FATF ¦ R.21 Tipping-Off and Confidentiality

Recommendation 21: Tipping-Off and Confidentiality in Financial Crime Compliance

Tipping-off and confidentiality lie at the heart of effective anti–money laundering and counter-terrorist financing (AML/CFT) frameworks. Recommendation 21 sets out how financial institutions, and the people who work in them, should be protected when they report suspicions, while at the same time ensuring that customers and third parties are not alerted to ongoing investigations. For financial crime professionals, understanding this balance is critical to designing compliant processes and training frontline staff.

The first part of Recommendation 21 focuses on legal protection. Financial institutions and their directors, officers and employees should be protected by law from both criminal and civil liability when they report suspicious activity in good faith to the financial intelligence unit (FIU).

This protection is essential for several reasons. Employees are often bound by confidentiality obligations arising from contracts, professional codes, or national legislation such as banking secrecy laws or data protection rules. Without an explicit safe harbour, staff may fear that sharing information with the FIU could expose them or their institution to legal claims, including breach of contract, breach of confidentiality or violations of secrecy rules.

Recommendation 21 tackles this head-on. If a report is made in good faith, those involved should not face liability for breaching any restriction on disclosure. This applies:

  • Even if the employee or institution did not know the precise nature of the underlying criminal activity. It is enough that they had a reasonable suspicion that something was wrong.
  • Regardless of whether illegal activity actually occurred. A suspicious transaction report (STR) can turn out to be unfounded; what matters is that it was filed honestly and on reasonable grounds.

In practice, this protection encourages a “report rather than ignore” culture. Staff are more likely to err on the side of caution, which is exactly what regulators and FIUs want. Institutions, for their part, can design internal reporting channels that encourage escalation without forcing employees to choose between legal risk and regulatory expectations.

Bastian Schwind-Wagner

"Recommendation 21 reinforces a core message for financial institutions: report suspicions promptly and in good faith, and the law should protect you. At the same time, strict rules on tipping-off ensure that customers are not alerted and investigations are not compromised. This balance is central to an effective AML/CFT framework.

For practitioners, Recommendation 21 is not abstract – it shapes policies, staff training, system design and how you speak to customers every day. When applied properly, it creates a culture where employees feel safe to report, and criminals find it harder to detect that they are under scrutiny."

Prohibition on Tipping-Off

While Recommendation 21 protects those who report suspicions, it also imposes a strict limit: financial institutions and their staff must be prohibited by law from disclosing that a suspicious transaction report or related information has been or will be submitted to the FIU. This is commonly known as the tipping-off prohibition.

The rationale is straightforward. If a customer or third party learns that they have been reported to the FIU, they may rapidly move or hide assets, destroy evidence or abandon compromised accounts or channels. That can seriously undermine ongoing investigations and make it much harder for law enforcement to trace funds, identify accomplices and secure convictions.

This prohibition typically covers:

  • Direct disclosure, such as telling a customer, “We filed an STR about your transactions”.
  • Indirect or implied disclosure, where the customer can reasonably infer that an STR has been filed, for instance through unusual comments or hints from staff.
  • Situations where a pattern of behaviour by the institution (such as suddenly freezing all accounts while giving a suggestive explanation) amounts in practice to a warning.

For compliance teams, this means internal policies must be very clear on what can and cannot be communicated to customers when an account is under review or when a transaction has been reported. Staff, especially customer-facing employees, need practical guidance and scripted explanations that avoid tipping-off while remaining consistent with consumer protection and fair treatment standards.

Good Faith as the Key Condition

Recommendation 21 emphasizes that the protection against liability applies when suspicions are reported in good faith. Good faith means the person genuinely believed that the information indicated potential criminal activity, based on what was reasonably available to them at the time.

This has several implications:

  • Employees must act honestly and must not file STRs to retaliate against customers, colleagues or competitors.
  • Institutions should support staff with clear guidance on what constitutes suspicion, and provide training on typical red flags.
  • Documentation of the reasoning behind an internal suspicion and the eventual STR is important. It helps demonstrate that the report was grounded in objective indicators and not made arbitrarily or maliciously.

