What Is a Suspicious Activity Report (SAR)? Filing Requirements Explained
Clear definition of Suspicious Activity Reports covering filing triggers, requirements, narrative standards, and practical guidance for crypto compliance teams.
What Is a Suspicious Activity Report (SAR)?
A Suspicious Activity Report (SAR) is a mandatory regulatory filing that financial institutions submit to their jurisdiction’s Financial Intelligence Unit upon detecting transactions suspected of involving money laundering, terrorist financing, or other financial crimes.
Regulatory Foundation and Filing Triggers
The SAR is the primary mechanism through which the private sector communicates suspicions of financial crime to law enforcement. In the United States, the SAR filing obligation derives from the Bank Secrecy Act (31 USC 5318(g)) and its implementing regulations. FinCEN requires financial institutions, including Money Services Businesses (MSBs) such as crypto exchanges and custodial wallet providers, to file a SAR when the institution knows, suspects, or has reason to suspect that a transaction: (1) involves funds derived from illegal activity or is intended to hide funds derived from illegal activity, (2) is designed to evade BSA reporting requirements (such as structuring transactions to avoid Currency Transaction Report thresholds), (3) lacks a business or apparent lawful purpose, or (4) involves the use of the financial institution to facilitate criminal activity.
For MSBs, including digital asset businesses registered with FinCEN, the SAR filing threshold is $2,000 or more in aggregate. This is lower than the $5,000 threshold applicable to banks and broker-dealers, reflecting FinCEN’s assessment that MSBs present heightened money laundering risk. The $2,000 threshold applies to transactions or patterns of transactions conducted by or through the MSB. Critically, the obligation extends beyond completed transactions: attempted transactions that meet the suspicious activity criteria must also be reported, even if the institution blocked or rejected the transaction.
FATF Recommendation 20 establishes the global standard, requiring financial institutions to report suspicious transactions to the FIU “regardless of the amount of the transaction.” This means the monetary thresholds in US law represent minimum standards; institutions are expected to file SARs for suspicious activity below the threshold when the circumstances warrant it. The FATF standard has been adopted into domestic law across member jurisdictions, though the specific reporting vehicle, threshold, and timeline vary.
How SAR Filing Works in Practice
The SAR filing process begins with detection, typically through transaction monitoring systems that generate alerts based on rule-based triggers, blockchain analytics exposure scores, or behavioral anomaly detection. When an alert is generated, a compliance analyst conducts an initial review to determine whether the flagged activity warrants further investigation. If escalated, a more senior investigator gathers additional context: the customer’s KYC profile, historical transaction patterns, blockchain analytics tracing (using tools like Chainalysis Reactor or TRM Labs Forensics), open-source intelligence (OSINT), and any relevant law enforcement requests or subpoenas.
If the investigation confirms that the activity meets the suspicious activity standard, the compliance team prepares the SAR. In the US, SARs are filed electronically through FinCEN’s BSA E-Filing system using the standardized FinCEN SAR form. The form requires structured data fields (subject information, financial institution information, suspicious activity characterization codes, transaction details) and a free-text narrative section. The narrative is the most critical component. FinCEN’s SAR Activity Review advisories consistently emphasize that the narrative must address the five essential elements: who is conducting the suspicious activity, what instruments or mechanisms are being used, when the activity occurred, where the activity took place, and why the activity is suspicious. For crypto-specific SARs, the narrative should include blockchain addresses, transaction hashes, chain identifiers, and the results of blockchain analytics tracing. FinCEN’s 2021 advisory on ransomware-related SARs and its 2023 advisory on DeFi-related suspicious activity provide specific guidance on narrative content for digital asset typologies.
The filing deadline in the US is 30 calendar days from the date the suspicious activity is first detected. If no suspect has been identified, the institution has 60 calendar days but must make reasonable efforts to identify the suspect during that period. Once filed, the institution must maintain a copy of the SAR and all supporting documentation for five years from the date of filing.
