Topics Types of Bank Fraud 12 Most Common Types of Bank Fraud Account Takeover (ATO) Fraud Check Fraud ACH Fraud Real-time Payment Fraud First-Party Fraud Wire Fraud Zelle Fraud Types of Card Fraud Credit Card Fraud Debit Card Fraud Lost or Stolen Card Fraud Card Skimming Chargeback Fraud Card Not Present (CNP) Fraud Fraud Defenses Anti-Money Laundering (AML) Crowdsourced Abuse Reporting Device Fingerprinting Real-time monitoring Email Reputation Service IP Reputation Service SR 11-7 Compliance Supervised Machine Learning Suspicious Activity Reports (SARs) Two-Factor Authentication (2FA) Unsupervised Machine Learning Fraud Tactics Bot Attacks Call Center Scams Card Cloning Credential Stuffing Data Breaches Deepfakes Device Emulators GPS Spoofing Money Mule Scams P2P VPN Networks Phishing Attacks SIM Swap Fraud URL Shortener Spam Web Scraping Fraud Tech Device Intelligence Feature Engineering Identity (ID) Graphing Fraud Types Application Fraud Transaction Fraud Payment Fraud Bust-Out Fraud Buyer-Seller Collusion Content Abuse Money Laundering Loan Stacking Romance Scams Synthetic Identity Theft Cryptocurrency Scams Pig Butchering Scams A Guide on Suspicious Activity Reports (SARs) Suspicious Activity Reports are a key part of anti-money laundering (AML). They’re required by the Bank Secrecy Act in the US to report potential money laundering or terrorist financing. Beyond that, they’re a crucial piece in flagging serious financial crime. In this wiki, you’ll learn how they work and how to file them. What is a Suspicious Activity Report? A Suspicious Activity Report (SAR) is a document financial institutions (FIs) must file when they suspect money laundering or financial fraud activity. In the US, FIs file SARs with the Financial Crimes Enforcement Network (FinCEN). Once and FI files a SAR, they must also document their findings. FinCEN offers guides on how to complete Suspicious Activity Reports so FIs know every piece of information to include. At many FIs, SARs are a built in part of their fraud platform. What triggers a Suspicious Activity Report? As the name implies, any kind of suspicious transaction or financial activity should trigger a SAR. Federal regulations in the US require FIs file a SAR for the following: Any amount of insider abuse Financial crimes totaling $5,000 or more where suspect is known. Financial crimes totaling $25,000 or more regardless of suspect identification. Transactions totaling $5,000 or more conducted or attempted by known suspicious entities. Transactions that may involve money laundering or terrorism financing. Transactions with no clear business or lawful purpose. Transactions outside normal expected customer behavior. There are some common activities that should trigger SARs as well. These include: Frequent/repetitive transactions, especially in round dollar amounts (i.e. many $9,999 deposits to avoid triggering mandatory reporting thresholds.) Large cash transactions over a certain threshold. “Structured transactions” or smurfing where many small transactions are made to the same or similar accounts. Rapid transfers, especially of large sums between multiple accounts. Anonymous accounts transacting with each other or suspicious accounts. Suspected identity fraud (behavior far outside the normal customer’s activity). Customers refusing to provide information or identification. Suspicious activity report requirements FinCEN provides specific requirements and guidelines for filing a SAR which are part of AML compliance. The key requirements for filing a SAR with FinCEN are: Reasonable suspicion of illicit financial activity based on specific facts, observations, or indicators. Completion and accuracy with SARs containing all required information. Timeliness of filing to ensure SARs reach FinCEN within 30 days of the date the suspicious activity is detected. Transaction exceeds minimum filing thresholds. Suspicious individuals or entities are identified if possible. Description of suspicious activity, including the nature of the transaction, amount, dates, and other relevant details. Supporting documentation and records related to the suspicious activity. Confidentiality of documents, protecting the integrity of ongoing investigations. Protection for reporting institutions from legal liability. Record keeping of SARs filed and supporting documentation, typically for five years. SAR narrative section that provides: 1) a detailed account of the suspicious activity, 2) the reasons for suspicion, and 3) any relevant background information. What happens after a suspicious activity report is filed? After an FI files a SAR, the investigation process begins. This usually starts with an initial review by the FI itself. The compliance department review the SAR to make sure it meets reporting criteria. Then, the FI can investigate internally by reviewing account records, transaction history, and relevant documents. Once FinCEN recieves the SAR they’ll send it to proper regulatory authorities. Law enforcement agencies may use SAR information to start investigations. If the case is serious enough, they may conduct surveillance, gather evidence, and take legal action. After filing a SAR, the FI should continue to monitor affected accounts or transactions. Because SARs are treated as confidential, the information they contain is not disclosed to the subject of the report. This confidentiality is crucial to protect the integrity of ongoing investigations. How to file suspicious activity reports Many FIs file SARs automatically through their fraud platforms based on rule triggers. These systems can monitor customer activity in real time and generate alerts as soon as a transaction meets the threshold. Manually filing SARs requires FIs to e-file them to FinCEN through the BSA E-Filing System. Any time a SAR is filed, the case management team will need to follow up and complete internal documentation as well as craft the SAR narrative. If you’re looking to utilize a platform that automates case management tasks and makes filing SARs simple, book a time to speak with our team about DataVisor’s AI-powered fraud prevention.