Understanding Suspicious Activity Monitoring in Banking

Banks and financial institutions are legally required to monitor customer transactions for signs of criminal activity. The consequences of getting this wrong are not abstract: FinCEN assessed a record $1.3 billion penalty against TD Bank in October 2024 for willful failure to maintain an adequate AML program and report suspicious activity. The OCC added a separate $450 million penalty on the same date.

This article covers what suspicious activity monitoring is, what triggers it, how the monitoring process works, what the SAR filing process involves, and what financial institutions — including fintechs, money transmitters, and crypto firms — need to know to stay compliant.


TL;DR

  • Suspicious activity monitoring (SAM) is the regulated process banks use to identify, investigate, and report transactions that may indicate money laundering, fraud, or other financial crimes.
  • All financial institutions — banks, fintechs, MSBs, and crypto firms — carry mandatory SAR filing obligations under BSA/AML frameworks.
  • Monitoring uses two approaches: manual transaction review and automated surveillance systems.
  • SAR deadlines are strict: 30 calendar days from initial detection, or 60 days if no suspect is identified.
  • Growing fintechs without dedicated compliance staff face the highest program gap risk — and the steepest enforcement exposure.

What Is Suspicious Activity Monitoring in Banking?

Suspicious activity monitoring (SAM) is the formal process by which financial institutions identify, research, document, and (where required) report transaction patterns or customer behaviors that may indicate illegal activity. That includes money laundering, terrorist financing, fraud, and violations of the Bank Secrecy Act (BSA).

The Regulatory Foundation

Every SAM obligation traces back to a statutory source. In the US, that authority is 31 USC 5318(g), which empowers Treasury to require financial institutions to report suspicious transactions. The implementing regulation for banks is 31 CFR 1020.320, and the primary examination framework is the FFIEC BSA/AML Examination Manual.

Equivalent obligations exist across every jurisdiction Fraxtional serves:

  • UK: Money Laundering Regulations 2017 (MLRs) and FCA Financial Crime Guide, which require holistic monitoring tailored to each firm's risk profile
  • EU: The 2024 AML package, including AMLD VI (2024/1640/EU) and AMLR (2024/1624)
  • Canada: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), administered by FINTRAC

Cross-border fintechs carry obligations in every jurisdiction where they operate. These are not interchangeable — each regime has its own thresholds, filing channels, and documentation rules.

Who Must Comply

SAM obligations are not limited to traditional banks. The full scope of covered entities includes:

  • Banks and credit unions (31 CFR 1020.320)
  • Money services businesses and money transmitters (31 CFR 1022.320)
  • Crypto firms — administrators and exchangers of convertible virtual currency are treated as MSBs under FinCEN guidance
  • Embedded finance companies and BaaS providers, where obligations attach through their underlying bank or MSB structure

[Figure: Four categories of financial institutions required to comply with SAM obligations]

For early-stage companies and platforms processing payments through a third-party bank, this matters operationally: your compliance obligations are live from the moment you begin handling transactions, not once you reach a particular revenue or funding threshold.


What Counts as Suspicious Activity? Red Flags Banks Watch For

Under 31 CFR 1020.320, a bank must file a SAR when a transaction involves or aggregates at least $5,000 and the institution knows, suspects, or has reason to suspect the transaction:

  • Involves funds from illegal activity
  • Is designed to evade BSA reporting requirements
  • Has no apparent lawful purpose or is inconsistent with the customer's known business
  • Facilitates criminal activity through the institution

Common Red Flags

These categories account for the majority of SAR filings across bank and MSB institutions:

Structuring (smurfing): Multiple cash deposits each just below the $10,000 CTR threshold (31 USC 5324). One of the most frequently cited red flags in SAR filings.

Unexplained cash volume: A non-cash business regularly depositing large cash sums, or a personal account with a low opening balance that suddenly shows large, unexplained fund flows.

Geographic and counterparty indicators:

  • Wire transfers to or from high-risk jurisdictions on FATF watchlists (North Korea, Iran, and Myanmar are currently subject to a call for action)
  • Transactions with shell companies or entities in secrecy havens
  • Sudden activity in previously dormant accounts

Crypto-specific indicators (per FinCEN's CVC advisory):

  • Transactions linked to darknet-associated addresses
  • Use of mixing or tumbling services
  • Multiple cash deposits followed by virtual currency purchases
  • Refusal to provide source-of-funds information

Context Is Everything

None of these red flags automatically triggers a SAR in isolation. What drives the filing decision is a pattern of activity reviewed against customer due diligence (CDD) records, known business profile, and account purpose. Institutions don't need to confirm a crime occurred — only to report what is suspicious.

SAR filing thresholds (US banks):

  • Insider abuse: any amount
  • Suspect can be identified: $5,000 or more
  • No suspect identified: $25,000 or more

MSBs carry a lower threshold: $2,000 or more under 31 CFR 1022.320.


How the Monitoring Process Works: Manual vs. Automated

The FFIEC BSA/AML Examination Manual identifies two primary monitoring approaches. Which one an institution uses — or whether it uses both — depends on its risk profile, transaction volume, and customer mix.

Manual Transaction Monitoring

Manual monitoring relies on staff review of periodic reports, including:

  • Currency activity reports
  • Funds transfer records
  • Large item reports
  • ATM and NSF reports

Frontline employees — tellers, relationship managers — serve as the first line of detection and escalate unusual activity to compliance staff. This approach is common in smaller institutions where enterprise surveillance software is cost-prohibitive.

Automated Surveillance Monitoring

Automated systems scan all account activity against rules and behavioral profiles. Two main types:

  • Rule-based systems: Flag transactions outside defined parameters (for example, wires above a threshold to certain jurisdictions)
  • Intelligent/adaptive systems: Compare customer activity against historical data or peer groups to detect behavioral anomalies

Regulators increasingly favor automated monitoring as transaction volumes grow. That said, the FFIEC is explicit: system sophistication should be dictated by the institution's risk profile — not by what competitors are running.
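
A rule-based check for the structuring red flag described earlier, as an added example that is not from the original article or any vendor's system. The 80% "just below" band, the 7-day window, the three-deposit minimum, the `CashDeposit` type and the sample data are all assumptions chosen for illustration; a real program sets them from its own risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000   # cash reporting threshold cited in the article (USD)
NEAR_FRACTION = 0.80     # assumption: "just below" means >= 80% of the threshold
WINDOW_DAYS = 7          # assumption: rolling look-back window
MIN_DEPOSITS = 3         # assumption: deposits needed before a pattern is alerted

@dataclass(frozen=True)
class CashDeposit:
    customer_id: str
    day: date
    amount: int          # whole dollars

def structuring_alerts(deposits):
    """Flag customers whose near-threshold cash deposits cluster in one window."""
    near = defaultdict(list)
    for d in deposits:
        if CTR_THRESHOLD * NEAR_FRACTION <= d.amount < CTR_THRESHOLD:
            near[d.customer_id].append(d)
    alerts = []
    for customer_id, items in sorted(near.items()):
        items.sort(key=lambda d: d.day)
        best, start = None, 0
        for end, current in enumerate(items):
            # Shrink the window until it spans fewer than WINDOW_DAYS days.
            while current.day - items[start].day >= timedelta(days=WINDOW_DAYS):
                start += 1
            window = items[start:end + 1]
            total = sum(d.amount for d in window)
            if len(window) >= MIN_DEPOSITS and total > CTR_THRESHOLD:
                if best is None or len(window) > best["count"]:
                    best = {"customer_id": customer_id, "count": len(window),
                            "total": total, "first_day": window[0].day,
                            "last_day": window[-1].day}
        if best:
            alerts.append(best)
    return alerts

# Constructed sample data, not real transactions.
SAMPLE = [
    CashDeposit("C-1001", date(2024, 3, 4), 9_800),
    CashDeposit("C-1001", date(2024, 3, 3), 9_500),
    CashDeposit("C-1001", date(2024, 3, 7), 9_900),
    CashDeposit("C-1001", date(2024, 3, 6), 9_200),
    CashDeposit("C-2002", date(2024, 3, 5), 9_700),   # single deposit, no pattern
    CashDeposit("C-3003", date(2024, 3, 3), 12_000),  # over threshold, outside this rule
]
```

Calling `structuring_alerts(SAMPLE)` returns one alert, for C-1001. An alert of this kind is an input to analyst review against the customer's due diligence records and business profile, not a filing decision.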

The Five Key Components of an Effective Program

Per the FFIEC manual, a compliant suspicious activity monitoring program requires:

  1. Identification or alert of unusual activity — the initial flag, whether manual or automated
  2. Alert management and escalation — review, triage, and routing to the right decision-maker
  3. SAR decision-making — documented analysis of whether activity meets the filing threshold
  4. SAR completion and filing — accurate, timely submission through the BSA E-Filing System
  5. Monitoring and SAR filing on continuing activity — ongoing review of previously flagged accounts

[Figure: Five-component suspicious activity monitoring program process flow diagram]

Each component depends on the others functioning correctly. Alert backlogs, for example, carry the same enforcement exposure as having no program at all — TD Bank's 2024 penalty stemmed in part from precisely that failure: unresolved alert queues and systemic breakdowns in escalation and reporting.


The SAR Filing Process: Timelines, Thresholds, and Obligations

Filing Deadlines

Under 31 CFR 1020.320:

  • 30 calendar days from initial detection of facts that may constitute a basis for filing
  • 60 calendar days if no suspect can be identified at the time of detection
  • "Initial detection" begins when an investigation concludes the activity is suspicious — not when a transaction is simply flagged for review

All SARs must be filed electronically through FinCEN's BSA E-Filing System. Paper filing has not been permitted since April 2013.

Record Retention and Confidentiality

Obligation              | Rule
Retention period        | 5 years from the date of filing
Tipping-off prohibition | No employee or agent may notify any person named in a SAR that a report was filed
Safe harbor             | 31 USC 5318(g)(3) protects institutions from civil liability for good-faith SAR filings
Continuing activity     | File a new SAR after a 90-day review; deadline is 120 days after the prior related SAR

The tipping-off prohibition is absolute. Customers are never notified that their activity has been reported, regardless of the outcome of any investigation.

That confidentiality requirement operates at scale. In FY 2024, FinCEN received 4.7 million SARs — averaging 12,870 filings per day. For any institution managing SAR obligations, this is a continuous operational workload, not a periodic compliance exercise.


Building an Effective Monitoring Program: Challenges and Best Practices

The Risk-Based Approach

Regulators do not expect every institution to run the same program. The FFIEC is clear: monitoring systems should be calibrated to the institution's specific risk profile — accounting for customer types, product mix, geographic exposure, and transaction volumes.

That means conducting and documenting regular risk assessments to recalibrate thresholds and parameters as the business grows. A program built for a $5M ARR payments startup will not satisfy a regulator reviewing a $200M crypto exchange.

Where Fintechs and Crypto Firms Get Into Trouble

The most common gaps Fraxtional encounters when working with seed-to-Series B fintechs and crypto firms:

  • No dedicated BSA expertise: Compliance is owned by a generalist or legal counsel with no SAR filing experience
  • Miscalibrated monitoring rules: Thresholds set too high miss real activity; too low creates alert fatigue and backlogs
  • Technology that outpaces the program: The product scales, the monitoring system doesn't
  • Missing documentation: Decisions not to file a SAR go undocumented, creating examination exposure

The numbers illustrate the stakes. FinCEN assessed $3.4 billion against Binance in November 2023 for failure to register as an MSB, maintain an effective AML program, and report suspicious transactions. In 2022, FinCEN and OFAC assessed $29.3 million against Bittrex for failing to file SARs for over three years.

How Fraxtional Addresses These Gaps

For fintechs and crypto firms that cannot justify a full-time BSA Officer or CAMLO, Fraxtional provides fractional compliance leadership — a named BSA Officer, CAMLO, or MLRO who takes direct ownership of the monitoring program without the overhead of a permanent hire.

In practice, that engagement involves:

  • Owning daily monitoring and SAR/STR workflows, including backlog remediation without disrupting operations
  • Calibrating transaction monitoring thresholds, alert triggers, and rules to the client's specific business model (prepaid, lending, crypto, payments)
  • Designing or recalibrating AML systems, policies, and QA controls aligned to sponsor bank BSA risk assessment requirements
  • Covering US (BSA/FinCEN), UK (FCA/MLRs), Canadian (FINTRAC), and EU obligations under a single fractional engagement

One fintech lender's compliance lead put it this way: "Their AML monitoring setup made it easier for our team to catch issues before they escalated. We're now handling volume with more confidence."

For seed-to-Series B fintechs pursuing sponsor bank partnerships or approaching their first regulatory examination, program gaps at this stage are the most likely trigger for a deal pause or enforcement referral. Having a named BSA Officer on record before that conversation starts changes the outcome.


Frequently Asked Questions

What is suspicious activity monitoring?

Suspicious activity monitoring is the formal, regulated process by which banks identify, research, document, and report transaction patterns that may indicate money laundering, terrorist financing, fraud, or other financial crimes. It is a legal requirement under BSA/AML frameworks in the US and equivalent regimes in the UK, EU, and Canada.

What triggers a SAR investigation?

A SAR investigation is triggered when a transaction meets legal criteria under 31 CFR 1020.320 — involving illegal funds, evasion of BSA reporting, or activity inconsistent with the customer's known profile. Filing thresholds are $5,000 when a suspect can be identified and $25,000 regardless of suspect identification.

How do I know if my bank account is being monitored?

All bank accounts are subject to ongoing monitoring as standard compliance practice. Institutions are legally prohibited from notifying customers that a SAR has been filed (the tipping-off prohibition under 31 CFR 1020.320). Customers are never informed when their activity has been flagged or reported.

What is the difference between transaction monitoring and surveillance monitoring?

Manual transaction monitoring involves staff reviewing specific reports (currency activity, funds transfer, large items) to flag unusual transactions. Automated surveillance monitoring uses software rules and behavioral profiles to scan all account activity for suspicious patterns. Both approaches can be, and often are, used together.

How long does a bank have to file a SAR after detecting suspicious activity?

Institutions must file within 30 calendar days of initial detection. If no suspect can be identified, the deadline extends to 60 calendar days. Filing cannot be delayed beyond 60 days under any circumstance.

What are the consequences for banks that fail to file a SAR?

Failure to file required SARs can result in civil money penalties, consent orders, growth restrictions, and reputational damage. FinCEN's October 2024 action against TD Bank illustrates the scale of exposure: a $1.3 billion penalty tied in part to SAR failures on thousands of suspicious transactions.