Understanding Suspicious Activity Report Filing Requirements

Introduction

Financial institutions filed 4.7 million SARs in FY2024 — roughly 12,870 per day — yet many compliance teams, particularly at fintechs and growing financial firms, still struggle with the basics: when exactly is a filing required, what triggers the obligation, and what do recent regulatory changes mean for their programs?

FinCEN's October 2024 action against TD Bank assessed a record $1.3 billion penalty after the bank willfully failed to file SARs on suspicious transactions totaling approximately $1.5 billion. Missing filings invite regulatory penalties. The opposite problem — over-filing driven by defensive compliance — wastes resources and can contribute to unwarranted customer de-banking.

What follows gives you the precise answers: SAR definition, who must file (including why fintechs aren't off the hook), filing triggers and deadlines, the end-to-end process, and what the October 2025 FinCEN guidance changes require from your program right now.

TL;DR: Key Takeaways

  • SARs are mandatory reports under the Bank Secrecy Act, filed with FinCEN when activity is known, suspected, or reasonably suspected to involve financial crime above defined dollar thresholds
  • Banks, MSBs, broker-dealers, casinos, and insurance companies must file directly
  • Fintechs without a banking license carry SAR obligations contractually through their sponsor bank relationships
  • The standard deadline is 30 calendar days from initial detection, extended to 60 days if the subject is unknown
  • October 2025 FinCEN guidance rolled back three requirements: structuring SARs (absent evasion intent), mandatory post-SAR continuing reviews, and strict no-SAR documentation standards
  • Regulators now expect a risk-based, well-documented SAR program — with judgment and documentation carrying more weight than filing volume

What Is a Suspicious Activity Report (SAR)?

A SAR is a confidential report filed through FinCEN's BSA E-Filing System when a financial institution detects activity it knows, suspects, or has reason to suspect constitutes a financial crime. That includes money laundering, terrorist financing, fraud, human trafficking, and evasion of BSA reporting requirements.

SARs are a primary tool in U.S. financial intelligence. Law enforcement agencies across federal, state, and local levels access SAR data to identify criminal networks, trace illicit funds, and build prosecutable cases.

The Legal Foundation

SAR authority flows from 31 USC 5318(g), which authorizes the Secretary of the Treasury to require financial institutions, including their directors, officers, employees, and agents, to report suspicious transactions.

The current filing form, FinCEN SAR (Form 111), has been mandatory since April 1, 2013, replacing legacy forms including the SAR-DI and FinCEN Form 109. Electronic filing through the BSA E-Filing System is required; paper filings are not accepted.

Safe Harbor Protection

Under 31 USC 5318(g)(3), institutions and their personnel are shielded from civil liability for filing SARs. This protection is broad in scope:

  • Covers both mandatory filings and voluntary SARs filed below required thresholds
  • Applies regardless of subject notification (tipping off the subject is separately prohibited)
  • Extends across federal, state, and local law

In practice, this means compliance officers can file defensively without fear of civil exposure — a meaningful protection in high-ambiguity situations.

Who Is Required to File a SAR?

Direct Filers Under Federal Regulation

The following institution types have mandatory SAR filing obligations under FinCEN regulations:

Institution Type Governing Regulation
Banks and depository institutions 31 CFR 1020.320
Money services businesses (MSBs) 31 CFR 1022.320
Brokers or dealers in securities 31 CFR 1023.320
Casinos and card clubs 31 CFR 1021.320
Insurance companies 31 CFR 1025.320

Five financial institution types required to file SARs with governing regulations

Mutual funds, futures commission merchants, introducing brokers in commodities, and loan or finance companies are also covered under FinCEN's SAR filing instructions.

The Fintech Reality

Fintechs operating without their own banking license are not direct SAR filers under the BSA. The filing obligation sits with the licensed institution.

That said, fintechs are not off the hook. Per interagency guidance on bank-fintech arrangements, a bank's use of third parties does not diminish the bank's responsibility to comply with applicable law. Banks routinely require fintech partners to identify, document, and escalate suspicious activity contractually — putting fintech compliance teams on the same operational timeline and quality bar as the filing institution itself.

For fintechs navigating sponsor bank relationships, having a qualified BSA Officer — whether full-time or fractional — is both a regulatory expectation and a commercial requirement for maintaining the partnership.

Fraxtional's fractional BSA Officer service is built for exactly this scenario. It provides hands-on AML leadership across end-to-end SAR workflows, case governance, and sponsor bank audit support — without the overhead of a full-time hire.

Joint SAR Filings

Two or more financial institutions may file a single joint SAR on the same suspicious activity, with one institution designated as the filer of record. The filing institution must identify all joint filers in the narrative.

What Triggers a SAR Filing?

