
How does FinCEN define suspicious activity?

Quick answer

FinCEN defines suspicious activity as a $5,000+ transaction where a bank knows, suspects, or has reason to suspect the funds are illegal, the transaction evades BSA reporting, or it lacks a lawful purpose. The "reason to suspect" bar is lower than certainty. See 31 CFR § 1020.320.

The full answer

FinCEN's definition of suspicious activity is in 31 CFR § 1020.320. A bank must file a SAR when a transaction involves or aggregates to $5,000 or more and meets at least one of four conditions:

  1. The transaction involves funds from illegal activity.
  2. The transaction is structured to evade any Bank Secrecy Act requirement, including keeping deposits below the $10,000 CTR threshold.
  3. The transaction lacks a lawful purpose or is inconsistent with the customer's known business, and no reasonable explanation exists after examination.
  4. The transaction involves using the bank as an instrument for criminal activity.

The $5,000 floor applies to banks, broker-dealers, casinos, and insurance companies. Money services businesses file at $2,000 under a separate implementing regulation. Thresholds are aggregate: a customer who splits a $7,000 transfer into two $3,500 transactions on the same day can still trigger a SAR obligation.

How long do banks have to file a SAR? Once suspicious activity is detected, the clock is 30 calendar days. When no suspect is identified, that window extends to 60 days. Missing either deadline is itself a BSA violation, separate from any underlying conduct.

The "reason to suspect" standard

This is the part most compliance teams get wrong. FinCEN doesn't require certainty. It doesn't require knowing the predicate offense. The standard is objective: would a reasonable compliance officer, given the same customer profile and transaction pattern, suspect illegal activity?

OCC examination findings have repeatedly cited banks for applying a much higher bar, essentially demanding near-certainty before filing. That gap between what the statute requires and what banks actually practice is where enforcement actions come from. TD Bank's 2024 $1.3 billion FinCEN penalty included failures to file SARs on transactions that clearly met the "reason to suspect" standard by any objective measure.

The tipping-off prohibition under 31 USC § 5318(g)(2) is absolute. You can't tell a customer, counterparty, or correspondent that a SAR has been filed or may be filed. The prohibition applies even if the filing was a mistake. It's a separate federal offense with its own civil and criminal penalties.

The safe harbor under 31 USC § 5318(g)(3) is equally unconditional in the other direction. Good-faith SAR filers are immune from civil liability. The subject of the SAR cannot sue, even if the suspicion turns out to be wrong. Compliance teams sometimes hesitate to file on high-value or long-standing customers. The safe harbor exists precisely for that situation.

"Suspicious activity" covers more than transactions. FinCEN's framework extends to non-transactional conduct: a customer who asks staff specific questions about BSA reporting thresholds, or who provides identification documents that appear inconsistent, can generate a SAR obligation without any funds moving. For how the U.S. SAR framework maps to international equivalents, see "What is the difference between a SAR and an STR?"

Why this matters

The definition directly shapes how transaction monitoring systems get tuned. If your alerts only fire on clear-cut structuring at $4,900, you're applying a narrower standard than the regulation requires. FinCEN's "no lawful purpose" trigger covers transactions that fall within normal dollar ranges but are inconsistent with the customer's profile. That's where customer risk ratings and CDD and EDD data feed directly into SAR obligations. A customer scored as low-risk gets less scrutiny. A transaction that would be suspicious from a high-risk customer gets flagged. The risk rating is the context for the definition.
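The aggregate floor and the profile-based trigger described above, sketched as a monitoring rule next to a naive per-transaction rule. This is an added example, not FinCEN's or any vendor's logic; the same-day grouping window, the `PROFILE_MULTIPLE` knob, the `EXPECTED_DAILY` profile field and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

SAR_FLOOR = 5_000        # bank floor stated on this page
CTR_THRESHOLD = 10_000   # CTR threshold stated on this page
PROFILE_MULTIPLE = 3     # assumption: a tuning knob, not a regulatory value

# Constructed sample data: (customer, day, amount, is_cash)
TXNS = [
    ("C1", date(2024, 3, 4), 3_500, False),
    ("C1", date(2024, 3, 4), 3_500, False),  # two transfers, 7,000 in aggregate
    ("C2", date(2024, 3, 4), 9_500, True),
    ("C2", date(2024, 3, 4), 9_000, True),   # cash kept under the CTR line
    ("C3", date(2024, 3, 4), 4_000, False),  # below the floor even in aggregate
    ("C4", date(2024, 3, 4), 6_000, False),  # in scope, consistent with profile
]
# Constructed CDD profiles: expected daily volume (hypothetical field)
EXPECTED_DAILY = {"C1": 1_000, "C2": 20_000, "C3": 500, "C4": 8_000}

def aggregate_daily(txns):
    """Group transactions by (customer, day) so thresholds see the total."""
    groups = defaultdict(list)
    for cust, day, amount, is_cash in txns:
        groups[(cust, day)].append((amount, is_cash))
    return groups

def review_alerts(txns, expected_daily):
    """Return {customer: [reasons]} for analyst review, not a filing decision."""
    alerts = {}
    for (cust, _day), items in aggregate_daily(txns).items():
        total = sum(amount for amount, _ in items)
        if total < SAR_FLOOR:  # the floor applies to the aggregate
            continue
        reasons = []
        cash = [amount for amount, is_cash in items if is_cash]
        if len(cash) > 1 and max(cash) < CTR_THRESHOLD <= sum(cash):
            reasons.append("possible structuring under CTR threshold")
        if total > PROFILE_MULTIPLE * expected_daily[cust]:
            reasons.append("inconsistent with customer profile")
        if reasons:
            alerts[cust] = reasons
    return alerts

def per_transaction_rule(txns):
    """Naive rule for comparison: looks only at single amounts."""
    return {cust for cust, _day, amount, _cash in txns if amount >= SAR_FLOOR}
```

On this sample the naive rule misses C1's split transfer entirely and flags C4 on size alone, while the aggregated rule surfaces C1 and C2 with a stated reason an analyst can carry into the narrative.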

Alert tuning that's too broad creates the opposite problem. We've seen compliance teams carry open alert queues of 6,000 or more, with no clear triage methodology. What percentage of AML alerts are false positives? At most institutions, it's above 95%. Every unnecessary alert adds to backlog. Backlogs of that size mean SARs get filed late or not at all, which is a violation on top of the underlying conduct.

SAR narrative quality matters as much as the filing decision. The FFIEC BSA/AML Examination Manual evaluates whether narratives explain the suspicion in concrete terms. What does the customer normally do? What changed? What triggered the alert? What did the investigation find? A narrative that says "transaction appears unusual" fails the examination standard every time.

Filing a SAR is the institution's obligation in the U.S., not any individual officer's. But internal escalation and approval chains get reviewed during exams. If the chain adds delays that push filings past the 30-day window, that's a finding. The process has to be fast enough to actually meet the deadline.

Can AI be used for AML transaction monitoring? Yes, and many institutions now use model-based scoring to triage alerts against the "reason to suspect" standard. The challenge is explainability. Examiners want to know why a specific transaction resulted in a SAR referral, not just that a model scored it above a threshold. Audit trails for individual decisions aren't optional anymore.

If you're running a multi-jurisdiction program, FinCEN's definition doesn't map cleanly onto all EU member states' interpretations of suspicion under AMLD6. The UK's threshold is zero: any suspicion, regardless of amount, triggers a filing obligation. The difference between AML and CFT matters here too, since CFT reporting sometimes follows lower thresholds than standard AML triggers.

For downstream consequences, see what happens when a bank fails an AML exam and who can see a filed SAR. And if your program extends to currency transactions, the penalty for a missed CTR is a separate but related exposure to understand.
