SAR Filing: Writing Reports That Matter
When to file a Suspicious Activity Report, how to write narratives that help investigators, and common SAR scenarios every BSA analyst encounters
By Benjamin, Fraud Attacks · Updated
A Suspicious Activity Report is the confidential filing a U.S. financial institution sends to FinCEN when it knows, suspects, or has reason to suspect that a transaction involves illegal funds, evades reporting rules, or has no apparent lawful purpose. SARs must be filed within 30 days of initial detection, and the value they deliver to law enforcement comes almost entirely from the quality of the narrative.
The Narrative That Caught a Ring
Marcus Chen had been a BSA analyst at Pacific Northwest Federal Credit Union for two years when he noticed something odd in the alerts queue. A member named Yolanda Tran had received six incoming wire transfers from different senders over ten days, each between $4,000 and $7,000. The wires came from individuals at three different banks, none of whom had any obvious connection to each other or to Yolanda.
Within 48 hours of each wire arriving, Yolanda withdrew the equivalent amount in cash.
Marcus pulled her membership file. She'd joined two months earlier. Listed her occupation as "freelance consultant." The account had minimal activity until the wires started.
He could have filed a sparse SAR. "Member received multiple wires and withdrew cash." Technically, that meets the requirement. But Marcus had been trained to tell a story. He documented the timeline in chronological order, calculated the total dollar amounts, noted the pattern of rapid cash withdrawals following each wire, identified that none of the wire senders appeared in any shared transaction history with the member, and flagged that the account was newly opened with the stated occupation inconsistent with the volume and pattern of activity.
Six months later, Marcus got a call from a federal agent. His SAR had been cross-referenced with similar filings from the three banks where the wire senders held accounts. The pattern matched across institutions. Yolanda's account was one node in a funnel account network moving money for a drug trafficking operation. The investigation eventually identified 14 accounts at 8 institutions.
Marcus's narrative didn't just check a box. It gave investigators enough detail to connect the dots.
This story is fictional, but the patterns are real.
Why This Matters
In BSA/AML Fundamentals, you learned about the regulatory framework that requires financial institutions to report suspicious activity. This article gets into the practical skill that matters most: knowing when to file a SAR and writing one that actually helps.
SARs are the primary mechanism through which banks and other financial institutions communicate suspicious activity to law enforcement. FinCEN receives millions of SAR filings each year. Law enforcement agencies use them as starting points for new cases, as corroborating evidence in existing ones, and as intelligence for understanding financial crime trends. The filings sit at the end of the fraud investigation workflow every analyst learns.
A well-written SAR can launch an investigation that takes down a criminal network. A poorly written one gets lost in the noise. The difference isn't about following a template. It's about telling a clear, factual story that gives investigators what they need to take action.
When must a SAR be filed?
What triggers a SAR filing?
Banks and other covered institutions must file a SAR under 31 USC 5318(g)↗[1] when they know, suspect, or have reason to suspect that a transaction:
- Involves funds from illegal activity (or is intended to hide funds from illegal activity)
- Is designed to evade BSA reporting requirements (like structuring)
- Has no business or apparent lawful purpose that the institution can identify
- Involves the use of the institution to facilitate criminal activity
That third criterion is the one BSA analysts encounter most often. When you've looked at a transaction or pattern and can't come up with a reasonable legitimate explanation, that's your trigger.
What are the SAR dollar thresholds?
The reporting thresholds vary by what's involved. The FFIEC BSA/AML Examination Manual↗[2] sets out the tiered structure:
| Situation | Threshold |
|---|---|
| Insider abuse (employee or director) | Any amount |
| Known suspect (identified individual) | $5,000 or more |
| Unknown suspect (can't identify who) | $25,000 or more |
| Aggregated transactions (pattern) | $5,000 or more if suspect is known |
The $25,000 threshold for unknown suspects applies only when the institution has no substantial basis for identifying any suspect. If even a partial identification is possible (a name, an account number, a description that could lead to identification), the $5,000 threshold applies instead. The October 2025 FinCEN and banking-agency SAR FAQs reinforce this point: thin identification is still identification.
