The Shifting Threshold for Suspicious Activity Reporting

Practical guidance for compliance teams

Financial institutions and other obliged entities face ongoing tension between the need to report suspicious activity promptly and the obligation to ensure reports are complete and useful. Recent practitioner guidance clarifies key concepts that shape how compliance teams should assess, document and transmit suspicious activity reports. This article translates those practical points into everyday compliance actions, focusing on how to balance immediacy and completeness, how internal research should be handled, what to include in reports so analysts can work with them, and how to manage communications with customers and peer institutions without breaching prohibitions on tipping-off.

The nature and role of the central reporting office

The central reporting office that receives suspicious activity reports functions as an administrative hub rather than as a criminal investigative authority. It does not itself conduct criminal prosecutions or routine law enforcement operations; instead, it collects, prioritizes and analyses incoming reports, and where appropriate refers cases to law enforcement. That administrative role matters because it lowers the psychological threshold for filing reports: a report is not a criminal charge but a regulatory reporting obligation triggered by indicators that warrant further review. Compliance teams should therefore treat reporting as part of regulatory duty rather than as an accusation.

Prioritization and initial screening

Incoming reports are triaged. A dedicated screening team examines each submission and decides whether it warrants deeper analysis or referral. Not every report receives an operational deep-dive at first glance, but nothing is simply ignored: screening is intended to filter and route cases so that investigative resources are used efficiently. This filtering process means that a report that does not immediately reach law enforcement can still be incorporated into an information pool and later combined with other reports to form a stronger case. Compliance officers should not assume that lack of immediate onward transmission equals failure of the report; often the value of a report is realized later when other data points are combined with it.

Bastian Schwind-Wagner _Follow

"Timely reporting protects institutions and supports effective investigations by ensuring that potential risks are escalated before evidence dissipates. Compliance teams should prioritise clear, structured submissions so analysts can act on the information provided.

At the same time, internal enquiries must remain proportionate and stop once the reporting threshold is reached to avoid delaying mandatory filing. Documented decision rules and consistent data entry practices make reports more useful and reduce supervisory exposure."

When to prioritise speed over fuller research – the reporting threshold

A central practical clarification is the relationship between the point at which the reporting threshold is met and the duty to submit a report without undue delay. If, at any stage of review or limited internal research, the threshold for suspicion is already met, the report should be filed promptly – on the same day or, at the latest, the next business day. The obligation to be prompt then outweighs the obligation to continue investigative-style information gathering. In short, once the internal standard for suspicion is reached, the compliance team should prepare a report sufficient for an analyst to understand the case and send it without further delay.

Allowed internal enquiries and their limits

Before the reporting threshold is met, compliance teams are expected and encouraged to conduct reasonable internal enquiries to determine whether the indicators amount to suspicion. Such enquiries should focus on plausibilising sources of funds, verifying economic relationships and checking the customer’s known financial profile against the transactions or assets in question. However, these enquiries must be proportionate and must not substitute for law enforcement functions. Once the threshold is met, further investigative behaviour should cease and reporting should be prioritised.

Uncertainty about precise deadlines and the need for internal policies

Guidance remains intentionally flexible on many timing questions, which means obliged entities must design and document their own pragmatic internal timelines. For example, where a customer is asked to provide proof of source of funds, compliance teams should set and publish a clear internal deadline for the response, such as seven to fourteen days for entities able to communicate digitally, or a slightly longer window for more complex cases or smaller firms with limited customer contact options. If the customer does not respond, non-response alone does not automatically create a reporting obligation; the officer must reassess whether the reporting threshold is now met. These internal deadlines and decision rules should be contained in a recorded policy so decisions can be justified during audits or examinations.

