What Is a Suspicious Activity Report (SAR)? A Fintech Filing Guide

What Is a Suspicious Activity Report (SAR)? A Fintech Filing Guide

For most fintechs that move money, filing a Suspicious Activity Report (SAR) is not optional — it is a legal requirement under the Bank Secrecy Act. Unlike many compliance obligations that feel abstract, SAR filing is concrete, deadline-driven, and directly tied to real decisions your team makes every single day.

Getting it right matters. Filing late, filing incorrectly, or failing to file when you should have are all violations that FinCEN actively enforces — and the consequences range from significant civil penalties to criminal exposure for individuals.

This article explains what a SAR is, what triggers the obligation to file one, exactly how the filing process works, and what infrastructure fintechs need to manage it properly.

What Is a Suspicious Activity Report?

A Suspicious Activity Report is a confidential report filed with the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury. SARs exist to give federal, state, and local law enforcement visibility into potential financial crime occurring within the U.S. financial system.

When a covered financial institution detects activity that appears suspicious — transactions that might involve money laundering, fraud, structuring, or other financial crime — it is required to file a SAR documenting that activity in detail. FinCEN aggregates SAR data from across the financial system and makes it available to law enforcement agencies including the FBI, DEA, IRS, and Homeland Security for criminal investigations.

SARs are strictly confidential. It is a federal crime to tip off the customer or any involved party that a SAR has been filed or is even being considered. This prohibition — called the SAR confidentiality rule — is one of the most operationally critical rules your entire team needs to understand.

Who Is Required to File SARs?

SAR filing requirements apply to businesses classified as financial institutions under the BSA:

— Banks and credit unions

— Money Services Businesses (MSBs) — including money transmitters, prepaid card issuers, check cashers, and cryptocurrency businesses

— Broker-dealers and investment firms

— Insurance companies for certain products

— Fintech companies operating under a sponsor bank — where the filing obligation may fall to the bank, the fintech, or both depending on the specific arrangement

If your business is registered as an MSB with FinCEN, you have independent SAR filing obligations that exist regardless of your sponsor bank's own program. Understand your obligation clearly before you launch — do not assume your sponsor bank handles it all.

What Triggers a SAR?

A SAR must be filed when your business knows, suspects, or has reason to suspect that a transaction:

— Involves funds derived from illegal activity — including proceeds of crime, drug trafficking, fraud, corruption, or tax evasion

— Is designed to evade BSA reporting requirements — including structuring transactions to remain below reporting thresholds

— Has no apparent lawful purpose and cannot be reasonably explained after investigation

— Involves use of the financial institution to facilitate criminal activity — including situations where an employee may be complicit

The standard is suspicion — not certainty. You do not need proof that a crime occurred. You need a documented, reasonable basis to suspect it might have. When in doubt, file.

Common Red Flags That Trigger SAR Reviews

— Transactions structured just below $10,000 reporting thresholds — a practice called structuring that is itself a separate federal crime

— Rapid movement of funds in and out of an account with no clear legitimate business purpose

— Customers who are reluctant to provide identification, explain the source of funds, or answer questions about transaction purpose

— Activity that is inconsistent with a customer's stated profile, business type, or historical behavior patterns

— Transactions involving high-risk geographies, sanctioned jurisdictions, or known high-risk counterparties

— Multiple accounts or customers sending funds to the same external recipient for no apparent reason

— Round-dollar transactions or unusual patterns repeated at regular intervals

The SAR Filing Process — Step by Step

Step 1 — Detection

Suspicious activity is identified through your automated transaction monitoring system — rules that flag activity meeting defined criteria — or through manual observation by compliance, operations, or customer-facing staff. Any employee can and should report suspicious activity internally.

Step 2 — Investigation

Before filing, your compliance team must conduct and document a thorough investigation. This means reviewing the flagged transaction in full account context, examining the customer's transaction history and KYC profile, searching for any legitimate explanation, and reaching a documented conclusion about whether the suspicion is reasonable. The quality of this documentation is what protects you in an examination.

