Photo courtesy of the author
Under the Bank Secrecy Act and regulations thereunder, financial institutions have long been required to file Suspicious Activity Reports (SARs) on a wide range of possible criminal activities with federal financial institution regulators. Over the past two decades, criminal and civil enforcement authorities have imposed BSA-related financial penalties in numerous cases for failure to file or untimely filing SARs.[1] At the same time, many in the financial sector have complained about the burdensomeness and questioned the value of SAR preparation.[2]
On October 9, the five federal financial institutions regulators (i.e., the Financial Crimes Enforcement Network, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency) jointly issued a document titled “Frequently Asked Questions Regarding Suspicious Activity Reporting Requirements” (SAR FAQs).[3] The SAR FAQs stated that “[t]he answers to these FAQs clarify regulatory requirements related to SARs to assist financial institutions with their compliance obligations while enabling institutions to focus resources on activities that produce the greatest value to law enforcement agencies and other authorized government users of Bank Secrecy Act (BSA) reporting.”[4]
Because the SAR FAQs restates some prior regulatory guidance and modifies other SAR guidance on SAR filing, this post will summarize and comment on each of the key issues that the SAR FAQs address.
Question 1: SAR Filings for Potential Structuring-related Activity
The SAR FAQs first ask, “Is a financial institution required to file a SAR for a transaction or a series of transactions with a value at or near the currency transaction reporting (CTR) threshold (i.e., over $10,000) absent information that the transaction or series of transactions is designed to evade BSA reporting requirements?” The answer is no:
The mere presence of a transaction or series of transactions by or on behalf of the same person at or near the $10,000 CTR threshold is not information sufficient to require the filing of a SAR. Financial institutions are only required to file a SAR if the institution knows, suspects, or has reason to suspect that the transaction or series of transactions are designed to evade CTR reporting requirements. Absent this knowledge, suspicion, or reason to suspect, financial institutions are not required to file a SAR.[5]
The SAR FAQs go on to summarize a financial institution’s obligations to file SARs in relation to structuring transactions, and states that a financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program
should be designed to detect and report structuring to guard against use of the institution for money laundering and ensure the institution is compliant with the suspicious activity reporting requirements of the BSA. The extent and specific parameters under which a financial institution must monitor accounts and transactions for suspicious activity should be commensurate with the level of money laundering and terrorist financing risk of the specific institution, considering the type of products and services it offers, the locations it serves, and the nature of its customers.[6]
Question 2: Continuing Activity Reviews
The SAR FAQs next ask, “Is a financial institution required to conduct a review of a customer or account following the filing of a SAR to determine whether suspicious activity has continued?” The answer is no:
Recognizing the burden that continued SAR filings on the same customer or account place on institutions, FinCEN suggested in October 2000 that institutions file a SAR for repeated and ongoing suspicious activity at least every 90 days. Over time, this suggestion has become interpreted as a requirement or expectation that financial institutions conduct a separate review of a customer or account following the filing of a SAR to determine whether suspicious activity has continued.
A financial institution is not required to conduct a separate review—manual or otherwise—of a customer or account following the filing of a SAR to determine whether suspicious activity has continued. Financial institutions instead may rely on risk-based internal policies, procedures, and controls to monitor and report suspicious activity as appropriate, provided those internal policies, procedures, and controls are reasonably designed to identify and report such activity.[7]
Question 3: Continuing Activity Reviews – Timeline
The SAR FAQs next ask, “What is the timeline for a financial institution that elects to file SARs in accordance with FinCEN’s continuing suspicious activity guidance?” Because prior regulatory guidance regarding filing timeline requirements was often well short of unambiguous, the answer deserves close scrutiny:
As noted in the prior FAQ, FinCEN previously suggested that financial institutions report continuing suspicious activity via a SAR filing at least every 90 days. Subsequent FinCEN guidance advised financial institutions to file SARs for continuing activity after a 90-day period with the filing deadline being 120 calendar days after the date of the previously related SAR filing.10 However, financial institutions are not required to do so and may instead file SARs as appropriate in line with applicable timelines. For financial institutions that elect to file SARs in accordance with FinCEN’s continuing suspicious activity guidance, below is a timeline in which a financial institution files a SAR with an identified subject and determines that suspicious activity has continued:
-
-
- Day 0: detection of facts that may constitute a basis for filing a SAR
- Day 30: filing of initial SAR
- Day 120: end of 90-day period
- Day 150: filing of a SAR for continued suspicious activity
-
When filing a SAR for continuing activity, the date or date range of suspicious activity (Item 30 on the SAR form) should include the entire 90-day period starting on the date immediately following the filing of the initial SAR or the date following the end of the previous 90-day period.[8]
Question 4: No SAR Documentation
Finally, the SAR FAQs ask, “Is a financial institution required to document the decision not to file a SAR?” Here again, the answer is no:
There is no requirement or expectation under the BSA or its implementing regulations for a financial institution to document its decision not to file a SAR. FinCEN has previously encouraged, but not required, financial institutions to document the decision not to file a SAR.
