What is a Suspicious Activity Report (SAR)? Complete Filing Guide for 2026

The SAR is the operational endpoint of the AML compliance programme. Customer onboarding, transaction monitoring, sanctions screening, and analyst investigation all exist to surface potential financial crime — and the SAR is the mechanism through which that surfaced suspicion is escalated to the authorities who can act on it.

The SAR process is also where the personal stakes are highest for compliance professionals. The decision to file (or not file) a SAR is the MLRO's personal regulatory responsibility. Doing it well requires not just the right systems but the right judgement, applied consistently across thousands of cases per year in larger institutions.

A SAR does not appear out of nowhere. It is the outcome of a structured investigation that begins with an alert (typically generated by transaction monitoring, sanctions screening, or staff escalation), proceeds through analyst investigation, escalates to MLRO review, and concludes either with a SAR filing or with a documented decision not to file.

Alerts can come from automated monitoring systems (a transaction crosses a defined threshold or matches a defined typology), from sanctions or PEP screening (a customer or counterparty matches a watchlist entry), or from human staff (a relationship manager notices behaviour they consider unusual). All three are valid sources and all three must feed into the same investigation workflow.

The alert is assigned to an analyst for triage. The triage step distinguishes alerts that warrant deeper investigation from alerts that can be closed at first review (the most common cause of which is false-positive sanctions matches against common names). Triage decisions and rationale must be documented — a closed alert that later turns out to have been a missed SAR will be examined by regulators.

Where deeper investigation is warranted, the analyst pulls the customer's full profile, transaction history, and any prior alerts; reviews the specific behaviour that triggered the alert; assesses whether there is a legitimate explanation; and where appropriate, escalates internally to obtain additional information from the relationship manager or, in limited cases, from the customer directly. The investigation, the evidence reviewed, and the analyst's conclusions must all be documented in the case management system.

Where the investigation cannot exclude suspicion, the case escalates to the MLRO. The MLRO's decision — whether to file a SAR — is the personal regulatory responsibility that defines the role. The MLRO must document the decision and the rationale, including the reasoning if the decision is not to file. An MLRO who is overruled on a SAR decision by commercial management is a regulatory failure in itself.

Where the decision is to file, the SAR is submitted to the relevant FIU through the prescribed channel — the NCA SAR Online portal in the UK, FinCEN BSA E-Filing System in the US, the STRO online portal in Singapore. Each FIU has specific format requirements and the filing must be made within the regulatory deadline (typically 30 days from the initial detection of the relevant facts).

Filing a SAR does not end the firm's obligations or terminate the relationship. The firm typically continues to operate the relationship while the FIU and law enforcement evaluate the report. In some cases, the FIU will issue a "consent" framework allowing specific transactions to proceed (or requiring them to be blocked); in other cases, the firm continues normal operation and supplements the original SAR with further reports as new information emerges.

The firm must also retain all records relating to the SAR — the original alert, the investigation file, the MLRO decision, and the SAR itself — for the regulatory retention period (typically five years from the filing or from the end of the relationship, whichever is later). These records are subject to subpoena and routinely examined during regulatory inspections.