How-to guide: How to identify suspicious activity and make a Suspicious Activity Report (SAR) (USA)

Updated as of: 17 July 2025

Introduction

This guide will assist in-house counsel and private practice lawyers within financial institutions to ensure suspicious activity reporting compliance. It sets out key issues to address and points to consider when preparing a program to monitor the reporting of suspicious activity compliance. This guide is aimed at in-house lawyers and compliance professionals in organizations of all sizes and sectors in the United States.

The requirements for compliance may also be governed by state or local laws. This guide is a general statement of the laws applicable in most US jurisdictions and is not a comprehensive summary. You are advised to consult local laws before developing a compliance program of this type.

The guide covers the following sections:

  1. Introduction to suspicious activity reports
  2. Components of effective suspicious activity monitoring and reporting systems
  3. Completing and filing a suspicious activity report

The checklist can be used in conjunction with the How-to guide: How to monitor Bank Secrecy Act (BSA) compliance and Checklist: Initial response to a report of suspicious activity.

Section 1 – Introduction to suspicious activity reports

Suspicious Activity Reports (SARs) are the cornerstone of the reporting system under the Bank Secrecy Act of 1970 (BSA), as amended by the USA PATRIOT Act of 2001 (PATRIOT Act). The BSA requires certain financial institutions to assist US government agencies in the detection and prevention of money laundering and criminal financial activity.

Financial institutions and businesses that provide money transfers, currency dealing or exchange, or that issue, sell, or redeem money orders or traveler’s checks, must follow the BSA reporting requirements. The adequacy and effectiveness of the SAR system depends on the quality of SAR content (see further below).

For further information on BSA compliance see How-to guide: How to monitor Bank Secrecy Act (BSA) compliance.

Reporting is mandatory for some potential crimes, including those that:

  • involve insider abuse;
  • have an identifiable suspect where the transaction is at least $5,000; and
  • do not have an identifiable suspect where the transaction is at least $25,000.

See, 12 CFR sections 21.11 and 208.62.

Other examples that require reporting include attempted or completed transactions aggregating to $5,000 or more, if the financial institution ‘knows, suspects, or has reason to suspect’ that the transaction:

  • involves funds derived from illegal activity;
  • is designed to hide assets derived from illegal activities to evade federal law, or avoid reporting requirements;
  • is designed to evade BSA requirements;
  • has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; and
  • involves the use of the financial institution to facilitate criminal activity.

See, for example, 31 CFR section 1020.320 and 12 CFR section 21.11.

Financial institutions (as defined in the BSA at 31 USC section 5312 (a)(2)) should have appropriate policies, procedures, and processes in place to ensure SARs are filed in a timely manner, that they are complete and accurate, and that the narrative portion of the SAR provides an adequate description of the reported activity, as well as the basis for filing. Financial institutions must timely submit SARs through the BSA E-filing System and be aware of the consequences for failing to do so (see further below).

No financial institution, and no director, officer, employee, or agent of a financial institution, that reports a suspicious transaction is permitted to notify any person involved in the transaction that the transaction was reported.

The BSA’s safe harbor provision provides unqualified protection to financial institutions and their employees from civil liability for filing a SAR. See, 31 USC section 5318 (g)(3).

Section 2 – Components of effective suspicious activity monitoring and reporting systems

There are two critical components of an effective suspicious activity monitoring system:

  • identification of, or an alert to, unusual or suspicious activity; and
  • managing unusual or suspicious activity alerts.

2.1 Identification of, or alert to, unusual or suspicious activity

Financial institutions must report suspicious activity to assist US government agencies in detecting and preventing potential criminal activity. The suspicious activities that require reporting involve criminal activities such as money laundering, BSA violations, terrorist financing, and certain other financial crimes that involve amounts above prescribed dollar thresholds. However, financial institutions are not obligated to investigate or confirm the underlying crime. Financial institutions should have in place policies, procedures, and processes for referring unusual activity from all business lines to the person or department responsible for evaluating unusual activity.

