Suspicious Activity Reports (SARs): A Compliance Guide
Oct 20, 2025
·
14 min read
Contents
Suspicious Activity Reports are one of the most important compliance tools in financial services. In the United States and globally, regulators rely on these reports to detect and investigate money laundering, terrorist financing, fraud, and other forms of financial crime. Therefore, understanding when and how to file a SAR is critical for staying aligned with regulatory expectations.
This guide explains the essentials of suspicious activity reporting, with a primary focus on US requirements under the Bank Secrecy Act and FinCEN rules. It also covers international equivalents, common red flags, filing processes, and legal considerations.
We aim to provide a clear overview of the obligations that apply, how regulators approach suspicious activity, and the steps compliance teams can take to manage this responsibility without unnecessary complexity. Whether you’re running a startup payments app, a broker-dealer, or a crypto platform, SAR compliance is not optional.
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
What Are Suspicious Activity Reports?
A Suspicious Activity Report (SAR) is a filing that financial institutions submit to regulators when they detect activity that may indicate money laundering, terrorist financing, fraud, or another financial crime. In the United States, firms must file SARs with the Financial Crimes Enforcement Network (FinCEN) as part of the Bank Secrecy Act framework.
The purpose of a SAR is not to prove a crime, but to give authorities early insight into behavior that looks suspicious. Investigators then use SARs to connect data points across institutions, identify patterns, and launch formal inquiries when needed.
Globally, the same requirement exists under different names. Here are the following instances:
United Kingdom: Filings go to the National Crime Agency.
European Union: Reports are called Suspicious Transaction Reports (STRs).
Australia: Reports are submitted to AUSTRAC (Australian Transaction Reports and Analysis Centre).
Singapore: Reports are filed with the Monetary Authority of Singapore (MAS).
Despite these variations, the principle is the same: financial firms have a duty to alert regulators to suspicious activity when it arises.
Who Must File Suspicious Activity Reports
SARs apply to a broad range of financial institutions, not just banks. Regulators expect any covered entity to have systems in place to detect suspicious activity and file when required. Below are the primary groups responsible for SAR filings:
1. Banks and Credit Unions
All depository institutions in the US, including national and state-chartered banks and credit unions, must file SARs. These institutions have some of the highest filing volumes, given their central role in handling deposits, payments, and cross-border transfers.
They are obligated to file SARs because criminals often try to disguise illicit funds through deposits, transfers, and loans. Monitoring at this level provides regulators with an early warning system against money laundering and fraud.
2. Broker-Dealers and Securities Firms
Broker-dealers registered with the SEC and overseen by FINRA are subject to SAR rules. Suspicious trading activity, such as insider trading or manipulation of low-value securities, commonly triggers filings in this sector. SAR filings from these firms help regulators spot misconduct that might harm investors and market integrity.
3. Money Services Businesses and Fintechs
Money transmitters, payment platforms, remittance providers, and digital wallets all fall under the “money services business” category. Partner-bank arrangements can complicate responsibilities, making it critical to define who is responsible for reporting suspicious transactions. However, fintechs that provide these services directly must file SARs.
4. Cryptocurrency Exchanges and Digital Assets
US regulators classify cryptocurrency exchanges as money services businesses that face SAR obligations because digital assets are frequently used for layering, obfuscating transactions, or bypassing sanctions. Filing SARs helps regulators track illicit flows that might otherwise vanish in blockchain transactions.
They must register with FinCEN, maintain AML programs, and submit SARs on suspicious crypto activity. This includes transfers linked to darknet markets, mixing services, or sanctioned wallets.
5. Casinos and Other Regulated Entities
Casinos and card clubs that handle more than a set volume of cash transactions are subject to SAR obligations. These entities must file SARs so regulators can detect suspicious betting patterns or cash movements that might signal criminal activity.
Other regulated businesses, such as certain insurance companies and dealers in precious metals or jewels, may also fall under SAR rules depending on their activities.
See also:
6. Global Equivalents and Regulators
Other jurisdictions impose similar requirements under different frameworks. The UK, EU, Australia, and Singapore all operate suspicious transaction reporting regimes, with reports submitted to their respective financial intelligence units. While rules vary, the core obligation to report suspicious activity exists worldwide.
The obligation exists because criminals exploit weak links in the global system. Consistent SAR or STR regimes across countries make it harder for illicit actors to hide by moving money from one jurisdiction to another.
Need help with money transmitter compliance?
