Submitting a Suspicious Activity Report to the National Crime Agency is one of the most consequential acts a regulated firm can perform. It is also one of the most poorly understood. Staff freeze on the question of whether a "feeling" meets the threshold; partners worry about tipping off; MLROs receive vague internal reports they cannot reasonably act on. This guide walks through the legal threshold, the internal-to-external flow, and how to actually write a SAR the NCA financial intelligence unit can use.
The statutory framework
SAR obligations for the regulated sector flow primarily from sections 330-332 of the Proceeds of Crime Act 2002 (POCA) and section 21A of the Terrorism Act 2000. Section 330 makes it an offence for a person in the regulated sector to fail to disclose to the firm's nominated officer information that gives them knowledge, suspicion, or reasonable grounds for knowledge or suspicion that another person is engaged in money laundering.
The MLRO then assesses the internal disclosure and, where the threshold is met, submits an external SAR to the NCA via the SAR Online portal. The firm - through the MLRO - submits the SAR. No practice management system, AI tool, or compliance vendor can submit on the firm's behalf, and any vendor claiming otherwise should be treated with scepticism.
The threshold: suspicion, not proof
Staff often delay internal reporting because they believe they need evidence of laundering. They do not. The threshold is suspicion - defined by the courts as "a positive feeling of actual apprehension or mistrust" that is more than fanciful, even if it falls well short of proof.
"Reasonable grounds to suspect" is an objective test layered on top: would a reasonable person in the same position, with the same training, have suspected? If yes, the obligation crystallises whether or not the individual personally suspected. This is why training matters - untrained staff are a defence the firm cannot rely on.
Internal reporting: making it frictionless
Internal SARs need to be easy to file or staff will not file them. The mechanism should be a single named form (or system entry) routed exclusively to the MLRO and deputy MLRO. No "discussing with my line manager first" - that is a tipping-off risk in waiting.
The internal report should capture: the client, the matter, the specific activity that gave rise to suspicion, the date, any documents that evidence the activity, and the reporter's name. The MLRO's decision (escalate to NCA, decline with reasoning, request further information) must be recorded against the same case.
When the MLRO decides not to submit externally
Not every internal report becomes an external SAR. Many internal reports turn out, on review, to be explicable activity, duplicate intelligence already covered by another report, or below the suspicion threshold once context is added.
The MLRO's decision not to escalate must be documented in writing, with reasoning, and retained for the same five-year period as other AML records. This file is one of the first things a supervisor will ask to see - it demonstrates that the MLRO is exercising independent judgement rather than acting as either a rubber stamp or a refusal machine.
DAML requests - the consent regime
Where the firm intends to perform a transaction or act that might constitute a money laundering offence (for example, completing a deal where there are reasonable grounds to suspect proceeds of crime), a Defence Against Money Laundering (DAML) request must be made to the NCA. The NCA then has seven working days to refuse consent; if no refusal is received, consent is deemed to be granted. If consent is refused, a further 31 calendar-day moratorium period kicks in.
DAML requests are submitted through the same SAR Online portal but flagged as DAML. The seven-day window cannot be shortened, and pressuring the NCA for an expedited decision rarely works - plan transaction timelines accordingly.
How to write a SAR the NCA can use
NCA financial intelligence officers triage tens of thousands of SARs each month. A SAR written as a vague narrative will be deprioritised; a SAR written with specific, actionable detail moves to the front. Structure the narrative around five facts: who, what, when, where, and why suspicious.
Use the glossary codes - XXSAR for standard SARs, XXS1S2 for SARs requiring urgent attention, XXF1 for terrorist financing, and the current published glossary for sector-specific codes. Putting the right code in the first line of the reason for suspicion field is the single biggest predictor of whether the SAR will be acted on quickly.
Avoiding the tipping-off offence
Section 333A POCA makes it an offence to disclose to a third party that an internal or external SAR has been made, where the disclosure is likely to prejudice an investigation. The classic trap is the partner who, post-submission, becomes noticeably distant with the client or refuses to take instructions without explanation - that change in behaviour can itself constitute tipping off.
Train staff to continue normal client interactions where lawful, to never reference the SAR in correspondence with the client, and to route any client questions about delays through the MLRO. Internal references to SARs in firm systems should be tightly access-controlled.
Record-keeping after submission
Retain a copy of the SAR, the underlying evidence, the MLRO's decision rationale, and any DAML response for at least five years from the end of the business relationship or the date of the occasional transaction (Regulation 40 MLR 2017). Access should be restricted to the MLRO, deputy MLRO, and named senior management.
A practice management platform that lets you tag a client record with a restricted-access "regulatory" flag is useful here. Accupe's role-based access controls let firms isolate SAR-related records to a narrow group without removing the underlying client profile from the rest of the team.
Quality over quantity
The NCA has stated publicly that it prefers fewer, better-targeted SARs over high-volume defensive reporting. "Defensive SARs" - reports submitted purely to cover the firm rather than because suspicion is genuinely held - clog the system and weaken the value of the regime. A firm submitting one or two well-evidenced SARs a year may be performing better than a firm submitting twenty thin ones.
Closing
SAR writing is a skill, and skills decay without practice. Run an annual SAR-writing workshop using anonymised case studies - including DAML scenarios - and have the MLRO grade the outputs. The first time your firm has to file a real SAR under time pressure should not be the first time anyone has written one.