Step 3 — The Filing Decision

If the activity meets the suspicion threshold and crosses the dollar amount requirement, a SAR is required. The filing decision must be made and documented by a designated compliance officer or BSA Officer. The dollar threshold for most fintechs and MSBs is $2,000 or more in a single transaction or aggregated transactions within 30 days involving the same person. For banks and broker-dealers the threshold is $5,000.

Step 4 — Filing With FinCEN

SARs are filed electronically through FinCEN's BSA E-Filing System at bsaefiling.fincen.treas.gov. The form requires a description of the suspicious activity, subject information, reporting institution details, and the type of suspicious activity identified. The narrative section is the most critical part — it must be clear, factual, chronological, and complete enough for a law enforcement agent with no prior knowledge of the account to understand exactly what happened and why it is suspicious.

Step 5 — Meet the Deadline

SARs must be filed within 30 calendar days of the date suspicious activity was initially detected. If additional time is needed specifically to identify a subject, you have up to 60 days maximum. There is no extension process. No exceptions. Missing the deadline is itself a BSA violation.

The SAR Confidentiality Rule — Train Everyone on This

Once a SAR is filed — or even once the decision to file is under consideration — no one inside your organization may disclose to the customer, the transaction subject, or any outside party that a SAR has been filed or is being contemplated. This prohibition applies to every person in the company — customer service staff, account managers, operations teams, founders, and executives alike.

This means if a customer calls asking why their account is under review, your team cannot confirm or deny that a SAR is involved. This rule requires specific training for customer-facing staff who are most likely to be asked directly.

Violating the confidentiality rule is a separate federal offense — independent of the underlying SAR violation.

SAR Recordkeeping Requirements

You must retain a copy of every SAR filed along with all supporting investigation documentation for a minimum of five years from the filing date. This includes transaction records, account history, monitoring alerts, investigative notes, and all communications related to the filing decision. These records must be retrievable on short notice for examination or law enforcement requests.

Building SAR Capability Before Your First Transaction

Four things must be fully operational before you process your first customer transaction:

1. Transaction monitoring — automated rules configured to surface suspicious activity for compliance review

2. A documented investigation workflow — step-by-step process for reviewing alerts, investigating activity, and reaching a filing decision

3. A designated BSA Officer — the named individual accountable for making final SAR filing decisions

4. FinCEN E-Filing System enrollment — your company must be registered before you can file

Do not wait until you encounter suspicious activity to build this infrastructure. By then, you are already behind the filing clock.

Frequently Asked Questions

What is the SAR filing deadline for fintechs?

SARs must be filed within 30 calendar days of the date suspicious activity was initially detected. If additional time is needed to identify a subject, the maximum is 60 days. There are no extensions.

What happens if a fintech fails to file a SAR?

Failure to file a required SAR is a BSA violation. Consequences include civil money penalties of up to $1 million per day for willful violations, potential criminal penalties for intentional non-compliance, and significant regulatory and sponsor bank consequences.

Can a fintech be penalized for filing too many SARs?

No. There is no penalty for filing SARs in good faith, even if the underlying activity turns out not to involve criminal conduct. The BSA provides safe harbor protections for good-faith SAR filers. The risk runs entirely in the direction of not filing when you should have.

What is the difference between a SAR and a CTR?

A Currency Transaction Report (CTR) is filed automatically for any cash transaction over $10,000 — it is not judgment-based. A SAR is filed when a covered institution has reason to suspect illegal activity — it requires investigation and a compliance judgment call.

How ComplyOne Helps

ComplyOne helps fintechs and MSBs build SAR investigation workflows, train compliance teams on all aspects of the SAR filing process, and establish the documentation practices that protect you in a FinCEN examination — whether through our compliance technology platform, advisory services, or both.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Compliance requirements vary based on your business model, jurisdiction, and regulatory relationships. Consult a qualified compliance professional for guidance specific to your situation.