CAMS Questions and Answers

The first step in designing an effective controls framework using a risk-based approach is conducting a risk assessment. This identifies and evaluates inherent risks, providing the basis for determining which controls are necessary and how they should be prioritized.

Casinos are recognized as high-risk entities under AML/CFT frameworks due to their exposure to large cash volumes and convertible instruments such as chips. Regulators and FATF guidance highlight minimal or no gaming activity combined with rapid cash-out as a major red flag.

In this scenario, the player purchases a large amount of chips using multiple funding methods, including an international wire transfer, does not engage in any gambling, and then immediately cashes out. This behavior is consistent with placement and layering techniques, where a casino is used as a pass-through to legitimize illicit funds.

The absence of gaming activity strongly suggests that the intent was not entertainment but financial manipulation. Casinos are frequently misused for this exact purpose due to their ability to convert cash into “winnings.”

The other scenarios describe activity that may be higher risk but are consistent with legitimate casino behavior when properly documented.

The risk-based approach (RBA) is a foundational principle of FATF standards. It requires countries, regulators, and financial institutions to identify, assess, and understand their money laundering and terrorist financing risks.

Once risks are understood, entities must apply proportionate mitigation measures. Higher risks require stronger controls, while lower risks may justify simplified measures. However, no risk is ignored or exempted from mitigation.

Regulators do not expect all residual risks to be reduced to low; rather, risks must be managed within an acceptable risk appetite. Resource allocation under an RBA prioritizes AML/CFT activities, not unrelated tasks.

Therefore, the correct definition of an RBA focuses on understanding and managing risk proportionately.

Corruption risks in the supply of goods and services often arise when contractors receive preferential treatment, enabling inflated margins, and when procurement processes lack sufficient oversight, making it easier for bribes or kickbacks to influence tender outcomes.

Verifying a customer’s identity is a fundamental CDD requirement under the FATF Recommendations, ensuring you know who your customer is.

Identifying the beneficial owner is required to uncover the natural persons ultimately controlling or benefiting from an account, closing the gap that would allow misuse of corporate vehicles.

FATF Recommendation 29 states that an FIU should serve as a national center for the receipt and analysis of suspicious transaction reports and other information relevant to money laundering and terrorist financing.

“The FIU should serve as a national center for the receipt and analysis of suspicious transaction reports (STRs) and other information relevant to ML/TF, and for the dissemination of the results of that analysis.”

(CAMS 6th Edition, Role of the FIU; FATF Recommendation 29)

Proliferation financingrefers to the act of providing financial services or funds for thedevelopment, acquisition, or delivery of nuclear, chemical, or biological weapons. The core threat involvesnetworks of individuals and entities using the financial systemto obtain sensitive technologies, materials, or knowledge forweapons of mass destruction (WMDs).

TheFinancial Action Task Force (FATF)identifies this as a major international security threat and requires institutions to assess and mitigate such risks.

Key challenges in adopting new AML/CFT technologies are:

A: Data privacy—new tech often requires processing more personal data, raising privacy/regulatory concerns.

C: The Travel Rule—meeting global standards for information sharing in payments is a technology challenge.

D: Data quality—effective systems rely on accurate, comprehensive, timely data.

E: Complexity—integrating and managing new technology can increase operational complexity.(CAMS 6th Edition, Technology in AML/CFT; FATF Guidance on Digital ID and Fintech)

Law firms are classified as gatekeepers under FATF standards when they provide services such as company formation, trust creation, or management of client funds. These services can be misused to facilitate money laundering if proper due diligence is not conducted.

In this scenario, the law firm is establishing complex offshore structures with minimal documentation of source of funds and without questioning suspicious activity. This behavior directly enables the concealment of beneficial ownership and the layering of illicit proceeds, both core money laundering techniques.

Failing to apply scrutiny or report suspicious activity allows criminals to exploit legal services to move and disguise illicit funds under the appearance of legitimacy. This is a recognized vulnerability across multiple FATF typologies.

The behavior described is not merely aggressive tax planning or routine legal work; rather, it represents facilitation of illicit financial flows through professional services.

The second line of defense is responsible for compliance functions, including interpreting new AML regulations and updating policies, procedures, and training programs. This ensures that client-facing staff, such as relationship managers, remain informed and aligned with regulatory expectations.

Public-private partnerships (PPPs) are a key component of modern AML/CFT frameworks and are strongly encouraged by FATF and national regulators. Their primary benefit lies in enhancing timely and effective information sharing between financial institutions, regulators, law enforcement, and financial intelligence units (FIUs).

Through PPPs, authorities can share typologies, red flags, and emerging threat intelligence, while private institutions contribute operational insights derived from real transaction data. This rapid exchange of information on risks, high-risk activities, and suspicious actors significantly improves the detection and prevention of money laundering and terrorist financing.

PPPs do not exist to source staffing resources, provide salaries, or ensure basic understanding of regulatory concepts such as PEPs, which are already addressed through standard AML requirements. Their true value is the speed, quality, and relevance of shared intelligence, allowing participants to respond more effectively to evolving financial crime threats.

