You Suspect Fraud. You Can’t Prove It. Now What?

Every BSA officer has the file. The activity looks wrong. The story doesn't hold together. Everyone in the room agrees something is off, and nobody can point to a piece of objective evidence that proves it. Meanwhile the account stays open, the exposure grows, and the question sits on the desk: file the SAR? Close the account? On what basis?

The paralysis usually comes from applying the wrong standard. So start there.

The standards are lower than the instinct says

A Suspicious Activity Report requires suspicion, documented and reasonable, not proof. The filing threshold is knowing, suspecting, or having reason to suspect. Certainty is not in the regulation, and examiners fault banks far more often for late or absent SARs than for filed ones that didn't pan out.

Account closure runs on a lower standard still. A bank generally doesn't need to prove fraud to end a relationship; it needs documented, reasonable judgment that the risk exceeds its appetite, applied consistently with its own policies. The file has to show the judgment was grounded, not that a prosecutor could win with it.

The SAR standard is documented suspicion, not proof. The closure standard is reasonable judgment, not a conviction.

What both standards demand is the same thing the frustrated room is missing: objective material in the file. That's the real problem to solve, and it splits into what you can build now and what you should have captured at the start.

Building the evidence file now

For the account already under suspicion, the work is converting narrative into specifics:

Behavioral documentation. Not "activity seems inconsistent with the customer's profile" but the specific transactions: dates, amounts, counterparties, and the pattern they form. Vague narrative reads as opinion; enumerated transactions read as evidence.

Divergence from the onboarding profile. Whatever the customer told you at account opening, expected activity, occupation, source of funds, is a baseline. Documented divergence from it is among the most defensible observations a file can contain, because the customer supplied the baseline themselves.

The written request for explanation. Ask the customer, in writing, to explain the activity. A credible answer resolves the case. An implausible one, or silence, is itself file material, and either way the bank has demonstrated the reasonable diligence the standard asks for.

Identity re-verification. Run the identity and account checks available today: does the SSN hold up against issuance records, is the funding account still theirs, does anything about the identity picture corroborate or contradict? A clean result narrows the theory; a flag can be the objective anchor the file was missing.

The structural fix happens at onboarding

Here's the uncomfortable pattern behind most of these files: the evidence gap was created at account opening, when the bank accepted typed-in answers and filed documents instead of capturing verified data.

The evidence file you need at month eighteen is mostly built in the first five minutes of the relationship, or it isn't.

A verification-first onboarding produces, automatically, the objective baseline the suspicious-activity file later depends on: identity validated against authoritative sources with the results timestamped, fraud and synthetic-identity risk scores at opening, a verified funding account with its age and standing recorded, and stated income or occupation backed by source data instead of a form field. When activity later diverges, the file already contains what it diverges from, in evidence grade rather than anecdote.

That transforms the month-eighteen conversation. Instead of "we suspect but can't prove," it becomes: identity risk signals at opening were X, the customer's verified profile said Y, the observed activity is Z, the divergence is documented transaction by transaction, and the written explanation was requested on this date. Whether that file supports a SAR, a closure, or a clean bill, it supports something, which is exactly what the stuck file never does.

The suspicion you can't prove today is, more often than not, the verification you didn't run then. Banks fix the second one and discover the first mostly stops happening.