This is part 6 — the close — of our "Tools for Compliance" series. Part 3, Ongoing Wallet Monitoring, covered generating and calibrating the alert. This part covers what happens after an alert is confirmed: the time-critical path from a trigger to a filed suspicious activity report, and why the hard part is the on-chain investigation in the middle.
Once an analyst forms a suspicion, a clock starts. The AMLR's reporting obligation (Art. 69) requires reporting to the Financial Intelligence Unit promptly, and pairs it with a duty to refrain from carrying out transactions tied to the suspicion until the FIU is notified. "Promptly" is not a number, but the operational reality sets one: funds on-chain move in minutes, the refrain-from-transaction duty freezes part of your business while the case is open, and an FIU that receives a thin, late report files it under "technically compliant, operationally useless." A 48-hour target from trigger to filing is not a legal deadline; it is the discipline that keeps the report fast enough to matter and complete enough to be actioned.
Hour 0: What Starts the Clock
The trigger is a confirmed signal, not a raw alert. It arrives from one of a few places: a monitoring alert that survived analyst triage, a sanctions screening hit, a law-enforcement request, or adverse media tying a customer to an event. The moment it is confirmed as a genuine suspicion, two things are simultaneously true: the reporting clock is running, and the refrain-from-transaction duty has attached to any pending movement connected to it. Logging the trigger — what it was, when it was confirmed, who confirmed it — is the first line of the case file and the timestamp every later step is measured against.
Hours 0–24: The On-Chain Investigation
This is the work, and it is where most of the 48 hours goes. A SAR without an on-chain case behind it is an assertion; a SAR with one is evidence. The investigation has to establish:
- Source of funds — where did the value originate, and how many hops back does a high-risk origin sit? This means tracing upstream through the transaction graph, past pass-through and consolidation addresses, to the funding source
- Destination and intent — where was the value going, and does the path show obfuscation: peel chains, bridge hops, conversion to privacy assets, mixer deposits
- Counterparty attribution — what are the addresses on either side: exchange deposit addresses, sanctioned clusters, darknet markets, known fraud infrastructure. Unlabelled addresses are the gaps the FIU will ask about
- The cluster picture — is the suspect address one of many controlled by the same actor; does the activity fit a recognised typology (structuring, layering, money-muling)
- Quantification — the amounts, the timeline, the number of transactions — the figures that turn a narrative into a structured filing
The output of this phase is a defensible reconstruction: this value came from there, moved like this, to there, and here is why that pattern is suspicious. That reconstruction is the SAR.
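The upstream trace described above can be sketched as a breadth-first walk over inbound transfers. This is an added example, not BA's tooling or code from the original article; the addresses, labels, the `HIGH_RISK` set and the `trace_upstream` function are all constructed for illustration.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, amount, date); not real addresses.
TRANSFERS = [
    ("addr_sanctioned_1", "addr_hop_a", 12.0, "2025-03-01"),
    ("addr_hop_a", "addr_hop_b", 11.9, "2025-03-01"),
    ("addr_exchange_x", "addr_hop_b", 0.5, "2025-03-02"),
    ("addr_hop_b", "addr_customer", 12.3, "2025-03-02"),
    ("addr_unknown_9", "addr_customer", 2.0, "2025-03-03"),
]
# Constructed labels; a real programme resolves these from its attribution data.
LABELS = {"addr_sanctioned_1": "sanctioned cluster", "addr_exchange_x": "exchange"}
HIGH_RISK = {"sanctioned cluster", "mixer", "darknet market"}

def trace_upstream(target, transfers, labels, max_hops=5):
    """Breadth-first upstream trace from target toward its funding sources."""
    inbound = {}
    for sender, receiver, amount, date in transfers:
        inbound.setdefault(receiver, []).append((sender, amount, date))
    paths, queue = {target: [target]}, deque([target])  # address -> path to target
    high_risk, gaps = [], []
    while queue:
        addr = queue.popleft()
        label, hops = labels.get(addr), len(paths[addr]) - 1
        if addr != target and label:
            if label in HIGH_RISK:
                high_risk.append({"origin": addr, "label": label,
                                  "hops": hops, "path": paths[addr]})
            continue  # attributed counterparty: stop tracing past it
        senders = inbound.get(addr, [])
        if addr != target and not senders:
            gaps.append(addr)  # unlabelled source with no further history
        if hops >= max_hops:
            continue
        for sender, _, _ in senders:
            if sender not in paths:  # visit once; also breaks cycles
                paths[sender] = [sender] + paths[addr]
                queue.append(sender)
    direct = inbound.get(target, [])
    dates = sorted(d for _, _, d in direct)
    return {
        "high_risk_origins": high_risk,    # source of funds, with hop count and path
        "unattributed_sources": gaps,      # the gaps the FIU will ask about
        "inbound_total": round(sum(a for _, a, _ in direct), 8),
        "inbound_count": len(direct),
        "date_range": (dates[0], dates[-1]) if dates else None,
    }

if __name__ == "__main__":
    print(trace_upstream("addr_customer", TRANSFERS, LABELS))
```

An address that is still unlabelled when the trace reaches `max_hops` is neither a finding nor a listed gap, so the hop limit used belongs in the case file next to the result.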
The investigation is the bottleneck, so pre-build it
Teams that miss the window miss it here — an analyst hand-assembling a fund-flow picture from a block explorer, address by address, while the clock runs. The programmes that file fast and well have the tracing infrastructure standing before the trigger: one-click upstream/downstream tracing, counterparty labels resolved automatically, the cluster surfaced, the graph exportable as evidence. The 48-hour target is only realistic if the investigation is a tool you run, not a forensic project you start from scratch each time.
Hours 24–36: The Decision
The investigation produces facts; the MLRO produces the decision. The standard is suspicion, not proof — the question is whether there are reasonable grounds to suspect, not whether a crime is provable. The decision step covers:
- Is it reportable — does the reconstructed picture meet the "knew or suspected" threshold; if yes, the obligation to report is not discretionary
- What else fires — a sanctions nexus triggers asset-freezing and competent-authority notification in parallel with the SAR; the answer is often more than one obligation at once
- The refrain decision — whether to execute, hold, or block the tied transaction, and the documented basis for it
- Sign-off — the MLRO's determination, recorded with rationale, is the document an examiner walks first
Hours 36–48: Filing
EU FIUs increasingly receive reports through structured systems — many on the UNODC goAML platform — which means a SAR is not a free-text email. It is structured fields plus a narrative plus attachments. A filing that lands well carries:
- The structured data — subjects, accounts, addresses, amounts, dates, transaction references, in the FIU's schema
- The narrative — the reconstruction in plain language: what was observed, why it is suspicious, what typology it matches
- The on-chain evidence — the fund-flow graph, the traced path, the counterparty labels and their basis, exported so the FIU analyst sees what you saw
- The internal record — retained for the statutory period (AMLR Art. 77), retrievable, tying the filing back to the trigger that started the clock
The difference between a SAR an FIU can act on and one it cannot is almost always the evidence layer. "We found this customer suspicious" goes in a pile; "these funds came from this sanctioned cluster, through these three hops, in this amount, on these dates, and here is the graph" gets worked.
The Duties Running in Parallel
Three obligations run alongside the filing and are tested independently:
- Refrain from the transaction — the movement tied to the suspicion is not executed until the FIU is informed, unless refraining is impossible or would frustrate the investigation (a documented judgement, not a default)
- Tipping-off prohibition — the customer must not learn a SAR was filed or contemplated (AMLR Art. 54); this has to be trained into front-line staff, not just held by compliance
- Asset freeze, where there is a sanctions nexus — runs on its own faster clock, with its own notification to the competent authority, independent of the SAR timeline
How BA Does It
The 36 hours of investigation collapse when the tracing is a tool rather than a manual reconstruction. BA's investigation tooling traces funds upstream and downstream across 80+ chains from any trigger address, resolves counterparties against a graph of 1B+ labelled addresses — exchanges, sanctioned clusters, mixers, fraud infrastructure — surfaces the actor's cluster, and renders the whole fund flow as a graph you can annotate and export as SAR evidence. The path that took an analyst a day in a block explorer is a query, and the output is already in the shape the FIU narrative and the goAML attachment need. Combined with the monitoring that generates the trigger (part 3) and the screening that often is the trigger (part 2), the trigger-to-filing path becomes one continuous workflow instead of three disconnected scrambles.
Trigger-to-SAR Checklist
- Trigger logged with timestamp and confirmer the moment suspicion is formed — the clock and the refrain duty start together
- On-chain investigation establishes source, destination, counterparty attribution, cluster, and quantified figures
- Tracing is pre-built infrastructure, not a per-case forensic project — the only way 48h is realistic
- MLRO decision recorded with rationale; parallel sanctions/freeze obligations identified
- SAR filed in the FIU's structured format (often goAML): structured data + narrative + on-chain evidence graph
- Refrain-from-transaction, tipping-off, and asset-freeze duties handled independently and documented
- Full case file retained per AMLR Art. 77, tying the filing back to the trigger
This closes the "Tools for Compliance" series — six obligations, six workflows, from the Travel Rule to the SAR. Each piece maps one rule to the tool that satisfies it; together they are the operational spine of a crypto compliance programme.