Bates Research | 08-06-25

Suspicious Activity Reports: Regulatory Expectations and Examination Risk

As former regulators turned BSA/AML consultants for the Bates Group, we've had a front-row seat to the life cycle of a Suspicious Activity Report (SAR)—from drafting to filing to regulatory review. We've sat on both sides of the table, performing examinations and remediation of enforcement actions. If there's one thing we want financial institutions to understand, it's this: your SARs are more than reports, they're a window into your entire compliance program.

A Costly SAR Mistake: What Happened and Why It Matters

Earlier this year, a compliance analyst at a buzzing fintech startup had one job: filing a SAR on a sketchy string of wire transfers. Easy enough, right? Not quite.

Instead of properly flagging the red-hot transaction trail, the analyst bungled the entire filing—missing key details, omitting crucial customer information, and submitting the report nearly a month late. At first, no one noticed. But during a routine audit, the oversight lit up like a neon sign. What should have been a routine filing turned into a full-blown compliance headache.

The fallout? Ugly. The late and sloppy SAR didn't just irritate regulators—it potentially disrupted an active criminal investigation. Law enforcement was not pleased, and neither was the firm's leadership. The company scrambled into damage control, launching emergency training sessions and enforcing a new policy: no SAR goes out without a second pair of eyes.

As for the analyst? Not fired but sidelined. They're not filing any SARs solo for the foreseeable future. The ordeal was a wake-up call: in compliance, dropping the ball isn't just a "whoops," it can get very real, very fast.

Why SARs Get Scrutinized

Contrary to popular belief, regulators aren't trying to nitpick every SAR. The real scrutiny starts when reports appear:

Inconsistent
Vague
Systemically deficient across a sample

Deficiencies in accuracy or regulatory compliance often invite a deeper dive.

Common examples include:

Not documenting the date, the activity was determined to be suspicious
Filing deadlines that are incorrect, e.g., MSBs using a 60-day timeline instead of the required 30 days (even if a subject is unknown)
Failure to explain early or late filings of continuing SARs
Brief narratives lacking sufficient detail about suspicious activity

These aren't just SAR errors; they signal broader weaknesses in compliance oversight.

What Regulators Are Actually Looking For

When regulators review SARs, they examine both content and process. Specifically, they want to confirm that your SARs:

Have all required fields accurate and complete, with narratives that provide enough context
Are timely and compliant with FinCEN's 30-day (or 30+90-day continuing SAR) rules
Show internal analysis and understanding of suspicious activity
They are supported by a tracking system that prevents duplicative or misclassified filings and provides a clear timeline from investigation to filing

Common compliance failures include:

Inconsistent narrative writing across SARs
Not checking "unknown" in the subject field when the narrative names a suspect
Failing to indicate the nature of suspicious activity in item boxes, or checking "other" without specifying what the activity was
Incorrect dollar rounding (SARs should always be rounded up to the next whole dollar)
Omitting clear explanations of amendments at the top of the narrative
Not tracking or including prior BSA ID numbers in continuing or amended SARs
Skipping non-critical fields (IP addresses, occupation, NAICS codes, subject roles, etc.)

Small oversights, big red flags. These issues reflect problems in governance, quality control, and staff training.

Common Pitfalls That Raise Red Flags

Some of the most frequent SAR-related issues include:

Narratives lacking the 5Ws (who, what, when, where, why) and failing to place customer activity in context
Missing totals or summaries of suspicious activity, making it hard to grasp the scope
Failure to include advisory key terms in Field 2 and narrative—especially when multiple typologies apply
Accidental subject name exposure in the SAR "Filing Name" section, risking internal leaks
Not indicating updated information or prior BSA IDs in continuing SAR narratives
Poor tracking of SARs related to continuing activity

Pro Tips from Former Regulators

Get your narrative right. A good SAR tells a clear, logical story, including a business model, timeline, total amounts, reasoning, and subject relationship.
Explain your logic. Filing early? Skipping a continuing SAR due to timing? Say so—in the narrative.
Track related SARs. Always include prior BSA ID numbers in both the form and the narrative.
Don't skip fields. Even "non-critical" fields can matter in federal investigations.
QA your filings. Regular quality assurance catches small issues before they become systemic ones.

What to Fix Before Your Next Exam

To avoid unnecessary scrutiny, address the following immediately:

Establish a SAR tracking log: subjects, filing types, prior BSA IDs, determination dates, due dates, amendment reasons
Validate SAR timelines: ensure all staff know the 30-day (and 30+90-day) rules
Refresh narrative templates to enforce clarity and structure
Create escalation protocols for edge cases (e.g., early filings, ambiguous classifications)
Use advisory key terms consistently across narratives and form fields
Review SARs for unnecessary subject name exposure
Ensure full documentation of the entire review process: from triage and investigation to QC, filing, retention, and QA

Final Word: SARs Are a Window into Your Program

SARs are not just standalone filings—they're snapshots of your institution's risk posture and compliance maturity. Regulators can learn more from them than from interviews or policies.

Make your SARs demonstrate: