The AML Training Academy and Advisory LLC Logo

Our Blog


Suspicious Activity Reporting (SAR)

is an AML procedural topic that confuses many and harvests many varied positions and opinions. Most people having anything to do with a SAR or potential SAR have never seen one written by another financial institution and perhaps have never even seen their own since that duty may be delegated to a special SAR writing team within their own institution.  While I was an investigator with the New York State Police and the El Dorado Task Force I was in the unique position to read, examine, and analyze thousands of SARs in every possible permeation from numerous financial institutions. This allowed me to compare how various financial institutions wrote their SARs which included the good, the bad, and the ugly. Combining that and knowing what information law enforcement wants to see in a SAR along with running major law enforcement investigations provided me with a unique perspective on SARs.

The Back Story

The SAR, or Suspicious Transaction Report (STR) in many countries outside of the U.S., is the bane of AML’s existence. The SAR is the handshake between financial institutions and law enforcement. Much of the policies of an AML program are performed with the intention of providing law enforcement with a heads up if suspicious behavior is afoot. Fulfilling this intention and properly completing a SAR then becomes one of the most important functions that a financial institution can perform.

✧ – ✦ – ✧  

Note: The era of Suspicious Activity Reports (SARs) in the United States began with the Annunzio-Wylie Anti-Money Laundering Act of 1992, which required regulated financial institutions to report transactions that they suspected might involve illicit funds or purposes. The USA Patriot Act of 2001 upped the ante to include securities broker/dealers. Then in 2006, the Bank Secrecy Act (BSA) was amended to require certain insurance companies and mutual funds to begin filing SARs. RMLO’s in 2012 and housing GSE’s were mandated to file in 2014. Other industries have a voluntary SAR reporting status.

✧ – ✦ – ✧  

Getting to Suspicious

One of the most frequent questions I get—and that FinCEN gets—is, “When should I file a SAR?” The term suspicious, in and of itself, is a bit nebulous. There is no absolute, clear cut, without-a-doubt answer for this question. The fact is that “suspicious” depends on many factors. What is suspicious for one institution may not be for another. Much depends on the points of information garnered from the risk assessment performed on the customer, such as financial history, geography, product(s), other entities involved, frequency, economic sense of the transaction and/or incident, and let’s not forget the risk appetite of the financial institution. 

Usually, an incident, “trigger”, or “alert” will be generated by the financial institution’s transaction monitoring computerized system. A system whose parameters probably have been set by the third-party vendor who sold and maintains the system in conjunction with the individual financial institution. These parameters are set differently depending on the type of financial institution and should be “fine-tuned” with regularity. There are two types of triggers: 1) The computer generated predetermined parameter that sets off a trigger or; 2) a human interaction, usually involving a vigilant employee at the first line of defense that sets off a trigger. The human interaction incident may not even get “scrubbed” through the computer system as it might not have been a transaction. For example, a customer facing employee notices something odd about a customer’s actions and reports same – no TM systems used. Perhaps the incident was someone trying to establish an account and upon gathering the potential customer’s KYC some giant red flag popped up that sent the hair on the back of the employees neck into a tizzy. So, not all alerts come from the computer monitoring system. In fact, some of the best triggers come via the human element. Whichever method caused the alert, the next step needs to be taken. That step is reviewing the alert.

The review begins with a human analyst who takes a look at the alert. The analyst might be able to determine very quickly, after a review, that the alert can be cleared. For example, a local florist deposits cash four times his norm on February 15. Unless there are other circumstances, Valentine’s Day may be the logical reason for the increase in cash deposits for the florist and the alert could be cleared. Other incidents may not be so easily cleared. The analyst may have to perform due diligence. At this stage incorporating the customers KYC info would be essential. The analyst should be looking for clues as to why this incident/transaction took place. A vertical and horizontal review on the customer should commence. That includes all his KYC info, previous transactions (all info that made up the customers risk matrix), open source info, and similar professions history to name a few. Does the transaction make sense based upon all that you know about the customer and his trends and patterns.  If the analyst cannot determine a reasonable explanation for the alert then it should be escalated. Note: the analyst will not be contacting the customer. Upon review, it might be determined to have the Relationship Manager (RM) or some front line personnel contact the customer. However, they must be fully aware of the “no tipping off” rule.    

