AT A GLANCE

A Suspicious Activity Report (SAR) is a mandatory document that financial institutions file with FinCEN when they detect potential money laundering, fraud, or other financial crimes. Banks must file within 30 days of detecting suspicious activity, reporting any transaction over $5,000 with a known suspect or over $25,000 with an unknown suspect. The filing process involves identifying who, what, when, where, why, and how the suspicious activity occurred. Filing is confidential—customers cannot be informed about SARs. Institutions use transaction monitoring software to detect unusual patterns like rapid cash deposits, wire transfers to high-risk countries, or transactions inconsistent with customer profiles.

What Is a Suspicious Activity Report (SAR)?

A Suspicious Activity Report (SAR) is a tool that financial institutions use to document and report nearly any type of suspicious activity to federal authorities. Banks file SARs to alert FinCEN—the Financial Crimes Enforcement Network—about potential money laundering, terrorist financing, fraud, and other financial crimes.

SARs cover activities that raise the possibility that an account holder is attempting to conceal something or conduct an illegal transaction. The activity doesn't need to be proven illegal—suspicion alone triggers the reporting requirement.

The Bank Secrecy Act of 1970 first introduced suspicious activity reporting in the United States. By 1996, SARs became the standard process for all financial institutions to report suspicious behavior. Today, the applications have broadened significantly as banking digitization and globalization have increased money laundering risks.

When a financial institution notices questionable behavior in an account, it files a SAR with FinCEN, which investigates the matter. FinCEN is a bureau of the United States Treasury that analyzes financial intelligence and shares information with law enforcement agencies including the FBI and Immigration and Customs Enforcement.

SARs must include six key components:

  1. Who is conducting the suspicious activity?
  2. What instruments or mechanisms are being used?
  3. When did the suspicious activity take place?
  4. Where did it occur?
  5. Why does the filer think the activity is suspicious?
  6. How did the suspicious activity take place?

What Triggers a Suspicious Activity Report?

Several specific thresholds and scenarios can require an institution to submit a SAR. The Federal Deposit Insurance Corporation (FDIC) has established clear triggers that mandate reporting.

Financial institutions must file a SAR when they detect a known or suspected violation of federal law that meets specific reporting requirements:

Insider Abuse Involving Financial Gain

Any insider abuse—employees or officials misusing their position for financial benefit—requires immediate SAR filing regardless of the dollar amount involved.

Transactions Over $5,000 with Known Suspects

When a transaction exceeds $5,000 and involves a person readily identifiable as a suspect in a federal crime, the institution must file a SAR.

Transactions Over $25,000 with Unknown Suspects

For transactions exceeding $25,000 where no specific suspect has been identified but the activity appears suspicious, a SAR is required.

Terrorism, Money Laundering, and Cybercrime

Activities related to terrorism, terrorist financing, money laundering, identity theft, impersonation, or cyber hacks require SAR filing regardless of the monetary value.

Common suspicious patterns that trigger SARs include:

  • Rapid bursts of transactions in dormant accounts
  • Oddly structured deposits into business accounts (mixing cash and checks unusually)
  • Unusually complex transaction series involving multiple accounts, banks, or parties
  • Wire transfer volumes or patterns inconsistent with business type
  • Transactions attempting to avoid reporting and recordkeeping requirements
  • Bulk cash payments, monetary instruments, and remittances
  • Activity levels incompatible with the account's stated purpose
  • Lack of evidence that parties engage in legitimate business operations

What Happens After a SAR Is Filed?

Once a financial institution files a SAR with FinCEN, federal authorities take over the process. The institution's responsibility ends with accurate, timely filing.

FinCEN shares SARs with law enforcement agencies including the FBI, DEA, IRS, and US Immigration and Customs Enforcement. These agencies use the reports to detect patterns and trends in financial crimes, both organized and individual.

However, SARs cannot serve as direct evidence in court cases due to banking privacy rules. Law enforcement uses SARs to identify potential crimes and establish patterns, but cannot use them as standalone proof in judicial proceedings.

If investigators need additional information or evidence, they must escalate the inquiry and issue a subpoena to the financial institution. This legal process allows them to obtain records and information that can be used in court.

SARs enable law enforcement to:

  • Identify patterns in organized financial crime
  • Anticipate criminal and fraudulent activity before it escalates
  • Connect seemingly unrelated incidents across multiple institutions
  • Build cases against money laundering operations
  • Track terrorist financing networks

Financial institutions must retain SAR filings for five years from the filing date for regulatory compliance and potential future reference.

How Long Does a Bank Have to File a SAR?

Financial institutions must file a SAR within 30 calendar days of initially detecting suspicious activity. This timeline is strict and starts from the moment the institution identifies the suspicious behavior, not when they complete their investigation.

If the institution needs more time to gather supporting information or documentation, they can request a 60-day extension. However, extensions should be the exception, not the rule. Waiting until the deadline approaches creates significant risks.

Why immediate filing matters:

External factors can delay the process unexpectedly. The SAR might require additional information gathering, internal investigations might be needed, or the number of required reports might suddenly increase. Filing promptly reduces the risk of missing deadlines and incurring regulatory penalties.

The institution does not need proof that a crime occurred before filing. Reasonable suspicion alone justifies—and requires—SAR filing. Waiting for definitive proof defeats the purpose of the early warning system.

Customers cannot be informed that a SAR has been filed about their account. This confidentiality requirement is absolute and protects the integrity of ongoing investigations.

Who Must File Suspicious Activity Reports?

Multiple types of financial institutions and businesses have SAR filing obligations under the Bank Secrecy Act.

Entities required to file SARs include:

  • Banks and credit unions
  • Securities brokers and dealers
  • Money service businesses (check cashers, money transmitters)
  • Casinos and card clubs
  • Insurance companies
  • Mutual funds
  • Currency exchanges

Each institution type has specific thresholds and circumstances that trigger SAR requirements, but all share the fundamental obligation to report suspicious activity to FinCEN.

Failure to file required SARs results in severe penalties for both institutions and individuals. Regulators can impose significant fines, and criminal charges may apply in cases of willful non-compliance. The Anti-Money Laundering Act of 2020 further increased these obligations and penalties.

How Do You Detect Suspicious Activity in Financial Transactions?

Detecting suspicious activity requires a combination of automated systems and trained staff who understand red flags. Modern financial institutions use transaction monitoring software to flag unusual patterns automatically.

Transaction monitoring software identifies:

  • Transactions inconsistent with customer profiles
  • Unusual volumes or frequencies
  • Geographic red flags (high-risk jurisdictions)
  • Structuring attempts (breaking large amounts into smaller transactions)
  • Rapid movement of funds
  • Complex layering schemes

Manual detection focuses on:

  • Customer behavior changes
  • Vague or inconsistent explanations for transactions
  • Reluctance to provide required information
  • Nervousness or unusual interest in reporting thresholds
  • Transactions lacking clear business purpose

Staff training is essential. Employees need to recognize money laundering indicators, understand regulatory requirements, and know internal escalation procedures. The more team members who can identify red flags, the more effective the institution's compliance program becomes.

What Information Must Be Included When Reporting Suspicious Activity?

A complete SAR filing requires specific information organized into clear categories. FinCEN mandates that reports include comprehensive details about the suspicious activity and the parties involved.

Required SAR components:

Subject Information

Full identification of the person or entity conducting suspicious activity, including names, addresses, Social Security numbers or tax IDs, dates of birth, and any account numbers.

Financial Institution Information

Details about where the activity occurred, including institution name, address, primary federal regulator, and contact information for the person filing the report.

Suspicious Activity Details

Specific information about what happened: transaction dates, amounts, instruments used (cash, wire transfers, checks), and the accounts or parties involved.

Narrative Section

A detailed, chronological explanation of why the activity is suspicious. This narrative should clearly articulate the red flags, unusual patterns, or inconsistencies that triggered concern.

The narrative must answer:

  • What made this activity stand out as suspicious?
  • How does it differ from the customer's normal behavior?
  • What specific red flags or patterns were observed?
  • What steps did the institution take to investigate?

Clear, detailed narratives improve the report's usefulness to law enforcement and reduce the likelihood of follow-up requests for clarification.

Can You Tell a Customer That You Filed a SAR?

No. Federal law strictly prohibits financial institutions from disclosing SAR filings to customers or any unauthorized parties.

The confidentiality requirement is absolute. Institutions cannot:

  • Tell customers a SAR was filed about their account
  • Discuss the SAR with unauthorized employees
  • Reference the SAR in communications with the customer
  • Hint or suggest that reporting occurred

This prohibition protects ongoing investigations. If customers knew about SAR filings, they could alter their behavior, destroy evidence, or flee before law enforcement can act.

Violating SAR confidentiality can result in significant penalties for both the institution and individual employees. The rule applies even if the customer directly asks whether they've been reported.

7 Best Practices for Suspicious Activity Reporting

1. Use Transaction Monitoring Software to Automate Detection

Deploy automated systems that flag suspicious patterns in real-time. Manual review of millions of daily transactions is impossible. Software identifies unusual volumes, geographic risks, structuring attempts, and profile inconsistencies automatically, allowing compliance teams to focus on investigation and reporting.

2. File Reports Immediately Upon Detection

Don't wait until the 30-day deadline approaches. File as soon as suspicious activity is confirmed and documented. Early filing prevents last-minute rushes, reduces deadline risk, and ensures timely alerts to law enforcement. Delays compound when multiple SARs need filing simultaneously.

3. Document Large and Unusual Transactions Proactively

Maintain detailed records of transactions that could become suspicious. Large deposits, international wire transfers, transactions unrelated to the customer's stated business, and unusual cash activity should all be documented immediately. This preparation streamlines SAR filing when reporting becomes necessary.

4. Write Clear, Detailed Narratives

Create reports that tell the complete story chronologically. Include specific dates, amounts, parties involved, and clear explanations of why the activity raised concerns. Avoid vague language like "seemed suspicious" and instead describe concrete red flags: "Customer made ten cash deposits of $9,500 each over two weeks, just below the $10,000 reporting threshold."

5. Train All Customer-Facing Staff Regularly

Educate employees on SAR requirements, common money laundering indicators, and reporting procedures. Front-line staff often notice suspicious behavior first. Training should cover specific red flags, proper escalation procedures, and the importance of confidentiality. Regular refresher training keeps awareness high.

6. Maintain Strict Confidentiality

Never inform customers about SAR filings. Train all staff on confidentiality requirements and establish clear protocols. Even innocent-seeming discussions can compromise investigations. If customers ask about reporting, staff should be trained to decline comment professionally without confirming or denying anything.

7. Understand Competing Responsibilities

Balance customer service with regulatory compliance. Financial institutions serve customers while also protecting the financial system from crime. Finding this balance requires clear policies, well-trained staff, and strong compliance infrastructure. Both obligations are essential and must be maintained simultaneously.

Frequently Asked Questions

What triggers a suspicious activity report?

Suspicious activity reports are triggered by insider abuse involving financial gain, transactions over $5,000 with known suspects, transactions over $25,000 with unknown suspects, and any activity related to terrorism, money laundering, identity theft, or cyber hacks regardless of amount. Common triggers include rapid transactions in dormant accounts, unusual wire transfer patterns, structuring attempts, and transactions inconsistent with the customer's stated business.

What happens when you report suspicious activity?

After a financial institution files a SAR with FinCEN, the report is shared with law enforcement agencies including the FBI, DEA, and ICE. Law enforcement uses SARs to identify crime patterns and build cases, but cannot use them as direct court evidence. If additional information is needed, investigators must issue a subpoena to the financial institution. The customer is never informed about the SAR filing.

How long does a bank have to file a SAR once suspicious activity is detected?

Banks must file a SAR within 30 calendar days of initially detecting suspicious activity. Institutions can request a 60-day extension if more information needs to be gathered, but immediate filing is recommended to avoid missing deadlines. The timeline starts when suspicious activity is first identified, not when the investigation concludes.

Can a bank tell you if they filed a suspicious activity report?

No. Federal law strictly prohibits financial institutions from disclosing SAR filings to customers or any unauthorized parties. Banks cannot tell customers that a SAR was filed, discuss the report, or even hint that reporting occurred. Violating this confidentiality requirement results in significant penalties for both the institution and individual employees.

What amount of money triggers a suspicious activity report?

SARs are required for transactions over $5,000 when a suspect in a federal crime is readily identifiable, and for transactions over $25,000 when no specific suspect has been identified but activity appears suspicious. However, certain activities like insider abuse, terrorism, or money laundering require SAR filing regardless of the dollar amount involved.

How do banks detect suspicious activity?

Banks use transaction monitoring software that automatically flags unusual patterns including transactions inconsistent with customer profiles, unusual volumes or frequencies, geographic red flags, structuring attempts, rapid fund movements, and complex layering schemes. Trained staff also manually detect suspicious behavior through customer interactions, noting behavior changes, vague explanations, reluctance to provide information, and transactions lacking clear business purpose.

What happens after a SAR is filed with FinCEN?

FinCEN shares the SAR with appropriate law enforcement agencies who use it to detect crime patterns and build investigations. The SAR cannot be used as direct evidence in court due to banking privacy rules. If investigators need more information or evidence that can be used in judicial proceedings, they must escalate the inquiry and issue a subpoena to the financial institution.

Who is responsible for filing a suspicious activity report?

Financial institutions including banks, credit unions, securities brokers, money service businesses, casinos, insurance companies, mutual funds, and currency exchanges are responsible for filing SARs. Within each institution, designated compliance officers typically oversee the SAR process, but all employees have a duty to identify and escalate suspicious activity according to internal procedures.

What is the timeframe for filing relevant suspicious activity reports?

The standard timeframe is 30 calendar days from initially detecting suspicious activity. If the institution needs additional time to gather supporting documentation, they can request a 60-day extension. However, prompt filing is strongly recommended because external factors can delay the process, and missing the deadline results in regulatory penalties.

What information must be included when reporting suspicious activity?

SARs must include complete subject information (names, addresses, identification numbers), financial institution details, specific suspicious activity information (dates, amounts, instruments used, accounts involved), and a detailed narrative explaining why the activity is suspicious. The narrative should chronologically describe red flags, unusual patterns, inconsistencies, and investigative steps taken by the institution.

Common Patterns of Suspicious Activity

Financial institutions should watch for these frequently observed suspicious activity patterns that FinCEN has identified:

Transaction Patterns:

  • Rapid bursts of transactions in previously dormant or inactive accounts
  • Oddly mixed deposits into business accounts (combinations of cash, checks, money orders)
  • Unusually complex transaction series involving multiple accounts, banks, and parties
  • Transactions atypical for similar businesses operating locally
  • Activity inconsistent with the claimed business type

Wire Transfer Red Flags:

  • Unusually high volumes or amounts of wire transfers
  • Recurring wire transfer patterns without clear business rationale
  • Wire transfers to or from high-risk jurisdictions
  • Immediate withdrawal of incoming wire transfers

Behavioral Indicators:

  • Transactions or activity levels incompatible with account's stated purpose
  • Transactions attempting to circumvent reporting and recordkeeping requirements
  • Bulk cash payments and monetary instrument deposits
  • Unusual financial relationships for the particular business type
  • Lack of evidence that parties engage in legitimate business activities

Structuring Attempts:

  • Multiple transactions just below reporting thresholds
  • Breaking large amounts into smaller deposits over short periods
  • Using multiple accounts or institutions to avoid single large transactions
  • Coordinated transactions across multiple parties to avoid detection
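
As an added illustration (not code from this article or from any vendor's product), the sketch below shows how a monitoring rule for the first two structuring patterns might look: it groups near-threshold cash deposits per customer and alerts when several of them inside a sliding window add up to more than the reporting threshold. The $10,000 threshold comes from the narrative example in this article; the 14-day window, the 80% "just below" band, the minimum of three deposits, the record fields and the sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

REPORT_THRESHOLD = 10_000    # cash reporting threshold cited in the article's narrative example
NEAR_BAND = 0.80             # assumption: "just below" means at least 80% of the threshold
WINDOW = timedelta(days=14)  # assumption: look-back window (the article's example spans two weeks)
MIN_DEPOSITS = 3             # assumption: near-threshold deposits needed before alerting


def detect_structuring(transactions):
    """Return one alert per customer whose sub-threshold cash deposits,
    taken together inside one window, exceed the reporting threshold."""
    by_customer = defaultdict(list)
    for tx in transactions:
        near = NEAR_BAND * REPORT_THRESHOLD <= tx["amount"] < REPORT_THRESHOLD
        if tx["type"] == "cash_deposit" and near:
            by_customer[tx["customer"]].append(tx)

    alerts = []
    for customer, txs in by_customer.items():
        txs.sort(key=lambda t: t["date"])
        best, start = None, 0
        for end in range(len(txs)):
            # Shrink the window from the left until it spans at most WINDOW.
            while txs[end]["date"] - txs[start]["date"] > WINDOW:
                start += 1
            window = txs[start:end + 1]
            total = sum(t["amount"] for t in window)
            if len(window) >= MIN_DEPOSITS and total > REPORT_THRESHOLD:
                if best is None or total > best["total"]:
                    # Fields chosen to feed the who/what/when parts of a SAR narrative.
                    best = {
                        "customer": customer,
                        "count": len(window),
                        "total": total,
                        "first": window[0]["date"],
                        "last": window[-1]["date"],
                    }
        if best:
            alerts.append(best)
    return alerts


# Constructed sample data (not real transactions).
SAMPLE_TRANSACTIONS = (
    # Ten cash deposits of $9,500 over two weeks, as in the article's narrative example.
    [{"customer": "C-1001", "type": "cash_deposit", "amount": 9_500,
      "date": date(2024, 3, d)} for d in (1, 2, 4, 5, 7, 8, 10, 11, 13, 14)]
    + [
        # One near-threshold deposit, one above-threshold deposit, one wire: no alert.
        {"customer": "C-2002", "type": "cash_deposit", "amount": 9_800, "date": date(2024, 3, 3)},
        {"customer": "C-2002", "type": "cash_deposit", "amount": 12_000, "date": date(2024, 3, 9)},
        {"customer": "C-2002", "type": "wire", "amount": 9_900, "date": date(2024, 3, 10)},
        # Three near-threshold deposits a month apart: never three in one window.
        {"customer": "C-3003", "type": "cash_deposit", "amount": 9_000, "date": date(2024, 1, 5)},
        {"customer": "C-3003", "type": "cash_deposit", "amount": 9_000, "date": date(2024, 2, 4)},
        {"customer": "C-3003", "type": "cash_deposit", "amount": 9_000, "date": date(2024, 3, 6)},
    ]
)

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TRANSACTIONS):
        print(alert)
```

An alert from a rule like this is a starting point for analyst review, not a filing decision; the count, total and date range it returns are the concrete details the narrative section asks for.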

Why Suspicious Activity Reporting Matters

Suspicious activity reports serve as the financial system's early warning system against crime. The goal of SAR filing and the investigations that follow is identifying clients involved in money laundering, fraud, terrorism funding, and other financial crimes.

SARs enable law enforcement to:

  • Recognize patterns and trends in organized crime
  • Connect seemingly isolated incidents across institutions
  • Anticipate criminal activity before it escalates
  • Build comprehensive cases against financial crime networks
  • Protect the integrity of the financial system

The Anti-Money Laundering Act of 2020, effective January 1, 2021, significantly increased obligations under anti-money laundering statutes. This legislation expanded SAR requirements and strengthened enforcement mechanisms, reflecting the critical role these reports play in combating financial crime.

Consequences of non-compliance are severe. Failure to file required SARs or disclosing SAR filings to customers can result in:

  • Substantial civil penalties for the institution
  • Criminal charges against responsible individuals
  • Regulatory enforcement actions
  • Reputational damage
  • Loss of banking licenses or operating privileges

SARs have frequently enabled law enforcement to launch or continue major investigations into money laundering, terrorist financing, and organized financial crime. Many significant financial crime prosecutions began with suspicious activity reports from vigilant financial institutions.

Strengthen Your SAR Compliance Program

No financial organization can afford to treat suspicious activity reporting casually. SARs are critical tools for combating money laundering, financial fraud, terrorism financing, and other financial crimes that threaten the integrity of the global financial system.

Modern AML compliance solutions simplify SAR management by:

  • Automating suspicious activity detection through advanced transaction monitoring
  • Streamlining investigation workflows and documentation
  • Ensuring timely, accurate reporting to FinCEN
  • Maintaining comprehensive audit trails for regulatory examinations
  • Reducing operational burden on compliance teams

Effective SAR programs require the right combination of technology, trained personnel, clear procedures, and strong compliance culture. Institutions that invest in these elements protect themselves from regulatory penalties while contributing to the broader fight against financial crime.

Flagright's transaction monitoring and AML case management features support complete SAR filing workflows, from initial detection through final reporting. Contact us to schedule a demo and discover how modern compliance technology can strengthen your suspicious activity reporting while reducing operational complexity.