How to File a Suspicious Activity Report (SAR)
Oct 23, 2025
·
10 min read
Contents
Filing a Suspicious Activity Report (SAR) is one of the most important regulatory obligations for financial institutions and fintech companies operating in the United States. Knowing how to file a suspicious activity report correctly can make the difference between meeting compliance expectations and facing regulatory scrutiny.
This article serves as a practical guide. It walks through who is required to file SARs, the exact steps in the filing process, and the critical details that regulators expect to see. You’ll also find common mistakes to avoid, tools that can simplify the process, and lessons drawn from recent enforcement actions.
This guide breaks down what filing involves in clear, actionable steps. By the end, you’ll know not only how to submit a SAR, but also how to build filing into your broader compliance operations in a way that is practical and sustainable.
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
Who Needs to File a Suspicious Activity Report?
Not every business in financial services has a direct filing obligation, but the list of covered entities is broad. Under the Bank Secrecy Act, the following categories must submit SARs when suspicious activity is detected:
Banks and credit unions
Money services businesses (MSBs), including money transmitters, check cashers, prepaid card providers, and currency exchangers
Futures commission merchants (FCMs) and introducing brokers in commodities
Mutual funds
Insurance companies offering products with cash value or investment features
Casinos and card clubs above the regulatory revenue threshold
Housing government-sponsored enterprises (GSEs)
For fintech companies, the obligation depends on structure. If your business holds a license as a money transmitter, broker-dealer, or another regulated category, you are directly responsible for filing.
If you operate through a partner bank or licensed MSB, the legal filing obligation rests with that partner. In practice, fintechs must still monitor for suspicious activity and escalate cases quickly so the partner can file within the required timeline. Here is a detailed breakdown of what obligation lands on each entity:
Entity | Obligation |
|---|---|
Banks and credit unions | Direct obligation under the Bank Secrecy Act |
Money services businesses (MSBs) | Includes transmitters, check cashers, prepaid providers; must file SARs |
Broker-dealers | Required under SEC and FINRA rules |
Futures commission merchants (FCMs) & introducing brokers | Covered by CFTC regulations |
Mutual funds | SAR obligations under FinCEN rules |
Insurance companies | Applies to life insurance companies offering products with cash value or annuities |
Casinos & card clubs | Must file if above revenue threshold |
Housing GSEs | Filing requirements under FinCEN rules |
Other designated entities | Entities that FinCEN specifies in guidance |
Fintech companies | Direct if licensed; indirect if operating through a partner bank or MSB (must escalate suspicious activity) |
How to File a Suspicious Activity Report Step by Step
Filing a SAR is more than just filling out a form. It is a structured process that starts with recognizing unusual activity and ends with securely documenting what you’re reporting. Each step matters because regulators expect both accuracy and timeliness.
Here’s how you can file a SAR for your business:
Step 1: Detect and Escalate Suspicious Activity Internally
Typically, institutions catch suspicious activity in two ways: through automated monitoring systems or by employees who notice irregular behavior. Automated systems flag patterns such as structuring, high-risk transactions, or unusual account behavior.
At the same time, frontline employees may spot red flags like customers asking unusual questions about thresholds or moving funds in ways that don’t fit their profile.
Once identified, the case must be escalated to compliance through a documented process. This usually involves logging the alert, assigning it to a compliance officer, and documenting the initial reason for suspicion.
Early escalation is critical because it starts the countdown to the 30-day filing deadline. Fintechs often build these steps into workflow tools so alerts don’t get lost in day-to-day operations.
Step 2: Collect the Required Customer and Transaction Details
A SAR must include precise information about the customer and the transactions in question. That means pulling identifiers like name, address, date of birth, account numbers, transaction dates, amounts, and involved counterparties.
Also, compile supporting evidence, such as transaction logs or scanned IDs. Gathering this information upfront makes drafting the report faster and reduces the risk of leaving gaps.
Step 3: Draft a Clear and Complete SAR Narrative
The narrative is the most important part of the report. It should describe the activity in plain language, answering who was involved, what happened, when and where it occurred, why it raised suspicion, and how the firm carried out the transactions.
Avoid jargon or vague statements like “unusual activity.” Instead, provide concrete examples: “The customer made five cash deposits of $9,500 within two weeks, inconsistent with their normal activity.” A detailed narrative helps investigators act on the report.
Step 4: Complete FinCEN Form 111 Accurately
FinCEN requires SARs to be filed through the BSA E-Filing System using Form 111. The form asks for several categories of information:
Subject details
Type of suspicious activity
Date ranges
Amounts
The narrative
Double-check all entries because incomplete or inaccurate forms are a common exam finding. Errors may undermine the usefulness of the SAR and reflect poorly on the compliance program.
Step 5: Submit the Report Through the BSA E-Filing System
Once complete, the SAR is submitted electronically. Institutions can file one-off reports or use batch filing if handling large volumes. The system will generate a confirmation with a tracking number and timestamp. Keep this document, as it proves you filed the SAR on time, which can be important during regulatory exams.
See also:
Step 6: Retain Records and Supporting Documentation
Institutions must keep a copy of the filed SAR, along with all supporting documents, for five years. This includes notes from the investigation, alerts that triggered the review, and correspondence.
Proper recordkeeping shows regulators that the institution has a disciplined compliance process and provides evidence if law enforcement follows up later. Secure, centralized storage is best to protect confidentiality and support future audits.
Need help with money transmitter compliance?
Fill out the form below and our experts will get back to you.
Key Details to Get Right in the Filing Process
Submitting a SAR is not enough. Regulators look closely at how well institutions meet deadlines, handle confidentiality, and maintain proper records. Small mistakes in these areas often trigger exam findings or enforcement actions.