The Unusual Activity Report

Depending on the size of the institution the path of an alert may vary. In smaller institutions the analyst may handle everything from initial review, to investigation, to SAR writing. In larger institutions there may be more layers in the process. Many larger institutions have created a new form called the “unusual activity report.” This was done for very specific reasons mostly having to do with terminology and timing. In the U.S., as per the Bank Secrecy Act (BSA), an institution must report to FinCEN any activity deemed suspicious within 30 days of the date of the incident being discovered, unless no subject is identified then you have 60 days to report. Typically larger financial institutions have multi-layered reporting processes. For example, teller to head teller, to assistant branch manager, to branch manager, to regional manager, to the financial intelligence unit, to the AML investigative team, to the compliance review group, to the SAR write up team, to submission to FinCEN…….whew!!!! By the time the suspicious activity in question reached the end of that administrative assembly line 30 days had past and the institution was in violation. So, in order to buy more time for the process to complete without getting jammed up by the regulators for failing to submit in a timely fashion, an ingenious idea was developed, the unusual activity report. The first line of defense and much of the second line of defense (customer facing staff and backroom staff) would no longer call an incident/alert “suspicious.” If the trigger could not easily be cleared after the initial analyst’s due diligence and review and it needed to be escalated, it would be deemed to be “unusual.” The term, “unusual” would remain as the incident/alert made its journey through the assembly line process until the end of the line. If at the end of the line the incident was still dubious, then and only then would the activity review team label it as “suspicious.” Now, the institution just bought themselves 30 days from this point to submit their SAR. I don’t know if that is what the AML founding fathers considered when putting together AML standards but I have to admit it is pretty ingenious to use a play on words to get more time. Why hire more people to get it done in 30 days when you can fall back on vocabulary. Brilliant…at least until the regulators put the kibosh on that.

Completing the Narrative

Once a financial institution completes its’ investigation their results should be reviewed by senior management and/or the legal staff before transmitting it to FinCEN. FinCEN’s online format has made things a bit easier for both the filers and the reviewers. Every box on the SAR has a corresponding drop down list and there should be no empty boxes on a SAR that’s ready to submit. The most difficult part is the narrative section. This area, allows for approximately 17,000 characters and is the place where you get to tell your story. This is also the section that seems to give many people trouble. The usual question is, “What do I put here?”. I have seen everything from great to horrible in this area. Too much info, too little info, info that appears to be written in Greek, info that pertains to nothing, and info that contains a bevy of acronyms I’ve never seen before (and I worked for the government) and apparently are institution specific. A fundamentally good SAR narrative should contain the following:

  • The basic Ws and the H: Who, What, When, Where, Why (although the why might not be decided or recognized), and How. 
  • Who’s conducting the suspicious activity? Who’s the customer? Who’s the counterparty? Who else is involved? Provide as much pedigree information as you have on the subject (hence a quality KYC program should provide all the pertinent information on identification). Obtain all addresses, phone numbers, mobile and landline, email address, URL’s and IP addresses. Is this a joint or business account? If so, list names. Your customer may not send up any red flags to law enforcement but perhaps the counterparty who’s being wired money does. Perhaps the person (smurf) who physically makes the deposits has a long rap sheet. This allows law enforcement to investigate all other names associated with the incident and the pieces of the puzzle may begin to come together.
  • What’s the suspicious activity? What instruments were used? Wire transfers, ATMs, shell companies, or foreign currency? Identify the source of funds. Think of it this way….What happened that made your “spidy senses” tingle? For example, what gave you, Mr/Mrs banker with many years of experience, the feeling that something was wrong? If you can just elaborate on that, you’re helping out law enforcement. I always made it a point to listen very closely when an experienced banker said to me, “I can’t put my finger on it, but something stinks with this.” If you can’t figure the situation out, with all the years of experience between you and your team, then the situation should be escalated to the next level.
  • When was the activity detected? When did the suspicious activity occur? Over what period of time? Any previous filings? These date breadcrumbs allow law enforcement (LE) to establish timelines. LE can then build on that timeline with information received from other SARs/CTR’s submitted by other financial institutions.
  • Where did the activity occur? Identify all the locations impacted by this activity. Identify all accounts involved. Refrain from writing that the activity occurred in branch #827. That tells LE nothing. Please put the physical address. If there are many locations then add a spreadsheet as an attachment. Hence refer to the above bullet about timelines. Many times I was able to create both a daily and an overall timeline to draw a map of the activities that revealed the “smurf(s)” going around the city from bank to bank. Prosecutors love that! And juries love that even more!
  • Why is the activity suspicious? Is it unusual for the customer, product type, or services offered by the institution? And here’s a major one, is there any legitimate business purpose for the transaction? This goes hand in hand with the “What” section above. Most people conduct their activities in the simplest way possible. They usually go from A to Z in a straight line. When that line curves, criss crosses, or takes some peculiar route, then it might be time to consider just what the heck is going on. 
  • How did the suspicious activity occur? One time event? Series of transactions? Source of funds? The flow of the funds.
  • FYI – Try to avoid using acronyms. Each financial institution has their own vernacular and jargon that may only be used by that institution. I can’t tell you how many times I read a SAR and had no idea what the writer was talking about. No in-house acronyms. Here’s something to consider. Law enforcement personnel are not bankers. If you write in banking jargon they may not understand it. Would you understand a police report with all the acronyms and codes? Consider this technique – If your mother had to read it, would she understand it? So, write it so that your mom could understand it. (I know there’s one wise guy out there right now saying, “but my mom works in a bank.”) And by the way, the SARs are confidential so don’t actually give one to mom!
  • If the basis of the SAR is money coming in, elaborate on how it goes out. The same goes for the reverse outgoing funds: Tell how they got into the account in the first place.
  • Try to write the narrative body in chronological order.
  • If you’re listing numerous transactions, dates, locations, and other numbers, I suggest you summarize. Nothing will cause the reviewer’s eyes to glaze over faster than pages of numbers. If the law enforcement reviewers need further specifics on the dates and times, they’ll contact you.
  • For example: Mr. X made 27 deposits, each under $10,000, on 27 separate days between August 1 and Oct 25, 2018.
  • Be short but informative. No need to rewrite War and Peace. Conversely, one or two sentences are not quite enough. Write to inform, not to impress.

