Who can see a filed SAR?

A Suspicious Activity Report enters a tightly restricted channel once filed. Five categories of parties have authorized access: FinCEN, authorized law enforcement, banking regulators, the filing institution itself, and (in limited cases) corporate affiliates. Everyone else, including the subject of the report, is legally barred from knowing it exists.

The full answer

FinCEN is the central repository. Every U.S. SAR goes through FinCEN's BSA E-Filing System. Analysts use the aggregated data to map typologies and respond to formal law enforcement requests. Investigators can query the system through the FinCEN Query (FCQ) platform, but access isn't open: it ties to specific active cases, not general browsing.

Authorized law enforcement covers a broad range of agencies. The FBI, DEA, IRS Criminal Investigation, Homeland Security Investigations, and authorized state financial crime units all have potential FCQ access. A SAR filed about a wire transfer doesn't alert every federal agent in the country. Someone has to request it, with a case to attach it to.

Banking regulators see your SAR filings during BSA/AML examinations. The OCC, Federal Reserve, FDIC, NCUA, and state regulators review filing rates, narrative quality, and timeliness. This is one reason how long do banks have to file a SAR matters operationally: a pattern of late filings shows up in exam data. For context on how examiners use this information, see what triggers a regulatory exam.

The filing institution keeps a copy for five years under 31 CFR § 1020.320(d). Internal access is narrow: the BSA officer, compliance leadership, and relevant senior management. The analyst who flagged the original transaction doesn't automatically receive a copy of the filed SAR.

Corporate affiliates have limited sharing rights. FinCEN's FIN-2010-G006 guidance (July 2010) permits sharing within a corporate family, including parent companies, head offices, and subsidiaries, provided each entity maintains its own AML program. It isn't automatic. The institution still has to assess whether the disclosure violates the tipping-off prohibition before sharing internally. The MLRO vs. compliance officer filing question is partly a governance question about who within the institution controls SAR access.

The tipping-off prohibition

The subject of a SAR can't see it. 31 U.S.C. § 5318(g)(2) makes disclosing the existence of a filed SAR, or one under consideration, a federal crime. This covers every person at the institution: the relationship manager, the teller, the IT staff with access to the filing system. There's no carve-out for "just mentioning it to the client."

SARs are exempt from FOIA requests under 5 U.S.C. § 552(b)(7)(A). Federal courts have held they're not producible in civil discovery proceedings. How FinCEN defines suspicious activity is worth reading alongside this: the definition determines what enters this confidential channel in the first place.

International SAR access

In the UK, Suspicious Activity Reports go to the National Crime Agency's (NCA) Financial Intelligence Unit under the Proceeds of Crime Act 2002, Section 330. The same tipping-off restriction applies. When a bank seeks DAML consent from the NCA to pause a transaction, it can't tell the customer why the transaction is being held.

EU member states route SARs to national FIUs, which share intelligence through the Egmont Group's secure network. For jurisdictional differences in SAR terminology, see what is the difference between a SAR and an STR.

Cross-border U.S. SAR data reaches foreign governments through MLATs or Egmont channels. It's a formal request process, not a standing access right.

Why this matters

The tipping-off prohibition creates an operational constraint most institutions underestimate. A SAR gets filed. The relationship continues. The frontline team keeps serving the account without any disclosure: no hint in client conversations, nothing in shared CRM fields that frontline staff could inadvertently reveal. The compliance team carries information that can't flow anywhere it doesn't need to go.

That operational constraint is one reason who files a SAR, the MLRO or the compliance officer, is a real governance question: the fewer people who know, the lower the tipping-off risk. Institutions that route SAR decisions through a single decision-maker reduce their exposure.

There's also no feedback loop. The institution files, retains the copy, and hears nothing. Law enforcement may act on a SAR within weeks or not for years. You won't know either way. That silence is by design, part of the same framework that protects any investigation that follows.

From an exam perspective, regulators benchmark SAR filing rates against peer institutions. A bank filing 200 SARs per month when similarly sized peers file 2,000 gets scrutinized for potential under-identification. The reverse is also true: flooding FinCEN with low-quality, defensive filings is its own exam finding. For the downstream consequences of exam findings, see what happens when a bank fails an AML exam.

AI used in AML transaction monitoring changes the volume question. Reducing false positive alert rates means the SARs that get filed represent genuinely analyzed cases, not defensive volume. That distinction matters when examiners review narrative quality alongside raw filing counts.

Related questions

• How long do banks have to file a SAR?
• Who files a SAR, the MLRO or the compliance officer?
• What is the difference between a SAR and an STR?
• How does FinCEN define suspicious activity?
• What happens when a bank fails an AML exam?

Related concepts and regulations

• What triggers a regulatory exam?
• What is the difference between CDD and EDD?
• Can AI be used for AML transaction monitoring?
• What percentage of AML alerts are false positives?