Fill out the form below and our experts will get back to you.
When to File a Suspicious Activity Report
Financial institutions are not expected to confirm crimes. Instead, regulators expect them to recognize activity that looks unusual or inconsistent with what they know about a customer. More specifically, an entity must file a SAR when it has knowledge, suspicion, or reason to suspect a violation of law or abuse of the financial system.
Here are some methods to identify if you need to file a SAR:
Reporting Thresholds in the US
Regulators provide thresholds to guide when a SAR is required:
Insider abuse of any amount: If an employee, officer, or insider is involved in misconduct, the dollar value does not matter.
$5,000 or more with a known suspect: When the institution can tie suspicious activity to an individual or entity, reporting is required.
$25,000 or more with no suspect identified: Institutions must still report large unexplained activity, even if the person behind it remains unknown.
$5,000 or more that appears structured or lacks a lawful purpose: If transactions seem designed to avoid reporting rules or serve no legitimate business purpose, a SAR is required.
These thresholds reflect regulators’ view that even relatively small amounts can reveal larger criminal schemes when combined with other data.
Common Red Flags That Trigger Reporting
Beyond thresholds, compliance teams must use judgment. Red flags often include:
Structuring and Evasion Tactics
Structuring occurs when a customer deliberately breaks a large sum into smaller transactions to avoid triggering reporting thresholds. For example, instead of depositing $20,000 in one day, a customer might deposit $9,900 over several consecutive days.
This type of behavior suggests an attempt to evade detection, and regulators expect it to be reported even if each transaction individually looks ordinary. Patterns of withdrawals or transfers just below known limits often point to the same issue.
Unusual Transfers or Patterns
Another signal comes from activity that doesn’t match what you know about a customer. A small business that usually processes local payments suddenly wiring funds to multiple overseas accounts raises questions.
Likewise, an individual who has never moved large sums might abruptly transfer tens of thousands of dollars through multiple new accounts. The core test is whether the activity is inconsistent with a customer’s profile or stated purpose. Even if there’s no obvious explanation, regulators expect these anomalies to be reviewed and reported.
High-Risk Jurisdictions or Sanctions Links
Some destinations and counterparties are higher risk by definition. Transactions tied to countries known for weak anti-money laundering controls or terrorism financing, such as jurisdictions flagged by the Financial Action Task Force (FATF), are considered suspicious.
Similarly, dealings with individuals or entities on sanctions lists like those maintained by OFAC in the US require immediate attention.
SARs vs. CTRs
SARs are frequently confused with Currency Transaction Reports (CTRs). The difference is simple:
Aspect | Currency Transaction Report (CTR) | Suspicious Activity Report (SAR) |
|---|---|---|
Purpose | Track large cash movements for transparency | Flag potential money laundering, fraud, or other suspicious activity |
Trigger | Any cash transaction over $10,000, no suspicion required | Suspicious behavior involving $5,000+ (or any insider abuse, any amount) |
Scope of Transactions | Cash deposits, withdrawals, exchanges, and transfers only | All types of transactions: cash, wires, checks, crypto, securities, etc. |
Suspicion Required? | No, purely threshold-based | Yes, based on knowledge, suspicion, or reasonable grounds |
Example | Customer deposits $50,000 in cash | Customer deposits $9,900 three days in a row with an unclear source |
How to File a Suspicious Activity Report
Filing a SAR involves three core steps: detecting the activity, documenting it, and submitting the report within the required timelines. The process begins when a monitoring system or employee flags unusual behavior.
At a high level, the filing process looks like this:
Identify suspicious activity: Alerts may come from transaction monitoring tools or staff observations.
Investigate and decide: Compliance teams review the activity, gather facts, and determine whether it meets SAR criteria.
Prepare the report: Complete the FinCEN SAR form, with a clear narrative explaining what happened and why it’s suspicious.
Submit on time: File electronically through FinCEN’s BSA E-Filing System, usually within 30 days of detection.
Maintain records: Retain supporting documents and follow confidentiality rules to avoid tipping off customers.
If you’d like to learn more about how to file a Suspicious Activity Report, check out our detailed step-by-step guide.
Regulatory and Legal Considerations
SAR obligations come with strict legal requirements. In the US, SARs are filed with FinCEN, which acts as the central financial intelligence unit.
