Who can see a filed SAR?

Quick answer

A filed SAR is visible only to FinCEN, authorized law enforcement agencies, and federal banking regulators. The institution can't disclose it to the transaction subject or even confirm it was filed. This confidentiality requirement comes from 31 U.S.C. § 5318(g)(2) of the Bank Secrecy Act.

The full answer

A SAR filed in the US is accessible to a narrow set of authorized parties defined in 31 U.S.C. § 5318(g)(2) of the Bank Secrecy Act. That list doesn't include the subject of the report.

Authorized recipients in the US:

  • FinCEN: Receives all US SARs through the BSA E-Filing System. Analysts there process filings, identify patterns across the financial system, and can issue geographic targeting orders or refer activity to law enforcement.
  • Federal law enforcement: FBI, DEA, IRS Criminal Investigation, Homeland Security Investigations, Secret Service, and other agencies with FinCEN database credentials. Access is credential-gated and auditable.
  • Federal banking regulators: OCC, Federal Reserve, FDIC, NCUA. They access SARs filed by institutions they supervise, primarily during exams. What triggers a regulatory exam often correlates with SAR filing patterns, and regulators use SAR history to contextualize what they find on-site.
  • State bank examiners: Permitted with appropriate authority, depending on the state.
  • The filing institution: Compliance officers, BSA officers, and legal counsel with a documented need. The person who actually submits the SAR doesn't automatically carry broader access rights than any other authorized compliance staff member.

The subject of a SAR has zero access. The institution can't confirm one was filed, can't produce it in response to a customer request, and can't acknowledge its existence in correspondence. That's the tipping-off prohibition. It holds regardless of how the question is framed, whether it comes from the customer directly, through counsel, or via a civil discovery demand.

Corporate group sharing is permitted within a consolidated banking entity under § 5318(g)(2)(B), as long as the recipient entity is also subject to SAR requirements. Sharing with an unregulated affiliate, an insurance subsidiary not covered by SAR rules, or a foreign branch operating under different legal standards requires a separate legal analysis in each case. Don't assume that being part of the same corporate family is enough.

Section 314(b) of the USA PATRIOT Act enables voluntary information sharing between financial institutions about suspected money laundering or terrorist financing. It covers underlying suspicious activity information, not the SAR document itself. How FinCEN defines suspicious activity shapes what can be shared under 314(b) versus what stays locked inside a filed report.

In the UK, SARs go to the National Crime Agency under the Proceeds of Crime Act 2002. Sections 333A to 333E create the tipping-off offense, carrying up to two years' imprisonment. The NCA, HMRC, and Serious Fraud Office access UK SARs through authorized channels. When consent is sought via the DAML (Defence Against Money Laundering) system before proceeding with a transaction, the NCA sees the request immediately.

The difference between a SAR and an STR is relevant here. In some jurisdictions, STRs go to different agencies with different access rules. The authorized recipient list shifts depending on which regulatory framework applies, so cross-border compliance teams can't assume the US model translates directly.

Why this matters

The tipping-off prohibition creates genuine operational risk for front-line staff. Relationship managers who discuss an account closure without knowing a SAR triggered it can inadvertently tip off the subject. Customer service staff who say "I can look into why your account was closed" and then start reading case notes face the same problem. Every team that touches high-risk accounts needs clear, written guidance: no discussion of SARs, no confirmation, no denial.

Internal access controls are examination-ready evidence. Regulators ask for SAR access logs during BSA/AML exams. A long list of people with access, or access by staff with no clear AML function, signals weak governance. The correct posture is a narrow, documented access list that's reviewed at least annually.
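The access-log review described above can be automated. The following is an added example, not code from this page: the log format, user names, role names and the 365-day reading of "at least annually" are all assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Assumed role names that count as a clear AML function.
AML_ROLES = {"bsa_officer", "compliance_analyst", "legal_counsel"}
REVIEW_MAX_AGE = timedelta(days=365)  # assumed reading of "reviewed at least annually"

# Constructed documented access list: user -> role and date the entry was last reviewed.
ACCESS_LIST = {
    "jlee": {"role": "bsa_officer", "last_review": date(2024, 3, 1)},
    "mroy": {"role": "compliance_analyst", "last_review": date(2022, 11, 15)},
    "kdiaz": {"role": "relationship_manager", "last_review": date(2024, 2, 10)},
}

# Constructed SAR access log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-06-03T09:12:44Z user=jlee action=view sar_id=SAR-0001
2024-06-03T10:01:02Z user=mroy action=view sar_id=SAR-0001
2024-06-04T14:30:19Z user=kdiaz action=view sar_id=SAR-0002
2024-06-05T08:45:00Z user=tsmith action=export sar_id=SAR-0002
garbage line without fields
"""

def parse_log(text):
    """Parse log lines into dicts, skipping lines without user and sar_id."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" in fields and "sar_id" in fields:
            fields["ts"] = parts[0]
            events.append(fields)
    return events

def audit(events, access_list, as_of):
    """Return sorted (user, reason) findings for SAR access that breaks the documented list."""
    findings = set()
    for ev in events:
        entry = access_list.get(ev["user"])
        if entry is None:
            findings.add((ev["user"], "not_on_access_list"))
            continue
        if entry["role"] not in AML_ROLES:
            findings.add((ev["user"], "no_aml_function"))
        if as_of - entry["last_review"] > REVIEW_MAX_AGE:
            findings.add((ev["user"], "review_overdue"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in audit(parse_log(SAMPLE_LOG), ACCESS_LIST, date(2024, 6, 30)):
        print(f"{user}: {reason}")
```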

The tipping-off risk goes beyond customer conversations. SAR-derived language appearing in a civil deposition response, a court-ordered document, or a regulatory submission can constitute disclosure. Legal counsel should review any document that might describe activity that triggered a filing. AML exam failures often trace back to exactly these process failures, not to a missed filing deadline.

Law enforcement contact changes the calculus. If the FBI contacts the bank about a customer after a SAR was filed, the bank can share the SAR with the requesting agency. That's permitted. What the bank still can't do is tell the customer that law enforcement called. A monitorship is sometimes the direct consequence of a pattern where SAR confidentiality obligations were repeatedly breached or where the underlying program was structurally deficient.

How long banks have to file a SAR and the confidentiality rules around access are connected. The 30-day window exists partly because the report is meant to be invisible to the subject. A slow, poorly controlled filing process undermines the entire purpose.

For teams deploying AI in AML transaction monitoring, SAR access controls apply to AI-generated outputs too. If an alert narrative references a prior SAR, or if SAR metadata is stored in a system accessible to front-line staff, that's a control gap that will surface in the next exam.
