Deep Dive into Consumer Finance
Podcast: BSA, OFAC, KYC, and CIP – What do they mean to me?
The Bank Secrecy Act (BSA) and parts of the U.S. Patriot Act’s Office of Foreign Asset Control (OFAC) requirements have seemingly similar goals: to prevent money laundering and the funding of terrorist activities. Yet a lively debate surrounds which entities are covered by these acts, what the acts stipulate, and what entities must do to comply with them.
In this episode, Consumer Financial Services Regulatory Compliance attorneys Sarah Edwards (New Orleans), Chris Couch (Birmingham), and Jeff Barringer (Albany) discuss the manner in which these requirements vary based on the type of financial institution, whom they serve, and what they do.
Sarah Edwards: My name is Sarah Edwards. I’m part of McGlinchey’s Consumer Financial Services compliance group. I’m joined today by my colleagues, Chris Couch in the Birmingham office and Jeff Barringer in the Albany office, who are also part of the regulatory compliance group, to talk about these issues today. So Jeff and Chris, let’s kick off the discussion. Who is subject to the Bank Secrecy Act?
Chris Couch: Financial institutions are the principal subject of the BSA and Anti-Money Laundering rules.
Jeff Barringer: So, generally, the Bank Secrecy Act requires the development of an anti-money laundering program intended to identify abnormal or high-risk transactions that could potentially be used in connection with money laundering, to fund terrorism, or in connection with other illegal activity.
Sarah Edwards: And what does the term “financial institution” mean under the BSA?
Jeff Barringer: A financial institution generally means a bank or a depository institution, a credit union, a casino, money services business, and a loan or finance company with a caveat. And it’s only certain loan or finance companies that are subject to the Act, and they are treated differently in terms of their expected conduct with respect to their AML/BSA program, compared to other types of financial institutions.
Sarah Edwards: What is the definition of a “loan or finance company” under the BSA regs?
Jeff Barringer: Generally, a loan or finance company is an entity that is engaged in whole or in part in the capacity of certain lending or financial activities as designated by regulation, by FinCEN. And currently, FinCEN has only designated two types of entities as loan or finance companies. Those two types of entities are mortgage lenders, which would be the entity that’s explicitly listed in the note as being the initial payee in connection with a mortgage transaction, and mortgage originators. And a mortgage originator is the party that accepts a mortgage loan application or offers or negotiates the terms of a residential mortgage loan. So currently only residential mortgage lenders and originators are covered. And just one nuance here is that you are covered by this definition if you engage in this activity, whether or not you do it regularly in an ongoing manner. So for example, one of the items that may trigger the need for a mortgage broker or a mortgage loan originator license is offering or negotiating a residential mortgage loan, or taking an application for a residential mortgage loan, for compensation or gain. So the distinction and the broader breadth of this AML/BSA requirement in connection with that activity does not require you to be compensated to engage in the activity. So if you’re involved in other business activities and in connection with those business activities, you happen to be the conduit through which an application is received to facilitate that type of transaction, you are covered, even though you may not be a mortgage broker or mortgage loan originator for state licensing purposes, as an example.
Sarah Edwards: Let’s talk a little bit about what the BSA requires. How does it try to prevent money laundering and terrorist financing activities?
Chris Couch: Well, as Jeff said, the requirements differ between financial institutions based on the type of financial institution you may be. And there’s further a distinction between the money laundering requirements and the terrorist finance requirements. And that’s sort of the rub. Speaking very generally, the BSA requires financial institutions to do a couple of things. One is monitor suspicious transactions and report those to the government. And in order to do that, financial institutions have to have a practice, a policy and a practice for identifying what is suspicious. That’s based on the type of transactions engaged in through the financial institution. So casinos may be changing cash and gaming. Banks may be any manner of financial transactions, from intermediating payments to issuing loans, et cetera. Financial institutions that are money transmitters would be moving money from one place to another, of course. And as Jeff said, finance companies as identified in the FinCEN regulations (that’s the Financial Crimes Enforcement Network, a division of Treasury that’s charged with BSA implementation), the loan company universe is relatively small and focuses on mortgage origination. So what it means to identify your customer and monitor suspicious transactions differs along institutional lines. Now with respect to terrorist finance, the goal is a little more streamlined. It is not to do business with folks who have been identified as high risk, such that they may facilitate terrorist financing. So there are two distinct goals and they have two distinct sets of operational requirements.
