How to Write an iGaming Suspicious Activity Report (SAR) With 3 Complete Example Narratives

A good SAR narrative reads like a security camera clip you can’t see, but can still understand. It’s clear, time-stamped, and sticks to what happened, not what you think happened.

If you run an iGaming brand (or you’re building one), the iGaming suspicious activity report is one of the fastest ways to prove you take risk seriously. It’s also one of the easiest places to make mistakes that trigger follow-up questions from regulators, banks, and payment partners.

This guide shows a practical narrative structure, writing rules that keep you out of trouble, and three complete example narratives you can model.

What an iGaming SAR narrative must do (and what it must avoid)

A SAR narrative has one job: explain the suspicion using facts so an investigator can act without calling you back for basics.

Strong narratives share the same “spine”:

• A tight timeline (who did what, when, using what instruments).
• Why the activity doesn’t fit the customer profile or normal play.
• What checks you ran, what you found, and what you did next.

What to avoid:

• Legal conclusions (don’t label anyone “guilty”).
• Vague language (“many deposits,” “large amount,” “seems odd”).
• Missing identifiers (no payment instrument references, no device/IP notes, no timestamps).

For general narrative standards (useful even outside iGaming), these references are worth a skim: SAR narrative writing best practices and key components of a well-prepared SAR.

Before you write, lock down the facts (so the story is provable)

Think of your narrative like a receipt trail. If an external reviewer can’t reproduce your logic from your records, the SAR gets weak fast.

Pull these inputs into a simple case summary first:

• Customer profile: registration date, jurisdiction, KYC status, age verification status, PEP/sanctions screening results (as applicable), risk score, responsible gambling markers.
• Payment trail: deposit/withdrawal timestamps, amounts, currency, payment method type, masked instrument identifiers, chargeback or reversal activity.
• Gameplay behavior: bet volume, game types, wagering vs deposits, time-to-withdraw, unusual win/loss patterns tied to withdrawals.
• Link signals: shared device IDs, IP overlap, shared payment instruments, shared payout destinations, account clustering.
• Actions taken: enhanced due diligence steps, KYC requests, limits applied, account restrictions, bankroll holds, SAR decision notes.

If you’re still building your alert logic, this internal guide helps you map patterns to triggers: Simple transaction monitoring rules for iGaming operators. For founders, it also ties nicely into cash control basics, similar to what you’d do in treasury management for businesses, just with higher fraud pressure.

A narrative structure you can reuse for every iGaming SAR

Use this structure as a fill-in framework (it keeps you factual and complete):

1) Who: customer ID, account name (if allowed), jurisdiction, KYC status, account age.
2) What: the suspicious pattern (example: rapid deposit-to-withdraw with minimal play).
3) When/Where: clear timestamps, product vertical (casino/sportsbook), device/IP notes.
4) How: payment methods, instruments, destination, and any linked accounts.
5) Why suspicious: mismatch to profile, no economic purpose, signs of structuring, collusion, or third-party funding.
6) Action taken: blocks, holds, EDD, requests for documents, account review outcome.

If you can’t explain the “why” in two or three sentences, the narrative usually needs more facts, not more adjectives.

Writing rules that keep your SAR clear and defensible

Rules that work in practice:

• Lead with the pattern, then back it with the timeline.
• Use exact numbers (amounts, counts, time gaps). Replace “several” with “7.”
• Name the signals (shared device, same payout wallet, repeated failed deposits).
• Explain the review (what you checked and what the result was).
• Keep it third-person (“The customer deposited…”, not “I saw…”).

For broader guidance on SAR fields and expectations across regions, keep this bookmarked: Suspicious Activity Reports (SARs): a guide for compliance teams.

3 complete iGaming suspicious activity report example narratives (ready to model)

Example Narrative 1: Rapid deposit-to-withdraw with minimal wagering

Narrative: Customer ID 104882 (registered 2025-11-14, KYC verified 2025-11-15, jurisdiction: CA) deposited $4,950 via card ending 1842 between 2025-12-02 18:11 and 18:27 UTC (5 deposits, $990 each). Customer placed 6 casino bets totaling $73.50 between 18:29 and 18:33 UTC, then requested a withdrawal of $4,840 at 18:41 UTC to a different payout method (e-wallet ID ending 7721) not previously used on the account. Device ID D-88F1 and IP 73.214.x.x were first seen on this account on 2025-12-02. Customer did not provide source-of-funds information after an EDD request sent at 19:05 UTC. Account was restricted and withdrawal placed on hold pending review. Activity is suspicious due to high-velocity deposits, minimal wagering, and attempted rapid value exit to a new instrument.

Example Narrative 2: Multi-account bonus abuse with shared device and payment instrument

Narrative: Between 2025-12-06 09:10 and 12:45 UTC, four new accounts (Customer IDs 211903, 211944, 212008, 212061) registered from the same IP range 185.61.x.x and the same device ID D-3C72. Each account completed email verification but did not complete full KYC. All four redeemed the same welcome bonus and funded with a card ending 0097 (tokenized reference TKN-44A9) or cards that failed multiple times (11 failed attempts across the group). Within 30 minutes of funding, each account placed low-risk bets with near-identical stake sizes ($48 to $52) and then attempted to withdraw bonus-related balances to two e-wallets ending 3310 and 3310 (same destination). Accounts were frozen at 13:02 UTC and bonuses were removed per terms pending investigation. Activity is suspicious due to coordinated account creation, shared device/payment signals, and structured use of promotions to extract value.

Example Narrative 3: Possible chip dumping or collusion using linked accounts and unusual gameplay

Narrative: Customer ID 889210 (registered 2025-10-03, KYC verified 2025-10-04, jurisdiction: NJ) deposited $2,000 on 2025-12-09 21:06 UTC via e-wallet ending 5402. Within 18 minutes, customer joined three peer-to-peer poker tables repeatedly with Customer IDs 889877 and 890041. Across 12 hands (21:24 to 21:41 UTC), Customer ID 889210 made outsized calls and folds inconsistent with prior play history, resulting in net losses of $1,620 to Customer ID 889877. Both accounts shared device ID D-19B0 on prior logins and used the same IP 98.33.x.x on 2025-11-28. Customer ID 889877 attempted to withdraw $1,500 at 22:05 UTC to a newly added payout wallet ending 9918. Tables were reviewed, and both accounts were restricted at 22:20 UTC pending enhanced review. Activity is suspicious due to linked access signals, concentrated transfers through gameplay, and rapid withdrawal behavior.

Quality check before submission (fast, but strict)

Before filing, do a two-minute read-through using this checklist:

• Timeline is complete (first event to final action, with timestamps).
• Amounts tie out to your case file and transaction records.
• Identifiers exist (customer ID, instruments, devices, wallets, tables, ticket IDs).
• Rationale is stated in plain language, based on observed facts.
• Action taken is documented, including holds, restrictions, and EDD outreach.

Conclusion

A strong iGaming suspicious activity report doesn’t need fancy writing. It needs a clean timeline, specific data, and a calm explanation of why the activity doesn’t make sense for the customer or the product.

Use the structure above, model one of the example narratives, and make your next SAR easier to review, defend, and audit.