Learning objectives

By the end of this module, you will understand:

•  How suspicious activity is identified, 

• How reporting decisions are made, 

• How escalation and confidentiality work in practice. 

You’ll feel confident about when and how to raise concerns appropriately.

Introduction: Removing uncertainty around reporting

Suspicious activity reporting is often one of the most intimidating parts of AML, especially for early-stage teams. 

The fear of getting it wrong can lead to hesitation or avoidance.

Regulators do not expect firms to identify every instance of financial crime. They expect firms to recognize when activity does not align with what they know about a customer, review it thoughtfully, and escalate concerns when appropriate. This module focuses on building that confidence.

Section 1: What suspicious activity looks like in practice

Suspicious activity is identified through context, not isolated facts. An activity becomes suspicious when it does not make sense given what you know about the customer, the product, and the expected use of your service.

Common indicators that may prompt internal review include:

• Activity that deviates from the customer’s expected behavior.

• Sudden changes in transactions’ size, frequency, or purpose.

• Use of products or features in ways that were not anticipated.

• Reluctance to provide explanations or supporting information.

• Links to higher-risk jurisdictions or counterparties

A single indicator does not necessarily indicate wrongdoing. It means the activity warrants further review. 

For a more exhaustive list of indicators tailored to different sectors, you can refer to this guide on AML red flags, which categorizes common suspicious behaviors.

Pause and reflect.

Consider your current escalation process.

If you noticed an activity that did not make sense, would you know where to raise it?
Do you know who is responsible for reviewing and deciding whether escalation is required?

Section 2: When reporting obligations arise

Reporting obligations arise when a firm has formed a reasonable suspicion that activity may involve money laundering, terrorist financing, or another financial crime.

It is important to understand that suspicion does not require certainty. Firms are not expected to investigate or prove criminal behavior. They are expected to act once suspicion is reasonably formed, based on the available information.

Regulators assess whether reporting decisions are timely, consistent, and supported by documentation. Failing to report when required is generally viewed more seriously than reporting in good faith. 

To understand the specific legal thresholds and filing deadlines for different jurisdictions, see this deep dive into suspicious activity reports (SARs).

Section 3: How reporting fits into the broader AML framework

Suspicious activity reporting is the outcome of multiple AML controls working together. It does not stand alone.

Typically, concerns are identified through onboarding checks or ongoing monitoring. These concerns are then reviewed internally, escalated where necessary, and assessed to determine whether reporting is required.

Regulators look for clear connections between monitoring, escalation, and reporting. They want to see that information flows logically through the program and that responsibilities are clearly defined.

Section 4: Escalation and internal decision making

Not every concern results in a report. Firms should have clear internal processes that explain how concerns are escalated and reviewed.

Effective escalation relies on clear ownership, defined review steps, and documented outcomes. 

In most firms, this responsibility ultimately falls to the Money Laundering Reporting Officer (MLRO), who acts as the final arbiter for reporting decisions and the primary contact for law enforcement.

From a regulatory perspective, a well-structured escalation process is evidence that a firm takes financial crime risk seriously, even when the final decision is not to report.

Section 5: Confidentiality and handling sensitive information

Suspicious activity reporting is subject to strict confidentiality requirements. Firms must not disclose that a report has been filed or is being considered.

Teams should understand who is permitted to access reporting information and how it is protected. Confidentiality is critical to maintaining the integrity of investigations and protecting the firm from regulatory breaches.

Clear procedures and limited access help ensure that sensitive information is handled appropriately.

Learning checkpoint: What good looks like after step 7

At the end of this module, you should:

• Feel confident identifying activity that may warrant internal review.

• Understand when suspicion is formed and when reporting obligations arise.

• Know how concerns are escalated and reviewed within your organization.

• Understand the importance of confidentiality and controlled access to information.

• Be able to explain your reporting process clearly and consistently.

If you can articulate these points and describe how they work in practice, you are meeting regulatory expectations at this stage.

Preparing for step 8

In the next module, you will focus on record keeping and audit trails, which regulators rely on to understand how decisions were made and whether controls are working as intended.

Further reading & resources:

•  The SAR guide

• Common AML red flags

• The MLRO handbook