SAR and CTR Obligations in a FinTech

Everything we've built, identity, due diligence, monitoring, sanctions, ultimately produces two core Bank Secrecy Act reports to FinCEN. The Suspicious Activity Report, the SAR, tells the government about transactions that may involve money laundering or other illicit activity. The Currency Transaction Report, the CTR, reports large cash transactions.

Both are filed electronically through FinCEN's B-S-A E-Filing system. For a fintech, the CTR is often less central, because many fintechs handle little or no physical cash, but the SAR is the beating heart of the program: it's the output that the entire detection machine exists to produce. This lecture covers the thresholds, timelines, and quality standards for both, and where fintechs slip.

Start with the SAR. For money services businesses, the rule at thirty-one C-F-R ten-twenty-two point three-twenty requires a SAR for suspicious transactions of two thousand dollars or more; for banks, the parallel rule is ten-twenty point three-twenty with its own threshold. You file when you know or suspect that a transaction involves funds from illegal activity, is designed to evade BSA requirements, has no apparent lawful purpose, or otherwise looks suspicious for that customer.

Timing matters: you generally must file within thirty calendar days of detecting the facts that prompt the report, extendable to sixty days if you can't yet identify a suspect. The exam-style traps are the threshold and the clock: fintechs sometimes wait too long while an investigation drags, blowing the thirty-day window, or never file because no single transaction looks big, missing a pattern of smaller ones.

A SAR is only as useful as its narrative, and this is where many fintechs underperform. The narrative has to tell a clear story: who is involved, what happened, when and where it happened, and crucially why it's suspicious and how the activity unfolded. A good narrative is specific and chronological: it walks the reader through the accounts, amounts, dates, and the pattern, and explains the analyst's reasoning, not just the conclusion.

The common weakness is a thin, conclusory narrative, 'customer engaged in suspicious activity', that gives law enforcement nothing to act on. Examiners read SAR narratives and rate their quality; a program that files on time but writes uninformative narratives still has a finding. Train your analysts to write the story a detective could pick up and use, and keep the supporting documentation organized behind it.

Two more SAR essentials. First, confidentiality is absolute and legally protected. You must not tell the customer, or any unauthorized person, that a SAR was filed or even considered; tipping off is itself a violation, with narrow, specified exceptions for sharing within the organization and with regulators and law enforcement.

For a customer-friendly fintech, this means support and operations staff must be trained never to hint that an account action relates to a SAR. Second, recordkeeping: retain the SAR and its supporting documentation for the period the rules require, and keep it organized and producible. And close the loop, feed what you learn from filings back into monitoring and risk rating, so the program gets smarter over time.

A SAR isn't the end of a case; it's a data point that should sharpen your detection.

Now the CTR. Under thirty-one C-F-R ten-ten point three-eleven, a Currency Transaction Report is required for cash transactions exceeding ten thousand dollars by or on behalf of one person in a single business day, and you must aggregate multiple cash transactions that together cross the line, you can't let someone split a deposit to stay under it. Which brings up structuring: deliberately breaking cash into smaller amounts to evade the CTR is a federal crime in itself, and a strong basis for filing a SAR even though no single transaction triggered the CTR.

Many fintechs are cash-light and rarely file CTRs, but don't assume it never applies: if you have agent locations, cash-loading networks, ATM access, or cash on-ramps, you have CTR touchpoints. Map where physical currency enters your ecosystem, and make sure aggregation and CTR filing are handled there.

Let's lock it in. The two core reports are the SAR and the CTR. For an MSB, file a SAR on suspicious activity of two thousand dollars or more within thirty days of detection, write a specific narrative that tells the who, what, when, where, why, and how, and keep the filing strictly confidential, no tipping off.

The CTR covers cash transactions over ten thousand dollars in a day, with aggregation, and deliberate structuring to dodge it is both a crime and a SAR trigger. Self-check: can your program detect a pattern of small transactions that no single alert catches, file the SAR within thirty days, and write a narrative a detective could use? And do you know every place cash enters your ecosystem?

Next, the test it all leads to: regulatory exams and the enforcement trends shaping fintech AML.