CAMS: Global AFC Frameworks, Governance, and Regulations

Use this page to isolate Global AFC Frameworks, Governance, and Regulations before returning to mixed CAMS practice.

Topic snapshot

Sample questions

These questions are original Finance Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Global AFC Frameworks, Governance, and Regulations

An EU-based bank’s long-standing import customer asks the bank to issue a USD letter of credit for machine tools shipped from Singapore to Turkey. The goods are manufactured by a Russian company recently mentioned in sanctions-related news, and the payment would clear through a U.S. correspondent bank. What is the best action before issuing the letter of credit?

• A. Screen only the applicant and beneficiary against the bank’s domestic sanctions list.
• B. Proceed because the applicant is an existing customer and the shipment does not enter a sanctioned country.
• C. Ask the customer to change the payment currency so the U.S. correspondent bank is not involved.
• D. Escalate for sanctions review covering the parties, goods, jurisdictions, and payment route before processing.

Best answer: D

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: Sanctions awareness matters when a transaction has cross-border touchpoints, even if the bank’s direct customer is known. Here, the letter of credit involves an EU bank, USD clearing through a U.S. correspondent, goods moving between third countries, and a Russian manufacturer with sanctions-related concerns. The best action is not to assume the transaction is permitted or to route around one apparent issue. Sanctions compliance should assess all relevant parties, ownership or control, goods, vessels or transport if relevant, jurisdictions, and payment channels under applicable regimes before the bank commits to the trade finance transaction.

• Proceeding based on the customer’s existing relationship ignores transaction-specific sanctions risk.
• Screening only domestic lists is too narrow because cross-border payments may trigger other applicable regimes.
• Changing currency to avoid a correspondent bank can be viewed as sanctions evasion risk rather than a control.

Cross-border parties, goods, jurisdictions, and USD clearing create potential exposure to multiple sanctions regimes that must be assessed before issuance.

Question 2

Topic: Global AFC Frameworks, Governance, and Regulations

A national authority receives suspicious transaction reports and other disclosures from reporting entities, analyzes them with other available information, and disseminates financial intelligence to competent domestic authorities or foreign counterparts when appropriate. Which concept does this description match?

• A. Prosecutorial authority
• B. Financial intelligence unit (FIU)
• C. UN sanctions committee
• D. Prudential supervisor

Best answer: B

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: A financial intelligence unit is the national center for handling financial intelligence. Reporting entities submit suspicious activity or transaction reports and other required disclosures to the FIU. The FIU analyzes those reports, often combining them with additional data, and disseminates intelligence to law enforcement, supervisors, tax authorities, or foreign FIUs when appropriate. This differs from a sanctions body, which designates or oversees sanctions measures; a prudential supervisor, which focuses on safety, soundness, and compliance oversight; and prosecutors, who pursue criminal cases after investigative development.

• A UN sanctions committee is linked to sanctions designations and implementation oversight, not routine receipt and analysis of suspicious reports.
• A prudential supervisor may examine institutions’ AFC controls, but it is not the central hub for financial intelligence dissemination.
• A prosecutorial authority may use FIU intelligence in a case, but it does not perform the FIU’s central intake and analysis function.

An FIU is the central authority for receiving, analyzing, and disseminating financial intelligence related to suspected financial crime.

Question 3

Topic: Global AFC Frameworks, Governance, and Regulations

A global bank is refreshing its jurisdiction risk assessment for onboarding and ongoing monitoring. Country A was recently identified in a FATF-style regional body mutual evaluation as having weak beneficial ownership transparency and ineffective supervision of virtual asset service providers. FATF has also issued a public statement placing Country A under increased monitoring. What is the BEST action for the AFC team?

• A. Ignore the findings unless Country A becomes subject to sanctions or mandatory countermeasures.
• B. Lower Country A’s risk rating because increased monitoring means the jurisdiction is cooperating with FATF.
• C. Automatically exit all customers with any Country A nexus to avoid exposure to the identified deficiencies.
• D. Incorporate the findings into the jurisdiction risk methodology and adjust due diligence and monitoring for Country A exposure using a risk-based approach.

Best answer: D

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: FATF and FATF-style regional body outputs help institutions understand jurisdiction-level financial crime risk. A mutual evaluation identifies strengths and weaknesses in a country’s AML/CFT framework, while FATF public statements signal strategic deficiencies and the level of international concern. Placement under increased monitoring does not automatically require de-risking, sanctions treatment, or suspicious activity reporting for every customer. It should prompt the institution to reassess jurisdiction risk, consider affected customer, product, and channel exposures, and apply proportionate controls such as enhanced due diligence, beneficial ownership scrutiny, and monitoring where warranted.

