Supervisory Insights

Connecting the Dots…The Importance of Timely and Effective Suspicious Activity Reports

Last Updated: July 10, 2023

Do you ever wonder what happens to all the Suspicious Activity Reports (SARs) financial institutions file? Do you think that SARs just disappear into a black hole and are never reviewed? While these are common notions voiced throughout the banking industry, they cannot be further from the truth. The significance of the SAR process in the fight against terrorism, drug trafficking, money laundering, bank fraud, and other financial crimes cannot be overstated.

History clearly shows that there is often a financial connection to crime. Connecting the dots between criminal activity and the financial transactions that facilitate such activity is invaluable, not only in identifying, investigating, and ultimately prosecuting criminals, but also in preventing and deterring crime. SARs play a critical role in exposing the financial links to illicit activities, on both a case-by-case and industrywide basis. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), bank supervisory agencies, and law enforcement depend on SARs to identify, investigate, and analyze criminal activity. Overall, the banking industry has been diligent in detecting and reporting suspicious activity; however, merely filing a SAR may not be enough. The agencies depend on complete, accurate, and timely reports to use SAR information effectively and efficiently.

Examiners play a significant role in ensuring SAR data integrity, and Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examinations nationwide continue to reveal common issues with SAR filings. This article will highlight the importance of SARs, provide examples of how various agencies use them, discuss common SAR filing issues and their potential negative impact on SAR utility, and offer tips and guidance on what makes an effective SAR. By better understanding how SARs are used and focusing on SAR quality, examiners and bankers can help to improve the reliability and integrity of the information and thereby help ensure that SAR users have this critical information to fight financial crimes.

SAR Filings Exceed 1 Million in 2006

Since the late 1980s, depository institutions have been required to report known or suspected criminal violations to FinCEN. In April 1996, the SAR replaced the Criminal Referral Form as the standard form to report suspicious activity.1 At that point, depository institutions (i.e., insured banks, credit unions, and thrifts) were the primary filers of SARs. However, following the terrorist events of September 11, 2001, the USA PATRIOT Act2 expanded SAR requirements to other types of financial institutions, including certain money services businesses (MSBs),3 casinos and card clubs, and certain segments of the securities and futures industries. As a result, the number of SARs filed annually has increased dramatically. As shown in Chart 1, all financial institutions subject to SAR requirements filed more than 1 million SARs in 2006—five times more than were filed in 2001. While other financial institutions have contributed significantly to the escalation in SAR filings, depository institutions continue to file the majority of SARs—more than 565,000 reports, or approximately 53 percent of the reports filed in 2006. As the number of SARs filed annually continues to rise, ensuring that depository institutions file quality SARs in a timely manner becomes increasingly important. (See text box, “SAR Reporting Requirements.”)

Chart 1: SAR Filings Skyrocket

SARs Serve Many Purposes

With limited exceptions, SARs are used to report all types of suspicious activity affecting depository institutions, including but not limited to cash transaction structuring,4 money laundering, check fraud and kiting, computer intrusion, wire transfer fraud, mortgage and consumer loan fraud, embezzlement, misuse of position or self-dealing, identity theft, and terrorist financing. All SARs filed are centralized in a secure database that can be accessed by authorized users, including representatives from FinCEN, bank supervisory agencies, and law enforcement. These agencies rely on SARs for a number of different purposes; yet, whether FinCEN is analyzing the entire SAR database to identify trends or a law enforcement agent is following up on a single SAR, the integrity of the data is critical to the government’s efforts to fight criminal activity.