Dollar Thresholds

Under 31 CFR 1020.320, banks must file a SAR when:

  • Any amount — criminal violations involving insider abuse
  • $5,000 or more — criminal violations when a suspect can be identified
  • $25,000 or more — criminal violations regardless of whether a suspect is identified
  • $5,000 or more — transactions where the institution knows, suspects, or has reason to suspect money laundering, terrorist financing, BSA evasion, or activity with no apparent lawful purpose

Primary Categories of Suspicious Activity

Three situations create a filing obligation:

  1. Potential money laundering or illegal activity — including terrorist financing, fraud, and human trafficking
  2. Structuring with intent to evade — breaking transactions into smaller amounts to avoid CTR requirements (see below)
  3. No apparent lawful purpose — transactions that cannot be explained after reviewing all available facts, customer background, and account history

The same transaction pattern can be entirely legitimate or deeply suspicious depending on the customer's profile, business type, and history. Context drives the analysis.

Understanding Structuring

Structuring means conducting currency transactions in any amount, at one or more institutions, for the purpose of evading BSA reporting requirements. The key word is purpose.

Multiple cash deposits below $10,000 do not automatically require a SAR. A restaurant making three daily deposits of $3,000 each for legitimate operational reasons is not structuring.

A customer who explicitly asks a teller how to stay under the $10,000 threshold — or whose deposit patterns shift abruptly after learning about CTR requirements — presents a clear structuring indicator. The 2025 FinCEN guidance reinforced this distinction directly (covered below).

Alert Sources and Law Enforcement Inquiries

Knowing where alerts originate matters for how institutions triage and document their decisions. Suspicious activity surfaces through multiple channels:

  • Automated transaction monitoring alerts
  • Day-to-day employee observations
  • Law enforcement inquiries — grand jury subpoenas, Section 314(a) requests, National Security Letters

Receiving a law enforcement inquiry does not automatically require a SAR. The institution must evaluate account activity and customer risk holistically. The inquiry informs the risk assessment; it does not replace it.

The "No Reasonable Explanation" Standard

When reviewing activity against all available facts — CDD/EDD data, transaction history, customer profile — the test is straightforward: if no legitimate explanation exists, a SAR is warranted.

Institutions are not required to confirm or investigate the underlying crime. That is law enforcement's role. The obligation is to report, not to prove.

SAR Filing Deadlines and Timing Requirements

The 30/60-Day Rule

Two deadlines govern every SAR filing:

Scenario Deadline from Initial Detection
Suspect identified 30 calendar days
No suspect identified 60 calendar days

SAR filing 30 versus 60 day deadline comparison based on suspect identification

Filing cannot be delayed beyond 60 days to continue searching for a suspect.

Important: "Initial detection" is not the moment a transaction monitoring system generates an alert. The clock starts after appropriate review concludes that the activity is suspicious within the meaning of the SAR regulation.

Continuing Activity SARs

Historically, institutions were expected to file a continuing SAR at least every 90 days for ongoing suspicious activity, with a 120-day outer limit from the prior related SAR.

The October 2025 FinCEN FAQ changed that. Mandatory periodic reviews following each SAR filing are no longer required. Institutions may now rely on risk-based internal monitoring to surface and report continuing activity — provided those systems are genuinely calibrated to catch it. The obligation to file on continuing suspicious activity remains; only the mechanical review trigger is gone.

Emergency Notifications

When a situation requires immediate attention — imminent terrorist activity, active fraud — institutions must immediately notify law enforcement by telephone before or alongside filing the SAR:

  • Local FBI or IRS Criminal Investigation Division office for most situations
  • FinCEN's Financial Institutions Terrorist Hotline (866-556-3974) for suspected terrorist activity

A phone call does not replace the SAR filing. The telephone notification and the written SAR are separate, concurrent obligations.

How the SAR Filing Process Works

The Five FFIEC Components

Per the FFIEC BSA/AML Examination Manual, an effective SAR monitoring and reporting system has five interconnected components:

  1. Identify or alert on unusual activity — through transaction monitoring, employee observation, or law enforcement inquiry
  2. Manage alerts — triage, investigate, and document alert dispositions
  3. Make SAR decisions — research, analyze, and escalate to a designated decision-maker with clear authority
  4. Complete and file the SAR — accurately, completely, and on time through BSA E-Filing
  5. Monitor and file on continuing activity — using risk-based internal controls, not mandatory manual reviews

Five FFIEC SAR monitoring and reporting process components flow diagram

In practice, most examination findings trace back to gaps in alert management or the SAR decision step — where documentation and escalation paths are weakest.

SAR Quality Requirements

Examiners assess SAR quality along three dimensions: complete, accurate, and timely.

The narrative section matters most. A vague narrative that says "customer made unusual transactions" is nearly useless to law enforcement. A strong narrative describes:

  • The nature and extent of the suspicious activity
  • Why it is suspicious
  • The specific facts supporting the filing decision

On the FinCEN SAR form, fields marked with an asterisk are critical and must be completed or marked "Unknown." Non-critical fields should be completed where information is available.

