What is tipping off in AML?

The full answer

Tipping off in AML is the criminal act of telling a suspect, or someone connected to them, that a suspicious activity report has been filed or that they're under investigation for money laundering. The offense applies to both direct disclosure ("we've reported you to the FIU") and indirect disclosure that would lead a reasonable person to conclude a report was made.

The legal framework is consistent across major AML regimes. In the UK, Section 333A of the Proceeds of Crime Act 2002 creates the offense for regulated-sector firms, with a maximum of five years' imprisonment. Two elements must be proved: the defendant knew or suspected a protected disclosure had been made, and their own disclosure was likely to prejudice any investigation arising from it.

In the US, 31 U.S.C. § 5318(g)(2) prohibits any institution or employee from notifying a person involved in a transaction that a SAR has been filed. This prohibition runs indefinitely. The civil and criminal safe harbor for SAR filers under § 5318(g)(3) is conditioned on secrecy: disclose the SAR's existence, and the protection falls away.

The EU's Fourth Anti-Money Laundering Directive (2015/849, Article 39) and FATF Recommendation 21 follow the same logic. FATF Recommendation 21 is worth reading in full because it shows the interdependency: STR filers get legal protection precisely because the confidentiality obligation is binding. One cannot exist without the other.

The offense covers more than obvious cases. Partial or coded disclosures can meet the threshold. UK courts have confirmed this. In Shah v. HSBC Private Bank [2012] EWCA Civ 1556, the Court of Appeal held that SAR confidentiality survives civil disclosure obligations absent a court order, and set out how institutions should respond to litigation that risks revealing a SAR was filed.

Statutory exceptions exist. Under POCA Sections 333B-D, intra-group disclosures for AML purposes are permitted, as are disclosures to legal advisers for legal advice, and disclosures to supervisors or law enforcement. These carve-outs are narrow and specific. They don't create a general right to discuss SAR filings beyond those directly involved in AML compliance.

Why this matters

The tipping off prohibition creates practical pressure at several points in the AML workflow.

EDD interviews. When running enhanced due diligence on a high-risk customer, compliance teams need information. Certain questions signal suspicion. The standard protocol is to frame EDD requests as routine periodic reviews, not as responses to specific transactions. This isn't deception; it's a required operational safeguard.

Account closure. A bank that files a SAR and then closes the account citing "financial crime concerns" has arguably tipped off the customer. Most compliance teams use a generic "commercial decision" letter with no AML reference. Some jurisdictions allow "de-risking" language. None allow direct disclosure of the AML basis.

The SAR filing window. Because banks have a fixed timeframe to file a SAR after identifying suspicious activity, the tipping off risk is highest during that window, when the institution may still be interacting with the customer normally. Alert investigations and EDD requests can both run in parallel with an active SAR process, which requires clear internal protocols about what can be communicated externally.

Correspondent banking. When a correspondent bank blocks a payment and the respondent asks why, the correspondent is in a difficult position. Sanctions screening blocks are sometimes publicly traceable to OFAC lists. SAR-driven blocks are not. The correspondent cannot disclose the SAR basis, even when asked directly by a counterparty it trusts.

Regulatory exam risk. Tipping off failures surface during AML examinations. Examiners review account closure letters, EDD interview scripts, and litigation response procedures. An institution that can't demonstrate a documented tipping off protocol is exposed. Bank failures on AML exams frequently cite breakdowns in SAR confidentiality controls among the contributing factors.

Automated systems. AI-based transaction monitoring can generate alerts, trigger EDD workflows, and block transactions without direct human involvement. That automation doesn't change the tipping off rule. Firms need controls to ensure that automated customer communications, including payment rejection messages, don't inadvertently disclose that an alert or report was triggered.

Related questions

• Who files a SAR: the MLRO or the compliance officer?
• How long do banks have to file a SAR?
• How does FinCEN define suspicious activity?
• What is the difference between a SAR and an STR?
• What happens when a bank fails an AML exam?

Related concepts and regulations

• What is the difference between CDD and EDD?
• What percentage of AML alerts are false positives?
• How does sanctions screening work?
• Can AI be used for AML transaction monitoring?
• What triggers a regulatory exam?