Public-private partnerships facilitate strategic information exchange between FIUs and obliged entities and operational information sharing between public authorities and obliged entities, improving collaboration and effectiveness in detecting and preventing financial crime.

Establishing a surveillance program with periodic risk assessments, access controls, and regular compliance reviews for employees, vendors, and third parties is the most effective way to mitigate insider threats and ensure ongoing adherence to AML regulations. This proactive approach continuously monitors risk rather than relying solely on initial checks or self-certifications.

Cross-border money laundering investigations frequently encounter obstacles arising from differences in legal systems, data protection laws, and investigative procedures. International AML/CFT guidance, including FATF recommendations, emphasizes the importance of formal legal cooperation mechanisms to overcome these challenges.

A Mutual Legal Assistance Treaty (MLAT) provides a structured and legally recognized framework for cooperation between jurisdictions. MLATs allow competent authorities to lawfully exchange information, obtain evidence, and coordinate investigative actions while respecting domestic legal requirements and data privacy obligations. This formal mechanism ensures that information shared is admissible and enforceable across jurisdictions.

Relying solely on informal communication channels is insufficient for complex investigations involving sensitive data and legal constraints. Engaging third-party consultants does not address legal barriers and may introduce confidentiality risks. Centralizing an investigation under a single jurisdiction would undermine sovereignty and is not consistent with international cooperation principles.

Therefore, establishing or utilizing an MLAT is the most effective and regulator-aligned approach to enhance cross-border cooperation in complex money laundering investigations.

Technology plays a critical role in strengthening AML/CFT programs by improving efficiency, consistency, and scalability. Regulators encourage the responsible use of technology while maintaining governance and oversight.

One major benefit is processing large volumes of data efficiently, helping institutions eliminate investigative backlogs and manage increasing transaction volumes. Technology also automates repetitive tasks, reducing human error and improving data accuracy, allowing compliance professionals to focus on higher-value investigative work.

Technology does not eliminate privacy concerns, and front-end search tools alone are not sufficient to drive effectiveness. Human oversight remains essential for decision-making, investigations, and regulatory reporting.

Perpetual KYC (pKYC) involves real-time monitoring of data triggers, such as static changes or behavioral anomalies, and prioritization based on client-specific data rather than fixed refresh schedules. This dynamic approach enhances risk management by responding more quickly to changes in client risk profiles.

Financial institutions must conduct thorough background checks on employees in sensitive roles (e.g., private banking) to mitigate fraud, insider trading, and money laundering risks.

Option A (Correct):Past employment records help verify work history and identify any red flags related to prior financial misconduct.

Option D (Correct):Internet and media searches reveal any negative press, regulatory issues, or connections to illicit activity.

Option E (Correct):Criminal history searches help screen for prior convictions related to financial crimes.

Why Other Options Are Incorrect:

Option B (Incorrect):Personal references are less reliable and may not uncover objective risk factors.

Option C (Incorrect):A resume is self-reported and should be verified using independent sources.

Best Practices for Employee Background Screening:

Conduct enhanced due diligence for high-risk roles (e.g., private bankers, compliance officers).

Use reliable background screening tools and legal databases.

Verify employment history and check against regulatory blacklists.

Appointing individuals to serve in official capacities poses a higher money laundering risk because it can be used to obscure the true beneficial ownership and control of the company, making it easier to conceal illicit activities or the identity of those directing the business.

The Financial Action Task Force (FATF) is the global standard-setter for AML/CFT and counter-proliferation financing. Its mandate is focused on standard-setting, assessment, and international coordination, not enforcement or prosecution.

One of FATF’s primary functions is developing international standards, known as the FATF Recommendations, which form the basis of national AML/CFT regimes worldwide.

FATF also identifies high-risk and non-cooperative jurisdictions with strategic AML/CFT deficiencies and works with them to address these weaknesses. Public identification encourages reform and enhances global financial integrity.

Additionally, FATF maintains strong engagement with international organizations, regional bodies, and the private sector to promote consistent implementation of standards.

FATF does not prosecute countries or suspend membership based on evaluation outcomes.

Trust and Company Service Providers (TCSPs) pose the greatest financial crime risks when they use trusts to obscure beneficial ownership, promote complex corporate structures that make tracing ownership difficult, and establish shell companies that can be used to hold and move illicit funds. These activities can facilitate money laundering, tax evasion, and other financial crimes by concealing the true origin and control of assets.

Policies outline the guiding principles and objectives of an organization’s AML framework, setting the tone for compliance. Procedures translate these policies into detailed, actionable steps that staff must follow. Both are essential for effective AML compliance.

Criminals may target accountants because they have the capability to create and structure companies, falsify accounts, and manipulate financial statements, which can be exploited to disguise illicit funds and facilitate money laundering.

A global organization must ensure its group policies accommodate compliance with each country’s specific AML and sanctions regulations to effectively manage risks across multiple jurisdictions.

