What is a Suspicious Activity Report (SAR)?
What is a Suspicious Activity Report (SAR)?
A Suspicious Activity Report (SAR) is a formal document that financial institutions are required to file when they detect transactions or behaviour that may indicate financial crime. These documents alert authorities to potential money laundering, fraud, or terrorist financing. Banks, payment providers, investment firms, and other regulated entities submit SARs to Financial Intelligence Units (FIUs), such as the Financial Crimes Enforcement Network (FinCEN) in the US, the National Crime Agency (NCA) in the UK, and national authorities across the EU.
Here, we’ll cover when SARs need to be filed, what goes into them, and more.
Why suspicious activity reports matter
SARs are a core requirement of AML (Anti-Money Laundering) and CFT (Combating the Financing of Terrorism) compliance frameworks in jurisdictions across the world. They represent a meaningful way in which financial institutions support law enforcement, enabling authorities to identify patterns of criminal activity. SARs are filed with national Financial Intelligence Units. FIUs then analyse and share them with relevant agencies where appropriate.
Beyond regulatory obligation, filing SARs protects institutions from unknowingly facilitating crime. Failing to file a SAR when the criteria are met carries significant consequences, including substantial financial penalties and, in serious cases, criminal liability.
What triggers a SAR?
Knowing what triggers a SAR is a critical aspect of compliance. Generally, triggers fall into three categories: transaction-based, customer behaviour, and red flag indicators.
Transaction-based triggers are flagged when transactions have no clearly identifiable lawful purpose. This includes unusually large or structured transactions (such as smurfing), transactions inconsistent with the customer's known profile, and multiple transactions just below reporting limits.
Customer behaviour triggers arise from how customers act and engage during the relationship. They include evasive behaviour or reluctance to provide identification, use of multiple accounts without clear reason, and sudden changes in transaction patterns inconsistent with the stated business purpose.
Red flag indicators include transactions involving high-risk jurisdictions, complex layering or rapid movement of funds, customers matching sanctions or adverse media alerts, and the involvement of shell companies or nominee accounts.
When does a SAR need to be filed?
Threshold requirements for filing a SAR vary by jurisdiction. In the UK, the standard is reasonable grounds for suspicion, with no minimum transaction value. In the US, thresholds are generally $5,000 or more for insider abuse and $25,000 or more for money laundering, though these may vary by institution type. Many EU jurisdictions apply no minimum threshold at all.
Once the threshold is met, institutions are expected to act promptly. Importantly, the clock starts from the point suspicion is identified, not from when the underlying transaction occurred.
In the UK, SARs must be submitted to the NCA as soon as practicable — in practice, within a matter of days of suspicion being identified. In the US, FinCEN requires filing within 30 calendar days of the date suspicious activity is initially detected, extendable to 60 days if no suspect can be identified. EU member states set their own deadlines, though most align broadly with the 30-day standard.
What information must a SAR include?
A well-constructed SAR should contain four categories of information.
Subject information: Covers the identity of the suspicious party, including name, address, date of birth, and identification numbers. This section should also include account numbers, details on the customer relationship, and beneficial owner information where applicable.
Transaction details: Includes the date, amount, and type of suspicious activity, a description of transaction patterns, and the source and destination of funds along with the payment methods used.
Reason for suspicion: This section should clearly explain which specific indicators triggered the report, why the activity is considered suspicious, and reference any relevant red flags or supporting documentation. Vague narratives are one of the most common quality issues regulators identify in SAR filings.
Institution information: Includes the compliance officer's contact details, internal case reference numbers, and the date on which suspicion was first identified.
The SAR filing process
Filing a SAR involves five steps, typically supported by compliance technology combined with human review.
1. Detection: Transaction monitoring systems flag unusual activity, staff observations raise concerns, or alerts are generated from sanctions, PEP, or adverse media screening.
2. Investigation: The compliance team reviews the flagged activity, gathers additional customer information, and assesses it against known typologies and red flags, all while documenting their findings.
3. Decision: The team determines whether the activity meets the SAR filing threshold, obtains senior management approval where required, and documents their rationale — whether they file or not. Documenting decisions not to file is just as important as filing itself.
4. Filing: The SAR is completed with all required information and submitted to authorities by the regulatory deadline. Internal records must be maintained throughout.
5. Ongoing monitoring: The customer's activity continues to be monitored following a SAR filing. Additional SARs must be filed if new suspicious activity occurs, and institutions should cooperate fully with any law enforcement follow-up. A full audit trail needs to be maintained for all decisions.
SAR confidentiality requirements
Confidentiality is a foundational principle of the SAR regime. For SARs to be effective, the subjects of those reports must not know they are under scrutiny. If they did know, they could move funds, destroy evidence, or otherwise obstruct an investigation. This is why SAR confidentiality rules are strict — and why breaching them carries serious consequences.
Enter the tipping-off prohibition, which prevents institutions from informing a customer that a SAR has been filed against them. This is a criminal offence in most jurisdictions and applies to all staff at the institution in question.
