RFIs, Tipping Off, and Customer Communication
Key Takeaways
- Tipping off - disclosing that a SAR/STR has been or will be filed - is prohibited by law (FATF Recommendation 21) and can be a criminal offense.
- Requests for Information (RFIs) to customers must be framed as routine CDD updates, never revealing suspicion or an investigation.
- SAR confidentiality is strict: neither the filing institution nor its staff may disclose a SAR, or even the fact that one exists, to the subject or to any other unauthorized party.
- Good-faith filers receive safe-harbor protection from civil liability for the disclosure.
The Tipping-Off Prohibition
Tipping off is the unlawful disclosure - to a customer or any unauthorized third party - of the fact that a suspicious activity report (SAR) or suspicious transaction report (STR) has been, is being, or will be filed, or that an investigation is underway. It is prohibited globally by FATF Recommendation 21, which requires that financial institutions and their directors, officers, and employees be prohibited by law from disclosing that an STR or related information is being filed with the FIU.
In the United States, the SAR confidentiality rule under the Bank Secrecy Act (31 U.S.C. 5318(g)(2) and the implementing FinCEN regulations) prohibits disclosing a SAR or any information that would reveal its existence; unauthorized disclosure is a violation that can carry civil and criminal penalties.
The rationale is operational: if the subject learns they have been reported, they can move or hide assets, destroy evidence, abandon compromised accounts, or flee. Tipping off defeats the entire purpose of reporting. On the exam, any answer that involves telling the customer about a SAR, a freeze, or an investigation is wrong.
What counts as tipping off is broad. The following are all prohibited disclosures:
| Prohibited disclosure | Why it is tipping off |
|---|---|
| "We filed a SAR on you" | Direct disclosure of the report |
| "Your account is being investigated by police" | Reveals law-enforcement interest |
| "Compliance flagged this transaction as suspicious" | Reveals suspicion behind the inquiry |
| Hinting the customer should "explain or we must report you" | Coaching/indirect tip-off |
Note a key distinction: filing a SAR is not tipping off; only the disclosure of that filing to unauthorized parties is. Sharing a SAR with regulators, FinCEN, or in response to a proper law-enforcement request is permitted.
RFIs, Customer Communication, and the Safe Harbor
Institutions routinely send Requests for Information (RFIs) to customers to refresh CDD - asking for updated source-of-funds, source-of-wealth, business purpose, or beneficial ownership details. The CAMS discipline is to frame an RFI as a routine, periodic due-diligence update, never as a response to suspicion. The customer's reaction to a neutral RFI (evasiveness, refusal, an implausible explanation) can itself be intelligence that supports a SAR - but the RFI must not signal why the institution is asking.
Use these rules when communicating with a customer who is, or may become, a SAR subject:
- Do ask neutral, standard CDD questions and document the responses.
- Do continue handling the account normally; an abrupt change in service (a sudden hold, a refusal to process routine items, an unexplained exit) can itself signal a report. If law enforcement asks that the account be kept open, follow and document that request.
- Do not reference a SAR, a hold, an investigation, suspicion, or monitoring alerts.
- Do not coach the customer toward an explanation that defeats the report.
- Escalate the file internally to the AML/BSA Officer rather than resolving suspicion at the front line.
The counterweight to all this risk is the safe harbor. FATF Recommendation 21 calls for institutions and their directors, officers, and employees to be protected from criminal and civil liability for reporting suspicions in good faith, even if they did not know precisely what the underlying criminal activity was and regardless of whether illegal activity actually occurred. In the United States, the BSA safe harbor (31 U.S.C. 5318(g)(3)) shields the institution and its staff from liability under any law, regulation, or contract for a good-faith SAR and for failing to notify the subject of it. The safe harbor is what makes confident, timely reporting possible; CAMS expects you to pair the tipping-off prohibition with the safe-harbor protection.
Worked scenario: A relationship manager wants to call a customer to say, "Compliance is reviewing your wires for suspicious activity - can you justify them so we don't have to report you?" Every clause of that is wrong: it tips off, reveals suspicion, and coaches the customer. CAMS-correct action: send a neutral CDD RFI if appropriate, document the response, escalate to the AML Officer, file a SAR if suspicion is supported, keep the account behaving normally, and disclose to no one. This communication discipline sits in the 20%-weighted governance and information-sharing domain and is one of the highest-yield exam behaviors.
Permitted Disclosures, Edge Cases, and Cross-Border Nuance
The tipping-off prohibition is strict but not absolute - certain disclosures are permitted, and the exam tests whether you can tell them apart from unlawful ones. Sharing a SAR or its underlying information is allowed when it goes to the FIU (FinCEN), to the institution's regulators, to law enforcement under a proper request, within the institution to those who need it to perform their duties (including managing the relationship), and - in the US - to a head office or controlling company and to affiliates that are themselves subject to a SAR rule, under FinCEN guidance. Sharing the existence of a SAR with an unaffiliated institution is not permitted, even with a 314(b) partner: 314(b) permits sharing information about possible money laundering or terrorist financing, not the fact that a SAR was filed.
| Disclosure of a SAR or its filing to... | Permitted? |
|---|---|
| FinCEN / the FIU | Yes |
| The institution's federal regulator | Yes |
| Law enforcement under proper request | Yes |
| Head office, controlling company, or affiliates that are themselves subject to a SAR rule (US) | Yes |
| The customer who is the subject | No |
| An unaffiliated 314(b) counterparty | No |
Three edge cases recur on the exam. Subpoenas: if a customer's attorney subpoenas records, the institution must decline to produce the SAR or any information that would reveal its existence, and should notify FinCEN (and, for a bank, its primary federal regulator). The underlying transaction records - statements, wire details, account-opening documents - are ordinary business records and may still have to be produced; only the SAR and its existence are protected. Account closure: closing an account is allowed, but the stated reason must not reveal a SAR or investigation. Employee references: when an employee leaves under suspicious circumstances, references must not disclose SAR activity.
Cross-border practice adds nuance. The tipping-off concept is near-universal because it derives from FATF Recommendation 21, but the precise legal boundaries differ by country - some define a narrower offense, some attach criminal penalties, some allow limited disclosure to home-country supervisors. The CAMS-correct instinct is to apply the strictest applicable standard and consult the relevant FIU or counsel when a multinational situation is unclear.
Worked scenario: A customer demands, "Did you report me to the authorities?" The CAMS-correct response is a neutral non-confirmation - the institution neither confirms nor denies any SAR, continues normal handling, documents the interaction, and escalates internally. Confirming, denying, or hinting all risk tipping off. Pairing strict confidentiality with the good-faith safe harbor lets institutions report aggressively while shielding both the investigation and themselves.
Practice Questions
- A relationship manager tells a client, "Compliance flagged your transactions as suspicious - please explain them so we don't have to report you." What does this represent? (Tipping off: it discloses suspicion and coaches the customer, and is prohibited regardless of whether a SAR has yet been filed.)
- An institution files a SAR in good faith, but the suspicion later proves unfounded. What protection applies? (The safe harbor: good-faith filers are protected from liability for the report even when no illegal activity actually occurred.)