Module 4 · Lesson 4

Record Keeping Requirements

Transaction Monitoring & SAR Filing

BSA Record Keeping: The Foundation of Compliance

Record keeping isn't glamorous, but it's where many fintechs fail their first examination. Under the Bank Secrecy Act (31 U.S.C. § 5313 and 31 CFR Part 1010), financial institutions must create and retain specific records for defined periods. The core retention period is 5 years from the date of the transaction or account closure — whichever is later. Get this wrong, and you may face penalties even if your AML program is otherwise solid.

Records You Must Retain

1. Customer Identification Program (CIP) Records — 5 Years After Account Closure

  • Copy of the identification document (or a description of it, including type, number, and expiration date)
  • Record of the verification method used (documentary vs. non-documentary)
  • Results of identity verification, including any discrepancies
  • If you used a third-party verification service, retain the response/output
  • Any exceptions or overrides to standard CIP procedures, with written justification

2. Currency Transaction Reports (CTRs) — 5 Years

You must file a CTR (FinCEN Form 112) for any cash transaction exceeding $10,000 in a single business day. Key requirements:

  • File within 15 calendar days of the transaction
  • Aggregate multiple cash transactions by the same person that total over $10,000 in a day
  • Retain a copy of each CTR filed, along with supporting documentation
  • Even if a customer is exempt from CTR filing (under 31 CFR 1020.315), you must retain the exemption documentation

3. Suspicious Activity Reports (SARs) — 5 Years

  • Retain a copy of every SAR filed, including the narrative
  • Retain all supporting documentation: transaction records, investigation notes, analyst worksheets
  • Keep records of SAR decisions — including decisions NOT to file (with documented reasoning)
  • SARs and supporting documentation must be available to FinCEN and your examiner upon request

4. Funds Transfer Records — 5 Years

Under the "Travel Rule" (31 CFR 1010.410), for any funds transfer of $3,000 or more, you must retain:

  • Name and address of the originator
  • Amount of the transmittal
  • Date of the transmittal
  • Identity of the recipient's financial institution
  • Account number of the recipient (if available)
  • Name and address of the beneficiary

5. OFAC Screening Records — 5 Years

  • Records of every sanctions screening performed (customer onboarding and ongoing)
  • Hits and false positives, with documentation of how each was resolved
  • Records of any blocked or rejected transactions due to OFAC matches
  • You must report blocked property to OFAC within 10 business days

6. Transaction Monitoring Records — 5 Years

  • Alert details: what triggered the alert, which rule, threshold, and parameters
  • Analyst disposition: how the alert was resolved and by whom
  • Investigation notes for each alert, whether it resulted in a SAR or not
  • Rule change logs: what rules were modified, when, why, and by whom
  • System validation and testing records (model validation reports)

Audit Trail Requirements

Beyond retaining specific documents, you need a comprehensive audit trail that demonstrates your compliance program is functioning. This includes:

  • User access logs: Who accessed what data, when, and what actions they took. This is especially critical for SAR-related information.
  • Decision logs: Every compliance decision — onboarding approvals, enhanced due diligence results, SAR/No-SAR determinations — must have a timestamp, the decisionmaker's name, and documented reasoning.
  • Policy version history: Retain all versions of your BSA/AML policies and procedures with effective dates. Examiners will want to see what policy was in effect at the time of a given transaction.
  • Training records: Dates of BSA/AML training for each employee, topics covered, attendance records, and test results (if applicable). Under 31 CFR 1010.810, training is a pillar of your AML program.
  • Independent testing reports: Results of your annual or biennial independent AML audit, including findings and management's response to each finding.

Practical Storage and Retrieval

  • Searchability matters. Examiners will request specific records — "Show me all SARs filed on accounts opened in Q3 2025" — and expect them within hours, not weeks. Ensure your storage system supports search by customer name, account number, date range, and record type.
  • Use immutable storage for compliance records, such as AWS S3 Object Lock, Azure Immutable Blob Storage, or an equivalent. Records must not be alterable after creation.
  • Implement retention policies programmatically. Don't rely on manual deletion. Set up automated retention schedules that flag records approaching their retention deadline, and require explicit approval before any deletion.
  • Back up everything. Maintain geographically redundant backups. Examiners will not accept a system failure as an excuse for lost compliance records.
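
The programmatic retention schedule described above, sketched as an added example (not code from this course): it computes the deadline as 5 years from the later of the transaction date and account closure, flags records approaching that deadline, and only marks a deletion approved when a named approver and a reason are supplied. The `Record` fields, the 90-day warning window, and the rule that records on still-open accounts are always retained are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_YEARS = 5                    # core period stated in this lesson
WARNING_WINDOW = timedelta(days=90)    # assumption: how early to flag

@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str                   # e.g. "CIP", "CTR", "SAR"
    transaction_date: date
    account_closed: Optional[date]     # None while the account is open

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # Feb 29 -> Mar 1, never shortens retention
        return date(d.year + years, 3, 1)

def retention_deadline(rec: Record) -> Optional[date]:
    """Later of transaction date and account closure, plus 5 years."""
    if rec.account_closed is None:
        return None                    # assumption: open account => keep
    start = max(rec.transaction_date, rec.account_closed)
    return add_years(start, RETENTION_YEARS)

def status(rec: Record, today: date) -> str:
    deadline = retention_deadline(rec)
    if deadline is None or today < deadline - WARNING_WINDOW:
        return "RETAIN"
    return "APPROACHING" if today < deadline else "ELIGIBLE"

def request_deletion(rec: Record, today: date, approver: str, reason: str) -> dict:
    """Never deletes anything itself; returns a decision-log entry."""
    state = status(rec, today)
    approved = state == "ELIGIBLE" and bool(approver.strip()) and bool(reason.strip())
    return {"record_id": rec.record_id, "date": today.isoformat(), "status": state,
            "approver": approver, "reason": reason, "approved": approved}

# Constructed sample records, not real data.
SAMPLE = [
    Record("cip-001", "CIP", date(2019, 3, 1), date(2020, 2, 29)),
    Record("ctr-002", "CTR", date(2021, 6, 15), date(2021, 1, 10)),
    Record("sar-003", "SAR", date(2018, 5, 5), None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.record_id, retention_deadline(r), status(r, date(2025, 3, 1)))
```

The entry returned by `request_deletion` is meant to be written to the decision log whether or not the request is approved, so refused deletion attempts are also on record.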

Record Keeping Checklist

  • CIP records retained for 5 years post-account closure
  • CTRs filed within 15 days, copies retained 5 years
  • SARs and supporting documentation retained 5 years
  • Funds transfer records ($3,000+) retained 5 years
  • OFAC screening logs retained 5 years
  • Transaction monitoring alerts and dispositions retained 5 years
  • Policy versions, training records, and audit reports archived with dates
  • Audit trail logs are immutable and searchable
  • Automated retention policies are configured and tested
  • Backup and disaster recovery plan covers all compliance records

Practical Tip: During your first month of operations, create a "Record Retention Matrix" — a single document that lists every record type, the applicable regulation, the retention period, the storage location, and the responsible team. Review this matrix annually. This one document can save you hours during an examination.