Suspicious Activity Report (SAR) Template: Narrative Writing, Filing Triggers, and Common Mistakes

TL;DR

• SAR filing thresholds: $5,000 for banks, broker-dealers, and (as of January 2026) SEC-registered investment advisers; $2,000 for money services businesses.
• The standard filing deadline is 30 days after detection; up to 60 days if no suspect is identified. Continuing activity gets a 90-day review window before the continuation SAR is due.
• FinCEN’s October 2025 FAQs clarified three persistent misconceptions: structuring SARs aren’t required just because transactions are below the CTR threshold; there’s no requirement to document no-file decisions; and institutions aren’t required to manually monitor for continuing activity after filing.
• The narrative is where most SAR programs fail. Describing what happened without explaining why it’s suspicious is the number-one deficiency examiners and FinCEN analysts flag.

Block’s SAR backlog grew from 18,000 unresolved alerts to 169,000 between 2018 and 2021. The company filed some SARs — the problem was volume, timeliness, and quality. State regulators who levied the $80 million enforcement action noted that Block’s BSA program couldn’t keep pace with its growth, and that the SAR function had become a queue to clear rather than an analysis function that produced actionable intelligence.

TD Bank’s $3.1 billion AML settlement — the largest in U.S. banking history — involved, among other failures, a SAR program that was structurally inadequate for the volume and risk profile of the bank’s customer base. Drug trafficking networks ran hundreds of millions of dollars through TD accounts for years.

Neither case was about the SAR form being filled out incorrectly. Both were about programs that failed at the foundation: identifying suspicious activity and reporting it with sufficient quality and timeliness to give law enforcement something to work with.

This is the practitioner guide to what a defensible SAR program looks like — the filing triggers, the narrative framework, the October 2025 FinCEN FAQ updates, and the 10 mistakes that get programs cited in examinations.

Who Must File SARs and When

Covered Institutions

SAR filing obligations under 31 CFR Parts 1010–1030 cover:

• Banks and credit unions (31 CFR 1020.320)
• Broker-dealers in securities (31 CFR 1023.320)
• Mutual funds (31 CFR 1024.320)
• Money services businesses (31 CFR 1022.320)
• Insurance companies (31 CFR 1025.320)
• Casinos (31 CFR 1021.320)
• Futures commission merchants and introducing brokers (31 CFR 1026.320)
• SEC-registered investment advisers — added by FinCEN’s September 2024 final rule, effective January 1, 2026 (31 CFR 1032.320)

If you’re a fintech operating as an MSB or through a sponsor bank, your SAR obligations flow through whichever charter applies. Fintechs that are not themselves licensed institutions may have contractual obligations to support their sponsor bank’s SAR program — your bank partner’s BSA team will tell you exactly what that requires.

Filing Thresholds

The threshold applies to transactions that are conducted or attempted by, at, or through your institution. Aggregation matters: multiple transactions that individually fall below the threshold but collectively meet it, when conducted by the same person or in a coordinated manner, count together.

The Filing Timeline: 30/60 Days and the Continuing Activity Framework

Standard Deadlines

The clock starts at initial detection — defined as the date when your institution knows or has reason to know the transaction may warrant a SAR, typically the date a case is opened for investigation.

• Standard deadline: 30 calendar days from initial detection
• Extension for unidentified suspects: Up to 60 calendar days from initial detection if no suspect has been identified (the additional 30 days allows time to identify who’s behind the activity)
• No extension exists beyond 60 days — if you still haven’t identified a suspect at 60 days, file with the information you have

Continuing Activity

For transactions that represent an ongoing pattern of suspicious activity, FinCEN’s October 2025 SAR FAQs clarified the process:

1. File the initial SAR for the suspicious activity you’ve identified
2. Conduct a 90-day continuing activity review period to assess whether the suspicious pattern is continuing
3. If suspicious activity continues at the 90-day mark, file a continuation SAR within 30 days after the review period ends
4. Repeat the 90-day review cycle as long as suspicious activity continues

The October 2025 FAQs also clarified that institutions are not required to manually review a customer or account after filing just to determine if suspicious activity has continued — automated transaction monitoring systems can fulfill the continuing activity monitoring obligation.

