Picture the moment: a transaction analyst, somewhere in a mid-sized bank's back office, is staring at a wire transfer that doesn't add up. A shell company registered in a jurisdiction famous for its discretion has sent $340,000 to a correspondent account, routed through a larger American bank, bound for a real-estate holding firm that opened its account six weeks ago. The analyst flags it internally. What happens next has almost nothing to do with the law and almost everything to do with who that analyst reports to.

That is the quiet truth about Suspicious Activity Reports, or SARs. The legal obligation to file one sits in statute. The actual decision to file, or not to file, lives in an org chart.

The Tier Nobody Talks About

Correspondent banking works by layering. A smaller regional bank, call it the respondent, lacks the infrastructure to settle transactions in foreign currencies or to reach payment networks directly, so it buys access through a larger institution, the correspondent, which holds a nostro account on the respondent's behalf and processes payments through its own pipes. The correspondent bank is, in effect, vouching for its client's clients: the people whose money moves through the respondent's books.

This creates a compliance problem that is genuinely hard. The correspondent bank's anti-money-laundering team sits at one remove from the underlying customer. They see aggregate flows, not individual faces. A compliance officer at a global correspondent might be reviewing activity across hundreds of respondent relationships simultaneously, each one representing thousands of end customers. The volume is not metaphorically large. It is structurally overwhelming.

So the correspondent bank builds a hierarchy. At the base are transaction monitoring analysts, usually junior, working off automated alerts generated by rules-based systems or, increasingly, machine-learning models. Above them sit senior analysts or investigators who review escalated cases. Above them are the compliance officers with SAR-filing authority. And above them, in most large institutions, is a Chief Compliance Officer whose sign-off is required on any filing that carries significant relationship or reputational risk.

Each layer in that chain is a gate. Gates cut both ways.

How a Filing Actually Gets Made (or Doesn't)

Consider a scenario that is, by now, almost routine. A correspondent bank's monitoring system flags an unusual pattern: a respondent bank in Central America has processed twelve wire transfers in thirty days, each just under $10,000, all from the same beneficial owner, all going to the same counterparty in Southeast Asia. The structuring pattern is textbook. An analyst opens a case.

At a bank where the compliance team reports directly to the General Counsel's office, with a clear escalation path and no revenue accountability, that analyst's job is straightforward: document, escalate, recommend filing. The General Counsel's office has no P&L to protect.

At a different institution, one where the compliance function sits inside the business line that manages correspondent relationships, the same analyst faces a different room. The senior investigator escalating that case may share a floor, and sometimes a budget conversation, with the relationship manager whose bonus depends partly on retaining the Central American respondent. No one needs to say anything explicit. The institutional gravity is already pulling.

This is not speculation. The U.S. Senate's Permanent Subcommittee on Investigations documented exactly this dynamic in its examination of HSBC's correspondent banking failures, still the most detailed public anatomy of how compliance hierarchy shapes outcomes. Relationship managers in that case had the ability to override compliance risk ratings on respondent banks. The compliance team's formal authority was real; its practical authority was eroded by where it sat in the org chart. History has a way of rhyming with the present tense.

The Threshold Problem

Even in a well-structured compliance hierarchy, the SAR decision is not binary. It is calibrated, and the calibration is set by people who have institutional interests.

Most large correspondent banks operate with internal de facto thresholds below which cases are closed rather than filed, even when the underlying suspicion is genuine. A SAR, once filed, is a permanent record. It can surface in regulatory examinations. It can, in theory, alert the subject through inadvertent disclosure. Filing too many SARs on marginal cases is sometimes characterized internally as "alert fatigue" for regulators. Not filing enough is a federal crime. The space between those two failure modes is where compliance hierarchies do their real work, quietly, and largely out of sight.

Think about what happens when a bank sets its "reasonable suspicion" bar at the investigator level versus the senior compliance officer level. If an investigator can recommend a filing and have it proceed with minimal review, the filing rate for borderline cases will be higher. If every borderline case requires sign-off from a Chief Compliance Officer who is also managing a relationship with a respondent generating $2 million in annual fee revenue, the filing rate for those same cases will be lower. The legal standard hasn't changed. The organizational friction has, and that friction is not accidental; it is, in many institutions, the point.

Ask yourself: do you think regulators are unaware of this? They are not. The Financial Crimes Enforcement Network's examination guidance explicitly asks about the compliance function's independence from business lines. The Federal Reserve's enhanced prudential standards for large banks require that compliance risk management be organizationally separate from revenue-generating functions. The rules exist precisely because the incentive problem is well understood. That they exist and are still routinely tested says something about the distance between a written standard and a lived one.

What People Get Wrong About the SAR System

The common assumption is that SAR filing is essentially automatic once suspicious activity is detected: the algorithm flags it, the human reviews it, the report goes out. That model treats compliance as a pipe. It is, in fact, a bureaucracy, with all the distortions bureaucracies produce.

A SAR requires a human judgment call at every stage, and human judgment is shaped by institutional context. The analyst who works for a team that files aggressively and gets praised for it will develop different instincts than the analyst whose previous filings were quietly discouraged as "premature." Neither analyst is corrupt. Both are rational. Institutions do not need to instruct people to shade their judgment; they need only reward some outcomes more than others, consistently, over time, and the shading happens on its own, like water finding the low ground.

The second common misunderstanding is that compliance independence is a binary condition: either the compliance team reports to the right executive and is independent, or it reports to a business line and is compromised. In practice, the independence question is granular. A compliance team can report to the right executive and still lack budget autonomy. It can have formal authority and lack the investigative staff to exercise it. A correspondent bank with a compliance-to-relationship-manager ratio of one to forty is structurally different from one with a ratio of one to ten, regardless of where the org chart lines run.

A third misconception: that the problem is concentrated in rogue institutions. Some of the most significant SAR-filing gaps have occurred at banks with sophisticated compliance programs on paper, because sophistication on paper is exactly what a poorly structured hierarchy produces. The org chart is written by people who understand that regulators will read it. The gap between the document and the culture is precisely where the risk lives.

The transaction analyst flagging that wire transfer will eventually make a call. Whether it becomes a SAR filed with FinCEN, a case closed with a note, or a pattern quietly absorbed into the background noise of a busy quarter depends less on the law than on what institution that analyst works inside, who they answer to, and what they have learned, through a hundred small signals, that their institution actually rewards. The compliance hierarchy is invisible until it fails. When it fails, the money has already moved, and the org chart, on paper, will have looked entirely reasonable.