Part 2 of our "CASP Compliance Toolkit" series. Our walkthrough From On-Chain Trigger to FIU SAR in 48 Hours covered the time-critical path to filing. This piece is about the document itself: what a Financial Intelligence Unit actually wants in a crypto SAR, and why so many are quietly useless.
A suspicious activity report is only worth filing if the FIU can act on it. Many can't be — not because the suspicion was wrong, but because the report was a paragraph of narrative with no evidence an analyst could follow. Crypto SARs have a specific failure mode and a specific opportunity: the underlying evidence is public and permanent, so a good one can hand the FIU a trail it can verify and extend.
What an FIU Actually Wants
Most EU FIUs receive reports through structured systems, frequently the UNODC goAML platform, which means a SAR is a set of fields plus a narrative plus attachments — not an email. A report an FIU can work carries:
- Structured subject data — the customer, accounts, and identifiers in the FIU's schema, complete and correctly typed
- The crypto identifiers — the specific wallet addresses, transaction hashes, amounts, assets, and dates — the things that make a crypto SAR uniquely verifiable
- A narrative that explains the suspicion — what was observed, why it is suspicious, and what typology it matches, in plain language an analyst can follow without reverse-engineering it
- The on-chain evidence — the fund-flow trail and counterparty attributions, so the FIU sees the picture you saw and can extend it
The Mistakes That Get Reports Sent Back
- Narrative without evidence — "the customer's activity appeared suspicious" with no addresses, amounts, or trail. The most common and most fatal failing.
- No reason for the suspicion — a report that states a conclusion but not the grounds for it; the FIU can't assess what it can't see reasoned.
- Defensive over-reporting — filing on everything to cover yourself, which buries the real reports in noise and signals a monitoring system that isn't calibrated.
- Missing the crypto specifics — omitting the wallet addresses and txids that are the whole point of a crypto SAR, leaving the FIU with a generic and unverifiable report.
- Late filing — reporting long after the suspicion formed, by which time the funds have moved and the report is a historical note rather than an intervention.
The on-chain evidence is the SAR's superpower
A traditional-finance SAR often relies on the FIU to subpoena records to verify it. A crypto SAR doesn't have to: the addresses and transactions are public, so a well-built report hands the FIU a trail it can confirm immediately and follow further. That is the single biggest quality lever — not better prose, but the fund-flow graph and the attributed counterparties attached to the filing. "Suspicious customer" goes in a pile; "these funds, from this cluster, through these hops, on these dates, graph attached" gets worked.
Building the Evidence
How BA helps. BA produces the evidence layer a strong SAR needs — the traced fund flow across 80+ chains, counterparty attributions against a 1B+ label graph, and an exportable graph of the suspicious activity — in a form that drops into the narrative and the goAML attachment. The remember-the-tipping-off-prohibition discipline still applies: none of this is shared with the customer. For the end-to-end filing path, see From On-Chain Trigger to FIU SAR in 48 Hours.
Next in the series: Crypto Customer Risk Scoring, the model that decides which customers generate the alerts that become these reports.
Attach the on-chain evidence that makes a SAR actionable
Screen wallets, monitor entities, and generate compliance reports with 1B+ labeled addresses and 305+ data sources.
See Monitoring Solutions