The 30-day SAR filing requirement sits in 31 CFR 1020.320(b)(3) — a rule most compliance officers can recite from memory. What they're less certain about is when that clock actually starts. We've reviewed enough look-back analysis requests during BSA examinations to know the ambiguity is real, it's expensive, and it isn't resolved by simply reading the statute a second time.
The Statutory Clock vs. the Detection Clock
Under the Bank Secrecy Act, a financial institution has 30 calendar days after the date of initial detection to file a SAR. That phrase — initial detection — is where most digital banks develop compliance exposure they don't notice until an examiner surfaces it.
FinCEN guidance clarifies that the 30-day window begins when a financial institution knows, or should know, that a transaction requires further review. It does not begin at the moment you decide to file. That distinction matters enormously in practice. If an automated alert fires on October 3rd and your analyst marks it "pending review" until October 25th before escalating, the clock likely began on October 3rd — not October 25th.
We're not saying a pending-review queue is itself a violation. The issue is when that queue has no documented SLA and alerts sit for two to three weeks before a human touches them. That gap is what examiners call a program deficiency, and in repeat examinations it becomes grounds for a Matter Requiring Attention (MRA).
The 60-Day Extension: Useful Tool, Frequent Misuse
There is a separate 60-day provision for cases where, on initial detection, you cannot identify a subject. FinCEN allows the filing window to extend to 60 days in that circumstance. What institutions sometimes do is treat this as a default window rather than a contingency. That is a misreading.
The 60-day extension applies to cases where subject identification is genuinely not possible at initial detection — not to cases where the analyst was busy, or where the case was deprioritized because the dollar amount was modest. If your case management system defaults every alert to the 60-day track as a matter of convenience, you are creating exactly the documentation pattern an examiner will flag.
In practice, neobanks operating at high transaction velocity will have a meaningful percentage of alerts where the subject is identifiable immediately. Those go on the 30-day clock. The 60-day track should be a deliberate, documented decision made at the time of initial detection — not a fallback applied uniformly to the backlog.
Where Manual Workflows Collapse
Consider a neobank processing roughly 2 million transactions per month. Their rule engine fires approximately 800 alerts in a given month. A two-person compliance team with no automated case management is triaging alerts in a shared spreadsheet. This is not hypothetical — we've seen it.
What happens in that setup: alert dates are not always recorded accurately. Escalation events — the moment a human recognizes suspicious activity requiring SAR evaluation — are conflated with the initial alert date or the final filing date, rather than recorded as the distinct events they are. When an examiner requests a case-by-case timeline during a look-back, the team cannot reconstruct the initial detection date with confidence. That's an examination finding waiting to happen.
The FFIEC BSA/AML Examination Manual is explicit that institutions must maintain records documenting the date suspicious activity was initially detected, the date a SAR decision was made, and the date of filing. These are three separate timestamps, and the burden of reconstruction falls entirely on the institution.
Continuing Activity SARs and the 90-Day Trap
A SAR filed on an initial suspicious pattern does not close the compliance obligation. If the suspicious activity continues, FinCEN's guidance calls for a continuing activity SAR filed within 90 days of the prior filing. Digital banks often handle initial filings adequately but lose track of the continuing-activity obligation.
The scenario plays out like this: an analyst files a SAR in March for structuring behavior on a particular account. No one flags the account for rescreening. The account continues transacting in a similar pattern. In June, the account should have triggered a continuing-activity filing. By the time an examiner asks, 120 days have elapsed since the original filing with no subsequent SAR — and the transaction record shows activity consistent with the original pattern the entire time.
This is a preventable gap. The fix is straightforward at the process level: every filed SAR should create a follow-on surveillance window in your monitoring system, with a soft trigger at 75 days to allow review time before the 90-day hard deadline.
What Examiners Actually Look At During Look-Back
When FinCEN or a prudential regulator orders a look-back analysis, the mechanics are less about whether you filed SARs and more about whether the program operated with adequate controls. Examiners will pull a sample of alerts that were closed without a SAR and work backward to determine whether the initial detection date was recorded, whether the escalation pathway was documented, and whether the disposition rationale is defensible.
Institutions that have clean documentation — even if they filed a SAR that was technically a day or two late — tend to fare significantly better than institutions where the underlying records are incomplete or contradictory. A 32-day filing with a documented, coherent case trail is a much smaller problem than a 28-day filing where the case notes suggest the alert was known about for 45 days.
The 30-day window is as much a documentation discipline as it is a calendar obligation. Examiners know the clock starts at detection. Your records need to show the same understanding.
Building a Clock-Aware Program
The practical requirements aren't complicated, but they do require deliberate design. Every alert needs an immutable creation timestamp that represents the detection event — not the analyst assignment date. Every case needs a documented status history showing when it moved from alert to active investigation. Every SAR decision — file or no-file — needs a rationale tied to the alert date, not retrospectively constructed.
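A minimal sketch of such a case record, added here as an illustration and not taken from any particular case management product. It ties the filing deadline to the detection date and applies the 75-day soft trigger and 90-day deadline described earlier for continuing activity. The class, field names, event kinds and dates are assumptions constructed for the example; only the day counts come from the text above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Day counts are the ones stated in the article; everything else is assumed.
FILE_DAYS, NO_SUBJECT_DAYS = 30, 60
CONTINUING_DAYS, SOFT_TRIGGER_DAYS = 90, 75


@dataclass
class Case:
    detected_on: date                 # alert creation date, never the assignment date
    subject_known: bool               # decided and recorded at initial detection
    no_subject_rationale: str = ""    # required to use the 60-day track
    events: list = field(default_factory=list)  # (kind, date, note), added via record()

    def __post_init__(self):
        if not self.subject_known and not self.no_subject_rationale.strip():
            raise ValueError("60-day track needs a rationale recorded at detection")
        self.events.append(("detected", self.detected_on, self.no_subject_rationale))

    def record(self, kind: str, on: date, note: str = "") -> None:
        if kind == "detected":
            raise ValueError("the detection timestamp cannot be rewritten")
        if on < self.events[-1][1]:
            raise ValueError("events must be appended in chronological order")
        self.events.append((kind, on, note))

    def when(self, kind: str):
        # Date of the first event of this kind, or None if it was never recorded.
        return next((on for k, on, _ in self.events if k == kind), None)

    def filing_deadline(self) -> date:
        days = FILE_DAYS if self.subject_known else NO_SUBJECT_DAYS
        return self.detected_on + timedelta(days=days)

    def findings(self, today: date) -> list:
        out, filed, due = [], self.when("filed"), self.filing_deadline()
        if filed is None and today > due:
            out.append(f"unfiled past deadline {due}")
        if filed is not None:
            if filed > due:
                out.append(f"filed {(filed - due).days} day(s) after deadline {due}")
            if self.when("decision") is None:
                out.append("no SAR decision timestamp recorded")
            since = (today - max(on for k, on, _ in self.events if k == "filed")).days
            if since >= CONTINUING_DAYS:
                out.append("continuing-activity review overdue")
            elif since >= SOFT_TRIGGER_DAYS:
                out.append("continuing-activity review due")
        return out
```

For an alert detected on October 3rd and escalated on October 25th, `filing_deadline()` returns November 2nd, because the escalation event is recorded separately and never moves the clock.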
Neobanks using legacy case management tools borrowed from generic ticketing systems often lack these capabilities out of the box. A Jira board, however well-organized, does not produce the BSA-compliant audit trail an examiner expects. The same issue applies to shared document folders or even dedicated compliance platforms that weren't purpose-built for BSA/AML case management.
The 30-day window is manageable. We've seen digital banks operate it cleanly with 5-person compliance teams. The prerequisite is that the process design — alert timestamping, case escalation, disposition documentation, continuing-activity tracking — was thought through before the first examiner visit rather than reconstructed during it.