FinQub
Learn · Crypto

From Chainalysis alert to filed SAR: closing the multi-hour gap

A crypto SAR runs about three hours per case end to end, and most of that is not analysis. It is alt-tabbing between Chainalysis, KYC, and a case tool, compiling evidence out of six places. Here is where the hours go, and how one record per customer removes the assembly half of it.

Updated June 2026·8 min read

Where the hours go

The hard part of a crypto SAR is rarely the judgment. It is the assembly. Industry estimates put a single SAR at around three hours per case end to end, and the FinCEN form alone carries a roughly two-hour burden before any investigation. For crypto, the bulk of that time is mechanical: an alert fires in your blockchain-analytics tool, and the analyst opens the case system, the KYC console, the transaction-monitoring tool, and a spreadsheet, copying facts out of each into a narrative. A complex chain, with mixers, bridges, and cross-chain hops, runs longer.

This matters because the clock is on detection. For a registered MSB, the rule (31 CFR 1022.320) requires filing within 30 calendar days of initial detection. The 30-day extension to identify a subject that banks get under 31 CFR 1020.320 is not in the MSB rule, so an MSB works to a firm 30-day clock. Every hour spent reconstructing evidence by hand is an hour off that clock, and a queue of alerts means the assembly tax is paid over and over.

What an examiner expects in the file

A defensible crypto SAR is more than the narrative. The file behind it usually needs to show:

  • The subject and how they were identified.
  • The alert, and what specifically triggered it.
  • The wallet exposure that flagged, and from which analytics source.
  • The KYC result captured at onboarding, as it stood then.
  • The counterparty and transaction trail behind the flagged activity.
  • The disposition: what was decided, by whom, and on what basis.

None of that is exotic. The problem is that each piece is produced by a different vendor and lives in a different console, so the only way to put it in one place today is to copy it there by hand.

Why it is slow: the evidence lives in different consoles

Wallet exposure sits in Chainalysis, TRM, or Elliptic. Identity sits in your KYC vendor. The counterparty trail sits in the analytics tool again, or in your own ledger. The alert and the case sit in your case-management system. Each is a signal about the same customer, but none of them holds the others, so a SAR is assembled by stitching the consoles together every time.

It also means the answer is only as good as the analyst's memory of which tabs to open. The wallet a chain-analytics vendor flagged at the last minute, but your KYC vendor never saw, is exactly the kind of signal that goes unstitched.

One record per customer: every signal in one view

FinQub is the single source of truth for fintech risk decisions. It sits alongside your Chainalysis, TRM, KYC, screening, and case-management tools, and lands every signal each one produces on one record per customer. When an alert fires, the evidence is not scattered. It is already in one place.

One view, not six tabs. The transaction-monitoring rule that fired, the KYC result from onboarding, the wallet exposure score, and the counterparty trail are on one record, so your analyst works from a single unified view of the evidence instead of alt-tabbing across consoles. The SAR itself is still drafted and filed in your case tool. FinQub closes the assembly gap, not the filing.

The SAR decision lives on the record. The filing does not. A wallet-exposure score is a signal; a SAR is a decision. On the record that decision can be an outcome of FinQub's decision engine applying your rulebook to the whole record, or a disposition your case tool, like Hummingbird, reaches and writes back as a signal. Either way it is on the record, with who or what decided and the evidence it stood on. What FinQub does not do is draft the narrative or transmit the filing to FinCEN. That stays with your case tool and your analyst.

The file survives the exam. Because every signal, decision, and override is on the record with the policy version that applied, the look-back an examiner runs months later is a query and a signed exam packet, not a second round of console-stitching.

A checklist for tightening your SAR workflow

  • Measure the real number: how much of your time-per-SAR is judgment, and how much is evidence assembly?
  • List the consoles an analyst opens to draft one SAR. That count is your reconstruction tax.
  • Make sure the wallet-exposure signal lands on the same record as the KYC result and the counterparty trail, not in a separate tab.
  • Keep the disposition (what was decided, by whom, on what basis) with the evidence, not in a side document.
  • Confirm you can reproduce any past filing's evidence on one query against a 30-day clock, not a multi-week rebuild.

Frequently asked questions

How long do I have to file a crypto SAR?

For a registered MSB, the rule (31 CFR 1022.320) requires filing no later than 30 calendar days after initial detection of the facts that may form the basis for filing. Unlike the bank rule (31 CFR 1020.320), the MSB rule has no provision to extend to 60 days when no subject has been identified, so an MSB works to a firm 30-day clock. The clock runs on detection, not on when the evidence is finally assembled, which is why the assembly time matters. Confirm your own filing obligation against the rule that supervises you.

What evidence goes into a crypto SAR?

Typically the subject's identity, the alert and what triggered it, the wallet exposure that flagged, the KYC result captured at onboarding, the counterparty and transaction trail, and the disposition rationale with who decided. Today that lives across a blockchain-analytics tool, a KYC vendor, and a case system, so it gets compiled by hand.

Where does the SAR decision sit, and does FinQub file it?

FinQub does not draft the narrative or transmit the filing to FinCEN. That is your case tool and your analyst. But the SAR decision lives on the record. A SAR is a decision, and it can be an outcome of FinQub's decision engine applying your rulebook to the whole record, or a disposition your case tool, like Hummingbird, reaches and writes back to the record as a signal. FinQub holds the decision and the evidence; the case tool does the filing.

How does this work with Chainalysis and our case tool?

Chainalysis wallet exposure lands on the record as a signal, alongside KYC at onboarding, the counterparty trail, and your transaction-monitoring rule output. Your case tool reads from the record and writes the disposition back to it. You keep your own vendor accounts. FinQub never resells signals.

All of this runs on the vendors you already pay for. FinQub is the single source of truth for fintech risk decisions beneath your crypto stack. See how it sits beneath your case tool, or book a short walkthrough below.

Decide better in the moment. Defend every one of them after.

Every risk decision your team makes today is one someone will question later. The teams that answer instantly didn't work harder. They kept the record.