Below these thresholds, filing is optional but still permitted. If you see a $3,000 transaction that's clearly suspicious, you can file a SAR. Many institutions do.
When does the 30-day clock start?
Once a suspicious transaction is identified, the institution has 30 calendar days to file a SAR with FinCEN under 31 CFR 1020.320(b)(3)↗.[3] If no suspect is identified at the time of initial detection, the institution gets an additional 30 days (60 total) to try to identify the suspect before filing.
The clock starts when the activity is first detected, not when a manager reviews it or when it reaches the BSA team. This matters because delays in escalation can compress the time available for investigation and narrative writing.
SARs are confidential. 31 CFR 1020.320(e)↗[4] prohibits any bank or its officers from disclosing a SAR or any information that would reveal its existence to the subject. This means you cannot tell a customer their activity is being reported, and you cannot include SAR filing status in any customer-facing communications. Violating this "tipping off" prohibition is a serious offense.
What Triggers Suspicion
BSA analysts develop intuition over time, but certain patterns reliably warrant closer examination:
Inconsistency with customer profile. A retired schoolteacher suddenly receiving $40,000 wire transfers from overseas. A small landscaping company moving $500,000 monthly through its account. Activity that doesn't match what you'd expect based on the customer's occupation, income, or stated business purpose.
Rapid movement of funds. Money that comes in and goes right back out, especially if it leaves through a different channel than it arrived. Wires in, cash out. ACH in, wire out to a different country. These patterns show up routinely in BEC and wire fraud investigations.
Structuring indicators. Multiple cash transactions just under $10,000, especially when they occur over a short period or involve the same person visiting multiple branches.
Geographic red flags. Transactions involving countries that FinCEN or FATF have identified as high-risk for money laundering. Frequent transactions with jurisdictions that have no apparent connection to the customer's business.
Third-party involvement. Accounts receiving funds from multiple unrelated parties who then send funds to a common destination. People conducting transactions on behalf of others without a clear reason.
Unusual account behavior. Dormant accounts that suddenly become active. New accounts with immediate high-volume activity. Business accounts used for personal purposes or vice versa.
Writing the SAR Narrative
The narrative section is the most important part of a SAR filing. The checkboxes and data fields provide structure. The narrative tells the story.
What Makes a Good Narrative
A strong SAR narrative answers the five W's concisely and factually:
Who is involved? Name the subject if known. Describe their relationship to the institution (account holder, authorized signer, non-customer). If multiple parties are involved, clarify each person's role.
What happened? Describe the suspicious activity specifically. Dollar amounts, transaction types, frequencies, patterns. Be precise: "seven wire transfers totaling $47,200 over 12 days" is better than "multiple wire transfers."
When did it happen? Provide a clear timeline. Start and end dates for the suspicious activity. Dates of key transactions. When the activity was first detected versus when it actually occurred.
Where did the activity take place? Which branch, which account, which geographic locations were involved. For wire transfers, identify originating and receiving banks and locations.
Why is this suspicious? This is where your analysis matters. Connect the facts to explain why the activity raises concern. Don't just list transactions. Explain what makes them unusual in context.
A Bad Narrative vs. a Good Narrative
Weak narrative:
"Customer received multiple wire transfers and withdrew cash. Activity appears suspicious. Customer could not provide adequate explanation for the transactions."
This tells investigators almost nothing. How many wires? From where? How much cash? Over what timeframe? What did you actually ask the customer?
Strong narrative:
"Between January 3 and January 13, account holder Yolanda Tran (DOB: 03/15/1988, SSN: XXX-XX-4521) received six incoming wire transfers from five different individuals at three financial institutions, totaling $33,400. Individual wire amounts ranged from $4,200 to $7,100. Within 48 hours of each wire receipt, the account holder withdrew the equivalent amount in cash from branch 4, totaling $32,800 in cash withdrawals over the same period.
The account was opened on November 5. Account holder listed her occupation as 'freelance consultant' with estimated annual income of $45,000. Between account opening and January 3, the account had minimal activity (two direct deposits totaling $3,200 and routine debit card purchases).
