What Is a Suspicious Activity Report?
A Suspicious Activity Report (SAR) is a document that organizations, such as banks, neobanks, and payment processors, file with regulatory enforcers (such as FinCEN in the US) when they detect suspicious financial activity on their platforms.
Technically, all companies (regulated or otherwise) must legally submit SARs if they suspect suspicious financial activity.
In tangible terms, these reports tip off law enforcement agencies, which get to work investigating whether crimes like money laundering, fraud, terrorist financing, human trafficking, sanctions evasion, and other illicit activities are occurring.
Regulations vary worldwide concerning issues such as when a financial service files a report - for example, 30 days after the event. But sending SARs to regulatory bodies is mandatory in most jurisdictions globally.
In the past, a SAR in paper form was the norm - but as with other government forms in the digital age, such as tax returns, electronic filings are now standard (and in some cases, like FinCEN, electronic is the only option).
As sanctions.io reported, SAR filings are surging in 2023. You can read why here - Suspicious Activity Reports (SARs) Are Surging in 2023: 4 Reasons Why.
Where Are Suspicious Activity Reports Sent?
Before answering other pertinent questions, such as what is considered suspicious activity, it's crucial to understand the following:
The first thing that any compliance team - such as one at a new FinTech startup getting its head around SAR obligations - must do is work out with whom they are legally obliged to file reports.
There is no one-size-fits-all answer to this.
After all, each company has unique circumstances depending on its operational jurisdictions and whether it is regulated or non-regulated. A dedicated compliance or AML officer should complete this task (and continually monitor it for regulatory changes). Outside guidance may be necessary for smaller companies that don't have a dedicated expert managing the issue.
But let's look at some real examples of where SARs are filed:
The above links direct you to the account creation and login pages for filing SARs in the US and the UK. In the cases of those jurisdictions, these are the portals where companies file SARs.
Recommended reading - For general guidance about SAR filing processes, the following sanctions.io guide will be helpful.
What Is Considered Suspicious Activity?
Which activity is considered suspicious - and thus makes a SAR filing legally necessary - depends on the regulatory bodies to which your company is subject.
And once again, given that every organization has unique operational conditions, it's up to the compliance team (either internal or external) to determine the specific suspicious activity triggers based on the regulations they fall under.
Remember, the above links are to demonstrate how jurisdictions worldwide provide guidance.
Compliance teams must comprehensively understand the corresponding guidance from regulatory bodies they are subject to.
And this process is crucial. Why? Because if you get it wrong, meaning you fail to file SARs for transactions where you had a legal obligation to do so, regulatory enforcers may throw the book at you - which in real terms means hefty financial penalties and reputational damage.
However, here are some of the general triggers to file a SAR in jurisdictions worldwide:
- Customers breaking large transactions into smaller ones
- Customers using false or multiple IDs
- Two or more customers using the same or similar IDs
- Rapid movements of funds
- Transactions that are possibly for sanctions evasion purposes
- Unexplained sources of funds
- Unusually large cash deposits
- The suspicion of insider trading abuse
- Abnormal customer behavior
How Does Confidentiality Work in SAR Filings?
SAR filings may not have a red top secret stamp on them - but confidentiality is one of the most essential elements of a SAR.
But how so? Firstly, it's important to remember that individuals subject to a SAR filing are innocent until a legal case proves otherwise.
According to research from the Bank Policy Institute, only 4 percent of SARs result in any follow-up from law enforcement. And within that small percentage, only a tiny fraction results in a conviction.
The vast majority of individuals with a SAR filing against their name are innocent - that's why organizations submitting SARs must also take legal and data protection measures to protect the identity of the person they are reporting.
Again, different jurisdictions have varying legal requirements. But this is the reality: If you submit a SAR about a customer, and information about that customer (such as the name) enters the public domain, then employees from the company and the company itself may face criminal prosecution.
For example, in the United States, SAR confidentiality is protected under the Bank Secrecy Act (BSA).
Therefore, if SAR filings are necessary for your business operations, systems must also be set up to comply with confidentiality obligations.
It's also worth noting that many jurisdictions allow anonymous SAR filings. In this situation, the company and names of employees submitting the SAR are kept confidential and not disclosed to the authorities or the public.
But again (keeping AML and compliance officers busy working it all out), countries worldwide offer various levels of anonymity for different situations.
What Happens if You Fail To Send Suspicious Activity Reports?
Failing to file SARs can lead to serious legal consequences for the company and the employees in the organization responsible for them.
Again - and this is a common theme in the article - it depends on the jurisdiction as to how severe the penalties are. But all the following consequences are possible:
- Financial penalties
- Revoking licenses
- Reputational damage
- In extreme cases, imprisonment
SAR penalties are a real risk to companies. For example, only a few weeks ago (at the time of writing), the US Securities and Exchange Commission slapped a $12 million penalty on Merrill Lynch and its parent company for failing to submit SARs between 2009 and late 2019.