Use by FinCEN

FinCEN makes SAR and other BSA-related data available to authorized agencies and also plays a key role in analyzing the data to identify emerging trends and patterns associated with financial crimes.5 FinCEN analyzes SAR data to identify institutions with filing problems, such as missing information or incomplete SAR narratives,6 and uses sophisticated trend analysis and data-mining techniques to pinpoint emerging industry vulnerabilities, such as the recent rise in consumer and mortgage loan fraud.7 FinCEN also performs key word searches within SAR narratives to identify potential indicators or specific geographic areas linked to terrorist financing or drug trafficking.8 In testimony before the U.S. House of Representatives Financial Services Subcommittee on Oversight and Investigations in May 2007, FinCEN’s deputy director, William Baity, noted that FinCEN produced 176 complex analytical products in fiscal year 2006, including reports concerning trends in mortgage loan fraud, the role of domestic shell companies in financial crime and money laundering, and financial activity along the U.S. southwest border to identify potential money laundering hot spots so that law enforcement can better direct resources.9

Use by Bank Supervisory Agencies

Public confidence in the banking system can be undermined when an institution insured by the Federal Deposit Insurance Corporation (FDIC) is a victim of internal or external fraud.10 Depository institutions incur millions of dollars in fraud losses annually, and, in extreme cases, fraud can contribute to a bank’s failure and result in significant losses to the Deposit Insurance Fund.11 Prompt identification and follow-up regarding suspected fraud is vital to the strength of the banking system and the Deposit Insurance Fund. SARs alert bank supervisory agencies such as the FDIC to fraud so that they can initiate an appropriate and timely response.

Bank fraud allegations or suspicions of wrongdoing may come to the FDIC’s attention through the on-site examination process, an anonymous tip, or a referral from an outside law enforcement agency. More commonly, fraud against state nonmember banks is identified by bank management and brought to the FDIC’s attention by a SAR filing. Each FDIC region has a SAR review process to follow up on depository institution SARs filed within its supervisory territory. This process identifies and responds to priority SAR filings, which generally include SARs involving institution-affiliated parties (IAPs)12 and those having a material impact on the financial soundness of the institution.

The FDIC is particularly interested in SARs that name IAPs as suspects. Fraud perpetrated by employees, officers, or directors can be especially damaging and may require an immediate regulatory response. If warranted, the FDIC can pursue civil enforcement actions against IAPs, including Removal and Prohibition Orders under section 8(e) of the Federal Deposit Insurance Act (Act) and Civil Money Penalties under section 8(i) of the Act. Many FDIC enforcement action cases against IAPs originate from SARs.

The FDIC’s Office of Inspector General, Office of Investigations (OIG-OI) conducts criminal investigations based on allegations of fraud at FDIC-supervised institutions, working either independently or jointly with other law enforcement agencies. Many of the OIG-OI’s investigations originate from SARs filed by FDIC-supervised institutions and involve IAPs. Often these investigations result in parallel criminal and civil enforcement action proceedings. Cooperation between the OIG-OI and other law enforcement agencies can be instrumental in bank fraud investigations and prosecutions. In fact, a number of successful cases in recent years have highlighted the collective work of several agencies. As of September 30, 2007, the OIG-OI had 106 open bank investigations under way, involving an estimated $1.7 billion in potential fraud. Seventy-seven percent of these cases were being pursued jointly with the Federal Bureau of Investigation (FBI).14

Use by Law Enforcement

“Whether motivated by criminal greed or a radical ideology, the activity underlying both criminal and counterterrorism investigations is best prevented by access to financial information by law enforcement and the intelligence community. The FBI considers this information to be of great value in carrying out its mission to protect the citizens of this country, and over the past few years, we have made significant advances in utilizing this information to carry out our mission.”

• Testimony of Salvador Hernandez, deputy assistant director, Criminal Investigative Division, National Crimes Branch, FBI, before the Financial Services Subcommittee on Oversight and Investigations, May 10, 200715

Law enforcement agencies use SARs to identify financial links to illicit activity. These agencies supplement ongoing investigations by querying FinCEN’s database for name matches to existing suspects and their known associates. For example, if the U.S. Drug Enforcement Administration (DEA) is investigating a specific individual in a narcotics case, agents would likely query the FinCEN database by name to identify additional leads, such as bank accounts, individual and business associates, geographic locations, or aliases. The search would likely include both SAR data and other BSA-related data such as Currency Transaction Reports, which could identify additional information about the suspect.