Documenting the decision – the three-part narrative

A concise, structured narrative helps both internal reviewers and external analysts. A helpful documentation approach has three elements: trigger, research and conclusion. The trigger explains how the suspicious indicator was first detected. The research section summarises what internal checks or enquiries were undertaken to assess plausibility. The conclusion (votum) states whether the reporting threshold has been met and why. Even when a determination is that no report is necessary, documenting this triad provides an audit trail showing the decision was reasoned and proportionate. If a report is submitted, include the same structure so the receiving analyst quickly grasps the context.

What belongs in the report – make reports machine-useful and analyst-friendly

Reports should be both complete and structured. Completeness means providing the key facts as discrete data as well as in narrative form. All persons, organisations and transactional details related to the case should be entered as structured fields in the reporting system rather than only appearing in attachments. IBANs, account numbers, transaction references, names, dates of birth and corporate identifiers must be populated in the report fields so automated searches and cross-references against databases work effectively. Relying on attached documents alone slows analysis and reduces the chance that the report will generate useful automated hits. Structured, legible, and properly coded inputs materially increase the usefulness of a report.

Quality matters – and affects supervisory feedback

Analysts rate reports for both content and form. Persistent patterns of incomplete or poor-quality reporting can generate supervisory attention. That means compliance teams should prioritise accurate, well-populated reports. Where factual or formal deficiencies recur, reporting institutions may face scrutiny or enforcement consequences. Conversely, good reports improve the likelihood of timely downstream action, and also increase the chance of receiving meaningful aggregate feedback from the central reporting office.

Information exchange with peer obliged parties

Sharing information with counterparts in other obliged entities is both permitted and commonly practised to clarify transactional origins or to verify counterparty circumstances. Many institutions resolve queries via secure hotlines or direct contacts rather than by involving customers, and such exchanges are widely accepted. When exchanging information internally between obliged parties, ensure legal constraints and confidentiality rules are observed; some groups are exempt from certain restrictions, but it is essential to confirm legal permissibility before sharing.

Communicating with the customer without tipping-off

Requests to customers for additional documentation are routine, but teams must craft communications carefully to avoid unintentionally alerting a customer to the existence of a suspicion (tipping-off). Requests should be neutral and framed as normal due diligence or routine verification, omitting language that would reveal that a formal report is being considered or filed. If an enquiry would itself make the customer aware of a suspicion, or otherwise compromise investigation, do not pose it before filing the report. If, after a neutral request, the customer fails to respond, assess whether the non-response changes the suspicion calculus and whether a report is needed.

Feedback expectations – aggregate rather than case-by-case

Individual case feedback will generally not be provided due to the volume of reports. Instead, obliged entities may receive periodic aggregate feedback depending on reporting frequency and the central office’s publication rhythm; large reporting entities are more likely to receive regular summaries. Lack of a direct response does not mean a report was valueless; reports can later be combined with other sources and become part of a successful referral to investigators.

Practical recommendations for compliance teams

Compliance teams should adopt a pragmatic, documented approach that strikes the right balance between speed and substance.

1. Adopt a written internal policy on response deadlines for customer queries tied to suspicious indicators.
2. Ensure every report uses the trigger–research–conclusion format so receiving analysts can quickly understand why the report was filed.
3. Require that all essential identifiers and transaction details be entered as structured data, not only as attachments.
4. Train investigators to stop investigative-style enquiries once the reporting threshold is met and to prioritise filing.
5. Establish secure lines for peer-to-peer information exchange with other obliged entities and document any such queries.
6. Maintain records demonstrating how non-responses or partial responses were treated so decisions are defensible during audits.

Conclusion

Modern reporting practice emphasises both timeliness and usefulness. The core obligation is to report promptly once a reasonable suspicion exists, while ensuring reports are sufficiently complete and structured for analysts to take further action. Compliance functions must therefore build clear internal rules around timing, documentation and data-entry standards, and train staff to differentiate between proportionate pre-report enquiries and investigation-like behaviour that would delay timely reporting. Doing so reduces defensive over-reporting, supports more effective analysis by the central office and lowers regulatory risk for the reporting entity.