GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Fraud & Compliance / Learning brief

Suspicious activity reporting and escalation

Your notes

What this means in plain language

When staff or systems spot activity that may indicate financial crime, firms escalate it internally and, where suspicion holds, file a suspicious activity report (SAR) or suspicious transaction report (STR) with the authorities, preserving the decision trail throughout.

Sometimes a transaction or a customer's behaviour looks wrong in a way ordinary checks cannot settle. A suspicious activity report (SAR), called a suspicious transaction report (STR) in some countries, is how a firm tells the authorities about it. The standard is deliberately lower than proof: staff need reasonable grounds to suspect, not evidence of a crime. The process is an escalation, not a snap decision. A member of staff or a monitoring system raises an internal report; a nominated officer, often the money laundering reporting officer (MLRO), reviews it and decides whether the suspicion holds; and if it does, a report is filed with the national financial intelligence unit (FIU). The firm keeps handling the customer normally and must not tip the customer off that a report has been made, because a warned suspect can frustrate an investigation. Whether or not a report is filed, the reasoning is written down and kept.

Understand the full idea, step by step

Maya notices something she cannot explain: money arriving in a customer's account and leaving within the hour, over and over, with no reason that fits what the bank knows about them. She has no proof of a crime. She is not even certain there is one. What is she supposed to do with a suspicion that is more than a feeling but far short of evidence?

The threshold of suspicion

A firm does not need to prove a crime, or even to know which crime. It needs reasonable grounds to suspect that funds or a transaction are connected to criminal conduct. Suspicion is more than vague unease but far less than evidence — something specific and articulable that an ordinary person, doing this job, would find suspicious. The threshold is set deliberately low so concerns reach the authorities early, while an investigation can still do something useful, rather than only after guilt is already clear.

Suspicious Activity Report / Suspicious Transaction Report (SAR / STR)the filing that hands a suspicion to the authorities

A SAR — called an STR in some regimes — is the report a firm files with its national financial intelligence unit (FIU), the body that receives and analyses these reports, when a suspicion holds. It is not an accusation. It hands a concern to specialists with a wider view, who can connect it to things a single bank cannot see and decide whether to act across many institutions at once.

Money Laundering Reporting Officer (MLRO)the nominated officer who owns the filing decision

Reporting is an internal escalation before it is an external filing. Front-line staff and monitoring systems rarely file with the authorities directly; instead they raise an internal report to a nominated person — commonly the MLRO, a role many regimes require by law. That routing concentrates the decision in someone trained to weigh it, gives one accountable owner for consistency, and means a junior employee is never left to judge alone.

The escalation path

  1. VALIDATION

    Maya raises an internal report to the nominated officer — she does not file externally, and she does not close the concern quietly by herself.

  2. VALIDATION

    The nominated officer gathers the customer file, the transaction history, the due-diligence record, and any explanation offered, then decides whether the suspicion holds.

  3. NOTIFICATION

    If it holds, a SAR or STR goes to the FIU in the required form and timeframe. If it does not, the internal report is closed — with reasons recorded.

  4. VALIDATION

    Throughout, the account is generally operated as normal unless the authorities instruct otherwise or unless continuing would itself be an offence — and nothing is done that would alert the customer.

WHAT IF — The firm files a SAR, and the customer then calls to ask why a recent payment was delayed.

What happens: Staff handle the query as normally as possible. They do not tell the customer a report has been filed, hint at an investigation, or freeze the account to signal something is wrong.

How it is handled: Disclosing that a report has been made or is contemplated — to the customer or an outsider — can be a criminal offence in many regimes, because a warned suspect can move funds or destroy evidence. This is tipping off. Staff are trained to route any difficulty to the nominated officer and to keep the customer relationship looking ordinary while the FIU does its work.

COMMON CONFUSION

Filing a SAR is accusing the customer of a crime, so a firm should only file when it is sure.

A SAR is not a verdict and does not assert guilt. The standard is suspicion, not proof, precisely so concerns arrive early enough to be useful. Waiting for certainty would defeat the purpose — and, where the duty applies, failing to report a genuine suspicion is itself the breach, not filing one that turns out to be innocent.

Preserve the decision trail

One obligation underpins all of this: keep the decision trail — the written record of who saw what, when, and why they concluded as they did — for reports filed and for concerns reviewed and not filed. Both decisions must be defensible. A firm that files can show the grounds; a firm that decides a concern falls short of the threshold can show it reviewed the matter properly rather than ignored it. Regulators and auditors test this by picking cases and following the trail, so records are kept for the retention period the regime sets.