In recent years, law enforcement agencies increasingly have used SARs to generate new leads and determine whether to open new cases. For example, an agency may identify and pursue a structuring case on its own merits based on a SAR filing, and in the course of such an investigation might further determine that structuring took place to cover up other illicit activities, such as drug trafficking or tax evasion. This proactive approach to using SARs is best exemplified by the development of joint agency SAR Review Teams.

Today, SAR Review Teams, coordinated by the U.S. Department of Justice through the U.S. Attorney’s Offices, exist in 80 of the 94 federal judicial districts nationwide. The primary purpose of a SAR Review Team is to systematically review all SARs that affect a specific geographic jurisdiction, identify individuals who may be engaged in criminal activities, and coordinate and disseminate leads to appropriate agencies for follow-up. The composition of these teams, while varying by location, generally includes representatives from law enforcement and various regulatory agencies, with the U.S. Attorney’s Office and the Internal Revenue Service’s Criminal Investigations Division (IRS-CID) typically in a lead role. Other participants may include representatives from the FBI; the DEA; the Bureau of Immigration and Customs Enforcement; the Bureau of Alcohol, Tobacco, Firearms, and Explosives; the U.S. Secret Service; and state and local law enforcement. A number of SAR Review Teams also have representation from bank supervisory agencies, including the FDIC.16 Coordination among the respective agencies results in improved communication and more efficient resource allocation.

Common SAR Mistakes and Weaknesses

Banks must file complete, accurate, and timely SARs in order for FinCEN, bank supervisory agencies, and law enforcement to gain maximum benefit from the information.17 Preparation errors and filing weaknesses, including late submissions, can reduce SAR effectiveness.

Incomplete or Inaccurate Data Fields

Parts I through IV of the SAR are essentially objective data fields that call for specific information about the filing institution, the suspect(s), the nature of the suspicious activity, any regulatory or law enforcement contacts made before the SAR was filed, and the contact person for additional information. Each numbered reporting field can be used to query the information in the database; therefore, omissions and inaccuracies in any of the data fields can reduce the overall utility of the data. For example:

  • Not identifying the bank’s primary federal regulator in Part I–Reporting Financial Institution Information, or not denoting an IAP relationship in Part II–Suspect Information, can prevent the appropriate regulator from promptly detecting and responding to a priority SAR.
  • Not listing all suspects individually in separate Part II sections can prevent law enforcement from linking suspects to existing investigations or from generating new leads for suspects reported by multiple financial institutions.
  • Not specifying occupation or type of business in Part II can hinder users’ ability to understand why the reported activity is suspicious for a particular customer.
  • Not appropriately characterizing the suspicious activity in Part III–Suspicious Activity Information, can skew FinCEN’s semiannual analysis of industry trends, as published in The SAR Activity Review–By the Numbers.
  • Not aggregating the suspicious activity dates and dollar amounts in Part III when filing a SAR for continuing suspicious activity can cause law enforcement to overlook the severity of a situation and delay an investigation.
  • Not indicating in Part III that a particular law enforcement agency has been contacted can result in duplicative investigative efforts by multiple agencies and waste valuable resources.

Insufficient SAR Narratives

Part V–Suspicious Activity Information Explanation/Description, commonly referred to as the SAR narrative, provides the only free-flow text area to summarize the suspicious activity. The SAR narrative is often the basis for sophisticated data mining, as well as crucial decisions regarding whether to investigate a suspect further. Incomplete, incorrect, illogical, or disorganized narratives can make analysis difficult and adversely affect users’ decisions. For example:

  • Incomplete narratives that do not describe suspect relationships or do not explain the nature of ongoing suspicious activity can reduce the effectiveness of FinCEN’s key word searches, lead to decisions not to pursue suspicious activity, or delay investigations while additional facts are gathered.
  • Narratives that do not clearly explain why an activity is suspicious can hinder a user’s ability to understand the possible criminal action and to make an informed, appropriate, and timely decision whether to pursue an investigation.
  • Narratives that refer to attachments are particularly problematic because information contained in tables, spreadsheets, and similar attachments is not keypunched into the FinCEN database. Worse yet, submitting an entire narrative as an attachment results in no description of the suspicious activity.