Jurisdiction Comparison: SAR Equivalents Worldwide
United States. SARs are filed with FinCEN via the BSA E-Filing system. The MSB threshold is $2,000. Filing deadline is 30 days (60 if no suspect identified). FinCEN received over 4.6 million SARs in fiscal year 2024, with crypto-related SARs representing an increasing share. FinCEN has issued multiple advisories providing crypto-specific SAR filing guidance, including FIN-2019-A003 (advisory on illicit activity involving convertible virtual currency) and FIN-2021-A004 (ransomware).
European Union. EU member states use Suspicious Transaction Reports (STRs), filed with national FIUs under the framework established by 6AMLD (Directive 2018/1673). Under MiCA, CASPs must file STRs with the FIU of the member state where they are authorized. There is no monetary threshold; any transaction that gives rise to suspicion must be reported. Filing timelines vary by member state but are typically shorter than the US standard, with several jurisdictions requiring reporting within 24 hours for urgent cases involving terrorist financing. The EU’s forthcoming AML Regulation (AMLR), expected to apply from 2027, will harmonize STR requirements across member states. See our MiCA compliance guide for CASP-specific obligations.
United Kingdom. Suspicious Activity Reports are filed with the UK FIU (part of the National Crime Agency) under the Proceeds of Crime Act 2002 and the Terrorism Act 2000. The UK system includes both standard SARs and Defence Against Money Laundering (DAML) requests, where the institution seeks consent from the NCA to proceed with a transaction it suspects may involve criminal property. The consent regime adds operational complexity: if the NCA does not respond within 7 working days, consent is deemed granted. Crypto firms registered with the FCA must file SARs through the same system as traditional financial institutions.
Singapore. Suspicious Transaction Reports (STRs) are filed with the Suspicious Transaction Reporting Office (STRO) under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act. DPT service providers licensed by MAS must file STRs electronically through STRO’s online system. Singapore law imposes criminal penalties for failure to file, including fines up to SGD 20,000.
Confidentiality and Legal Protections
SAR confidentiality is a foundational principle across jurisdictions. In the US, 31 USC 5318(g)(2) makes it a federal crime to disclose the existence or content of a SAR to the person who is the subject of the report (commonly known as “tipping off”). This prohibition extends to the institution’s employees, officers, directors, and agents. Violations can result in criminal prosecution and civil money penalties. The institution and its personnel are granted a safe harbor from civil liability for filing SARs in good faith, even if the reported activity ultimately proves to be legitimate.
Tipping-off prohibitions exist in virtually all jurisdictions that implement FATF standards. Under EU law, 6AMLD Article 39 prohibits disclosure to the person concerned or to third parties. The UK’s Proceeds of Crime Act 2002 criminalizes tipping off with penalties of up to two years’ imprisonment. These protections are essential to the SAR regime’s effectiveness, as disclosure would allow subjects to modify their behavior, destroy evidence, or flee.
Common Compliance Challenges
The most significant operational challenge is SAR narrative quality. FinCEN and other FIUs have consistently noted that many SARs contain vague, formulaic narratives that do not provide actionable intelligence for law enforcement. A narrative that states “customer engaged in suspicious transactions” without specifying the transactions, the amounts, the blockchain addresses, the counterparties, and the specific reason for suspicion is effectively useless. Compliance teams should develop SAR narrative templates tailored to common crypto typologies (ransomware proceeds, darknet market activity, romance scam cash-outs, sanctions evasion) while ensuring each narrative is fact-specific.
Additional challenges include determining when the “detection” clock starts for filing deadline purposes (particularly when suspicious activity emerges gradually through ongoing monitoring rather than a single alert), managing the volume of SAR filings at scale (large exchanges may file hundreds of SARs monthly), coordinating SAR filings across multiple jurisdictions for the same suspicious activity without violating tipping-off restrictions, and implementing a risk-based approach to SAR filing that avoids both defensive over-filing (which dilutes intelligence value) and under-filing (which creates regulatory risk). Maintaining comprehensive beneficial ownership information for entity customers is also essential, as SAR narratives for entity accounts must identify the natural persons behind the legal structure.