SAR Writing Tips: A 5W1H Playbook for Clear, Defensible Narratives

Great SARs read like tight police reports: short, factual, and easy to follow. Use the 5W1H framework (Who, What, When, Where, How, and Why) to turn messy activity into a narrative law enforcement can act on.

WHO

Keep identities straight and consistent the whole way.

• Primary subject(s): legal name, role relationship to your FI.

• If subject(s) is unknown, be sure to include a detailed physical description

• Associated parties: beneficiaries, payees, senders, money mules, caregivers, “romance partners,” businesses tied to the person.

• Victims: clearly label victims vs suspects (e.g., elder member is the victim; caregiver is suspected).

Tip: Pick one label per party and stick to it (e.g., “Member,” “Caregiver,” “Counterparty-1”).

WHAT

What exactly happened?

• Describe the activity itself (e.g., large cash deposits, structured withdrawals, fraudulent checks).

• State if the activity is ongoing or a one-time event.

WHEN

When did it happen?

• Provide dates and times.

• If there’s a pattern, explain the timeframe (daily, weekly, over several months).

WHERE

Where did the activity take place?

• Specify branch locations, online banking, ATM, or mobile deposit.

• If multiple locations were used, highlight that.

HOW

How was the suspicious activity conducted?Specify branch locations, online banking, ATM, or mobile deposit.

• Mention methods used (cash, wires, checks, P2P apps, etc.).

• If there were attempts to avoid detection (structuring, multiple accounts, different locations), make that clear.

WHY

Why Does The Filer Think The Activity Is Suspicious?

• Explain why the activity is unusual for the customer or why it raises red flags.

• Tie it back to risk indicators (e.g., no known source of income, use of third-party checks, activity inconsistent with profile).