Sarah Edwards: Okay. So what I’m hearing you say is that there is this requirement under the BSA to kind of “know your customer.” I want to switch gears a little bit and I want to talk about OFAC, because I think it would be easy for us at this point to say, “oh, the BSA’s Know Your Customer requirements only apply to a certain set of entities, and that’s the end of the story.” But we know that’s not the end of the story. So tell me a little bit about OFAC (Office of Foreign Asset Control). What are the OFAC requirements? And who’s subject to OFAC?
Jeff Barringer: At a high level, OFAC maintains a list of Specially Designated Nationals, sanctioned persons, and blocked persons. And the prohibition is essentially, “do not do business with these individuals or entities,” or if you do run across one of these individuals or entities, confirm that the business that you plan to undertake with them is permitted under the sanctions or the requirements that are dictated with respect to that particular individual or entity. So at a high level, it’s “don’t do business with folks on this list.”
Sarah Edwards: Where can I find this OFAC list?
Chris Couch: Well, the short answer is at OFAC. OFAC is the Office of Foreign Asset Control. It also is a department of Treasury and division of Treasury, and they literally maintain the list. It’s publicly available on their website. Financial institutions can connect directly with the office electronically and it can be automated, the review. But it can also be done manually over the internet.
Jeff Barringer: Yeah, and there’s one way that a lot of institutions comply with this requirement, particularly in the consumer finance space, is [through] the credit reporting bureaus or the party that they use to obtain a credit report that they’re getting for underwriting purposes. One of the services that’s often offered is an OFAC check. And so you can utilize a third party to run your OFAC check, and a vendor, if you do not want to either connect directly with the institution, directly connect with OFAC, or otherwise manually run a check through running searches through the list yourself.
Sarah Edwards: Is everyone required to comply with this OFAC check requirement? So if I am selling a piece of art on Craigslist as an individual in the United States, do I have to go and check this OFAC list?
Chris Couch: Yeah, absolutely. The requirement to check OFAC applies to everyone: individuals, entities. The prohibition is sweeping. As a practical matter, if you’re selling a piece of artwork on Craigslist, while the requirement applies and you’re subject to OFAC, the likelihood of that being a high-risk transaction is low and the likelihood of violation then low. And as a result, the likelihood of any sort of negative consequence for not checking the OFAC list, also pretty low. But, and as a result, it becomes complicated when companies find themselves a unique sort of financial institution for BSA purposes, that is a company that may not have an express requirement to identify people, but who’s also subject to this sweeping OFAC requirement that says, “you can’t do business with Specially Designated Nationals or blocked persons.”
Jeff Barringer: Yeah, Chris, I just want to follow up on that because you’re alluding to the fact that there are certain loan or finance companies that don’t have a CIP (Customer Identification Program) requirement or a KYC (Know Your Customer) requirement, which is accurate. You know, for example, you have internet-based lenders, unsecured lenders, that don’t have a BSA/AML requirement, and as a result, have no CIP requirement dictated by FinCEN regulations. And then similarly, loan or finance companies or residential mortgage lenders/originators that actually do have FinCEN AML/BSA requirements, do not have an explicit “know your customer” requirement. So they don’t have the same obligations that are imposed on a financial institution or a money transmitter, for example.
Chris Couch: That’s right, Jeff. And that’s exactly the rub, that the FinCEN requirements implementing the Bank Secrecy Act do not uniformly require financial institutions to have a Customer Identification program, a CIP, or a Know Your Customer program, or KYC, as is commonly used. Those requirements are not universal. So certain financial institutions are not required to identify their customers in a very literal sense under the BSA. And yet they still have to comply with OFAC. How do you advise clients that find themselves in that gap?
