Welcome to the Compliance Cohort’s resource page for FinCEN SAR Guidance. If you are new to the Compliance Cohort, we are glad you are here and invite you to take a look at our free membership where members have access to free BSA training videos, articles, and other resources that are beneficial for BSA officers and other BSA professionals. You can learn more about our free membership here.
As a BSA professional responsible for completing and filing Suspicious Activity Reports, it is important to understand the rules and regulations that dictate how to do so correctly. To accomplish this, it is important to have all of the FinCEN SAR guidance issued over the years to ensure that nothing is missed when completing a Suspicious Activity Report.
FinCEN SAR Guidance Links and Other Resources
The following FinCEN SAR guidance links can be used by any BSA professional when completing Suspicious Activity Reports:
FinCEN SAR Advisories
When looking at FinCEN SAR Guidance, the first place one should look is to applicable SAR advisories released by FinCEN. To simplify this process for BSA professionals, we have compiled a list of the most relevant SAR advisories released by FinCEN. Each of these advisories from FinCEN provides guidance relating to a different applicable SAR topic and provides specific instructions for completing Suspicious Activity Reports for each topic.
Here is a listing of the most recent SAR advisories released from FinCEN and how they apply to completing Suspicious Activity Reports:
Topic: Timeshare Fraud Associated with Mexico-Based Transnational Criminal Organizations
Notice Name: FinCEN, OFAC, and FBI Joint Notice on Timeshare Fraud Associated with Mexico-Based Transnational Criminal Organizations
Notice Date: 7/16/2024
Notice Number: FIN-2024-NTC2
Notice Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this joint Notice by including the key term “FIN-2024-NTC2” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Financial institutions may highlight additional advisory, alert, or notice keywords in the narrative, if applicable.
Financial institutions should select SAR field 34(z) (Fraud – Other) as the associated suspicious activity type and include the term “TimeshareMX” in the text box. Financial institutions also should select all other relevant suspicious activity fields, such as those in SAR fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.
Financial institutions should include all available information relating to the account(s) and location(s) involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity. Financial institutions also should provide all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
FinCEN notes that the tips below are best practices regarding filing a SAR for suspected timeshare fraud in Mexico and do not represent supervisory expectations or regulatory obligations:
Provide a justification for why the financial institution is filing the SAR (e.g., the financial institution suspects the customer is a victim of timeshare fraud in Mexico).
Do not include a victim’s information as the subject of the SAR.
Include a victim’s information (including contact information) in the SAR narrative.
Provide a statement in the SAR narrative documenting the age and location (county/city) of the target or victim. Provide details about the reporting entity’s response, e.g., whether accounts were closed, whether the person was warned that transactions appear to involve fraud, if the person was not permitted to conduct new transactions, etc.
Provide details about the amounts involved and whether any amounts were refunded to the customer (as of the submission date of the SAR).
Expedite responses to law enforcement requests for SAR supporting documents.
Clearly lay out all accounts and beneficiaries the funds were wired to in the SAR narrative.
Take advantage of the law enforcement contact field to indicate if the suspicious activity was also reported to law enforcement or Adult Protective Services, as well as the name and phone number of the contact person.
Provide direct liaisons or points of contact at the reporting entity related to the SAR so investigators can ask questions and request additional documentation in a timely manner.
Topic: Financing of Israeli Extremist Settler Violence Against Palestinians in the West Bank
Alert Name: Supplemental Alert: FinCEN Highlights Additional Red Flags Regarding Financing of Israeli Extremist Settler Violence Against Palestinians in the West Bank
Alert Date: 7/11/2024
Alert Number: FIN-2024-Alert002
Alert Link:
Applicable SAR Instructions:
Topic: Procurement of Precursor Chemicals and Manufacturing Equipment Used for the Synthesis of Illicit Drugs
Advisory Name: Supplemental Advisory on the Procurement of Precursor Chemicals and Manufacturing Equipment Used for the Synthesis of Illicit Fentanyl and Other Synthetic Opioids
Advisory Date: 6/20/2024
Advisory Number: FIN-2024-A002
Advisory Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate any connection between the suspicious activity being reported and the activities highlighted in this advisory by including the key term “FENTANYL FIN-2024-A002” in SAR field 2 (“Filing Institution Note to FinCEN”), as well as in the narrative.
Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should include all available information relating to the account(s) and location(s) involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Financing of Iran-Backed Terrorist Organizations
Advisory Name: FinCEN Advisory to Financial Institutions to Counter the Financing of Iran-Backed Terrorist Organizations
Advisory Date: 5/8/2024
Advisory Number: FIN-2024-A001
Advisory Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate any connection between the suspicious activity being reported and the activities highlighted in this advisory by including the key term “IRANTF2024-A001” in SAR field 2 (“Filing Institution Note to FinCEN”), as well as in the narrative. Financial institutions should select SAR Field 33(a) (Terrorist Financing-Known or suspected terrorist/terrorist organization) as the associated suspicious activity type.
Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should include all available information relating to the account(s) and location(s) involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity..
Financial institutions also should provide all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Use of Counterfeit U.S. Passport Cards to Perpetrate Identity Theft and Fraud Schemes
Notice Name: FinCEN Notice on the Use of Counterfeit U.S. Passport Cards to Perpetrate Identity Theft and Fraud Schemes at Financial Institutions
Notice Date: 4/15/2024
Notice Number: FIN-2024-NTC1
Notice Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this notice by including the key term “FIN-2024-NTC1”in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Financial institutions may highlight additional advisory or notice keywords in the narrative, if applicable.
Financial institutions should select SAR Field 34(z) (FRAUD-Other) as the associated suspicious activity type and include the term “Passport Card” in the text box. Financial institutions also should select all other relevant suspicious activity fields, such as those in SAR Fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.
Financial institutions should include all available information relating to the account and locations involved in the reported activity, identifying information related to other entities and persons involved in the depositing or cashing of suspicious checks and the status of their accounts with the institution. Financial institutions also should provide all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Israeli Extremist Settler Violence Against Palestinians
Alert Name: FinCEN Alert on Israeli Extremist Settler Violence Against Palestinians in the West Bank
Alert Date: 2/1/2024
Alert Number: FIN-2024-Alert001
Alert Link:
Applicable SAR Instructions:
Topic: COVID-19 Employee Retention Credit Fraud
Alert Name: FinCEN Alert on COVID-19 Employee Retention Credit Fraud
Alert Date: 11/22/2023
Alert Number: FIN-2023-Alert007
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this Alert by including the key term “FIN-2023-ERC” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should select SAR Field 34(z) (FRAUD-Other) as the associated suspicious activity type and include the term “Employee Retention Credit” in the text box.
Financial institutions also should select all other relevant suspicious activity fields, such as those in SAR Fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.