Wire senders include: John Park (Wells Fargo, $4,200 on 1/3 and $5,900 on 1/8), Lisa Huang (Bank of America, $6,100 on 1/5 and $4,500 on 1/11), and David Kim (Chase, $7,100 on 1/7 and $5,600 on 1/13). No shared transaction history exists between the account holder and any wire sender. The account holder has no business entity on file that would explain receipt of funds from multiple unrelated parties.
The pattern of receiving wires from multiple unrelated individuals with immediate cash withdrawal is consistent with funnel account activity, where a single account aggregates funds from multiple sources to facilitate laundering."
The second narrative gives investigators a complete picture. They can look up the wire senders. They can check the timeline. They can see why the analyst flagged this pattern. They can cross-reference against SARs from other institutions.
Narrative Best Practices
Stick to facts. Report what you observed, not what you think the customer's intent was. "Customer made five cash deposits below $10,000 over three days" is factual. "Customer was clearly trying to avoid CTR reporting" is a conclusion. You can note that the pattern is "consistent with structuring," but don't assert motive.
Be specific with numbers. Exact amounts, exact dates, exact counts. Rounding and approximations reduce the narrative's value to investigators.
Identify all parties. Full names, dates of birth, identification numbers, addresses. Every person involved in the suspicious activity should be identified to the extent possible.
Describe the customer's profile. What's their stated occupation? What's their typical account activity? Context helps investigators understand why the flagged activity is anomalous.
Connect the pattern. Don't just list individual transactions. Explain how they relate to each other. "The wire transfers arrived from different senders but followed a consistent pattern of immediate cash withdrawal" is more useful than listing six separate transactions.
Use chronological order. Tell the story from beginning to end. Investigators are reading hundreds of SARs. A clear timeline is the kindest thing you can give them.
Avoid jargon without explanation. If you reference a specific risk indicator, briefly explain why it matters. Not every investigator reading your SAR has the same domain knowledge you do.
Keep it proportional. A simple structuring case needs a clear, concise narrative. A complex multi-party international scheme needs more detail. Match the length to the complexity.
Common SAR Filing Scenarios
Structuring
The most straightforward SAR type. A customer makes multiple cash deposits or withdrawals that appear designed to stay under the $10,000 CTR threshold.
Your narrative should document the specific transactions (dates, amounts, branches), note the aggregate amount that would have triggered a CTR, describe any customer explanations provided, and identify the structuring pattern (same day at multiple branches, alternating days, variable amounts below threshold).
What is a funnel account?
Like Marcus's case. An account receives funds from multiple unrelated sources, then rapidly moves the money elsewhere. Funnel accounts serve as collection points in larger laundering networks.
Document the inflows (who sent money, from where, how much), the outflows (where did money go, through what channel), and the timeline between receipt and disbursement. Note any connection (or lack thereof) between senders. The tracing techniques used to reconstruct these flows feed straight into the narrative.
Unusual Wire Activity
International wire transfers to or from high-risk jurisdictions, wires with no apparent business purpose, or patterns of wires that don't match the customer's profile. Note the originating and beneficiary information, any intermediary banks, and the stated purpose of the wires.
Fraud-Related SARs
When your institution is the victim of fraud (check fraud, ACH fraud, account takeover), you file a SAR reporting the criminal activity. These SARs should describe how the fraud was perpetrated, what the institution's losses were, and any identifying information about the perpetrator.
When your customer appears to be a victim of fraud (elder exploitation, romance scam), you also file a SAR. The narrative should describe the suspicious pattern that suggests exploitation and identify any known or suspected recipients of the customer's funds.
How are insider abuse SARs different?
When an employee is suspected of misusing their access for financial gain. These SARs have no minimum dollar threshold. Under 12 CFR 21.11 and the parallel banking-agency rules, insider abuse must be reported regardless of amount because insider threats carry outsized risk. The narrative should describe the employee's role and access level, the specific suspicious activity, and how it was detected.
After Filing: Continuing Obligations
SAR Monitoring
Filing a SAR isn't the end of the story. Institutions must continue monitoring the account and file supplemental SARs if suspicious activity continues. If the activity escalates, a follow-up SAR should document the new activity and reference the original SAR filing.