STRICTLY SPEAKING

Strictly speaking, the name of the report, the FIU it goes to, the filing deadline, the exact wording of the suspicion standard, the tipping-off defences, and the record-retention period all vary by jurisdiction — the SAR/STR framework is close to universal in shape, not in detail. Treat the specific deadlines and periods as things to look up in the applicable regime, not fixed numbers to memorise.

FOR NOW, REMEMBER

  • The trigger to report is reasonable suspicion — specific and articulable — not proof of a crime, set low so concerns reach the FIU early.
  • Reporting escalates internally to a nominated officer (often the MLRO) before any external SAR or STR is filed.
  • Tipping off — telling the customer or an outsider a report has been made or is contemplated — can be a criminal offence.
  • The decision trail is preserved for reports filed and concerns closed alike, because both decisions must be defensible on review.

TRY IT YOURSELF

Maya's investigation confirms a genuine suspicion, and Bank Alfa files a SAR with the FIU. The customer then calls a colleague to ask why a recent payment was delayed. What must the colleague do?

Explain that a suspicious activity report has been filed, so the customer understands what is happening.

Not this one — That is tipping off, which can be a criminal offence: a warned suspect can move funds or destroy evidence, defeating the whole point of the report.

Handle the query as normally as possible without revealing the report or the investigation, routing any difficulty to the nominated officer.

Correct — Correct. The relationship is kept looking ordinary while the FIU works; staff are trained to answer normally and escalate anything awkward to the nominated officer rather than disclose.

Freeze the account at once and tell the customer it is under investigation.

Not this one — Freezing to signal a problem and telling the customer both tip off. Accounts are generally operated as normal unless the authorities instruct otherwise or continuing would itself be an offence.

You have now walked the AML side end to end — from knowing the customer to reporting a suspicion. The next topic steps back to place it beside sanctions screening: two different controls, different questions, one shared goal.

KEEP GOING

Three things to remember

  1. 01

    A suspicious activity report is filed on reasonable grounds to suspect, well below the standard of proof.

  2. 02

    Reporting is an escalation: staff raise an internal report, and a nominated officer decides whether to file.

  3. 03

    Both filing and deciding not to file must be documented, so either decision can be explained later.

Where you would use this

USE CASE 01

A branch employee who notices behaviour that does not fit a customer's profile raises an internal suspicious activity report to the nominated officer.

USE CASE 02

A money laundering reporting officer reviews internal reports and decides whether each meets the threshold to file with the financial intelligence unit.

USE CASE 03

An auditor reviews the decision trail behind filed and unfiled reports to confirm escalation worked as the policy describes.

Put the idea into a real situation

Illustrative example: at a fictional bank, Northwind Savings, a monitoring alert flags that a customer, the fictional individual Dana Okafor, whose file describes a part-time consultant, received four incoming transfers totalling EUR 62,000.00 over eight days and sent EUR 60,000.00 onward to a newly added counterparty within 48 hours. A branch analyst raises an internal report the same day; the money laundering reporting officer reviews the file, finds the customer's explanation does not resolve the concern, and files a suspicious activity report (SAR) with the financial intelligence unit inside the firm's four-day internal deadline. The account keeps operating normally, the customer is not told, and every step is time-stamped in the case record.

Evidence & review

REVIEWED 2026-07-13

Suspicious activity/transaction reporting and internal escalation as framed by the FATF standards; report names, the receiving FIU, filing deadlines, tipping-off rules, and retention periods are set by each jurisdiction.

What this brief simplifies: Presents one generic escalation path (staff to nominated officer to FIU). Real regimes differ on the suspicion standard's wording, mandatory versus discretionary reporting, deadlines, defences, and how account handling is directed after a filing; no specific deadlines or retention periods are stated as numbers.

Sources for this brief2
  1. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Recommendation 20 (suspicious transaction reporting); Recommendation 21 (tipping-off / confidentiality)

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  2. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Maya's escalation from an unresolved alert to a filing

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Fraud & Compliance archive

Screening for politically exposed persons (PEPs)

Politically exposed persons hold prominent public roles that carry higher corruption risk. Screening flags them so a bank applies enhanced due diligence — a deeper, documented review and senior sign-off — rather than the hard payment stop a sanctions match triggers.

READ BRIEF

Adverse media screening

Adverse media screening checks a customer against negative news linking them to crime or misconduct. It surfaces risk that official lists miss and feeds due diligence rather than blocking payments — while generating false positives a programme must control.

READ BRIEF