Safe harbour provisions protect institutions that file in good faith. This means an institution cannot be sued for filing a SAR, providing legal protection against defamation or similar claims from the subject of a report.
Confidentiality obligations mean that SARs are confidential government documents that cannot be disclosed except to authorities. Internal distribution must be restricted to a strict need-to-know basis, and unauthorised disclosure carries significant penalties.
Record retention requirements typically mandate that SAR records are maintained for several years and kept available for regulatory examination and potential investigations.
SAR management with Fourthline
Fourthline's AML screening and monitoring solution integrates directly into the SAR workflow, supporting each stage of the process from detection through to documentation. Automated alert generation flags potentially suspicious activity across sanctions, PEP, and adverse media databases. All verification results, screening decisions, and risk assessments are captured in a comprehensive audit trail, keeping institutions compliant from day one.
Find out more about how Fourthline supports AML compliance.
FAQs
What happens after a SAR is filed?
Once filed, the SAR goes to the relevant Financial Intelligence Unit (FIU), such as the National Crime Agency (NCA) in the UK or FinCEN in the US. The FIU analyses it, combines it with other intelligence, and may pass it to law enforcement. The filing institution typically receives no feedback on the outcome due to confidentiality requirements. In the meantime, institutions must continue monitoring the customer and file additional SARs if new suspicious activity arises.
Can you tell a customer you've filed a SAR about them?
No, doing so is a criminal offence known as “tipping off.” The prohibition covers any communication that might alert a customer to suspicion or an investigation, including indirect hints or unexplained changes in service. If a customer queries a delayed or blocked transaction, staff must provide a neutral explanation without referencing the SAR or any ongoing investigation.
What is the deadline for filing a SAR?
Deadlines vary by jurisdiction. In the UK, SARs must be submitted to the NCA as soon as practicable after suspicion is formed. In the US, FinCEN requires filing within 30 calendar days of detecting suspicious activity, extendable to 60 days if no suspect can be identified. EU member states set their own deadlines.
Do all suspicious transactions require a SAR?
Not necessarily. A SAR is required when there are reasonable grounds to suspect money laundering, terrorist financing, or other financial crime. Unusual activity alone does not automatically meet that threshold. Compliance teams must investigate and determine whether activity has a legitimate explanation or genuinely indicates criminal conduct. Crucially, institutions must document their reasoning whether they file or not, and should focus on quality reporting rather than defensive filing of reports lacking substance.
A Suspicious Activity Report (SAR) is a formal document that financial institutions are required to file when they detect transactions or behaviour that may indicate financial crime. These documents alert authorities to potential money laundering, fraud, or terrorist financing. Banks, payment providers, investment firms, and other regulated entities submit SARs to Financial Intelligence Units (FIUs), such as the Financial Crimes Enforcement Network (FinCEN) in the US, the National Crime Agency (NCA) in the UK, and national authorities across the EU.
Here, we’ll cover when SARs need to be filed, what goes into them, and more.
Why suspicious activity reports matter
SARs are a core requirement of AML (Anti-Money Laundering) and CFT (Combating the Financing of Terrorism) compliance frameworks in jurisdictions across the world. They represent a meaningful way in which financial institutions support law enforcement, enabling authorities to identify patterns of criminal activity. SARs are filed with national Financial Intelligence Units. FIUs then analyse and share them with relevant agencies where appropriate.
Beyond regulatory obligation, filing SARs protects institutions from unknowingly facilitating crime. Failing to file a SAR when the criteria are met carries significant consequences, including substantial financial penalties and, in serious cases, criminal liability.
What triggers a SAR?
Knowing what triggers a SAR is a critical aspect of compliance. Generally, triggers fall into three categories: transaction-based, customer behaviour, and red flag indicators.
Transaction-based triggers are flagged when transactions have no clearly identifiable lawful purpose. This includes unusually large or structured transactions (such as smurfing), transactions inconsistent with the customer's known profile, and multiple transactions just below reporting limits.
Customer behaviour triggers arise from how customers act and engage during the relationship. They include evasive behaviour or reluctance to provide identification, use of multiple accounts without clear reason, and sudden changes in transaction patterns inconsistent with the stated business purpose.
Red flag indicators include transactions involving high-risk jurisdictions, complex layering or rapid movement of funds, customers matching sanctions or adverse media alerts, and the involvement of shell companies or nominee accounts.
When does a SAR need to be filed?
Threshold requirements for filing a SAR vary by jurisdiction. In the UK, the standard is reasonable grounds for suspicion, with no minimum transaction value. In the US, thresholds are generally $5,000 or more for insider abuse and $25,000 or more for money laundering, though these may vary by institution type. Many EU jurisdictions apply no minimum threshold at all.
Once the threshold is met, institutions are expected to act promptly. Importantly, the clock starts from the point suspicion is identified, not from when the underlying transaction occurred.