Money laundering has far-reaching consequences that extend beyond individual institutions and directly affect national and global economic stability. FATF and international bodies consistently highlight that large-scale money laundering can undermine political and economic systems.

One of the most significant impacts is the destabilization of legitimate governments. Money laundering enables organized crime, corruption, and terrorist financing, which can weaken public institutions, distort policy-making, and erode public trust. In extreme cases, criminal organizations gain influence over governments, law enforcement, or key economic sectors.

While money laundering can indirectly affect inflation and growth, it does not directly cause declining money supplies. “Sectoral polarization” is not a standard or widely recognized economic impact in AML literature. The most consistently recognized systemic consequence is the erosion of governance, rule of law, and institutional integrity.

Therefore, destabilization of legitimate governments is the most accurate and regulator-supported answer.

The United Nations develops sanctions regimes primarily to support the peaceful resolution of conflicts, deter unconstitutional or non-democratic changes in governments, and promote the protection of human rights. These objectives aim to maintain international peace, security, and uphold global norms.

Public-private partnerships help develop a culture of compliance across sectors and improve the quality and quantity of data through information sharing, enhancing the collective ability to detect and prevent financial crime.

The Financial Action Task Force (FATF) develops and promotes international standards to combat money laundering and terrorist financing, and it evaluates and monitors countries’ compliance with these standards while providing recommendations for improvement.

AML/CFT (Anti-Money Laundering/Countering the Financing of Terrorism) applications are heavily influenced by various laws and regulations. The most impactful areas include:

Information security, data privacy, and cybersecurity – AML/CFT compliance relies on collecting and analyzing financial data. Data protection laws (e.g., GDPR) impact how financial institutions store, share, and protect sensitive customer information while ensuring that AML measures remain effective.

Foreign exchange control, and precious gemstone and metal dealing – Criminals often launder money through foreign currency transactions, gold, diamonds, and other high-value assets. Regulations governing these sectors help prevent financial crime.

Consumer protection, financial inclusion, and ESG – AML/CFT frameworks must balance risk mitigation with ensuring access to financial services (financial inclusion). Additionally, ESG policies play a growing role in identifying illicit financial.

Real estate transactions are vulnerable to ML/TF risks, particularly when there is limited transparency or unusual payment methods:

Cross-border purchases (A):“Purchases by foreign buyers, especially from high-risk jurisdictions, are a red flag for money laundering in the real estate sector.”(CAMS 6th Edition, Real Estate Money Laundering Risks; FATF, Money Laundering and Terrorist Financing through the Real Estate Sector, 2007)

Non-financed purchases (D):“Non-financed (all-cash) purchases can indicate the introduction of illicit funds into the financial system, bypassing the controls of mortgage lenders.”(CAMS 6th Edition, Real Estate ML/TF Risks)

Incorrect Options:

B: Purchasing in the name of a natural person is standard and not inherently risky.

C: Paying the true market price does not raise ML/TF risk.

The Bank Secrecy Act (BSA) is the foundational Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) law in the United States. Enacted in 1970, the BSA requires financial institutions to establish and maintain effective AML programs designed to detect and prevent money laundering and terrorist financing.

Under the BSA and its implementing regulations, financial institutions must implement key controls such as Customer Identification Programs (CIP), customer due diligence (CDD), enhanced due diligence (EDD) for higher-risk customers, transaction monitoring, record-keeping, and the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) with FinCEN.

While the USA PATRIOT Act expanded AML obligations—particularly in relation to terrorist financing—it amended and strengthened the BSA rather than replacing it. The Money Laundering Control Act criminalized money laundering activities but does not establish the operational compliance framework. MiCA is an EU regulation and does not apply in the U.S.

Therefore, the BSA remains the cornerstone of U.S. AML/CFT compliance requirements.

Risks tied to the misuse of gaming accounts include transferring illicit funds between players undetected, structuring transactions to avoid reporting thresholds, and providing false personal information to evade KYC and regulatory oversight, all of which can facilitate money laundering and other financial crimes.

The Egmont Group is an international network of Financial Intelligence Units (FIUs) established to promote cooperation and information exchange in the fight against money laundering and terrorist financing. One of its core principles is to facilitate secure, timely, and lawful information sharing between FIUs.

The Egmont Group provides a framework, standards, and secure channels—such as the Egmont Secure Web—that allow FIUs to exchange intelligence related to suspicious transactions, typologies, and emerging financial crime risks across borders. This cooperation is essential given the transnational nature of money laundering and terrorist financing.

The Egmont Group does not publish reporting standards, act as a regulator, or publicly disclose investigation outcomes. Its role is operational and intelligence-focused, supporting FIUs while respecting confidentiality and national legal frameworks.

Therefore, arranging information-sharing protocols between FIUs is a fundamental principle of the Egmont Group.

The Basel Committee on Banking Supervision (BCBS) requires that the board of directors establish and oversee the compliance function and approve the bank's AML/CTF compliance policies and procedures, including processes for identifying, assessing, monitoring, and reporting compliance risks.

