What is a FinCEN SAR?

A Suspicious Activity Report filed electronically with FinCEN describing transactions or patterns that may involve illicit activity.

When must a SAR be filed?

When a covered institution knows, suspects, or has reason to suspect reportable activity, generally within 30 calendar days of initial detection.

What dollar thresholds apply?

Thresholds vary by institution type—often $5,000 for banks and $2,000 for MSBs in many situations—but some SARs must be filed regardless of amount when a crime is involved.

Can I tell the customer about a SAR?

No. Federal law prohibits tipping off customers that a SAR has been filed.

What makes a strong SAR narrative?

Chronological facts, specific amounts and dates, customer identifiers, and a clear explanation of why activity is suspicious.

How long must SAR records be retained?

Supporting documentation is typically retained for five years from the filing date under BSA recordkeeping requirements.

FinCEN SAR Filing: Complete Guide to Suspicious Activity Reports

A Suspicious Activity Report (SAR) is how US financial institutions tell FinCEN that something does not look right. Filing timely, accurate SARs is both a legal obligation and a shield against allegations that your institution ignored obvious crime.

This guide explains when to file, how FinCEN SAR workflows operate, red flags by product type, and how to document decisions when you choose not to file.

Legal basis: BSA reporting requirements

The BSA requires certain financial institutions to report known or suspected violations of law or suspicious transactions. 31 CFR 1020–1026 (depending on industry) requires filing FinCEN SARs when transactions aggregate to at least $5,000 (or $2,000 for MSBs in many cases) and the institution knows, suspects, or has reason to suspect the transaction involves funds from illegal activity, is intended to hide illegal activity, is designed to evade BSA requirements, or lacks a business or lawful purpose.

Different thresholds apply to banks, broker-dealers, and MSBs—confirm your category in FinCEN guidance.

What triggers a SAR in practice?

Regulators emphasize red flags, not rigid checklists. Common indicators include:

Customers unwilling to provide source-of-funds documentation
Transactions inconsistent with stated business purpose
Rapid movement of funds with no economic rationale
Structuring deposits or withdrawals to avoid CTR thresholds
Use of shell companies with no operations
Account activity matching law enforcement typologies
Negative news or sanctions concerns discovered post-onboarding

Layer customer context from Customer Due Diligence (CDD), PEP screening, and adverse media.

The 30-day clock

Generally, institutions must file no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing. If no suspect is identified, an additional 30 days may be allowed with documentation.

Late SARs are exam findings and can compound penalties in enforcement actions.

Filing mechanics: BSA E-Filing System

SARs are filed electronically through FinCEN’s BSA E-Filing System. Institutions need:

FinCEN credentials and organizational enrollment
Accurate financial institution type and TIN data
Narrative quality sufficient for law enforcement use

The narrative should be factual, chronological, and free of speculation presented as fact. Include account numbers, dates, amounts, and why activity is suspicious.

Continuing activity reports

If suspicious activity continues after an initial SAR, file continuing activity SARs on appropriate intervals (often every 90 days) while the activity persists. Document reviews even when activity stops.

No tipping off

Federal law prohibits notifying the customer that a SAR was filed. Train staff on tipping-off risks—support scripts should not mention SAR filings.

You may refuse or exit relationships using generic language approved by counsel.

When not to file—and how to document

Not every alert becomes a SAR. Maintain investigation files showing:

Alert details and data reviewed
Customer explanations tested
Why activity was deemed reasonable or not
Approver identity and date

Examiners request non-filing samples to test judgment quality.

SAR governance structure

Best practice workflow:

Front-line or monitoring system generates alert
Analyst investigates and drafts recommendation
BSA Officer reviews and approves/disapproves
Legal review for complex matters
SAR filed via E-Filing; confirmation stored
Post-filing account restrictions if warranted

The BSA Officer must have authority and independence—see What Is AML Compliance?.

Product-specific typologies

Neobanks and wallets

Mule accounts, rapid P2P in/out, dormant-then-burst activity.

Payment processors

Shell merchants, collusive chargebacks, inconsistent MCC behavior—Payment Processor Compliance.