SAR Filing Triggers: What Activity Requires a SAR

The BSA’s suspicious activity standard is: the institution knows, suspects, or has reason to suspect that the transaction:

• Involves funds derived from illegal activity
• Is designed to evade BSA reporting requirements
• Lacks a lawful purpose or is not the type of transaction the customer would normally be expected to engage in
• Involves the use of the institution to facilitate criminal activity

Common SAR Trigger Categories

The Structuring Clarification

One of the most persistent SAR over-filing errors: institutions filing SARs on any customer who makes multiple sub-$10,000 cash transactions, regardless of whether evasion intent is evident. FinCEN’s October 2025 FAQs were explicit on this point: a SAR is not required simply because transactions are at or below the CTR threshold. A SAR is required only if the institution has reason to believe the pattern reflects intent to evade CTR reporting. Your AML risk assessment and monitoring calibration should drive which sub-threshold patterns generate alerts worth escalating.

How to Write a SAR Narrative That’s Actually Useful

The FFIEC BSA/AML Exam Manual Appendix L — SAR Quality Guidance — is blunt about what’s expected: the narrative must identify who is involved, what suspicious activity occurred, when and where it took place, why it’s suspicious, and how it was conducted. Law enforcement must be able to open your SAR and have enough to work with.

The Five W’s + How Framework

Who: Identify all subjects — name, date of birth, address, account number, occupation, and relationship to the institution. If the subject is a legal entity, include the entity name, EIN, business type, and beneficial ownership information you have on file. Cross-reference KYC records — what did the customer tell you their expected activity was at onboarding?

What: Describe the specific activity being reported. Transaction types, instruments used (cash, wire, ACH, check), accounts involved, counterparties. Be specific — “large cash deposits” is not specific. “$47,300 in cash deposited across 12 transactions during October 2025” is specific.

When: Provide the transaction dates and amounts. If reporting a pattern over time, a transaction table in the narrative is clearer than prose.

Where: Identify the account numbers, branch locations (if applicable), receiving institutions and account numbers in wire transfers, origination countries.

Why: This is the critical element that most narratives miss. Don’t just describe what happened — explain why it’s suspicious. What’s the deviation from expected behavior? What’s the red flag? What pattern doesn’t match the customer’s stated business purpose, risk profile, or prior transaction history? “The transactions are inconsistent with the customer’s stated occupation as a sole proprietor landscaping business and the expected activity documented at account opening” is an explanation. “The transactions appear to be suspicious” is not.

How: The method. Wire transfer, cash, third-party checks, peer-to-peer apps, shell company accounts. The how often reveals the money laundering methodology.

Narrative Structure

Introduction (2–3 sentences): Who is the subject, what institution is filing, what is the nature of the suspicious activity, and what is the total dollar amount involved. This orients the FinCEN analyst or law enforcement agent who may see hundreds of SARs a month.

Body: Chronological description of the activity, with specific dates, amounts, and counterparties. Use tables for multiple transactions. Note any prior relationship history — prior SARs filed, prior adverse information, CIP findings. Reference your customer’s stated activity and how the reported transactions deviate.

Conclusion (2–3 sentences): Summarize why the activity is suspicious and state any follow-up action your institution has taken (account closure, enhanced monitoring, referral to law enforcement).

10 SAR Narrative Mistakes That Get Your BSA Program Cited

BSA examiners and FinCEN analysts have published consistent feedback on narrative quality. These are the errors that appear in examination findings and SAR quality guidance most often.

1. Copying alert language without analysis. Your monitoring system’s alert description — “customer made 14 cash deposits below $10,000 in 30 days” — is a starting point, not a narrative. The analyst’s job is to interpret the alert, research the customer’s profile, and explain why this pattern is suspicious. Examiners look for evidence that a human analyzed the alert, not just forwarded it.

2. Missing the “why.” Describing what happened without explaining why it’s suspicious is the single most common SAR narrative deficiency. Your narrative needs the analytical step: this activity deviates from the customer’s stated profile in this specific way, which suggests this specific concern.

3. Spelling errors in FinCEN keywords. FinCEN uses keyword searches across the SAR database to identify trends and connect cases. If you spell “fentanyl” as “fentynal” or “marijuana” as “marijuanna,” your SAR won’t surface in those searches. Use consistent, correct spelling of controlled substances, crime types, and geographic names.

4. Excessive background, insufficient analysis. Long paragraphs explaining how SARs work, the customer’s account history back to 2019, or the institution’s monitoring process take up narrative space that should be used for analysis. Lead with the suspicious activity, not the backstory.

5. No specific amounts and dates. “The customer made numerous cash deposits throughout 2025” doesn’t give law enforcement what they need. “The customer deposited $147,300 in cash across 23 transactions between January 3 and November 14, 2025, with individual deposits ranging from $2,400 to $9,800” does.

6. Missing counterparties in wire transfers. For wire-related SARs, include the originating institution and account, the receiving institution and account, the beneficiary name, and the stated purpose. The counterparty trail is often where the investigation goes next.