“The board of directors should establish a compliance function and approve compliance policies and processes for identifying, assessing, monitoring, and reporting compliance risks throughout the organization.”

(CAMS 6th Edition, Corporate Governance and Oversight; BCBS, Corporate Governance Principles for Banks, Principle 6)

A risk appetite statement defines the amount and type of risk an organization is willing to accept in pursuit of its objectives. It must be clearly communicated to all stakeholders and supported by corresponding controls and processes to ensure it is embedded in day-to-day decision-making and risk management.

UN sanctions regimes are not punitive but aim to:

B: “Support peaceful resolution of conflicts.”

D: “Deter non-democratic and unconstitutional changes of government.”

E: “Promote respect for human rights and humanitarian law.”(CAMS 6th Edition, United Nations Sanctions; UN Security Council Mandates)

Incorrect:

A: The UN does not impose sanctions to force regime type.

C: Sanctions are not for punishing weak AML controls.

A (ISO): Ensures information security controls are aligned with AFC efforts, protecting sensitive data and reducing the risk of cyber-enabled financial crime.

D (DPO): Helps ensure compliance with data privacy laws and enables secure, lawful information-sharing for AML purposes.

“Collaboration with the ISO and DPO is critical to maintaining data security and privacy within AFC compliance frameworks.”(CAMS 6th Edition, Governance and Cross-Functional Collaboration)

C: “The system must be adequate and proportionate to the bank’s size, activities, complexity, and risk profile. A one-size-fits-all solution is not appropriate.”

D: “Effective monitoring systems should support the detection of unusual trends and business relationships, facilitating meaningful analysis and alerts.”(CAMS 6th Edition, Transaction Monitoring System Requirements)

Incorrect:

A: Vendor internal controls are important, but not a top selection criterion for AML system effectiveness.

B: Permissions should be appropriate for the bank’s structure, not just compared to other banks.

Trade-based money laundering red flags include third-party involvement in transactions, amended letters of credit without clear justification, and non-standard settlement arrangements, all of which can indicate attempts to disguise illicit fund movements or the true nature of the trade.

A: The first step in any suspicious activity investigation is to review the transaction history and other relevant account information to establish context, identify patterns, and determine if the behavior is consistent with known typologies of money laundering.

“The initial phase of an AML investigation is to review relevant account information and transaction activity to assess whether a SAR filing is warranted.”

This approach ensures that any subsequent decisions, such as escalation, SAR filing, or customer outreach, are based on a comprehensive understanding of the facts.

The US Department of the Treasury identifies money services businesses (MSBs) and non-profit organizations with international operations as high money laundering risks when they lose access to traditional financial institutions, as this can push them toward less regulated channels that are more vulnerable to abuse.

Reference data screening is a core element of AML/CFT programs and typically covers:

Customers (B):“All customers must be screened against sanctions, PEP, and adverse media lists as part of onboarding and ongoing due diligence.”(CAMS 6th Edition, Due Diligence and Screening)

Third-party service providers (C):“Screening should extend to relevant third parties, such as agents and service providers, to prevent indirect exposure to sanctioned entities.”(CAMS 6th Edition, Third-Party Screening; FATF Recommendations)

Incorrect Options:

A: Types of payment messages are not screened; the entities/individuals are.

D: Customer spouses may be screened in some KYC processes but are not a standard dataset for reference screening.

Shell companies and other high-risk business structures are commonly associated with money laundering schemes designed to obscure ownership and transaction purpose. FATF guidance identifies several red flags indicative of such misuse.

A mismatch between goods or services and the company’s stated business profile suggests fictitious or manipulated transactions. Insufficient information on originators or beneficiaries of funds transfers further increases suspicion, as transparency is a core AML requirement. Additionally, payments lacking a clear purpose or meaningful description may indicate layering or attempts to conceal illicit activity.

Conversely, well-documented transactions with established partners and legitimate audit trails are indicators of lower risk. While structuring below reporting thresholds can be suspicious, it must also be inconsistent with standard business practices to qualify as a red flag.

Customer segmentation is a foundational element of effective transaction monitoring and is strongly aligned with the risk-based approach promoted by FATF and national regulators.

Customers differ significantly in their transaction behavior depending on factors such as customer type, industry, geography, products used, and transaction volumes. By grouping customers into similar peer segments, institutions can more accurately establish expected behavior and identify anomalies that may indicate suspicious activity.

Comparing customers across a single large population would mask meaningful deviations and generate excessive false positives or missed risks. Segmentation improves alert quality, efficiency, and investigative focus.

Customer segmentation is not limited to sanctions compliance; it is a core AML transaction monitoring practice used to detect money laundering, terrorist financing, and other financial crimes.

Before opening for business, a bank must have independent compliance testing to ensure controls are functioning, qualified staff who understand AML/CFT requirements, and documented policies and procedures to guide day-to-day compliance. These are foundational elements of an effective AML/CFT framework.

