What needs to be in a SAR?

Suspicious Activity Reports (SARs) are a legal mechanism for reporting knowledge or suspicion of money laundering, terrorist financing or proliferation financing. 

The requirement to submit a SAR is set out in UK law and forms a core part of the anti-money laundering framework under the Money Laundering Regulations 2017 (as amended) (MLRs), alongside the Proceeds of Crime Act 2002 and the Terrorism Act 2000.

When done well, a SAR gives the UK Financial Intelligence Unit (UKFIU) (part of the National Crime Agency) usable intelligence that can be analysed quickly and acted on. Without enough evidence included, it risks delays, missed opportunities and follow-up questions from supervisors.

What a SAR is trying to achieve

A SAR is not an accusation and it’s not a conclusion that a crime has taken place. It is a report of suspicion, based on what you know in the course of your regulated work.

The UKFIU’s focus is practical. They need enough information to understand the situation quickly, assess risk, link reports together and decide whether the intelligence should be passed on to law enforcement or other agencies.

That means your SAR should answer six simple questions clearly:

• Who is involved
• What has happened
• When it happened
• Where it happened
• How the activity was carried out
• Why it is suspicious

If those six elements are present and well explained, you’re already a long way towards a good-quality SAR.

Internal SARs and the role of the MLRO

In regulated businesses, staff don’t submit SARs directly to the NCA. They submit an internal SAR to the MLRO or equivalent nominated officer.

A good internal SAR (also known as an internal escalation report) should contain the same core information as an external SAR. That allows the MLRO to:

• assess the suspicion properly;
• decide whether an external SAR is required;
• add context or additional information if needed; and
• document the decision-making process.

This is where having a structured internal SAR process really matters. If information is missing at the internal stage, it often leads to delays, follow-up questions or weaker external reports.

The core information every SAR must include

Who is involved

You should identify all relevant parties, not just your client. This includes:

• the main subject of suspicion;
• any associated individuals or entities;
• beneficial owners, directors or trustees where relevant; and
• third parties involved in transactions.

Use full names, dates of birth, addresses, company numbers and account details where you have them. If you don’t know something, don’t guess. Just leave it out. Clarity matters more than completeness. Accurate identifiers help the UKFIU connect your report with others.

What is suspicious

This is the factual description of the activity that caused concern. Focus on what you observed, not what you think it means. Avoid emotive language. Stick to what happened and what you’ve witnessed. For example:

• unusual transactions or payment patterns;
• inconsistencies between the client’s profile and their activity;
• reluctance or refusal to provide information;
• explanations that change over time; or
• transactions that appear to have no clear economic or legal purpose.

When it happened

Dates and timeframes are critical, and if the activity is ongoing say so clearly. Be as specific as you can with:

• exact transaction dates;
• periods during which suspicious behaviour occurred; and
• when concerns first arose.

Where it happened

This includes:

• relevant jurisdictions;
• bank accounts and financial institutions;
• property addresses; and
• countries involved in transactions or ownership structures.

Jurisdictional detail is particularly important where overseas entities, high-risk countries or sanctions exposure may be relevant.

How the activity was carried out

This is where many SARs are weak. The UKFIU needs to understand the mechanics. Explain:

• how funds moved from A to B;
• how structures were set up or used;
• how the client interacted with you or others; and
• how transactions were funded or routed.

Why it is suspicious

This is the most important section. You should clearly explain why, in your professional judgement, the activity raised suspicion. This is not the place to quote legislation or guidance. It’s about showing your reasoning. Link it to:

• the client’s known profile;
• what you would normally expect to see;
• relevant red flags or risk indicators; and
• gaps, inconsistencies or implausible explanations.

The importance of a clear narrative

The UKFIU strongly encourages reporters to use the free-text narrative section properly. This is where you pull everything together. A good narrative:

• follows a logical order;
• uses plain English;
• avoids jargon and internal abbreviations; and
• explains context, not just transactions.

Imagine you’re explaining the situation to someone who has never seen the client before. That’s effectively what you’re doing.

What not to include in a SAR

There are some common mistakes that reduce SAR quality. Avoid:

• speculation about criminal offences you can’t evidence;
• irrelevant background information;
• copying internal risk assessments verbatim;
• defensive language explaining why you acted correctly; and
• mentioning that a SAR has been or will be filed.

Never let a client know that a SAR has been made, known as ‘tipping off’. This includes subtle hints or changes in behaviour that could reasonably alert them. It’s an offence and could see you being prosecuted too.

Record keeping and audit trails

Submitting a SAR is not the end of the process. Under the MLRs, firms are legally required to keep appropriate records relating to suspicious activity reporting and the decisions taken around it.

This record keeping duty sits alongside your wider AML obligations and is essential for demonstrating that your firm applies a proper risk-based approach in practice, not just on paper.

You must retain clear records of:

• internal SARs raised by staff, including the information provided at the time;
• decisions made by the MLRO or nominated officer after reviewing the internal SAR;
• the rationale for submitting, or deciding not to submit, an external SAR to the NCA; and
• any Defence Against Money Laundering (DAML) report or Defence against Terrorist Financing (DATF) report submitted and the outcomes, including consent granted or refused.

These records must be kept securely so you can produce them promptly if needed. Supervisors routinely review SAR logs and decision records during AML inspections, to assess whether suspicions are being identified, escalated and handled appropriately.

Using technology to support better SARs

Technology can’t replace professional judgement, but it can support consistency and completeness.

A structured internal SAR process helps staff know what information to include and prompts them to think through the six key questions. It also helps MLROs manage reports, track decisions and maintain clear audit trails.

For firms using AMLCC, the Internal SAR Portal is designed to do exactly that as it includes identical information to the NCA’s external SAR portal. It guides staff through the information needed, centralises reporting and links SARs to client risk assessments and records. That makes it easier to produce higher-quality external SARs and demonstrate compliance during reviews.

Final thoughts

A good SAR is clear, focused and grounded in professional judgement. It doesn’t need to be long or legalistic, but it does need to explain the story behind the suspicion.

If you can clearly answer who, what, when, where, how and why, you are meeting the UKFIU’s expectations and protecting both your firm and the wider financial system.

Treat SAR reporting as part of your risk management process, not a last-minute task. The quality of your SARs says a lot about the quality of your AML framework overall.