Compliance

How to write a good SAR report

Arnaud Schwartz
CEO and Co-Founder
0 minutes reading
October 22, 2025
Summary
Example H2

Writing a high-quality Suspicious Activity Report (SAR) is a critical competence for MLRO and Compliance officers.

The report you write is the primary, and often only, piece of information law enforcement or a Financial Intelligence Unit (FIU) will use to decide if a case is worth investigating.

There’s one "Golden Rule" of SAR writing : Write the report for an investigator who has no prior knowledge of your institution, your customer, or the case. It must be a complete, standalone document.

Here’s some of the best practices for writing a SAR report. Some local adjustments may be needed to fit the format expected by the FIU, but the structure is globally sound everywhere.

1. Structure: The Logical Flow

A well-structured SAR narrative tells a clear and logical story. Don't make the investigator hunt for information. Use a chronological and thematic flow.

A good structure for the SAR narrative section is as follows:

  1. Opening Summary (The "Hook"):
    • Start with a 1-2 sentence summary that states who you are filing on and why. This is the "executive summary" for the investigator.
    • Example: "The [Your Institution's Name] is filing this SAR on customer [Customer Name] due to activity inconsistent with their stated profile. Between [Date] and [Date], the customer received €[Amount] in structured cash deposits, which were immediately wired to a high-risk jurisdiction."
  2. Introduction to Subject(s) and Business:
    • Detail your customer (the subject of the SAR).
    • Include their stated business, source of funds, expected account activity (from onboarding/KYC), and the date the relationship was established.
    This helps set the "baseline" of what is considered normal for this customer.
  3. Chronological Description of Suspicious Activity (The "What"):This is the main body of the report. Detail the operations that triggered the suspicion.
    • Dates: Provide the date range of the activity and list key transaction dates.
    • Amounts: Specify the amounts of the suspicious transactions and the total sum.
    • Transactions: Describe the type of activity (e.g., cash deposits, wires, cheques, crypto purchases).
    • Counterparties: Detail the other parties involved (who sent the money, who received it). Include names, account numbers, and destination/origin jurisdictions if known.
  4. The "Red Flags" and Reason for Suspicion (The "Why"):This is the key section. You must help connect the dots for the investigator. Don't just list transactions; explain why they are suspicious.
    • Contrast: Explicitly state how the activity (from section 3) contrasts with the customer's profile (from section 2).
    • Red Flags: List the specific red flags you observed (e.g., structuring, unusual patterns, use of shell companies, adverse media hits, evasive answers from the customer).
    • Example: "The customer's activity is suspicious for the following reasons:
      1. Inconsistency: The customer’s profile states they are a salaried [Job Title] with an expected monthly income of €4,000. The €150,000 in cash deposits over three weeks is grossly inconsistent with this profile.
      2. Structuring: The deposits were made in 15 separate transactions, all under the €10,000 reporting threshold, suggesting an attempt to evade reporting.
      3. Evasive Answers: When contacted, the customer claimed the funds were from a 'family loan' but could not provide any details or documentation."
  5. Concluding Actions (What You Did):
    • Briefly state any actions your institution has taken.
    • Example: "A review of the account is ongoing," "Enhanced due diligence has been applied," or "A decision has been made to exit the relationship." (Follow your institution's specific policy on this).

2. The content: The "5 Ws and an H"

Your narrative must be comprehensive. An investigator should be able to read it and know exactly Who, What, Where, When, Why, and How.

  • Who:
    • Full legal name of your customer (the subject)
    • Date of birth, address, phone numbers, email
    • National ID number (e.g., SSN, Passport #)
    • All related account numbers
    • Information on all counterparties (names, locations, etc.)
  • What:
    • The specific transactions
    • The instrument used (e.g., SEPA, cash, cheque, SWIFT, crypto)
    • The total euro (or dollar, etc.) amount of suspicious activity
  • When:
    • The complete date range of the activity (e.g., "From January 1, 2025, to March 15, 2025")
    • The date your institution detected the activity
  • Where:
    • The branch locations used (if cash)
    • The origin jurisdictions of incoming funds
    • The destination jurisdictions of outgoing funds
  • Why (The most important):
    • The specific red flags and the analysis from your investigation (as detailed in the "Structure" section)
  • How:
    • The method used to conduct the transactions

3. The tone : Factual, Objective, and Professional

The tone of a SAR is critical. It is a formal, legal document that may be used in legal procedings

  • Be Objective and Factual:
    • DON'T: "I think the customer is a money launderer."
    • DO: "The customer's activity is consistent with money laundering red flags, such as structuring."
  • Avoid Speculation and Emotion:
    • DON'T: "The customer was very shady and seemed nervous."
    • DO: "When questioned about the source of funds, the customer was evasive and provided conflicting statements."
  • Be Professional and Formal:
    • Avoid slang, jargon, and internal acronyms. If you must use an internal acronym, define it on its first use (e.g., "Remote Deposit Capture (RDC)").
  • Be Decisive (in your suspicion):
    • Don't be vague. You are filing because you have a suspicion. State it clearly.
    • DON'T: "This might be suspicious, we aren't sure."
    • DO: "Due to the inconsistencies and red flags noted, [Your Institution] suspects the customer is engaged in..."
  • No Accusations:
    • You are reporting suspicion, not proof. Do not accuse the customer of a crime. Your job is to report; law enforcement's job is to investigate and prove.

