Suspicious Activity Report (SAR)

Requirements, Examples, & How to File

Subscribe to our newsletter!

Please fill out the form below:

Click on the bookmark to view chapters of this webpage
Click on the bookmark to view chapters of this webpage

Whether or not certain customer behavior results in a crime, a lot of financial activity can be considered suspicious. Financial institutions need to report this potentially malicious activity to the proper authorities, ensuring that it gets investigated.

Typically, this is done using suspicious activity reports. It can be difficult to know when a SAR needs to be filed, what information to include, and what happens after a report is filed. To ensure you know exactly what a SAR is and when one needs to be filed, we cover all that in detail below.

New call-to-action

What is a Suspicious Activity Report (SAR)?

A suspicious activity report (SAR) is a report used by FIs to announce incidents of suspicious activity to the appropriate regulatory authorities. SARs can be filed for various purposes, but they are commonly used in relation to fraud, money laundering, and other financial crimes.

In the United States, the concept of the suspicious activity report was introduced with the Bank Secrecy Act of 1970 and is currently managed by the BSA. By 1996, the SAR had become the standard protocol used by American financial institutions to report any suspicious activity. Over the years, as banking has become increasingly global and digital, the possible uses for these reports have been extended.

While these have traditionally been filed using paper documents, as of July 1st, 2012, SARs are required to be filed electronically, making it much easier for organizations to manage SAR filing.

How Long Do You Have to File a Suspicious Activity Report?

It’s best practice to file SARs as timely as possible so that the activity can be reported to the appropriate authorities and thoroughly investigated.

In most cases, a financial institution has a maximum of 30 calendar days to submit the SAR from the time of detection. If the FI cannot identify the suspect associated with the transaction in question, the SAR filing can be delayed for an additional period of 30 days; or a total of 60 calendar days. There are no circumstances that allow a SAR to be filed beyond 60 days.

It’s also important to note that SARs filed late are subject to fines and penalties.

When Should a SAR be Filed?

While countries have slightly different reporting procedures, the general principle is the same; FIs are required to report any suspicious activity. One of the biggest universal challenges with this is that suspicious activity can vary significantly from individual to individual, and even more so between individuals and entities.

For example, a petroleum supplier receiving a $100 million wire transfer from a foreign conglomerate would be a legitimate transaction, but if another entity performed that same action, it could raise red flags.

For this reason, determining the proper thresholds to trigger suspicious activity can be very challenging. Really, it comes down to deciding if the behavior is abnormal for customers, which often needs to be done on a case-by-case basis.

To help you determine when you do and don’t need to file a SAR, we’ve created this handy flow chart:

When to file a SAR, a helpful flow chart

What is Considered Suspicious Activity?

While there are many reasons to file a suspicious activity report (and one should be filed for any behavior that raises suspicions about the legitimacy of accounts or transactions), it can be challenging to determine if a particular behavior or incident qualifies as ‘suspicious’ activity.

There is no universal standard for suspicious activity, and what qualifies may vary depending on the country. Even within the United States, it’s sometimes difficult to know if behavior qualifies as suspicious or not.

Below, we outline what constitutes suspicious activity - and therefore warrants a suspicious activity report.

  • Violations of $5,000 or more (with an identifiable suspect): If an account is exhibiting suspected suspicious activity or money-laundering behavior that has amounted to $5,000 in transaction value.
  • Violations of $25,000 or more (no matter the suspect): If an account is exhibiting suspected suspicious activity or money-laundering behavior that has amounted to $25,000 in transaction value.
  • Insider trading abuses: If there is any suspicion involving the bank itself committing or facilitating a criminal violation by providing information that is unavailable to the public.
  • Transactions that violate the BSA: Any transactions that could violate the BSA, including transactions where funds were potentially generated from illegal activity, transactions where funds were potentially used to hide the origin of illegal activity or transactions that in any way attempt to evade existing BSA or other AML regulations.

Sometimes, it can be difficult to determine if suspicious activity warrants a SAR filing. To stay on the safe side (and avoid any potential fines or penalties), it’s best to file a SAR for any activity where there is a reasonable suspicion of fraud or money laundering.

How to File a Suspicious Activity Report (SAR)

To report suspicious activity, teams need to be able to monitor transactions and customer behavior for anomalies. To streamline the process, it’s essential to follow best practices for identifying and reporting SARs.

Below, we explain the main, high-level steps that need to be taken to file a SAR.