Where good faith is present, Recommendation 21 expects national law to shield reporters even if investigations later show there was no criminal conduct. This removes the pressure to be “right” every time and instead promotes reasonable vigilance.

Interaction with Bank Secrecy and Confidentiality Laws

Many jurisdictions have long-standing banking secrecy or professional secrecy regimes, backed by criminal penalties for unauthorized disclosure of customer information. Without a specific carve-out for AML/CFT reporting, these rules can conflict with the duty to report suspicious transactions.

Recommendation 21 responds to this by making clear that AML/CFT reporting obligations should override secrecy and confidentiality constraints, at least where reports are made in good faith to the FIU. Legislatures are expected to:

  • Explicitly state in law that the disclosure of information for the purpose of filing STRs does not constitute a breach of secrecy or confidentiality.
  • Protect both the institution and individual employees from civil suits, such as claims for damages by customers who object to being reported.
  • Clarify that these protections apply even if the suspected criminal activity is not ultimately proven.

For financial institutions, this means policies should reference the legal basis for STR filings and reassure staff that they are operating within the law when fulfilling their reporting duties.

Ensuring Confidentiality Within the Institution

Tipping-off is not only a risk in customer interactions. It can also arise from poor internal handling of STR-related information. Recommendation 21 implies a need for strong internal confidentiality around suspicious activity reports and any associated data.

Effective practice usually includes:

  • Restricting access to STR files and related communications to the compliance function and a small number of senior managers who genuinely need to know.
  • Using secure systems for logging internal suspicious activity reports and communications with the FIU.
  • Avoiding references to “STR” or “suspicion” in customer-facing account notes or records that could be visible beyond the compliance team.
  • Coordinating with legal and operational teams on how to manage account restrictions, transaction delays or terminations in a way that does not inadvertently alert the customer to the existence of an STR.

These measures support both the prohibition on tipping-off and the overall integrity of investigations.

No Barrier to Information Sharing Under Recommendation 18

Recommendation 21 ends with an important clarification: the tipping-off prohibition is not intended to inhibit information sharing under Recommendation 18.

Recommendation 18 focuses on internal controls and foreign branches and subsidiaries, including group-wide information sharing for AML/CFT purposes. Group-level financial crime risk management depends on the ability to share relevant information within a corporate group, such as:

  • Alerts and red flags involving particular customers, counterparties or typologies.
  • Information necessary to manage group-level risks and ensure consistent AML/CFT standards across jurisdictions.
  • Data needed to support consolidated monitoring and sanctions screening.

The tipping-off restriction should not be interpreted so strictly that it prevents this kind of legitimate internal or intra-group sharing, as long as such sharing is done:

  • For AML/CFT and risk management purposes.
  • In line with data protection and secrecy rules as modified by AML/CFT laws.
  • With appropriate safeguards so that sensitive details are not improperly disclosed to individuals who might, in turn, alert customers.

The key distinction is between sharing information within the financial group or organization to manage risk and comply with AML/CFT obligations, which is allowed and even encouraged, and disclosing to the customer or external parties that an STR was filed, which is prohibited.

Practical Implications for Financial Institutions

For institutions looking to align with Recommendation 21, several practical steps are essential:

  • Ensure domestic legislation provides explicit safe harbours for good-faith STR reporting, and understand how those protections apply in all jurisdictions where the group operates.
  • Embed the legal protections and tipping-off rules into internal policies, procedure manuals and employment contracts where appropriate.
  • Train staff, especially frontline and relationship managers, on how to handle customer questions about delays, blocked transactions or account closures without hinting that an STR has been filed.
  • Create secure channels for internal escalation of suspicions, and control who can see STR-related information.
  • Coordinate with group compliance functions to allow responsible information sharing that does not conflict with tipping-off restrictions.