Financial institutions should include all available information relating to the account and locations involved in the reported activity, identifying information related to other entities and persons involved in the depositing or cashing of suspicious checks and the status of their accounts with the institution. Financial institutions also should provide all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: New Reporting Key Term Relating to Global Evasion of U.S. Export Controls
Notice Name: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Announce New Reporting Key Term and Highlight Red Flags Relating to Global Evasion of U.S. Export Controls
Notice Date: 11/6/2023
Notice Number: FIN-2023-NTC2
Notice Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this alert by including the key term “FIN2023-GLOBALEXPORT” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert.
Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable. For example, financial institutions should continue to use the key term “FIN-2022-RUSSIABIS” when filing SARs related to potential Russian export control evasion, and should consider using both codes if they believe, but are unsure, of whether certain export control evasion activity is related to Russia.
FinCEN also requests that financial institutions check box 38(z) (Other Suspicious Activity) and note “Export Evasion.”
If known, please also indicate in field 45(z) (Other Product Types) the appropriate North American Industry Code(s) (NAICs) for the involved product, and/or the appropriate financial instrument or payment mechanism in field 46.
Financial institutions should include any and all available information relating to the products or services involved in the suspicious activity, including all available transportation and trade financing documentation, accounts and locations involved, identifying information and descriptions of any legal entities or arrangements involved or associated with beneficial owners, and any information about related persons or entities (including transportation companies or services) involved in the activity. Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions and businesses or persons involved in the activity. Where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Hamas and its Terrorist Activities
Alert Name: FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities
Alert Date: 10/20/2023
Alert Number: FIN-2023-Alert006
Alert Link:
Applicable SAR Instructions:
Topic: Virtual Currency Investment Scam: “Pig Butchering”
Alert Name: FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering”
Alert Date: 9/8/2023
Alert Number: FIN-2023-Alert005
Alert Link:
Applicable SAR Instructions:
When filing a SAR in connection with this alert, FinCEN requests that financial institutions include the key term “FIN-2023-PIGBUTCHERING” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert
Financial Institutions should also select “Fraud-Other” under SAR field 34(z) with the description “Pig Butchering.”
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Inclusion of Technical Cyber Indicators: When submitting a report pursuant to this alert, financial institutions should include any relevant technical cyber indicators related to cyber events and associated transactions within the available structured cyber event indicator fields on the SAR form or as part of the attachment field. Any data or information that helps identify the activity as suspicious can be included as an indicator. Examples include chat logs, phone numbers, and social media usernames used by the scammer; suspicious email addresses; type of virtual currency and digital assets involved; virtual currency and / or digital asset addresses and transaction hashes native to the blockchain(s) involved; apps used; and the URL, domain, and IP address of the service the victim was instructed to deposit into.
Topic: Payroll Tax Evasion and Workers’ Compensation Fraud
Notice Name: FinCEN Calls Attention to Payroll Tax Evasion and Workers’ Compensation Fraud in the Construction Sector
Notice Date: 8/15/2023
Notice Number: FIN-2023-NTC1
Notice Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this Notice by including the key term “FIN-2023-NTC1” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should select SAR Field 34(z) (FRAUD-Other) as the associated suspicious activity type and include the term “Payroll tax evasion” and/or “workers compensation” in the text box. Financial institutions also should select all other relevant suspicious activity fields, such as those in SAR Fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information related to other entities and persons involved in the depositing or cashing of suspicious checks and the status of their accounts with the institution. Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Law enforcement has found the following types of information, when included as a part of the SAR or when kept as supporting documentation that law enforcement can request, valuable to their investigations:
Customer profile information for the shell company and owner.
Spreadsheet of transactional details associated with the suspicious activity.
Examples of deposited or cashed items described in the SAR, including copies of the fronts and backs of checks.
Examples of checks paid or cashed that were described in the SAR, including copies of the fronts and backs of checks.
Bank or MSB surveillance footage of the subject(s) of the SAR withdrawing cash or negotiating checks that has been taken inside the branch or agent location (particularly if the customer does not have a driver’s license as law enforcement may not have a picture of the person otherwise available), as well as outside before and after the transaction; this may capture footage of the meetings that frequently occur just outside the bank or MSB branch or agent location to disperse the cash to the contractor or crew bosses.
Any statements made by the subject(s) regarding the basis for the transaction(s).
IP address information associated with the subject’s online banking sessions.
Topic: Potential Russian Export Control Evasion Attempts
Alert Name: Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts
Alert Date: 5/19/2023
Alert Number: FIN-2023-Alert004
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this alert by including the key term “FIN 2022-RUSSIABIS” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable. FinCEN also requests that financial institutions check box 38(z) (Other Suspicious Activity) and note “Russia Export Restrictions Evasion”.
If known, please also indicate in field 45(z) (Other Product Types) the appropriate North American Industry Code(s) (NAICs) for the involved product, or the appropriate financial instrument or payment mechanism in field 46.
Financial institutions should include any and all available information relating to the products or services involved in the suspicious activity, including all available transportation and trade financing documentation, accounts and locations involved, identifying information and descriptions of any legal entities or arrangements involved or associated with beneficial owners, and any information about related persons or entities (including transportation companies or services) involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions and businesses or persons involved in the activity.
Where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity
Topic: Nationwide Surge in Mail Theft-Related Check Fraud Schemes
Alert Name: FinCEN Alert on Nationwide Surge in Mail Theft-Related Check Fraud Schemes Targeting the U.S. Mail
Alert Date: 2/27/2023
Alert Number: FIN-2023-Alert003
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this alert by including the key term “FIN-2023- MAILTHEFT” in SAR field 2 (“Filing Institution Note to FinCEN”), as well as in the narrative, and by selecting SAR Field 34(d) (check fraud). Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Potential U.S. Commercial Real Estate Investments by Sanctioned Russian Elites
Alert Name: FinCEN Alert on Potential U.S. Commercial Real Estate Investments by Sanctioned Russian Elites, Oligarchs, and Their Proxies
Alert Date: 1/25/2023
Alert Number: FIN-2023-Alert002
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this alert by including the key term “FIN-2023-RUSSIACRE” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Human Smuggling on the U.S. Southwest Border
Alert Name: FinCEN Alert on Human Smuggling along the Southwest Border of the United States
Alert Date: 1/13/2023
Alert Number: FIN-2023-Alert001
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this alert by including the key term “FIN-2023-HUMANSMUGGLING” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative, and by selecting SAR field 38(g) (human smuggling)
Financial institutions that suspect human trafficking activity should also select SAR field 38(h) (human trafficking) and highlight other advisory or alert keywords in the narrative, if applicable
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Potential Russian and Belarusian Export Control Evasion Attempts
Alert Name: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Increased Vigilance for Potential Russian and Belarusian Export Control Evasion Attempts
Alert Date: 6/28/2022
Alert Number: FIN-2022-Alert003
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this alert by including the key term “FIN2022-RUSSIABIS” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
FinCEN also requests that financial institutions check box 38(z) (Other Suspicious Activity) and note “Russia Export Restrictions Evasion”.