In the UK, SARs must be submitted to the NCA as soon as practicable — in practice, within a matter of days of suspicion being identified. In the US, FinCEN requires filing within 30 calendar days of the date suspicious activity is initially detected, extendable to 60 days if no suspect can be identified. EU member states set their own deadlines, though most align broadly with the 30-day standard.
What information must a SAR include?
A well-constructed SAR should contain four categories of information.
Subject information: Covers the identity of the suspicious party, including name, address, date of birth, and identification numbers. This section should also include account numbers, details on the customer relationship, and beneficial owner information where applicable.
Transaction details: Includes the date, amount, and type of suspicious activity, a description of transaction patterns, and the source and destination of funds along with the payment methods used.
Reason for suspicion: This section should clearly explain which specific indicators triggered the report, why the activity is considered suspicious, and reference any relevant red flags or supporting documentation. Vague narratives are one of the most common quality issues regulators identify in SAR filings.
Institution information: Includes the compliance officer's contact details, internal case reference numbers, and the date on which suspicion was first identified.
The SAR filing process
Filing a SAR involves five steps, typically supported by compliance technology combined with human review.
1. Detection: Transaction monitoring systems flag unusual activity, staff observations raise concerns, or alerts are generated from sanctions, PEP, or adverse media screening.
2. Investigation: The compliance team reviews the flagged activity, gathers additional customer information, and assesses it against known typologies and red flags, all while documenting their findings.
3. Decision: The team determines whether the activity meets the SAR filing threshold, obtains senior management approval where required, and documents their rationale — whether they file or not. Documenting decisions not to file is just as important as filing itself.
4. Filing: The SAR is completed with all required information and submitted to authorities by the regulatory deadline. Internal records must be maintained throughout.
5. Ongoing monitoring: The customer's activity continues to be monitored following a SAR filing. Additional SARs must be filed if new suspicious activity occurs, and institutions should cooperate fully with any law enforcement follow-up. A full audit trail needs to be maintained for all decisions.
SAR confidentiality requirements
Confidentiality is a foundational principle of the SAR regime. For SARs to be effective, the subjects of those reports must not know they are under scrutiny. If they did know, they could move funds, destroy evidence, or otherwise obstruct an investigation. This is why SAR confidentiality rules are strict — and why breaching them carries serious consequences.
Enter the tipping-off prohibition, which prevents institutions from informing a customer that a SAR has been filed against them. This is a criminal offence in most jurisdictions and applies to all staff at the institution in question.
Safe harbour provisions protect institutions that file in good faith. This means an institution cannot be sued for filing a SAR, providing legal protection against defamation or similar claims from the subject of a report.
Confidentiality obligations mean that SARs are confidential government documents that cannot be disclosed except to authorities. Internal distribution must be restricted to a strict need-to-know basis, and unauthorised disclosure carries significant penalties.
Record retention requirements typically mandate that SAR records are maintained for several years and kept available for regulatory examination and potential investigations.
SAR management with Fourthline
Fourthline's AML screening and monitoring solution integrates directly into the SAR workflow, supporting each stage of the process from detection through to documentation. Automated alert generation flags potentially suspicious activity across sanctions, PEP, and adverse media databases. All verification results, screening decisions, and risk assessments are captured in a comprehensive audit trail, keeping institutions compliant from day one.
Find out more about how Fourthline supports AML compliance.
FAQs
What happens after a SAR is filed?
Once filed, the SAR goes to the relevant Financial Intelligence Unit (FIU), such as the National Crime Agency (NCA) in the UK or FinCEN in the US. The FIU analyses it, combines it with other intelligence, and may pass it to law enforcement. The filing institution typically receives no feedback on the outcome due to confidentiality requirements. In the meantime, institutions must continue monitoring the customer and file additional SARs if new suspicious activity arises.
Can you tell a customer you've filed a SAR about them?
No, doing so is a criminal offence known as “tipping off.” The prohibition covers any communication that might alert a customer to suspicion or an investigation, including indirect hints or unexplained changes in service. If a customer queries a delayed or blocked transaction, staff must provide a neutral explanation without referencing the SAR or any ongoing investigation.
What is the deadline for filing a SAR?
Deadlines vary by jurisdiction. In the UK, SARs must be submitted to the NCA as soon as practicable after suspicion is formed. In the US, FinCEN requires filing within 30 calendar days of detecting suspicious activity, extendable to 60 days if no suspect can be identified. EU member states set their own deadlines.
Do all suspicious transactions require a SAR?
Not necessarily. A SAR is required when there are reasonable grounds to suspect money laundering, terrorist financing, or other financial crime. Unusual activity alone does not automatically meet that threshold. Compliance teams must investigate and determine whether activity has a legitimate explanation or genuinely indicates criminal conduct. Crucially, institutions must document their reasoning whether they file or not, and should focus on quality reporting rather than defensive filing of reports lacking substance.
Solutions
Solutions
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.