Suspicious Activity Reporting

Suspicious Activity Reporting (SAR) requires broker-dealers to detect potentially suspicious activity and file a SAR with FinCEN for transactions of a material amount or more when the firm knows, suspects, or has reason to suspect illegal funds, evasion of BSA requirements, no lawful purpose, or facilitation of criminal activity (31 CFR § 1023.320). Operationalize it by defining “initial detection,” building alert-to-case workflows, documenting decisions, meeting filing timelines, and enforcing SAR confidentiality.

Key takeaways:

  • SAR obligations are triggered by suspicion plus a material amount transaction threshold for broker-dealers (31 CFR § 1023.320).
  • You need an end-to-end operating model: monitoring → investigation → decision → filing → recordkeeping, with clear ownership.
  • Exams focus on timeliness, decision quality, documentation, and confidentiality controls as much as on the SAR form itself.

A “SAR program” is not a policy binder or a single filing capability. Examiners expect a repeatable process that starts before an event occurs: calibrated monitoring, trained front-line escalation, documented investigative steps, and a governed decision framework that is consistent across teams. Under 31 CFR § 1023.320, broker-dealers must file a SAR with FinCEN when a transaction of a material amount or more is suspicious based on what the firm knows, suspects, or has reason to suspect, including illegal activity, evasion of BSA requirements, lack of lawful purpose, or use of the firm to facilitate criminal activity (31 CFR § 1023.320).

For a CCO or GRC lead, the fastest path to operationalization is to translate the rule into “who does what by when” and then create the evidence trail that proves it happened. That means: (1) defining detection sources and what counts as “initial detection,” (2) putting investigators on a documented playbook, (3) implementing a formal SAR decision and approval workflow, (4) enforcing confidentiality and access controls, and (5) retaining the right artifacts so an examiner can replay your decisions from alert to filing.

Regulatory text

What the rule says (requirement-level): Broker-dealers must file a Suspicious Activity Report (SAR) with FinCEN for any transaction of a material amount or more that the firm knows, suspects, or has reason to suspect involves funds from illegal activity or is designed to evade BSA reporting requirements (31 CFR § 1023.320). The rule summary also captures additional suspicious bases: transactions that lack a lawful purpose or involve use of the firm to facilitate criminal activity, plus a requirement to file within the specified timeframe from initial detection and maintain SAR confidentiality (31 CFR § 1023.320).

What an operator must do: Build and run an operating process that (a) identifies potentially suspicious transactions at or above the threshold, (b) investigates promptly and consistently, (c) makes and documents a SAR/non-SAR decision using defined criteria, (d) files SARs within the rule’s timeline and keeps filings confidential, and (e) maintains ongoing monitoring systems and supporting records (31 CFR § 1023.320).

Plain-English interpretation

You must file a SAR when you see a transaction of a material amount or more and your firm has enough facts to reasonably suspect something is off in one of the ways the rule describes (illegal proceeds, structuring/evasion, no lawful purpose, or the account being used to facilitate crime) (31 CFR § 1023.320). Your obligation is about reasonable suspicion, not certainty. The work is proving that your firm can: detect, assess, decide, file, and document—reliably and on time—without tipping off the subject.

Who it applies to (entity and operational context)

In-scope entities: Broker-dealers (explicitly covered by 31 CFR § 1023.320). Your backend data also lists “Investment Advisers” as applicable entity types; treat that as an internal scoping prompt, but operationalize to the broker-dealer SAR requirement as written and confirm any adviser obligations against the applicable adviser rule set before extending this control set.

Where it shows up operationally:

  • Trading activity, deposits/withdrawals, wires/ACH/checks, journals, ACAT transfers, and cash management features that touch customer funds.
  • Digital onboarding and account maintenance events that change risk: new beneficial owners, changes in address, unusual power of attorney, sudden liquidity events.
  • Third parties and intermediaries: introducing brokers, clearing firms, custodians, payment processors, and affiliates. Even if a third party runs surveillance, you still need clear accountability for detection, investigation, decisioning, and filing.

What you actually need to do (step-by-step)

1) Define triggers, ownership, and “initial detection”

Deliverables

  • A SAR procedures document mapped to 31 CFR § 1023.320.
  • A RACI that names: alert triage owner, investigator, SAR decision approver, SAR filer, and QA reviewer.