The remote gambling sector presents unique money laundering and terrorist financing risks due to its online, non-face-to-face nature, as recognized in FATF and national regulatory guidance.

A major risk is that customers are not physically present for identification, which increases impersonation and identity fraud risks and requires robust digital onboarding controls.

Another significant risk is the use of anonymous prepaid cards or other anonymous payment methods. These instruments reduce traceability and can be used to introduce illicit funds into gambling platforms with limited customer identification.

Additionally, numerous low-level transactions may indicate structuring behavior designed to avoid enhanced due diligence thresholds and monitoring controls. This tactic allows criminals to layer transactions while appearing consistent with normal gambling behavior.

Large cash deposits are less relevant in remote gambling, as transactions are typically electronic. Betting beyond affordability may indicate problem gambling but is not, by itself, a core AML risk indicator.

An effective name screening process is a critical component of sanctions and AML compliance. Regulators expect financial institutions to implement strong governance, risk-based design, and ongoing validation.

Clearly defining the screening scope, frequency, and alert adjudication procedures in policies ensures consistency, transparency, and accountability across the organization.

Conducting a risk assessment allows institutions to make informed, proportionate decisions on which data attributes to screen (e.g., names, aliases, addresses), how frequently to screen, and which databases to use. This aligns with the risk-based approach.

Regular testing and validation ensure that screening systems continue to perform as intended, detect true matches, and minimize false positives or missed hits.

Selecting the most popular database or assigning a single individual for control ownership does not ensure effectiveness and may introduce governance risk.

A rules-based approach to transaction monitoring relies on predefined rules that flag specific patterns and on setting thresholds that trigger automated alerts when exceeded. These techniques are fundamental to identifying potentially suspicious activities in a structured, deterministic way.

When developing and maintaining AML policies, standards, and procedures, banks should rely on the National Risk Assessment, regulatory guidance or publications, and guidance issued by international bodies to ensure their frameworks align with both domestic and global best practices and risk considerations.

Public-private partnerships allow public organizations to gain insights from the private sector to shape effective policies and legislation. Additionally, strong data protection and privacy frameworks help create secure information-sharing protocols within PPPs, enhancing collaboration while preventing unauthorized access.

Customer loyalty program tracking and product usage analysis can uncover unusual patterns or behaviors that deviate from expected norms. These insights may help detect suspicious activity or hidden risks, making them valuable tools for supporting AML compliance even if not directly linked to traditional monitoring systems.

Application Programming Interfaces (APIs)are tools that enableinterconnectivity and data exchangebetween different software applications. In AML contexts, APIs are commonly used tointegrate third-party systems, such as screening tools, customer databases, and transaction monitoring platforms, ensuring real-time and accurate flow of information.

This technological capability supports enhancedautomation, agility, and efficiencyin AML processes.

A national risk assessment can identify high-risk sectors requiring enhanced due diligence and guide resource allocation to mitigate financial crime risks effectively, helping organizations align their risk-based approach with national priorities and threats.

Virtual Asset Service Providers (VASPs) are considered higher-risk customers due to their exposure to anonymity, speed, and cross-border transactions. FATF guidance highlights several red flags indicative of potential money laundering activity.

The use of shell companies to move funds into and out of a VASP is a strong indicator of attempts to conceal beneficial ownership and obscure transaction flows. Similarly, frequent use of mixers and tumblers is a well-recognized technique used to break transaction trails and hinder blockchain tracing.

Receiving funds from jurisdictions with weak AML frameworks significantly increases geographic risk, particularly when combined with other red flags.

By contrast, peer-to-peer infrastructure use and market volatility are inherent features of the virtual asset ecosystem and do not, on their own, indicate money laundering.

Independent testing is critical for the third line of defense to provide unbiased and effective oversight, ensuring that reviews and audits are objective and free from influence by the first or second lines of defense.

Analyzing the most recent National Proliferation Financing Risk Assessment from the relevant authority provides an organization with authoritative, up-to-date insights into current threats, high-risk sectors, and jurisdictional exposures, enabling better understanding and mitigation of proliferation financing risks.

Customer onboarding is a critical AML/CFT process that must balance regulatory compliance with customer experience. Excessive friction can lead to customer dissatisfaction and abandonment.

Implementing internal or external tools—such as digital onboarding platforms, document collection tools, and workflow automation—can significantly streamline information gathering and reduce delays while maintaining compliance standards.

Additionally, consistent training of all employees involved in onboarding ensures that information requests are clear, consistent, and proportionate. Well-trained staff reduce rework, confusion, and unnecessary follow-ups, improving customer trust and efficiency.

Restricting decision-making to managers can slow processes, and delaying updates to processes reduces adaptability to evolving risks and regulatory expectations.

Data encryption protects sensitive information from unauthorized access, while privacy-enhancing technologies (PETs) enable secure and compliant data sharing with third parties, helping financial institutions meet privacy and data protection regulations.

Nominee shareholders may be used for legitimate commercial reasons; however, FATF guidance identifies nominee arrangements as a significant money laundering risk when they obscure beneficial ownership.