Untimely SARs

Timely filings enable SAR users to identify and respond promptly to potential criminal activities. Nonetheless, examinations continue to find late SARs, as well as SARs that are not filed every 90 days for ongoing suspicious activity. Untimely SARs can be particularly detrimental when terrorist financing is suspected, in criminal cases where asset seizures are possible, or when significant fraud threatens the viability of a depository institution. In such situations, time is of the essence; therefore, not only is it important to file a SAR within the prescribed period, but bank management is encouraged to contact law enforcement directly to ensure immediate attention to the matter.

Submitting an Effective SAR

SAR filing deficiencies often result from internal control weaknesses. On a macro level, it is important for financial institutions to establish strong overall risk management practices with respect to suspicious activity monitoring and reporting, including effective policies and procedures, strong management information systems, appropriate staffing and senior management oversight, comprehensive training, and periodic independent testing.18 On a micro level, it is beneficial for financial institutions to establish comprehensive procedures for SAR preparation, review, and approval. The following steps can help to ensure that complete and appropriate SAR information is collected, organized, and maintained.

Conduct thorough research and analysis to gather as much information as possible about the potentially suspicious activity. FinCEN’s Guidance on Preparing a Complete and Sufficient Suspicious Activity Report Narrative provides extensive tips on what information to collect and how to organize it effectively.19 Generally, the guidance indicates that the filing institution should consider all pertinent information it has available through the account opening process and due diligence efforts.

Accurately complete all objective data fields and write a clear and comprehensive SAR narrative. The SAR should be completed as fully as possible. Although information called for in Parts I through IV occasionally may be unknown or unavailable and should be left blank, Part V—the SAR narrative—should always include a detailed description of the suspicious activity.

An effective SAR narrative should clearly detail:

  • Who conducted the suspicious activity
  • What instruments or mechanisms were used to facilitate the suspect transaction(s)
  • When the suspicious activity took place
  • Where the suspicious activity took place
  • Why you (the filer) think the activity was suspicious
  • How or by what method of operation the suspicious activity took place

All SARs are potentially useful, but a SAR containing complete factual data and an effective narrative can determine whether FinCEN gleans useful statistical data, the FDIC takes appropriate and timely action with respect to bank fraud, or law enforcement opens a criminal investigation. For example, a SAR clearly evidencing a deposit structuring pattern extending over a lengthy period and involving a large dollar amount, or a SAR specifically detailing statements by a suspect to a bank employee regarding intent to evade financial reporting requirements, is more likely to get law enforcement’s attention than a SAR that understates the severity of the activity or omits potentially incriminating suspect statements. FinCEN’s Guidance on Preparing a Complete and Sufficient Suspicious Activity Report Narrative includes several examples of both useful and ineffective SAR narratives, with a discussion of the strengths or weaknesses of each.

Maintain comprehensive SAR supporting documentation, since it provides the critical evidence associated with the suspected activity. SAR supporting documentation should be described in the SAR narrative and refer to all documents or records that assisted a financial institution in making the determination that certain activity required a SAR filing. Documentation may include transaction records, new account information, tape recordings, e-mail messages, and correspondence.20 One IRS-CID special agent indicated that the following types of documentation can be particularly useful:

  • Account opening information for all suspects, such as account signature cards and corporate filings identifying officers and directors
  • Account statements for all affected product types
  • Photocopies (front and back) of all applicable financial instruments associated with the suspicious movement of funds, including monetary instruments and deposit tickets
  • Complete wire transfer records, including wire request forms identifying the individual initiating the wire transfer, who may not be the named originator
  • All pertinent loan documents

See the text box titled “Important SAR Preparation Guidance” for a list of resources on completing SARs.

