Confidentiality and Tipping-off – or the Big-Bang Theory

According to FATF Recommendation no. 21 (Confidentiality and Tipping-off), Authorities should protect by law “Financial Institutions, their directors, officers and employees” when they “report their suspicions in good faith to the FIU” (21 a).

At their turn, “Financial Institutions, their directors, officers and employees are prohibited by law from disclosing (tipping-off) the fact that a suspicious transaction report (STR) or related information is being filed with the FIU” (21 b).

In Romania, this Recommendation was taken very seriously and tipping-off is considered a crime, punished by prison from 6 months to 3 years (art. 31.1 from Law 656/2002).


surprised emoji

But what do we do when the Authorities are the ones tipping-off?



The same Romanian law (656/2002, art. 25) states that the personnel from the FIU cannot further send the information received during their job, except in the conditions of the law. Otherwise, they can are subject to the same sanctions – prison from 6 months to 3 years.

At the first glance, we would consider things fair. If everybody does their job and respects the law, then it is ok. We are all equal in front of the law, prohibited from tipping-off and subject to the same sanctions.

But …. (because there is always a but)

cant believe it emojiWhat do you answer to an angry customer who comes to the bank and makes a formal complaint asking why he was reported with suspicious transactions and saying that he read his entire STR at the Police Office, where he was asked to come and make a statement?

Where is the confidentiality and tipping-off from the law here? Who is punishable here?

The FIU personnel further sent the STR to the Police in the conditions of the law, so they are clean to go. And, the police personnel are not included in the categories covered by Law 656/2002. So…. Yes, there are probably some laws applicable to the Police regarding confidentiality and a code of conduct (I didn’t find anything very precise after long searches) and yes, the FIU personnel most probably should have anonymized the FIU before sending it to the Police Office. But…

For the above situation we will assume that it was just a person’s fault. Maybe a beginner, maybe a small police clerk who made a mistake.

graduate emojiBut what do you do when on the first page of the Seizure Ordinance (the one that is also given to the customer) the prosecutor clearly states that “the bank agency personnel had suspicions, did not perform the transaction and filed a STR to the FIU”?

Where is the confidentiality and tipping-off from the law here? Who is punishable here?

Can we still consider that it was just a person’s fault? We are now talking about a prosecutor, not about a beginner or a simple clerk. A prosecutor with whom we spent a lot of time talking on the phone and asking him to remove that tipping-off phrase and the only argument he had for refusing us was – “it is already signed and I couldn’t go back and have it signed again”.

We are also talking about “bank agency personnel”. They are easily identifiable by the person who ordered the suspicious transaction and then eceived the seizure ordinance. The same “bank agency personnel” who respected the law, announced the suspicions and then had to face the customer and be perfectly professional when the angry customer was asking why his money did not arrive to the destination after such a long time (24 hrs + 48 hrs + 72 hrs – these are the legal suspension periods from the Romanian law for transactions reported as suspicious before executing them).


In my career as a Compliance Officer I encountered many situations when the Authorities themselves tipped-off the customers.

The first time I was furious and spent a lot of time searching for laws that I could use in order to “have justice”. I was decided to do something, to make official letters asking for explanations, to have someone admit the mistake, to see a change.

furious emoji tipping-off

It was a lot of time spent in vain. As I discovered by myself, the law itself has many loopholes on behalf of the Authorities and the Authorities have a difficult time applying the law/sanctions to themselves. Plus, as I was advised by a colleague, if you mess with them too much, you risk having a rough approach when they come to control if your organization respects the law (the same one that they don’t).

The Authorities prefer letting the dust settle and pretend that nothing serious happened. As I once heard from a FIU representative, “why are you so worked up? It’s just the bank’s name mentioned, not the person’s name”. They ignore that the persons’ names can be easily guessed.


I once read that maturity comes when you know when it is time to let go. So, after many useless efforts I realized that in this situation, I just have to find a way to protect my organization, myself and my colleagues in the conditions of the law. A good example is that, in the STR description of the transactions and suspicious elements, I am extremely careful that the name of the bank is never mentioned. You would be surprised how many times the information sent by the FIU to other Authorities is a simple copy-paste from the STR with no anonymization at all.


The law is the start and essence of any correct and fruitful interaction with the Authorities. But when the law allows loopholes for the Authorities, topped with the situations when the Authorities do not respect the law…

It all started with the Big Bang!

By Andreea Tampu, ACAMS

This article is property of the author and may not be duplicated, copied, modified or used in any way without my written permission.

1 Comment
  1. Definitely a Bing Bang!

Leave a reply