Step 1: Complete a SAR Form for Each Incident of Suspicious Activity

Once suspicious activity has been found, a SAR form needs to be filled out. All pertinent information needs to be completed, and any additional documents or resources need to be attached to the file.

Reporting software can significantly reduce the time to create these reports. They automate much of the process and guide investigators, ensuring no information is missed. This can save a significant amount of time in completing the actual report.

Step 2: Submit SARs to FinCEN

Once the SARs are completed, the SARs need to be submitted to FinCEN. This can be done individually or in batches, as long as the reports are filed within the appropriate time frame.

While this process can be completed manually, it’s tedious and time-consuming. Regulatory reporting software can automate SAR filing, submitting all reports in batches to the appropriate authorities (like FinCEN, goAML, NCA, and more). This saves you time - and also peace of mind - knowing that reports will be submitted promptly.

PRO TIP: In 2022, Unit21 customers filled 16,030 SARs. Unit21’s case management software is specifically designed to reduce investigations and SAR filing times by 78%. With automated SAR filing, teams never miss a deadline. 

Step 3: Keep Records for a Period of Time

There is no actual follow-up for FIs after SARs have been filed. FinCEN will take necessary action, escalating the case to the appropriate authorities and law enforcement. While there is no further action required on the financial organization’s end, it’s best to keep records for a period of time in case the regulatory body requires more information or wants to follow up.

Suspicious Activity Report Requirements: What to Include

The requirements for reporting suspicious activity can vary significantly in different countries. That being said, most regulators require similar details about the suspicious activity.

In the United States, FinCEN has the following requirements for their suspicious activity report forms:

  • Subject Information: Any information that can assist in identifying the parties involved. This can include a name, address, birth date, social security number, phone number, driver's license number, and occupation.
  • Suspicious Activity Information: Information related to the actual activity being reported, such as the time and the type of suspicious activity. This is often as simple as a date range and code that describes the suspicious activity.
  • Financial Institution Information: Any information related to the financial institution where the activity occurred, such as the locations, software, or other areas that were affected by the suspicious activity.
  • Filing Institution’s Contact Information: Any contact information needed for FinCEN to follow up with the SAR. These would typically be contact details for the compliance officer at the financial institution and any law enforcement agencies that have been informed of the suspicious activity.
  • Complete Breakdown of Suspicious Activity: Any further information about the incident. This portion of the form is less structured and allows filing institutions to explain the suspicious activity fully.

What Happens After a Suspicious Activity Report is Filed?

Once a FI files suspicious activity, the SAR is escalated to the appropriate law enforcement agency, where the findings can be investigated. FinCEN does this automatically, escalating the case to the proper authorities, such as the FBI.

It’s essential to remember that the SAR itself is not used as legal evidence, but simply to report the crime.

Suspicious Activity Report Examples to Help You Determine if You Should File

At the end of the day, what constitutes suspicious activity can sometimes be hard to determine. To help you decide when you should (and shouldn’t) file a SAR, we outline a few different example cases below.

Ultimately, any suspicious behavior should be reported. It’s often better to err on the side of caution and report behavior that may not end up being suspicious in nature.

Example of a case where a SAR must be filed

A customer has a relatively new account, which has historically only been used for domestic payments. Onboarding was completed, and no red flags were presented.

Their account receives an international transfer of $27,000.

In this instance, a SAR must be filed, as the $25,000 transaction threshold has been exceeded.

Example of a case where a SAR may or may not be filed

A customer has been a client for 5 years. They are in good standing with the financial institution and have had no suspicious activity in the past. They make relatively routine transactions that have not raised any flags.

Seemingly out of nowhere, the customer makes a handful of transactions of $4,000 each. In total, they make 5 transactions two weeks apart, amounting to $20,000.

While this could be a legitimate attempt to transfer a large amount of money (spread out over a period of time), it could also be an attempt to skirt the $5,000 threshold for automatic AML filings. 

Having a transaction monitoring solution can detect this anomaly, flagging it for investigation. After investigation, an analyst may find that the transactions are not suspicious, or could still have suspicions about the legitimacy of the transfers. This could be ruled out or could be escalated, with a SAR being filed.

Example of a case where a SAR does not need to be filed

A customer has been a client for over 5 years, and is in good standing with the financial institution. They have consistent transaction activity, none of which raises red flags.

The customer is in the process of purchasing their first home, and makes a large down payment. This transaction is undoubtedly out of the norm for their account activity, but it isn’t malicious. This would likely prompt an investigation, but an investigation should determine that this is a legitimate transaction. In most cases, this would not warrant a SAR filing.

Download Operating System Product Guide