If known, please also indicate in field 45(z) (Other Product Types) the appropriate North American Industry Code(s) (NAICs) for the involved product, and/or the appropriate financial instrument or payment mechanism in field 46.
Financial institutions should include any and all available information relating to the products or services involved in the suspicious activity, including all available transportation and trade financing documentation, accounts and locations involved, identifying information and descriptions of any legal entities or arrangements involved or associated with beneficial owners, and any information about related persons or entities (including transportation companies or services) involved in the activity.
Topic: Elder Financial Exploitation
Advisory Name: Advisory on Elder Financial Exploitation
Advisory Date: 6/15/2022
Advisory Number: FIN-2022-A002
Advisory Link:
Applicable SAR Instructions:
When filing a SAR, financial institutions should provide all pertinent available information about the activity in the SAR form and narrative. Reporting on how perpetrators of EFE communicate with and target older adults is also useful to law enforcement investigations.
FinCEN requests that financial institutions reference this advisory by including the key term “EFE FIN-2022-A002” in SAR field 2 (“Filing Institution Note to FinCEN”) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions that suspect EFE activity should also mark the check box for Elder Financial Exploitation (SAR Field 38(d)).
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity.
Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Real Estate, Luxury Goods, and Other High-Value Assets Involving Russian Elites, Oligarchs, and their Family Members
Alert Name: FinCEN Alert on Real Estate, Luxury Goods, and Other HighValue Assets Involving Russian Elites, Oligarchs, and their Family Members
Alert Date: 3/16/2022
Alert Number: FIN-2022-Alert002
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this alert by including the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert. Financial institutions may highlight additional advisory or alert keywords in the narrative, if applicable.
Financial institutions wanting to expedite their report of suspicious transactions that may relate to the activity noted in this alert should call the FinCEN Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day).
Financial institutions should include any and all available information relating to the account and locations involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity. Financial institutions also should provide any and all available information regarding other domestic and foreign financial institutions involved in the activity; where appropriate, financial institutions should consider filing a SAR jointly on shared suspicious activity.
Topic: Potential Russian Sanctions Evasion Attempts
Alert Name: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts
Alert Date: 3/7/2022
Alert Number: FIN-2022-Alert001
Alert Link:
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this alert by including the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this alert.
Financial institutions wanting to expedite their report of suspicious transactions that may relate to the activity noted in this alert should call the FinCEN Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day).
It is critical that financial institutions (including CVC exchanges) identify and immediately report any suspicious transactions associated with ransomware attacks. For purposes of meeting a financial institution’s SAR obligations, FinCEN and law enforcement consider suspicious transactions involving ransomware attacks to constitute “situations involving violations that require immediate attention.”
Financial institutions must subsequently file a SAR using FinCEN’s BSA E-filing System, providing as much of the relevant details around the activity as available at that time. Amended SARs should be filed to include additional information related to the same activity that is learned later; completely new activity should be filed in a new “initial” SAR filing.
Financial institutions also should include any relevant technical cyber indicators related to cyber events and associated transactions within the available structured cyber event indicator fields (42-44) on the SAR. Any data or information that helps identify the activity as suspicious can be included as an indicator. Examples include chat logs, suspicious IP addresses, suspicious email addresses, suspicious filenames, malware hashes, CVC addresses, command and control (C2) IP addresses, C2 domains, targeted systems, MAC address or port numbers.
Topic: Environmental Crimes and Related Financial Activity
Notice Name: FinCEN Calls Attention to Environmental Crimes and Related Financial Activity
Notice Date: 11/18/2021
Notice Number: FIN-2021-NTC4
Notice Link: https://www.fincen.gov/sites/default/files/2021-11/FinCEN%20Environmental%20Crimes%20Notice%20508%20FINAL.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference only this notice in SAR field 2 (Filing Institution Note to FinCEN) using keyword “FIN-2021-NTC4;” this keyword should also be referenced in the narrative portion of the SAR to indicate a connection between the suspicious activity being reported and the activities highlighted in this notice.
Financial institutions should also select SAR field 38(z) (Other Suspicious Activities - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and environmental crimes and use the most relevant keyword for suspicious activity such as “wildlife trafficking,” “illegal logging,” “illegal fishing,” “illegal mining,” or “waste trafficking.” If the suspicious activity involves multiple potential offenses, FinCEN also requests that filers include all relevant keywords in the narrative.
Financial institutions may consider sharing information on suspected environmental crimes offenses under Section 314(b) for the purposes of identifying and reporting money laundering activity.
On the SAR Narrative, FinCEN also requests that filers further detail how the suspicious activity relates to environmental crimes. Filers should provide any available details concerning how the illicit product, plant, or waste was solicited, acquired, stored, transported, financed, and paid for.
Filers also should provide all available details (such as names, identifiers, and contact information— including Internet Protocol (IP) and email addresses and phone numbers) regarding: (i) any actual purchasers or sellers of the illicit product, plant, waste or waste disposal services, and their intermediaries or agents; (ii) the volume and dollar amount of the transactions involving an entity that is—or may be functioning as—a supplier of illicit products, plants, waste or waste services; and (iii) any beneficial owner(s) of involved entities (such as shell companies).
In the case of illicit waste, filers should provide all available details and specific descriptions of the waste product and any known details about its origin, transport, and destination.
If known, filers should provide information about the place(s) where the reported individuals or entities are operating.
Topic: Ransomware and Ransom Payments
Advisory Name: Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
Advisory Date: 11/08/2021
Advisory Number: FIN-2021-A004
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2021-11 08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this advisory by including the key term “CYBER-FIN-2021-A004” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and ransomware-related activity.
Financial institutions should also select SAR field 42 (Cyber event) as the associated suspicious activity type, as well as select SAR field 42z (Cyber event - Other) while including “ransomware” as keywords in SAR field 42z, to indicate a connection between the suspicious activity being reported and possible ransomware activity.
Additionally, financial institutions should include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), (z).
Topic: Online Child Sexual Exploitation
Notice Name: FinCEN Calls Attention to Online Child Sexual Exploitation Crimes
Notice Date: 09/16/2021
Notice Number: FIN-2021-NTC3
Notice Link: https://www.fincen.gov/sites/default/files/shared/FinCEN%20OCSE%20Notice%20508C.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference only this notice in SAR field 2 (Filing Institution Note to FinCEN) using the keyword “OCSE-FIN-2021-NTC3”; this keyword should also be referenced in the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this notice. Financial institutions may highlight additional advisory keywords in the narrative, if applicable.