How long must SAR records be retained?
SARs and all supporting documentation must be retained for five years from the date of filing under 31 CFR 1020.320(d)↗.[5] This includes the SAR itself, any internal investigation notes, transaction records, and correspondence related to the case.
Law Enforcement Contact
Sometimes law enforcement will contact the institution after reviewing a SAR. They might request additional records, ask about related accounts, or provide context that helps the institution's ongoing monitoring. Institutions should have a process for handling these inquiries and ensuring they reach the appropriate compliance personnel.
Key Takeaways
- SARs are the most important tool connecting banks to law enforcement. A well-written SAR can launch investigations that dismantle criminal networks; a vague one gets ignored.
- The narrative section is what matters most. Checkboxes provide structure, but the narrative tells the story investigators need. Answer who, what, when, where, and why with specific facts.
- Stick to observable facts, not conclusions about intent. Describe the pattern and explain why it's suspicious. Let investigators determine motive.
- The 30-day filing clock starts at detection, not at review. Delays in escalation compress the time available for quality investigation and narrative writing.
- SARs are confidential. Never disclose to a customer that a SAR has been filed. Tipping off the subject is a federal offense.
- Filing is not a one-time event. Ongoing monitoring, supplemental SARs, and record retention are all part of the process.
What's next: The KYC 101 article covers how institutions verify customer identity at onboarding, the first line of defense in any BSA/AML program.
Key Terms
| Term | Definition |
|---|---|
| Suspicious Activity Report (SAR) | Confidential report filed with FinCEN when a financial institution detects activity that may involve money laundering, fraud, or other financial crime |
| SAR narrative | The free-text section of a SAR where the analyst describes the suspicious activity in detail |
| Tipping off | Illegally disclosing to the subject of a SAR that a report has been filed |
| Funnel account | An account that aggregates funds from multiple sources before moving them elsewhere, often used in money laundering |
| Structuring | Breaking up transactions to avoid triggering reporting thresholds |
| Supplemental SAR | A follow-up SAR filed when suspicious activity at a previously reported account continues |
| Insider abuse | Suspicious activity committed by an employee or director of the financial institution |
References
1. 31 USC 5318 — Compliance, exemptions, and summons authority↗ (Cornell LII). Subsection (g) is the statutory basis for the SAR program: Treasury may require institutions to report any suspicious transaction relevant to a possible violation of law or regulation.
2. FFIEC BSA/AML Examination Manual — SAR Regulatory Requirements↗. Confirms the tiered SAR thresholds: "Criminal violations involving insider abuse in any amount"; "Criminal violations aggregating $5,000 or more when a suspect can be identified"; "Criminal violations aggregating $25,000 or more regardless of a potential suspect."
3. 31 CFR 1020.320(b)(3) — Time for reporting↗ (Cornell LII). "A bank is required to file a SAR no later than 30 calendar days after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR." Filing may be delayed up to an additional 30 days to identify a suspect, capped at 60 calendar days total.
4. 31 CFR 1020.320(e) — Confidentiality of SARs↗ (Cornell LII). "No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR."
5. 31 CFR 1020.320(d) — Retention of records↗ (Cornell LII). "A bank shall maintain a copy of any SAR filed and the original or business record equivalent of any supporting documentation for a period of five years from the date of filing the SAR."
Test Your Knowledge
Ready to test what you've learned? Take the quiz to reinforce your understanding.
Continue learning
- BSA/AML & ComplianceBSA/AML FundamentalsThe Bank Secrecy Act framework, CTR reporting, structuring rules, money laundering stages, and the regulatory structure every fraud professional needs to understand
- More from Fraud BasicsFraud 101: What Is Fraud?Absolute basics for someone who has never looked at fraud: what is fraud, how is it different from other crimes, and why does it matter
- More from Money Movement & Transaction FraudPayment Systems 101: How Money Really MovesEssential foundation for understanding how ACH, wire transfers, card payments, and digital payments actually work - and why criminals target them
- More from Account TakeoverATO FundamentalsEssential foundation every fraud professional needs to know about account takeover attacks