• Waiting for sanctions or countermeasures misses the risk-awareness value of mutual evaluations and public statements.
• Automatic exit is not a risk-based response and may create inappropriate blanket de-risking.
• Cooperation with FATF does not erase the identified strategic deficiencies; it remains a relevant risk factor.

Mutual evaluations and FATF public statements are credible inputs for jurisdiction risk awareness and should inform risk-based controls.

Question 4

Topic: Global AFC Frameworks, Governance, and Regulations

A bank’s AFC team is calibrating country-risk scoring. It reviews an independent civil-society report that compares countries by perceived public-sector corruption and weak governance, then uses the report as one input when deciding where enhanced due diligence may be appropriate. Which concept best matches this source of risk insight?

• A. Internal governance insight from board-approved risk appetite
• B. Non-governmental risk insight from civil-society research
• C. Public-sector risk insight from an FIU typology bulletin
• D. Private-sector risk insight from shared customer transaction patterns

Best answer: B

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: Public, private, and non-governmental groups contribute different kinds of AFC risk insight. Public-sector bodies such as FIUs, regulators, and law enforcement may provide typologies, enforcement priorities, sanctions measures, or national risk assessments. Private-sector firms may contribute insight from observed customer behavior, payments, fraud patterns, or information-sharing partnerships. Non-governmental organizations and civil-society groups often provide independent research on corruption, human rights abuses, trafficking, conflict, environmental crime, and governance weaknesses. In this scenario, the source is an independent civil-society report on perceived corruption and governance, so it is best mapped to non-governmental risk insight.

• FIU typology insight would usually come from a government or public authority, not an independent civil-society report.
• Shared customer transaction patterns are a private-sector contribution, not the described corruption and governance research.
• Board-approved risk appetite guides internal decision-making but is not an external source of country-risk insight.

Independent NGO or civil-society research can provide open-source insight into corruption, governance, and related financial-crime risks.

Question 5

Topic: Global AFC Frameworks, Governance, and Regulations

A bank is assessing emerging human-trafficking risk in cross-border remittances. It has three inputs: an FIU advisory on mule-account typologies, a peer-bank forum summary on suspicious corridor and structuring patterns, and an NGO report describing recruitment routes and victim-control methods. Which is the BEST action for AFC compliance to take?

• A. Combine the inputs by risk-insight type, compare them with the bank’s own customer and transaction data, and update monitoring, EDD, and investigation guidance where supported.
• B. Prioritize only the FIU advisory because public-sector information is authoritative and other sources may be unverified.
• C. Send customer-level alert details to the NGO so it can confirm whether the bank’s customers are linked to victims.
• D. Adopt the NGO report as the primary risk model because NGOs are closest to affected communities.

Best answer: A

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: Different groups contribute different risk insights. Public authorities such as FIUs can provide typologies, threat alerts, and law-enforcement-informed indicators. Private-sector peers can identify transaction patterns, corridor behavior, product vulnerabilities, and practical control issues seen across institutions. NGOs may add ground-level context about exploitation methods, vulnerable populations, routes, and non-financial indicators. The strongest AFC response is not to treat one source as automatically sufficient, but to integrate and corroborate these insights against the institution’s own risk profile, customer base, and transaction data. If supported, the bank can refine monitoring scenarios, EDD questions, investigator red flags, and escalation criteria.

• Relying only on the FIU advisory ignores useful private-sector and NGO intelligence that can improve risk understanding.
• Making the NGO report the primary model overstates one source and skips validation against bank data.
• Sharing customer-level alert details with an NGO may breach confidentiality and is not the proper way to validate suspicious activity.

This uses public, private, and NGO sources for their distinct insights while validating and operationalizing them through the institution’s risk-based controls.

Question 6

Topic: Global AFC Frameworks, Governance, and Regulations

A bank files a suspicious transaction report after identifying payments that appear structured to evade a UN sanctions measure. The FIU acknowledges receipt and states that the information may be shared with competent authorities. Senior management asks what role law enforcement would play if the matter proceeds. What is the best explanation?

