STR / SAR Filing Explained
How Banks Actually Make the “File or Not” Decision
A SAR is the most consequential single document a bank files with a regulator. Filing too few is a regulatory finding. Filing too many dilutes FIU intelligence. This guide covers the suspicion threshold, narrative structure, regional regimes (FinCEN SAR, UK NCA, FIU-IND, FIU.ae, STRO, JFIU), and what separates a good SAR from a defensive one.
The Suspicious Activity Report (SAR) — called Suspicious Transaction Report (STR) in many jurisdictions — is the single most consequential document a bank files with law enforcement. It’s the output that converts everything a KYC team does (customer profiles, EDD files, screening dispositions, transaction-monitoring alerts, AML investigations) into actionable intelligence for Financial Intelligence Units (FIUs) around the world. Under-filing attracts regulatory fines; over-filing dilutes FIU capacity and gets the bank labelled as a “defensive filer.” Calibrating the decision precisely is one of the hardest judgement calls in financial crime compliance.
This guide walks through SAR / STR filing as it actually operates at tier-1 banks and sophisticated KPO teams in 2026: the suspicion threshold under each major regime, the eight global FIU pathways, what a well-written narrative looks like, tipping-off restrictions, post-filing operations, and real scenarios from JPMorgan New York, Barclays London, HSBC Mumbai, Citi, Emirates NBD Dubai, BNY, State Street, eClerx, Genpact, WNS, and Revolut.
What a SAR / STR Actually Is
A SAR (or STR) is a confidential report filed by a regulated financial institution with its national Financial Intelligence Unit (FIU) when the institution has reasonable grounds to suspect that funds or transactions are connected to proceeds of crime, money laundering, terrorist financing, sanctions evasion, fraud, or other predicate offences. It is not an accusation and does not require proof — the statutory threshold is “suspicion,” not certainty.
Different jurisdictions use different acronyms for the same underlying concept. SAR is used in the US (FinCEN), the UK (NCA), and Canada. STR is used in India (FIU-IND), the UAE (FIU.ae), Singapore (STRO), Hong Kong (JFIU), and most EU jurisdictions (national FIUs). Some regimes also have secondary reports — CTRs (Currency Transaction Reports) in the US, DNFBP reports for designated non-financial businesses, and sanctions-specific filings (OFSI breach reports, OFAC voluntary self-disclosure). This guide uses SAR generically, but the mechanics translate.
The “Suspicion” Threshold — What It Actually Means
The legal threshold for filing a SAR is not “proof,” not “probable cause,” and not “beyond reasonable doubt.” It is reasonable suspicion — a substantially lower bar. The exact wording varies by regime but the substance is remarkably consistent.
| Regime | Statutory Threshold | Reporting Timeframe |
|---|---|---|
| US (BSA, FinCEN) | “Knows, suspects, or has reason to suspect” — subject-based suspicion around proceeds, structuring, or no-lawful-purpose patterns | 30 days from detection; 60 if unable to identify subject |
| UK (POCA 2002, MLR 2017) | “Knows or suspects, or has reasonable grounds for knowing or suspecting” | As soon as practicable after the MLRO is consented, before completing the reportable act |
| EU (6AMLD) | “Knows, suspects, or has reasonable grounds to suspect” — harmonised across 27 member states | Promptly; member states set specific deadlines |
| UAE (DFSA AML Module, FIU.ae) | “Reasonable grounds to suspect” | Without delay; typically 48 hours |
| Singapore (MAS Notice 626, STRO) | “Knowledge or reasonable suspicion” | Within 15 business days of forming the suspicion |
| Hong Kong (AMLO, JFIU) | “Knowledge or suspicion” | As soon as reasonably practicable |
| India (PMLA, FIU-IND) | “Reason to believe” the transaction is suspicious | Within 7 working days of conclusion that a transaction is suspicious |
| Canada (PCMLTFA, FINTRAC) | “Reasonable grounds to suspect” | Within 30 days |
A common interview mistake is saying “we’d need evidence of money laundering before filing.” That’s wrong. Reasonable suspicion is a substantially lower threshold than proof or even probable cause. If the activity is inconsistent with the KYC profile, cannot be reconciled to legitimate commercial rationale after a reasonable investigation, and aligns with known typologies — the threshold is met. The FIU is the body that investigates further; the bank’s role is to surface the signal.
The 8 Global FIUs — Where SARs Actually Go
| FIU | Jurisdiction | Filing Portal / Mechanism |
|---|---|---|
| FinCEN | United States | BSA E-Filing System; SAR form 111 |
| NCA UK FIU | United Kingdom | SAR Online (successor to Moneyweb); DAML (defence against money laundering) requests |
| FIU-IND | India | FINnet 2.0; STR, CTR, NTR, CBWTR filings |
| FIU.ae (UAE) | UAE Federal + DIFC / ADGM free zones | goAML Platform (UNODC-standardised) |
| STRO | Singapore | STR Online portal |
| JFIU | Hong Kong | STR-based via dedicated JFIU channels |
| FINTRAC | Canada | FWR (F2R) reporting system |
| National FIUs | EU member states (co-ordinated via AMLA from 2026) | goAML in most member states; national portals where applicable |
The 7-Section SAR Narrative — What Regulators Want to See
Every major FIU publishes narrative guidance, and the structure converges on seven core sections. A good SAR narrative is tight, factual, and investigation-ready — it reads like a case file, not a memo. The FIU analyst reading it needs to understand in under 15 minutes: who, what, when, where, how, why suspicion was formed, and what the bank did.
Subject Information
Who the SAR is about. Full legal name(s), including any aliases. Date of birth, nationality, identity document numbers. Address history relevant to the reporting window. UBOs and controlling parties where the subject is an entity. Roles, employers, and known counterparties.
Account & Relationship Summary
Which accounts are involved. Account numbers, account types, opening dates, declared NOB, customer risk rating at the time of the activity, and any prior SARs filed on the same subject. For corporate customers, UBO mapping and authorised-signatory list.
Activity Description — Factual and Sequential
What happened, in factual sequence. Dates, amounts, currencies, counterparties, originators, beneficiaries, wire types (domestic/international, SWIFT/RTGS), payment routing. No adjectives, no speculation, no interpretation — just the ledger-level facts a law-enforcement investigator could corroborate from records.
Typology Mapping
Which recognised typology the activity maps to. Structuring, funnel account, third-party payments, trade-based laundering, crypto-cycling, shell-company layering, correspondent-banking abuse. If the pattern matches a published FIU alert or a FATF typology study, reference it by name.
Why Suspicion Was Formed
The heart of the SAR. What makes this activity suspicious rather than commercially routine? Reconciliation attempts made and why they failed. Inconsistency with KYC profile. Adverse media or screening hits. Unexplained counterparties. Pattern alignment with typology. This section must show the analytical chain — “expected X based on KYC; observed Y; could not be reconciled after A, B, C; suspicion formed because of D, E, F.”
Bank’s Actions
What the bank did in response. Internal escalations. Customer contact (if made — tipping-off rules apply). EDD refresh. Risk re-rating. Account restrictions. Relationship exit plans. If the activity is ongoing, what monitoring is in place pending FIU guidance.
Supporting Evidence Index
An index of supporting documents retained and available on request — transaction records, KYC file, EDD refresh memo, screening outputs, adverse-media sources, counterparty documentation. FIU analysts rarely ask for all supporting evidence, but regulators auditing the SAR quality look for the index to confirm the filing was substantiated.
Tipping-Off — The Rule That Shapes Everything
Under every major AML regime, it is a criminal offence to inform the subject of a SAR that a SAR has been filed, or to disclose information that might prejudice a law-enforcement investigation. Tipping-off rules shape how banks communicate with customers, how account closures are worded, and how compliance teams interact with Relationship Managers who have commercial exposure to the customer.
What counts as tipping-off
- Telling the customer a SAR has been filed — direct violation
- Telling the customer their account is being closed “because of an AML investigation” — violation
- Asking the customer questions that reveal the specific pattern that triggered investigation — can constitute tipping-off
- Delays or unusual behaviour from RM or operations team that signal an investigation is underway — prosecutable under POCA and equivalent regimes
What is permitted
- Exit communications worded in generic commercial terms (“the bank has decided to discontinue the relationship”)
- KYC and EDD information requests made in the normal course of periodic review
- Internal information sharing within the compliance function and the MLRO structure
- Cross-border information sharing within the same financial group under approved data-sharing frameworks (FinCEN 314(b), EU information-sharing arrangements, equivalent regional regimes)
RMs with commercial responsibility for the customer often need to be kept out of SAR-specific information precisely because their communication with the customer could constitute tipping-off. At tier-1 banks, RM-side communication is channelled through scripted wording pre-approved by compliance. The decision to exit a SAR-related relationship is made by senior compliance with narrow commercial involvement.
Good SAR vs Defensive SAR — What Separates Them
| Dimension | Good SAR | Defensive SAR |
|---|---|---|
| Suspicion rationale | Specific, documented analytical chain from KYC baseline to observed activity to failed reconciliation | Generic — “unusual pattern,” “inconsistent with profile” without specifics |
| Typology mapping | Named typology with reference to FIU alert or FATF study | No typology identified; or “possible money laundering” without pattern specificity |
| Narrative structure | 7-section structure; factual sequence of events; ledger-level detail | Narrative in generic terms; no specifics; reads like a memo, not a case file |
| Reconciliation attempts | Documented attempts to reconcile to legitimate rationale before filing | No documented reconciliation; filed reflexively |
| Supporting index | Clear index of supporting evidence retained | No supporting index; evidence trail thin |
| Post-filing follow-through | Enhanced monitoring, EDD refresh, relationship review documented | Filed and forgotten; account continues without adjustment |
FinCEN, FCA, MAS, and the FATF all publish typology studies showing that defensive filing — large-volume, low-specificity SARs filed to protect the institution from liability rather than to produce actionable intelligence — dilutes FIU analytical capacity and is itself a compliance failure. Regulators audit SAR quality, not just volume. “We file a lot of SARs” is not a credible defence against under-investigation findings.
Real-World SAR Scenarios
Scenario 1 — Classic structuring at Barclays GCC Mumbai
An SME customer at Barclays GCC Mumbai produces 47 cash deposits of ₹48,000–₹49,500 over 11 days, totalling ~₹23 lakh. Declared monthly expected cash was ₹3 lakh. Investigation fails to reconcile to declared NOB. Customer responses to RFI are inconsistent.
SAR workflow: Level 2 investigator builds the narrative. Typology: classic structuring under FATF typology studies. Suspicion rationale: activity materially inconsistent with KYC baseline, cannot be reconciled, pattern aligns with recognised typology. STR filed with FIU-IND under the 7-working-day PMLA timeframe. Internal actions: customer risk re-rated to high, EDD refresh triggered, account restricted from further high-value cash transactions, exit plan developed pending law-enforcement direction. Tipping-off considerations drive RM communication wording.
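The baseline comparison behind Scenario 1, sketched as an added example that is not part of the original guide or any bank's monitoring system. The deposit data is constructed to match the scenario's shape, and `max_band_spread` and `min_count` are illustrative assumptions, not regulatory thresholds. The output is a candidate for investigation and the start of the "expected X; observed Y" chain, not a filing decision.

```python
from datetime import date, timedelta
from statistics import median


def build_sample_deposits():
    """Constructed data shaped like Scenario 1: 47 cash deposits across 11 days."""
    start = date(2026, 1, 5)  # constructed date, not from the guide
    amounts = [48_000, 48_500, 49_000, 49_500]  # all inside the scenario's band
    return [(start + timedelta(days=i % 11), amounts[i % 4]) for i in range(47)]


def assess_cash_deposits(deposits, declared_monthly_cash,
                         max_band_spread=0.05, min_count=10):
    """Compare observed cash deposits with the declared KYC baseline.

    max_band_spread and min_count are illustrative assumptions, not
    regulatory values. The result feeds an investigation, not a filing.
    """
    if not deposits:
        return {"count": 0, "total": 0, "flag": False, "chain": []}
    days = [d for d, _ in deposits]
    amounts = [a for _, a in deposits]
    total = sum(amounts)
    span_days = (max(days) - min(days)).days + 1
    # Narrow band: every deposit sits within a few percent of the median.
    spread = (max(amounts) - min(amounts)) / median(amounts)
    clustered = len(amounts) >= min_count and spread <= max_band_spread
    over_baseline = total > declared_monthly_cash
    multiple = (round(total / declared_monthly_cash, 1)
                if declared_monthly_cash else None)
    # Draft lines for the "why suspicion was formed" section of the narrative.
    chain = [
        f"expected: {declared_monthly_cash:,} cash per month (KYC profile)",
        f"observed: {len(amounts)} deposits totalling {total:,} in {span_days} days",
    ]
    if clustered:
        chain.append(f"amounts cluster in {min(amounts):,}-{max(amounts):,}")
    return {
        "count": len(amounts),
        "total": total,
        "span_days": span_days,
        "baseline_multiple": multiple,
        "clustered": clustered,
        "flag": clustered and over_baseline,
        "chain": chain,
    }


if __name__ == "__main__":
    result = assess_cash_deposits(build_sample_deposits(),
                                  declared_monthly_cash=300_000)
    for line in result["chain"]:
        print(line)
    print("flag for investigation:", result["flag"])
```

A flag here only opens the reconciliation step; the RFI responses and typology mapping described in the workflow still decide whether the suspicion threshold is met.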
Scenario 2 — Trade-based laundering at JPMorgan New York
A trade-finance customer at JPMorgan New York imports “industrial components” from Hong Kong at 3–4x market unit prices and exports “finished goods” to UAE at 40% below market. Classic over-invoicing / under-invoicing pattern in a single trade flow.
SAR workflow: Trade-finance AML team builds the narrative around documented Bills of Lading, invoices, port-of-loading and discharge records. Typology mapping: trade-based laundering per FATF 2006 TBML Red Flags study and FinCEN FIN-2010-A001 advisory. SAR filed with FinCEN within 30 days. Internal actions: trade-finance relationship declined, customer exit, Named Individual exposure assessed for senior-management reporting.
Scenario 3 — Funnel account at BNY
A fund-administrator customer at BNY operates a USD operating account receiving inbound wires from 38 jurisdictions in 30 days, same-day outbound to a single Singapore beneficiary. Declared model: corporate services, UK-centric counterparties.
SAR workflow: Investigator documents the funnel-account typology with full transaction sequence. Suspicion rationale: geographic concentration and same-day in/out inconsistent with declared model, UBO trace identifies a previously unidentified beneficial owner via nominee structure. SAR filed with FinCEN. Relationship exited with scripted exit wording to avoid tipping-off.
Scenario 4 — Crypto-to-fiat cycling at Revolut
A retail customer at Revolut with declared income $60K/year receives five inbound wires totalling $180K over 60 days, each preceded by crypto-asset conversion through a third-party exchange. The customer’s crypto exposure wasn’t captured at onboarding.
SAR workflow: Investigator documents the crypto-to-fiat cycling pattern. Typology mapping: crypto-cycling per FATF 2021 VASP report and FinCEN FIN-2019-A003 advisory. On-chain analysis via blockchain analytics provider documents wallet exposure patterns. SAR filed with FinCEN or equivalent FIU based on Revolut legal entity. Account restricted, KYC refresh captures the crypto activity, EDD applied going forward.
Common SAR Failures
Narrative describes activity but doesn’t articulate why the activity is suspicious rather than commercially routine. Fix: every SAR narrative includes a “suspicion formed because” section with analytical chain from KYC baseline to failed reconciliation.
SAR narrative doesn’t identify a recognised typology, which makes the filing less actionable for FIU analysts. Fix: every SAR maps to a named typology from FATF, FinCEN, FCA, or equivalent FIU typology libraries.
Institution files SARs reflexively to reduce regulatory liability, diluting intelligence value. Audits and regulators catch this pattern. Fix: SAR quality is a KPI; investigator training emphasises suspicion-threshold judgement; senior review samples SAR quality at defined cadence.
RM tells the customer the account is “under AML investigation” or operational delays signal the investigation to the customer. Fix: scripted exit wording pre-approved by compliance; tipping-off training for all customer-facing staff; RM channels ring-fenced from SAR-specific information.
Institution detects suspicion but files outside the statutory deadline (30 days FinCEN, 7 working days FIU-IND, 15 business days STRO, etc.). Fix: SLA tracking from detection to filing; escalation framework ensures deadline-driven filing even where investigation is incomplete (initial filing can be followed by supplementary SARs).
The Interview Question: How Do You Decide to File?
“You’ve investigated a suspicious activity alert. Walk me through how you decide whether to file a SAR.”
“The decision is a suspicion-threshold call, not an evidence call. I walk through four tests. First, is the activity genuinely inconsistent with the KYC baseline — expected volume, velocity, counterparties, geographies? Second, have I made reasonable attempts to reconcile the activity to legitimate commercial rationale, including RFI where appropriate, and has reconciliation failed? Third, does the pattern align with a recognised typology — structuring, funnel account, third-party payments, trade-based laundering, crypto cycling, shell-company layering? Fourth, is there adverse-media or screening context that reinforces suspicion? If three or four of those are affirmative, the reasonable-suspicion threshold is met and I recommend filing. I don’t need proof; I need a documented analytical chain showing why a reasonable investigator would suspect. I also consider the filing deadline under the applicable regime — FinCEN 30 days, PMLA 7 working days, STRO 15 business days — and file within it even if further investigation continues. Post-filing I manage tipping-off carefully, drive EDD refresh and risk re-rating, and coordinate relationship exit where warranted.”
How SAR Filing Capability Shapes Your KYC Career
SAR-quality writing is where investigators and senior KYC analysts are most visible to senior compliance leadership. A well-drafted SAR reads as careful, analytical, and investigation-ready; a weak one is a compliance-review finding. Analysts who develop strong SAR-writing judgement are the candidates who move from execution roles into Level 3 investigation, senior AML review, and eventual MLRO-path roles. If your long-term ambition is to move from KYC into broader financial-crime compliance or investigations, SAR capability is the skill that opens the door.
Here the role-match matters explicitly. If your day-to-day is actually AML investigation, SAR / STR filing, typology work, or broader financial-crime case management, an AML-focused credential like CAMS is a genuine role fit. But if you’re in pure KYC — onboarding, CDD/EDD, UBO tracing, screening disposition — you’ll get more interview traction with KYC-specific credentials: GO-AKS (Globally Certified KYC Specialist), IKYCA (Internationally Certified KYC Specialist), and IR-KAM (Internationally Certified KYC Manager). For crypto KYC and VASP roles: C2KO (Certified Crypto KYC Officer) and C3O (Certified Crypto Compliance Officer). The common mistake is defaulting to CAMS by reputation without matching it to the specific role you want to be in. Pick the credential aligned to where you actually want to be promoted.