Operational choices you must make

  • Initial detection definition: Decide what event starts the SAR clock in your environment (e.g., a surveillance alert generated, a manual escalation logged, or a clearing firm notification). Document it and apply it consistently.
  • Escalation channels: Create at least two ways to escalate: automated (from surveillance) and manual (from reps, ops, customer support).

2) Implement monitoring and intake that can surface SAR-eligible behavior

The rule expects ongoing systems to detect suspicious transactions (31 CFR § 1023.320). Put controls in place across:

  • Automated surveillance: scenarios/alerts for unusual patterns tied to your products (deposits, liquidations, rapid movement of funds, repeated failed reporting thresholds, unusual counterparties).
  • Manual escalation: a simple, mandatory workflow for staff to file an internal suspicious activity referral with required fields (who/what/when/why, related accounts, transaction details).
  • Third-party signals: intake from clearing/custody partners, fraud tools, sanctions screening hits, and chargeback/returns intelligence, with a documented handoff.

Practical tip: If you cannot show how an alert became a case, you will struggle in exams. Build a unique case ID that links alerts, notes, evidence, approvals, and the SAR filing record.

3) Standardize investigations with a case playbook

Create an investigation checklist that an examiner can replay. Minimum components:

  • Transaction reconstruction: amount, instrument, timestamps, counterparties, account numbers, and channel.
  • Customer context: KYC profile, expected activity, occupation/source of funds notes you have on file.
  • Pattern analysis: is this isolated or repeated, and how does it compare to the customer’s baseline.
  • Reason-to-suspect rationale: map facts to the rule’s suspicious bases (illegal activity, evasion, no lawful purpose, facilitation of crime) (31 CFR § 1023.320).
  • Disposition options: SAR file, no SAR (with rationale), monitor, restrict/exit relationship (if permitted by your policies).

Keep the playbook tight. Investigators should not freestyle.

4) Run a governed SAR decision and approval process

Decisioning control: Establish a formal SAR committee or named approver(s) with documented authority. The key exam question is predictable: “Who decided, based on what, and where is it documented?”

Decision memo template (recommended fields):

  • Trigger source and initial detection date
  • Facts established and gaps
  • Suspicion basis mapped to 31 CFR § 1023.320
  • Filing decision and approver sign-off
  • Any immediate risk actions (heightened monitoring, account restrictions)
  • Confidentiality handling notes

5) File SARs, enforce confidentiality, and control access

Filing: Ensure trained staff can file SARs with FinCEN and can meet the timeline from initial detection (31 CFR § 1023.320). Your procedures should include:

  • Backup filer coverage (illness, vacations)
  • Quality review before submission
  • Post-filing confirmation capture (submission receipts/acknowledgments)

Confidentiality: Restrict SAR knowledge to need-to-know personnel. Implement:

  • Role-based access to SAR systems and case folders
  • “Do not disclose SAR” language in investigator training and internal comms guidance
  • Guardrails for customer communications so staff do not inadvertently tip off

6) Retain evidence and prove ongoing effectiveness

Ongoing monitoring and documented SAR processes are part of the expectation (31 CFR § 1023.320). Build a QA loop:

  • Periodic sampling of closed cases (SAR and non-SAR) for documentation quality and consistency
  • Alert tuning feedback (false positives/false negatives)
  • Training refreshers tied to observed errors

If you want this to move fast without losing rigor, Daydream can help as the system of record for SAR workflows: standardized case templates, approval routing, evidence collection, and an audit-ready timeline view that ties “initial detection” to your actions and filing record.

Required evidence and artifacts to retain

Keep artifacts that reconstruct the full story from detection to decision:

  • SAR policy and procedures mapped to 31 CFR § 1023.320
  • Monitoring inventory: alert scenarios, sources, and change logs
  • Case files: alert snapshot, escalation intake, investigation notes, supporting documents, transaction reconstructions
  • Decision records: SAR/non-SAR rationale, approvals, and any committee minutes
  • Filing records: SAR submission confirmation and final filed narrative
  • Confidentiality controls: access lists, RBAC screenshots/export, training attestations
  • QA results: review findings, remediation tickets, tuning changes

Common exam/audit questions and hangups

Expect questions like:

  • “How do you define initial detection, and where is it documented?” (31 CFR § 1023.320)
  • “Show me three SARs and the full investigative file that supported each decision.”
  • “Show me three non-SAR dispositions where you chose not to file. Why was that reasonable?”
  • “How do you ensure SAR confidentiality across the business?” (31 CFR § 1023.320)
  • “What monitoring exists for this product/channel, and who owns tuning?”
  • “How do you handle alerts or referrals from a clearing firm or other third party?”

