How long do banks have to file a SAR?
Quick answer
US banks have 30 calendar days from initial detection to file a SAR with FinCEN, per 31 CFR 1020.320. That window extends to 60 days when no suspect has been identified at the time of detection. Outside the US, deadlines vary: the UK requires filing as soon as practicable under POCA 2002. ---
The full answer
US banks must file a SAR within 30 calendar days of the date of initial detection of suspicious activity, per 31 CFR 1020.320. If the bank has not yet identified a suspect at the time of detection, that window extends to 60 calendar days. There is no further extension; 60 days is the hard ceiling.
The phrase "initial detection" is not the date of the transaction. FinCEN's position, reinforced in multiple guidance documents, is that the clock starts when the institution has enough information to recognize the activity as suspicious. For most banks, that means the date an alert is escalated to a compliance analyst for SAR review. A bank with a large alert queue, where alerts sit unreviewed for two or three weeks before escalation, is consuming its 30-day window before investigation even begins. Given that false positive rates in AML transaction monitoring regularly exceed 90%, the time cost of alert triage has a direct effect on how much investigation time remains before the SAR deadline.
Continuing activity SARs
Filing once doesn't close the obligation. FinCEN requires a follow-up SAR every 90 days for as long as the suspicious activity continues. This is a separate requirement from the original 30-day window. Compliance teams that treat the initial filing as the end of the process routinely accumulate 90-day violations without realizing it.
SAR deadlines by jurisdiction
| Jurisdiction | Deadline | Regulator | Source |
|---|---|---|---|
| United States | 30 days (60 if no suspect identified) | FinCEN | 31 CFR 1020.320 |
| United Kingdom | As soon as practicable | NCA / UKFIU | POCA 2002 |
| Australia | 3 business days (24 hrs if terrorism) | AUSTRAC | AML/CTF Act 2006 |
| Canada | 30 days | FINTRAC | PCMLTFA |
| EU member states | Promptly / without delay (varies by country) | National FIUs | AMLD6 |
The EU's Sixth Anti-Money Laundering Directive doesn't impose a single day count. German BaFin-supervised banks and French ACPR-regulated institutions operate on separate national timelines. Most EU implementations require filing immediately upon reasonable suspicion, which in practice means faster than the US 30-day window.
Urgent cases: terrorism and sanctions
The 30-day window doesn't apply when terrorism financing or sanctions involvement is suspected. FinCEN guidance and the USA PATRIOT Act require immediate verbal notification to appropriate law enforcement, followed by a written SAR, in those cases. The calendar deadline is a floor for ordinary suspicious activity, not a ceiling for serious threats.
How detection speed affects filing compliance
AI-assisted AML transaction monitoring reduces the gap between transaction date and detection date. Faster detection doesn't extend the 30-day window, but it does mean the investigation team has more of that window available for actual analysis. A bank that detects in 5 days has 25 days to investigate; one that detects in 20 days has 10. The difference often determines whether a SAR can be filed with complete supporting documentation or has to go out thin.
Why this matters
Late SAR filings are one of the more reliable predictors of a formal regulatory examination. Both FinCEN and the OCC track filing timeliness as an indicator of AML program health. A pattern of late filings, even without a specific penalty action, tells examiners that the detection-to-escalation pipeline is broken somewhere.
The penalty exposure is real. Under 31 U.S.C. 5321, FinCEN can assess civil money penalties of up to $1 million, or twice the transaction amount, for a pattern of BSA violations. The 2012 HSBC consent agreement, which resulted in a $1.92 billion settlement, cited systemic SAR filing failures among a broader set of AML program deficiencies. Smaller institutions have faced six-figure penalties for patterns of late or missed filings.
The MLRO or compliance officer responsible for filing typically builds internal buffers to absorb review and approval cycles. Most AML programs target SAR completion by day 20 to 25, leaving five to ten days for legal sign-off before the wall. That buffer disappears when enhanced due diligence surfaces new information late in the window, or when a CTR filing for the same transaction needs to be reconciled first.
FinCEN self-disclosure guidance expects banks that discover late filings to file retroactively and document the root cause. Proactive disclosure generally reduces penalty exposure. Failure to disclose, once examiners find the gap independently, compounds it. The consequences of a missed CTR follow a similar pattern, and regulators often find SAR and CTR compliance failures together.
Related questions
- Who files a SAR: the MLRO or the compliance officer?
- What is the penalty for a missed CTR?
- What triggers a regulatory exam?
- Can AI be used for AML transaction monitoring?
- What percentage of AML alerts are false positives?
Related concepts and regulations
- SAR (Suspicious Activity Report)
- CTR (Currency Transaction Report)
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)
- FATF Recommendation 11: Record Keeping