AML Compliance  ·  Session Seven of Nine

Reporting Suspicious Activity

40 minute read UK · New Zealand · Australia PDF available below

---

The obligation to report suspicious activity is one of the most important duties in the AML framework. It is also one of the most misunderstood. Some firms treat it as a compliance formality and file reports to protect themselves without thinking hard enough about quality. Others under-report because staff are unsure where the threshold lies or worry about damaging a client relationship.

Neither approach is acceptable. Under-reporting keeps useful financial crime intelligence from law enforcement. Poor-quality reporting floods the system with unusable material. This session explains what the reporting obligation requires, how internal and external reporting work, what a good suspicious activity report looks like, how the defence against money laundering process operates, and how to manage the tipping-off risk once a report has been made.

The legal obligation to report

The POCA framework

The reporting obligation for the regulated sector flows primarily from section 330 of the Proceeds of Crime Act 2002. A person in the regulated sector commits an offence if they know or suspect, or have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering, and they do not make the required disclosure as soon as practicable.

The key phrase is reasonable grounds for knowing or suspecting. The section 330 test is objective in part. It is not limited to actual suspicion. A compliance professional who genuinely had no suspicion, but ought to have had one given the information available, can still be liable. Wilful blindness is no protection.

The obligation to disclose is to the nominated officer, which in practice means the MLRO or their deputy. An employee who reports internally to the MLRO has complied with their obligation. It then falls to the MLRO to decide whether to make an external disclosure to the National Crime Agency.

Section 330POCA 2002	Failure to disclose: the core reporting offence for the regulated sector. Applies where there is knowledge, suspicion, or reasonable grounds for suspicion of money laundering.
Section 331POCA 2002	Failure to disclose by a nominated officer: the equivalent offence for the MLRO, who receives internal reports and decides whether to report externally to the NCA.
Section 332POCA 2002	Failure to disclose: other nominated officers. Applies in some specific supervisory and institutional contexts.
Sections 19 to 21BTerrorism Act 2000	Parallel disclosure obligations for terrorist financing. The same internal reporting structure applies, but the suspicion concerns terrorist property rather than the proceeds of crime.

What constitutes suspicion

The threshold for suspicion is deliberately low. The leading case is R v Da Silva [2006] EWCA Crim 1654, which held that suspicion requires a possibility that is more than fanciful: a vague feeling of unease is not enough, but neither certainty nor even a firm belief is required. The UKFIU's December 2025 SAR guidance confirms that this remains the practical starting point.

In practice, this means regulated firms and their staff are expected to report when something does not feel right, even if they cannot yet point to a specific proven fact. The obligation is to disclose a suspicion, not to investigate it to the point of resolution. Trying to investigate first, rather than reporting and then cooperating with any investigation, risks tipping off the subject and delaying the disclosure.

Indicators of suspicious activity

No list of red flags is exhaustive, and indicators should always be assessed in context. The presence of a single indicator does not automatically raise suspicion, and many indicators have innocent explanations. What matters is the overall picture. Common indicators include:

• A customer who is reluctant or unable to provide satisfactory identification documentation, or who provides documents that appear inconsistent or altered.
• Transactions that are inconsistent with the customer's known business, personal circumstances or established transaction patterns.
• Unexplained changes in a customer's financial position or sudden large movements of funds without a clear commercial rationale.
• Instructions to conduct transactions in a complex or unusual way that appears designed to obscure the flow of funds.
• Transactions involving high-risk jurisdictions without an obvious business reason.
• Cash-intensive activity that is disproportionate to the nature of the customer's business.
• A customer who appears unusually concerned about confidentiality, particularly in relation to the identity of the ultimate beneficial owner.
• Payments to or from third parties who have no apparent connection to the transaction.
• Structures that appear designed to distance the ultimate owner from the asset, with no clear commercial purpose for the complexity.

Internal reporting

The role of the nominated officer

The nominated officer, in practice the MLRO, is the central point for all internal suspicious activity reports. Under section 331 of POCA, the MLRO commits an offence if they receive an internal report, know or suspect that another person is engaged in money laundering, and fail to disclose to the NCA as soon as practicable.

When an internal report is received, the MLRO must consider it properly and record that consideration. If they decide not to report externally, they should record why. That record matters. In any later investigation or supervisory review, the MLRO may need to show that the decision not to report was reasoned and defensible, rather than a failure to engage.

What internal reporting procedures must contain

The MLR 2017 require firms to have internal reporting procedures that allow staff to disclose knowledge or suspicion to the MLRO. Those procedures should be documented, communicated to all relevant staff, and tested periodically. At a minimum, they should cover:

• How to make an internal report, including the format and route.
• Who the MLRO and deputy MLRO are, and how to reach them.
• What happens once an internal report is made, including expected timelines.
• The protection available to staff who make internal reports in good faith.
• The tipping-off prohibition and how it affects communications once a report has been made.

External reporting: the SAR regime

The SAR Portal

External reports to the NCA are made through the SAR Portal, the secure online system operated by the UK Financial Intelligence Unit within the NCA. The current UKFIU guidance on using the portal was issued in November 2025. The practical guidance on submitting SARs and making DAML or DATF requests was updated in December 2025. Users of the legacy SAR Online system must register separately for the SAR Portal.

The NCA recommends that organisations use a shared inbox for DAML and DATF-related communications. This reduces the risk of a time-sensitive response being missed because it landed in one person's inbox while they were away. Given the short statutory timetable for a defence request, that is a practical safeguard, not an administrative detail.