Financial institutions should also select SAR Field 38(z) (Other) as the associated suspicious activity type to indicate a connection between the suspicious activity reported and OCSE activity and include the term “OCSE” in the text box. If known, enter the subject’s internet based contact with the financial institution in SAR Field 43 (IP Address and Date).
If human trafficking or human smuggling are suspected in addition to OCSE activity, financial institutions should also select SAR Field 38(h) (Human Trafficking) or SAR Field 38(g) (Human Smuggling), respectively.
FinCEN asks that reporting entities use the Child Sexual Exploitation (CSE) terms and definitions in the appendix of the Advisory when describing suspicious activity, which will assist FinCEN’s analysis of the SARs.
For additional information on reporting cyber-enabled crimes, including on how to file SARs, please see: FAQs for Reporting Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information. Collaboration between Bank Secrecy Act (BSA)/anti-money-laundering (AML) and cybersecurity units within financial institutions is an effective practice for gathering information helpful to identifying OCSE offenders and victims. Please refer to FinCEN’s Advisory on Cyber-Events and Cyber-Enabled Crime, which contains examples of useful information to report including chat logs, IP addresses, email addresses, filenames, and CVC addresses, such as bitcoin. Financial institutions may consider sharing cyber-related information for the purposes of identifying and reporting money laundering and OCSE offenses.
Topic: Updated Deficient Countries
Advisory Name: Advisory on the Financial Action Task Force-Identified Jurisdictions with Anti-Money Laundering and Combating the Financing of Terrorism and Counter-Proliferation Deficiencies
Advisory Date: 03/11/2021
Advisory Number: FIN-2021-A003
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2021-03-11/FATF%20February%202021%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
Topic: Trade in Antiquities and Art
Notice Name: FinCEN Informs Financial Institutions of Efforts Related to Trade in Antiquities and Art
Notice Date: 03/09/2021
Notice Number: FIN-2021-NTC2
Notice Link: https://www.fincen.gov/sites/default/files/2021-03/FinCEN%20Notice%20on%20Antiquities%20and%20Art_508C.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference “FIN-2021-NTC2” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative portion of the SAR to indicate a connection between the suspicious activity being reported and the activities highlighted in this notice.
Financial institutions should also select SAR field 36(z) (Money Laundering - other) as the associated suspicious activity type, and note if the suspicious activity relates to “Antiquities,” “Art,” or both (in some instances, an object could be considered both an antiquity and a work of art.
FinCEN also requests that filers detail the reported activity in the narrative portion of the SAR, explaining how the suspicious activity relates to “Antiquities,” “Art,” or both.
Filers should provide any available details that may assist in the identification of (1) the objects connected to the financial transactions, (2) other transactions or proposed transactions that may involve antiquities or art, and (3) any other relevant information.
Filers should provide all available details (such as names, identifiers, and contact information—including Internet Protocol (IP) and email addresses and phone numbers) regarding (1) the actual purchasers or sellers of the property, and their intermediaries or agents, (2) the volume and dollar amount of the transactions involving an entity that is—or may be functioning as—a dealer in antiquities or art, and (3) any beneficial owner(s) of entities (such as shell companies).
In the case of stolen art or antiquities, filers should provide a detailed and specific description of the stolen item(s) and indicate whether photographs of the items are available.
Filers should also provide information about the place(s) where the reported individuals or entities are operating.
Topic: COVID-19 Economic Impact Payments
Advisory Name: Advisory on Financial Crimes Targeting COVID-19 Economic Impact Payments
Advisory Date: 02/24/2021
Advisory Number: FIN-2021-A002
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2021-02-24/Advisory%20EIP%20FINAL%20508.pdf
Applicable SAR Instructions:
Use the key term “FIN-2021-A002” SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
FinCEN also requests that filers mention “economic impact payment” in the SAR narrative along with any other relevant behavior, such as counterfeit checks, money mule activity, or identity theft, to indicate a connection between those activities and EIP frauds and thefts. Additionally, FinCEN requests that filers use this program-specific term and avoid relying on generalized key terms, such as “stimulus check.”
Financial institutions should also select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include the type of fraud and/or name of the scam or product (e.g., economic impact payment) in SAR field 34(z).
FinCEN requests filers not report the potential victim of an EIP fraud scheme as the subject of the SAR. Rather, all available information on the victim should be included in the narrative portion of the SAR.
Please refer to FinCEN’s May 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19) and February 2021 Consolidated COVID-19 Suspicious Activity Report Key Terms and Filing Instructions, which contain information regarding reporting COVID-19- related crime, and reminds financial institutions of certain BSA obligations.
Topic: COVID-19 Health Care and Insurance Fraud
Advisory Name: COVID-19 Health Insurance and Health Care-Related Fraud
Advisory Date: 02/02/2021
Advisory Number: FIN-2021-A001
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2021-02-02/COVID-19%20Health%20Care%20508%20Final.pdf
Applicable SAR Instructions:
Use the key term “FIN-2021-A001” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative portion of the SAR to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions also should select SAR field 34(g) (health care – public or private health insurance) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include additional detail about the type of health care fraud (e.g., Medicare – services not provided) in the narrative.
FinCEN requests that financial institutions wishing to report potential health care fraud unrelated to COVID-19 should not include this advisory’s key term in SAR field 2 or the SAR’s narrative portion. Instead, please select field 34(g) and detail the activity in the narrative (e.g. addiction treatment – services not provided; or pain clinic – “marketing” fees).
Please refer to FinCEN’s May 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19) which contains information regarding reporting COVID-19-related crime, and remind financial institutions of certain BSA obligations.
Topic: COVID-19 Vaccine Related Scams
Notice Name: FinCEN Asks Financial Institutions to Stay Alert to COVID-19 Vaccine-Related Scams and Cyberattacks
Notice Date: 12/28/2020
Notice Number: FIN-2020-NTC4
Notice Link: https://www.fincen.gov/sites/default/files/shared/COVID-19%20Vaccine%20Notice%20508.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference “FIN-2020-NTC4” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative portion of the SAR to indicate a connection between the suspicious activity being reported and the activities highlighted in this notice.
Financial institutions should also select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include the type of fraud and/or name of the scam or product (e.g., vaccine scam or vaccine ransomware) in SAR field 34(z).
FinCEN requests that filers further detail the reported activity in the narrative portion of the SAR. If the activity is suspected of being a scam, filers should provide known details about how the scammers contacted the victim, how the victim provided or attempted to provide payment related to the scam, and any other available details including data related to the financial transactions or method of contact, such as Internet Protocol (IP) addresses and phone numbers. For guidance on ransomware attacks, see FinCEN Advisory, FIN-2020-A006, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments,” (October 1, 2020).