Crypto

Mixer exposure, ransomware wallets, chain hopping—MiCA and FATF.

CTR relationship

SAR obligations differ from Currency Transaction Reports (CTRs) for cash over $10,000. Some institutions also file FinCEN Form 8300 for certain cash businesses. Do not conflate CTR filing with SAR analysis.

Record retention

Retain SARs and supporting documentation for five years from filing date. Workpapers must be exam-ready—AML Record Retention.

Ongoing monitoring linkage

Transaction monitoring should feed SAR workflows automatically. See Ongoing Customer Monitoring.

Penalties for failures

Failure to file, late filing, or systemic deficiencies contributed to major enforcement actions against banks and MSBs. Willful failures increase exposure to criminal referral.

Who must file?

Covered financial institutions including MSBs—confirm via Who Must Comply with BSA/AML?.

Improving SAR quality

Invest in analyst training on narrative writing
Hold monthly typology reviews with fraud and product teams
Track SAR filing rates and conversion from alerts
Feed law enforcement feedback into monitoring rules

SAR decision committees and legal privilege

Complex SARs benefit from short committee notes involving BSA Officer, counsel, and product risk. Privilege handling varies—do not use privilege to avoid filing when thresholds are met.

Joint SARs, 314(b), and information sharing

FinCEN’s 314(b) safe harbor allows voluntary information sharing among financial institutions for AML purposes when enrolled. Participation can clarify cross-institution typologies before SAR narratives are drafted.

Joint SAR filings between affiliates require clear entity attribution in narratives—each legal entity with filing obligations must comply.

Quality assurance programs should reread SAR narratives for accusatory language lacking factual support; law enforcement prefers precise chronologies.

Automate alert-to-SAR metrics for board reporting: conversion rates, aging investigations, and repeat subjects.

Subpoena response after SAR filing requires counsel coordination—customer litigation may follow account exits even when tipping-off rules bar SAR disclosure.

Red flag refresh workshops

Host semi-annual workshops with customer support, fraud, and payments teams to update red flag typologies tied to your product surface. Support tickets often surface mule recruitment patterns before monitoring rules catch them.

Training front-line staff on escalation

Customer support often sees social engineering and mule recruitment first. Publish internal escalation playbooks translating support signals into AML case creation without tipping customers. Measure support-to-AML referral counts monthly. Reinforce that partial information from support is enough to open investigations—waiting for perfect data delays SAR clocks.

Independent review of SAR quality

A second-line reviewer should sample filed SARs quarterly for narrative clarity, duplicate filing errors, and missing continuing activity reports when activity persisted.

Currency aggregation logic

Train analysts how your systems aggregate related transactions for SAR thresholds—aggregation mistakes are a top cause of late filings in MSB examinations. Calendar recurring typology reviews after FinCEN advisories publish to keep red flag lists current. BSA Officers should track days-to-file metrics for SARs and investigate outliers exceeding internal SLAs by more than five business days. Include law enforcement inquiry logs in SAR workpapers when agencies request supporting documentation. Never delay SAR filing solely to gather perfect evidence when suspicion thresholds are already met.

Get started with Legaltalent

Building a defensible AML program takes the right policies, evidence, and tooling—not spreadsheets held together with hope. Legaltalent helps US fintechs and financial services firms automate KYC, sanctions screening, PEP checks, adverse media, and audit-ready recordkeeping in one platform.

Start your free trial and see how compliant onboarding and monitoring can scale with your business.

Practical next steps for your compliance program

Regulators expect documented policies, trained staff, and evidence that controls run in production—not slide decks. Map each obligation to an owner, a control, and a record type. Run tabletop exercises for SAR decisions, sanctions hits, and EDD escalations. When examiners or auditors arrive, they will ask for samples: show that your process is consistent, risk-based, and improving over time.

Technology should reduce manual error, not replace accountability. Automate identity verification, list screening, and case management, but keep human review for edge cases. Periodically validate vendor match quality and tune thresholds so you neither flood analysts with false positives nor miss material risk.