Tips To Be a Rock SAR

  1. Detail if law enforcement has been contacted and include the name and numbers of the Agent/Investigator/Detective if possible. This helps prevent one LE agency from conflicting with another agency who may already have a case pending on the subject of the SAR. When I saw another LE agency listed on a SAR I would always contact that Investigator to determine what our next move would be. I would not want to find out that I’d been looking into a case for a couple of weeks to subsequently discover that the DEA had an active case on the same subject for the past 5 months.
  2. What may seem insignificant to you may be the missing piece of the puzzle for law enforcement. You don’t know what you don’t know.
  3. Law enforcement may not adopt a case the first time they review a SAR or quite possibly they may never adopt it. It may also take a couple of SARs before law enforcement determines that the situation will be investigated (and it could be SARs on the same subject from different institutions). Remember there are approximately 2 million SARs written every year. LE cannot investigate them all. They must triage all the information and select the ones that they believe require immediate attention. Also, it may take another SAR written 18 months later, by another financial institution, that grabs LE’s attention. Then they will backtrack and find your SAR. So, you may not hear back from LE today but you may hear from them down the road. 
  4. There should be a conclusion to the narrative. Summarize all your findings and notate any follow up action that may have been conducted by the institution. Particularly note if the relationship has been exited.
  5. Finally, document, document, document. Even if you do not submit a SAR you must notate your investigative actions and the reasons for not filing. Famous line by the regulators – if you did not document it, then you didn’t do it.

I hope I have been able to shed some light onto a cloudy topic. My golden rules are:

  • If you don’t understand the situation, escalate.
  • Don’t make a mountain out of a molehill, if you just tell me why you feel this incident is suspicious then you’re ahead of the game.
  • Don’t feel slighted if you don’t hear back from LE. That does not mean that the information you provided wasn’t useful to LE. 
  • Make friends with LE. Go to meetings and/or events where LE will be. It would be beneficial to have one or two LE representatives that you can call if you have questions or something that you think is very serious, such as a possible terrorist. One incident that might require a call to LE is an elder abuse scam situation. Let’s not wait for grandma to wire all her funds out to her new found online lover before you write a SAR. You can call LE. In this case, if you wait, grandma will be living in a refrigerator box under the highway before long as all her funds will be gone. If you are going to do a SAR, you can call and tell LE about it. In some circumstances, speed is of the essence.

I work with AML programs large and small, if you need a customized and quality anti-money laundering program, training, or advise I invite you to contact me to learn how I can help with your AML compliance. – Kevin Sullivan, CAMS, President of The Anti-Money Laundering (AML) Training Academy.

Related Articles

The Biggest Dangers of Money Laundering by Kevin Sulllivan, CAMS The AML Training Academy President

About the Author

Kevin Sullivan, CAMS, CCI is a retired New York State Police Investigator and Federal Agent who dedicated his career to AML and continues that work through his company, The AML Training Academy and Advisory LLC. Kevin coordinated AML investigations for the state of New York while being detailed to one of the worlds largest AML task forces, the NY High Intensity Financial Crime Area (HIFCA) El Dorado Task Force. He has helped develop and implement global AML guidelines and trained and advised all industries and government agencies requiring AML around the globe. He helped to write various certification programs for the Association of Certified Anti-Money Laundering Specialists’ (ACAMS) and was the co-founder and former chair of their inaugural chapter which was in NY. Follow Kevin or reserve a seat in one of his live webinars. Space is limited!

Upcoming Live Streaming AML/BSA/AFC/CTF Webinars


Join Kevin’s live streaming beginner and advanced AML/BSA/AFC/CTF compliance webinar courses at  Reserve your seat today.  Space is limited!

For more info or to arrange Custom Compliance Training Classes and Advisory Services contact The AML Training Academy and Advisory LLC at: ☎ (855) 265-7700 | 📧