While FinCEN collects the reports, other regulators enforce compliance:
Federal banking agencies oversee banks and credit unions
The SEC and FINRA review broker-dealers
State regulators monitor money services businesses
Each regulator expects institutions to maintain a reasonably designed AML program that includes effective SAR reporting. Hence, there are several regulatory and legal considerations you must consider:
See also:
Confidentiality and Tipping-Off Prohibitions
One of the most important rules is that SARs are confidential. Institutions cannot disclose to customers, employees outside compliance, or third parties that a report has been filed. Doing so is considered “tipping off” and can result in civil or criminal penalties.
Even if a customer directly asks, institutions are required to withhold that information. Furthermore, when closing an account, firms must use neutral language and avoid referencing the report.
Safe Harbor Protections for Filers
The Bank Secrecy Act provides a safe harbor for financial institutions and employees. No liability attaches for filing a SAR in good faith, even if the suspicion later proves unfounded. This protection is designed to encourage reporting without fear of legal retaliation.
Recordkeeping and Retention Requirements
Institutions must retain a copy of each SAR and supporting documentation for at least five years. These records must be stored securely with restricted access. Regulators expect systems that not only capture the SAR but also preserve the evidence behind it.
At InnReg, we help fintech companies build practical workflows for these requirements. Our team designs policies that aid in maintaining confidentiality and set up reliable retention practices.
Because we operate as outsourced compliance departments, we integrate into existing tools and systems to make recordkeeping and regulator-ready documentation straightforward.
Common Compliance Challenges for Fintechs
For fintech companies, SAR obligations often feel more complex than for traditional banks. Fast growth, high transaction volumes, and cross-border operations can strain compliance programs. The challenge is not only detecting suspicious activity but doing so in a way that scales with the business.
Monitoring at Scale and Alert Fatigue
As transaction volume grows, so does the number of alerts. Smaller fintechs may start with manual reviews, but this quickly becomes unsustainable. Too many false positives can overwhelm teams, while missing true positives risks regulatory findings.
Balancing Quantity vs. Quality of SARs
Regulators expect timely filings, but they also scrutinize report quality. A poorly written SAR narrative can draw criticism, even if the filing itself was on time. Compliance teams often struggle to balance filing enough reports to stay covered without producing generic or low-value submissions.
Coordinating with Partner Banks
Many fintechs operate under sponsorship models with licensed banks. In these setups, roles and responsibilities for SAR filing must be clearly defined. Unclear accountability can lead to missed reports or duplication, both of which regulators view as weaknesses in the program.
Cross-Border and Multi-Jurisdictional Filings
Fintechs with global reach face the added burden of handling multiple reporting regimes. An activity may require a SAR in the US, an STR in the EU, and equivalent filings elsewhere. Aligning these requirements into a cohesive process is a common sticking point.
Misconceptions About Suspicious Activity Reports
Founders and even experienced compliance staff often hold misconceptions about how SAR obligations work. Clearing up these misunderstandings is critical to avoiding gaps that could expose a firm to regulatory scrutiny.
SARs Are Only for Large Banks
Many startups assume SAR rules apply only to big financial institutions. In reality, the obligation covers money services businesses, broker-dealers, and fintechs that handle customer funds. If your company falls under these categories, regulators expect you to file.
Filing Guarantees Law Enforcement Action
Submitting a SAR does not automatically trigger an investigation. Law enforcement uses SARs to build cases and spot patterns, but firms rarely receive feedback. The value of filing lies in contributing to the bigger picture, not in immediate action against a customer.
Filing Requires Account Closure
Filing a SAR does not mean the institution must close the account. Some firms adopt a “file and exit” approach, but regulators do not require it. In fact, keeping the account open can sometimes help investigators track ongoing activity.
SARs Are Just Regulatory Paperwork
SARs are not box-ticking exercises. Regulators rely on the information to detect serious threats, from fraud rings to terrorist financing. A poorly prepared or missing report can be just as damaging to an institution as the activity it was meant to flag.
Recent Updates and Enforcement Trends
SAR requirements continue to evolve as regulators adapt to new risks and business models. Fintech leaders need to stay aware of changes in rules and enforcement priorities to avoid being caught off guard.
New SAR Rules for Investment Advisors
Starting January 1, 2028, registered investment advisors and certain exempt reporting advisors will be required to implement AML programs, including SAR filing obligations. This marks a significant expansion of FinCEN’s reach and will bring thousands of additional firms into the SAR regime.
See also:
Push to Modernize SAR and CTR Thresholds
Industry groups have argued that the $5,000 SAR and $10,000 CTR thresholds are outdated, given inflation and the burden of high-volume filings.