The UKFIU has national responsibility for receiving, analysing and disseminating intelligence submitted through the SAR regime. It is the central gateway for reports made under the UK suspicious activity reporting framework.

What a SAR must contain

A SAR should clearly identify who is being reported and why. The UKFIU's December 2025 best practice guidance sets out what a good SAR looks like:

• The identity of the person or entity being reported, with as much detail as is available: full name, date of birth, address, account numbers, and any previous SAR reference numbers if the person has been reported before.
• A clear description of the suspicious activity, explaining what happened and why it gives rise to suspicion. The focus should be on the activity and what it indicates, not on attempting to prove a predicate offence.
• The relevant glossary codes, which help the UKFIU and law enforcement identify priority reports and analyse emerging trends. The codes available on the SAR Portal are updated periodically and should be checked each time a report is filed.
• All relevant detail entered in the correct fields in the portal. Attachments cannot be uploaded: everything that matters must be in the SAR itself.

Glossary codes and alerts

The SAR Portal includes a glossary of codes that reporters can use to identify the nature of the suspected activity. Codes cover categories including money laundering, terrorist financing, fraud, bribery and corruption, and proliferation financing. Using the right code matters. It helps the UKFIU prioritise the report and direct it to the right part of law enforcement.

The NCA also issues alerts, including JMLIT alerts, where it has identified specific risks or typologies. Where a SAR is filed as a result of information in an NCA alert, reporters should tick the relevant box in the portal and provide the alert code. This connects the report directly to the intelligence picture the NCA is building.

The DAML and DATF process

What a DAML is

A Defence Against Money Laundering, or DAML, is the process by which a firm reports a suspicion to the NCA and seeks a defence before proceeding with a transaction that might otherwise constitute a principal money laundering offence under sections 327 to 329 of POCA. The equivalent for terrorist financing is a Defence Against Terrorist Financing, or DATF, made under the Terrorism Act 2000.

A DAML is not the same as an ordinary SAR. An ordinary SAR reports a suspicion about another person's money laundering. A DAML is made when the firm itself intends to carry out an act that may involve criminal property and wants a defence before doing so.

How the DAML process works

When filing a DAML, the reporter must indicate in the SAR Portal that they are seeking a defence. The NCA then has seven working days, starting on the day after the DAML is received, to refuse. If it does not refuse within that period, the defence is treated as available.

Where consent is refused, the NCA has a further period, known as the moratorium period, during which it can investigate before the firm is required to either proceed or terminate the transaction. The moratorium period under POCA is 31 days from the day consent is refused.

The NCA may contact the firm for further information during the seven-day notice period. Failure to respond promptly can lead to the request being closed, which may leave the firm without the defence it was seeking. This is why a shared inbox for DAML communications is strongly recommended.

The section 339A threshold

Section 339A of POCA provides threshold exemptions in two situations. First, deposit-taking bodies, electronic money institutions and payment institutions may in certain circumstances operate an account without committing a principal money laundering offence where the value does not exceed the threshold amount. Second, following later amendments, a person carrying on business in the regulated sector may in certain circumstances return money or other property to a customer or client in order to end the business relationship, again subject to the threshold. From 31 July 2025, following the Proceeds of Crime (Money Laundering) (Threshold Amount) (Amendment) Order 2025, the threshold was raised from £1,000 to £3,000.

This provision does not remove the obligation to report a suspicion. It simply means that certain low-value transactions can be processed without first obtaining a DAML. The reporting obligation under section 330 remains in place regardless of the threshold.

The tipping-off prohibition

What tipping off means

Section 333A of POCA makes it a criminal offence to disclose to a person that a suspicious activity report has been made, or that an investigation is being contemplated or carried out, in circumstances where that disclosure is likely to prejudice any investigation. On indictment, the maximum penalty is two years' imprisonment.

Once a SAR has been filed, the subject of the report must not be told. That creates an immediate practical challenge in client-facing situations, especially where the client asks why a transaction has been delayed or why the firm is asking further questions.

Managing the tipping-off risk

Firms need clear procedures for handling client conversations when there is a live SAR or a pending DAML. The key principles are:

• Do not tell the client that a SAR has been filed or that one is being considered.
• Do not tell the client that the transaction is paused because of a suspicion relating to them specifically.
• Legitimate business reasons can be cited to explain a delay, provided they are not used to mislead in a way that prejudices an investigation.
• Where a client is persistent, escalate to the MLRO rather than letting the conversation continue with front-line staff who may inadvertently say too much.
• SAR records should be kept separately from client files to reduce the risk of accidental disclosure.

The professional privilege exemption

The tipping-off prohibition includes an exemption for legal professional privilege. A disclosure made by a professional legal adviser to their client is not a tipping-off offence if it is made to dissuade the client from engaging in conduct amounting to an offence. This is a narrow exemption. It is not a general licence to discuss a SAR with a client. Firms should take legal advice if they are unsure whether the exemption applies in a specific case.

Coming up in Session Eight

Session Eight covers staff training. The obligation to train staff on AML requirements is not a box-ticking exercise. It is how the wider compliance programme is given practical effect. Session Eight explains what training must cover, how to design it to work in practice, how to evidence it, and how to test its effectiveness.

Further reading and resources

The following primary sources are worth reading alongside this session. All are publicly available.