Why investigations are the spine of your AML story
Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) are filing outcomes. Examiners spend more time on the path that led there: alert generation, analyst triage, investigator notes, legal review, and management decisioning. Under DFAL-shaped supervision, that path must make sense for virtual asset activity—wallet clustering, travel patterns, and partner notifications—not only for traditional wire rooms.
California’s framework sits atop federal BSA obligations while giving DFPI visibility into how you protect consumers and mitigate illicit finance in products Californians actually use. A workflow that works for fiat-only MSBs but breaks when withdrawals settle on-chain will fail reviews even if your SAR count looks healthy.
This guide is educational, not legal advice. Confirm filing thresholds, timelines, and form requirements with counsel and FinCEN publications, and align consumer-facing processes with DFPI materials at https://dfpi.ca.gov/regulated-industries/digital-financial-assets/.
Stage zero: alert quality and routing rules
Investigations begin with alerts worth human time. Tune rules using typologies you see in California corridors: romance scam funding, pig-butchering cash-outs, account takeover bursts, and elder abuse patterns surfaced by support—not only blockchain heuristics.
Define routing by severity and skill. Tier-one analysts disposition low-risk noise with mandatory rationale fields; tier-two investigators handle multi-hop chain tracing and counterparty outreach. If every alert lands in one queue, aging becomes your enemy and true positives drown.
Document tuning changes. When you loosen a rule to reduce false positives, capture the business justification and the metric you will watch for thirty days. Examiners ask about tradeoffs; memory is not evidence.
Investigation case management: one record, many eyes
A case file should tell a story without Slack archaeology: customer profile snapshot, alert history, blockchain analytics outputs, support tickets, device signals, and counterparty notes. Use consistent case IDs that survive handoffs between shifts and vendors.
Set SLAs by risk tier: scam-in-progress cases may need freeze authority within minutes; complex structuring reviews may need days—but never indefinite limbo. Escalate aging automatically to the BSA officer when SLAs breach.
Separate “facts collected” from “conclusions.” Investigators who blend narrative and opinion without labeling sources create rework during legal review and weaken SAR quality.
SAR decisioning: timeliness, continuity, and 314(b) discipline
SAR filing decisions need clear criteria: what combinations of red flags trigger referral, who approves filing, and how you handle continuing activity after a SAR is filed. FinCEN’s timelines are unforgiving; your internal clocks should be tighter.
Train staff on confidentiality rules. Reputation damage from SAR leaks is severe; access controls and need-to-know policies should be testable. If engineering can query “SAR flag” fields in production databases without logging, fix that before an exam.
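One way to make the SAR-field access check above testable, as an added example that is not from the original guide: it scans a constructed query log for reads that touch SAR fields and flags any that left no audit record or came from a role outside need-to-know. The column, table, and role names are hypothetical, and token matching is a heuristic rather than a SQL parser.

```python
import re

# Hypothetical schema and roles; the guide does not specify any.
SAR_COLUMNS = {"sar_flag", "sar_filed_at"}
SAR_TABLES = {"cases"}
NEED_TO_KNOW = {"bsa_officer", "aml_investigator"}

# Constructed database query log: (query_id, principal, role, sql)
QUERY_LOG = [
    ("q1", "dana", "aml_investigator",
     "SELECT case_id, sar_flag FROM cases WHERE case_id = 'CASE-0007'"),
    ("q2", "eli", "engineer", "SELECT customer_id FROM cases WHERE sar_flag = 1"),
    ("q3", "eli", "engineer", "SELECT count(*) FROM transactions"),
    ("q4", "sam", "bsa_officer", "SELECT * FROM cases"),
]
# Constructed audit trail: ids of queries that produced an access-audit record
AUDITED = {"q1"}

TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def touches_sar(sql):
    """True if the statement names a SAR column, or wildcards a SAR table."""
    tokens = {t.lower() for t in TOKEN.findall(sql)}
    if tokens & SAR_COLUMNS:
        return True
    # SELECT * hides the column name, so treat any wildcard on a SAR table
    # as a read (conservative: count(*) on that table is flagged too).
    return "*" in sql and bool(tokens & SAR_TABLES)

def review(query_log, audited):
    """Return (query_id, principal, reasons) for each problematic SAR read."""
    findings = []
    for qid, principal, role, sql in query_log:
        if not touches_sar(sql):
            continue
        reasons = []
        if qid not in audited:
            reasons.append("no_audit_record")
        if role not in NEED_TO_KNOW:
            reasons.append("outside_need_to_know")
        if reasons:
            findings.append((qid, principal, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(QUERY_LOG, AUDITED):
        print(finding)
```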
Where appropriate, use 314(b) information sharing with peer institutions—but document what was shared, when, and how it influenced the narrative. Ad hoc phone calls without case notes do not survive scrutiny.
CTR mechanics in a VA-native operating model
CTR obligations still apply where your activity meets federal definitions, but VA businesses often struggle with aggregation across rails—fiat deposits, crypto buys, and peer transfers that look fragmented in separate systems. Map aggregation logic explicitly in procedures and test it with sample customers who use multiple products.
Exceptions and backfills hurt credibility. Run periodic reconciliation between transaction ledgers and CTR filing logs. If you discover missed filings during testing, file remedially with counsel guidance and show corrective controls—not quiet fixes.
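The aggregation and reconciliation steps described above, sketched as an added example that is not from the original guide: it sums activity per customer and business day across rails, then compares the result with the CTR filing log. The rail names, record layout, and sample data are constructed, and the threshold and the set of rails that count are assumptions to confirm with counsel.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Assumption: threshold parameter; confirm the value with counsel and FinCEN.
THRESHOLD = Decimal("10000")
D1, D2 = date(2024, 3, 4), date(2024, 3, 5)

# Constructed ledgers, one per system ("rail"); which rails count is an assumption.
LEDGERS = {
    "fiat_deposit": [("C-101", D1, "in", Decimal("6000"))],
    "kiosk_cash": [("C-101", D1, "in", Decimal("4500")),
                   ("C-202", D1, "in", Decimal("12000")),
                   ("C-303", D1, "in", Decimal("9000"))],
    "crypto_buy": [("C-303", D2, "in", Decimal("3000"))],
}
# Constructed CTR filing log: (customer, business day, direction)
CTR_LOG = {("C-202", D1, "in"), ("C-404", D1, "in")}

def aggregate(ledgers):
    """Per-rail totals keyed by (customer, business day, direction)."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    for rail, rows in ledgers.items():
        for customer, day, direction, amount in rows:
            totals[(customer, day, direction)][rail] += amount
    return totals

def reconcile(ledgers, ctr_log, threshold=THRESHOLD):
    totals = aggregate(ledgers)
    missed, fragmented = [], []
    for key, per_rail in sorted(totals.items()):
        combined = sum(per_rail.values(), Decimal("0"))
        if combined <= threshold:
            continue
        if key not in ctr_log:
            missed.append((key, combined))      # reportable, no filing found
        if max(per_rail.values()) <= threshold:
            fragmented.append(key)              # only visible once rails are combined
    # Filings the ledgers cannot support (wrong day, wrong customer, bad export)
    unsupported = sorted(
        k for k in ctr_log
        if k not in totals or sum(totals[k].values(), Decimal("0")) <= threshold)
    return {"missed": missed, "fragmented": fragmented, "unsupported": unsupported}

if __name__ == "__main__":
    print(reconcile(LEDGERS, CTR_LOG))
```

A customer listed under `fragmented` is the case a per-system report never surfaces: no single rail crossed the threshold on its own.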
Train front office staff on CTR-adjacent scenarios: customers structuring below thresholds, split tickets across support channels, and kiosk cash paths that bypass online monitoring.
California consumer protection intersections
DFPI supervision connects AML outcomes to consumer harm. Investigations tied to scams should link to refund policies, hold procedures, and complaint records. If you froze funds but never documented why support told the customer “pending review,” you created UDAAP and AML risk simultaneously.
Coordinate with legal on communications. Customers under investigation should receive accurate, non-misleading statuses without tipping off sophisticated criminals in ways that compromise cases—templates help.
Track elder financial abuse escalations as a distinct metric. Public AML orientation emphasizes vulnerable customer protection; show how investigations feed product blocks and education campaigns.
Quality assurance and lookbacks
Sample closed cases monthly for narrative quality, timeliness, and supporting artifacts. Score them with a simple rubric investigators understand. Publish trends to the AML committee with remediation owners.
Run thematic lookbacks after major incidents: exchange hack fallout, new chain support, or partner bank exit. Ask whether rules would have fired; if not, adjust typologies and document why.
Preserve records for the full retention period. Vault naming should make retrieval during DFPI requests fast—date, case ID, disposition, filing reference.
Recordkeeping and examiner samples
Retain investigation records, SAR filings, and CTR submissions for the full statutory period, with indices that support rapid retrieval. When DFPI requests a sample, you should be able to produce complete case files—not partial exports with missing blockchain attachments.
Redact thoughtfully for internal QA but preserve full copies for regulatory production under counsel direction. Inconsistent redaction practices have caused teams to lose chain-of-custody narratives during lookbacks.
Align retention with your evidence vault taxonomy: case ID, customer internal identifier, disposition, filing reference, and date closed. Naming discipline saves days during stress.
Partner and kiosk paths that break linear workflows
If you operate kiosks or partner white-label flows, investigations often span multiple systems—device logs, partner settlement files, and online account records. Document how case managers stitch those sources and what SLAs apply when partners respond slowly.
Run a tabletop where a scam victim deposits cash at a kiosk and attempts an immediate on-chain withdrawal. If your workflow cannot freeze across rails within your stated policy, fix operations before marketing “instant” transfers.
Automation without losing investigator judgment
Automate repetitive steps—address clustering pulls, duplicate alert merges, and template narratives for common typologies—but require human sign-off before SAR filing and before permanent offboarding. Machines accelerate; humans remain accountable.
Log model-assisted summaries separately from investigator conclusions so legal review can see what was machine-generated versus verified.
When you deploy new automation, run parallel manual review for thirty days and compare disposition rates before cutting investigator headcount.
Operating software and the CompliFi waitlist
Teams outgrow spreadsheets when case volume, chain complexity, and licensing evidence requirements collide. You need SAR traceability that connects to policies, testing results, and management reporting without re-keying.
CompliFi sequences deep AML modules alongside vault discipline and calendars tuned to DFAL-shaped rhythms—so investigators, the BSA officer, and licensing leads reference the same case IDs and artifacts.
If your SAR/CTR workflow still lives in five tools and a shared drive, join the CompliFi waitlist for early access to workflows built for California virtual asset operators preparing for examinations—not just initial applications.