Should a financial institution choose to document its decision not to file a SAR, the level of appropriate documentation may vary based on the specifics of the activity being reviewed and need not exceed that which is necessary for the institution’s internal policies, procedures, and controls, which should be risk-based and reasonably designed to identify and report suspicious activity. In most cases, a short, concise statement documenting a financial institution’s SAR decision will likely suffice, although a financial institution may consider more documentation to explain the factors that the institution considered in reaching a SAR filing determination in more complex investigation scenarios.[9]
Comments
Although the SAR FAQs do not address the financial sector’s larger concerns about the overall burdensomeness and utility of SARs, they do provide some useful guidance on the circumstances in which financial institutions should file on potential structuring transactions and the need for post-SAR filing review of customers accounts, and state regulatory expectations for SAR filing timelines more clearly. They also generally clarify that financial institutions are not obligated to document their decisions not to file SARs, though financial institutions may still find it prudent to include in their AML/CFT programs some further guidance pertaining to extraordinary situations (e.g., when a financial institution decides not to file a SAR when a high-risk customer would be a subject).
Financial institutions should therefore review their AML/CFT programs with reference to the SAR FAQs and document any modifications they make in response to those FAQs. In addition, because the SAR FAQs do not address the full range of SAR issues that financial institutions may face, attorneys and compliance officers for financial institutions should also review the Wolfsberg Group Statement on Effective Monitoring for Suspicious Activity with reference to the FAQs.[10] Although issued before the SAR FAQs, the Wolfsburg Group Statement makers a number of pertinent observations on how to develop and implement a risk-based approach to suspicious activity monitoring.
Footnotes
[1] See, e.g., Financial Crimes Enforcement Network, FinCEN Assesses Record $1.3 Billion Penalty against TD Bank, October 10, 2024, https://www.fincen.gov/news/news-releases/fincen-assesses-record-13-billion-penalty-against-td-bank ($1.3 billion civil penalty in part for failure to file SARs on thousands of transactions); Securities and Exchange Commission, Deutsche Bank Subsidiary to Pay $4 Million for Untimely Filing Certain Suspicious Activity Reports, December 20, 2024, https://www.sec.gov/newsroom/press-releases/2024-208 ($4 million civil penalty for untimely filing of SARs).
[2] See Austin Anton, BPI Survey Finds FinCEN Significantly Underestimates SAR Filing Demands, Bank Policy Institute, April 17, 2024, https://bpi.com/bpi-survey-finds-fincen-significantly-underestimates-sar-filing-demands/; Independent Community Bankers Association, ICBA: Government Underestimates Suspicious Activity Reporting Burden, July 2, 2024, https://www.icba.org/newsroom/news-and-articles/2024/07/02/icba-government-underestimates-suspicious-activity-reporting-burden#:~:text=Washington%2C%20D.C.%20(July%202%2C,of%20community%20bank%20compliance%20burdens.%E2%80%9D.
[3] Financial Crimes Enforcement Network, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency, Frequently Asked Questions Regarding Suspicious Activity Reporting Requirements, October 9, 2025, https://www.fincen.gov/system/files/2025-10/SAR-FAQs-October-2025.pdf (hereinafter SAR FAQs).
[4] Id. 1.
[5] Id. 1-2 (footnotes omitted).
[6] Id. 2 (footnotes omitted).
[7] Id. 2-3 (footnote omitted).
[8] Id. 3-4 (footnotes omitted).
[9] Id. 4 (footnote omitted).
[10] Wolfsberg Group, Statement on Effective Monitoring for Suspicious Activity: Part I: Moving Beyond Automated Transaction Monitoring, July 1, 2024, https://db.wolfsberg-group.org/assets/e3d83d2f-fad9-46d2-b5a9-3cf4e932f53f.
Jonathan J. Rusch is Director of the U.S. and International Anti-Corruption Law Program and Adjunct Professor at American University Washington College of Law and a Senior Fellow with the NYU Program on Corporate Compliance and Enforcement at New York University Law School.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).