Please refer to FinCEN’s May 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19), which contains information regarding reporting COVID-19-related crime, and reminds financial institutions of certain BSA obligations.
Topic: FATF Identified Deficient Jurisdictions
Advisory Name: Advisory on the Financial Action Task Force-Identified Jurisdictions with Anti-Money Laundering, Combating the Financing of Terrorism, and Proliferation Deficiencies
Advisory Date: 11/06/2020
Advisory Number: FIN-2020-A009
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-11-06/FATF%20October%202020%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
Topic: Human Trafficking and Related Activity
Advisory Name: Supplemental Advisory on Identifying and Reporting Human Trafficking and Related Activity
Advisory Date: 10/15/2020
Advisory Number: FIN-2020-A008
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-10-15/Advisory%20Human%20Trafficking%20508%20FINAL_0.pdf
Applicable SAR Instructions:
A potential victim of human trafficking should not be reported as the subject of a SAR. Rather, all available information on the victim should be included in the narrative portion of the SAR.
Use the key term: “HUMAN TRAFFICKING FIN-2020-A008” in SAR field 2 (Filing Institution Note to FinCEN) to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Additional information to include behavioral indicators, email addresses, phone numbers, and IP addresses also should be included when possible to aid law enforcement investigations.
Topic: COVID-19 Unemployment Insurance Fraud
Advisory Name: Advisory on Unemployment Insurance Fraud During the Coronavirus Disease 2019 (COVID-19) Pandemic
Advisory Date: 10/13/2020
Advisory Number: FIN-2020-A007
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-10-13/Advisory%20Unemployment%20Insurance%20COVID%2019%20508%20Final.pdf
Applicable SAR Instructions:
Use the key term “COVID19 UNEMPLOYMENT INSURANCE FRAUD FIN-2020-A007” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions also should select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. When addressing unemployment fraud in a SAR, financial institutions should include the keywords “unemployment fraud” in SAR field 34(z).
Please refer to FinCEN’s May 18, 2020 Notice Related to the Coronavirus Disease 2019, which contains information regarding reporting COVID-19-related crime and FinCEN’s Rapid Response Program, and reminds financial institutions of certain BSA obligations.
Topic: Ransomware and Ransom Payments
Advisory Name: Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
Advisory Date: 10/01/2020
Advisory Number: FIN-2020-A006
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf
Applicable SAR Instructions:
Use the key term: “CYBER-FIN-2020-A006” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and ransomware-related activity.
Financial institutions should also select SAR field 42 (Cyber event) as the associated suspicious activity type, as well as select SAR field 42z (Cyber event - Other) while including “ransomware” as keywords in SAR field 42z, to indicate a connection between the suspicious activity being reported and possible ransomware activity.
Additionally, financial institutions should include any relevant technical cyber indicators related to the ransomware activity and associated transactions within the available structured cyber event indicator SAR fields 44(a)- (j), (z).
Topic: COVID-19 Cybercrime and Cyber-Enabled Crime
Advisory Name: Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic
Advisory Date: 7/30/2020
Advisory Number: FIN-2020-A005
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-07-30/FinCEN%20Advisory%20Covid%20Cybercrime%20508%20FINAL.pdf
Applicable SAR Instructions:
Use the key term “COVID19-CYBER FIN-2020-A005” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions that suspect fraudulent COVID-19-related activity should mark all appropriate check boxes on the SAR form to indicate a connection between COVID-19 and the suspicious activity being reported. For example, if the activity includes a COVID-19- related account takeover involving an ACH transfer, financial institutions can select SAR field 38a and 38z, and note in the “other” box, “COVID-19 account takeover fraud – ACH.”
Financial institutions should also include any relevant technical cyber indicators related to cyber events and associated transactions reported in a SAR within the available structured cyber event indicator fields. For example, for a COVID-19-related cyber event against a financial institution, financial institutions can select SAR fields 42a and 42z (noting in the “other” box the COVID-19-related cyber event), and SAR fields 44(a)-(j), (z), including email or CVC wallet addresses, malicious domains or URLs, and any other known cyber event indicators.
For cyber-enabled crime involving fraud driven by COVID-19, financial institutions should select SAR field 34z (Fraud – other) as the associated suspicious activity type. Additionally, financial institutions should include the type of cybercrime or scheme as a keyword (e.g., “COVID 19 BEC Fraud,” “EAC fraud,” or “BEC data theft”) in SAR field 34(z).
Please refer to FinCEN’s May 18, 2020 Notice Related to the Coronavirus Disease 2019, which contains information regarding reporting COVID-19-related crime and FinCEN’s Rapid Response Program, and reminds financial institutions of certain BSA obligations.
Topic: Convertible Virtual Currency Scam Involving Twitter
Alert Name: FinCEN Alerts Financial Institutions to Convertible Virtual Currency Scam Involving Twitter
Alert Date: 7/16/2020
Alert Number: FIN-2020-Alert001
Alert Link: https://www.fincen.gov/sites/default/files/2020-07/FinCEN%20Alert%20Twitter_508%20FINAL.pdf
Applicable SAR Instructions:
Topic: COVID-19 Imposter Scams and Money Mule Schemes
Advisory Name: Advisory on Imposter Scams and Money Mule Schemes Related to Coronavirus Disease 2019 (COVID-19)
Advisory Date: 7/7/2020
Advisory Number: FIN-2020-A003
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-07-07/Advisory_%20Imposter_and_Money_Mule_COVID_19_508_FINAL.pdf
Applicable SAR Instructions:
Use the key term “COVID19 MM FIN-2020-A003” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions should also select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include the type of fraud and/or name of the scam or product (e.g., imposter scam or money mule scheme) in SAR field 34(z). In addition, FinCEN encourages financial institutions to report certain types of imposter scams and money mule schemes using fields such as SAR field 34(l) (Fraud- Massmarketing), or SAR field 38(d) (Other Suspicious Activities- Elder Financial Exploitation), as appropriate with the circumstances of the suspected activity.
Please refer to FinCEN’s Notice Related to the Coronavirus Disease 2019 (COVID-19), which contains information regarding reporting COVID-19-related crime, and reminds financial institutions of certain BSA obligations.
Topic: Medical Scams Related to Coronavirus Disease 2019
Advisory Name: Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19)
Advisory Date: 5/18/20
Advisory Number: FIN-2020-A002
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2020-05-18/Advisory%20Medical%20Fraud%20Covid%2019%20FINAL%20508.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this advisory by including the key term “COVID19 FIN-2020-A002” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
Financial institutions should also select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include the type of fraud and/or name of the scam or product (e.g., Product Fraud – non delivery scam) in SAR field 34(z).
Please refer to FinCEN’s Notice Related to the Coronavirus Disease 2019 (COVID-19) May 18 Notice Related to COVID-19, which contains information regarding reporting COVID-19-related crime, and reminds financial institutions of certain BSA obligations.
