Bates Research | 08-06-25
Suspicious Activity Reports: Regulatory Expectations and Examination Risk

As former regulators turned BSA/AML consultants for the Bates Group, we've had a front-row seat to the life cycle of a Suspicious Activity Report (SAR)—from drafting to filing to regulatory review. We've sat on both sides of the table, performing examinations and remediation of enforcement actions. If there's one thing we want financial institutions to understand, it's this: your SARs are more than reports, they're a window into your entire compliance program.
A Costly SAR Mistake: What Happened and Why It Matters
Earlier this year, a compliance analyst at a buzzing fintech startup had one job: filing a SAR on a sketchy string of wire transfers. Easy enough, right? Not quite.
Instead of properly flagging the red-hot transaction trail, the analyst bungled the entire filing—missing key details, omitting crucial customer information, and submitting the report nearly a month late. At first, no one noticed. But during a routine audit, the oversight lit up like a neon sign. What should have been a routine filing turned into a full-blown compliance headache.
The fallout? Ugly. The late and sloppy SAR didn't just irritate regulators—it potentially disrupted an active criminal investigation. Law enforcement was not pleased, and neither was the firm's leadership. The company scrambled into damage control, launching emergency training sessions and enforcing a new policy: no SAR goes out without a second pair of eyes.
As for the analyst? Not fired but sidelined. They're not filing any SARs solo for the foreseeable future. The ordeal was a wake-up call: in compliance, dropping the ball isn't just a "whoops," it can get very real, very fast.
Why SARs Get Scrutinized
Contrary to popular belief, regulators aren't trying to nitpick every SAR. The real scrutiny starts when reports appear:
- Inconsistent
- Vague
- Systemically deficient across a sample
Deficiencies in accuracy or regulatory compliance often invite a deeper dive.
Common examples include:
- Not documenting the date the activity was determined to be suspicious
- Filing deadlines that are incorrect, e.g., MSBs using a 60-day timeline instead of the required 30 days (even if a subject is unknown)
- Failure to explain early or late filings of continuing SARs
- Brief narratives lacking sufficient detail about suspicious activity
These aren't just SAR errors; they signal broader weaknesses in compliance oversight.
What Regulators Are Actually Looking For
When regulators review SARs, they examine both content and process. Specifically, they want to confirm that your SARs:
- Have all required fields accurate and complete, with narratives that provide enough context
- Are timely and compliant with FinCEN's 30-day (or 30+90-day continuing SAR) rules
- Show internal analysis and understanding of suspicious activity
- Are supported by a tracking system that prevents duplicative or misclassified filings and provides a clear timeline from investigation to filing
Common compliance failures include:
- Inconsistent narrative writing across SARs
- Not checking "unknown" in the subject field when the narrative names a suspect
- Failing to indicate the nature of suspicious activity in item boxes, or checking "other" without specifying what the activity was
- Incorrect dollar rounding (SARs should always be rounded up to the next whole dollar)
- Omitting clear explanations of amendments at the top of the narrative
- Not tracking or including prior BSA ID numbers in continuing or amended SARs
- Skipping non-critical fields (IP addresses, occupation, NAICS codes, subject roles, etc.)
Small oversights, big red flags. These issues reflect problems in governance, quality control, and staff training.
Common Pitfalls That Raise Red Flags
Some of the most frequent SAR-related issues include:
- Narratives lacking the 5Ws (who, what, when, where, why) and failing to place customer activity in context
- Missing totals or summaries of suspicious activity, making it hard to grasp the scope
- Failure to include advisory key terms in Field 2 and narrative—especially when multiple typologies apply
- Accidental subject name exposure in the SAR "Filing Name" section, risking internal leaks
- Not indicating updated information or prior BSA IDs in continuing SAR narratives
- Poor tracking of SARs related to continuing activity
Pro Tips from Former Regulators
- Get your narrative right. A good SAR tells a clear, logical story, including a business model, timeline, total amounts, reasoning, and subject relationship.
- Explain your logic. Filing early? Skipping a continuing SAR due to timing? Say so—in the narrative.
- Track related SARs. Always include prior BSA ID numbers in both the form and the narrative.
- Don't skip fields. Even "non-critical" fields can matter in federal investigations.
- QA your filings. Regular quality assurance catches small issues before they become systemic ones.
What to Fix Before Your Next Exam
To avoid unnecessary scrutiny, address the following immediately:
- Establish a SAR tracking log: subjects, filing types, prior BSA IDs, determination dates, due dates, amendment reasons
- Validate SAR timelines: ensure all staff know the 30-day (and 30+90-day) rules
- Refresh narrative templates to enforce clarity and structure
- Create escalation protocols for edge cases (e.g., early filings, ambiguous classifications)
- Use advisory key terms consistently across narratives and form fields
- Review SARs for unnecessary subject name exposure
- Ensure full documentation of the entire review process: from triage and investigation to QC, filing, retention, and QA
Final Word: SARs Are a Window into Your Program
SARs are not just standalone filings—they're snapshots of your institution's risk posture and compliance maturity. Regulators can learn more from them than from interviews or policies.
Make your SARs demonstrate:
- Attention to detail
- Narrative clarity
- Technical compliance
- Understanding of institutional risk
When done well, SARs show that your AML program doesn't just exist, it's thriving, strategic, and helps build a true culture of compliance.
