Key Takeaways
Chapter 11: Suspicious Activity Reporting and Case Management
Core Concept
Suspicious Activity Reporting (SAR filing) is the culminating output of the AML program — the mechanism by which financial institutions share intelligence about suspected money laundering with law enforcement authorities. The entire KYC, risk rating, and transaction monitoring infrastructure exists to generate qualified SAR referrals.
Essential Points
1. The Legal Filing Standard - US: "knows, suspects, or has reason to suspect" — a relatively low bar; covers objective indicators of suspicion, not just subjective certainty - UK: "knows or suspects" — POCA 2002; personal liability for individuals who know or suspect and fail to report - EU: "knows, suspects or has reasonable grounds to suspect" — AMLD5 - Filing threshold (US): $5,000 (banks); $2,000 (MSBs) - Filing deadline (US): 30 calendar days from initial detection of suspicious activity
2. The Tipping-Off Prohibition - Institutions that file a SAR are prohibited from disclosing the SAR's existence to the subject - This prohibition is absolute — not disclosure to the subject, not hints that a SAR was filed - Even exiting a relationship immediately after filing (if obvious it's SAR-related) can constitute tipping off - UK "Defence SARs": a specific mechanism for seeking NCA consent before proceeding with a transaction that would be money laundering
3. SAR Quality Is as Important as SAR Volume - The annual global SAR volume has grown to millions — not all are actionable - A high-quality SAR narrative: who (specific identifiers), what (precise transactions/amounts/dates), why suspicious (specific typology indicators), context (how this deviates from declared purpose/history), prior contact - A low-quality SAR: generic descriptions, vague amounts, no narrative explanation of why it's suspicious — low intelligence value, dilutes law enforcement resources - FinCEN has explicitly warned that defensive filings of little intelligence value divert law enforcement resources
4. Case Management Systems Are the Investigation Infrastructure - Functions: case intake, investigation workspace, decision workflow, post-filing management - Key capabilities: transaction history visualization, external database integration, network visualization, narrative drafting tools, SAR filing integration - Network visualization (graph-based) enables detection of structural money laundering patterns not visible in transaction tables
5. Graph Analytics for SAR Investigation - Transaction networks: nodes = accounts; edges = money flows weighted by amount - Betweenness centrality: identifies hub accounts through which many transaction paths flow - In/out ratio: identifies rapid transit nodes (receiving and passing on nearly all funds) - Fan-in/fan-out: identifies structuring networks (one account receiving from many; many accounts receiving from one)
6. The 30-Day Rule and Continuing Activity Management - 30 days from initial detection (60 days if subject unidentified) — institutions must track this deadline per case - Continuing activity: if suspicious activity persists after SAR filing, monitor at 90-day intervals and file continuing activity SARs when warranted - SAR filing does not mandate immediate relationship exit — continuing the relationship while monitoring is often appropriate; legal counsel should advise on timing
7. AI-Assisted SAR Drafting - Appropriate for: data synthesis (extracting transactions from case data), pattern description, typology matching, template completion - Not appropriate for: the judgment of suspicion itself; legal characterization; novel typology recognition - The model: AI drafts the data-synthesis component; trained analyst reviews, adds judgment, finalizes
Key Distinctions
| Aspect | US SAR (BSA/FinCEN) | UK SAR (POCA/NCA) | EU STR (AMLD) |
|---|---|---|---|
| Filing authority | FinCEN | NCA Financial Intelligence Unit | National FIU (varies by member state) |
| Legal standard | "Knows, suspects, or has reason to suspect" | "Knows or suspects" | "Knows, suspects, or reasonable grounds" |
| Threshold | $5,000 (banks) | No minimum | Varies by member state |
| Deadline | 30 days from detection | Promptly (no specific number) | Promptly / without delay |
| Tipping off | Federal crime | Criminal offence | Criminal offence |
| Defence/consent | Not applicable | Yes — defence SAR mechanism | Varies |
Connections to Other Chapters
- Chapter 7 (Transaction Monitoring): Transaction monitoring alerts are the primary input to case management and SAR investigation
- Chapter 8 (Sanctions): Confirmed sanctions matches generate OFAC reporting obligations — distinct from but managed through the same case management infrastructure as SARs
- Chapter 10 (Customer Risk Rating): Customer risk rating drives prioritization of SAR investigations — high-risk customers get higher investigation priority
- Chapter 23 (NLP): NLP techniques can assist SAR narrative analysis at the FIU level — identifying clusters of related SARs, extracting entity names, pattern recognition across the filing corpus
- Chapter 26 (Explainable AI): AI-assisted SAR drafting requires explainability — the analyst must understand why the AI described the pattern as it did before finalizing the narrative
Regulatory Reference Points
| Framework | SAR/STR Relevance |
|---|---|
| 31 USC 5318(g) | US SAR filing obligation |
| 31 CFR 1020.320 | FinCEN SAR regulations for banks |
| 31 CFR 1023.320 | FinCEN SAR regulations for broker-dealers |
| Proceeds of Crime Act 2002 (POCA), ss. 330–332 | UK SAR obligations for regulated sector |
| Terrorism Act 2000, ss. 21A–21D | UK terrorist financing reporting |
| AMLD5, Article 33 | EU STR obligations |
| FATF Recommendation 20 | International STR filing standard |
| FATF Recommendation 29 | FIU standards for receiving and analyzing SARs |
Continue to Part 3: Risk Management and Regulatory Reporting →