Table of contents
- A suspicious activity report is a confidential report a regulated institution files with FinCEN when it suspects a transaction may involve money laundering, fraud or other financial crime.
- It is a cornerstone of the US Bank Secrecy Act, giving law enforcement intelligence to detect and investigate crime that would otherwise stay hidden.
- Banks must generally file when suspicious activity aggregates to 5,000 dollars or more and a suspect can be identified, with a higher threshold where no suspect is known; money services businesses use a 2,000 dollar threshold.
- The filing deadline is normally 30 calendar days from the date the institution first detects the facts, extendable to 60 days where no suspect has yet been identified.
- The narrative is the heart of a SAR: a clear account of who, what, when, where and why the activity is suspicious.
- SARs are strictly confidential, and tipping off the subject that one has been filed is prohibited.
A suspicious activity report, or SAR, is a confidential report regulated businesses must file with the US Financial Crimes Enforcement Network, FinCEN, when they suspect a transaction involves money laundering, fraud, terrorist financing or other financial crime. It is a core Bank Secrecy Act requirement, and it alerts authorities to investigate without itself proving a crime occurred.
TL;DR
A suspicious activity report is a confidential report filed with FinCEN when a regulated institution suspects money laundering, fraud or other financial crime. It is a Bank Secrecy Act requirement. Banks generally file when suspicious activity reaches 5,000 dollars and a suspect can be identified, with a higher threshold where none is known; money services businesses use 2,000 dollars. The deadline is normally 30 days from detection, up to 60 if no suspect is identified. The narrative, explaining who, what, when, where and why, is the most important part. SARs are strictly confidential, and tipping off the subject is prohibited.
What is a suspicious activity report?
A suspicious activity report is the formal way a regulated business tells the authorities that something looks wrong. When a bank, money services business or other obliged institution detects activity it suspects may be linked to money laundering, fraud, terrorist financing or other crime, it documents the suspicion and files a report with the US Financial Crimes Enforcement Network, FinCEN. That report becomes intelligence for law enforcement.
The purpose is detection, not prosecution. A SAR does not allege a proven crime; it flags a reasonable suspicion so that investigators can connect it with other information and decide whether to act. Filing is a legal obligation under the Bank Secrecy Act, not a discretionary courtesy, and the quality and timeliness of SARs is something supervisors examine closely. SAR filing sits at the end of the detection chain that begins with customer due diligence and transaction monitoring, and it is a defining output of any AML compliance programme.
When must a suspicious activity report be filed?
A SAR must be filed when an institution knows, suspects or has reason to suspect that a transaction or pattern of activity involves illicit funds, is designed to evade Bank Secrecy Act requirements, has no apparent lawful purpose, or otherwise looks like financial crime. The trigger is suspicion supported by the facts, not proof.
There are monetary thresholds for banks: a SAR is generally required where suspicious activity aggregates to 5,000 dollars or more and the institution can identify a suspect, with a higher threshold of 25,000 dollars where no suspect can be identified, and any amount for certain insider abuse. Money services businesses use a lower 2,000 dollar threshold. On timing, the institution must file within 30 calendar days of the date it first detects facts that may form a basis for filing, and may take up to an additional 30 days, 60 in total, where no suspect has been identified. Recognising the suspicion promptly depends on strong monitoring and a clear understanding of source of funds.
What is the difference between a SAR, an STR and a CTR?
These three reports are often confused. A suspicious activity report and a suspicious transaction report are essentially the same thing under different names: SAR is the term used in the US and some other countries, while STR is the term used in many jurisdictions and in FATF guidance. Both report suspicion of financial crime.
A currency transaction report, or CTR, is different in kind. A CTR is an objective, threshold-based report that a US institution must file for cash transactions exceeding 10,000 dollars in a day, regardless of whether anything is suspicious. The key distinction is judgement versus mechanics: a CTR is triggered automatically by an amount, whereas a SAR is triggered by suspicion and requires the institution to form and document a view. Criminals attempting to avoid CTRs by structuring or smurfing transactions often generate exactly the suspicion that leads to a SAR.