Topic: Fentanyl & Other Synthetic Opioids
Advisory Name: Advisory to Financial Institutions on Illicit Financial Schemes and Methods Related to the Trafficking of Fentanyl and Other Synthetic Opioids
Advisory Date: 8/21/2019
Advisory Number: FIN-2019-A006
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2019-08-21/Fentanyl%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
When filing a SAR, financial institutions should provide all pertinent available information in the SAR form and narrative. FinCEN requests that financial institutions use only the updated mandatory SAR form (as of February 1, 2019) and reference this advisory using the following key term in SAR field 2 (Filing Institution Note to FinCEN): “FENTANYL FIN-2019-A006” to indicate a possible connection between the suspicious activities being reported and activities highlighted in this advisory.
Topic: Updated Email Compromise Fraud Schemes
Advisory Name: Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes
Advisory Date: 7/16/2019
Advisory Number: FIN-2019-A005
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2019-07-16/Updated%20BEC%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this advisory and include the following key terms in the SAR narrative: “BEC FRAUD” when businesses or organizations are the scheme victims “EAC FRAUD” when individuals are the scheme victims Financial institutions should also select SAR field 42 (Cyber event) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and possible BEC or EAC fraud. Financial institutions should include one or both key terms to the extent they are able to distinguish between BEC and EAC fraud. Additionally, financial institutions should include any relevant technical cyber indicators related to the email compromise fraud and associated transactions within the available structured cyber event indicator SAR fields 44(a)-(j), (z). In instances of reporting of BEC schemes that result in the communication of information that could be used to facilitate future fraudulent transactions, which may be voluntary, FinCEN requests that financial institutions include the following key term in the SAR narrative: “BEC DATA THEFT”
NOTE: There is a large amount of info in the advisory that FinCEN states would be useful to include in each SAR on this topic.
Topic: Convertible Virtual Currency
Advisory Name: Advisory on Illicit Activity Involving Convertible Virtual Currency
Advisory Date: 5/9/19
Advisory Number: FIN-2019-A003
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2019-05-10/FinCEN%20Advisory%20CVC%20FINAL%20508.pdf
Applicable SAR Instructions:
FinCEN requests that financial institutions reference this advisory by including the key term: “CVC FIN-2019-A003” in the SAR narrative to indicate a connection between the suspicious activity being reported and possible illicit activity involving CVC. Using the new, mandatory SAR Form that took effect on January 1, 2019, financial institutions should reference this advisory using the above key term in SAR field 2 (“Filing Institution Note to FinCEN”)
Topic: Venezuela Corruption
Advisory Name: Updated Advisory on Widespread Public Corruption in Venezuela
Advisory Date: 5/3/19
Advisory Number: FIN-2019-A002
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2019-05-08/Venezuela%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
When filing a SAR, financial institutions should provide all pertinent available information in the SAR form and narrative. FinCEN requests financial institutions only use the updated mandatory SAR form (as of February 1, 2019). FinCEN further requests that financial institutions select SAR field 38(m) (“Suspected Public/Private Corruption (Foreign)”) and reference this advisory by including the key term: “Venezuela Corruption FIN-2019-A002” in SAR field 2 (“Filing Institution Note to FinCEN”) to indicate a connection between the suspicious activity being reported and the persons and activities highlighted in this advisory.
Topic: Iranian Activities
Advisory Name: Advisory on the Iranian Regime’s Illicit and Malign Activities and Attempts to Exploit the Financial System
Advisory Date: 10/11/2018
Advisory Number: FIN-2018-A006
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2018-10-12/Iran%20Advisory%20FINAL%20508.pdf
Applicable SAR Instructions:
When filing a SAR, financial institutions should provide all pertinent available information in the SAR form and narrative. FinCEN further requests that financial institutions reference this advisory by including the key term: “Iran FIN-2018-A006” to indicate a connection between the suspicious activity being reported and the persons and activities highlighted in this advisory.
Topic: Nicaragua Corruption
Advisory Name: Advisory to Financial Institutions on the Risk of Proceeds of Corruption from Nicaragua
Advisory Date: 10/4/18
Advisory Number: FIN-2018-A005
Advisory Link: https://www.fincen.gov/sites/default/files/advisory/2018-10-04/Nicaragua_Advisory_FINAL_508_0.pdf
Applicable SAR Instructions:
When filing a SAR, financial institutions should provide all pertinent available information in the SAR form and narrative. FinCEN further requests that financial institutions select SAR field 35(l) (“Suspected Public/Private Corruption (Foreign)”) and reference this advisory by including the key term: “Nicaragua FIN-2018-A005” in the SAR narrative and in SAR field 35(z) (“Other Suspicious Activity-Other”) when using the SAR Form on or prior to December 31, 2018. Beginning January 1, 2019, when using the new, mandatory SAR Form, financial institutions should select SAR field 38(m) (“Suspected Public/Private Corruption (Foreign)”) and reference this advisory using the above key term in SAR field 2 (“Filing Institution Note to FinCEN”) to indicate a connection between the suspicious activity being reported and the persons and activities highlighted in this advisory.
Topic: Corrupt Foreign PEPs
Advisory Name: Advisory on Human Rights Abuses Enabled by Corrupt Senior Political Figures and their Financial Facilitators
Advisory Date: 6/12/18
Advisory Number: FIN-2018-A003 Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2018-a003
Applicable SAR Instructions:
See FIN-2008-G005
When filing, select SAR field 35(I) and include term "Financial Facilitator FIN-2018-A003" in SAR narrative and in SAR field 35(z)
If transactions may potentially relate to a terrorist activity, call the FI Hotline at 866-556-3974 to expedite delivery of said information.
