How to Write a SAR Narrative: What FinCEN, FCA and EBA Actually Want to See: Most SAR rejections come down to the narrative — not the detection. A practical guide to writing a SAR narrative that meets FinCEN, FCA and EBA expectations.
HubSecure is relevant when teams need secure client records, document collection, workflow ownership, role-based access and audit-ready evidence in one governed workspace.
Filing a SAR is not a box-ticking exercise. A SAR that gets filed but is poorly written, vague, or internally inconsistent is worse than useless — it creates a record that you identified suspicious activity but failed to describe it clearly enough for a financial intelligence unit to act on.
The narrative section is where most SARs fail. It is also the section that no software tool can fully automate — because it requires a human analyst to synthesise information, draw reasonable conclusions, and describe behaviour in a way that reads as credible to an experienced investigator.
This guide explains what each major regulator looks for, how to structure a narrative that works, and the patterns that cause SARs to be returned or flagged as low quality.
Related HubSecure buying path
Compliance CRM guidecompliance CRM for growing companiesCRM moduleHubSpot comparisoncompliance CRM guideGuide Librarybook a workflow demo
Related HubSecure platform resources
Continue with HubSecure platform, secure client portal, compliance CRM, security and trust center, book a HubSecure demo.
Related use case
This guide belongs to the Workspace Alternatives and Tool Consolidation Guides cluster. Continue with the product hub for workspace alternatives and tool consolidation.
What a SAR narrative is actually for
A SAR narrative has one audience: a financial intelligence unit (FIU) analyst who may be reading dozens of SARs that day, looking for actionable intelligence about financial crime. They are not evaluating your compliance programme. They are trying to decide whether the activity you've described warrants investigation.
Write with that reader in mind. Your narrative should answer: what happened, why is it suspicious, who is involved, what money moved, and what do you think is going on?
Everything else — your internal ticket number, your onboarding date, your account reference — is supporting data. The narrative is the human-readable explanation that ties it together.
What FinCEN, FCA and EBA each require
FinCEN (United States)
FinCEN's SAR guidance requires narratives to include the "5 Ws and 1 H": who, what, when, where, why suspicious, and how conducted. Specifically:
- A description of the suspicious activity in detail — specific transactions, dates, amounts, counterparties
- A clear statement of why the activity is suspicious — not just that a rule fired, but what behaviour concerns you
- Information about any investigation steps taken, including whether law enforcement has been contacted
- A description of any related accounts or subjects not named in the header fields
FinCEN explicitly states that narratives should be written in plain English, in chronological order where possible, and should avoid abbreviations or internal jargon that the FIU analyst would not understand.
FCA (United Kingdom)
The UK's National Crime Agency (NCA), which receives SARs in the UK, and the FCA both look for narratives that are specific and evidence-based. The most common feedback on inadequate SARs is:
- "Activity described is too vague to be actionable"
- "No explanation of why the filer believes this constitutes suspicious activity"
- "Narrative does not match the transaction data attached"
The FCA has also emphasised that a SAR should describe the filer's suspicion — not their certainty. You do not need to prove that a crime occurred. You need to explain why you suspect it might have.
EBA (European Union)
The EBA's joint guidelines on the characteristics of a risk-based approach to AML/CFT supervision (updated 2022) require that suspicious transaction reports contain sufficient detail to enable the FIU to assess whether the information may be relevant to a money laundering or terrorist financing investigation. This mirrors the FinCEN approach — specificity, chronology, and a clear statement of the basis for suspicion.
Key principle across all three: The narrative should describe the activity, not just the alert. "Our system flagged this transaction" is not a narrative. "The customer transferred €45,000 to an unrelated third party in a high-risk jurisdiction, inconsistent with their stated business as a domestic retail trader, two days after receiving the funds" — that is a narrative.
Structure: how to organise a SAR narrative
There is no mandatory structure, but this framework works well across jurisdictions and is consistent with FIU analyst expectations:
- Subject summary — who is the customer, what type of entity, when did the relationship start, what is their stated business or profile
- Description of suspicious activity — what happened, in chronological order. Specific dates, amounts, counterparties, transaction types. Not "multiple large transfers" — name the dates, the amounts, the recipients
- Why it is suspicious — the mismatch between the activity and the customer's known profile. This is the most important section. Be specific about what you expected and what you observed
- Aggravating factors — any additional risk indicators: PEP links, adverse media, high-risk jurisdictions, previous suspicious activity, unusual explanation offered by the customer
- Action taken — what your firm has done in response: account review, escalation, exit, restriction. Do not include details that could constitute tipping off
Example: weak vs strong narrative
On 4 April 2026, the account received an inbound transfer of £340,000 from an entity named Talbot Capital SRL, registered in Romania (unknown beneficial owner). No prior transactions with this counterparty. The transfer was not consistent with the customer's stated business activity.
Between 5–7 April 2026, three outbound transfers totalling £335,000 were made to accounts in Lithuania, Cyprus, and UAE respectively. The customer was contacted by telephone on 9 April 2026 and stated the transfers were for "import orders" but could not name the suppliers or provide any supporting documentation.
The pattern — a large inbound transfer from an unfamiliar source, immediately broken into multiple outbound transfers to different high-risk jurisdictions, with no supporting documentation — is consistent with layering activity. The customer's explanation was not credible given their stated business profile.
We have restricted the account pending this filing and do not intend to continue the business relationship.
Common mistakes that weaken a SAR
1. Describing the alert, not the activity
A SAR that says "our system generated an alert on this customer" tells the FIU nothing useful. They cannot act on a software flag. They can act on a description of what actually happened. Always translate the alert into human-readable behaviour.
2. Using internal terminology
References to your internal systems, code names, case numbers, or product codes are meaningless to an FIU analyst. Write as if the reader has no knowledge of your organisation or systems.
3. Hedging excessively
Phrases like "it is possible that", "we cannot rule out", or "this may potentially suggest" weaken the narrative. You are not required to be certain. You are required to explain why you are suspicious. State your suspicion clearly and support it with facts.
4. Omitting amounts, dates and counterparties
Vague narratives — "several large transfers to foreign accounts over a period of weeks" — are consistently flagged as inadequate. If you know the amounts, dates, and counterparty names, include them. If you don't know, say so explicitly.
5. Including tipping-off risk
Do not include information in the narrative that could alert the subject to the filing. Descriptions of investigation activity, account monitoring measures, or planned actions against the customer can constitute tipping off in some jurisdictions.
Timelines: when you must file
Filing deadlines vary by jurisdiction:
- USA (FinCEN) — within 30 calendar days of detecting the suspicious activity; extended to 60 days if no subject is identified. Continuing activity SARs required every 90 days
- UK (NCA) — no fixed statutory deadline, but the FCA expects prompt filing. Firms should file as soon as reasonably practicable after suspicion arises. Delay without reason is a regulatory concern
- EU (AMLD national implementations) — varies by member state; typically promptly after detection. Some jurisdictions specify 24 hours for urgent cases (potential terrorist financing)
- Norway (Finanstilsynet) — immediately or as soon as possible after suspicion arises
On CTRs vs SARs: A Currency Transaction Report (CTR) is a different filing — required for transactions above a threshold (e.g., $10,000 in the US), regardless of whether they are suspicious. CTR filing is largely automatic once the threshold is met. SAR filing is judgment-based and requires a narrative. Do not confuse the two obligations.
SAR filing — without leaving your compliance workflow
HubSecure Sentinel includes a guided SAR workflow with case evidence, narrative drafting, filing deadlines, and a complete audit trail. Your team focuses on the judgement; Sentinel handles the documentation.
Start free trial → See it in action