Record Retention

Quality filings are only half the obligation — retention requirements are equally enforceable. Institutions must retain SAR copies and all supporting documentation for five years from the filing date. Supporting documentation includes every record used to make the filing determination.

Two details that frequently catch institutions off guard:

  • Supporting documentation must be provided to FinCEN or law enforcement upon request, without a subpoena
  • The BSA E-Filing System is not a recordkeeping system — institutions must save and store their own copies

SAR Confidentiality

It is illegal to notify any person involved in a transaction that a SAR has been filed — or even that one exists. This prohibition applies to the institution and all directors, officers, employees, and agents. Violations carry civil penalties up to $100,000 per violation, criminal fines up to $250,000, and imprisonment up to five years.

Limited exceptions do apply. SARs may be shared internally within a corporate structure and with qualifying U.S. affiliates that are themselves subject to SAR regulations.

What the October 2025 FinCEN Guidance Changes Mean for Your Program

On October 9, 2025, FinCEN issued a joint FAQ with the Federal Reserve, FDIC, NCUA, and OCC clarifying SAR filing requirements. Treasury Secretary Bessent described these as "commonsense yet consequential reforms that will ease regulatory burdens without undermining law enforcement efforts."

The guidance creates no new obligations — its purpose is to reduce unnecessary defensive filing and redirect compliance resources toward genuinely high-risk activity.

Clarification 1: Structuring SARs

Transactions at or near the $10,000 CTR threshold do not automatically require a SAR. A filing is only required when the institution knows, suspects, or has reason to suspect the transactions were designed to evade reporting.

In practice, small businesses making multiple daily cash deposits for legitimate operational reasons should not reflexively trigger a SAR. Over-filing on those customers contributes to the de-banking problem regulators have increasingly flagged.

Clarification 2: Continuing Activity Reviews

Institutions are no longer required to conduct a separate manual review of every customer after filing a SAR. Internal risk-based monitoring systems can — and should — do that work.

For compliance teams, this means one thing: don't file continuing SARs defensively because you previously filed on a customer. File when your monitoring system surfaces actual continued or new suspicious activity.

Clarification 3: No-SAR Documentation

There was never a formal regulatory requirement to document decisions not to file. But examination practice had evolved to expect extensive no-SAR memos, creating significant compliance burden. The 2025 guidance clarifies that if an institution chooses to document a no-SAR decision, a "short, concise statement" is sufficient.

Updating Your SAR Program for This Shift

The October 2025 guidance signals a clear shift: regulators want risk-based, outcomes-focused SAR programs — not volume-maximizing defensive ones. Compliance teams should:

  • Audit processes that exist solely because "it's always been done that way"
  • Ensure transaction monitoring systems — not manual reviews — are driving detection
  • Reallocate resources toward highest-risk customers and activity types
  • Right-size no-SAR documentation to a brief, factual record

October 2025 FinCEN guidance three key SAR program changes compliance checklist

Building and maintaining this kind of program requires experienced compliance leadership. For fintechs and growing financial institutions without a full-time BSA Officer or CCO, Fraxtional provides director-level SAR program expertise on a fractional basis. That includes transaction monitoring calibration, SAR workflow design, and sponsor bank relationship management — scoped to your stage and budget, not a full-time salary.

Frequently Asked Questions

How long do I have to submit a SAR?

The standard deadline is 30 calendar days from the date of initial detection that activity is suspicious — not from when a monitoring system first flagged it. If the subject cannot be identified, the deadline extends to 60 calendar days from initial detection.

Who can submit a SAR?

Licensed financial institutions — including banks, MSBs, broker-dealers, casinos, and insurance companies — are required to file directly with FinCEN. Fintechs operating under a sponsor bank arrangement are not direct filers but carry their own reporting obligations through that relationship.

What triggers a SAR report?

A SAR is required when an institution identifies:

  • Suspected money laundering or other illegal activity
  • Transactions structured to evade BSA reporting requirements, where intent to evade is evident
  • Transactions of $5,000 or more with no apparent lawful purpose that cannot be explained after reviewing all available facts and customer history

Is a SAR filing confidential?

SARs are strictly confidential. Institutions and their employees are prohibited from disclosing to any person involved in a transaction that a SAR has been filed. Violations carry civil penalties up to $100,000 per violation and criminal penalties including fines and imprisonment.

What happens if a financial institution fails to file a SAR?

Failure to file can result in significant regulatory fines, enforcement actions by FinCEN and prudential regulators, reputational damage, and — in serious cases — consent orders. The TD Bank $1.3 billion penalty is the most prominent recent example. Consequences scale with the severity and pattern of non-compliance.

Do fintechs need to file SARs?

Fintechs without a banking license aren't direct SAR filers under the BSA, but they aren't exempt either. Sponsor bank contracts typically require fintechs to identify and report suspicious activity on the same standards and timelines as a licensed institution.