Updated June 2025

 Q &A on FIU/Revenue webinar 12 February 2025 on suspicious transaction reporting (STRs)

What is and who must make a Suspicious Transaction Report (STR)?  What are the dual reporting obligations?

Under  section 42 of the CJA 2010 (as amended ), a “designated person” who knows, or suspects, or has reasonable grounds to suspect that another person has been or is engaged in an offence of money laundering or terrorist financing, is obliged to report that knowledge or suspicion or those reasonable grounds. This is the statutory obligation to make a suspicious transaction report  or STR.

The obligation to make STRs is a dual one to both FIU Ireland and the Irish Revenue Commissioners. The Financial Intelligence Unit, (FIU Ireland) is a division of an Garda Síochána and is responsible for receiving (through goAML) and analysing, suspicious transaction reports and other information relevant to money laundering or terrorist financing.  

“designated persons” includes an auditor, external accountant or tax adviser and a trust or company service provider. The definition of tax adviser has been widened under the CJA 2021.

Further information on when to report is available within the CCAB-I Anti Money Laundering Guidance for members TR01/2019 (updated March 2022).

Who must and how do you register for goAML?

goAML is an online reporting mechanism and  is available to Financial Intelligence Units of Member States to support their work.  It is used by the FIU Unit of an Garda Síochána since June 2017 for “designated persons” to submit money laundering suspicion reports to the FIU Ireland. Previously accepted paper reporting is no longer possible.

Prior to being able to submit an STR for the first time to the FIU, the designated person must be registered for goAML. FIU Ireland has published guidance as to how to register which should be consulted. This includes the Reporting Entity registration guide and the go AML Quick reference reporting guide. There is also a useful FAQ document  available and  a document on how to revert and amend reports submitted, which have been rejected by FIU Ireland. Entities registered on goAML, will, in addition to receipt of acknowledgment of an STR, receive alerts and dissemination of  trends and typologies from the FIU and it is  recommended that the message board is checked regularly.

Additional Mandatory reporting of STRs to the Irish Revenue Commissioners

STRs must also be reported to the Irish Revenue Commissioners. Since September 2020, reporting to revenue must be online, see  Revenue reporting guidelines . The designated person must be registered for Revenue Online Service (ROS) to submit an STR to Revenue. ROS login details and a valid ROS digital certificate is required. More detailed information is available as to how to register and complete STR reporting to the Revenue Commissioners. The Revenue Commissioners also have a ‘Quick Guide to Submitting STRs Online’ available on the Revenue website.

Also, see the Report on the Accounts of the Public Services 2020 which is available from the Office of the Comptroller and Auditor General (OCAG). Chapter 13 deals with Suspicious Transaction Reports. In chapter 13 the OCAG writes “Suspicious transaction reports (STRs) are received by the Office of the Revenue Commissioners. STRs can assist in identifying tax evasion, tax fraud, and provide new ways to assess risk and to target tax audits.  Our report examines the processes in place in Revenue on receipt of an STR and Revenue’s effectiveness in managing the STR process”.

The Office of the Comptroller and Auditor General has also produced a short video which is available on their YouTube channel. In it  the OCAG says STRs are a useful source of information and provide new ways to assess risk and target tax audits. STRs are risk rated and matched to tax payers where possible.

Other guidance on registering for GoAML and with the Revenue

The FIU and Revenue have  jointly produced a guide to generating XML reports which readers may find useful.

Please click here to view a useful webinar on go AML and revenue reporting of suspicious transactions.

Click here for the aml compliance webpages of the Irish Dept. of Justice which has some useful information on suspicious transaction reporting.

What are the statistics for STRs?

See recently published figures on the FIU Ireland website for some interesting information on this.

In 2021, FIU Ireland  received a total of 38,712 STRs and 47,421 in 2022. While the quality of the content of STRs submitted since 2017 has improved following the acquisition of goAML, FIU Ireland  view the level of reporting from some sectors as low, especially the Designated Non-Financial Businesses and Professions. The 2019  National Risk Assessment - Money laundering and Terrorist Financing states (para 6.89) that  STR reporting is low relative to the scale of the accountancy services sector, the nature of the services provided, the scale of transactions involved and the diversity of the sector’s client base.

Recent statistics show that less than 1% of all STRs reported were raised by accountancy service providers. As of 31 January 2024 there were 4,120  reporting entities registered on goAML 543 of those are accountants and  54 auditors . FIU Ireland  would like to see enhanced levels of registration on goAML and members are encouraged to get set up and registered on the goAML and ROS systems. See above for guidance as to how you can do this.

UK Reporting Obligations-Suspicious Activity Reports (SARs)

In the UK, persons in the regulated sector with knowledge or suspicion of money laundering must, under part 7 of the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000, make a suspicious activity report (SAR).

A SARs reform programme was carried out by the National Crime Agency in the UK in 2023. There is now a new reporting channel for organisations to submit SARs, namely a new SAR Portal to replace SAR Online, providing a more streamlined, comprehensive, user-friendly means of submitting SARs. Read more on this in issue 24 of the UKFIU’s SARs in action magazine published in January 2024 and which is also focussed on SARs regime reporters.

All reporting organisations should now solely be using the SAR Portal to submit SARs. The SAR Online System is due to be decommissioned in early 2024.The UK National Crime Agency has provided detailed guidance on Suspicious Activity Reports on its webpages. It has issued the UK FIU Guidance note on good quality SARS (last updated in 2023) which should be consulted in connection with making a SAR and see frequently asked questions here on portal registration and account management.

From time to time the NCA updates its booklet on suspicious activity report glossary codes and reporting routes. The latest edition of that booklet is April 2023. Please click here to access the NCA 2024 Reporter Booklet and here to access an UKFIU Podcast on Anti- money laundering compliance in the Accountancy sector.

Please also refer to the CCAB UK Anti-Money Laundering and Counter-Terrorist and Counter Proliferation Financing Guidance for the Accountancy Sector 2023. Section 6 provides further detailed information in this area.

Suspicious activity/transaction reporting and data protection obligations

While the making of a suspicious activity/transaction  report is mandatory, those sharing information must also consider obligations under the data protection regime and must comply with their data protection obligations.

In Ireland and the UK, those obligations are  primarily found in the EU General Data Protection Regulation (“GDPR”), and the Data Protection Acts enacted in both jurisdictions in 2018.

At EU level the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. For designated persons, this lawful basis for processing data (for example by making an STR) is found in Article 6(1)(c) of GDPR, which provides that processing is lawful where it is necessary for compliance, with a legal obligation to which the controller is subject.

Part 5 of the Irish and Part 3 of the UK Data Protection Act 2018 make provision for  the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.

These pages are provided as resources and information only and nothing in these pages purports to provide professional or legal advice or definitive legal interpretation(s) or opinion(s) on the applicable legislation or legal or other matters referred to in the pages. If the reader is in doubt on any matter in this complex area further legal or other advice must be obtained. While every reasonable care has been taken by the Institute in the preparation of these pages, we do not guarantee the accuracy or veracity of any resource, guidance, information or opinion, or the appropriateness, suitability or applicability of any practice or procedure contained therein. The Institute is not responsible for any errors or omissions or for the results obtained from the use of the resources or information contained in these pages.