What information goes into a SAR?
A SAR has structured fields identifying the subjects, accounts, instruments, dates and amounts involved, but its most important element is the narrative. The narrative is a written explanation, in plain language, of what happened and why the institution considers it suspicious. A good narrative answers the classic questions: who is involved, what occurred, when and where it happened, how the activity was conducted, and why it raised suspicion.
Regulators and FinCEN repeatedly emphasise narrative quality, because a thin or vague narrative is far less useful to investigators than a clear, complete one. The report should describe the activity factually, reference the supporting transactions, and avoid both unsupported conclusions and unnecessary jargon. Because writing strong narratives at volume is demanding, many institutions are exploring how to support analysts in drafting them consistently, a topic explored in our work on AI and SAR narratives, while keeping a human accountable for the final judgement.
What is tipping off and SAR confidentiality?
SARs are strictly confidential. An institution, and its staff, must not disclose to the customer, or to anyone not entitled to know, that a SAR has been filed or is being considered. This prohibition, often called the rule against tipping off, exists because warning a subject could let them move funds, destroy evidence or otherwise frustrate an investigation.
The confidentiality runs deep. The existence and content of a SAR generally cannot be revealed even in response to a subpoena from the subject, and disclosing one improperly is itself a serious violation. Institutions must therefore handle suspicious-activity reporting through controlled, need-to-know processes, train staff never to alert customers, and design systems so that the fact of a filing is protected. Handling this correctly is part of a disciplined, audit-ready compliance stack, where sensitive reporting is logged and access-controlled rather than ad hoc.
Who files SARs and to whom?
In the US, SARs are filed with FinCEN, part of the Treasury, through the BSA E-Filing system. The obligation falls on a broad range of institutions: banks and credit unions, money services businesses, broker-dealers, casinos, and increasingly other regulated firms, each under rules tailored to their sector but built on the same Bank Secrecy Act foundation.
Within an institution, SAR decisions typically run through the compliance or financial-crime team, often with a designated officer responsible for the filing decision, after alerts from monitoring systems and reviews by analysts. Filing is the visible output, but it rests on the whole detection apparatus beneath it: identity verification, customer due diligence, screening and monitoring. The same logic applies internationally, where equivalent reports go to each country's financial intelligence unit, which is why connected, well-documented controls and clean identity data, the goal of perpetual KYC, matter so much to the quality of what is ultimately reported.
What happens if a firm fails to file SARs?
Failing to file required SARs, filing them late, or filing poor-quality reports is among the most heavily penalised compliance failures. Supervisors treat SAR failures as evidence of a broken anti-money-laundering programme, and enforcement actions frequently cite missed or delayed filings alongside weak monitoring and inadequate staffing.
The consequences extend well beyond a fine. Institutions have faced very large penalties, mandated remediation, and lasting reputational damage where systemic SAR failures allowed illicit flows to go unreported, as the lessons from major enforcement cases make clear. The takeaway for any regulated firm is that SAR filing cannot be an afterthought: it depends on monitoring that surfaces the right activity, analysts with capacity to investigate, and a process that reliably converts confirmed suspicion into a timely, well-written report, all underpinned by strong sanctions and screening controls.
The bottom line
A suspicious activity report is how a regulated firm turns a confirmed suspicion into intelligence for law enforcement, confidentially and within a deadline. The mechanics matter, the thresholds, the 30-day clock, the strict confidentiality, but the substance is the narrative: a clear who, what, when, where and why. SAR filing is only as good as the monitoring and due diligence beneath it, which is why firms that invest in clean identity data, strong screening and continuous monitoring file better, faster and more defensible reports, and why SAR failures are treated by regulators as a signal that the whole programme is weak.
Related resources
- The TD Bank $3 billion AML lesson
- AML compliance software in 2026
- Enhanced due diligence workflows
- Sanctions screening false positives
- Perpetual KYC vs periodic KYC