Frequent implementation mistakes (and how to avoid them)

  1. No consistent “initial detection” timestamp.
    Fix: Make it a required field in every case, auto-populated where possible, and enforce it in QA.

  2. Weak narratives and unexplained non-filing decisions.
    Fix: Require mapping to the suspicious bases in 31 CFR § 1023.320 in every closure memo.

  3. Over-reliance on third parties without accountability.
    Fix: Document what the third party does vs. what you do, and test handoffs with sample cases.

  4. Confidentiality breaches through casual internal communications.
    Fix: Train staff on what they can say, restrict distribution lists, and keep SAR discussions inside controlled tools and channels (31 CFR § 1023.320).

  5. Monitoring that exists “on paper” but is not tuned or reviewed.
    Fix: Put monitoring changes under change management and tie tuning work to QA findings.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this page. Treat that absence as a documentation constraint, not as reduced risk. In practice, SAR failures create regulatory exposure because they indicate breakdowns in AML governance: weak monitoring, poor investigative rigor, missed deadlines, and confidentiality lapses (31 CFR § 1023.320). Your control design should assume an examiner will test SAR decisions as a proxy for the effectiveness of the broader AML program.

Practical execution plan (30/60/90)

Numeric timelines are presented as planning phases, not regulatory requirements.

First 30 days (stabilize and define)

  • Confirm scope: products, channels, and which teams generate SAR-relevant signals.
  • Publish “initial detection” definition and SAR RACI.
  • Standardize case intake and investigation templates.
  • Lock down confidentiality controls: access groups, storage locations, communication rules (31 CFR § 1023.320).

Days 31–60 (operationalize and prove repeatability)

  • Implement alert-to-case workflow (surveillance + manual escalation).
  • Train investigators, approvers, and filers on the playbook and confidentiality (31 CFR § 1023.320).
  • Run tabletop exercises using prior incidents or synthetic scenarios; produce case files and mock decisions.
  • Start QA sampling of closed cases; document corrective actions.

Days 61–90 (harden and scale)

  • Tune monitoring based on QA findings and operational feedback.
  • Add metrics that management can act on (e.g., backlog aging, investigation cycle bottlenecks) without inventing “target” numbers.
  • Formalize third-party handoffs with clearing/custody partners and test evidence capture.
  • Prepare an exam-ready binder: policies, workflow evidence, sample cases, QA results, training records (31 CFR § 1023.320).

Frequently Asked Questions

What triggers a SAR filing for a broker-dealer?

A SAR is required when there is a transaction of $5,000 or more and the firm knows, suspects, or has reason to suspect the transaction involves illegal activity, evasion of BSA requirements, lacks a lawful purpose, or facilitates criminal activity (31 CFR § 1023.320).

What does “has reason to suspect” mean in practice?

It means you do not need certainty. You need a documented, reasonable rationale based on facts available to the firm that ties back to the suspicious bases in the rule (31 CFR § 1023.320).

How do we define “initial detection” so we can meet SAR deadlines?

Pick a single operational event that starts the clock (such as an alert creation or a logged referral) and enforce it as a mandatory field in every case. Apply it consistently and test it in QA, because inconsistent start points are hard to defend (31 CFR § 1023.320).

Can we rely on our clearing firm or another third party to do SAR filings?

You can use third parties for monitoring inputs or operational support, but you still need documented accountability for detection, investigation, decisioning, and confidentiality under your program. Make handoffs explicit and retain evidence that you met your obligations (31 CFR § 1023.320).

What evidence should we keep for a “no SAR filed” decision?

Keep the same core evidence as a filed case: the triggering facts, transaction reconstruction, investigative steps, and a clear rationale mapped to the rule’s suspicious criteria. Examiners commonly test non-filing decisions for consistency (31 CFR § 1023.320).

How do we prevent SAR confidentiality breaches across business teams?

Restrict access to SAR case data, train staff on non-disclosure expectations, and route all SAR-related discussions through controlled workflows rather than email or broad chat channels (31 CFR § 1023.320).
