Transaction Monitoring, SAR/CTR Decisioning & Tipping-Off *(OUTLINE + BULLET BODY)*

Two o'clock on a Tuesday, and your monitoring system throws an alert: a customer who normally moves a few thousand dollars a month just wired ninety-five thousand to three countries in six days. An analyst has to decide — is this a story with an innocent ending, or the start of a federal investigation? And whatever they decide, there's one thing they absolutely cannot do: pick up the phone and warn the customer. By the end of this lecture, you'll know how that alert becomes a decision, when that decision becomes a SAR, and why warning the customer is a crime.

- Transaction monitoring is an **ongoing CDD obligation** under the FinCEN CDD Rule (31 CFR 1010.230) — institutions must conduct ongoing monitoring to identify and report suspicious activity and to keep customer information current. - The pipeline: **monitor** (rules/scenarios scan transactions) → **alert** (activity breaches a threshold or matches a typology) → **investigate/disposition** (analyst reviews, gathers context) → **escalate or close** → **file or don't file**. - An **alert is not a finding** — most alerts are **false positives** with a legitimate explanation. The point of disposition is to separate the explainable from the genuinely suspicious. Every disposition decision, file *or* no-file, should be **documented** so an examiner can reconstruct the reasoning later. - Monitoring is both **automated** (transaction-monitoring systems) and **manual** (front-line staff, referrals). Both feed the same case-management process.

- A **Currency Transaction Report** (FinCEN Form 112) is filed for **cash transactions exceeding $10,000** in **currency** by, through, or to the institution in a **single business day** (Bank Secrecy Act / 31 CFR 1010.311). - The CTR is **mechanical and objective** — no suspicion required. It also requires **aggregation**: multiple cash transactions by or on behalf of the **same person** totaling more than $10,000 in one business day must be added together and reported. - **Structuring** — deliberately breaking cash into amounts under $10,000 to evade the CTR — is itself a **crime** (31 USC 5324), even if the underlying cash is clean. Structuring is a classic SAR trigger. - **CTR filing deadline:** within **15 calendar days** of the reportable transaction.

- A **Suspicious Activity Report** (FinCEN Form 111) is filed when the institution **knows, suspects, or has reason to suspect** a transaction involves illegal funds, is designed to evade BSA requirements, has no apparent lawful purpose, or facilitates criminal activity (31 CFR 1020.320 for banks). - **Dollar thresholds for SAR filing** (banks): aggregate **$5,000 or more** where a suspect can be identified; **$25,000 or more** regardless of whether a suspect is identified. (Money services businesses use a **$2,000** threshold.) These are floors — suspicious activity below them can still be reported voluntarily. - **SAR timing — memorize this:** file within **30 calendar days** of initial detection of facts that may constitute a basis for filing. If **no suspect is identified** on the date of detection, the institution may delay up to an **additional 30 days** to identify a suspect, but **no later than 60 calendar days** after initial detection. - **Continuing activity:** if suspicious activity continues, file a **continuing SAR** — guidance directs review and, where appropriate, filing on the ongoing activity (commonly every **90 days**).

- **CTR** = objective, cash > $10,000/day, no suspicion needed, 15 days. **SAR** = subjective, suspicion-based, dollar floors of $5k/$25k (banks), 30/60 days. - The two are **not mutually exclusive**: a single event can require **both** (e.g., a $40,000 structured cash pattern can generate CTRs on the deposits *and* a SAR on the structuring). - Exam trap: a customer asking "how can I avoid the CTR?" or making deposits of $9,500 is a **SAR red flag for structuring** — the right answer is rarely "advise the customer," it's "monitor, document, and consider a SAR."

- **Tipping-off prohibition:** under the BSA (31 USC 5318(g)(2)) and FATF Recommendation 21, an institution and its staff **may not disclose to the customer (or any unauthorized person) that a SAR has been filed or is being considered.** Doing so can be a **criminal violation**. - **SAR confidentiality is broad:** the prohibition covers the SAR itself *and* any information that would reveal its existence. SARs may **not** be released in response to subpoenas; requests are referred to FinCEN. Sharing **within** the corporate group for AML purposes, and with FinCEN/law enforcement/examiners, is permitted. - Practical guardrail for analysts: you may ask a customer normal due-diligence questions ("what's the purpose of this wire?") — that is **not** tipping off. What you cannot do is signal that a report has been or might be filed. - FATF Recommendation 21 also provides a **safe harbor**: staff who report suspicions in good faith are **protected from liability**, even if the underlying criminal activity is never proven and even if it turns out there was no crime.

- **SAR records:** retain a **copy of the SAR and all supporting documentation for 5 years** from the filing date (31 CFR 1020.320). Supporting documentation must be made available to FinCEN and appropriate law enforcement on request — **without a subpoena**. - **CTR records:** retain for **5 years**. - **General BSA recordkeeping** (CDD, account, and certain transaction records) — the BSA's baseline retention norm is **5 years**. - The discipline that ties it together: a well-documented alert, a defensible disposition, a timely report, and a clean retained file — that is what an examiner inspects, and what protects the institution.

Let's pull it together. Monitoring produces alerts, alerts get investigated and dispositioned, and a documented decision either closes the case or becomes a report. A CTR is the easy one: cash over ten thousand in a day, fifteen days to file, no judgment involved. A SAR is the hard one: knowing, suspecting, or having reason to suspect — five thousand and twenty-five-thousand-dollar floors for banks, and that crucial thirty-day clock that stretches to sixty if you're still hunting for a suspect. Never warn the customer — tipping off is a crime — and keep the SAR and its support on file for five years. Next, we zoom out from the transaction to the institution itself: governance, culture, and the three lines of defense — who actually owns AML risk, from the front-line teller all the way to the board.