In This Chapter
- Opening: The SAR That Saved a Bank
- 11.1 The Legal Framework: SAR Obligations
- 11.2 The SAR Quality Problem
- 11.3 Case Management Systems
- 11.4 The SAR Narrative: Writing Effective Intelligence
- 11.5 Continuing Activity and 30-Day Continuing SARs
- 11.6 Technology-Assisted SAR Drafting
- 11.7 SAR Program Metrics and Management
- Chapter Summary
Chapter 11: Suspicious Activity Reporting and Case Management
Opening: The SAR That Saved a Bank
In 2011, a compliance analyst at a regional US bank was reviewing a customer account that had generated a persistent cluster of transaction monitoring alerts over several months. The alerts weren't unusual individually — each one had a plausible explanation. But the analyst noticed something that the monitoring system hadn't been designed to see: the pattern across all the alerts, taken together, looked like something she had read about in a FinCEN typology report. The customer was receiving funds from multiple international counterparties, converting them to cashier's checks, and then depositing those checks in small amounts across multiple branches.
She filed a SAR. The SAR was one of approximately 1.2 million filed in the US that year. It went to FinCEN. FinCEN shared it with federal law enforcement. The case connected to an ongoing federal investigation. The bank's SAR was the piece of evidence that enabled prosecutors to link several previously disconnected suspects.
The bank was commended. Its compliance analyst was recognized internally. The case was cited in subsequent FinCEN guidance as an example of effective financial intelligence.
The SAR filing was not the end of the work — it was the beginning of an investigation that the bank never knew about. But the filing happened because one analyst, reviewing a cluster of apparently routine alerts, made a judgment that something was not right and documented it.
This is what SAR filing is: a judgment about suspicion, documented and transmitted to the authorities who can act on it. The entire AML program — KYC, risk rating, transaction monitoring — exists to get to this moment.
11.1 The Legal Framework: SAR Obligations
US Requirements (Bank Secrecy Act / 31 CFR 1020.320)
US banks, broker-dealers, money service businesses, and other covered institutions must file a SAR when:
"The financial institution knows, suspects, or has reason to suspect that the transaction involves funds derived from illegal activity, or is intended to evade reporting requirements, involves no lawful purpose, or the transaction is not the sort in which the particular customer would normally be expected to engage."
Mandatory elements of a SAR:
1. Who: Identity of subject(s) — to the extent known
2. What: Description of the suspicious activity
3. Where: Financial institution and account information
4. When: Date and amount(s) of suspicious transaction(s)
5. How: How the suspicious activity was conducted (methodological description)
Filing threshold: $5,000 for banks (transactions involving funds exceeding $5,000); $2,000 for MSBs.
Filing deadline: 30 calendar days after the date of the initial detection of facts that may constitute a basis for filing a SAR. If no subject can be identified, 60 days. In cases where immediate notification of law enforcement is necessary, FinCEN can be notified immediately and the SAR filed within 30 days.
Confidentiality (the "tipping off" prohibition): Institutions that file a SAR are prohibited from notifying the subject of the SAR that it has been filed. Disclosure of a SAR — except to authorized law enforcement or regulatory personnel — is a federal crime.
UK Requirements (POCA 2002 / Terrorism Act 2000)
UK suspicious activity report obligations arise from two primary statutes:
Proceeds of Crime Act 2002 (POCA): Regulated sector institutions (banks, building societies, investment firms, MSBs, lawyers, accountants) must submit a SAR (called a "Suspicious Activity Report" or "SAR" in the UK) to the National Crime Agency (NCA)'s Financial Intelligence Unit when they "know or suspect" that a person is engaged in money laundering.
Terrorism Act 2000: Separate reporting obligation when a person has information about terrorist financing.
UK-specific elements:
- "Defence" SAR: An institution may seek a "consent" (or "defence") from the NCA before proceeding with a transaction that would otherwise be money laundering — allowing the institution to transact after receiving NCA consent or after 7 working days without response
- Moratorium period: Following an "appropriate consent" request, the NCA has 7 working days to respond; during this period the institution cannot process the transaction without consent
- The full SAR: The institution must also file a full SAR within 30 days of the consent/defence SAR
EU Requirements (AMLD5)
AMLD5 requires member states to ensure that financial institutions submit a suspicious transaction report (STR) to the national financial intelligence unit (FIU) when they "know, suspect or have reasonable grounds to suspect" that funds are the proceeds of criminal activity or are related to terrorist financing.
The specific form and filing process varies by member state FIU.
11.2 The SAR Quality Problem
The annual volume of SAR filings globally has grown dramatically: FinCEN received approximately 3.9 million SARs in the US in 2022. The UK NCA received approximately 901,000 SARs in 2022-23.
This volume creates a law enforcement intelligence challenge: not all SARs are actionable; some represent genuine intelligence; many represent compliance-driven filings that add volume without adding value.
The Quality Spectrum
At the low-quality end: a SAR filed to achieve a filing metric, or to "defensively file" when uncertainty exists. These SARs describe the suspicious activity in generic terms ("transactions inconsistent with customer's stated business purpose"), provide minimal context, and leave law enforcement to do all the investigative work.
At the high-quality end: a SAR that provides a comprehensive, structured description of the suspicious activity — including a narrative that synthesizes the transaction data, customer profile, counterparty information, and the analyst's reasoning about why the activity is suspicious. These SARs enable law enforcement to assess the intelligence value quickly and connect the information to broader investigations.
FinCEN SAR Quality Guidance
FinCEN has consistently emphasized that SAR quality matters as much as SAR quantity. Key quality dimensions:
Narrative clarity: The SAR narrative should tell a coherent story about what happened, in plain language. "Account received multiple wire transfers from offshore entities with no apparent business connection to the account holder, converted the proceeds to cashier's checks, and deposited the checks at multiple branch locations" is more useful than "Unusual transactions observed."
Complete subject identification: All known identifiers for the subject — name, address, date of birth, account number, TIN/SSN, phone numbers, email addresses, associated entities — should be included.
Specific amounts and dates: The SAR should reference specific transaction amounts and dates, not ranges or approximations.
Methodological description: How was the suspicious activity conducted? What specific products, accounts, or transaction types were involved? What geographic connections existed?
Law enforcement contact: If law enforcement has already been contacted about the subject, the SAR should note this.
11.3 Case Management Systems
A case management system is the technology platform that supports the SAR investigation and filing process — from the initial alert that triggers a case through the investigation, the SAR filing, and post-filing tracking.
Core Case Management Functions
```text
CASE MANAGEMENT SYSTEM — FUNCTIONAL ARCHITECTURE

┌─────────────────────────────────────────────────────────┐
│  CASE INTAKE                                            │
│  Alert escalation from transaction monitoring           │
│  Manual case creation (relationship manager, external)  │
│  Law enforcement request or court order                 │
└────────────────────────┬────────────────────────────────┘
                         │
                         ▼
┌─────────────────────────────────────────────────────────┐
│  INVESTIGATION WORKSPACE                                │
│  Customer profile panel (KYC data, risk rating)         │
│  Transaction history and pattern visualization          │
│  External database links (OSINT, regulatory databases)  │
│  Document attachment and evidence management            │
│  Analyst notes and investigation log                    │
│  Counterparty analysis and network visualization        │
└────────────────────────┬────────────────────────────────┘
                         │
                         ▼
┌─────────────────────────────────────────────────────────┐
│  DECISION WORKFLOW                                      │
│  Case classification: SAR / No SAR / Pending            │
│  Approval routing (senior review for complex cases)     │
│  SAR drafting tool (narrative generation support)       │
│  Filing integration (FinCEN BSA E-Filing / NCA)         │
└────────────────────────┬────────────────────────────────┘
                         │
                         ▼
┌─────────────────────────────────────────────────────────┐
│  POST-FILING MANAGEMENT                                 │
│  SAR registry (tracking all filed SARs)                 │
│  Account status (continuing / closed)                   │
│  Law enforcement response tracking                      │
│  Continuing activity monitoring (30-day SAR)            │
│  Regulatory examination support (pull SAR files)        │
└─────────────────────────────────────────────────────────┘
```
Case Investigation Tools
Effective case investigation requires synthesizing information from multiple sources. Modern case management platforms integrate:
Internal data: Transaction history, account information, product usage, KYC file, prior alert history, prior SAR history (masked subject reference)
Commercial data: Adverse media search results, PEP/sanctions screening results, corporate registry and beneficial ownership data, credit bureau data (where permitted)
Public sources (OSINT): Company filings, court records, news archives, social media (for entity verification, not personal monitoring)
Law enforcement and regulatory data: FinCEN SAR database lookups (where authorized), law enforcement information sharing (through established LE relationships)
Network Visualization
One of the most valuable features of modern case management systems is network visualization — displaying the financial relationships between subjects, accounts, and counterparties as a visual graph rather than a table of transactions.
```python
"""
Financial network visualization for SAR investigation.

Constructs a transaction network graph from case data and
identifies structural characteristics relevant to AML investigations:
- Hub accounts (high transaction betweenness centrality)
- Rapid transit nodes (high in/out with low balance)
- Peripheral accounts that may be smurfing points
"""
from collections import defaultdict

import networkx as nx


def build_transaction_network(transactions: list[dict]) -> nx.DiGraph:
    """
    Build a directed transaction graph from a list of transactions.

    Each transaction: {
        "from_account": str,
        "to_account": str,
        "amount": float,
        "date": str
    }

    Returns a directed graph where:
    - Nodes = accounts
    - Edges = transaction flows (weighted by total amount)
    """
    graph = nx.DiGraph()
    edge_weights: dict[tuple[str, str], float] = defaultdict(float)
    edge_counts: dict[tuple[str, str], int] = defaultdict(int)

    # Collapse repeated transfers between the same pair into one edge
    for txn in transactions:
        src = txn["from_account"]
        dst = txn["to_account"]
        edge_weights[(src, dst)] += txn["amount"]
        edge_counts[(src, dst)] += 1

    for (src, dst), total_amount in edge_weights.items():
        graph.add_edge(
            src, dst,
            weight=total_amount,
            transaction_count=edge_counts[(src, dst)]
        )
    return graph


def identify_aml_risk_nodes(graph: nx.DiGraph) -> dict[str, dict]:
    """
    Calculate risk metrics for each node in the transaction network.

    Returns dict keyed by node ID with the following risk metrics:
    - betweenness_centrality: nodes through which many transaction paths flow
    - in_out_ratio: ratio of total inflows to total outflows
    - fan_out: number of distinct recipients (potential structuring indicator)
    - fan_in: number of distinct senders
    """
    if len(graph.nodes) == 0:
        return {}

    # Betweenness centrality: important intermediary nodes.
    # Computed on hop counts: networkx interprets edge weights as distances,
    # so passing the amounts as weights would steer paths away from large flows.
    centrality = nx.betweenness_centrality(graph)

    node_metrics = {}
    for node in graph.nodes:
        # In/out flows
        in_flow = sum(graph[pred][node]["weight"]
                      for pred in graph.predecessors(node))
        out_flow = sum(graph[node][succ]["weight"]
                       for succ in graph.successors(node))
        in_out_ratio = in_flow / out_flow if out_flow > 0 else float("inf")

        # An account that receives funds and sends nothing on is a sink,
        # not a transit node, so compare outflow against inflow directly.
        rapid_transit = (
            in_flow > 10_000                  # Material amount
            and out_flow >= 0.85 * in_flow    # Passing through most of what comes in
        )

        node_metrics[node] = {
            "betweenness_centrality": centrality.get(node, 0),
            "in_flow": in_flow,
            "out_flow": out_flow,
            "in_out_ratio": in_out_ratio,
            "fan_in": graph.in_degree(node),
            "fan_out": graph.out_degree(node),
            "is_rapid_transit": rapid_transit,
            "risk_indicators": []
        }

        # Flag risk indicators
        if centrality.get(node, 0) > 0.5:
            node_metrics[node]["risk_indicators"].append("HIGH_CENTRALITY")
        if rapid_transit:
            node_metrics[node]["risk_indicators"].append("RAPID_TRANSIT")
        if graph.out_degree(node) >= 5 and out_flow > 10_000:
            node_metrics[node]["risk_indicators"].append("HIGH_FAN_OUT")

    return node_metrics
```
11.4 The SAR Narrative: Writing Effective Intelligence
The SAR narrative is the most important element of the SAR from a law enforcement utility perspective. A well-written narrative enables law enforcement to quickly assess whether to prioritize the SAR and how to use it in investigations.
The Five Elements of an Effective SAR Narrative
1. The subject — Who is involved? What is their known identity? What is their account relationship with the institution?
2. The activity — What happened? What transactions occurred? Over what time period? What amounts?
3. The suspicious pattern — Why is this suspicious? What specific indicators made the analyst conclude suspicion rather than explain the activity away? Reference to FATF typologies or FinCEN guidance is helpful.
4. The context — What do we know about the customer that makes this activity inconsistent? What was their declared business purpose? What does their historical transaction pattern look like compared to the current activity?
5. Prior contact or investigation — Has law enforcement been contacted? Has the institution filed prior SARs on this subject? Are there related accounts or entities the institution has identified?
SAR Narrative Example: Structuring Case
Poor quality narrative:
"Customer made multiple deposits below the $10,000 reporting threshold over a short period. Activity appears suspicious and inconsistent with customer's account history."
High quality narrative:
"Cornerstone Financial Group submits this SAR regarding JOHN DOE SMITH (DOB 01/15/1978, SSN XXX-XX-1234), who maintains a personal checking account (No. XXXXXX8832) at the Westside Branch, since September 2019.
During the period 03/01/2023 through 03/22/2023, SMITH conducted 11 cash deposits across three Cornerstone branches totaling $95,300. Each individual deposit ranged from $7,500 to $9,800, and no single deposit exceeded the $10,000 CTR filing threshold. The deposits were made at three branch locations (Westside, Northgate, and Riverside) on 11 distinct business days. This pattern is consistent with the structuring typology described in FinCEN Advisory FIN-2019-A001.
SMITH's account history from September 2019 through February 2023 (42 months) shows average monthly deposits of $3,200, consistent with his stated occupation as a self-employed contractor. The March 2023 activity represents a 2,981% increase over his historical monthly average.
No apparent business purpose consistent with SMITH's contractor occupation explains the cash deposits across multiple branch locations. SMITH has not contacted the bank to explain this activity. No prior SARs are on file for this customer. Law enforcement has not been contacted.
Cornerstone Financial Group requests that FinCEN evaluate this information in connection with potential criminal structuring under 31 U.S.C. § 5324."
11.5 Continuing Activity and 30-Day Continuing SARs
When suspicious activity continues after a SAR has been filed, the institution must evaluate whether additional SAR filings are required.
The 90-day rule: Financial institutions should review their filed SARs at least every 90 days. If the suspicious activity is continuing, a "continuing activity SAR" should be filed.
The 30-day SAR: Under FinCEN regulations, if suspicious activity continues after a SAR has been filed, a continuing activity SAR should be filed for each subsequent 90-day period (or sooner if new significant activity warrants). However, in practice, FinCEN does not require a SAR for every 90-day window — the requirement is to monitor continuing activity and file when warranted.
Account continuation vs. exit: When a SAR is filed, the institution must make a separate decision about whether to continue or exit the customer relationship. Exiting a relationship immediately after SAR filing — or citing compliance concerns as the reason for exit — could constitute "tipping off" the subject about the SAR investigation. Most institutions continue the relationship for a period while monitoring continues, consulting legal counsel about the appropriate timing of any relationship exit.
11.6 Technology-Assisted SAR Drafting
One of the more recent RegTech applications is AI-assisted SAR narrative drafting — systems that analyze the case data (transactions, customer profile, alert history) and generate a draft SAR narrative that analysts can review and finalize.
What AI Can Do
Data synthesis: Extract and organize transaction data, dates, amounts, and counterparties from the case management system into a structured format
Pattern description: Describe the pattern in plain language based on the transaction data ("Account received X wires totaling $Y from Z counterparties over a period of N days")
Typology matching: Identify the AML typology most closely matched by the transaction pattern and reference relevant FinCEN guidance
Template completion: Fill in standard SAR fields (who, what, when, where) from case data
What AI Cannot Do
Judgment about suspicion: The decision to file a SAR requires a human judgment that the analyst "knows, suspects, or has reason to suspect" money laundering. AI can describe patterns; only the analyst can conclude suspicion.
Legal nuance: The decision about how to characterize activity for legal purposes requires human judgment and, in complex cases, legal counsel.
Novel typology recognition: AI trained on known typologies cannot reliably identify genuinely novel money laundering methods.
The appropriate model: AI drafts the data-synthesis and pattern-description components; a trained analyst reviews, augments with judgment, and finalizes. This reduces the average SAR narrative drafting time while maintaining the human judgment requirement.
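The data-synthesis and pattern-description steps described above do not need a generative model to be useful. The following is an added example, not code from the chapter: a deterministic drafter that aggregates cash deposits and renders the factual paragraph, leaving a marker where the analyst must state the judgment. The `CashDeposit` type, the function names and the sample deposits are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 10_000  # CTR filing threshold cited in the chapter's narrative example


@dataclass(frozen=True)
class CashDeposit:
    when: date
    branch: str
    amount: int  # whole US dollars


def summarize_deposits(deposits, baseline_monthly):
    """Aggregate the facts for the narrative; makes no judgment about suspicion."""
    if not deposits:
        raise ValueError("no deposits in the review period")
    if baseline_monthly <= 0:
        raise ValueError("baseline must be positive to compute a percentage")
    per_day = defaultdict(int)  # same-day deposits are totaled across branches
    for d in deposits:
        per_day[d.when] += d.amount
    amounts = [d.amount for d in deposits]
    total = sum(amounts)
    peak_day = max(per_day, key=per_day.get)
    return {
        "count": len(deposits), "total": total,
        "min": min(amounts), "max": max(amounts),
        "start": min(per_day), "end": max(per_day),
        "branches": sorted({d.branch for d in deposits}),
        "distinct_days": len(per_day),
        "none_exceeds_ctr": max(amounts) <= CTR_THRESHOLD,
        "peak_day": peak_day, "peak_day_total": per_day[peak_day],
        "pct_over_baseline": round((total - baseline_monthly) / baseline_monthly * 100),
    }


def draft_activity_paragraph(subject, s):
    """Render the summary as plain-language draft text for analyst review."""
    parts = [
        f"During the period {s['start']:%m/%d/%Y} through {s['end']:%m/%d/%Y}, "
        f"{subject} conducted {s['count']} cash deposits across "
        f"{len(s['branches'])} branches ({', '.join(s['branches'])}) "
        f"totaling ${s['total']:,}.",
        f"Individual deposits ranged from ${s['min']:,} to ${s['max']:,} "
        f"and were made on {s['distinct_days']} distinct days.",
    ]
    if s["none_exceeds_ctr"]:
        parts.append(f"No single deposit exceeded the ${CTR_THRESHOLD:,} CTR filing threshold.")
    if s["peak_day_total"] > CTR_THRESHOLD:
        parts.append(f"Deposits on {s['peak_day']:%m/%d/%Y} totaled "
                     f"${s['peak_day_total']:,} for that day.")
    parts.append(f"The period total is {s['pct_over_baseline']:,}% above the "
                 "customer's historical monthly average.")
    # The suspicion judgment is deliberately left to the analyst.
    parts.append("[ANALYST: state why this activity is or is not suspicious.]")
    return " ".join(parts)


# Constructed sample data, not taken from any real case.
SAMPLE = [
    CashDeposit(date(2023, 3, 1), "Westside", 9_500),
    CashDeposit(date(2023, 3, 3), "Northgate", 8_700),
    CashDeposit(date(2023, 3, 6), "Riverside", 9_800),
    CashDeposit(date(2023, 3, 8), "Westside", 7_500),
    CashDeposit(date(2023, 3, 10), "Northgate", 9_200),
    CashDeposit(date(2023, 3, 10), "Riverside", 9_300),
]
SUMMARY = summarize_deposits(SAMPLE, baseline_monthly=3_000)
DRAFT = draft_activity_paragraph("SUBJECT A", SUMMARY)
```

Printing `DRAFT` shows the paragraph an analyst would edit; the same-day total is reported because two sub-threshold deposits at different branches on one day add up to more than the threshold.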
11.7 SAR Program Metrics and Management
An effective SAR program is measurable. Key metrics for program management:
| Metric | Description | Industry Benchmark |
|---|---|---|
| SARs filed per FTE analyst per month | Output efficiency | 3–8 (varies with complexity) |
| Alert-to-SAR conversion rate | What % of investigated alerts result in a SAR? | 0.5–3% |
| Average case cycle time | Days from alert escalation to SAR filing | 20–30 days |
| SAR filing deadline compliance | % of SARs filed within 30-day deadline | 99%+ |
| SAR quality scores (QA-reviewed) | Narrative quality assessment | > 4.0/5.0 |
| Continuing SAR rate | % of filed SARs requiring continuing filings | Varies significantly |
| Law enforcement inquiries referencing institution's SARs | Indicates SARs are generating intelligence value | Tracked but confidential |
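Several of these metrics can be computed directly from case records. The following is an added example, not code from the chapter: it derives conversion rate, average cycle time and deadline compliance, applying the 30-day and 60-day filing deadlines from section 11.1, and lists open cases that are close to or past their deadline. The `Case` fields, the five-day warning window and the sample cases are assumptions; the sample is too small for its percentages to be compared with the benchmarks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Case:
    case_id: str
    escalated_on: date            # alert escalated into a case
    detected_on: Optional[date]   # initial detection of facts supporting a SAR
    subject_identified: bool
    disposition: str              # "SAR", "NO_SAR" or "PENDING"
    filed_on: Optional[date] = None


def filing_deadline(case: Case) -> date:
    """30 calendar days from initial detection; 60 if no subject is identified."""
    if case.detected_on is None:
        raise ValueError(f"{case.case_id}: no detection date recorded")
    return case.detected_on + timedelta(days=30 if case.subject_identified else 60)


def pct(part: int, whole: int) -> Optional[float]:
    """Percentage rounded to one decimal, or None when there is no denominator."""
    return round(part / whole * 100, 1) if whole else None


def program_metrics(cases: list[Case], as_of: date, warn_days: int = 5) -> dict:
    decided = [c for c in cases if c.disposition in ("SAR", "NO_SAR")]
    filed = [c for c in decided if c.disposition == "SAR" and c.filed_on]
    late = sorted(c.case_id for c in filed if c.filed_on > filing_deadline(c))
    cycle = [(c.filed_on - c.escalated_on).days for c in filed]
    # Open cases whose deadline falls within warn_days of as_of, or has passed.
    due = sorted(
        c.case_id for c in cases
        if c.disposition == "PENDING" and c.detected_on
        and (filing_deadline(c) - as_of).days <= warn_days
    )
    return {
        "conversion_rate_pct": pct(len(filed), len(decided)),
        "avg_cycle_days": round(sum(cycle) / len(cycle), 1) if cycle else None,
        "deadline_compliance_pct": pct(len(filed) - len(late), len(filed)),
        "late": late,
        "due_soon_or_overdue": due,
    }


# Constructed case records, not taken from any real institution.
CASES = [
    Case("C-001", date(2023, 3, 1), date(2023, 3, 6), True, "SAR", date(2023, 3, 28)),
    Case("C-002", date(2023, 3, 2), date(2023, 3, 10), True, "SAR", date(2023, 4, 14)),
    Case("C-003", date(2023, 3, 5), date(2023, 3, 8), False, "SAR", date(2023, 4, 30)),
    Case("C-004", date(2023, 3, 7), None, True, "NO_SAR"),
    Case("C-005", date(2023, 4, 1), date(2023, 4, 3), True, "PENDING"),
    Case("C-006", date(2023, 4, 20), date(2023, 4, 22), True, "PENDING"),
]
AS_OF = date(2023, 4, 30)
METRICS = program_metrics(CASES, AS_OF)

if __name__ == "__main__":
    for name, value in METRICS.items():
        print(f"{name}: {value}")
```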
The Defensive SAR Problem
An ongoing concern in SAR programs is "defensive filing" — filing SARs not because the analyst genuinely suspects money laundering, but to protect the institution from regulatory criticism if suspicious activity is later identified on an account where no SAR was filed.
Defensive filing dilutes the intelligence value of the SAR database: law enforcement resources are devoted to assessing low-quality filings. FinCEN has explicitly noted that "unnecessarily filing SARs of little or no value diverts law enforcement resources."
The compliance culture counterpoint: in an environment where regulatory penalties for missed SARs are severe, relationship managers and compliance officers face asymmetric incentives — the penalty for a missed genuine SAR is greater than the reputational cost of a defensive filing. Addressing this incentive structure requires explicit program guidance and leadership that values SAR quality over SAR quantity.
Chapter Summary
Suspicious Activity Reporting is the culminating output of the AML program — the mechanism by which financial institutions share intelligence about suspected money laundering with law enforcement and regulatory authorities.
The legal framework — US SAR (Bank Secrecy Act), UK SAR (POCA 2002), EU STR (AMLD5) — creates a mandatory reporting obligation when suspicion of money laundering exists, with specific filing deadlines, confidentiality requirements, and content standards.
SAR quality matters as much as SAR quantity. A well-written SAR narrative — specific, coherent, and descriptive — enables law enforcement to use the intelligence effectively. A generic, defensive filing adds noise without signal.
Case management systems provide the investigation workspace and filing infrastructure — integrating transaction data, customer profiles, external databases, network visualization, and SAR filing tools into a single analyst environment.
Network analysis using graph algorithms (betweenness centrality, in/out ratio, fan-out analysis) can identify structural characteristics of money laundering schemes — hub accounts, rapid transit nodes, structuring networks — that are difficult to identify from transaction tables alone.
AI-assisted SAR drafting can accelerate the data-synthesis component of narrative writing, but the judgment about suspicion and the final narrative review remain essential human functions.
The 30-day deadline and continuing SAR obligations require program discipline — a calendar management function that is often underestimated in SAR program design.