Suspicious Activity Reporting for Crypto: SAR Filing Guide

Complete guide to suspicious activity reporting for crypto businesses covering FinCEN SAR filing procedures, red flags, narrative writing, investigation workflows, and regulatory expectations.

Suspicious activity reporting is the mechanism through which digital asset service providers fulfill their most critical obligation to law enforcement and financial intelligence units. Every SAR filed represents a judgment by the compliance team that a transaction or pattern of activity meets the threshold for reporting – that there is reason to suspect the activity involves funds derived from illegal activity, is designed to evade BSA requirements, lacks a lawful purpose, or involves the use of the financial institution to facilitate criminal activity. For crypto businesses, where the underlying blockchain data provides unprecedented transaction transparency, the quality and timeliness of SAR filings directly impact law enforcement’s ability to investigate financial crimes.

When to File a Suspicious Activity Report

Filing Thresholds

Under FinCEN’s SAR filing requirements (31 CFR 1022.320 for MSBs), a money services business must file a SAR when it knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the MSB:

  1. Involves funds derived from illegal activity or is intended to hide or disguise funds derived from illegal activity
  2. Is designed to evade any requirement of the BSA
  3. Lacks a business or apparent lawful purpose and the MSB knows of no reasonable explanation for the transaction after examining available facts
  4. Involves the use of the MSB to facilitate criminal activity

Dollar Threshold: MSBs must file SARs for suspicious transactions of $2,000 or more. There is no dollar threshold for transactions suspected of involving terrorist financing – these must be reported regardless of amount.

Timing: SARs must be filed within 30 calendar days of the initial detection of the suspicious activity. If no suspect is identified, the filing deadline extends to 60 days. For ongoing suspicious activity, continuing activity reports should be filed every 90 days.

Crypto-Specific Red Flags

FinCEN has identified numerous red flags specific to the digital asset industry. Compliance teams should incorporate these into their monitoring rules and investigation procedures:

Transaction Pattern Red Flags:

  • Structuring transactions just below the $10,000 CTR threshold or the $3,000 Travel Rule threshold
  • Rapid movement of funds through multiple wallets with no apparent business purpose (layering)
  • Receiving funds from multiple unrelated sources followed by immediate consolidation and withdrawal
  • Converting between multiple cryptocurrencies rapidly without apparent trading purpose
  • Transactions involving known mixing services, tumblers, or privacy-enhancing protocols
  • Deposits immediately followed by withdrawals to a different address or blockchain (pass-through activity)
  • Large transactions that are inconsistent with the customer’s stated income, occupation, or transaction history
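
Two of the transaction-pattern red flags above (structuring just below the $10,000 and $3,000 thresholds, and pass-through activity) expressed as monitoring rules. This is an added example, not code from the original guide or from any vendor; the record fields, the 10% "just below" margin, the 7-day and 1-hour windows, and the 90% withdrawal ratio are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

CTR, TRAVEL_RULE = 10_000, 3_000   # USD thresholds named in the text
NEAR, STRUCT_MIN, STRUCT_WINDOW = 0.10, 3, timedelta(days=7)   # assumed tuning
PASS_RATIO, PASS_WINDOW = 0.90, timedelta(hours=1)             # assumed tuning

def near_threshold(usd):  # threshold this amount sits just below, else None
    return next((t for t in (CTR, TRAVEL_RULE) if t * (1 - NEAR) <= usd < t), None)

def detect_structuring(txs):
    """(customer, threshold) -> tx ids for STRUCT_MIN+ near-threshold txs in one window."""
    groups = {}
    for tx in sorted(txs, key=lambda t: t["ts"]):
        limit = near_threshold(tx["usd"])
        if limit is not None:
            groups.setdefault((tx["customer"], limit), []).append(tx)
    alerts = {}
    for key, items in groups.items():
        start = 0
        for end in range(len(items)):
            while items[end]["ts"] - items[start]["ts"] > STRUCT_WINDOW:
                start += 1   # slide the window forward
            hit = items[start:end + 1]
            if len(hit) >= STRUCT_MIN and len(hit) > len(alerts.get(key, [])):
                alerts[key] = [x["id"] for x in hit]   # keep the largest cluster
    return alerts

def detect_pass_through(txs):
    """(customer, deposit id, withdrawal id) where most of a deposit leaves fast."""
    alerts, ordered = [], sorted(txs, key=lambda t: t["ts"])
    for i, dep in enumerate(ordered):
        if dep["dir"] != "in":
            continue
        for wd in ordered[i + 1:]:
            if wd["ts"] - dep["ts"] > PASS_WINDOW:
                break
            if (wd["customer"] == dep["customer"] and wd["dir"] == "out"
                    and wd["addr"] != dep["addr"] and wd["usd"] >= PASS_RATIO * dep["usd"]):
                alerts.append((dep["customer"], dep["id"], wd["id"]))
                break
    return alerts

# Constructed sample data: (id, customer, direction, usd, address, day, hour, minute)
ROWS = [("t1", "C1", "in", 9_500, "addr-a", 2, 9, 0), ("t2", "C1", "in", 9_800, "addr-a", 3, 9, 0),
        ("t3", "C1", "in", 9_200, "addr-a", 5, 9, 0), ("t4", "C1", "in", 9_900, "addr-a", 6, 9, 0),
        ("t5", "C2", "in", 5_000, "addr-b", 4, 10, 0), ("t6", "C2", "out", 4_950, "addr-c", 4, 10, 20),
        ("t7", "C3", "in", 2_900, "addr-d", 4, 12, 0), ("t8", "C3", "out", 500, "addr-e", 8, 12, 0)]
SAMPLE = [{"id": i, "customer": c, "dir": d, "usd": u, "addr": a,
           "ts": datetime(2025, 1, day, h, m)} for i, c, d, u, a, day, h, m in ROWS]
```

On the sample, customer C1's four deposits cluster under the CTR threshold, C2's deposit leaves to a new address within 20 minutes, and C3's single $2,900 deposit raises no alert on its own. Hits like these feed the triage step; they are not filing decisions.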

Counterparty Red Flags:

  • Transactions involving addresses linked to darknet markets (identified through blockchain analytics)
  • Transactions involving addresses linked to ransomware, fraud, or known scam operations
  • Transactions with addresses in or associated with OFAC-sanctioned jurisdictions
  • Transactions involving addresses flagged by blockchain analytics as high-risk
  • Multiple customers transacting with the same suspicious external address

Customer Behavior Red Flags:

  • Customer uses multiple accounts or identities
  • Customer provides false or inconsistent identification information
  • Customer is uncooperative when asked about the source of funds or purpose of transactions
  • Customer’s transaction activity changes significantly without apparent reason
  • Customer accesses the platform exclusively through VPN or Tor
  • Customer resists providing KYC documentation or provides obviously fraudulent documents

Account Activity Red Flags:

  • Newly opened account with immediate large deposits and rapid withdrawals
  • Account used primarily for converting between crypto and fiat with minimal holding periods
  • Account receiving funds from high-risk third-party payment processors
  • Multiple accounts controlled by the same individual or group
  • Account dormant for extended periods followed by sudden high-volume activity

The SAR Filing Process

Step 1: Alert Generation and Triage

The SAR process begins with the transaction monitoring system generating an alert based on configured rules and thresholds. The compliance team triages the alert to determine whether it warrants investigation:

  • Review the alert details and the underlying transactions
  • Pull the customer profile, including KYC information, transaction history, and any prior alerts or SARs
  • Make an initial determination: close as false positive (with documentation) or escalate for investigation

Step 2: Investigation

If the alert is escalated, a compliance analyst conducts a thorough investigation:

  • Analyze the full transaction history using blockchain analytics tools (Chainalysis Reactor, Elliptic Navigator, or TRM Forensics)
  • Trace the flow of funds to identify the source and destination of suspicious transactions
  • Review the customer’s account history, including KYC documentation, prior alerts, and any customer communications
  • Search open-source intelligence (OSINT) for information about the customer or associated addresses
  • Contact the customer for an explanation if appropriate and if doing so would not compromise a potential investigation
  • Document all findings in the case management system

Step 3: SAR Decision

Based on the investigation, the BSA/AML officer or designated compliance officer makes the SAR filing decision:

  • If suspicious activity is identified: proceed to SAR filing
  • If the investigation resolves the suspicion: close the case with detailed documentation explaining why the activity is not suspicious
  • If the activity is ambiguous: err on the side of filing – defensive SAR filing is strongly preferred over non-filing when activity meets the suspicion threshold

Step 4: SAR Narrative Writing

The SAR narrative is the most important element of the filing. It tells law enforcement the story of the suspicious activity in a clear, concise, and actionable format. An effective SAR narrative includes:

The Five W’s:

  • Who: Identify the subject(s) of the SAR, including name, date of birth, account numbers, wallet addresses, and any known aliases
  • What: Describe the suspicious activity – the specific transactions, amounts, and patterns that triggered the report
  • When: Provide the dates and times of the suspicious transactions
  • Where: Identify the jurisdictions involved, the blockchain(s) used, and the counterparty VASPs or addresses
  • Why: Explain why the activity is suspicious – what makes it inconsistent with legitimate use, what illicit activity it may indicate

Blockchain-Specific Information:

  • Transaction hashes (TXIDs) for the suspicious transactions
  • Wallet addresses involved (both the customer’s and counterparty addresses)
  • Blockchain analytics findings (e.g., “Chainalysis identified the counterparty address as attributed to a darknet marketplace”)
  • The chain of transaction hops if layering is involved
  • Any known cluster associations for the counterparty addresses

Supporting Analysis:

  • Customer’s stated purpose for the account versus actual activity
  • Comparison to the customer’s historical transaction pattern
  • Risk scoring from blockchain analytics platforms
  • Any relevant OSINT findings

Step 5: Filing

SARs are filed electronically through FinCEN’s BSA E-Filing System. The filing includes:

  • Completed FinCEN SAR form (FinCEN Form 111) with all applicable fields populated
  • SAR narrative (up to 20,000 characters in the electronic filing system)
  • Subject information including names, addresses, identification numbers, and account information
  • Transaction details including dates, amounts, and types of transactions
  • Filing institution information

Filing Deadlines:

  • Initial SAR: within 30 days of detection (60 days if no suspect is identified)
  • Continuing activity SAR: every 90 days for ongoing suspicious activity
  • Supplemental SAR: filed when new information becomes available about previously reported activity

Step 6: Post-Filing Actions

After filing a SAR:

  • Determine whether to continue the customer relationship, restrict the account, or exit the relationship
  • If continuing the relationship: implement enhanced monitoring on the account
  • If restricting: implement appropriate transaction limits or blocks
  • If exiting: follow the firm’s customer exit procedures, which should include a reasonable wind-down period unless immediate action is required for sanctions or imminent fraud reasons
  • Do not inform the customer that a SAR has been filed (SAR confidentiality under 31 USC 5318(g)(2))
  • Retain the SAR and all supporting documentation for five years
  • Be prepared to respond to law enforcement requests for information about the SAR

SAR Quality and Common Deficiencies

FinCEN and Examiner Expectations

Regulators evaluate SAR quality based on:

  1. Completeness: All required fields populated, all relevant subjects identified, all associated accounts and transactions included
  2. Timeliness: Filed within the 30-day deadline
  3. Narrative quality: Clear, detailed narrative that provides law enforcement with actionable information
  4. Blockchain-specific detail: Inclusion of transaction hashes, wallet addresses, and blockchain analytics findings
  5. Consistency: The narrative is consistent with the data in the structured fields
  6. Proportionality: The filing reflects the severity of the suspicious activity

Common Deficiencies

  • Insufficient narratives: Narratives that merely recite the alert details without providing context, analysis, or blockchain-specific information
  • Missing transaction details: Failure to include blockchain transaction hashes, wallet addresses, or analytics findings
  • Late filing: SARs filed beyond the 30-day deadline
  • Failure to file continuing SARs: Not filing 90-day continuation reports for ongoing suspicious activity
  • Inconsistent data: Discrepancies between the narrative and the structured fields
  • Failure to include all subjects: Not identifying all individuals or entities involved in the suspicious activity

EU and International SAR Requirements

EU Suspicious Transaction Reporting

Under the EU’s Anti-Money Laundering Directive and MiCA framework, CASPs must report suspicious transactions to their national Financial Intelligence Unit (FIU). Requirements vary by member state, but generally:

  • No minimum transaction threshold for reporting
  • Report must be filed “promptly” upon suspicion
  • The report includes customer information, transaction details, and the basis for suspicion
  • Tipping-off (informing the customer about the report) is prohibited
  • Reports are filed through national FIU systems (e.g., goAML in many jurisdictions)

UK Suspicious Activity Reports

UK crypto-asset businesses must file SARs with the National Crime Agency (NCA) through the SAR Online system. Key differences from the US system:

  • There is a consent regime: for certain transactions, the business must seek consent from the NCA before proceeding
  • If consent is not received within seven working days, the business may proceed (deemed consent)
  • The moratorium period can be extended by court order
  • All SARs must be filed using the NCA’s standard format

Metrics and Program Effectiveness

Metric | Benchmark | Notes
SAR filing volume | Varies by size | Compare to peer institutions
Filing timeliness | 100% within 30 days | Regulatory expectation
Narrative word count | 500-2,000 words | Sufficient detail without padding
SAR-to-law enforcement request ratio | 2-10% | Indicates SAR quality and relevance
Continuing SAR filing rate | Based on ongoing activity | 90-day cycle compliance
Post-SAR account actions | 100% documented | Exit, restrict, or continue with rationale

For the SAR glossary entry, see What is a Suspicious Activity Report?. For blockchain transaction monitoring, see the transaction monitoring guide. For the AML program framework, see the AML program guide. For the FinCEN entity profile, see FinCEN profile. For official guidance, see FinCEN SAR filing instructions and FATF suspicious transaction reporting.