• A. Law enforcement would investigate the suspected criminal activity, use lawful powers to gather evidence, and work toward criminal outcomes such as arrest, prosecution support, or asset restraint.
• B. Law enforcement would act as the FIU by receiving, analyzing, and disseminating all suspicious transaction reports.
• C. Law enforcement would replace the bank’s sanctions controls and decide whether the customer should remain onboarded.
• D. Law enforcement would issue UN sanctions designations and supervise the bank’s compliance program.

Best answer: A

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: In a global AFC framework, law enforcement is responsible for investigating suspected criminal activity and helping pursue criminal outcomes. After an FIU receives and analyzes suspicious reporting, it may disseminate intelligence to law enforcement or other competent authorities. Law enforcement can then use legal powers—such as interviews, production orders, searches, arrests, or asset restraint where authorized—to build an evidentiary case and work with prosecutors. The bank’s role remains to maintain controls, preserve records, comply with reporting and sanctions obligations, and respond appropriately to lawful requests without tipping off the customer.

• Replacing the bank’s controls confuses law enforcement’s investigative role with the institution’s compliance responsibilities.
• Receiving and analyzing STRs is generally the FIU’s role, not law enforcement’s primary role.
• Issuing UN sanctions designations and supervising compliance programs are functions of sanctions authorities and regulators, not criminal investigators.

Law enforcement’s core role is to investigate suspected crimes and support the pursuit of criminal outcomes through lawful investigative powers.

Question 7

Topic: Global AFC Frameworks, Governance, and Regulations

A national risk assessment is updated to identify trade-based money laundering involving import/export companies, third-party payments, and rapid cross-border movement of funds as a rising threat. A regional bank’s last institutional risk assessment rates trade finance and correspondent banking as moderate risk. The bank recently expanded services to small import/export customers. What is the BEST action for the AFC compliance team?

• A. Exit all small import/export customers and correspondent banking relationships to eliminate the newly identified risk.
• B. Update the institutional risk assessment to evaluate the bank’s exposure to the highlighted typology and adjust relevant customer, product, geography, and control ratings as needed.
• C. File suspicious activity or transaction reports on all import/export customers because the sector is now identified as higher risk.
• D. Leave the institutional risk assessment unchanged until the national authority issues a binding regulation on trade-based money laundering.

Best answer: B

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: National and sector risk assessments help institutions calibrate their own risk-based approach. A new national finding does not automatically make every customer suspicious or require blanket de-risking. The bank should determine whether and how the identified typology affects its own business model, customers, products, channels, and geographies. Because the bank has trade finance, correspondent banking, and recent growth in import/export customers, the finding is relevant and should trigger an update to the institutional risk assessment, including reassessment of inherent risk, control effectiveness, and any needed enhancements to monitoring, due diligence, or escalation processes.

• Waiting for a binding regulation ignores the purpose of national risk assessments as inputs to a risk-based AFC program.
• Filing reports on all customers in a sector confuses higher inherent risk with specific suspicion based on facts and activity.
• Exiting entire customer segments is blanket de-risking and is not the risk-based response required by the facts.

The new national risk finding should be mapped to the institution’s actual exposure and reflected in risk ratings and control priorities.

Question 8

Topic: Global AFC Frameworks, Governance, and Regulations

A bank’s investigations team identifies a possible mule-account network involving rapid credits and outgoing transfers to accounts at two other banks. The country has an FIU-sponsored public-private information-sharing gateway that permits participating firms to exchange AML/CFT intelligence under confidentiality and data-minimization rules. A relationship manager suggests directly messaging a former colleague at one of the other banks to compare customer names before escalating. What is the best action?

• A. Have the relationship manager contact the peer bank informally and exchange full KYC files to speed up confirmation of the network.
• B. Tell the suspected customers that their information may be shared so they can explain the transfers before any escalation.
• C. Decline all peer and FIU collaboration unless a court order is received, because AML intelligence cannot be shared by private firms.
• D. Use the approved information-sharing gateway after AFC/legal review, sharing only relevant indicators under confidentiality while continuing required internal escalation and reporting analysis.

Best answer: D

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: Private-sector collaboration can be valuable in detecting cross-institution financial-crime networks, but it must occur through lawful and controlled channels. An FIU-sponsored or otherwise authorized information-sharing gateway provides a governance framework for purpose limitation, confidentiality, data minimization, documentation, and protection against tipping off. The bank should not rely on informal personal contacts or over-share customer records. Collaboration also does not replace the bank’s own investigation, escalation, and suspicious activity or transaction reporting analysis.

• Informal peer contact bypasses approved governance and risks unauthorized disclosure or excessive data sharing.
• Notifying suspected customers can create tipping-off risk and compromise the investigation.
• Refusing all collaboration is too restrictive where an authorized AML/CFT sharing mechanism exists.