Examples of suspicious activity include the following:

  • a customer using multiple IDs or fake IDs to conduct transactions;
  • a customer stopping or changing a transaction after being asked to provide an ID; and
  • a customer breaking a large transaction into smaller transactions so that reporting or record-keeping thresholds are avoided.

While a financial institution is not expected to detect and report every potentially illicit transaction that occurs, an institution’s policies, procedures, and processes should be able to identify, evaluate, and report most suspicious activity transactions.

See Checklist: Initial response to a report of suspicious activity.

A financial institution will use multiple methods to identify potentially suspicious activities, including:

  • employee identification of suspicious activities;
  • law enforcement inquiries and requests;
  • national security letters; and
  • transaction monitoring using currency activity reports, fund transfer records, and monetary instrument records.

Employees who regularly encounter customers as a part of their duties should be appropriately trained on examples of suspicious activity that they might encounter. Employees should also be familiar with the financial institution’s internal processes for referring suspicious activity to the appropriate personnel.

The receipt of a law enforcement request (eg, grand jury subpoena, security letter, or request under section 314(a) of the PATRIOT Act) may, but does not automatically, trigger the filing of a SAR. The inquiry into the suspicious activity should be given adequate review by the proper personnel who can determine if the filing of a SAR is appropriate, based on the specific facts of the situation.

Transaction monitoring systems target specific transactions based on review of internal reports (eg, currency activity reports, fund transfer records, monetary instrument records, and surveillance monitoring) generated by the financial institutions to identify unusual activity. These internal reports are typically based on a discretionary dollar threshold selected by the financial institution’s management. The determination of what reports and thresholds are reviewed should be evaluated periodically, based upon the financial institution’s specific risk profile.

2.2 Managing alerts of unusual or suspicious activity

A financial institution should have a process for managing unusual or suspicious activity alerts. Management of alerts focuses on the processes used to investigate and evaluate identified unusual or suspicious activity.

It is a good idea for the financial institution to designate appropriate staff to oversee the evaluation of identified unusual activity. Management of alerts should be part of an internal process that is demonstrated to all employees during requisite BSA training.

Tailor the type of monitoring systems to the financial institution’s risk profile, with an emphasis on the specific departments or lines of business that pose a higher risk.

When possible, financial institutions should incorporate both internal and external research tools into the process. Internal research tools include account systems and account information, including customer due diligence (CDD) and enhanced due diligence (EDD). External research tools include news and internet media searches. Once research has been performed, the financial institution should have a process for retaining search documentation and the conclusions reached.

Establish adequate lines of communication between different departments. Maintain suspicious activity monitoring across the organization’s affiliates, subsidiaries, and business lines. As is consistent with BSA compliance requirements, the process should be demonstrated and identified in employee training.

For additional information, refer to How-to guide: How to monitor Bank Secrecy Act (BSA) compliance.

Section 3 – Completing and filing a suspicious activity report

3.1 SAR decision making

Financial institutions should have in place policies, procedures, and processes for referring unusual activity from all business lines to the person or department responsible for evaluating unusual activity. After research and analysis has been performed, forward the results to a final decision maker. The decision maker can be an individual or committee – who takes on this role will vary between financial institutions. They should be clearly identified to all employees in the financial institution’s policies, procedures, and processes for referring unusual activity. Make sure there is a well-defined escalation process to review and determine alerts in a timely manner.

The final decision maker should have full authority to make the decision to file the SAR. Whether or not to file a SAR is a subjective and fact-specific inquiry. However, the process for making the determination should be effective and consistent. Focus on whether the financial institution has an appropriate process and procedure in place for identifying the activity to be reported as suspicious activity, and not necessarily the individual decision made with respect to any one SAR filing. Accordingly, the financial institution should not be penalized for not filing a SAR in a particular case if there was no bad faith or significant failure of the internal process (although each failure to file will be assessed on a case-by-case basis). As a matter of best practice, financial institutions should document all decisions made, but there is no specific BSA documentation required when a SAR is not filed.