Things to look for:
Use of third parties when it is not normal business practice
Use of third parties when it appears to shield the identity of a PEP
Use of family members or close associates as legal owners
Use of corporate vehicles (legal entities and legal arrangements) to obscure ownership, involved industries, and/or countries
Declarations of information from PEPs that are inconsistent with other information, such as publicly available asset declarations and published official salaries
The PEP or facilitator seeks to make use of the services of a financial institution or a designated non-financial business or profession (DNFBP) that would normally not cater to foreign or high-value clients
The PEP or facilitator repeatedly moves funds to and from countries with which the PEP does not appear to have ties
The PEP or facilitator has a substantial authority over or access to state assets and funds, policies, and operations
The PEP or facilitator has an ownership interest in or otherwise controls the financial institution of DNFBP (either privately or ex officio) that is a counterparty or a correspondent in a transaction
Transactions involving government contracts that are directed to companies that operate in an unrelated line of business (e.g., payments for construction projects directed to textile merchants)
Transactions involving government contracts that originate with, or are directed to, entities that are shell corporations, general “trading companies,” or companies that appear to lack a general business purpose
Documents corroborating transactions involving government contracts (e.g., invoices) that include charges at substantially higher prices than market rates or that include overly simple documentation or lack traditional details (e.g., valuations for goods and services)
Payments involving government contracts that originate from third parties that are not official government entities (e.g., shell corporations)
Transactions involving property or assets expropriated or otherwise taken over by corrupt regimes, including individual senior foreign officials or their croneis
Topic: Email Compromise Fraud Schemes
Advisory Name: Advisory to Financial Institutions on Email Compromise Fraud Schemes
Advisory Date: 9/6/16
Advisory Number: FIN-2016-A003 Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a003
Applicable SAR Instructions:
When filing, provide all available information, including cyber-related information, in the SAR narrative. Specifically, provide the following information:
Scheme Details
Dates and amounts of suspicious transactions
Sender’s identifying information, account number, and financial institution
Beneficiary’s identifying information, account number, and financial institution
Correspondent and intermediary financial institutions’ information, if applicable
Relevant e-mail addresses and associated Internet Protocol (IP) addresses with their respective timestamps and
Description and timing of suspicious e-mail communications
Communication with other FI’s under the auspices of Section 314(b) is encouraged by FinCEN when determining if a SAR filing is necessary
Reference advisory FIN-2016-A003 and include the key terms “BEC Fraud” when a business is the scheme victim and/or “EAC Fraud” when an individual is the scheme victim in the SAR narrative and SAR field 31(z) to indicate a connection between the suspicious activity being reported and possible BAC or EAC fraud. Include one or both terms to the extent a distinction is able to be made.
Topic: Human Smuggling and Human Trafficking
Advisory Name: Guidance on Recognizing Activity that May be Associated with Human Smuggling and Human Trafficking – Financial Red Flags
Advisory Date: 9/11/2014
Advisory Number: FIN-2014-A008
Advisory Link: https://www.fincen.gov/sites/default/files/shared/FIN-2014-A008.pdf
Applicable SAR Instructions:
Include one or both of the following terms in the Narrative and Suspicious Activity Information to the extent that a distinction is able to be made.
Include an explanation of why the institution knows, suspects, or has reason to suspect that the activity is suspicious.
Do not identify the potential victim of human smuggling or trafficking as the subject of the SAR. Rather, include the potential victim’s information in the narrative portion of the SAR.
Topic: Funnel Accounts and TBML in Mexico; BMPE; MX Restriction
Advisory Name: Update on US Currency Restrictions in Mexico: Funnel Accounts and TBML
Advisory Date: 5/28/14
Advisory Number: FIN-2014-A005
Advisory Link: https://www.fincen.gov/sites/default/files/shared/FIN-2014-A005.pdf
Applicable SAR Instructions:
Include “MX Restriction” in SAR narrative and Suspicious Activity Information sections of SARs to indicate a possible connection between the suspicious activity being reported and the enacted US currency restrictions on Mexican financial institutions
Include specific reference to the terms “funnel account” and/or “TBML” where appropriate.
Topic: St. Kitts and Nevis Passport
Advisory Name: Abuse of the Citizenship-by-Investment Program Sponsored by the Federation of St. Kitts and Nevis
Advisory Date: 5/20/14
Advisory Number: FIN-2014-A004
Advisory Link: https://www.fincen.gov/sites/default/files/shared/FIN-2014-A004.pdf
Applicable SAR Instructions:
Include the term SKN Passport in both the narrative portion and in the “Other” fields in Part II items 29 through 38, as applicable
Be sure to consider any OFAC obligations if they believe that customers using the SKN passports are blocked persons
Topic: Tax Refund Fraud
Advisory Name: Tax Refund Fraud and Related Identity Theft
Advisory Date: 3/30/12
Advisory Number: FIN-2012-A005
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2012-a005
Applicable SAR Instructions:
Topic: Tax Refund Fraud
Advisory Name: Update on Tax Refund Fraud and Related Identity Theft
Advisory Date: 2/26/13
Advisory Number: FIN-2013-A001
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2013-a001
Applicable SAR Instructions:
Include the term “tax refund fraud” in the narrative section of the SAR and provide a detailed description of the activity
As these are time sensitive transactions, a FI may contact their local IRS Criminal Investigation Field Office to alert them that a SAR has been filed related to tax refund fraud
Topic: Third-Party Payment Processors
Advisory Name: Risk Associated with Third-Party Payment Processors
Advisory Date: 10/22/12
Advisory Number: FIN-2012-A010
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2012-a010
Applicable SAR Instructions:
Topic: Mexican Currency Restriction
Advisory Name: Newly Released Mexican Regulations Imposing Restrictions on Mexican Banks for Transactions in U.S. Currency
Advisory Date: 6/21/12
Advisory Number: FIN-2010-A007
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2010-a007
Applicable SAR Instructions:
If a financial institution has determined that a transaction is suspicious and thus has an obligation to file a SAR with FinCEN; AND if the facts and circumstances of the transaction lead the financial institution to suspect that the transaction is being entered into as a result of the Mexican currency restrictions, then the financial institution should include the specific term "MX Restriction" within the narrative portion of the SAR filing and highlight the exact dollar amount(s) associated with the suspicious activity
Include all information available for each party suspected of engaging in this activity (including the individual or company name, address, phone number, and any other identifying information)
If currency is shipped from Mexico, include information on the common carrier, courier, or shipper of the currency, and information on the point of exportation of the currency from Mexico and the point of importation in the United States, if known
Topic: Mexican Currency Restriction
Advisory Name: Update on US Currency Restrictions in Mexico
Advisory Date: 7/18/12
Advisory Number: FIN-2012-A006
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2012-a006
Applicable SAR Instructions:
Topic: Account Takeover Fraud
Advisory Name: Account Takeover Activity
Advisory Date: 12/19/11
Advisory Number: FIN-2011-A016
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2011-a016
Applicable SAR Instructions:
Include the term “account takeover fraud” in the narrative section of the SAR and provide a detailed description of the activity
If the account takeover involves computer intrusion, check the box for "computer intrusion." In addition, financial institutions can check the "other" box and note "account takeover fraud" in the space provided
