How Does the Bank Secrecy Act Apply to Cryptocurrency Businesses?

Updated July 13, 2026 6 min read

When people picture financial regulation, they usually think of banks filling out forms in back offices. Cryptocurrency platforms operate under a surprisingly similar set of obligations, even though the assets themselves are new.

The short answer

The Bank Secrecy Act (BSA) is a decades-old US law that requires certain financial businesses to help prevent money laundering by verifying who their customers are, keeping records, and reporting suspicious activity. Many cryptocurrency exchanges and other platforms that move funds on behalf of customers qualify as “money services businesses” under the BSA, which means they carry many of the same compliance duties as traditional banks.

Why crypto platforms fall under the BSA at all

The BSA doesn’t name cryptocurrency specifically — it was written long before digital assets existed. Instead, it applies based on function: any business that accepts and transmits value on behalf of others can be treated as a money transmitter or money services business. Regulators have concluded that platforms letting customers convert cash into crypto, or move crypto between parties, generally perform that same transmitting function. That functional test is also why questions like whether Ethereum counts as a security get evaluated separately — securities law and the BSA are asking different questions about the same asset.

Core obligations that apply

A crypto business covered by the BSA typically has to build out a compliance program that includes several standard pieces:

These duties are one reason exchanges sometimes ask why a large withdrawal is being made — documenting the purpose of unusual activity is part of the same monitoring framework.

How enforcement actually works

The Financial Crimes Enforcement Network, a bureau of the Treasury Department, is the primary regulator administering the BSA for money services businesses, including many crypto platforms. This sits alongside how the Treasury Department more broadly classifies digital assets — through an anti-money-laundering and financial-stability lens rather than a securities or commodities one. Registration with FinCEN, combined with state-level money transmitter licensing in many cases, forms the baseline legal footing a crypto business needs before it can lawfully move customer funds. Falling short of these obligations can expose a company to civil penalties, loss of licensing, or in serious cases criminal liability.

What this means for individual users

For an everyday user, the practical effect is mostly friction: identity verification during signup, occasional requests for source-of-funds documentation, and account holds while a platform reviews unusual activity. None of this reflects wrongdoing by the user — it reflects the platform fulfilling its own legal duty. It’s also worth remembering that crypto held on these platforms carries risks the BSA framework doesn’t address at all, including price volatility, the possibility of an exchange becoming insolvent, and the fact that funds held with a company aren’t covered by FDIC or SIPC protection the way insured bank deposits or certain brokerage assets are.

The takeaway

The Bank Secrecy Act treats many crypto businesses the same way it treats banks and money transmitters: as gatekeepers responsible for knowing their customers and watching for illicit activity. Understanding this framework helps explain much of the identity verification and transaction monitoring users encounter on crypto platforms, even though the underlying technology looks nothing like a traditional bank account.