Responsible collaboration uses an authorized mechanism with governance, confidentiality, data minimization, and no delay to reporting obligations.

Question 9

Topic: Global AFC Frameworks, Governance, and Regulations

A country’s latest national risk assessment states that cross-border remittance providers serving conflict-affected corridors present elevated terrorism-financing risk. A bank has a licensed remittance customer in that sector. The latest review shows activity consistent with the customer’s profile, no sanctions matches, and no adverse media. The relationship manager asks whether the assessment requires an immediate suspicious activity report. What is the best action?

• A. Use the national risk assessment as an external risk input to reassess the customer’s risk rating and controls, and escalate only if customer or transaction evidence supports suspicion.
• B. Exit the relationship because continuing to bank a sector named in the assessment would be inconsistent with a risk-based approach.
• C. File a suspicious activity report because the national risk assessment identifies the customer’s sector as high risk.
• D. Make no changes unless the transaction-monitoring system generates an internal alert on the customer.

Best answer: A

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: National and sector risk assessments provide external insight into typologies, vulnerable sectors, jurisdictions, and products. They should feed the institution’s enterprise risk assessment, customer risk scoring, due diligence depth, monitoring scenarios, and management reporting. However, an external assessment does not by itself prove that a particular customer is suspicious. In this scenario, the customer is licensed, activity is consistent with its profile, and there are no sanctions or adverse-media concerns. The best action is to incorporate the external risk signal into the bank’s risk-based controls while continuing to look for customer- or transaction-specific evidence before escalating for suspicious activity reporting.

• Filing solely because the sector is high risk confuses external risk insight with specific suspicion.
• Exiting the relationship solely on sector exposure is blanket de-risking, not risk-based management.
• Waiting for an automated alert ignores the need to incorporate national risk assessment findings into risk assessment and control design.

External risk assessments inform risk-based controls, but suspicious reporting generally requires customer- or transaction-specific grounds for suspicion.

Question 10

Topic: Global AFC Frameworks, Governance, and Regulations

A regional bank’s transaction monitoring system flags small, repeated transfers from a salary-account customer to a charity operating near a conflict zone. The activity is inconsistent with the customer’s stated account purpose. The customer and known counterparties have been screened against the UN Security Council Consolidated List as implemented in the bank’s jurisdiction, and there is no true sanctions match. What is the BEST action for compliance?

• A. Submit only a sanctions-list report to the sanctions authority without evaluating suspicious-reporting criteria.
• B. Close the alert because no party is on the sanctions list and no sanctions-freeze obligation applies.
• C. Continue a CFT-focused investigation and escalate for suspicious activity or transaction reporting if the facts support suspicion.
• D. Freeze the account solely because the charity operates near a conflict zone.

Best answer: C

What this tests: Global AFC Frameworks, Governance, and Regulations

Explanation: Sanctions-list obligations are generally triggered by a true match to a designated person, entity, vessel, or other listed target under applicable sanctions measures, often requiring freezing, blocking, rejection, or reporting to the competent sanctions authority. Broader AML/CFT obligations are different: institutions must monitor for unusual or suspicious activity, investigate alerts, document decisions, and report to the FIU or other competent authority when suspicion is formed. Here, there is no true UN sanctions-list match, so the facts do not support a list-based freeze solely on that basis. However, repeated transfers inconsistent with the customer’s profile and involving a charity near a conflict zone are CFT-relevant red flags that require investigation and possible suspicious reporting.

• Closing the alert confuses a negative sanctions screen with the end of CFT monitoring duties.
• Freezing solely due to conflict-zone exposure overstates sanctions obligations and may amount to an unsupported blanket action.
• A sanctions-only report misses the need to assess whether the pattern creates suspicious activity or transaction reporting obligations.

A negative sanctions-list screen does not remove the bank’s separate AML/CFT obligation to investigate unusual activity and report suspicion where warranted.

Continue with full practice

Use the CAMS Practice Test page for the full Finance Prep practice bank, mixed-topic practice, timed mock exams, and explanations.

Related focused pages

• Free CAMS Full-Length Practice Exam
• CAMS: Understanding the Risks and Methods of Financial Crime
• CAMS: Building an Anti-Financial Crime Compliance Program
• CAMS: Tools and Technologies to Fight Financial Crime

Free review resource

Use the full Finance Prep practice page above for the latest review links and practice page.