SAR Reporting Requirements

The U.S. Department of the Treasury’s financial recordkeeping regulations (31 CFR 1020.320) require federally supervised banking organizations to file a SAR when they detect a known or suspected violation of federal law meeting applicable reporting criteria. FDIC Rules and Regulations (12 CFR 353) detail the SAR filing requirements that apply to state-chartered nonmember banks, including dollar amount thresholds, filing timelines, and record retention.a

Dollar Amount Thresholds – Banks are required to file a SAR in the following circumstances: insider abuse involving any amount; transactions aggregating $5,000 or more where a suspect can be identified; transactions aggregating $25,000 or more regardless of potential suspects; and transactions aggregating $5,000 or more that involve potential money laundering or violations of the BSA. It is recognized, however, that with respect to instances of possible terrorism, identity theft, and computer intrusions, the dollar thresholds for filing may not always be met. Financial institutions are encouraged to file nonetheless in appropriate situations involving these matters, based on the potential harm that such crimes can produce. Even when the dollar thresholds of the regulations are not met, financial institutions have the discretion to file a SAR and are protected by the safe harbor provided for in the statute.b

a Similar regulations are applicable to other federally supervised banking organizations by their respective primary regulator. See 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Board of Governors of the Federal Reserve System); 12 CFR 748 (National Credit Union Administration); and 12 CFR 21.11 (Office of the Comptroller of the Currency).

b BSA Advisory Group, “Section 4 – Tips on SAR Form Preparation and Filing,” The SAR Activity Review—Trends, Tips, & Issues, Issue 6, November 2003, page 55, at

Filing Timelines – Banks are required to file a SAR within 30 calendar days after the date of initial detection of facts constituting a basis for filing.c This deadline may be extended an additional 30 days up to a total of 60 calendar days if no suspect is identified. FinCEN guidance recommends that banks file an updated SAR at least every 90 days in situations where the suspicious activity is ongoing.d

Record Retention – Banks are required to maintain copies of any SAR filed and the original or business record equivalent of any SAR supporting documentation for five years from the date of filing. Supporting documentation, though not submitted to FinCEN with the original SAR, is considered part of the SAR and must be retained and made available to authorized agencies upon request.

c Initial detection is discussed in the BSA Advisory Group’s “Section 5—Issues and Guidance,” The SAR Activity Review—Trends, Tips & Issues, Issue 10, May 2006, pages 44–46, at
According to the guidance, “The 30-day (or 60-day) period does not begin until an appropriate review is conducted and a determination is made that the transaction under review is ‘suspicious’ within the meaning of the SAR regulations.”

d BSA Advisory Group, “Section 5—Issues and Guidance,” The SAR Activity Review, Issue 1, October 2000, page 27, at .

Making the Connection

The quality of SAR data is crucial to the effective implementation of the suspicious activity reporting system, which not only forms the cornerstone of the overall BSA reporting system but is critical to the United States’ ability to use financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes.21 SARs play a vital role in the investigation and prosecution of criminal cases by law enforcement, as well as in the issuance of civil enforcement actions by bank supervisory agencies and in the identification of financial crime patterns and trends by FinCEN. Examiners and bankers share an important responsibility in ensuring that SARs are complete, accurate, timely, and effective so that users can readily connect the dots to identify, analyze, and investigate financial crime.

Lori Kohlenberg
Rocky Hill, CT

Rebecca Williams
Case Manager (Special Activities)
Braintree, MA

Important SAR Preparation Guidance

FinCEN Resources:

Other Resources:

  • FDIC Risk Management Manual of Examination Policies, Management, Section 9.1 – “Fraud,” and Section 10.1 – “Suspicious Activity and Criminal Violations.” See
  • Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual, August 24, 2007, pages 60–76, 356–357. See

1 SAR forms are available at

2 The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) is arguably the single most significant AML law Congress has enacted since the BSA itself. Among other things, Title III of the USA PATRIOT Act (International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001) criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures; prohibiting financial institutions from engaging in business with foreign shell banks; requiring financial institutions to have due diligence procedures and, in some cases, enhanced due diligence procedures for foreign correspondent and private banking accounts; and improving information sharing between financial institutions and the U.S. government. See

3 Generally, MSBs include the U.S. Postal Service and five distinct types of financial services providers: (1) currency dealers or exchangers; (2) check cashers; (3) issuers of traveler’s checks, money orders, or stored value; (4) sellers or redeemers of traveler’s checks, money orders, or stored value; and (5) money transmitters. However, a business in one of the first four categories is considered an MSB only if it engages in such transactions in an amount greater than $1,000 for any person on any day in one or more transactions. Refer to and 31 CFR 1010.100 (ff).