7. Failure to identify all subjects. If the suspicious activity involves multiple accounts or multiple individuals, identify all of them — even if you have limited information on some. File a SAR with partial information on a subject rather than omitting them entirely.

8. No prior SAR reference. If you’re filing a continuing activity SAR, reference the prior SAR’s document control number. FinCEN’s systems link SAR filings, but explicit references in the narrative help analysts connect cases.

9. Compliance jargon. “The subject engaged in layering behavior consistent with ML typologies” is compliance-speak. “The customer received $85,000 in wire transfers from three different states over 10 days, immediately withdrew the funds in cash, and the stated business purpose — a sole proprietor painting contractor — does not account for this volume of interstate wire activity” is plain English that law enforcement can act on.

10. Filing too late and noting it in the narrative. If you’re filing past the 30-day window, the narrative should acknowledge the delay and briefly explain it (complex investigation, suspect identification effort). Don’t omit this — examiners will note the discrepancy between detection date and filing date.

Your SAR Program Template: 8 Required Components

A SAR program is more than a form. A defensible program includes:

1. SAR policy. Governs who files, what triggers a filing, the escalation process, approval requirements, and record retention. Your CIP template feeds the customer identity data that anchors every SAR.

2. Monitoring system rules and calibration. Documented alert rules, thresholds, and tuning decisions. Examiners want to see that your monitoring is calibrated to your actual customer risk profile — not a vendor default.

3. Alert investigation procedures. Step-by-step process for how alerts are assigned, investigated, escalated, and closed. Decision trees help ensure consistent analyst decisions.

4. Escalation and approval workflow. Who makes the SAR-or-no-SAR call, who approves it, and what happens when analysts disagree. For significant or high-profile cases, board or senior management notification requirements.

5. SAR narrative template. A structured template aligned to the five W’s + how framework ensures analysts cover all required elements. Templates reduce variability in narrative quality.

6. Case management documentation. Evidence retained for each investigation: transaction data, alert details, customer information reviewed, analysis performed, decision made, and approval. Retained for five years minimum.

7. Continuing activity review calendar. Tracking which filed SARs are in their 90-day continuing activity review window, with deadlines for continuation SAR decisions.

8. SAR review metrics. Timeliness (percent filed within 30 days), volume trends, investigator caseloads, and alert-to-SAR conversion rates. These metrics let management identify program strain before the backlog reaches Block-level territory.

So What?

FinCEN received 4.7 million SAR filings in fiscal year 2024 — an average of 12,870 per day. The agencies that review and act on those filings can’t use a SAR that describes transactions without analysis. Law enforcement can’t build a case from “activity appeared suspicious.” The regulatory imperative behind SAR quality isn’t about checking a box — it’s about making sure your filing is one of the ones that leads somewhere.

Most SAR program failures start the same way: volume grows faster than the compliance function, alerts pile up, analysts start clearing queues instead of doing analysis, and narrative quality degrades to alert copy-paste. By the time an examiner pulls a sample of your SARs and finds the same template paragraph in 80% of them, the program has been broken for years.

The fix is upstream: clear trigger policies, a narrative template with the five W’s built in, training that teaches analysts to explain the “why,” and metrics that show you when investigator caseloads are unsustainable before the backlog takes over.

Frequently Asked Questions

What happens if we file a SAR with incomplete information? File what you have on time. An incomplete SAR filed within the deadline is always better than a complete SAR filed late. You can file an amendment to a previously filed SAR if you obtain additional information. Don’t let information gaps become a reason for delay — document what you know, note what you’re still investigating, and meet the deadline.

Can employees be held personally liable for SAR failures? Yes. BSA violations can result in civil money penalties against the institution and, in egregious cases, criminal charges against individuals. BSA officers who fail to maintain adequate SAR programs have faced personal enforcement actions. The 2024 K&L Gates review of BSA enforcement actions noted that several 2024 actions involved BSA officers designated as ineffective or unqualified. This is not theoretical risk.

What is SAR tipping off and what are the consequences? Tipping off — disclosing to the subject of a SAR that a SAR has been or may be filed — is a federal crime under 31 U.S.C. § 5318(g)(2). This includes disclosures to the customer, to the public, or to anyone outside the institution who would communicate the information to the subject. Penalties include criminal prosecution and civil money penalties. If a customer asks whether a SAR was filed, the institution must neither confirm nor deny.

Do we need to file SARs for internal fraud by employees? Yes. Employee fraud that involves misuse of customer accounts, falsification of records, or embezzlement at or above the applicable threshold requires a SAR filing. Internal fraud SARs require the same narrative quality as customer-facing SARs — and often more detail, since they may support an internal investigation and potential criminal referral.