The greatest risk arises when nominee shareholders provide anonymity to the true beneficial owner, preventing transparency in public registers and complicating due diligence. Criminals may exploit this opacity to conceal ownership, evade sanctions, launder illicit proceeds, or avoid tax and regulatory scrutiny.

The ability to hide ownership undermines one of the core objectives of AML/CFT frameworks: identifying and verifying beneficial owners. As a result, regulators require enhanced due diligence and clear documentation when nominee shareholders are involved.

Other features—such as administrative efficiency, compliance with local laws, or ease of share transfer—do not inherently increase financial crime risk when transparency and disclosure requirements are met.

Money Services Businesses (MSBs)are commonly recognized by regulatory and supervisory authorities as havinghigher inherent AML/CFT risk, particularly due to certain business characteristics.

Option B – The prevalence of international wire transfers:

MSBs often facilitatecross-border transactions, which present a higher money laundering and terrorist financing risk due to challenges in verifying customer identity, the origin of funds, and the end destination—especially when dealing with higher-risk jurisdictions.

Option D – The cash-intensive nature of the services offered:

Many MSBs deal primarily incash, which increases the risk ofanonymous transactionsandfunds layering, making it harder to trace illicit activity. Cash is the most vulnerable medium for placement of illicit funds into the financial system.

Option AandOption E, while involving modern technologies,can actually reduce riskwhen implemented with proper controls (e.g., secure digital onboarding and traceable payments enhance auditability).

Option Cdoes not in itself signal high AML risk unless combined with other red flags.

Risk assessment is the foundation of an effective AML compliance program. It enables an organization to identify, understand, and prioritize its exposure to money laundering and terrorist financing risks, which in turn informs the development of appropriate controls, including policies, procedures, and customer due diligence measures.

A primary objective of public sector groups in combating money laundering is to establish and enforce legal and regulatory frameworks that enable the detection, prevention, and punishment of money laundering and related financial crimes, ensuring the integrity of the financial system.

Early surrender of a policy can be used to quickly access and integrate illicit funds, while funding an insurance policy with cryptocurrencies or other non-fiat currencies can obscure the source of funds, both of which are recognized money laundering risk factors in insurance products.

Best practices for senior management involvement include setting the tone from the top to promote a strong compliance culture and establishing clear criteria for escalations, ensuring that significant financial crime issues are promptly brought to their attention for action.

The Office of Foreign Assets Control (OFAC), part of the U.S. Department of the Treasury, is responsible for theadministration and enforcement of economic and trade sanctions. These sanctions are based on U.S. foreign policy and national security objectives and target:

Foreign countries and regimes

Terrorist organizations

Narcotics traffickers

Individuals and entities engaged in activities related to the proliferation of weapons of mass destruction

OFAC acts under various authorities, including national emergency powers granted by the President and specific legislation. One of its primary tools is theSpecially Designated Nationals(SDN) List, which identifies individuals and entities whose assets are blocked and with whom U.S. persons are generally prohibited from dealing.

It is important to note that OFAC is not responsible for designating jurisdictions as primary money laundering concerns (a task handled by FinCEN under Section 311 of the USA PATRIOT Act), nor does it manage trade agreements.

The United Nations Security Council (UNSC) is authorized under the UN Charter to imposebinding sanctions measureson member states. These sanctions may target countries, entities, or individuals and can include arms embargoes, travel bans, asset freezes, and restrictions on trade or financial services.

Statement Ais correct:

Circumventing or evading UNSC sanctionsmay constitute a criminal offenseif the jurisdiction has incorporated UN obligations into domestic law. While the UNSC does not directly impose criminal penalties,member states must implement these measures locally, andmany jurisdictions have lawsthat make such violations criminal acts.

Statement Bis incorrect:

The UNSC is empowered toimpose broad restrictions, includingtrade bans beyond arms, such as on luxury goods, fuel, or specific commodities. Therefore, the idea that it cannot prohibit exports beyond arms is inaccurate.

Statement Cis correct:

Member countries of the United Nations are expected to implement and enforce UNSC sanctions, in accordance with their obligations under the UN Charter (specifically Chapter VII). Countries are responsible for transposing these sanctions into their national legal frameworks.

Statement Dis incorrect:

Although member countries are required to enforce sanctions,not all countries automatically consider breaches a criminal offense. Whether a violation is criminal depends on how each country enacts UN sanctions domestically.

Once there is reasonable suspicion of money laundering, the next critical step is to draft and file a suspicious activity report (SAR) with the relevant financial intelligence unit within the required regulatory timeframe. The SAR should contain a clear chronology of transactions, relevant customer details, and the rationale for suspicion to support potential investigation by authorities.

Regulatory frameworks and enforcement actions consistently emphasize individual accountability at the highest levels of governance when AML/CFT compliance programs are deficient in design or implementation.

