top of page

Suspicious Activity Reports

Organizational Context

This case examines Suspicious Activity Report (SAR) handling across the U.S. Treasury and financial regulatory ecosystem, including FinCEN, federal and state banking regulators, law enforcement partners, and reporting financial institutions.


SARs enter the system through mandatory filings by financial institutions, covering potential money laundering, fraud, terrorist financing, sanctions evasion, and other illicit financial behavior.


• SAR volumes are extremely high relative to investigative capacity.

• Most SARs do not lead to enforcement action.

• Signals range from minor anomalies to indicators of serious crime.

• Regulatory and law enforcement priorities evolve continuously.


How the Work Was Intended to Function

From a financial integrity perspective, SAR handling was expected to function as a filtering and prioritization mechanism:

• Institutions file SARs when thresholds are met.

• Regulators and FinCEN aggregate and analyze filings.

• High-risk patterns are surfaced for investigation.

• Law enforcement receives actionable intelligence.

• Deterrence improves through visibility and enforcement.


Because reporting obligations, analytics platforms, and interagency partnerships existed, the system appeared governed at an aggregate level.


What Was Actually Happening

Observed reality diverged materially:

• High volumes obscured truly dangerous activity.

• Low-risk SARs consumed disproportionate analytic attention.

• Escalation thresholds varied by institution and regulator.

• Feedback loops to reporting institutions were weak.

• After-action narratives focused on filing counts rather than impact.


The underlying issue was not compliance diligence, but the absence of a shared way to interpret one SAR before committing investigative and enforcement resources.


How FLOW Was Introduced

Leadership sought a stabilizing lens that preserved financial crime judgment while improving consistency. Specifically, they needed:

• A common language to explain why SARs behave differently.

• A method to separate filing volume from true financial risk.

• A unit-centered lens instead of managing raw report counts.

• Governance aligned to impact breadth rather than compliance optics.


FLOW was introduced as a classification lens applied early in SAR triage—before detailed investigation, referral, or enforcement posture was set.


Identifying the Unit of Effort

The organization anchored analysis on a single, stable unit of work:

• Unit of Effort: one suspicious activity pattern or case represented by a SAR.

• Multiple SAR filings may inform the same unit.

• Parallel analytic reviews do not create new units.

• The unit remains constant as understanding and response deepen.


How Complexity Was Determined

Complexity was defined strictly as the amount of judgment required to interpret intent, behavior, and legal exposure.


• Low complexity: clear anomaly with known explanation or low-risk typology.

• Higher complexity: layered transactions or obfuscation techniques.

• Higher complexity: cross-border activity or shell structures.

• Higher complexity: uncertain linkage to predicate offenses.


This definition of complexity was applied uniformly across all FLOW levels.


How Scale Was Determined

Scale was defined as the breadth of potential impact created by one suspicious activity pattern.

• Dollar value and transaction volume involved.

• Number of accounts, institutions, or jurisdictions affected.

• Potential linkage to organized crime or national security threats.

• Extent to which the activity undermines financial system integrity.


Isolated, low-value anomalies were treated as low scale; patterns affecting multiple institutions or high-value flows were treated as higher scale.


Other Measures of Scale Considered

• Media or political attention.

• Regulatory scrutiny.

• Institutional reputation risk.

• Case age or backlog pressure.


These measures were operationally visible, but were not used as the primary definition of scale in this walkthrough.


Applying FLOW to SAR Handling

With complexity and scale definitions fixed, each suspicious activity pattern was classified using the same logic. The unit remains constant across all examples below—this is still one suspicious activity case.

• Classify complexity first.

• Classify scale second.

• Assign the single FLOW classification that best fits the unit.


FLOW A — Local, Contained Anomalies

This example involves one SAR-related activity pattern. The unit does not change.


Example: a one-off transaction anomaly with benign explanation.


• Complexity: low (cause and explanation are clear).

• Scale: low (isolated exposure).

• Handling implication: documentation and closure.


Built-out handling: the SAR is reviewed, context is documented, and no further action is taken.


FLOW B — Broader Financial Exposure from One Pattern

This example still involves one suspicious activity pattern. The unit remains the same; the impact surface expands.


Example: repeated suspicious transactions across multiple accounts at one institution.


• Complexity: low (known typology).

• Scale: moderate (broader financial exposure).

• Handling implication: coordinated review.


Built-out handling: analysts coordinate across compliance and regulators, monitor patterns, and assess need for referral.


FLOW C — Complex, Judgment-Driven Patterns

This example still involves one suspicious activity pattern. Judgment requirements increase.


Example: layered transactions involving shell entities with unclear intent.


• Complexity: high (interpretation and hypothesis testing required).

• Scale: low-to-moderate (impact uncertain but misclassification risk is high).

• Handling implication: deliberate analysis before escalation.


Built-out handling: analysts assess typologies, seek additional intelligence, and advise on investigative posture.


FLOW D — System-Level Financial Integrity Threats

This example still involves one suspicious activity pattern. The unit remains unchanged; dependency becomes enterprise-wide.


Example: coordinated laundering operation spanning multiple institutions and jurisdictions.


• Complexity: variable.

• Scale: high (system-wide exposure).

• Handling implication: elevated governance.


Built-out handling: Treasury leadership coordinates law enforcement, international partners, and policy actions. One pattern constrains many downstream decisions.


FLOW S — Exceptional Financial Threats

This example still involves one suspicious activity pattern, but normal governance pathways are insufficient.


Example: imminent terrorist financing or sanctions evasion threat.


• Complexity and scale vary.

• Handling implication: explicit emergency authority.

• Key risk: bypassing controls without accountability.


Built-out handling: emergency actions are taken, financial channels are disrupted immediately, and executive oversight is direct.


What Changed After FLOW Classification

• SAR triage became more consistent.

• High-risk patterns surfaced earlier.

• Low-impact filings moved faster.

• Investigative resources aligned to true risk.


Organizational Implications

• Financial crime oversight became more defensible.

• Regulatory burden was better balanced.

• Law enforcement received clearer leads.

• System integrity improved.

© SolveBoard 2026

bottom of page