How to Write a SAR Narrative That Holds Up

Q: What should a SAR narrative include?

A complete SAR narrative identifies the five essential elements (who is conducting the activity, what instruments or mechanisms are used, when and where it occurred, and why the activity is suspicious) plus how it was carried out. It should be chronological, specific (real dates, amounts, account numbers), self-contained, and free of unexplained jargon or conclusory statements.

Q: What are the most common SAR narrative mistakes?

The most common failures are conclusory statements without support ('the activity appeared suspicious'), missing or vague specifics (no dates, amounts, or account identifiers), unexplained internal jargon and alert codes, no clear statement of why the activity is suspicious, and copy-paste boilerplate that does not match the actual facts. Each invites follow-up or a finding.

The short version

A SAR is only as good as its narrative. The structured fields capture the data. The narrative tells the story, and it's the part law enforcement reads first. A strong one answers five questions plainly (who, what, when, where, why) plus how, leads with a one-sentence summary of what you filed and why, and backs every claim with specific, chronological facts. The fastest way to draw a finding is a conclusory narrative: "the activity appeared suspicious," with nothing behind it.

Every BSA officer has felt it. The alert is decided, the filing decision is made, and now there's a blank narrative box and the quiet knowledge that an investigator or an examiner could be reading this paragraph two years from now. The narrative is the one part of a Suspicious Activity Report that can't be reduced to a checkbox. It's where judgment shows.

This guide is a practitioner's walk through writing a narrative that holds up: the standard elements regulators expect, the anatomy of a strong one, a before/after example, the mistakes that draw scrutiny, and a checklist you can run before you file.

What a SAR narrative is, and why it carries the filing

A Suspicious Activity Report has two halves. The structured fields record the facts a system can categorize: subjects, accounts, dates, dollar amounts, instrument types. The narrative is the free-text section that explains what those facts mean and why they're suspicious. FinCEN has been explicit for years that the narrative is the heart of the report. A thorough, accurate narrative is what makes a SAR useful to law enforcement, and a thin one can render an otherwise-complete filing useless.

The data says what happened. The narrative says why it matters. Examiners read narratives to judge whether your program actually reasons about risk or just files paper.

The five W's and how

The durable standard, drawn from FinCEN's guidance on preparing complete and sufficient narratives, makes sure the reader can answer six questions without leaving the page:

Element	What it answers
Who	Who is conducting the activity? Subjects, their roles, account relationships, and any connected parties.
What	What instruments or mechanisms were used? Wires, ACH, cash, cards, crypto, and the dollar amounts.
When	When did the activity occur? The date range, and the sequence of events in order.
Where	Where did it happen? Branches, channels, counterparties, jurisdictions, and beneficiary locations.
Why	Why is it suspicious? The specific deviation from expected behavior or known typology. This is the crux of the filing.
How	How was the activity carried out? The method: structuring, rapid movement, pass-through, layering.

The "why" is where most narratives are weakest. It is not enough to describe activity. You must connect it to what made it suspicious: the KYC profile it contradicts, the typology it matches, or the pattern that has no business explanation.

Anatomy of a strong narrative

A narrative that reads well has a shape: a summary up top, the facts in the middle, and a clear close. Lead with the conclusion. Investigators triage hundreds of filings and decide in the first two sentences whether to keep reading.

Part	Job
Introduction	One or two sentences: who the institution is, what type of activity is being reported, the total amount, and the period. State plainly that the institution is filing because the activity is suspicious.
Body	The chronological account. Specific dates, amounts, account numbers, counterparties, and, alongside the facts, the explanation of why each element is suspicious against the customer's known profile.
Conclusion	What the institution did (account actions, prior filings on the same subject), whether activity is continuing, and any information available on request. Note law-enforcement contact only if applicable.

A before / after

Specificity and a stated reason for suspicion are what separate the two.

✗ Weak

"The customer conducted several large transactions that appeared suspicious. The activity was inconsistent with normal account behavior. A SAR is being filed."

✓ Strong

"Between March 3 and March 19, 2026, the customer received nine incoming wires totaling $487,000 from three unrelated entities in two jurisdictions, then moved 96% of the funds out via same-day outgoing wires to a single beneficiary. The account, opened as a sole-proprietor consulting business with stated monthly revenue under $20,000, shows no prior activity at this scale and no apparent business rationale for the pass-through pattern."

The strong version names dates, amounts, counterparties, the pattern of rapid pass-through, and the specific reason it's suspicious: it contradicts the stated KYC profile. An investigator can act on it. The weak version forces them to come back and ask.

The mistakes that draw scrutiny

Conclusory statements. "The activity was suspicious" asserts the conclusion without the facts that support it. State the facts; let them carry the conclusion.
Missing specifics. No dates, no amounts, no account identifiers. A vague narrative can't be investigated, and it reads as a program that didn't look closely.
Unexplained jargon and internal codes. Alert IDs, model scores, and internal shorthand mean nothing to an outside reader. Translate them.
No stated reason for suspicion. The activity is described but never tied to the profile, typology, or pattern that triggered the filing.
Boilerplate that doesn't match the facts. Copy-pasted templates that carry language from a different case are worse than no template. They signal the narrative wasn't written for this filing.
Burying the lede. The reason for the filing shows up in the last paragraph instead of the first sentence.

A pre-filing checklist

Run this before any SAR leaves the queue:

The first sentence states what is being filed and why.
All five W's and the "how" are answered without the reader leaving the page.
Every claim is backed by a specific date, amount, account, or counterparty.
The narrative explains why the activity is suspicious, tied to the KYC profile or a known typology.
It reads chronologically and a stranger could follow it cold.
Internal jargon, alert codes, and model scores are translated into plain language.
Dollar amounts in the narrative reconcile with the structured fields.
It states what the institution did and whether activity is continuing.
No boilerplate from a different matter survived the draft.
A qualified human has reviewed and owns the final narrative.

Writing flair has nothing to do with it. The goal is a record that a busy investigator can act on and a future examiner can read as evidence that your program reasons: that someone looked closely and explained what they found. That's what holds up.

Common questions

What is a SAR narrative?

A SAR narrative is the written portion of a Suspicious Activity Report that explains, in plain language, the who, what, when, where, why, and how of the suspicious activity. The structured fields capture the data; the narrative tells the story and is the part law enforcement reads first. A SAR is only as useful as its narrative.

What should a SAR narrative include?

A complete narrative identifies the five essential elements (who is conducting the activity, what instruments or mechanisms are used, when and where it occurred, and why the activity is suspicious) plus how it was carried out. It should be chronological, specific (real dates, amounts, account numbers), self-contained, and free of unexplained jargon or conclusory statements.

How long should a SAR narrative be?

As long as it needs to be to tell the story completely, and no longer. Completeness and clarity are the measure, not length. Lead with a one- or two-sentence summary of what was filed and why, then support it with specific, chronological detail. Padding with boilerplate weakens it.

What are the most common SAR narrative mistakes?

Conclusory statements without support, missing or vague specifics, unexplained internal jargon and alert codes, no clear statement of why the activity is suspicious, and copy-paste boilerplate that doesn't match the actual facts. Each invites follow-up or a finding.

Can AI write SAR narratives?

AI can draft a SAR narrative from the underlying transaction and KYC data, but a qualified human must review and own the final filing. The defensible model is AI-drafts, human-decides: the machine produces a complete, specific first draft grounded in the actual data, and a compliance professional verifies, edits, and attests to it before filing.