Jeff Barringer: Yeah, so there are elements of a CIP or KYC requirement that loan or finance company or a non-BSA regulated institution needs to undertake generally. One of the requirements is, for example, if you’re a lender, you want to know that the customer who’s borrowing money from you is who they say they are. Otherwise, you could have loan losses or defaults because a consumer who has been loaned money, that is not the individual who you think they are, has no incentive to repay. Another reason would be if Customer Identification Programs go part and parcel with an AML program to identify if a transaction is a risky transaction, or is not. For example, making a mortgage loan to an individual who has previously been convicted of mortgage fraud is a risky proposition. And so you would want to know who your customer is to identify whether or not they have previously engaged in mortgage fraud. And then under the Fair Credit Reporting Act (FCRA), as another example, you need a permissible purpose to obtain a credit report. And if you don’t know that the customer giving you consent to pull their credit is the actual individual who you are going to pull credit on, then you don’t have a permissible purpose because it’s a different individual. And so the requirement to have a CIP program under the BSA/AML, while it is limited to certain financial institutions, other institutions are doing it anyway and have to do it anyway, just out of pure business reasons.
Chris Couch: Operational necessity.
Jeff Barringer: That’s right.
Chris Couch: You know, interestingly, I think, that marries up with the purposes of BSA and the OFAC directives in the Patriot Act, because they also are sort of a risk-based, operationally sound approach — or intended to be operationally sound. They are tools imposed by the government on the private sector to achieve certain goals. And that, I think, is why the requirements differ depending on the type of institution you are, some being more limited, some being more robust. And the institutions to which they apply, even, are instructed through guidance, or permitted through guidance, to take a risk-based approach depending on the complexity of their operations, the nature. So for instance, one of the world’s largest financial institutions would need a far more robust program than a single branch bank that focuses on community-based activities and lending. Similarly, a money transmitter or money services business that engages with unknown consumers over the internet and sends money internationally may be a fairly simple business, but it may be a fairly risky business. And the requirements for BSA and OFAC would apply differently, even though it’s a mono-line small business. Is that more or less what you’re getting at and what you would describe?
Jeff Barringer: Yeah, that’s right. And if we were to take, you know, Sarah’s example of selling art over the internet on Craigslist, I think that might highlight this issue in a more simple manner. If Sarah is selling a piece of art and it’s to an individual that lives down the street from her, that might fundamentally pose less OFAC risk that she’s dealing with a blocked person than if she is taking that piece of art and sending it to Croatia, as an example. And so what would be reasonable under those circumstances, and the OFAC risk, might be fundamentally different based on who her buyer is. The same goes for a financial institution: where your consumer is located and what segment of the industry you’re serving, and the types of consumers you’re serving, is going to dictate different elements in your AML/BSA OFAC compliance program.
Sarah Edwards: So, Jeff and Chris, what are our key takeaways from this discussion?
Chris Couch: The primary takeaway, I think, when dealing with BSA/AML issues and OFAC is not only to know your customer, but to know your business. Different businesses pose different risks, as we’ve been discussing, and different transactions with different customers. So to bring it all home, if you’re a financial institution and you’re trying to comply, the best thing to do is really to know your business: to be in touch with how you interact with the financial system, the money you take in, the money that goes out, who your customers are, and importantly, who your customers are not. This is not a one-size-fits-all area. It’s risk-based, it’s reasonable. It’s a reasonableness standard. And so understanding your business is really the key to best practices with BSA compliance.
That wraps up our conversation for the day. This is part of our Deep Dive series on the Bank Secrecy Act and Anti-Money Laundering laws. Please stay tuned for more in that vein. And if you have any questions, please feel free to reach us at mcglinchey.com.
Sarah Edwards: Thank you, everyone, for listening to this episode of our McGlinchey podcast!
© Copyright 2025 McGlinchey Stafford PLLC. This communication is published by the law firm McGlinchey Stafford and may be considered attorney advertising under the ethical rules of certain jurisdictions. It is not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations that McGlinchey Stafford has accepted an engagement as counsel to address. No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other attorneys. For further information, please see our Disclaimer and Privacy Policy.