A practitioner's guide to spotting red flags, filing on time, and building a SAR program that holds up under regulatory review.
A Suspicious Activity Report is the formal mechanism by which banks, money services businesses, and other regulated entities flag financial activity that may involve money laundering, fraud, or other criminal conduct. Filing one isn't optional once the suspicion threshold is met — it's a legal obligation under frameworks like the U.S. Bank Secrecy Act and the UK's Proceeds of Crime Act 2002. Get the timing or the content wrong and an institution risks regulatory penalties; get the internal process wrong and it risks committing a separate offense by tipping off the subject of the report.
A Suspicious Activity Report is a confidential document that a regulated financial institution files with a national financial intelligence unit when it suspects that a transaction, or a pattern of transactions, may involve money laundering, terrorist financing, fraud, or other criminal activity. The filing itself does not accuse anyone of a crime. It simply flags activity that warrants further investigation by law enforcement or the relevant financial intelligence unit, such as FinCEN in the United States or the National Crime Agency's UKFIU in the United Kingdom.
SARs exist because front-line institutions — banks, money transmitters, exchange houses — are often the first place unusual financial behavior surfaces. Regulators rely on this network of mandatory reporting to build a picture of money laundering typologies across the financial system. For a money transfer operator, a SAR obligation typically sits alongside transaction monitoring, sanctions screening, and customer due diligence as one pillar of a broader AML compliance program.
SAR obligations exist for three overlapping reasons. The first is legal: failing to file a required SAR, or filing one late, exposes an institution to civil penalties, license conditions, or enforcement action from its primary regulator. The second is systemic: SARs feed law enforcement's broader effort to disrupt money laundering networks, and a single filing can connect to dozens of other reports across institutions to reveal a pattern invisible to any one filer. The third is cultural — a functioning SAR process signals that compliance is built into daily operations rather than treated as a checkbox exercise.
For money transfer operators specifically, SAR quality has become a direct input into ongoing supervisory relationships. Examiners increasingly look not just at whether SARs were filed, but at the substance of the narrative, the speed of internal escalation, and whether the institution can show a documented decision trail from detection to filing.
Most SARs originate from a small set of recurring behavioral and transactional patterns. Staff trained to recognize these patterns — rather than memorize a static list — catch suspicious activity earlier and document it more usefully for the eventual filing.
A customer who suddenly moves volumes far outside their established pattern, or who breaks a large amount into multiple smaller transactions just under a reporting threshold, is exhibiting one of the oldest and most reliable laundering indicators: structuring. The mismatch between the transaction and the customer's known income, occupation, or stated purpose is the signal — not the dollar amount in isolation.
Customers who hesitate, refuse, or provide inconsistent answers when asked routine KYC questions — source of funds, purpose of transfer, relationship to the recipient — are flagging risk through behavior rather than through the transaction itself. This is especially significant when the reluctance appears only after a transaction crosses a monitoring threshold.
Transactions routed through multiple intermediaries, jurisdictions, or instruments with no clear business rationale are a classic layering indicator. This is particularly relevant for cross-border remittance, where a legitimate corridor can be exploited by routing funds through a chain of accounts or currencies to obscure origin.
Transactions tied to jurisdictions flagged by FATF for strategic AML deficiencies, or to jurisdictions under active sanctions regimes, warrant enhanced scrutiny regardless of transaction size. This does not mean every transaction touching a high-risk corridor is suspicious — it means the baseline level of due diligence should rise.
A dormant account that suddenly becomes active, or an established customer whose transaction profile changes sharply with no corresponding change in their stated circumstances, is one of the more commonly missed red flags because it requires a behavioral baseline to detect — a static rules engine alone will not catch it.
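Two of the patterns above, structuring and dormant-account reactivation, are invisible to a rule that looks at one transaction at a time. The sketch below is an added example, not code from the original article or from any vendor's monitoring engine; the threshold, window, dormancy period and sample transactions are assumed values constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed values for illustration only; real programs calibrate these
# per corridor and customer segment.
REPORT_THRESHOLD = 10_000        # hypothetical reporting threshold
WINDOW = timedelta(days=3)       # rolling aggregation window
DORMANCY = timedelta(days=180)   # gap after which an account counts as dormant

# Constructed sample data: (customer_id, date, amount)
TXNS = [
    ("C1", date(2025, 3, 3), 9_500),
    ("C1", date(2025, 3, 4), 9_200),
    ("C1", date(2025, 3, 5), 9_700),
    ("C2", date(2024, 6, 1), 300),
    ("C2", date(2025, 3, 4), 8_000),   # first activity after about 9 months
    ("C3", date(2025, 3, 1), 450),
    ("C3", date(2025, 3, 20), 500),
]

def by_customer(txns):
    """Group transactions per customer, oldest first."""
    grouped = defaultdict(list)
    for cust, day, amount in sorted(txns, key=lambda t: (t[0], t[1])):
        grouped[cust].append((day, amount))
    return grouped

def static_rule(txns, threshold=REPORT_THRESHOLD):
    """Per-transaction rule: flags only single amounts at or above threshold."""
    return sorted({c for c, _, amt in txns if amt >= threshold})

def structuring_alerts(txns, threshold=REPORT_THRESHOLD, window=WINDOW):
    """Flag customers whose sub-threshold transactions, summed inside a
    rolling window, reach the threshold."""
    alerts = {}
    for cust, rows in by_customer(txns).items():
        small = [(d, a) for d, a in rows if a < threshold]
        start, total = 0, 0
        for end, (day, amount) in enumerate(small):
            total += amount
            while day - small[start][0] > window:   # slide the window forward
                total -= small[start][1]
                start += 1
            if end > start and total >= threshold:
                # keep the most recent qualifying window for the case file
                alerts[cust] = {"first": small[start][0], "last": day,
                                "count": end - start + 1, "total": total}
    return alerts

def reactivation_alerts(txns, dormancy=DORMANCY):
    """Flag accounts whose gap between consecutive transactions exceeds the
    dormancy period. This needs history, not just the current transaction."""
    alerts = {}
    for cust, rows in by_customer(txns).items():
        for (prev_day, _), (day, amount) in zip(rows, rows[1:]):
            if day - prev_day > dormancy:
                alerts[cust] = {"dormant_since": prev_day, "resumed": day,
                                "amount": amount}
    return alerts

if __name__ == "__main__":
    print("static rule: ", static_rule(TXNS))
    print("structuring: ", structuring_alerts(TXNS))
    print("reactivation:", reactivation_alerts(TXNS))
```

On the sample data the static rule flags nothing, while the windowed and history-based checks each surface one customer for human review; neither output is a filing decision on its own.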
SAR obligations apply broadly across the regulated financial sector, though the exact scope varies by jurisdiction. In the United States, FinCEN's SAR requirement covers money transmitters, currency dealers and exchangers, issuers and sellers of money orders and traveler's checks, banks and credit unions, broker-dealers, and the U.S. Postal Service in its money order capacity. Notably, FinCEN's MSB rules exclude check cashers and stored-value issuers, sellers, and redeemers from the SAR filing requirement specifically, even though they remain subject to other BSA obligations.
Virtual asset service providers are also in scope where they function as a money transmitter under FinCEN's guidance on convertible virtual currencies — meaning an exchange or custodial wallet provider acting as an administrator or exchanger is generally treated the same as any other MSB for SAR purposes. In the UK and most FATF-member jurisdictions, the regulated sector extends further still, drawing in accountants, solicitors, estate agents, and other "gatekeeper" professions under anti-money laundering regulations, in addition to banks, payment institutions, and MSBs.
| Entity Type | Typical Status | Notes |
|---|---|---|
| Banks & credit unions | Mandatory | Core BSA / AML obligation in virtually every jurisdiction |
| Money transmitters / MSBs | Mandatory | Includes currency exchangers, money order issuers |
| Virtual asset service providers | Mandatory | Where acting as administrator or exchanger of convertible virtual currency |
| Broker-dealers & investment firms | Mandatory | Subject to sector-specific SAR rules |
| Check cashers / stored value issuers | Excluded from SAR rule | Still subject to other BSA recordkeeping duties |
| Accountants, solicitors, estate agents | Jurisdiction-dependent | In scope under UK and many FATF-member AML regimes |
Figure 1: SAR filing obligations by entity type. Source: FinCEN, "MSBs Subject to the SAR Requirement."
Filing speed is where institutions most often slip, usually because the clock starts at detection, not at the point internal investigation concludes. In the United States, FinCEN requires a SAR to be filed no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing. If no suspect has been identified within that window, the institution may take up to an additional 30 days to file — a maximum of 60 days from detection — but no longer. FinCEN's October 2025 FAQ guidance also clarified that its suggested 90-day continuing-activity filing cycle is a recommendation, not a mandatory deadline, giving institutions some discretion in how they handle ongoing suspicious activity once an initial SAR is on file.
In the UK, there is no fixed statutory day count. SARs must be submitted to the National Crime Agency "as soon as practicable" after the suspicion arises, through the NCA's SAR Online Portal. Where an institution needs to proceed with a transaction it suspects may involve criminal property — and wants legal protection from a money laundering offense — it can submit a Defence Against Money Laundering request alongside the SAR, asking the NCA for consent to continue. As of July 2025, the reporting threshold for a DAML request rose from £1,000 to £3,000, reducing the volume of low-value DAML filings reaching the UKFIU.
| Jurisdiction | Standard Deadline | Extension | Filing Channel |
|---|---|---|---|
| United States (FinCEN) | 30 days from detection | Up to 60 days total if no suspect identified | BSA E-Filing System |
| United Kingdom (NCA) | As soon as practicable | No fixed extension — DAML request if a transaction must proceed | SAR Online Portal |
Figure 2: Comparative SAR filing deadlines. Source: FinCEN SAR FAQs (Oct. 2025); National Crime Agency UKFIU Chapter 2 & Chapter 3 guidance (Dec. 2025).
Filing a SAR well is less about the form itself and more about the process that precedes it. The following sequence reflects how a mature compliance function moves from detection to a defensible filing.
Figure 3: The five-step SAR filing process from detection to recordkeeping. Source: FinCEN BSA recordkeeping rules (31 CFR 1010.430); National Crime Agency UKFIU guidance.
Abstract red-flag lists are easier to apply when paired with concrete scenarios. The following two examples illustrate how the recognition-to-filing process plays out in practice.
A SAR narrative is judged on specificity. Vague language like "the transaction seemed unusual" gives investigators nothing to act on, while a narrative built around concrete facts gives the filing investigative value. At minimum, a complete SAR should identify the parties involved, including names, account numbers, and any known relationships between them; describe the transaction or pattern in factual terms, including dates, amounts, and channels used; and state plainly why the activity is considered suspicious, tying the explanation back to the specific red flag or deviation from expected behavior that triggered the review.
The narrative section deserves particular attention because it is what a financial intelligence unit analyst actually reads to decide whether a case warrants further investigation. A well-written narrative answers who, what, when, where, and why in plain language, in the order an investigator would need it, without speculation framed as fact.
The same handful of mistakes recur across SAR programs of every size, and most of them are process failures rather than judgment failures.
When front-line staff sit on a red flag for days before escalating it, the institution can lose much of its 30-day filing window before the MLRO even sees the case. A documented internal SLA for escalation — measured in hours, not days — protects the overall filing deadline.
Generic language that could apply to any transaction signals to regulators that the filing was completed to satisfy a checkbox rather than to genuinely flag risk. Specific, factual narratives are both a compliance best practice and a defense if the filing is later examined.
In jurisdictions with a DAML or equivalent consent mechanism, failing to request it before proceeding with a transaction tied to suspected criminal property removes the institution's legal protection entirely — the SAR alone does not provide that defense.
Examiners increasingly ask not just whether a SAR was filed, but how the institution arrived at that decision. Without a documented trail from detection through MLRO review, the institution cannot demonstrate the judgment behind the filing — or the judgment behind cases it chose not to file.
Front-line staff who don't know what a red flag looks like in practice — as opposed to in a training slide — are the weakest link in any SAR program. Training has to be refreshed regularly and tied to real, anonymized case examples to stay effective.
A SAR program that holds up under regulatory review rests on four ongoing commitments rather than a one-time setup. Recurring staff training keeps red-flag recognition current as typologies evolve — what counted as suspicious five years ago is often standard practice for legitimate customers today, and the reverse is also true. Regular policy and procedure reviews ensure the institution's internal thresholds and escalation paths keep pace with regulatory guidance updates, such as FinCEN's 2025 SAR FAQ clarifications.
Independent audits — internal or third-party — test whether the documented process actually happens in practice, not just on paper. And a genuine culture of compliance, reinforced from leadership down, is what determines whether front-line staff escalate a borderline case or let it slide because they're worried about flagging a good customer. Institutions that treat these four elements as ongoing operational commitments, rather than annual compliance exercises, consistently perform better under examination.
Three shifts are reshaping how SAR programs operate this year. AI-powered transaction monitoring has moved from pilot to mainstream, with machine learning models building customer-specific behavioral baselines rather than relying solely on static rules — but examiners now treat these models as risk models in their own right, expecting documented training data, validation testing, and periodic revalidation rather than a black-box system.
Regulatory scrutiny of false-positive rates has intensified alongside this shift. A monitoring system that generates an overwhelming volume of low-quality alerts is itself a supervisory concern, because it implies the institution cannot meaningfully review what it flags — which undermines the entire purpose of the SAR regime.
Beneficial ownership reporting has also moved in an unexpected direction. Rather than expanding, FinCEN's March 2025 interim final rule narrowed the Corporate Transparency Act's beneficial ownership information requirements substantially, exempting most domestic U.S. companies and citizens from reporting. Institutions that built compliance workflows assuming broad beneficial ownership disclosure obligations have had to revisit those assumptions, while a newer FinCEN rule covering certain non-financed residential real estate transfers — effective March 2026 — adds a narrower, separate reporting stream worth tracking for institutions with related exposure.
RemitSo's platform is built to give compliance teams the audit trail a SAR program depends on. Every alert generated by the platform's 55+ indicator transaction monitoring engine — calibrated by corridor — carries a timestamped record through the AML/CTF case management module, so the path from initial detection to MLRO decision is documented automatically rather than reconstructed after the fact. Real-time sanctions screening against 40,000+ records across 8+ global watchlists, including OFAC, UN, EU, and HMT, with fuzzy matching and alias detection, reduces the chance that a sanctioned party slips through before a SAR-worthy pattern is even noticed.
For operators building beneficial ownership verification into onboarding, RemitSo's business entity screening module pairs tiered KYC — from standard checks through full enhanced due diligence — with ownership verification at account opening, so the data examiners expect to see is already part of the customer record rather than something compliance has to chase down after an alert fires. Teams building out the broader governance layer around SAR filing often pair this with a clear view of how compliance and risk management responsibilities differ and intersect, and can review RemitSo's AML consulting services for program design support.
A Suspicious Activity Report is a confidential filing that a regulated financial institution submits to a national financial intelligence unit when it suspects a transaction may involve money laundering, fraud, or other criminal activity. The report is filed with authorities such as FinCEN in the United States or the National Crime Agency in the United Kingdom, not with the customer involved. Filing a SAR does not require proof that a crime occurred — only a reasonable suspicion based on documented facts. The obligation applies to banks, money transmitters, and a range of other regulated entities depending on jurisdiction.
In the United States, FinCEN requires a SAR to be filed within 30 calendar days of initial detection, with a possible extension to 60 days total if no suspect has been identified. The UK has no fixed day count — the National Crime Agency requires SARs to be submitted "as soon as practicable" through its SAR Online Portal once suspicion arises. Other jurisdictions set their own standards, so institutions operating across multiple corridors need to track each regulator's specific deadline. Missing the deadline, even without intent to delay, can still expose the institution to regulatory penalties.
In the U.S., FinCEN's SAR requirement covers banks, credit unions, money transmitters, currency dealers and exchangers, issuers and sellers of money orders and traveler's checks, broker-dealers, and virtual asset service providers acting as a money transmitter. Check cashers and stored-value issuers are specifically excluded from the SAR filing rule, though they remain subject to other recordkeeping obligations. In the UK and most FATF-member jurisdictions, the regulated sector is broader still, extending to accountants, solicitors, and estate agents under anti-money laundering regulations. The exact scope always depends on the institution's license type and jurisdiction.
The obligation is triggered by reasonable suspicion, not by a fixed dollar threshold or a confirmed crime. A transaction must be reported if the institution knows, suspects, or has reason to suspect it involves funds from illegal activity, is structured to disguise the source of funds, is designed to evade BSA or equivalent reporting requirements, or simply has no apparent lawful business purpose given what the institution knows about the customer. Common triggers include structuring patterns, sudden behavioral changes, vague or evasive answers to KYC questions, and transactions connected to high-risk jurisdictions. The threshold is intentionally broad because the filing itself is just a flag for investigation, not an accusation.
Accurate, specific details are critical: the parties involved, the type and structure of the transaction, and a clear factual explanation of why the activity is considered suspicious. A strong narrative names dates, amounts, account numbers, and channels rather than describing the activity in general terms. It explicitly ties the filing to the specific red flag or behavioral deviation that triggered review, since that is what a financial intelligence unit analyst uses to decide whether the case warrants investigation. Vague language weakens the filing's investigative value even when the underlying suspicion is well-founded.
No. Disclosing that a SAR has been filed, or that a money laundering investigation is underway, is a separate criminal offense in most jurisdictions, known as "tipping off." In the UK, this offense carries a maximum penalty of two years' imprisonment under the Proceeds of Crime Act 2002, and a related offense of prejudicing an investigation carries up to five years. The confidentiality requirement is precisely why internal escalation procedures must route the decision to the MLRO without involving or alerting the customer at any stage. Staff training has to cover this explicitly, since well-meaning customer service responses are a common way tipping-off violations happen unintentionally.
A Defence Against Money Laundering request is a UK mechanism that lets an institution ask the National Crime Agency for consent to proceed with a transaction it suspects involves criminal property, without committing a money laundering offense itself. It's needed specifically when a SAR-worthy transaction is still pending and the institution must decide whether to process it, hold it, or reject it before the underlying suspicion can be resolved. As of July 2025, the reporting threshold for DAML requests rose from £1,000 to £3,000, reducing the volume of low-value cases that require this additional step. Institutions outside the UK should check whether their jurisdiction has an equivalent consent mechanism, since the underlying legal exposure — proceeding with a transaction involving suspected criminal property — exists under most AML frameworks even where the specific defence mechanism differs.
Under U.S. BSA rules, institutions must retain a copy of any filed SAR and its supporting documentation for at least five years from the date of filing, per FinCEN recordkeeping requirements at 31 CFR 1010.430. This retention period covers the original or business-record equivalent of the underlying evidence, not just the filed form itself, since examiners may request the full decision trail during a later review. Institutions operating in multiple jurisdictions should confirm the equivalent retention period under each relevant regulator, as some frameworks specify longer periods for related sanctions or anti-fraud records. Building retention into the case management workflow from the start avoids the scramble to reconstruct records years after a filing.