4. Format: Clear, Clean, and Easy to Read

The narrative section of a SAR is typically a free-text box or pre-structured sections depending on the country.

The text format can be the difference between a report that is read and one that is skimmed (although AI now helps a lot of FIU extract data from the pile of report their are gathering) .

  • Structured Fields vs. Narrative: Most SAR forms (like TRACFIN or US FIN SAR) have structured fields (for names, dates, amounts, etc.) and a narrative section.
    • Best Practice: Fill out all structured fields as completely as possible. Do not just write "See narrative." Law enforcement uses these fields to query their databases. The narrative is where you explain the data.
  • Make the Narrative Readable:
    • Use Bullet Points and Numbered Lists: This is the most effective way to make a narrative readable. Use them to list transactions, red flags, or individuals.
    • Use Short Sentences and Paragraphs: Avoid dense "walls of text." Each paragraph should cover one main idea.
    • Use Simple Headings: If the system allows, use simple sub-headings (like those in the "Structure" section above) to break up the text.
    • Proofread: Spelling and grammar errors look unprofessional and can obscure your meaning.
    • Define Acronyms: As mentioned, always define your acronyms. The investigator does not know your bank's internal lingo.

5. A Suspicious Activity Report (SAR) Narrative Example

This example involves a customer whose activity changes suddenly, involves high-risk jurisdictions, and shows signs of layering.

Subject: ACME LLC

Account: XXXXXX7890 (IBAN: FRXX XXXX XXXX XXXX XXXX)

Date of Suspicion: October 22, 2025

  1. Opening Summary

International Bank S.A. is filing this SAR on customer ACME LLC due to a sudden and unexplained change in activity. Between September 1, 2025, and October 20, 2025, the account received €480,000 in structured cash deposits and international wires from high-risk jurisdictions, all of which were immediately transferred out via SEPA Credit Transfers to a crypto-asset service provider. This activity is inconsistent with the customer's stated business profile and appears indicative of money laundering.

2. Introduction to Subject and Business Profile

  • Subject: ACME LLC (Acct: XXXXXX7890, Company Reg. No.: 987XXXXXX)
  • Owner/Signer: Mr. John K. Dupond (DOB: 15-JAN-1988, National ID No.: XXXXXXXXX)
  • Onboarding Date: January 12, 2025
  • Stated Business: The customer’s file states they are a "digital marketing consultant," earning revenue from consulting fees from local businesses.
  • Expected Activity: At onboarding, the customer projected €25,000 - €30,000 in monthly revenue, primarily from domestic SEPA transfers.
  • Historical Activity: From January 2025 to August 2025, activity was consistent with this profile, with an average monthly balance of €15,000.
  1. Description of Suspicious Activity

Suspicious activity began on September 1, 2025. The activity consists of two distinct types: structured cash deposits and unusual international wires.

  • Cash Deposits (Total: €85,500):
    • Between 01-SEP-2025 and 15-OCT-2025, the account received 10 separate cash deposits.
    • The deposits were made at three different branches across the city.
    • All deposits were between €8,000 and €9,500.
    • This structuring appears designed to evade reporting obligations associated with cash transactions at or above the €10,000 threshold.
  • International Wires (Total: €394,500):
    • 05-SEP-2025: €148,000 incoming wire from "Global Ventures Ltd." (Bank: Eastern Star Bank, Jurisdiction: Cyprus)
    • 20-SEP-2025: €97,000 incoming wire from "Unicorp Trading S.A." (Bank: Apex Financial, Jurisdiction: Panama)
    • 10-OCT-2025: €149,500 incoming wire from "Global Ventures Ltd." (Bank: Eastern Star Bank, Jurisdiction: Cyprus)
  • Outgoing Transfers (Total: €479,000):
    • Within 48 hours of each deposit or wire, the funds were transferred out.
    • All outgoing transfers were SEPA Credit Transfers to "CryptoGo Exchange," a known crypto-asset service provider.
  1. Red Flags and Reason for Suspicion

This bank deems the activity suspicious because it is inconsistent with the customer's profile and indicative of layering and structuring.

  1. Gross Inconsistency with Profile: The customer’s stated business (digital marketing) does not align with receiving nearly half a million Euros in large international wires and structured cash deposits.
  2. Structuring: The cash deposits were made in amounts just below the €10,000 reporting threshold, at multiple locations, which is a classic red flag for structuring.
  3. High-Risk Jurisdictions: The wires originate from Cyprus and Panama, jurisdictions known for high levels of corporate secrecy and money laundering risk. The sending entities (Global Ventures Ltd, Unicorp Trading S.A.) have no clear business relationship to a digital marketing consultant.
  4. Rapid Movement of Funds (Layering): The account is being used as a pass-through. Funds arrive and are immediately moved out via SEPA transfers, leaving a low account balance. This suggests an attempt to obscure the audit trail.
  5. No Clear Economic Purpose: The combination of structured cash and high-risk wires, followed by an immediate conversion to crypto-assets, has no apparent lawful or economic purpose related to the customer's business.
  6. Customer Evasiveness: When contacted on 18-OCT-2025 regarding the wire activity, Mr. Dupond claimed the funds were from "new international clients" but was evasive and refused to provide any contracts or documentation.
  7. Concluding Actions

International Bank S.A. has filed this SAR and the account has been placed on enhanced monitoring. A review is underway to determine if the relationship should be terminated.

Learn more about Marble

Watch a demo