Deadlines: 30 Days, 60 Days, and Continuing SARs
Timing is one of the most heavily scrutinized parts of SAR compliance. Regulators expect firms to track each case closely and document the timeline from first detection to filing. You have three deadlines to manage in the filing process:
30 days: A SAR must be filed within 30 calendar days of detecting suspicious activity. Detection is the point at which facts have established a reasonable suspicion, not just when an alert was generated.
60 days: If you can’t identify a suspect during the first 30 days, the deadline extends to 60 days total. Once a suspect is identified, you must file the SAR immediately, even if the 60-day window has not closed.
Continuing SARs: For ongoing suspicious behavior, you’ll need to file a continuing SAR every 90 days until the activity ends. Each filing should update law enforcement on what occurred since the previous report.
Best practice: Many fintech compliance teams set up compliance automation and use task management tools (like Asana or Jira) that trigger countdowns from the moment a case is escalated.
Confidentiality and the “No Tipping Off” Rule
SARs are strictly confidential. Institutions cannot disclose to the subject of the report or to unauthorized third parties that a SAR has been filed. Violating this rule can lead to serious penalties. Internally, only share SAR information with those who need access for compliance purposes.
Recordkeeping: What to Store and for How Long
You must retain every SAR and its supporting documentation for five years. This includes the filed form, evidence used in the investigation, and internal communications related to the decision to file. Proper storage is critical for regulatory exams and for responding to potential law enforcement inquiries. A clear audit trail demonstrates a disciplined compliance program.
Common Mistakes to Avoid When Filing SARs
Even when teams understand the rules, filing mistakes happen. Regulators regularly cite errors in narratives, data entry, and timeliness during exams and enforcement actions. Knowing the most common pitfalls helps compliance officers design better safeguards.
Incomplete or Vague Narratives
The narrative is the most important part of the SAR. A weak description, such as “customer engaged in unusual activity,” adds little value. Examiners expect specifics: dates, amounts, account numbers, and the reasons the activity appears suspicious. Failing to provide details undermines the usefulness of the report and can be viewed as a compliance weakness.
Missing or Incorrect Data Fields
A complete and accurate form is as important as the narrative itself. Errors in basic information, like account numbers or subject identifiers, are another frequent issue.
These often occur when data is pulled from multiple systems without reconciliation. Institutions should have review steps or validation tools to catch inaccuracies before submission.
Late Filings and Weak Internal Tracking
Deadlines are strict. Filing even a few days late can raise questions during exams, especially if it becomes a pattern. Weak internal tracking, such as relying on spreadsheets or ad hoc reminders, leads to missed filings. Setting up automated reminders or dedicated case management tools reduces this risk and creates a clear audit trail.
Tools and Approaches That Make Filing Easier
SAR compliance is labor-intensive, especially for fintechs dealing with large transaction volumes or limited in-house staff. Leveraging the right tools and approaches can reduce errors and improve efficiency without compromising regulatory expectations.
See also:
Case Management and SAR Automation Software
Specialized compliance platforms can centralize alerts, investigations, and filings in one place. These tools often integrate directly with FinCEN’s BSA E-Filing system, auto-populate customer and transaction data, and generate internal audit trails. For fintechs, automation is valuable because it reduces manual entry and helps keep deadlines visible.
Using Checklists and Templates for Consistency
Even with automation, human review is essential. Standardized checklists and SAR narrative templates guide investigators through required fields and remind them to include specific details. Checklists promote consistency across different team members and make it easier to train new staff.
Outsourcing or Augmenting Your Compliance Team
Some firms choose to outsource parts of their SAR process to experienced compliance providers like InnReg. This approach can be cost-effective compared to hiring full-time staff, especially for startups.
It also brings access to specialists who understand both financial regulations and fintech business models. For companies that prefer to keep core compliance in-house, outsourcing can still provide surge capacity when alert volumes spike.
Lessons from Recent Enforcement Actions
Enforcement actions give a clear picture of what regulators expect from SAR filings. Two recurring themes are deficient narratives and late or missed reports.
What Regulators Flagged in Deficient SAR Filings
The SEC and FINRA have penalized broker-dealers for submitting SARs that lacked essential information. In some cases, firms failed to include account numbers, transaction dates, or explanations of why the activity was suspicious.
Others used vague language like “unusual trading” without describing the actual pattern. Regulators noted that these gaps reduced the usefulness of the SARs to law enforcement, effectively making the reports non-compliant even though they were filed on time.
Banking Regulator Findings on Late or Missed SARs
The OCC and other banking regulators have highlighted repeated issues with timeliness. Institutions have been cited for filing SARs well past the 30-day deadline, often because escalation processes were unclear or case tracking was weak.
In more severe cases, banks and credit unions failed to file altogether, despite clear red flags. Regulators view late or missed filings as systemic compliance failures, and penalties can be significant.
For fintechs, these cases emphasize that regulators examine both the quality of reporting and the discipline of the filing process.
Final Takeaways for Fintech Leaders
Filing a SAR is a test of how well your institution manages regulatory risk. Regulators pay attention to the quality, timeliness, and completeness of every report. For fintech leaders, this means building systems that not only detect suspicious activity but also handle the reporting process with discipline.
The most common pitfalls are avoidable with the right mix of processes and tools. For growing fintechs, outsourcing or augmenting compliance staff can provide depth of expertise without the cost of building a large internal team.
If your team needs specialized support, InnReg helps fintechs design and operate compliance programs that integrate SAR processes into daily operations, bringing fintech-specific expertise and a cost-effective alternative to building large in-house teams.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with money transmitter compliance, reach out to our regulatory experts today:
Published on Oct 23, 2025
Last updated on Oct 23, 2025
Related Articles
Featured LinkedIn Posts
