Suspicious Activity Reports (SARs): Best Practice Guide

The Suspicious Activity Report is the primary mechanism through which the financial sector contributes to law enforcement's fight against money laundering, terrorist financing, and associated serious crime. In the UK, SARs are submitted to the UK Financial Intelligence Unit (UKFIU), part of the National Crime Agency. In the 2023–24 reporting year, the UKFIU received approximately 901,000 SARs — the highest volume on record. Yet the quality of those reports, and the intelligence value they deliver, remains highly variable. Understanding how to produce SARs that are legally compliant, operationally useful, and genuinely valuable to law enforcement is a core professional skill for any MLRO.

The Legal Obligation to Report

The UK SAR obligation derives from the Proceeds of Crime Act 2002 (POCA 2002) and the Terrorism Act 2000 (TACT 2000). Section 330 of POCA creates the offence of "failure to disclose" for people in the regulated sector who, in the course of business, know, suspect, or have reasonable grounds to know or suspect that another person is engaged in money laundering, and who fail to disclose this as soon as practicable to their MLRO (internal report) or to the NCA (external SAR).

The threshold is "knows or suspects" — not proof, not certainty. Suspicion in the legal sense has a relatively low threshold: in Shah v HSBC (2010), the court confirmed that suspicion means more than a "mere fleeting thought," but does not require a firmly-formed belief. The key question is whether, at the time of the relevant activity, the reporter held a genuine and honestly held suspicion based on available information. Critically, knowledge of the legal threshold matters: "I didn't think it rose to the level of suspicion" is not a viable defence if a reasonable person in the reporter's position would have suspected money laundering.

Internal SAR Process

For most reporting entities, the SAR journey begins with an internal report to the MLRO. The firm's policies should set out clearly who can submit internal reports (typically any employee), the form that reports should take, and the timeline within which the MLRO must respond. The MLRO then decides whether to submit an external SAR to the NCA's UKFIU portal, decline to do so (and document the reason), or seek more information before making a decision.

The MLRO's decision must be documented regardless of outcome. Where the MLRO decides not to file a SAR, the reasons must be recorded in a manner that would withstand regulatory examination. Common legitimate reasons for not filing include: the activity has a satisfactory and verified explanation, the reporter misunderstood the legal threshold, or the matter relates to a tax issue outside the SAR perimeter. What is not acceptable is declining to file because the customer is valued, because filing would be commercially inconvenient, or because the MLRO assumes law enforcement won't be interested.

What Makes a Good SAR

The NCA and UKFIU have published extensive guidance on SAR quality, and the feedback from law enforcement has been consistent: too many SARs contain insufficient detail to be actionable intelligence, too many are filed as "defensive" reports to create a record rather than to provide genuine intelligence, and too many are so poorly structured that analysts cannot extract the key facts without significant effort.

A high-quality SAR should include:

• Clear identification of the subject: Full name, date of birth, address, account number, national identity number, and any other identifiers available. Incomplete subject details are one of the most common reasons SARs cannot be linked to NCA records or law enforcement databases.
• Specific suspicious activity: A precise description of what was done, when, and why it is suspicious. "Unusual transaction patterns" is not sufficient. "On 14 March 2026, the customer initiated 12 consecutive transfers totalling £47,000 to six different payees, none of which match any previously identified business counterparty, within 4 hours of receiving a single large inbound transfer from a third party not previously encountered" is useful intelligence.
• The predicate offence assessment: Where possible, identify the suspected predicate offence — is the suspicion related to drug trafficking proceeds, tax evasion, fraud, human trafficking? Law enforcement can allocate the report more effectively when a suspected category is identified, even if uncertain.
• Account history context: Note how the suspicious activity differs from the customer's established pattern of behaviour. If the customer has been a low-risk client for three years and the current activity is anomalous, say so.
• Supporting transactions: Include full transaction details — amounts, dates, counterparty identifiers — not just a narrative summary. The UKFIU portal allows structured data attachments; use them.

Tipping Off

Section 333A of POCA 2002 creates the tipping off offence: once a SAR has been submitted (or the MLRO knows a constable is considering making a SAR), it is an offence to disclose to the customer (or to any other person) that a SAR has been filed, or to disclose any information likely to prejudice any investigation that might be conducted. The maximum penalty is five years' imprisonment.

Tipping off is one of the most practically difficult aspects of SAR compliance, particularly where customers ask directly why their account has been restricted or why a payment has been delayed. Staff must be trained to respond to such enquiries without revealing the existence of a SAR — standard responses such as "we are conducting routine compliance checks" or "there is a processing delay" are generally acceptable, but any response that effectively confirms the existence of a SAR — even by implication — creates a risk of the tipping off offence.

There are statutory defences to tipping off, including disclosure within the firm's corporate group and disclosure to professional advisors seeking advice about SAR obligations. These defences are narrow and specific; legal advice should be sought before relying on them.

Consent SARs: The Moratorium Period

Where a firm wishes to proceed with a transaction that it suspects may involve money laundering proceeds, it may seek consent from the NCA before doing so — known as a "consent SAR" or "defence against money laundering" (DAML) request. Under section 335 of POCA, the NCA has seven working days from receipt of the DAML to refuse consent; if consent is not refused within that period, the firm may proceed without committing a money laundering offence. If consent is refused, the firm enters a 31-calendar-day moratorium period during which it must not proceed and law enforcement can obtain a court order to restrain the funds.

DAML SARs are particularly important for payment firms that identify suspicious activity mid-processing and must decide whether to execute or halt a payment. The UKFIU has resources specifically for urgent DAML requests where the seven-working-day timeline is commercially or practically unworkable — firms should understand the escalation process in advance.

Defensive vs Intelligence-Led Reporting

The NCA has been increasingly vocal about the distinction between "defensive" SARs — filed primarily to create a legal record that the firm has reported, without genuine intelligence content — and "intelligence-led" SARs that provide actionable information. High-volume defensive filing by large institutions is one reason why the UKFIU receives nearly a million SARs per year but can only investigate a fraction. Regulators and law enforcement both value a smaller number of high-quality, intelligence-rich SARs over a large volume of formulaic reports.

Compliance programmes should include quality control for SAR output — not just volume metrics. MLROs should review a sample of SARs filed by their teams and provide feedback on quality. Analyst training should emphasise the intelligence value of SARs, not just the legal compliance function. And SAR filing rates should be considered alongside conversion rates (the proportion of SARs that receive a substantive law enforcement response) as a measure of programme effectiveness.