4 Structuring is defined in 31 CFR 1010.100 (ff) as the act of conducting or attempting to conduct one or more transactions in currency in any amount, at one or more financial institutions, on one or more days, in any manner, for the purpose of evading the currency transaction reporting requirements. See Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, February 15, 2015, Appendix G, “Structuring,” at

5 In addition to SARs, BSA-related data include Currency Transaction Reports (CTRs), Reports of International Transportation of Currency or Monetary Instruments (CMIRs), Designations of Exempt Person (DOEPs), Reports of Foreign Bank and Financial Accounts (FBARs), and Reports of Cash Payments Over $10,000 Received in a Trade or Business (8300s). See

6 The SAR narrative refers to Part V of the Suspicious Activity Report by Depository Institutions (FinCEN Form 111), titled Suspicious Activity Information Explanation/Description. This mandatory section is to be used to provide a complete chronological account of the suspected violation of law or suspicious activity.

7 “Staying Alert to Mortgage Fraud,” Supervisory Insights, Vol. 4, Issue 1, Summer 2007, discusses the housing boom of the early 2000s and how the resultant demand led to increased mortgage fraud activity. See

8 BSA Advisory Group, “Section 5—Issues and Guidance,” The SAR Activity Review—Trends, Tips & Issues, Issue 11, May 2007, pages 39–42, at

10 FDIC, Risk Management Manual of Examination Policies, Section 10.1, Suspicious Activity and Criminal Violations,

11 “Enforcement Actions Against Individuals 2005: A Year in Review,” Supervisory Insights, Vol. 3, Issue 1, Summer 2006, highlights a calendar year of FDIC-issued enforcement actions against individuals for insider fraud, with a focus on the resultant losses to institutions. See

12 Institution-affiliated party is defined in section 3(u) of the Federal Deposit Insurance Act (12 U.S.C. 1813(u)) as—(1) any director, officer, employee, or controlling stockholder (other than a bank holding company) of, or agent for, an insured depository institution; (2) any other person who has filed or is required to file a change-in-control notice with the appropriate Federal banking agency under section 7(j) of the FDI Act; (3) any shareholder (other than a bank holding company), consultant, joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution; and (4) any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in—(A) any violation of any law or regulation; (B) any breach of fiduciary duty; or (C) any unsafe or unsound practice, which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution. See

13 The FDIC OIG’s Semiannual Report to Congress for October 1, 2006, to March 31, 2007, details a number of successful internal and external bank fraud investigations that highlight the cooperative efforts of OIG investigators, FDIC divisions and offices, U.S. Attorney’s Offices, and others in the law enforcement community.

14 Source: FDIC OIG-OI.

16 As of September 30, 2007, the FDIC participated in SAR Review Teams in California, Connecticut, Illinois, Iowa, Kansas, Maine, Massachusetts, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Dakota, Puerto Rico, Rhode Island, South Dakota, and Vermont.

17 SAR references in this section pertain to the SAR by Depository Institutions (FinCEN Form 111). See

18 See FFIEC BSA/AML Examination Manual, February 15, 2015, “Suspicious Activity Reporting – Overview,” “Suspicious Activity Reporting – Examination Procedures,” and Appendix L, “SAR Quality Guidance” at

20 FinCEN Advisory, FIN-2007-G003, Suspicious Activity Report Supporting Documentation, June 13, 2007,

21 See FFIEC BSA/AML Examination Manual, February 15, 2015, “Suspicious Activity Reporting – Overview,” at