Conclusion

Recommendation 21 aims to strike a careful balance: encourage robust reporting of suspicious activity by shielding institutions and staff from liability when they act in good faith, while protecting investigations through a clear prohibition on tipping-off. For financial crime professionals, this recommendation underpins the legal and operational framework of day-to-day AML work. When implemented properly, it supports a culture where suspicions are reported promptly and confidently, without compromising the confidentiality essential to effective law enforcement and regulatory action.


FATF Ratings Overview
Luxembourg ¦ FATF Effectiveness & Technical Compliance Ratings

Anti-money laundering and counter-terrorist financing measures

Luxembourg Mutual Evaluation Report, September 2023

This assessment was adopted by the FATF at its June 2023 Plenary meeting and summarises the anti-money laundering and counter-terrorist financing (AML/CFT) measures in place in Luxembourg as at the date of the on-site visit: 2-18 November 2022.

Table 1. Effectiveness Ratings

Note: Effectiveness ratings can be either a High – HE, Substantial – SE, Moderate – ME, or Low – LE, level of effectiveness.

IO1 Risk, policy and coordination

Money laundering and terrorist financing risks are identified, assessed and understood, policies are co-operatively developed and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism.

Substantial

IO2 International cooperation

International co-operation delivers appropriate information, financial intelligence and evidence, and facilitates action against criminals and their property.

Substantial

IO3 Supervision

Supervisors appropriately supervise, monitor and regulate financial institutions and VASPs for compliance with AML/CFT requirements, and financial institutions and VASPs adequately apply AML/CFT preventive measures, and report suspicious transactions. The actions taken by supervisors, financial institutions and VASPs are commensurate with the risks.

Moderate

IO4 Preventive measures

Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures commensurate with the risks, and report suspicious transactions.

Moderate

IO5 Legal persons and arrangements

Legal persons and arrangements are prevented from misuse for money laundering or terrorist financing, and information on their beneficial ownership is available to competent authorities without impediments.

Substantial

IO6 Financial intelligence

Financial intelligence and all other relevant information are appropriately used by competent authorities for money laundering and terrorist financing investigations.

Substantial

IO7 ML investigation & prosecution

Money laundering offences and activities are investigated, and offenders are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Moderate

IO8 Confiscation

Asset recovery processes lead to confiscation and permanent deprivation of criminal property and property of corresponding value.

Moderate

IO9 TF investigation & prosecution

Terrorist financing offences and activities are investigated and persons who finance terrorism are prosecuted and subject to effective, proportionate and dissuasive sanctions.

Substantial

IO10 TF preventive measures & financial sanctions

Terrorists, terrorist organisations and terrorist financiers are prevented from raising, moving and using funds.

Moderate

IO11 PF financial sanctions

Persons and entities involved in the proliferation of weapons of mass destruction are prevented from raising, moving and using funds, consistent with the relevant UNSCRs.

Moderate

Table 2. Technical Compliance Ratings

Note: Technical compliance ratings can be either a C – compliant, LC – largely compliant, PC – partially compliant or NC – non-compliant.

R.8 Non-profit organisations

PC – partially compliant

R.10 Customer due diligence

C – compliant

R.11 Record-keeping

C – compliant

R.13 Correspondent banking

C – compliant

R.15 New technologies

LC – largely compliant

R.16 Payment transparency

C – compliant

R.19 Higher-risk countries

C – compliant

R.23 DNFBPs: Other measures

C – compliant

R.27 Powers of supervisors

C – compliant

R.32 Cash Couriers

LC – largely compliant

R.33 Statistics

LC – largely compliant

R.34 Guidance and feedback

C – compliant

R.35 Sanctions

LC – largely compliant

R.36 International instruments

LC – largely compliant

R.37 Mutual legal assistance

C – compliant

R.38 Mutual legal assistance: freezing and confiscation

C – compliant

R.39 Extradition

C – compliant

R.40 Other forms of international co-operation

LC – largely compliant


The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Dive deeper
  • FATF ¦ The FATF Recommendations
  • FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing
Bastian Schwind-Wagner
Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.