Legislation has been introduced to raise these levels, but for now, the thresholds remain unchanged. Compliance teams should monitor developments, as higher thresholds could reshape monitoring strategies.
FinCEN Advisories and Emerging Typologies
FinCEN regularly issues advisories to highlight new risks, such as
Ransomware payments
Human trafficking
Misuse of crypto mixers
These notices often include key terms that institutions should use in SAR narratives. Ignoring such guidance can leave filings incomplete or less helpful to investigators.
High-Profile Enforcement Actions
Recent enforcement actions underscore the consequences of SAR failures. In 2024, FinCEN imposed a record $1.3 billion penalty on a bank for widespread AML breakdowns, including missed SAR filings.
Crypto exchanges have also faced multimillion-dollar penalties for failing to report suspicious wallet activity. Globally, regulators in Europe and Asia are imposing similar fines for late or inadequate STR filings.
Best Practices for Suspicious Activity Reporting
Meeting SAR obligations is about more than filing on time. Regulators look closely at the quality of reports, the systems behind them, and whether the firm treats suspicious activity reporting as a core compliance function. For fintechs, adopting practical best practices can mitigate both regulatory risk and operational strain.
Effective Monitoring Systems
Transaction monitoring tools should align with the business model. For early-stage fintechs, simple rule-based systems may suffice, while high-volume firms often need automated monitoring and case management.
Start by mapping transaction flows for your business model and identifying points where illicit activity could occur. Define scenarios that should raise alerts, such as
Deposits structured just under $10,000
Rapid movement of funds across accounts
Wallet addresses tied to high-risk jurisdictions
Review thresholds and monitoring rules at least quarterly. Without adjustment, fast-growing fintechs risk overwhelming their teams with false positives or missing activity that regulators expect to see flagged.
Train and Offer Awareness for Staff
Frontline employees are often the first to notice unusual behavior. Regular training helps staff understand what to look for and how to escalate issues. Well-trained teams strengthen the overall compliance program and reduce reliance on automated alerts alone.
Firms should deliver training during onboarding and refresh it annually, with case studies tailored to fintech products like payments apps or crypto wallets. Staff must know not only how to recognize red flags but also how to escalate them.
Leverage Technology and Regtech Solutions
Manual reviews quickly become unsustainable as transaction volume grows. Artificial intelligence and regtech platforms can improve detection by identifying complex patterns across large datasets. Fintechs should deploy monitoring systems that integrate sanctions screening and generate alerts in real time.
Regtech platforms like Regly can also help with transaction monitoring, cutting down drafting time. These tools also help streamline workflow management, freeing compliance staff to focus on judgment calls. Technology should not replace human oversight, but it can free compliance teams to focus on high-risk cases instead of repetitive tasks.
Outsource or Co-Source Compliance Support
Building a large in-house compliance function is costly. Outsourcing parts of the SAR workflow, such as Level 1 alert reviews, policy development, or independent testing, gives fintechs access to experienced specialists without the expense of full-time hires.
At InnReg, we often act as outsourced compliance departments, integrating into client systems and delivering regulator-ready processes. This approach helps fintechs scale compliance capabilities alongside business growth.
Build a Compliance Culture
A strong culture ensures SAR obligations are treated as a core business function, not after-the-fact paperwork. Senior leadership should receive regular updates on SAR statistics and trends, while compliance teams should document both filed and unfiled cases.
Embedding compliance into strategic decision-making sends a clear signal to regulators and investors that the company takes its AML obligations seriously.
—
Suspicious Activity Reports are not just regulatory paperwork. They are a primary means by which regulators detect and disrupt money laundering, fraud, and other financial crimes. For fintechs, the obligation to file SARs brings added pressure due to rapid growth, innovative business models, and often lean compliance teams.
The practical steps outlined in this guide are what regulators expect to see in place. Recent enforcement actions show that failures to file, or filing weak reports, can be as damaging as the underlying suspicious activity itself.
At InnReg, we work with fintechs that operate at the edge of innovation. By acting as outsourced compliance departments, we help companies design monitoring systems, manage reporting responsibilities, and build cultures that stand up to regulatory scrutiny. Speak to an expert today and build a system that works for you.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with money transmitter compliance, reach out to our regulatory experts today:
Published on Oct 20, 2025
Last updated on Oct 20, 2025
Related Articles
Featured LinkedIn Posts