The board of directors is ultimately responsible for oversight of the institution’s AML/CFT framework. This includes approving policies, setting risk appetite, and ensuring that adequate resources and governance structures are in place. Failure to fulfill these responsibilities can result in regulatory findings and personal accountability.

Senior management is responsible for implementing the board-approved AML/CFT strategy and ensuring that controls operate effectively in practice. This includes overseeing compliance functions, addressing identified weaknesses, and ensuring timely remediation. Deficiencies in program design—such as inadequate risk assessments or ineffective controls—often lead regulators to hold senior management accountable.

While the compliance department plays an important role in execution and advisory functions, accountability for program design and effectiveness rests with the board and senior management, not committees or individual departments.

Paying premium several years in advance and terminating early for a refund (A):“A typical red flag is when a policyholder pays large premiums up front and then seeks early termination to receive a refund. This can be used to launder illicit funds by integrating them into the financial system and then retrieving ‘clean’ money.”(CAMS 6th Edition, Life Insurance ML/TF Risks; FATF Guidance for a Risk-Based Approach for the Life Insurance Sector)

Regularly switching policies and accepting penalties (D):“Frequent changes in insurance policies or products, even at a financial loss, are considered suspicious. This may indicate an attempt to obscure the money trail or integrate illicit proceeds.”(CAMS 6th Edition, ML/TF Red Flags in Life Insurance)

Incorrect Options:

B: Having multiple policies is common and not itself a red flag.

C: High premiums/payouts are not inherently suspicious.

E: Beneficiary payouts to elderly people are not ML/TF red flags.

Correspondent banking relationships are recognized as higher risk under FATF guidance primarily because transactions are cross-border and conducted on behalf of third-party customers.

In correspondent banking, a respondent bank may process transactions for customers that the correspondent bank does not have a direct relationship with. This reduces transparency and limits the correspondent’s ability to fully assess customer identity, beneficial ownership, and transaction purpose.

While correspondent transactions may involve high-risk jurisdictions, this is not always the case. They are not anonymous by design, and payment messaging standards often require significant information. However, the indirect customer relationship and cross-border nature introduce complexity, jurisdictional risk, and reliance on the respondent bank’s controls.

Therefore, third-party and cross-border exposure is the key driver of heightened risk.

A, B, C, D are all identified by CAMS 6th Edition and FATF as primary financial crime risks for e-commerce platforms:

A: Platforms can be exploited to launder money by processing the movement of criminal proceeds under the guise of legitimate sales.

B: Use of stolen credit/debit cards for online purchases is a common fraud and ML technique.

C: Fraud schemes (such as chargebacks or fake listings) are widespread on e-commerce platforms.

D: E-commerce platforms can serve as fronts for illicit goods or services, masking the true nature of transactions.

E and F are not commonly cited as principal inherent risks in AML/CTF guidance.

Conducting a periodic enterprise-wide risk assessment (EWRA) is the most effective approach to identifying, assessing, and mitigating financial crime risks. It ensures all inherent risks across areas like AML, CFT, sanctions, fraud, ABC, and tax evasion are evaluated, existing controls are assessed, and residual risks are identified. This comprehensive view enables a cohesive and proactive risk management strategy aligned with regulatory expectations.

The relationship manager is in the best position to identify and report money laundering risks due to their direct and ongoing interaction with clients. They have detailed knowledge of clients’ profiles, financial behaviors, and any unusual activities that may raise red flags.

Adverse media screening is an important component of customer due diligence, but reliance on general search engines presents several limitations recognized by AML practitioners and regulators.

Search engines typically provide unstructured data, which makes it difficult to systematically analyze and document results for compliance purposes. Information may be incomplete, duplicated, or lack context.

The process is also time-consuming and highly manual, particularly for institutions screening large customer populations. Manual reviews increase operational burden and introduce inconsistency and human error.

Additionally, search engine algorithms vary, meaning results can differ depending on timing, location, and personalization, leading to inconsistent outcomes that are difficult to audit or reproduce.

While language coverage and relevance may be challenges, the most critical limitations relate to lack of structure, inefficiency, and inconsistent results.

One of the central pillars of the EU AML Package adopted in June 2024 is theEU AML Regulation. This regulation introduces directly applicable AML/CFT rules across all EU member states, replacing the previous approach where AML directives were transposed into national laws. This shift addresses regulatory fragmentation and strengthens enforcement across borders.

The complete AML Package includes the following four pillars:

EU AML Regulation (directly applicable rulebook)

6th AML Directive (not the 7th)

Establishment of a new EU Anti-Money Laundering Authority (AMLA)

Revised Transfer of Funds Regulation, especially concerning crypto-asset service providers

The EU AML Regulation aims to unify and streamline the application of AML/CFT measures across the EU, ensuring a consistent and effective framework.

BSA/AML compliance staff should report to the compliance function or another second line of defense internal control function to maintain independence from business line management, ensuring objective oversight and effective compliance controls.

AML/CFT frameworks require financial institutions to balance effective compliance with customer data protection, in line with regulatory expectations and data privacy laws. Using a combination of appropriate data security and governance measures ensures both objectives are met.

