How does FinCEN define suspicious activity?
Quick answer
FinCEN defines suspicious activity as any $5,000+ transaction a bank has reason to suspect involves illegal funds, is designed to evade BSA reporting requirements, or has no apparent lawful business purpose. The four-part test is codified at 31 CFR 1020.320. ---
The full answer
FinCEN's definition of suspicious activity comes from 31 CFR 1020.320, the Bank Secrecy Act regulation covering banks, savings associations, and credit unions. A transaction is reportable when it involves $5,000 or more and the institution knows, suspects, or has reason to suspect any of four conditions:
- The funds come from illegal activity, or the transaction is intended to hide funds derived from illegal activity
- The transaction is designed to evade any BSA reporting requirement, including structuring
- The transaction has no apparent lawful purpose and the institution can't identify a reasonable explanation after reviewing the available facts
- The transaction involves use of the institution to facilitate criminal activity
The operative standard is "reason to suspect." Banks don't need proof. Reasonable suspicion grounded in observable facts is sufficient. The FFIEC BSA/AML Examination Manual is explicit on this: waiting for certainty is non-compliance.
The $5,000 threshold isn't universal. Money services businesses report at $2,000 for certain transactions under 31 CFR 1022.320. Casinos use $3,000 for table game transactions. When the suspected activity involves an institution's own employees or agents, there's no minimum threshold at all.
Structuring is its own offense
Deliberately breaking transactions into amounts below the $10,000 Currency Transaction Report threshold is a federal crime under 31 U.S.C. § 5324, regardless of whether the underlying funds are legitimate. Banks file SARs on structuring even when they have no other reason to suspect the source funds are dirty. The act of structuring is the violation, full stop.
FinCEN publishes SAR Activity Reviews twice yearly documenting the most common patterns banks are filing on. The recurring categories: structuring, transactions inconsistent with a customer's established profile, rapid layering across multiple accounts, and activity involving high-risk jurisdictions or entities with opaque ownership structures.
The tipping-off prohibition
Once a SAR is filed, it's a confidential law enforcement referral. The institution cannot disclose its existence to the subject under the prohibition at 31 U.S.C. § 5318(g)(2). Internal access is limited to staff with a legitimate need to know. Who can see a filed SAR? covers the access rules in full.
Why this matters
The breadth of "no apparent lawful purpose" is intentional. It shifts the burden to the institution: document why a transaction is normal, or document why it's suspicious and file. Teams that assume legitimacy without reviewing the facts are exposed.
The consequences of systemic SAR failures are severe. Capital One's 2021 consent order carried a $390 million civil money penalty, with deficient suspicious activity monitoring as a central finding by FinCEN and the OCC. TD Bank's 2024 guilty plea under the BSA, the largest in BSA history, involved a $3 billion settlement after the DOJ found the bank's compliance program allowed hundreds of millions in drug trafficking proceeds to flow through unchecked.
For compliance teams, the challenge isn't knowing the definition. It's operationalizing it across millions of daily transactions. What percentage of AML alerts are false positives? examines why most monitoring queues run 90-95% false positive rates and what that means for investigator capacity.
Good customer due diligence is what makes the "no apparent lawful purpose" test workable. If you don't know what a customer's normal activity looks like, you can't reliably identify what isn't. How often customer risk ratings should be refreshed directly affects how accurately teams can maintain that baseline and catch drift before it becomes a filing backlog.
AI-driven transaction monitoring is changing how banks apply the standard at scale. Machine learning models can flag behavioral anomalies against individual customer baselines far faster than static threshold rules. The legal definition stays the same. The model flags; a human investigator decides whether to file.
There's also a timing obligation that runs parallel to the detection question. How long banks have to file a SAR is a separate compliance requirement, but the clock starts from the moment suspicious activity is detected, not from the moment a team decides to file. That distinction surfaces regularly in enforcement actions.
Beneficial ownership is increasingly tied to the "no apparent lawful purpose" analysis. When a transaction involves an entity with opaque ownership, the institution often can't satisfy its own documentation obligation without knowing who the beneficial owner is. FinCEN's 2016 Customer Due Diligence rule made beneficial ownership verification mandatory for legal entity customers precisely because the existing framework left too many gaps.
Related questions
- How long do banks have to file a SAR?
- Who files a SAR: the MLRO or the compliance officer?
- What is the difference between a SAR and an STR?
- Who can see a filed SAR?
- What happens when a bank fails an AML exam?
Related concepts and regulations
- Bank Secrecy Act (31 U.S.C. § 5311 et seq.)
- 31 CFR 1020.320: SAR requirements for banks
- FFIEC BSA/AML Examination Manual
- FinCEN SAR Activity Review: Trends, Tips & Issues
- Anti-Money Laundering Act of 2020 (AMLA 2020)