3.2 SAR completion and timely filing

Financial institutions need to ensure that adequate policies, procedures, and processes are established and maintained to ensure that any SARs are complete, thorough, accurate, and filed in a timely manner. Financial institutions are subject to penalties if they do not timely file the SAR. The amount of the penalty varies based on whether the failure to file was intentional or based on neglect.

The narrative portion of the SAR should provide a sufficient description of the activity reported, as well as the basis for filing. The SAR narrative should thoroughly describe the extent and nature of the suspicious activity.

For further information, refer to Checklist: Initial response to a report of suspicious activity.

3.2.1 Essential elements of a SAR narrative

Drafting the SAR narrative should identify the important informational elements related to the unusual or suspicious activity that is reported: the who, what, when, where, and why of the activity. The operational method (or ‘how’) is also important and should be included in the narrative. These six elements are set out below.

  • Who is conducting the suspicious or criminal activity? Set out details pertaining to the suspect including as follows:
    • suspect’s employer and occupation information;
    • relationship between the suspect and the financial institution; and
    • length of the financial relationship.
  • What are the instruments or mechanisms that are being used to facilitate the suspect transaction? Identify and detail the transactions that have raised suspicions.
  • When did the suspicious activity occur? Highlight the dates and duration of the suspicious activity and the dates the activity was noticed.
  • Where did the suspicious activity take place? Specify the locations that are associated with the suspicious activity. These could include any of the following:
    • multiple branches or ATMs;
    • other financial institutions; and
    • foreign jurisdictions.
  • Why does the financial institution think the activity is suspicious? Describe, in as much detail as possible, why the activity or transaction is unusual for the member. This is key to aiding law enforcement in understanding the rationale for filing the SAR.
  • How did the suspicious activity occur? Detail the modus operandi of the suspect who is conducting the suspicious activity, including an explanation of the source, movement, and application of funds.

The director of the Financial Crimes Enforcement Network (FinCEN) of the US Treasury Department, Andrea Gacki, advised in a conference in May 2024 that financial institutions can do the following things to increase the utility of their SAR reports. 

  • First, the beginning of each SAR should have a ‘bottom-line, upfront’ paragraph that summarizes why the activity is suspicious.
  • Second, the financial institution should cite any external information, like news reports, that were involved in the investigation.
  • Lastly, the financial institution should identify any connections to foreign countries so that FinCEN can collaborate as necessary.

With a 51.8% increase in filings from 2020 to 2024, the guidance provided by the Director can help with the processing and usefulness of the information provided by SARs.

3.2.2 Timely filing of the SAR

It is crucial to file the SAR in a timely manner. The SAR rules require that a SAR is filed electronically through the BSA E-Filing System no more than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing. In situations which require immediate attention, such as ongoing money laundering schemes or terrorist financing activity, a financial institution must, in addition to filing a timely SAR, immediately notify an ‘appropriate law enforcement authority’ and, as necessary, the financial institution’s primary regulator. If no suspect can be identified, the time for filing a SAR may be extended to no more than 60 days after detection.

For requests made under section 314(a) of the PATRIOT Act the response time is different. Here, financial institutions have just two weeks from the posting date of the request to respond within the secure portal with any positive matches.  Absent the matching of accounts or transactions, the financial institution is instructed not to reply to the 314(a) request.

Financial institutions are required to notify their board of directors or an appropriate board committee that a SAR has been filed. Financial institutions must retain copies of SARs and supporting documentation for five years from the date of filing. Retention of these copies may be in paper or electronic format.

3.2.3 Confidentiality requirements

No financial institution, and no director, officer, employee, or agent of a financial institution that reports a suspicious transaction is permitted to notify any person involved in the transaction that the transaction has been reported. There is no requirement to close the customer account after filing a SAR. The determination about how to proceed after the filing is left to the financial institution. See, FinCen's Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting.

A financial institution, or its agent, may reveal the existence of a SAR to fulfill responsibilities consistent with the BSA, provided that no person involved in a suspicious transaction is notified that the transaction has been reported. Sharing a SAR, or any information that reveals that a SAR exists, with a head office or controlling company helps promote compliance with the applicable requirements under the BSA by allowing the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management. A financial institution that has filed a SAR may share the SAR, or any information about the SAR’s existence, with an affiliate if the affiliate is subject to SAR regulation.

After a SAR is filed, FinCEN will share the information with law enforcement authorities, who will make the decision on how to proceed.

3.3 Monitoring and SAR filing on continuing activity

If suspicious activity continues over a period of time, such information should be made known to law enforcement and the federal banking agencies. The financial institution should develop policies, procedures, and processes that indicate when it is appropriate to escalate issues that are identified due to repeat SAR filings on accounts. These procedures should include those listed below:

  • review by senior management and legal staff (eg, a BSA compliance officer or SAR committee);
  • criteria regarding when it is necessary to analyze the overall customer relationship;
  • criteria for whether and when to close an account;
  • criteria for when to notify law enforcement, if appropriate; and
  • appropriate policies, procedures, and processes to ensure SARs are filed in a timely manner, that they are complete and accurate, and that the narrative portion of the SAR provides an adequate description of the activity reported and the basis for filing.

See, the FFEIC's BSA/AML Manual – Assessing Compliance with BSA Regulatory Requirements, Suspicious Activity Reporting—Overview.

Ultimately, monitoring SAR compliance requires processes, procedures, and policies that are effectively communicated to all employees and allow for the identification and referral of unusual activity from all business lines to those responsible for evaluating unusual activity. Once sufficient research and analysis have been performed, forward the results to a designated final decision maker with the authority to make the decision on whether to file a SAR. Consistency in following the internal process is key to ensuring compliance with the BSA requirements for suspicious activity reporting.

3.3.1 SAR Obligation Violations and Lessons Learned

Insufficient resources and no SARs filed: in August 2024, the SEC imposed a $1.2 million fine on a broker-dealer for failing to file any SARs. The firm lacked a properly designed AML program and it missed numerous red flags that came up in over 1,800 transactions. The broker-dealer’s compliance department consisted of only a chief compliance officer and one associate, and sufficient resources were not allocated to it. The fine highlighted the imbalance between AML efforts and the volume of transactions.

Takeaway: adequate resources must be allocated to a compliance program. It is not sufficient to merely establish an AML program: investment in technology and personnel is crucial. A broker-dealer must actively implement and support its program.

Insufficient oversight of delegated AML/SAR compliance programs: in 2023, a broker-dealer faced a $6 million fine due to its parent company’s inadequate SAR program. The monitoring system set the threshold at $25,000 instead of the correct $5,000 for broker-dealers, missing suspicious activities for nearly a decade. Despite corrective actions, the SEC found willful violations of Section 17(a) and Rule 17a-8.

Takeaways: ensure oversight of third-party compliance programs and tailor them to your business needs. Broker-dealers are responsible for compliance even when functions are outsourced. Regular testing and careful oversight are essential, especially when multiple firms are involved. Remediation and cooperation are also important, and penalties may be mitigated by proactively identifying and addressing issues. Corrective actions must be documented, and the organization should be prepared to share its findings with regulators. Self-reporting can prevent violations from escalating to more severe tiers under the Securities Exchange Act.

Continuing activity SARs: several broker-dealers have faced penalties for mishandling ‘continuing activity’ SARs. These are follow-ups to previously filed SARs when suspicious activity persists. Firms have struggled with timely reviews and adequate reporting within FinCEN guidelines.

Takeaway: understand the rules, and train compliance teams accordingly. Ongoing training is vital for effective AML programs, and there should be a focus on timing and crafting accurate SAR narratives. Policies must cover new suspicious activities as well as continuing ones.

SAR obligations are a regulatory priority. To avoid penalties, broker-dealers must thoroughly understand SAR requirements and maintain a well-managed compliance program.

Additional resources

Related Lexology Pro content

How-to guides:

How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective

Checklists:

Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing

Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.

Filed under

Topics

Laws

Industries