A Suspicious Activity Report (SAR) — or Suspicious Transaction Report (STR) in much of the EU — is the single most consequential document a financial crime function produces. Once filed to your financial intelligence unit (FIU), usually through the goAML platform, it becomes a legal record: the thing an FIU analyst reads, the thing an AMLA examiner reconstructs years later, and the thing your firm is accountable for under Regulation (EU) 2024/1624 (the AMLR) from 10 July 2027. This guide gives you a defensible template: the 5W1H narrative structure (who, what, when, where, why, how), a source-evidence checklist so every assertion is traceable, and tables of narrative fields and common filing pitfalls. It also draws the hard line that 2026 makes unavoidable — an AI agent may draft a SAR, but a human must approve before filing, and that approval must stay a two-person maker-checker gate, sealed at the moment of sign-off. You can build a SAR to this exact structure with our SAR/STR maker-checker generator. Govern by execution, not paperwork.
What a SAR/STR actually is — and why the template is a legal artefact, not a form
Strip away the acronyms and a SAR is a structured allegation. You are telling your FIU: we observed activity we cannot explain on a legitimate basis, here is the activity, and here is why we find it suspicious. That report is filed — in most EU jurisdictions through the UNODC's goAML portal — and from that moment it is a legal record. An FIU analyst reads it cold, with none of your context. A prosecutor may rely on it. An AMLA or national-supervisor examiner may pull it years later and ask you to reconstruct exactly what you knew, when you knew it, and who decided to file.
That is why a SAR template is not a convenience form. It is the structure that determines whether the report is defensible. A defensible SAR has two qualities: a narrative a stranger can follow without you in the room, and every factual assertion traceable to a source the firm can produce on demand. The AMLR sharpens the second point. Article 69(1) requires obliged entities to answer an FIU's request for information within five working days, and FIUs can compress that to under 24 hours in urgent cases. A five-day clock that collapses to one day is a test of whether your evidence was captured at the moment of the decision — not a feature you bolt on after the request arrives.
This guide treats the template as what it is: the durable interface between your investigation and the examiner who will read it later. Build it well once and reuse the structure for every filing. You can generate a report to this exact skeleton with the SAR/STR maker-checker generator.
The 5W1H narrative structure: who, what, when, where, why, how
FIU analysts and supervisors are explicit that the narrative is the heart of a SAR. Structured fields (amounts, account numbers, dates) tell the system what happened; the narrative tells a human why it is suspicious. The most reliable way to write a narrative a stranger can follow is the journalist's discipline — 5W1H — answered in plain, chronological language, with no jargon and no internal codes the FIU cannot decode.
Write each element so it stands alone. An analyst should be able to read the narrative top to bottom and never need to ask you a clarifying question — because a clarifying question to you is, in practice, an Article 69 request against a five-day clock.
- Who — every party: the subject (customer), counterparties, beneficial owners, intermediaries, and any third party who appears. Use full legal names, identifiers, and the relationship between them. Resolve aliases; never leave a counterparty as a bare account number.
- What — the activity and the instruments: transaction types, amounts, currencies, the products or accounts used, and any sanctions/PEP/adverse-media context. State the conduct, not a conclusion ("structured into nine deposits below the reporting threshold," not "money laundering").
- When — the timeline. Booking dates, the period of activity, when the alert fired, when the customer was onboarded, when KYC was last refreshed. Dates anchor the whole narrative and let the FIU sequence events against its own data.
- Where — geography and corridors: jurisdictions, branches, payment corridors, and any high-risk or sanctioned nexus. "KY→MC corridor" means nothing without expansion; spell out the jurisdictions.
- Why — the suspicion itself. This is the field analysts say is most often weak. State, specifically, what makes the activity inconsistent with the customer's known profile, expected behaviour, or a legitimate economic rationale. Tie it back to the Who/What/When/Where you have already laid out.
- How — the mechanism and the method of detection. How the funds moved, how the structure was assembled, and how you found it (which monitoring rule or screening hit raised the alert). The "how it was detected" half lets the FIU judge the reliability of the signal.
The narrative fields: good vs. weak examples
The difference between a SAR that an FIU acts on and one it deprioritises is almost always specificity. The table below pairs each narrative field with a weak formulation (vague, conclusory, or untraceable) and a good one (specific, sourced, defensible). The weak column is not invented for effect — these are the patterns that recur in poor filings.
Notice the through-line in the good column: it names parties, dates, amounts, and sources; it describes conduct rather than asserting a legal conclusion; and it never relies on a code or system shorthand an outside reader cannot decode.
| Field (5W1H) | Weak example | Defensible example |
|---|---|---|
| Who | "The customer received funds from a related party." | "The subject, BRIGHTHAVEN HOLDINGS LTD (customer ref CMB-CUST-43117, onboarded 2019), received funds from counterparty MERIDIAN TRADE SA, which shares a registered beneficial owner (J. Okonkwo) per the corporate registry pulled 22 Apr 2026." |
| What | "Several large suspicious transfers were observed." | "Two incoming wire transfers of EUR 920,000 (22 Apr 2026) and EUR 950,000 (23 Apr 2026), both from the same counterparty, in a customer whose declared annual turnover is EUR 400,000." |
| When | "Recently / over the past period." | "Activity occurred 22–23 Apr 2026; the monitoring alert fired 23 Apr 2026; the customer's KYC was last refreshed 15 Sep 2023 and is now stale." |
| Where | "From a high-risk jurisdiction." | "Funds originated from an account in the Cayman Islands (KY) routed to the customer's account in Monaco (MC); the corridor is inconsistent with the customer's stated UK-only trading footprint." |
| Why | "The activity is suspicious and may involve money laundering." | "The transfers are inconsistent with the customer's profile: amounts ~4.7x declared annual turnover, structured just under the EUR 1m internal review threshold on consecutive days, with no commercial documentation provided on request." |
| How | "Detected by our systems." | "Detected by transaction-monitoring rule TM-LARGE-TRANSFER and corroborated by a strong sanctions match (EU consolidated list, effective 30 Apr 2026) on the counterparty; funds moved via two same-counterparty SWIFT wires." |
The source-evidence checklist: every assertion must be traceable
A narrative is only as defensible as the evidence behind it. The discipline is simple to state and easy to skip under deadline pressure: no assertion in the narrative without a source the firm can produce. When an FIU comes back under Article 69, you are not re-investigating — you are retrieving. That only works if you captured the evidence references as you wrote, sealed alongside the report.
Run every draft SAR against this checklist before it goes to the checker. Each item is a class of source you should be able to point to for the claims in your narrative.
- Transaction records — the actual booked transactions (IDs, amounts, currencies, value dates, counterparties), not a summary you cannot trace back.
- KYC / CDD file — the customer profile, risk rating, expected activity, and the date of the last refresh. A stale KYC is itself a fact worth stating.
- Beneficial-ownership / UBO evidence — registry extracts or ownership data that substantiate any related-party or shared-owner claim, with the date pulled.
- Sanctions / PEP / adverse-media screening results — the list, the entity matched, the match strength, and the effective date of the hit.
- Counterparty and network data — links to related parties, shared owners, or known typology patterns you assert in the narrative.
- Detection provenance — which monitoring rule or screening process raised the alert, and when. This lets the FIU weigh the signal.
- Prior SARs / case history — any earlier reporting on the same subject, so the FIU sees the pattern, not a single snapshot.
- Analyst reasoning and uncertainty — what you concluded, what you could not confirm, and any gaps. Honest uncertainty is more defensible than false confidence.
The practical move is to attach evidence references to each narrative claim, not to dump documents. The reference is the contract: it says "this assertion is backed by this record, and we can produce it." Our AML Agent Control & Evidence Map lays out how those references map to the controls an examiner expects.
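A pre-checker pass over a draft, as an added example (not code from the SAR/STR generator this guide mentions): it checks that every 5W1H element is covered and that each assertion carries at least one reference to a checklist source class. The `Claim` type, the short source-class keys, the conclusory-phrase list and all record IDs are assumptions made for this example.

```python
from dataclasses import dataclass, field

ELEMENTS = ("who", "what", "when", "where", "why", "how")
# Short keys for the eight checklist source classes (naming is this example's own).
SOURCE_CLASSES = {"transaction", "kyc", "ubo", "screening", "network",
                  "detection", "prior_sar", "analyst_note"}
# Assumed phrase list for conclusory wording; adapt it to your own style guide.
CONCLUSORY = ("money laundering", "terrorist financing")


@dataclass
class Claim:
    element: str  # one of ELEMENTS
    text: str     # the sentence as it appears in the narrative
    evidence: list = field(default_factory=list)  # [(source_class, record_id)]


def preflight(claims):
    """Return (severity, element, message) findings; [] means ready for the checker."""
    findings = []
    covered = {c.element for c in claims}
    for element in ELEMENTS:
        if element not in covered:
            findings.append(("block", element, "no claim covers this element"))
    for c in claims:
        if c.element not in ELEMENTS:
            findings.append(("block", c.element, "unknown narrative element"))
        if not c.evidence:
            findings.append(("block", c.element, "assertion has no evidence reference"))
        for source_class, record_id in c.evidence:
            if source_class not in SOURCE_CLASSES or not record_id:
                findings.append(("block", c.element,
                                 f"unusable reference {source_class!r}"))
        for phrase in CONCLUSORY:
            if phrase in c.text.lower():
                findings.append(("warn", c.element, f"conclusory wording: {phrase!r}"))
    return findings


# Constructed drafts: wording follows the table above, record IDs are made up.
GOOD = [
    Claim("who", "BRIGHTHAVEN HOLDINGS LTD received funds from MERIDIAN TRADE SA, "
          "which shares a registered beneficial owner.", [("ubo", "REG-EXTRACT-001")]),
    Claim("what", "Two incoming wire transfers of EUR 920,000 and EUR 950,000.",
          [("transaction", "TXN-001"), ("transaction", "TXN-002")]),
    Claim("when", "Activity occurred 22-23 Apr 2026; KYC last refreshed 15 Sep 2023.",
          [("transaction", "TXN-001"), ("kyc", "KYC-FILE-001")]),
    Claim("where", "Funds originated in the Cayman Islands and were routed to Monaco.",
          [("transaction", "TXN-001")]),
    Claim("why", "Amounts are about 4.7x declared annual turnover of EUR 400,000.",
          [("kyc", "KYC-FILE-001"), ("analyst_note", "NOTE-001")]),
    Claim("how", "Detected by transaction-monitoring rule TM-LARGE-TRANSFER.",
          [("detection", "ALERT-001")]),
]
WEAK = [
    Claim("who", "The customer received funds from a related party."),
    Claim("why", "The activity is suspicious and may involve money laundering."),
]

if __name__ == "__main__":
    for finding in preflight(WEAK):
        print(finding)
```

A `block` finding means the draft should not reach the checker yet; a `warn` finding is a wording issue for the maker to rewrite as observable conduct.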
Why filing must stay a maker-checker gate — and why an agent may draft but never file
Here is the line that 2026 makes unavoidable. Agentic AI now drafts SAR narratives at machine speed — assembling evidence, summarising transactions, and producing a first-pass narrative in minutes. That is a genuine productivity gain, and it is fine: drafting is reversible, and a draft is just a proposal. Filing is not reversible, and it is not a proposal. The filed report is a legal record submitted to a state authority. So the act of filing must stay a maker-checker control — two people, or one agent as maker and a named human as checker — with the human approving before anything reaches the FIU.
This is not a stylistic preference; it is what firm accountability requires. The Wolfsberg Group's AI/ML principles (1 December 2022) state plainly that "FIs are responsible for their use of AI/ML, including for decisions that rely on AI/ML analysis, regardless of whether the AI/ML systems are developed in-house or sourced externally." An autonomously-filed SAR is a decision that relies on AI/ML analysis with no human who can be held accountable for it. Where the EU AI Act applies, Article 14 adds meaningful human oversight including the ability to intervene and override — and a human-in-the-loop who cannot actually stop the filing is decoration, not oversight.
The maker-checker gate has to be sealed at approval, not reconstructed afterwards. When the checker signs off, the record that gets sealed is the whole unit: the narrative, the evidence references, the policy that required approval, and the identity of the approving human, captured at that instant and tamper-evident from then on. That is what makes the filing defensible to an FIU analyst or an AMLA examiner who reads it later — they are not asked to trust a dashboard's after-the-fact account; they can verify what was approved, by whom, and on what basis.
Map this onto how a runtime control plane enforces it. A Policy Builder rule treats the file action as `require_approval`, never `allow`. The agent's attempt to file is routed to a Decision Desk two-person approval queue. The human approves, rejects, or sends it back. Only on approval does the report file — and the sealed lineage lands in the Evidence Room. The agent's hard constraint, in plain terms, is the one our own AML triage template encodes: never file a SAR. It drafts and routes; the human decides.
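The gate described above as runnable logic, in an added example that is not the code of any product named in this guide: the file action is `require_approval`, the approval is bound to a digest of the exact draft the checker read, and the sealed record joins a hash chain before anything is submitted. The rule table, function names, identities and `submit` callback are assumptions; the chain is tamper-evident only if its latest digest is also kept somewhere the writer cannot change.

```python
import hashlib
import json

# Hypothetical rule table: filing is require_approval, never allow.
POLICY = {"draft_sar": "allow", "file_sar": "require_approval"}
GENESIS = "0" * 64

class GateError(Exception):
    """Raised when a filing attempt does not satisfy the maker-checker gate."""

def digest(obj):
    # Canonical JSON so the same content always yields the same SHA-256.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def approve(draft, checker, approved_at):
    # The approval is bound to the exact draft the checker read.
    return {"decision": "approve", "checker": checker,
            "approved_at": approved_at, "draft_digest": digest(draft)}

class SealedLog:
    """Append-only hash chain; each record commits to the one before it."""

    def __init__(self):
        self.records = []

    def seal(self, draft, approval):
        body = {"narrative": draft["narrative"],
                "evidence_refs": draft["evidence_refs"],
                "policy": {"action": "file_sar", "decision": POLICY["file_sar"]},
                "maker": draft["maker"], "checker": approval["checker"],
                "approved_at": approval["approved_at"],
                "prev": self.records[-1]["digest"] if self.records else GENESIS}
        record = dict(body, digest=digest(body))
        self.records.append(record)
        return record

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["prev"] != prev or digest(body) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

def file_sar(draft, approval, log, submit):
    """The only path to the FIU. `submit` stands in for the real upload."""
    if POLICY["file_sar"] != "require_approval":
        raise GateError("filing must be require_approval, never allow")
    if approval is None or approval["decision"] != "approve":
        raise GateError("no approval: draft stays in the queue")
    checker = approval["checker"]
    if checker["kind"] != "human":
        raise GateError("checker must be a named human")
    if checker["id"] == draft["maker"]["id"]:
        raise GateError("maker and checker must be different identities")
    if approval["draft_digest"] != digest(draft):
        raise GateError("draft changed after the checker approved it")
    record = log.seal(draft, approval)  # seal first, then file
    submit(draft)
    return record

# Constructed sample draft; identifiers are made up for this example.
DRAFT = {"maker": {"id": "agent-triage-01", "kind": "agent"},
         "narrative": "Two incoming wire transfers of EUR 920,000 (22 Apr 2026) "
                      "and EUR 950,000 (23 Apr 2026) from the same counterparty.",
         "evidence_refs": ["txn:constructed-001", "txn:constructed-002"]}
```

Sealing before `submit` means a report can never reach the FIU without its approval record already existing; `SealedLog.verify()` is what a later reviewer would run over the stored chain.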
Common filing pitfalls — and how to avoid them
Most SAR weaknesses are not exotic. They are a small set of recurring failures that an FIU analyst or examiner spots immediately. The table below names the pitfall, the consequence, and the fix. Read it as a pre-flight check before any SAR goes to the checker.
Several of these are amplified, not reduced, by agentic drafting: an agent that drafts fast can file fast and wrong if filing is not gated, and can produce a fluent narrative with assertions it cannot source if evidence references are not captured. The maker-checker gate is the structural answer to both.
| Pitfall | Consequence | Fix |
|---|---|---|
| Conclusory narrative ("this is money laundering") | FIU cannot assess the underlying facts; the report is deprioritised | Describe observable conduct and the specific inconsistency; let the FIU draw the legal conclusion |
| Assertions with no traceable source | Article 69 request becomes a re-investigation against a 5-day clock | Attach an evidence reference to every claim; seal references with the report at approval |
| Jargon, internal codes, unexplained corridors | Analyst must come back to you to decode the narrative | Write in plain language; expand every code, alias, and corridor |
| Filed by an agent with no human sign-off | No accountable human; fails Wolfsberg firm-accountability and AI Act Art. 14 oversight | Make filing a maker-checker gate: agent drafts, named human approves before filing |
| No sealed record of who approved and why | Cannot reconstruct the decision for an AMLA examiner | Seal the narrative, evidence, policy, and approver identity at the moment of approval, tamper-evident |
| Tipping-off / confidentiality breach | Legal exposure; SAR confidentiality is a statutory duty | Restrict SAR access; never disclose the report or its existence to the subject; mind GDPR lawful-basis and confidentiality |
| Missing timeline / dates | FIU cannot sequence events against its own intelligence | State booking dates, alert date, onboarding and last-KYC-refresh dates explicitly |
| Late or untimely filing | Breach of the reporting obligation | Gate for speed and sign-off — a fast draft plus a same-day checker, not an autonomous file |
Tie to the AMLR (10 July 2027), AMLA, and goAML practice
The template above is not a generic best practice; it is shaped by what the incoming European regime will expect. The AMLR (Regulation (EU) 2024/1624) applies from 10 July 2027 as a directly-applicable single rulebook, and AMLD6 (Directive (EU) 2024/1640) carries the same general transposition deadline. The new EU Anti-Money Laundering Authority, AMLA, is seated in Frankfurt, has operated since 1 July 2025, and will begin direct supervision of a first wave of high-risk cross-border firms from 2028 after a 2027 selection. The supervisory bar is rising, and it is harmonising across the Union.
Two operational facts should anchor how you build SARs today. First, goAML — the UNODC's reporting platform used by most EU FIUs — is where your report lands, in structured XML plus narrative. That means your template should map cleanly onto goAML's structured fields and carry a narrative that stands alone; do not let the structured data and the narrative tell different stories. Second, AMLR Article 69(1)'s five-working-day FIU response window, compressible to under 24 hours, is the reconstruction test. If your SAR's evidence references were sealed at approval, the request is a retrieval. If they were not, it is a fire drill.
This is also why operational-resilience law is part of the SAR story even though it is not AML law. Under DORA (Regulation (EU) 2022/2554, applicable since 17 January 2025), the systems supporting AML reporting can qualify as critical or important ICT functions — and DORA presumes you can reconstruct precisely what those systems did and why. A SAR pipeline whose evidence is sealed at the moment of approval satisfies the AMLR's reconstruction clock and DORA's resilience expectation with the same control. For the wider control map across DORA, the AMLR, and the AI Act, see Governing AML & payments agents.
Build your SAR/STR to this structure
You do not have to assemble the 5W1H narrative, the evidence checklist, and the maker-checker sign-off from scratch each time. The SAR/STR maker-checker generator takes the structure in this guide and turns it into a working report: it prompts each 5W1H field, holds you to a source for every assertion, and — the part that matters most — keeps filing behind a two-person approval so the draft and the sign-off are never the same act. An agent (or an analyst) drafts as the maker; a named human approves as the checker; the approved report and its sealed evidence become the record an FIU or AMLA examiner reads later.
The principle underneath the tool is the one this whole guide argues for: the control and the evidence belong in the execution path, at the moment of filing, not in a policy PDF or a dashboard reviewed the next morning. A SAR you can defend is a SAR whose narrative a stranger can follow, whose every claim is sourced, and whose filing was approved by an accountable human and sealed as it happened. Build the next one that way.
Frequently Asked Questions
What is the difference between a SAR and an STR?
They name the same instrument in different jurisdictions. A Suspicious Activity Report (SAR) is the common term in the US and UK; a Suspicious Transaction Report (STR) is more common across the EU and in FATF terminology. Both are the structured report an obliged entity files to its financial intelligence unit (FIU) when it identifies activity it suspects may relate to money laundering or terrorist financing. The 5W1H narrative structure and the maker-checker filing discipline in this guide apply to both.
What should a SAR narrative include?
A defensible SAR narrative answers 5W1H in plain, chronological language: Who (all parties, beneficial owners, relationships), What (the activity, amounts, instruments, sanctions/PEP context), When (the timeline of activity, alert, onboarding, last KYC refresh), Where (jurisdictions and payment corridors), Why (the specific reason the activity is suspicious, tied to the customer's profile), and How (the mechanism of the activity and how it was detected). State observable conduct rather than legal conclusions, and make every assertion traceable to a source the firm can produce.
Can an AI agent file a SAR automatically?
An agent can draft a SAR narrative autonomously, but it should never file one without human approval. Filing is irreversible and produces a legal record submitted to a state authority, so it must stay a maker-checker (two-person) gate: the agent drafts as the maker, a named human approves as the checker before anything reaches the FIU. Under the Wolfsberg Principles, firms are accountable for decisions that rely on AI/ML analysis regardless of whether systems are built or bought, and where the EU AI Act applies, Article 14 requires meaningful human oversight including the ability to intervene before the action executes.
Why does SAR filing have to be a maker-checker gate?
Because the filed report is a legal record and the act of filing cannot be undone. A maker-checker (two-person) gate puts a named, accountable human between the draft and the filing, which is what firm accountability under the Wolfsberg Principles and human oversight under EU AI Act Article 14 require. Practically, the approval should be sealed at the moment of sign-off — the narrative, evidence references, the policy that required approval, and the approver's identity captured together and tamper-evident — so an FIU analyst or AMLA examiner can later verify exactly what was approved, by whom, and on what basis.
How does the AMLR affect SAR filing and recordkeeping?
The AMLR (Regulation (EU) 2024/1624) applies from 10 July 2027 as a directly-applicable single rulebook, with AMLA in Frankfurt operating since 1 July 2025 and direct supervision of a first wave of firms from 2028. The sharpest operational provision for SARs is Article 69(1): obliged entities must answer an FIU's request for information within five working days, compressible to under 24 hours in urgent cases. That clock is a reconstruction test — if your SAR's source evidence was sealed at the moment of approval, the request is a retrieval; if not, it is a re-investigation against a deadline.
What is goAML and how does it relate to my SAR template?
goAML is the reporting platform developed by the UNODC and used by most EU financial intelligence units to receive suspicious activity/transaction reports. Reports are submitted as structured data plus a narrative. Your SAR template should map cleanly onto goAML's structured fields while carrying a 5W1H narrative that stands alone — and the structured data and the narrative must tell the same story. Because the goAML submission becomes the FIU's and the examiner's primary record, the discipline of sourcing every assertion and gating the filing behind a human approval is what keeps the report defensible.
How do I avoid a tipping-off breach when filing a SAR?
SAR confidentiality is a statutory duty: you must not disclose the report, or the fact that one was made or is being considered, to the subject of the report. Restrict access to the SAR to the people who need it, keep the report out of customer-facing systems and communications, and handle any personal data in line with GDPR's lawful-basis and confidentiality requirements. Building the SAR in a controlled, access-restricted workflow — rather than in shared documents or email — reduces both tipping-off and data-protection exposure.
Key Takeaways
A Suspicious Activity Report is the most consequential document a financial crime function files, because the moment it reaches your FIU through goAML it stops being a draft and becomes a legal record an examiner can pull years later. Defensibility comes from three things this guide has set out: a 5W1H narrative a stranger can follow without you in the room, a source for every assertion so an Article 69 request is a retrieval and not a fire drill, and a filing decision that stays a maker-checker gate sealed at approval. Agentic AI changes the speed of the first two and makes the third non-negotiable — an agent may draft, but a named, accountable human must approve before anything is filed, and that approval must be sealed as it happens for the FIU and the AMLA examiner who will read it under the AMLR from 10 July 2027. Put the control and the evidence in the execution path, not in a binder. Build your next SAR to this structure with the SAR/STR maker-checker generator, and govern by execution, not paperwork.
