
FinCEN BSA Enforcement: The Federal Database Behind Anti-Money Laundering Civil Penalties

AI Analytics

The Financial Crimes Enforcement Network publishes every Bank Secrecy Act civil enforcement action—civil money penalties, consent orders, and cease-and-desist orders against banks, money services businesses, and cryptocurrency exchanges for failures in anti-money laundering compliance programs.

What FinCEN is

The Financial Crimes Enforcement Network is a bureau of the United States Department of the Treasury, established in 1990 by Treasury Order 105-08. FinCEN's statutory mandate derives from the Bank Secrecy Act (BSA), codified at 31 U.S.C. §§ 5311–5336, which gives the Treasury Secretary authority to require financial institutions to maintain records and file reports that are useful in criminal, tax, regulatory, and counterterrorism investigations. FinCEN administers the BSA for most financial institution types, functioning as the primary federal AML/CFT (anti-money laundering and countering the financing of terrorism) regulator for money services businesses, insurance companies, casinos, precious metals dealers, and cryptocurrency exchanges. For federally chartered banks and credit unions, FinCEN sets policy while prudential regulators—the OCC, FDIC, Federal Reserve, and NCUA—conduct examinations and can bring joint enforcement actions.

FinCEN is also the principal analytical center for financial intelligence in the US government. The bureau receives and analyzes Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) filed by financial institutions, and makes that analysis available to law enforcement and regulatory agencies. The scale is enormous: in 2022 alone, US financial institutions filed more than 3.6 million SARs. In 2020, the International Consortium of Investigative Journalists and BuzzFeed News published what became known as the FinCEN Files—a cache of leaked SARs revealing approximately $2 trillion in suspicious transactions that major global banks had processed and reported, but that had nonetheless flowed through the financial system with limited intervention. The episode focused international attention on the gap between SAR filing compliance and actual AML effectiveness.

A separate but significant FinCEN authority is the Corporate Transparency Act (CTA), enacted in 2021 as part of the National Defense Authorization Act. The CTA created the first federal beneficial ownership registry in US history, requiring most corporations, LLCs, and similar entities to report their true beneficial owners to FinCEN's Beneficial Ownership Information (BOI) database. Approximately 32 million existing companies were required to file by January 1, 2025, with new companies filing within 90 days of formation. The registry is non-public—accessible only to law enforcement and financial institutions with customer consent—addressing a long-standing gap that had allowed anonymous shell companies to serve as money laundering vehicles. The CTA's implementation encountered significant litigation: the National Small Business Association and National Federation of Independent Business brought constitutional challenges, and in January 2025 the Supreme Court stayed enforcement pending resolution of those challenges.

BSA compliance requirements

The Bank Secrecy Act and its implementing regulations at 31 C.F.R. Chapter X impose a layered set of obligations on covered financial institutions. FinCEN's enforcement actions consistently cite failures in the same four structural areas.

AML program: the four pillars

Every financial institution subject to the BSA must maintain a written anti-money laundering program that at minimum satisfies four requirements, known informally as the four pillars. First, the program must establish internal controls: written policies, procedures, and processes for detecting and reporting suspicious activity, maintaining required records, and complying with all applicable BSA requirements. Second, the program must provide for independent testing of those controls—typically an annual audit by a qualified third party or the institution's internal audit function. Third, the institution must designate a BSA compliance officer responsible for day-to-day program administration, with sufficient authority and resources to fulfill that role. Fourth, the program must provide ongoing training for applicable personnel.

FinCEN's largest enforcement actions almost uniformly involve findings that the institution's AML program was not commensurate with the risk profile of its business. TD Bank's $1.3 billion penalty in 2024 included findings that the bank had frozen its AML transaction monitoring budget for years while its correspondent banking and commercial customer base grew dramatically, and that employees had processed drug cartel transactions that were openly suspicious. The four-pillar framework sets a floor; the actual program must be calibrated to the institution's specific products, customer types, geographic footprint, and transaction volumes.

Customer Due Diligence and KYC

FinCEN's 2016 Customer Due Diligence (CDD) Rule added a fifth pillar to the AML program framework: a requirement that covered financial institutions establish and maintain written procedures to identify and verify the identity of beneficial owners of legal entity customers. The beneficial ownership threshold under the CDD Rule is 25 percent: any individual who owns or controls 25 percent or more of the equity interests of a legal entity customer must be identified and verified. Additionally, institutions must identify one individual who controls the entity, regardless of ownership percentage.

Know Your Customer (KYC) requirements more broadly require institutions to collect identifying information for all account holders—at minimum name, date of birth, address, and an identifying number such as a Social Security number or passport number for individuals, or employer identification number for entities—and to verify that information against documentary or non-documentary sources. Enhanced due diligence (EDD) is required for higher-risk customers, including Politically Exposed Persons (PEPs). A PEP is an individual who holds or has held a prominent public function in a foreign country: heads of state, senior government officials, senior executives of state-owned enterprises, senior military officials, senior judiciary officials, and their immediate family members and close associates. PEPs present elevated money laundering risk because of their access to public funds and the potential for corruption.

Currency Transaction Reports and structuring

Financial institutions must file a Currency Transaction Report (CTR) for every cash transaction exceeding $10,000 in a single business day by or on behalf of the same person, whether the transaction is conducted in a single transaction or multiple transactions that the institution knows, suspects, or has reason to know are related. CTRs must be filed with FinCEN within 15 days of the transaction.

Structuring—the practice of breaking up cash transactions into amounts below $10,000 specifically to evade CTR filing requirements, also called smurfing—is itself a federal crime under 31 U.S.C. § 5324, punishable by up to five years imprisonment. It is not necessary for the government to prove that the underlying funds were derived from criminal activity; the act of structuring with intent to evade reporting is the offense. Civil asset forfeiture is available for funds involved in structuring. The IRS Criminal Investigation division and DOJ prosecute structuring cases, which frequently arise from cash businesses, convenience stores, restaurants, and—in high-profile cases—from individuals attempting to conceal legal income from tax authorities by keeping cash transactions below the CTR threshold.
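The aggregation rule above, as an added example that is not part of the original article: cash is totalled per person per business day and compared against the $10,000 threshold, and repeated near-threshold days are queued for analyst review. The ledger, the person IDs and the `NEAR_BAND` / `MIN_NEAR_DAYS` review parameters are constructed assumptions, and the 15-day deadline is treated as calendar days.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000")         # a CTR is due when daily cash EXCEEDS this
CTR_FILING_WINDOW = timedelta(days=15)   # assumption: counted as calendar days
# Hypothetical review parameters (illustrative assumptions, not regulatory values)
NEAR_BAND = Decimal("0.80")              # daily total at or above 80% of the threshold
MIN_NEAR_DAYS = 3                        # distinct business days inside that band

# Constructed sample ledger: (person_id, business_day, cash_amount_usd).
# person_id is assumed to already resolve "by or on behalf of the same person".
SAMPLE_CASH_TXNS = [
    ("P-001", date(2024, 3, 4), Decimal("10000.00")),  # exactly 10,000: not "exceeding"
    ("P-002", date(2024, 3, 4), Decimal("6000.00")),
    ("P-002", date(2024, 3, 4), Decimal("4500.00")),   # same day: aggregates to 10,500
    ("P-003", date(2024, 3, 4), Decimal("9500.00")),
    ("P-003", date(2024, 3, 5), Decimal("9800.00")),
    ("P-003", date(2024, 3, 6), Decimal("9900.00")),
    ("P-004", date(2024, 3, 5), Decimal("12000.00")),
    ("P-005", date(2024, 3, 5), Decimal("2000.00")),
]


def daily_totals(txns):
    """Sum cash per (person, business day); related transactions count together."""
    totals = defaultdict(Decimal)
    for person, day, amount in txns:
        totals[(person, day)] += amount
    return dict(totals)


def ctr_required(txns):
    """Return (person, day, total, file_by) for each daily total above the threshold."""
    rows = [
        (person, day, total, day + CTR_FILING_WINDOW)
        for (person, day), total in daily_totals(txns).items()
        if total > CTR_THRESHOLD   # strictly greater: exactly $10,000 is not reportable
    ]
    return sorted(rows)


def sub_threshold_review(txns):
    """Persons with repeated near-threshold days that never trigger a CTR.

    This only queues a customer for analyst review; the pattern alone does
    not establish intent to evade reporting.
    """
    near_days = defaultdict(set)
    for (person, day), total in daily_totals(txns).items():
        if CTR_THRESHOLD * NEAR_BAND <= total <= CTR_THRESHOLD:
            near_days[person].add(day)
    return sorted(p for p, days in near_days.items() if len(days) >= MIN_NEAR_DAYS)


if __name__ == "__main__":
    for row in ctr_required(SAMPLE_CASH_TXNS):
        print("CTR:", row)
    print("Review:", sub_threshold_review(SAMPLE_CASH_TXNS))
```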

Suspicious Activity Reports

The SAR filing obligation is the most analytically significant BSA requirement from an enforcement data perspective. Financial institutions must file a SAR within 30 days of detecting a known, suspected, or reasonably suspected violation of federal law, or a transaction involving funds the institution suspects are derived from illegal activity, if the transaction involves at least $5,000 (lower thresholds apply for specific categories including insider abuse and certain money services business transactions). The institution must conduct reasonable due diligence in identifying the suspicious activity and document its analysis.

A critical feature of the SAR regime is the safe harbor provision under 31 U.S.C. § 5318(g)(3): financial institutions and their employees are immune from civil liability to any person for filing a SAR, provided the filing is made in good faith. This provision addresses the concern that institutions might face defamation or tortious interference claims from customers who are the subject of SARs. The safe harbor extends to the fact of the SAR filing itself, which institutions are prohibited from disclosing to the subject of the SAR or to most third parties. Disclosing to a subject that a SAR has been filed is a separate federal crime.

The Travel Rule

The Travel Rule, codified at 31 C.F.R. § 1010.410, requires financial institutions transmitting or receiving wire transfers of $3,000 or more to include and pass along certain information about the originator and beneficiary. Transmitting banks must include the originator's name, address, account number, and the beneficiary's name and account number. Receiving banks must retain this information for five years. The rule's application to cryptocurrency has been a contested regulatory question: FinCEN proposed extending Travel Rule requirements to virtual asset service providers in 2020, and the Financial Action Task Force (FATF) has set international standards for crypto Travel Rule compliance, but implementation across cryptocurrency exchanges remains uneven.

FinCEN enforcement data

FinCEN publishes its civil enforcement actions on the enforcement actions page at fincen.gov/news-room/enforcement-actions. Each action is announced through a press release that describes the institution, the civil money penalty amount, the violation period, the specific BSA violations found, and the remediation steps required. The underlying consent order or assessment document is typically published as a PDF.

Civil money penalties under the BSA are authorized by 31 U.S.C. § 5321. The maximum per-transaction penalty is $25,000 for non-willful violations and $100,000 per day for willful violations. For patterns of systemic violations—which characterize most significant enforcement actions—these daily penalties compound into figures that can reach hundreds of millions or billions of dollars before any negotiated resolution. The largest penalties are typically the product of negotiation with DOJ, OFAC, and prudential regulators; FinCEN rarely litigates enforcement through the full administrative adjudication process.

FinCEN frequently coordinates enforcement actions with other agencies. The OCC or FDIC will bring a parallel enforcement action against the same bank, resulting in separate penalty amounts from each regulator. DOJ may bring criminal charges against the institution or individual executives. OFAC may impose a sanctions penalty if the BSA violations involved transactions with designated parties. The total penalty exposure in a major BSA case is therefore the sum of multiple agency actions: HSBC's 2012 settlement, for example, involved a $1.256 billion FinCEN/DOJ deferred prosecution agreement, a $665 million OCC penalty, and separate Fed and OFAC components.

High-profile enforcement cases

The trajectory of BSA enforcement penalties over the past fifteen years reflects both the growth in AML program expectations and the entry of cryptocurrency exchanges into the regulated financial sector.

HSBC Bank USA's 2012 penalty—then the largest BSA settlement in history—arose from the bank's processing of hundreds of billions of dollars in transactions for Mexican and Colombian drug cartels, including the Sinaloa Cartel, through accounts held at HSBC Mexico. The bank had eliminated its US AML compliance function as a cost-cutting measure and had failed to monitor transactions at HSBC Mexico despite repeated internal warnings. The deferred prosecution agreement required the appointment of an independent compliance monitor.

Deutsche Bank's $630 million 2017 penalty addressed a different failure mode: the Russian mirror-trade scheme, in which Deutsche Bank's Moscow and London equities desks processed a series of simultaneous buy and sell transactions in Russian securities, moving approximately $10 billion out of Russia between 2011 and 2015. The trades had no apparent legitimate business purpose and the bank's AML monitoring systems failed to flag them. The New York Department of Financial Services led the action with FinCEN participation.

Binance's November 2023 settlement—$4.316 billion in combined penalties—is the largest BSA enforcement action in FinCEN's history. FinCEN's civil money penalty component was $3.4 billion. Binance had operated without a functional AML program for years, processed transactions for users in Iran, North Korea, Cuba, and Syria without sanctions screening, and had actively structured its corporate organization to avoid US regulatory requirements. CEO Changpeng Zhao (CZ) pleaded guilty to BSA violations and resigned. The DOJ criminal component included charges under the BSA and the International Emergency Economic Powers Act.

Cryptocurrency and the BSA

FinCEN's interpretive guidance has progressively expanded the BSA's reach into the cryptocurrency sector. The foundational document is FinCEN's 2013 guidance on the application of BSA regulations to persons administering, exchanging, or using virtual currencies. That guidance established that administrators and exchangers of convertible virtual currencies are money transmitters under the BSA's regulatory framework, subject to the full range of AML program, registration, SAR, and CTR requirements. “Convertible” virtual currency—currency that has an equivalent value in real currency or acts as a substitute for real currency—is the operative category; the framework applies to Bitcoin, Ethereum, and all similar cryptocurrencies.

A 2019 FinCEN guidance memo clarified that cryptocurrency mixing and tumbling services are money transmitters under the BSA. Mixers and tumblers pool cryptocurrency from multiple users and redistribute it in a way designed to obscure the transaction trail. The guidance noted that the provider of such services conducts money transmission regardless of whether the mixing is done as a business for compensation, eliminating a potential definitional escape route. DOJ has since criminally prosecuted mixer operators under the BSA money transmission theory.

The cryptocurrency BSA enforcement record includes several landmark cases beyond Binance. Liberty Reserve, a Costa Rica-based digital currency exchange, was shut down in 2013 in a DOJ action alleging it had processed $6 billion in criminal proceeds for cybercriminals, narcotics traffickers, and other criminals. Its founder, Arthur Budovsky, pleaded guilty to money laundering. BitInstant and its CEO Charlie Shrem were charged in 2014 with failing to maintain an AML program and aiding and abetting the operation of an unlicensed money transmitting business; Shrem pleaded guilty and served two years. BTC-e, a Russia-linked exchange, was seized in 2017 and its alleged operator Alexander Vinnik was charged with laundering $4 billion in Bitcoin proceeds; FinCEN assessed a $110 million penalty against the exchange. BitMEX, a derivatives exchange that had processed over $11 trillion in transactions, paid $100 million in 2021 after DOJ charged its founders with willfully failing to maintain an AML program.

Shell companies and the Corporate Transparency Act

For decades, the most significant structural gap in the US AML framework was the absence of a federal beneficial ownership registry. Anonymous shell companies—corporations and limited liability companies with no public disclosure of their true owners—were a primary vehicle for money laundering through the US financial system. A financial institution opening an account for an LLC with no disclosed individual owners had no reliable mechanism to determine whether the entity was controlled by a drug trafficker, a sanctioned foreign official, or a legitimate business operator. The 2016 CDD Rule required banks to collect beneficial ownership information from customers at account opening, but the underlying state incorporation records remained opaque.

The Corporate Transparency Act, enacted as part of the National Defense Authorization Act for Fiscal Year 2021, created the federal Beneficial Ownership Information (BOI) database at FinCEN to address this gap. Effective January 1, 2024, most corporations, limited liability companies, and similar entities formed or registered to do business in the United States must report their beneficial owners—defined as individuals who own or control at least 25 percent of the entity, or who exercise substantial control over the entity regardless of ownership percentage—to FinCEN. Existing companies had until January 1, 2025 to file; companies formed after January 1, 2024 must file within 90 days of formation.

Willful failure to file or providing false information carries penalties of up to $10,000 in civil fines and up to two years of criminal imprisonment. The BOI database is not publicly searchable; access is restricted to law enforcement agencies, national security agencies, and financial institutions conducting required due diligence with customer consent. The CTA's implementation encountered legal challenges almost immediately after it took effect. In January 2025 the Supreme Court stayed enforcement of the CTA's reporting requirements while litigation—including the National Federation of Independent Business and National Small Business Association challenges on constitutional commerce clause and non-delegation grounds—proceeded in the lower courts. The stay created uncertainty for the approximately 32 million existing companies that had been required to file by the January 2025 deadline.

Accessing the enforcement data

FinCEN's enforcement actions are published as press releases on the FinCEN website, each linked to the underlying PDF consent order or assessment. There is no structured database API, no bulk download endpoint, and no machine-readable index. The press releases follow a consistent format that includes the institution name, penalty amount, violation period, and a narrative description of the violations; the PDF documents provide the complete factual findings and remediation requirements.

For structured analysis, the primary data sources are: the FFIEC BSA/AML Examination Manual, which describes examination standards and provides a framework for understanding what constitutes a violation; bank enforcement action databases maintained by the OCC, FDIC, and Federal Reserve, which include parallel actions for bank respondents and are more consistently structured than FinCEN's press release format; and FinCEN's own annual report, which provides aggregate statistics on SAR and CTR filing volumes, enforcement activity, and regulatory initiatives. Key data points in the PDF consent orders include: institution name and charter type, civil money penalty amount, the specific regulatory violations cited by 31 C.F.R. citation, the violation period (typically multi-year), the remediation steps required, and whether an independent compliance monitor was imposed.

Python analysis of BSA enforcement patterns

The following script uses an embedded dataset compiled from FinCEN press releases and consent orders to compute penalty distributions across institution types, year-over-year penalty totals, the ten largest BSA penalties in the enforcement record, and average penalty trends by period. Because FinCEN publishes no bulk API or download, production analysis requires either scraping the press release archive and parsing PDFs with a tool like pdfminer or pypdf, or using a commercial legal research database that has structured the enforcement record.

```python
import csv
import sys
from collections import defaultdict

# Representative dataset of major BSA/AML enforcement actions
# Source: FinCEN enforcement actions (fincen.gov/news-room/enforcement-actions)
# FinCEN does not publish a structured API or bulk CSV; this dataset is compiled
# from published press releases and consent orders.

ENFORCEMENT_ACTIONS = [
    # (institution, type, year, penalty_usd, violation_description)
    ("HSBC Bank USA", "bank", 2012, 1_256_000_000, "Mexican cartel AML failures, sanctions violations"),
    ("MoneyGram", "msb", 2012, 100_000_000, "Failure to maintain effective AML program; fraud facilitation"),
    ("JPMorgan Chase", "bank", 2014, 461_000_000, "BSA/AML failures related to Bernie Madoff accounts"),
    ("BNP Paribas", "bank", 2014, 8_900_000_000, "Sanctions evasion for Sudan, Iran, Cuba — coordinated DOJ/OFAC"),
    ("Ripple Labs", "msb", 2015, 700_000, "Failure to register as MSB; no AML program"),
    ("Western Union", "msb", 2017, 586_000_000, "Failure to maintain AML program; aiding and abetting wire fraud"),
    ("Deutsche Bank", "bank", 2017, 630_000_000, "Russian mirror-trade scheme; AML program failures"),
    ("U.S. Bancorp", "bank", 2018, 528_000_000, "Willful failures in AML program; SAR filing deficiencies"),
    ("Capital One", "bank", 2021, 390_000_000, "Willful BSA violations; AML program and SAR failures"),
    ("BitMEX", "crypto", 2021, 100_000_000, "Failure to register as MSB; no KYC/AML program"),
    ("NEC Networks (Beachhead)", "msb", 2021, 1_500_000, "AML program failures at check-cashing operation"),
    ("Payoneer", "msb", 2021, 1_400_000, "AML program deficiencies; sanctions screening gaps"),
    ("USAA Federal Savings Bank", "bank", 2022, 140_000_000, "Willful BSA violations; SAR and CTR filing failures"),
    ("Danske Bank", "bank", 2022, 2_059_000_000, "Estonian branch AML failures; $200B in suspicious flows"),
    ("Silvergate Bank", "bank", 2023, 43_000_000, "Failures in AML monitoring for crypto clients"),
    ("Binance", "crypto", 2023, 4_316_126_163, "Willful BSA violations; AML program; sanctions evasion — CZ pleaded guilty"),
    ("TD Bank", "bank", 2024, 1_300_000_000, "Systemic AML failures; drug cartel transaction processing"),
    ("Liberty Reserve", "crypto", 2013, 6_000_000_000, "Unlicensed money transmitter; $6B in criminal proceeds"),
    ("BTC-e / Alexander Vinnik", "crypto", 2017, 110_003_314, "Operating unlicensed crypto exchange; AML failures"),
    ("BitInstant / Charlie Shrem", "crypto", 2014, 950_000, "Willful failure to file SARs; unlicensed MSB operation"),
    ("First Bank of Delaware", "bank", 2012, 15_000_000, "Third-party payment processor AML failures"),
    ("Lone Star National Bank", "bank", 2015, 2_000_000, "BSA/AML program deficiencies at Texas border bank"),
    ("Comptoir National d'Escompte de Paris", "bank", 2015, 350_000_000, "Sanctions violations; coordinated with DOJ and OFAC"),
    ("Merchants Bank of California", "bank", 2016, 7_000_000, "AML program failures; MSB customer monitoring"),
    ("Eurobank", "bank", 2016, 2_100_000, "AML program deficiencies; CTR filing failures"),
]

# (a) Penalties by institution type
type_totals = defaultdict(lambda: {"count": 0, "total": 0})
for name, itype, year, penalty, desc in ENFORCEMENT_ACTIONS:
    type_totals[itype]["count"] += 1
    type_totals[itype]["total"] += penalty

print("\n=== BSA Penalties by Institution Type ===")
type_labels = {"bank": "Bank/Depository", "msb": "Money Services Business", "crypto": "Crypto Exchange"}
for itype, label in type_labels.items():
    d = type_totals[itype]
    avg = d["total"] / d["count"] if d["count"] else 0
    print(f"{label}: {d['count']} actions, ${d['total']:,.0f} total, ${avg:,.0f} avg")

# (b) Total penalty by year (2010-2024)
year_totals = defaultdict(int)
for name, itype, year, penalty, desc in ENFORCEMENT_ACTIONS:
    year_totals[year] += penalty

print("\n=== Total BSA Penalty Amount by Year ===")
for yr in sorted(year_totals):
    bar = "#" * min(40, int(year_totals[yr] / 500000000))
    print(f"{yr}: ${year_totals[yr]:>15,.0f}  {bar}")

# (c) Top 10 largest BSA penalties ever
print("\n=== Top 10 Largest BSA Civil Penalties ===")
sorted_actions = sorted(ENFORCEMENT_ACTIONS, key=lambda x: x[3], reverse=True)
writer = csv.writer(sys.stdout)
writer.writerow(["Rank", "Institution", "Type", "Year", "Penalty (USD)", "Notes"])
for i, (name, itype, year, penalty, desc) in enumerate(sorted_actions[:10], 1):
    writer.writerow([i, name, itype, year, f"${penalty:,.0f}", desc])

# (d) Average penalty by period
print("\n=== Average Penalty by Period ===")
periods = {"2010-2014": [], "2015-2019": [], "2020-2024": []}
for name, itype, year, penalty, desc in ENFORCEMENT_ACTIONS:
    if 2010 <= year <= 2014:
        periods["2010-2014"].append(penalty)
    elif 2015 <= year <= 2019:
        periods["2015-2019"].append(penalty)
    elif 2020 <= year <= 2024:
        periods["2020-2024"].append(penalty)

for period, penalties in periods.items():
    if penalties:
        avg = sum(penalties) / len(penalties)
        total = sum(penalties)
        print(f"{period}: {len(penalties)} actions, ${avg:,.0f} avg, ${total:,.0f} total")
```

The output illustrates several structural features of BSA enforcement. Cryptocurrency exchanges have generated the largest individual penalties despite comprising a small share of the total action count, a pattern that reflects both the scale of unmonitored transaction flows on major crypto platforms and the political priority FinCEN and DOJ placed on establishing BSA compliance precedents in the sector. Banks generate more actions by count but the penalty distribution is heavily right-skewed by a handful of mega-penalties. The post-2020 period shows a sharp increase in average penalty magnitude, driven by Binance, TD Bank, Silvergate, and USAA Federal Savings Bank.

For researchers building a full enforcement database, the recommended approach is to use requests and BeautifulSoup to scrape the FinCEN enforcement actions page, extract PDF links, and then use a PDF parsing library to extract the penalty amount, institution name, and violation period from the document header and findings section. Regex patterns for dollar amounts and the consistent structure of consent orders make this feasible; OCR may be required for older scanned documents. The resulting structured dataset can be enriched by joining on institution name against FDIC call report data (for banks) or FinCEN MSB registration records (for money services businesses) to add financial metrics and cross-reference regulatory identifiers.
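A sketch of the field-extraction step for the key data points listed earlier and the regex approach described above, added here as an example and not taken from the original article. It runs on already-extracted text; the sample order, the function names and the phrase patterns are constructed assumptions. The sample shows why taking the largest dollar figure is wrong: transaction volumes often exceed the penalty.

```python
import re
from decimal import Decimal

# Constructed sample in the style of a consent order; not a real FinCEN document.
SAMPLE_ORDER_TEXT = """\
ASSESSMENT OF CIVIL MONEY PENALTY
In the matter of Example Trust Bank, N.A.
FinCEN has determined that Example Trust Bank willfully violated the Bank
Secrecy Act from January 2016 through March 2021. The Bank failed to
implement an adequate AML program (31 C.F.R. § 1020.210) and failed to file
suspicious activity reports (31 C.F.R. § 1020.320). The Bank processed more
than $2.4 billion in unmonitored wires and agrees to a civil money penalty
of $390,000,000. The Bank will retain an independent compliance monitor.
"""

SCALE = {"": 1, "thousand": 10**3, "million": 10**6, "billion": 10**9}
# "$390,000,000", "$1,500.50", "$2.4 billion"; a sentence-ending period is not consumed.
AMOUNT = (r"\$\s?(\d{1,3}(?:,\d{3})+(?:\.\d+)?|\d+(?:\.\d+)?)"
          r"(?:\s+(thousand|million|billion))?")
AMOUNT_RE = re.compile(AMOUNT, re.I)
# The penalty is the amount tied to the word "penalty", not the largest figure.
PENALTY_RES = [
    re.compile(rf"penalty\s+(?:of|in\s+the\s+amount\s+of)\s+{AMOUNT}", re.I),
    re.compile(rf"{AMOUNT}\s+(?:civil\s+money\s+)?penalty", re.I),
]
MONTHS = (r"(?:January|February|March|April|May|June|July|August|"
          r"September|October|November|December)")
PERIOD_RE = re.compile(
    rf"from\s+(?:{MONTHS}\s+)?(\d{{4}})\s+(?:through|to|until)\s+(?:{MONTHS}\s+)?(\d{{4}})",
    re.I,
)
CFR_RE = re.compile(r"31\s+C\.F\.R\.\s+§{1,2}\s*(\d+\.\d+)")
MONITOR_RE = re.compile(r"independent\s+(?:compliance\s+)?monitor", re.I)


def to_usd(number, scale):
    """Convert a matched number and optional scale word to whole dollars."""
    return int(Decimal(number.replace(",", "")) * SCALE[(scale or "").lower()])


def find_penalty(text):
    """Return the amount attached to 'penalty', or None when no such phrase exists."""
    for pattern in PENALTY_RES:
        match = pattern.search(text)
        if match:
            return to_usd(match.group(1), match.group(2))
    return None


def extract_fields(text):
    """Pull the structured fields out of consent-order or press-release text."""
    period = PERIOD_RE.search(text)
    return {
        "penalty_usd": find_penalty(text),
        "all_amounts_usd": [to_usd(m.group(1), m.group(2)) for m in AMOUNT_RE.finditer(text)],
        "cfr_citations": CFR_RE.findall(text),
        "violation_period": (int(period.group(1)), int(period.group(2))) if period else None,
        "monitor": bool(MONITOR_RE.search(text)),
    }


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE_ORDER_TEXT).items():
        print(f"{key}: {value}")
```

Records where `penalty_usd` is `None` or differs from every figure a human reviewer expects should be routed to manual review before they enter the dataset.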

