketing deck. The actual risk assessment used by management, compliance, the board, or the relevant committee. A good risk assessment identifies the products, services, customers, geographies, channels, transaction types, intermediaries, and affiliates that create money-laundering or terrorist-financing risk. It should not read the same every year. If the target added instant payments, cross-border customers, private lenders, digital assets, new geographies, or a high-risk acquisition, the assessment should change. If it did not, the buyer has found a live issue.

The third request is program architecture. For a regulated financial institution this means policies, procedures, internal controls, the designated compliance officer, training records, independent testing, customer-identification and customer-due-diligence procedures, sanctions screening, transaction monitoring, alert disposition, SAR and CTR filing procedures, record retention, model governance where systems are automated, vendor oversight, and board reporting. For a non-regulated target near the perimeter, it means the controls the target uses to know who its customers, vendors, investors, lenders, agents, and payors are, even if those controls are not labeled AML.

The fourth request is reporting and escalation evidence, handled carefully. The team should not treat SARs as ordinary diligence attachments. It should ask counsel how to handle SAR confidentiality and should focus on permissible evidence: policies, counts, governance reports, audit findings, regulator correspondence, issue logs, backlogs, quality-control results, and remediation evidence. For CTRs, it should ask about filing processes, exemptions, corrections, and reconciliations where relevant. The point is to see whether the reporting system exists, not to turn confidential government reports into deal-room exhibits.

The fifth request is ownership and source-of-funds evidence. This is where the certified public accountant (CPA) and certified fraud examiner (CFE) skill set is most useful. Trace ultimate beneficial owners (UBOs) to natural persons where possible. Tie investor funds to subscription documents, bank wires, capital calls, loan agreements, escrow instructions, and closing statements. Identify third-party payors, circular funding, unexplained intercompany transfers, pass-through entities, trusts, nominee patterns, foreign-government connections, politically exposed persons, sanctions-risk parties, and high-risk jurisdictions. The memo should distinguish proved facts from unresolved leads.
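One way to keep proved facts apart from unresolved leads while tracing owners and funds, shown as an added Python example that is not part of the original article. The ownership register, transfer list, party names and document names are all constructed, and multiplying percentages along a chain to get an indirect interest is an illustrative convention, not a legal test.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed ownership register: entity -> [(owner, percent, evidence document or None)]
OWNERSHIP = {
    "Target LLC": [("HoldCo A", 60, "cap-table.pdf"),
                   ("J. Rivera", 40, "cap-table.pdf")],
    "HoldCo A": [("Offshore Trust T", 50, None),
                 ("M. Chen", 50, "register-extract.pdf")],
    # "Offshore Trust T" has no entry: nobody has produced its owners.
}
NATURAL_PERSONS = {"J. Rivera", "M. Chen"}

# Constructed transfers: (payer, payee, amount, supporting document or None)
TRANSFERS = [
    ("Investor Fund", "Target LLC", 2_000_000, "subscription-agmt.pdf"),
    ("Target LLC", "Vendor V", 750_000, "invoice-118.pdf"),
    ("Vendor V", "Offshore Trust T", 700_000, None),
    ("Offshore Trust T", "Investor Fund", 700_000, None),
    ("Target LLC", "Payroll Co", 300_000, "payroll-register.xlsx"),
]


def trace_owners(entity, ownership, persons):
    """Walk ownership upward from `entity`.

    Returns (proved, leads): `proved` maps a natural person to an indirect
    interest only when every link in the chain has a document behind it;
    everything else goes to `leads` with the reason it is unresolved.
    """
    proved, leads = defaultdict(Fraction), []

    def walk(node, share, documented, path):
        for owner, pct, doc in ownership.get(node, []):
            interest = share * Fraction(pct, 100)
            chain_ok = documented and doc is not None
            if owner in path:
                leads.append((owner, "ownership loop"))
            elif owner in persons:
                if chain_ok:
                    proved[owner] += interest
                else:
                    leads.append((owner, "link lacks evidence"))
            elif owner not in ownership:
                leads.append((owner, "owners not produced"))
            else:
                walk(owner, interest, chain_ok, path | {owner})

    walk(entity, Fraction(1), True, {entity})
    return dict(proved), leads


def circular_flows(transfers):
    """Return each distinct loop of parties through which money returns to its origin."""
    graph = defaultdict(set)
    for payer, payee, _amount, _doc in transfers:
        graph[payer].add(payee)
    cycles = set()

    def dfs(start, node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt == start:
                i = path.index(min(path))          # rotate so duplicates collapse
                cycles.add(tuple(path[i:] + path[:i]))
            elif nxt not in path:
                dfs(start, nxt, path + [nxt])

    for start in sorted(graph):
        dfs(start, start, [start])
    return sorted(cycles)


def undocumented(transfers):
    """Transfers with no supporting document: leads, not proved flows."""
    return [t for t in transfers if t[3] is None]


if __name__ == "__main__":
    proved, leads = trace_owners("Target LLC", OWNERSHIP, NATURAL_PERSONS)
    print("Proved owners:", {k: f"{float(v):.0%}" for k, v in proved.items()})
    print("Unresolved parties:", leads)
    print("Circular funding:", circular_flows(TRANSFERS))
    print("Undocumented transfers:", undocumented(TRANSFERS))
```

In the sample, the loop runs through the same trust whose owners were never produced, which is the kind of overlap between the ownership gap list and the funds-flow chart that belongs on the escalation list.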

The sixth request is exam and enforcement history. Ask for regulator examination reports, supervisory letters, matters requiring attention, consent orders, enforcement actions, subpoenas, civil investigative demands, grand-jury subpoenas if disclosed through counsel, FinCEN correspondence, state money-transmission actions, law-enforcement requests, monitor reports, independent consultant reports, lookback reports, and closure letters. The absence of enforcement is not proof of a strong program, but the presence of exam findings is a direct diligence asset. It tells the buyer what the regulator already saw.

The seventh request is frontier status. For BOI, identify whether any entity in the deal structure is foreign-formed and registered to do business in a U.S. state or tribal jurisdiction, and check the current FinCEN status. For RRE, identify whether the target performs any closing, settlement, title, escrow, or reporting-cascade function, but state that the national RRE rule is vacated and on appeal as of this draft. For IA AML, identify RIAs and ERAs, current affiliate obligations, and readiness for January 1, 2028. For FinCEN’s 2026 AML/CFT program proposal, mark the proposal as a watch item unless and until it becomes final.

The final request is the integration question: who owns the risk after closing? If the buyer is a strategic acquirer, does its existing compliance program absorb the target? If the buyer is a private equity sponsor, does the fund have a portfolio AML governance framework? If the lender is financing the transaction, what conditions precedent, covenants, or reporting rights does it require? If the target is under an order, can the order transfer, accelerate, or conflict with closing? The issue is not only whether a past problem exists. It is whether the buyer has a credible post-close control plan.

What belongs in the risk memo

The BSA/AML section of a diligence memo should be short enough to be read and structured enough to be audited. It begins with status: whether the target is directly regulated, near-regulated, or ordinary but exposed through funds flow. It identifies the applicable legal sources and status table row. It states which obligations are live, which are delayed, which are proposed, and which are vacated. This is where the three FinCEN frontiers must be exact. BOI is foreign-only and access-limited under current FinCEN materials. RRE is vacated and on appeal. IA AML is delayed to January 1, 2028.

The memo then states the fact base. It should include the target’s regulated category, licensing and registration footprint, product and customer risk, geographic risk, transaction channels, ownership structure, third-party payors, cash exposure, foreign wires, private lenders, high-risk customers, exam history, enforcement history, remediation status, and integration plan. It should state the sources reviewed. If a conclusion rests on management representation because documents were unavailable, say that.

The memo should separate three different risk types. Legal or regulatory breach risk asks whether the target failed to meet a live requirement. Operational control risk asks whether the program is likely to fail even absent a known breach. National-security adjacency risk asks whether the funds-flow or ownership facts connect to sanctions, export controls, foreign influence, data access, corruption, terrorism financing, drug trafficking, human trafficking, cybercrime, or proliferation finance. Those three risks overlap, but they are not the same. A company can be legally outside a direct AML program requirement and still present serious source-of-funds risk.

The memo should also separate allegation from finding. If a regulator found a violation in a consent order, call it a finding only to the extent the document does. If DOJ filed a complaint or information, identify whether there was a plea, admission, deferred prosecution agreement, or unresolved allegation. If management says an alert backlog was caused by a software migration, mark it as management’s explanation unless testing confirms it. This is basic CFE discipline, but it matters more in national-security work because adjectives can outrun evidence quickly.

The deal response comes last. It may include a price adjustment, escrow, special indemnity, closing condition, remediation covenant, regulator-notification covenant, post-close audit, independent review, customer offboarding, enhanced sanctions screening, revised onboarding, staffing commitment, integration timeline, or a walk-away right. If the risk is unresolved because ownership or funds flow cannot be traced, the memo should not bury that fact. An untraceable ownership chain is not a footnote. It is a diligence result.

When to escalate to counsel

Escalation is part of the product. A diligence team that hoards legal questions is not being efficient. It is making the risk worse.

Escalate immediately when the target may be a regulated financial institution and the classification is uncertain; when money transmission, payment processing, digital assets, private lending, or prepaid access appears; when SAR confidentiality questions arise; when any regulator exam, enforcement action, consent order, subpoena, monitor, or lookback is disclosed; when the buyer may inherit an open order or remediation obligation; when the target has a meaningful foreign ownership or source-of-funds gap; when a sanctions, corruption, export-control, terrorism-finance, human-trafficking, cybercrime, or proliferation-finance lead appears; when a real estate business may have GTO history or RRE readiness issues; when a foreign-formed registered entity may owe BOI; or when an adviser needs a 2028 IA AML readiness plan.

Escalate also when the requested documents themselves create a problem. SARs and SAR-related information are sensitive. BOI is confidential. Real Estate Reports, if the RRE rule returns, would not be a public dataset. The right legal question may be how to diligence around protected reports by reviewing control evidence, audit reports, board materials, and underlying transaction data without demanding restricted material in the wrong forum.

The accountant and CFE role is to identify the issue, source the facts, maintain the evidence line, and write the risk in a form counsel can use. The legal determination, filing strategy, regulatory communication, privilege call, and remediation negotiation belong to counsel. That division of labor is not a disclaimer tacked onto the end. It is how the work stays useful.

Practitioner Skill Built By This Article

The skill this piece builds is the ability to run a BSA/AML perimeter screen on a transaction and reduce the result to a defensible source-of-funds and regulatory-status memo.

  • What you can now recognize: the difference between a directly regulated financial institution, a business near the FinCEN perimeter, and an ordinary company with AML-relevant funds-flow risk; the three status traps for BOI, RRE, and IA AML; and the agency map that turns a program failure into civil, supervisory, and criminal exposure.
  • What source you verify it against: the BSA statute and 31 CFR Chapter X for core authority; FinCEN’s BSA page for the records, currency reporting, and suspicious-activity frame; FinCEN’s BOI, RRE, and IA AML pages for current status; the Federal Register for rules and proposed rules; and official enforcement releases for public examples.
  • What you can produce: the BSA/AML section of a diligence report, the frontier-status table below, a source-of-funds request list, and an unresolved ownership and funds-flow issue log.
  • When you escalate: at classification uncertainty, protected-report questions, any open regulatory history, any ownership or funds-flow gap that cannot be resolved, or any fact pattern touching sanctions, export controls, corruption, terrorism finance, cybercrime, human trafficking, drug trafficking, or proliferation finance.

The practical habit is the same one used in fraud work. Do not begin with accusation. Begin with reconciliation. Match the customer to the invoice, the invoice to the payment, the payment to the bank account, the bank account to the signer, the signer to the owner, the owner to the control person, and the control person to the risk screen. When the chain breaks, mark where it breaks. That break may turn out to be innocent, sloppy, privileged, or legally significant. The memo’s value is that it shows the break cleanly and early enough for the buyer to act.

The shipped artifact: BSA/AML and FinCEN frontier intake map

Use this at intake on any target that handles money for others, receives substantial cash or foreign wires, has layered ownership, touches non-financed real estate, operates in private capital, or has any prior regulatory contact. It produces leads for the memo, not legal conclusions.

  • Intake question: Is the target directly regulated under the BSA?
    Source to request: Entity chart, licenses, registrations, regulatory counsel memo, Chapter X category analysis.
    Memo treatment: State category and live obligations; escalate if uncertain.

  • Intake question: Does the target move money for others?
    Source to request: Payment flows, processor agreements, money-transmission licenses, agent lists, customer terms.
    Memo treatment: Identify money services or payment-processing risk.

  • Intake question: Does the target have cash or threshold-reporting exposure?
    Source to request: Cash logs, bank statements, CTR procedures, exemption records.
    Memo treatment: Review process and reconciliation; do not overstate without records.

  • Intake question: Does suspicious-activity reporting apply?
    Source to request: SAR policy, alert workflow, board reporting, audit results, legal guidance.
    Memo treatment: Do not request SAR contents casually; evaluate controls and permissible evidence.

  • Intake question: Can ownership and source of funds be traced?
    Source to request: Ownership chart, UBO certifications, subscription docs, wires, escrow records, loan files.
    Memo treatment: Build unresolved-party and unresolved-funds-flow log.

  • Intake question: Is BOI relevant?
    Source to request: Formation jurisdiction, state registrations, CTA analysis.
    Memo treatment: Current status is foreign-formed reporting companies only; BOI is not public.

  • Intake question: Is RRE relevant?
    Source to request: Closing, escrow, title, settlement, and real-estate-transfer functions; GTO history.
    Memo treatment: Current status is RRE rule vacated and on appeal; no current Real Estate Report duty while order stands.

  • Intake question: Is IA AML relevant?
    Source to request: Form ADV, adviser status, fund structure, compliance roadmap.
    Memo treatment: Current status is delayed to January 1, 2028; assess readiness and current affiliated obligations.

  • Intake question: Is there exam or enforcement history?
    Source to request: Exam reports, orders, subpoenas, remediation plans, monitor reports, closure letters.
    Memo treatment: Separate findings, allegations, remediation, and open obligations.

  • Intake question: Who owns post-close remediation?
    Source to request: Integration plan, budget, staffing, covenants, board reporting.
    Memo treatment: Convert diligence finding into deal terms.

The artifact should travel with two attachments: a funds-flow diagram and a frontier-status appendix. The funds-flow diagram shows the path of money from source to target to seller to post-close owner. The frontier-status appendix states, in one page, whether BOI, RRE, IA AML, or any FinCEN proposed rule is live, delayed, vacated, proposed, or merely watch-listed as of the memo date.

Applied DD Lab: Replicate the Screen

The companion lab for this article should not use BOI records, SARs, CTRs, Real Estate Reports, or customer data. BOI is never a public bulk dataset. SARs are confidential. Real Estate Reports are not currently required under the vacated RRE rule, and if the rule returns they would still not be public raw material for a lab. The lab therefore teaches the screen with synthetic ownership records and public rule-status data only.

The exercise is simple and useful. Build a synthetic dataset of ten counterparties. Each record has formation jurisdiction, U.S. registration status, business type, customer type, payment method, cash exposure, foreign wire exposure, real-estate role, adviser status, ownership-chain completeness, sanctions-screen status, and prior regulatory-history flag. The notebook then routes each record through a perimeter decision tree:

  1. Is it directly regulated under a BSA category?
  2. Is it near the perimeter because it moves money, touches real estate closings, advises private funds, or receives high-risk payments?
  3. Does BOI apply under the foreign-only current rule?
  4. Is RRE merely a watch item because the rule is vacated and on appeal?
  5. Is IA AML delayed to 2028, requiring readiness rather than breach language?
  6. Does the ownership or funds-flow chain break in a way that creates an unresolved diligence lead?
  7. Which companion screen should receive a cross-reference: sanctions, export controls, data security, CFIUS, or forfeiture?

The output is a triage table, not a finding. It labels each synthetic counterparty “regulated,” “frontier watch,” “source-of-funds issue,” “ownership gap,” or “no BSA/AML trigger identified from synthetic facts.” It also generates a memo stub with three sentences: current status, facts driving the triage, and recommended escalation. The lab can use public official pages to populate the status constants, but the parties and records stay synthetic.

What the lab can prove: that a clean status table prevents stale legal claims; that a decision tree can keep BOI, RRE, and IA AML from being misstated; and that ownership and funds-flow gaps can be logged without turning leads into accusations. What it cannot prove: whether a real company violated the BSA, whether a real SAR should have been filed, whether a real BOI report exists, or whether a real person is a beneficial owner. Those are legal and factual determinations requiring non-public records and counsel.

The guardrail is strict because it is the point of the exercise. Public rule status is allowed. Synthetic ownership records are allowed. Confidential FinCEN datasets are not.
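
The perimeter decision tree described in this lab, sketched in Python as an added example (not the article's or the firm's own notebook). The field names, the six constructed counterparties (fewer than the ten the lab calls for), the rule that any frontier hit or chain break sets the escalation flag, and the sanctions-only cross-reference are assumptions; the status strings are copied from this article's status note.

```python
# Added example: synthetic records only. Field names and routing rules are assumptions.
# Status strings come from this article's status note (reviewed 2026-06-15), not live lookups.
STATUS = {
    "BOI": "foreign-formed entities registered in a U.S. state or tribal jurisdiction only",
    "RRE": "rule vacated and on appeal (watch item)",
    "IA_AML": "rule delayed to January 1, 2028 (readiness, not breach)",
}
FIELDS = ("name", "formation", "us_registered", "bsa_category", "moves_money",
          "real_estate_role", "adviser_status", "high_risk_payments",
          "ownership_complete", "sanctions_screen")
# Constructed counterparties: no real parties, no BOI, SAR, CTR or customer data.
ROWS = [
    ("Alpha Bank", "US", True, "bank", True, False, None, False, True, "clear"),
    ("Borealis GmbH", "DE", True, None, False, False, None, True, False, "not_run"),
    ("Cedar Title LLC", "US", True, None, False, True, None, False, True, "clear"),
    ("Delta Advisers", "US", True, None, False, False, "RIA", False, True, "clear"),
    ("Echo Widgets", "US", True, None, False, False, None, False, True, "clear"),
    ("Foxtrot Pay", "US", True, None, True, False, None, True, True, "hit"),
]
COUNTERPARTIES = [dict(zip(FIELDS, row)) for row in ROWS]
NO_TRIGGER = "no BSA/AML trigger identified from synthetic facts"


def triage(cp):
    # Route one synthetic record through the seven-step tree; output is a lead, not a finding.
    labels, facts, xrefs, frontier, escalate = [], [], [], [], False
    if cp["bsa_category"]:                                   # step 1: directly regulated
        labels.append("regulated")
        facts.append(f"BSA category {cp['bsa_category']}")
    elif cp["moves_money"]:                                  # step 2: near the perimeter
        facts.append("moves money for others, classification uncertain")
        escalate = True
    if cp["formation"] != "US" and cp["us_registered"]:      # step 3: foreign-only BOI
        frontier.append("BOI: " + STATUS["BOI"])
    if cp["real_estate_role"]:                               # step 4: RRE is a watch item
        frontier.append("RRE: " + STATUS["RRE"])
    if cp["adviser_status"] in ("RIA", "ERA"):               # step 5: IA AML readiness
        frontier.append("IA AML: " + STATUS["IA_AML"])
    if frontier:
        labels.append("frontier watch")
        facts.extend(frontier)
        escalate = True
    if cp["high_risk_payments"]:                             # step 6: funds-flow break
        labels.append("source-of-funds issue")
        facts.append("high-risk payment channel not yet traced")
        escalate = True
    if not cp["ownership_complete"]:                         # step 6: ownership break
        labels.append("ownership gap")
        facts.append("ownership chain does not reach a natural person")
        escalate = True
    if cp["sanctions_screen"] != "clear":                    # step 7: companion screen
        xrefs.append("sanctions")
        escalate = True
    labels = labels or [NO_TRIGGER]
    memo = (f"Status: {'; '.join(labels)}. "
            f"Facts: {'; '.join(facts) or 'none flagged'}. "
            f"Escalation: {'refer to counsel' if escalate else 'none indicated'}.")
    return {"name": cp["name"], "labels": labels, "xrefs": xrefs,
            "escalate": escalate, "memo": memo}


if __name__ == "__main__":
    for row in map(triage, COUNTERPARTIES):
        print(row["name"], "|", ", ".join(row["labels"]), "|", row["memo"])
```

Because the status strings live in one table, a change in the RRE appeal or the IA AML date is a one-line edit that propagates to every memo stub.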

Terms used in this article

The full glossary lives in the section’s master glossary; the terms you need for this piece:

  • BSA (Bank Secrecy Act): the statutory and regulatory framework requiring records, reports, and programs to help detect and prevent money laundering, terrorist financing, and related illicit finance.
  • AML/CFT (anti-money-laundering and countering the financing of terrorism): the modern shorthand for programs designed to prevent, detect, and report money laundering and terrorist-financing risk.
  • FinCEN (Financial Crimes Enforcement Network): the Treasury bureau that administers and enforces much of the BSA framework and manages financial intelligence under lawful access rules.
  • SAR (Suspicious Activity Report): a confidential report filed with FinCEN when suspicious activity meets applicable rule criteria; SAR contents and SAR-related disclosure require careful legal handling.
  • CTR (Currency Transaction Report): a report generally tied to cash transactions exceeding $10,000 in the daily aggregate by covered financial institutions, subject to applicable rules and exemptions.
  • BOI (Beneficial Ownership Information): ownership information reported to FinCEN under the CTA; under current FinCEN materials, domestic entities and U.S. persons are exempt, and BOI is confidential and access-limited.
  • CTA (Corporate Transparency Act): the statute codified at 31 U.S.C. 5336 that created BOI reporting, now narrowed by FinCEN’s March 2025 interim final rule.
  • RRE rule (Residential Real Estate rule): FinCEN’s residential-real-estate reporting rule for certain non-financed transfers to entities and trusts; vacated and on appeal as of this draft.
  • IA AML rule (Investment Adviser anti-money-laundering rule): FinCEN’s rule for certain RIAs and ERAs; delayed to January 1, 2028.
  • UBO (Ultimate Beneficial Owner): the natural person who ultimately owns or controls an entity after intermediate entities and nominees are traced.
  • GTO (Geographic Targeting Order): a FinCEN order requiring targeted records or reports for specified transaction types, locations, or businesses for a limited period.
  • Source of funds: evidence showing where transaction money came from, how it moved, and who controlled it.

Selected sources

  • Core BSA authority: 31 U.S.C. 5311 to 5336, including 31 U.S.C. 5311 (statutory purpose), 31 U.S.C. 5318 (AML program and suspicious-transaction authority), 31 U.S.C. 5321 and 5322 (civil and criminal penalties), 31 U.S.C. 5323 (AML whistleblower), 31 U.S.C. 5324 (structuring), and 31 U.S.C. 5336 (beneficial ownership), uscode.house.gov and govinfo.gov.
  • FinCEN, “The Bank Secrecy Act,” including the recordkeeping, cash-transaction-reporting, suspicious-activity-reporting, and Chapter X codification summary, https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act.
  • FinCEN home and mission materials, https://www.fincen.gov/.
  • USA PATRIOT Act, Pub. L. 107-56, including Title III, and FinCEN USA PATRIOT Act materials, https://www.fincen.gov/resources/statutes-and-regulations/usa-patriot-act.
  • Anti-Money Laundering Act of 2020, Division F of Pub. L. 116-283, and FinCEN AMLA materials.
  • FinCEN, “Anti-Money Laundering and Countering the Financing of Terrorism National Priorities,” June 30, 2021.
  • BOI and CTA current status: FinCEN BOI page, https://www.fincen.gov/boi; FinCEN March 21, 2025 release removing BOI reporting requirements for U.S. companies and U.S. persons; Federal Register, 90 FR 13688, March 26, 2025; BOI access and safeguards final rule materials.
  • RRE current status: FinCEN Residential Real Estate FAQ and newsroom, https://www.fincen.gov/rre-faqs and https://www.fincen.gov/rre-newsroom; Federal Register final rule, 89 FR 70258, August 29, 2024; current status per source_status_table.md is vacated and on appeal.
  • IA AML current status: FinCEN December 31, 2025 release delaying the IA AML rule to January 1, 2028; Federal Register, 91 FR 36, January 2, 2026; 2024 final rule at 89 FR 72156.
  • FinCEN April 2026 AML/CFT program proposed rule: Federal Register, 91 FR 18704, April 10, 2026, comments due June 9, 2026.
  • Enforcement example: FinCEN October 10, 2024 TD Bank release; DOJ October 10, 2024 TD Bank guilty-plea release; OCC News Release 2024-116.

Status note

  • Last reviewed: 2026-06-15.
  • Next scheduled review: 2026-09-15.
  • Current operative status: BSA/AML core is in force; BOI under the CTA is narrowed to foreign-formed entities registered to do business in a U.S. state or tribal jurisdiction and remains confidential and access-limited; the RRE rule is vacated and on appeal, so Real Estate Reports are not currently required while the order stands; the IA AML rule is delayed to January 1, 2028; FinCEN’s April 2026 AML/CFT program modernization is proposed, not final, as of this draft.
  • Watch items: the RRE appeal and any stay or reinstatement; any final CTA rule or BOI access-rule change; the January 1, 2028 IA AML effective date and any rescope; finalization or withdrawal of FinCEN’s 2026 AML/CFT program proposal; new GTOs; major BSA/AML enforcement involving banks, money services businesses, advisers, real estate, or digital assets.

By Noah Green CPA CFE, for Sheepdog Prosperity Partners. Educational only; not legal advice.