
What is tipping off in AML?

Quick answer

Tipping off is disclosing to a customer or any third party that a suspicious activity report has been filed or that a money laundering investigation is underway. It is a criminal offense in most jurisdictions, prohibited in the UK under Section 333A of the Proceeds of Crime Act 2002.

The full answer

Tipping off is a criminal offense committed when someone discloses that a suspicious activity report (SAR) has been filed, or that a money laundering investigation is underway, in circumstances likely to prejudice that investigation.

The word "prejudice" is doing real work in that definition. Courts and regulators don't require proof that the investigation was actually harmed. The question is whether the disclosure could reasonably have altered the subject's behavior. That's a low bar, and it catches far more people than compliance teams expect.

UK law. Section 333A of the Proceeds of Crime Act 2002 is the primary offense. Maximum sentence: five years' imprisonment plus an unlimited fine. The offense applies to anyone in the "regulated sector," a category covering banks, payment firms, lawyers, accountants, and estate agents.

US law. 31 U.S.C. § 5318(g)(2) prohibits any financial institution or its officers, employees, and agents from notifying any person involved in a reported transaction that the transaction has been reported. Violations can result in criminal prosecution and civil penalties up to $1 million per violation under the Bank Secrecy Act.

EU law. Article 39 of Directive 2015/849/EU (the Fourth Anti-Money Laundering Directive) prohibits disclosure to the customer or third parties that a suspicious transaction report has been transmitted. The Sixth AMLD extended criminal liability to legal persons, not just individuals.

The prohibition is consistent across all three regimes: don't tell the subject, and don't tell anyone who might tell the subject.

What actually counts as tipping off

The test is not whether you said the words "a SAR has been filed." Courts look at the totality of what was communicated. A relationship manager who tells a high-value client their account is "under internal review for unusual transactions" has, in practice, communicated that something AML-related is happening.

The FCA's Financial Crime Guide addresses this directly. When exiting customers for AML reasons, the stated reason must not signal that a SAR has been, or is about to be, filed. Firms frequently get this wrong when relationship managers feel pressure from clients who demand an explanation.

Common scenarios where tipping off occurs:

  • Account closure with a reason that implies suspicious activity review
  • Holding a payment and telling the customer it's "with compliance"
  • A front-line employee mentioning that a cash transaction was "flagged"
  • A subject access request (DSAR) response that inadvertently includes SAR-related records
  • An insider disclosing SAR activity to the investigation subject in exchange for payment

That DSAR scenario catches banks off guard. UK data protection law allows firms to withhold SAR-related documents from DSAR responses, but only if the MLRO actively reviews each response before it goes out. When data protection and compliance teams operate in silos, this breaks down.

The MLRO carries primary responsibility for managing tipping-off risk. That includes overseeing account closures for AML reasons, signing off on DSAR responses, and maintaining appropriate SAR filing timelines without creating operational pressure that leads to disclosure errors. Understanding how FinCEN defines suspicious activity and the difference between a SAR and an STR is part of that required knowledge base.

Safe harbors

Not every disclosure is an offense. POCA 2002 Sections 333B-D define permitted disclosures:

  • Within-group disclosure (Section 333B): Sharing SAR information with another entity in the same corporate group is permitted, provided the recipient is subject to equivalent AML controls, which typically means an EEA or FATF-equivalent jurisdiction.
  • Between institutions (Section 333C): Two credit institutions handling the same transaction may share SAR-related concerns with each other under defined conditions.
  • Legal professional privilege (Section 333D): Lawyers advising clients on their legal position are generally exempt, but not when the advice concerns facilitating the transaction being reported.

In the US, the FinCEN safe harbor at 31 U.S.C. § 5318(g)(2) protects the act of filing but doesn't protect deliberate disclosure to the subject. The 314(b) voluntary information-sharing program allows institutions to exchange SAR-related information with each other, provided they've filed a 314(b) notice with FinCEN.

Why this matters

Most tipping-off incidents aren't deliberate decisions to break the law. They're operational failures: a relationship manager who didn't receive clear guidance, a data protection team that didn't loop in the MLRO before sending a DSAR response, a front-line employee who said too much when a customer asked why their payment was held.

That operational reality is exactly what regulators examine. Regulatory examinations specifically probe whether tipping-off controls are fit for purpose: SAR access logs, account closure procedures, DSAR review processes. Gaps in any of these can escalate an exam into a formal enforcement matter. In serious cases, regulators have imposed monitorships on institutions where SAR confidentiality controls were found to be systemically inadequate.

There's also a detection quality dimension. When transaction monitoring generates high volumes of false positives, operational pressure builds across compliance, operations, and relationship teams. Staff look for shortcuts to manage the volume. That pressure and tipping-off risk are correlated. Teams that reduce alert noise also reduce the conditions that produce disclosure errors.

The controls that work:

Standardized account exit language. Give front-line staff and relationship managers pre-approved scripts. "We've made a business decision to exit this relationship" is legally defensible. "There's a compliance issue with your transactions" is not.

SAR system access controls. Restrict access to the MLRO, deputy MLROs, and designated analysts. Every access event should generate an audit log entry.

DSAR review checkpoints. Build a formal step into every subject access request process: the MLRO reviews the full response package before it goes out. This should be a named, documented, mandatory step, not an informal check.
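A release gate for this checkpoint, as an added example that is not from the original page: it withholds SAR-related documents, including untagged ones that only mention a SAR, and allows sending only when a named MLRO reviewer has signed off on the exact content being released. The document fields, tag names, wording patterns, reviewer ids and sample package are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Assumed tag and wording patterns marking SAR-related material.
SAR_TAGS = {"sar", "mlro-referral"}
SAR_TEXT = re.compile(
    r"\b(suspicious activity report|SAR ref|internal suspicion report)\b", re.I
)

def split_package(documents):
    """Separate releasable documents from the ids that must be withheld."""
    release, withheld = [], []
    for doc in documents:
        tagged = SAR_TAGS & {t.lower() for t in doc.get("tags", [])}
        # Untagged documents that mention a SAR are the inadvertent-leak case.
        if tagged or SAR_TEXT.search(doc["text"]):
            withheld.append(doc["id"])
        else:
            release.append(doc)
    return release, withheld

def package_digest(documents):
    """Stable SHA-256 over the documents approved for release."""
    canonical = json.dumps(sorted(documents, key=lambda d: d["id"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def can_send(release, signoff, mlro_reviewers):
    """Allow sending only if a named MLRO reviewer approved this exact content."""
    if signoff is None or signoff.get("reviewer") not in mlro_reviewers:
        return False
    # A package edited after review no longer matches the signed digest.
    return signoff.get("digest") == package_digest(release)

# Constructed sample DSAR response package.
SAMPLE = [
    {"id": "D1", "tags": ["statement"], "text": "Account statement, March."},
    {"id": "D2", "tags": ["SAR"], "text": "Filing pack."},
    {"id": "D3", "tags": ["email"], "text": "Please attach to SAR ref 0000 (placeholder)."},
]

if __name__ == "__main__":
    release, withheld = split_package(SAMPLE)
    print("withheld for MLRO review:", withheld)
    print("sendable without sign-off:", can_send(release, None, {"mlro.a"}))
```

Binding the sign-off to a digest of the release set means any document added or changed after the MLRO's review invalidates the approval and forces a second review.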

Tipping-off training. Annual e-learning isn't enough. Front-line staff, private bankers, and relationship managers need practical examples of what to say, what not to say, and what to do when a client pushes back. Abstract definitions don't change behavior.

The EDD process for high-risk customers intersects with tipping-off risk in a specific way. Enhanced due diligence requires asking customers for more information, and structuring those requests so they don't signal AML concern requires deliberate care in how questions are framed.

The penalty for a missed CTR illustrates how seriously US regulators treat reporting obligations generally. Tipping off is treated with at least the same seriousness and, in cases involving deliberate disclosure to an investigation subject, considerably more.
