Blog
A (Maybe) Lesser-Known SAR Requirement: Reporting Demands to Produce SARs
Published: Jul 1, 2026
Most banks know that the Bank Secrecy Act requires them to file Suspicious Activity Reports and to keep those reports strictly confidential. No one at the bank can disclose anything that might reveal a SAR even exists. But there is another requirement that often flies under the radar: when a bank receives a discovery request or subpoena seeking SARs or SAR-related information, the bank also must report that request to the relevant federal agencies.
First, a little background. The Currency and Foreign Transactions Reporting Act was passed back in 1970, partly to tackle concerns about deposits involving currency of questionable origins.[1] Over the years, through various amendments and related statutes, it became known as the “Bank Secrecy Act” or the “Anti-Money Laundering law” (the “BSA”).[2] The BSA is codified at 12 U.S.C. §§ 1829b, 1951-1960, 31 U.S.C. §§ 5311-5314, 5316-5336. The Office of the Comptroller of the Currency (“OCC”) provides regulatory guidance in 12 C.F.R. §§ 21.11-.21[3], and the Financial Crimes Enforcement Network (“FinCEN”) provides separate regulatory guidance in 31 C.F.R. Chapter X[4].
The BSA aims to (1) ensure banks produce reports that are useful for criminal and regulatory investigations, as well as intelligence and counterintelligence work; (2) prevent money laundering and financial terrorism; (3) help track money tied to criminal activity or intended to fund criminal or terrorist operations; and (4) protect the U.S. financial system and national security.[5] Suspicious Activity Reports (“SARs”) help advance these goals. Banks must file SARs whenever they “detect a known or suspected violation of Federal law or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act.”[6]
Because the purpose of a SAR is to support investigations into criminal or terrorist activity and intelligence operations, and we would not want such operations to be compromised, it makes sense that SARs must remain confidential. Which is why, with only narrow exceptions, a bank and its directors, officers, employees, and agents are all prohibited from disclosing SARs or any information that would reveal one exists.[7] So, if someone subpoenas a bank for a SAR or even information that would reveal the existence of a SAR, the bank must refuse, citing 12 C.F.R. § 21.11 and 31 U.S.C. § 5318(g)(2)(A)(i) as the basis for the refusal.[8]
The rule against disclosing SARs is clear-cut. But not everyone knows about it, including government prosecutors, other government agents, and litigation attorneys.[9] So it is common for banks to get subpoenas or production requests asking for SARs or SAR-related information.[10] Sometimes the questions come orally or in writing, and sometimes they even come from the bank’s own lawyers.
This means that banks need to make sure the right people are prepared. In-house legal response teams, anyone testifying on the bank’s behalf, and anyone who might field a request for a SAR or SAR-related information should know how they must respond. While they may share underlying information that was used to prepare the SAR[11], they may not share the SAR itself or anything that would reveal its existence.
Just denying the request is not enough, however. Banks also must notify the applicable agency of such a request, as well as the bank’s response to the request. National banks must notify the OCC’s Director of the Litigation Division and FinCEN of the receipt of a request for SAR or SAR-related information, as well as their response to such request.[12] State Member Banks have a similar obligation, but they report to the Board of Governors of the Federal Reserve System.[13] Likewise, State non-Member Banks report to the appropriate FDIC regional office.[14]
Most people in the industry know SARs cannot be disclosed, but far fewer know about the obligation to report the request itself. The criteria for when to file a SAR, the filing deadlines, and other reporting mechanics have been fleshed out over the years through statutes,[15] regulations,[16] and agency guidance.[17] But, aside from identifying who to contact[18], the exact method for reporting a request seeking a SAR or SAR-related information has not been similarly clarified. While we await such clarity, reaching out to the agencies by phone, email, or other confidential reporting mechanisms should get the job done.[19]
The bottom line is that banks should never disclose anything that reveals whether a SAR exists. And when someone asks for that information, banks should decline to produce it and should report the request to the appropriate regulatory agency as quickly as possible. To ensure compliance and avoid exposure, banks should put internal training programs or standard operating procedures in place so that everyone knows how to handle these situations, and so no confidential information slips through the cracks.
FOOTNOTES
[1] 2A I.R.M. Abr. & Ann. § 4.26.5.2(1).
[2] Id.
[3] Bank Secrecy Act (BSA), Office of the Comptroller of the Currency (June 7, 2026), https://www.occ.gov/topics/supervision-and-examination/bsa/index-bsa.html.
[4] The Bank Secrecy Act, Financial Crimes Enforcement Network (June 7, 2026), https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act.
[5] 31 U.S.C. § 5311(1)-(4).
[6] 12 C.F.R. § 21.11(a).
[7] 12 C.F.R. § 21.11(k).
[8] 12 C.F.R. § 21.11(k)(1)(i).
[9] Paul R. Foster & Carrie L. Foster, Banking Law and Ethics Issues for the Commercial Law Practitioner, Part One, 69 CONFLQR 202, 210 (2015).
[10] Id.
[11] Id.
[12] 12 C.F.R. § 21.11(k)(1)(i).
[13] 12 C.F.R. § 208.62(j).
[14] 12 C.F.R. § 353.3(g).
[15] E.g., 31 U.S.C. § 5313.
[16] E.g., 12 C.F.R. §§ 21.11-.21 and 31 C.F.R. §§ 1010.100-1060.800.
[17] E.g., Guidance, Financial Crimes Enforcement Network (June 7, 2026), https://www.fincen.gov/resources/statutes-regulations/guidance.
[18] See, e.g., 12 C.F.R. § 21.11(k)(1)(i), 12 C.F.R. § 208.62(j), and 12 C.F.R. § 353.3(g).
[19] See, e.g., FinCEN, FIN-2012-A002, SAR Confidentiality Reminder for Internal and External Counsel of Financial Institutions (Mar. 2, 2012), at p. 2, https://www.fincen.gov/sites/default/files/advisory/FIN-2012-A002.pdf.