Data encryption protects sensitive customer information from unauthorized access or breaches, both during transmission and storage. This is a critical safeguard for AML systems that handle personal and financial data.

Data minimization ensures that institutions collect and retain only the data necessary to meet AML and regulatory requirements. This reduces privacy risks and aligns with global data protection principles while still supporting effective customer due diligence.

Access controls restrict sensitive customer information to authorized personnel only, reducing the risk of internal misuse or data leakage and supporting strong governance over AML operations.

In contrast, comprehensive data collection beyond what is required is inconsistent with data protection principles, and retaining customer data beyond regulatory requirements increases compliance and privacy risks.

Using encryption, minimization, and access controls together represents best practice for secure and compliant AML operations.

The susceptibility of a company or jurisdiction to ML/TF abuse is significantly increased by:

Permissibility of bearer shares (B):“Bearer shares make it easy to hide ownership and control, presenting a major risk for misuse by criminals.”(CAMS 6th Edition, Beneficial Ownership and Company Transparency)

Rules governing the disclosure of beneficial ownership by the jurisdiction (C):“Weak requirements or loopholes in beneficial ownership disclosure are frequently exploited to conceal criminal involvement in corporate structures.”(CAMS 6th Edition, Chapter: Legal Persons and Arrangements)

Incorrect Options:

A: High or low fees are not a significant ML/TF risk driver.

D: Ease of travel is unrelated to ML/TF risk related to company structures.

Explainable artificial intelligence (AI) and machine learning (ML) technologies are increasingly adopted within AML/CFT compliance to enhance effectiveness while maintaining regulatory transparency. Regulators emphasize that explainability and human oversight are essential when using advanced analytics.

One key benefit is the ability to process and analyze large volumes of data quickly and accurately. AML programs must review massive transaction datasets, customer profiles, and behavioral patterns. AI and ML models improve detection capabilities by identifying complex patterns and anomalies that may not be evident through traditional rule-based systems.

Another critical benefit of explainable AI is improved auditability, accountability, and governance. Explainable models allow compliance teams, auditors, and regulators to understand how decisions are made, why alerts are generated, and how risks are assessed. This transparency supports regulatory compliance and model governance requirements.

AI systems are not intended to replace human involvement or eliminate compliance staff. Human judgment remains essential for investigations, decision-making, and regulatory reporting.

E-commerce platforms face KYC challenges due to a global and diverse customer base, making due diligence complex, while criminals may exploit identity fraud to pass KYC checks and facilitate layering in money laundering schemes. These factors increase the financial crime risks for such businesses.

FIUs rely on formal cooperation mechanisms to exchange information lawfully and efficiently across borders. One of the most widely used mechanisms is a Memorandum of Understanding (MOU) between FIUs in different jurisdictions.

MOUs establish the terms, scope, confidentiality protections, and procedures for sharing financial intelligence. They enable FIUs to exchange information directly, quickly, and securely while respecting data protection and domestic legal requirements. This structure significantly reduces bureaucratic delays and supports effective cross-border investigations.

FATF and regional bodies are standard-setters and evaluators, not operational information-sharing hubs. The Wolfsberg Group is a private-sector association and does not facilitate FIU-to-FIU communication. MLATs are used primarily by law enforcement and judicial authorities for criminal proceedings and arrests—not for FIU intelligence exchange.

Therefore, MOUs are the correct and most appropriate mechanism for FIU cooperation.

Effective oversight of transaction monitoring includes:

Periodic review of client profiles to ensure up-to-date information for high-risk clients (B):“Reviewing and updating customer profiles is essential to ensure that monitoring scenarios are based on current risk data.”(CAMS 6th Edition, Transaction Monitoring and Customer Due Diligence)

Periodic review of transaction monitoring scenarios and productivity to ensure appropriate AML typologies are reflected (D):“Firms should periodically review the parameters and output of transaction monitoring systems to ensure they continue to identify relevant ML/TF risks and typologies.”(CAMS 6th Edition, Monitoring and Surveillance)

Incorrect Options:

A: Cooperation with the legal team is important, but not a core strategy for monitoring governance.

C: SARs filed with FinCEN should not be withdrawn unless new evidence requires it; review should focus on process, not withdrawal.

Terms of Reference (ToR) are a fundamental governance document that define how a committee operates, makes decisions, and fulfills its responsibilities. Regulatory guidance and corporate governance best practices emphasize clarity and accountability in committee mandates.

The extent of power and decision-making authority must be clearly defined to ensure members understand what decisions they are authorized to make and where escalation is required. This prevents overlaps or governance gaps.

The composition and structure of the committee, including membership criteria and roles, ensures appropriate expertise and representation. This is essential for effective oversight, particularly in AML/CFT and risk committees.

Delegation of authority outlines how responsibilities may be assigned or escalated, supporting efficient decision-making while maintaining accountability.

Organization charts and company culture statements are not typically core components of a ToR, as they do not define operational authority or governance mechanics.