If the account takeover involved other delivery channels such as telephone banking or fraudulent activities such as social engineering, financial institutions can check the "other" box, note "account takeover fraud," and include a short description of the additional information in the space provided
If the account takeover involves a wire transfer, then in addition to selecting the "other" box and noting "account takeover fraud," the box for "wire transfer fraud" should be checked
If the account takeover involves an ACH transfer, financial institutions can check the "other" box and note "account takeover fraud - ACH"
Account takeovers often involve unauthorized access to PINs, account numbers, and other identifying information. Financial institutions may need to check the box for "identity theft," in addition to selecting the "other" box and noting "account takeover fraud." Additional boxes should be checked if appropriate (e.g. "terrorist financing")
Topic: Bankruptcy
Advisory Name: The US Trustee Program’s Civil Enforcement Activity Targets Bankruptcy-Related Mortgage Fraud and Mortgage Rescue Schemes (SAR Activity Review – October 2011)
Advisory Date: 10/12/11
Advisory Number: SAR Activity Review – October 2011
Advisory Link: https://www.fincen.gov/sites/default/files/shared/sar_tti_20.pdf#page=61
Topic: Commercial Real Estate Fraud (CREF)
Advisory Name: Advisory on Activities Potentially Related to CREF
Advisory Date: 3/30/11
Advisory Number: FIN-2011-A007
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2011-a007
Applicable SAR Instructions:
Include the term CREF within the narrative portion of all relevant SAR filings, even though the SAR form lists “commercial loan fraud” as a check box
Report the exact dollar amounts associated with the commercial real estate activity
Include all information available for all parties suspected of participating in this fraudulent activity in the Suspect/Subject Information Section
Topic: Elder Financial Exploitation
Advisory Name: Advisory to Financial Institutions on Filing Suspicious Activity Reports Regarding Elder Financial Exploitation
Advisory Date: 2/22/11
Advisory Number: FIN-2011-A003
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2011-a003
Applicable SAR Instructions:
Select the appropriate characterization of suspicious activity in the Suspicious Activity Information section of the SAR
Include the term “elder financial exploitation” in the narrative portion of all SARs filed
Include an explanation of why the institution knows, suspects, or has reason to suspect that the activity is suspicious in the narrative section
The potential victim should not be reported as the subject of the SAR, but rather included in the narrative portion of the SAR
Topic: Informal Value Transfer System (IVTS)
Advisory Name: Informal Value Transfer Systems
Advisory Date: 9/1/10
Advisory Number: FIN-2010-A011
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2010-a011
Applicable SAR Instructions:
File a SAR if an FI knows, suspects, or has reason to suspect that an IVTS is operating in violation of the registration requirement under the BSA for money transmitters and not acting solely as agents of others, or, even if registered, is being used in the illegal transmittal of funds
Check the appropriate box indicating the type of suspicious activity being reported
Note the abbreviation “IVTS” in the narrative
Include an explanation as to why the FI knows, suspects, or has reason to suspect that an IVS may be involved in the reported activity in the narrative section of the SAR
Topic: Home Equity Conversion Mortgage (HECM)/Federal Housing Authority (FHA)
Advisory Name: Advisory to Financial Institutions on Filing Suspicious Activity Reports Regarding Home Equity Conversion Mortgage Fraud Schemes
Advisory Date: 4/27/10
Advisory Number: FIN-2010-A005
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2010-a005
Applicable SAR Instructions:
Provide complete and sufficient descriptions of known or suspected criminal violations or suspicious activity in the SAR narrative sections
Include the term “HECM” within the narrative portions of all relevant SAR filings
Highlight the exact dollar amounts associated with the HECM loan proceeds
Include all information available for each party suspected of engaging in this fraudulent activity in the Suspect/Subject Information Section of the SAR
If the FI is aware of any other type of FHA-insured mortgage fraud, include the term “FHA” in the narrative portions of the relevant SAR filings
If a senior homeowner is a victim of the scam, do not include them as a suspect unless there is reason to believe the homeowner knowingly participated in the fraudulent activity
When a senior homeowner is simply a victim of a scam, include sufficient information in the narrative portion of the SAR about the senior homeowner and his or her property to assist law enforcement in investigating and prosecuting these potential crimes
Topic: Trade Based Money Laundering (TBML); Black Market Peso Exchange (BMPE)
Advisory Name: Advisory to Financial Institutions on Filing Suspicious Activity Reports regarding Trade-Based Money Laundering
Advisory Date: 2/18/10
Advisory Number: FIN-2010-A001
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2010-a001
Applicable SAR Instructions:
Check the appropriate box in the Suspicious Activity Information section of the SAR form
Include the abbreviation “TBML” or “BMPE” in the narrative portion of all relevant SARs filed
Include an explanation of why the institution suspects, or has reason to suspect, that the customer is participating in this type of activity in the narrative section
Topic: SIGTARP (Special Inspector General for the Trouble Asset Relief Program)
Advisory Name: Advisory to Financial Institutions on Filing Suspicious Activity Reports Regarding TARP-related Programs
Advisory Date: 10/14/09
Advisory Number: FIN-2009-A006
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2009-a006
Applicable SAR Instructions:
Check the appropriate box on the SAR form to indicate the type of suspicious activity
Include the term “SIGTARP” in the narrative portion of the SAR
Include all information available for each party suspected of engaging in the suspicious activity in the Suspect/Subject Information Section of the SAR
Topic: Foreclosure Rescue Scam
Advisory Name: Guidance to Financial Institutions on Filing Suspicious Activity Reports regarding Loan Modification/Foreclosure Rescue Scams
Advisory Date: 4/6/09
Advisory Number: FIN-2009-A001
Advisory Link: https://www.fincen.gov/resources/statutes-regulations/guidance/guidance-financial-institutions-filing-suspicious-activity
Applicable SAR Instructions:
Provide complete and sufficient descriptions of known or suspected criminal violations or suspicious activity in the narrative section
Include the term “foreclosure rescue scam” in the narrative portions of all relevant SARs filed
Include all information available for each party suspected of engaging in this fraudulent activity in the Suspect/Subject Information Section of the SAR
The homeowner should not be listed as a subject when they are simply a victim, but rather should have their information listed in the narrative section of the SAR
If there is reason to believe the homeowner knowingly participated in the fraudulent activity, they should be listed in the subject section of the SAR
Topic: Foreclosure Rescue Scam
Advisory Name: Updated Advisory to Financial Institutions on Filing Suspicious Activity Reports Regarding Loan Modification/Foreclosure Rescue Scams
Advisory Date: 6/17/10
Advisory Number: FIN-2010-A006
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2010-a006
Applicable SAR Instructions:
Include the term “foreclosure rescue scam”
Include all information available for each party suspected of engaging in suspected fraudulent activity
Include information such as individual or company name, address, phone number, and any other identifying information
When the homeowner is believed to be simply a victim, include all available information in the narrative portion of the SAR about the homeowner and his or her property
Topic: Foreign Corruption
Advisory Name: Guidance to Financial Institutions on Filing Suspicious Activity Reports regarding the Proceeds of Foreign Corruption
Advisory Date: 4/17/08
Advisory Number: FIN-2008-G005
Advisory Link: https://www.fincen.gov/resources/advisories/fincen-guidance-fin-2008-g005
Applicable SAR Instructions: