CISI CFC: Financial Sanctions

Try 10 focused CISI CFC questions on Financial Sanctions, with answers and explanations, then continue with Securities Prep.

Open the matching Securities Prep practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | CISI CFC |
| Issuer | CISI |
| Topic area | Financial Sanctions |
| Blueprint weight | 4% |
| Page purpose | Focused sample questions before returning to mixed practice |

How to use this topic drill

Use this page to isolate Financial Sanctions for CISI CFC. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 4% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Financial Sanctions

In sanctions screening, a firm reviews alerts triggered by common names, transliteration differences, or missing identifiers, then uses further data to clear false positives or escalate genuine matches quickly and record the outcome. Which control does this describe?

  • A. Sanctions alert investigation and resolution
  • B. Suspicious activity reporting escalation
  • C. Screening-engine calibration and tuning
  • D. Periodic customer due diligence review

Best answer: A

What this tests: Financial Sanctions

Explanation: The described function is the post-alert review process, not the screening system itself. It uses additional identifiers to distinguish false positives from genuine sanctions matches and must operate quickly so the firm avoids both unnecessary delays and missed risks.

False positives are common in sanctions screening because systems may match similar names, aliases, transliterations, or records with incomplete data. Firms therefore need a sanctions alert investigation and resolution process: staff review extra identifiers such as date of birth, address, nationality, account details, or ownership information, then either clear the alert or escalate it as a potential true hit.

This process must be timely. If alerts sit unresolved, legitimate transactions may be delayed and backlogs can build up; equally, weak or slow review increases the risk that a genuine designated person is not stopped before business proceeds. The key distinction is that screening creates alerts, while investigation and resolution determine whether the alert is actionable.

  • Calibration vs review: Screening-engine tuning affects how many alerts are generated, but it is not the case-by-case process for deciding whether one alert is a false positive.
  • Periodic review: Customer due diligence refresh updates customer information over time; it is not the immediate handling of a live sanctions match.
  • Reporting threshold: Suspicious activity reporting concerns suspicion of crime, whereas many sanctions alerts are simply false positives that are cleared after investigation.

This is the workflow for assessing screening alerts, clearing false positives, and escalating possible true sanctions matches promptly.


Question 2

Topic: Financial Sanctions

A firm screens customers and payments against sanctions lists, uses CDD data to assess beneficial ownership and control, and escalates alerts suggesting possible sanctions evasion to the MLRO for possible suspicious-activity reporting. Which description best matches the purpose of this integrated control?

  • A. It makes sanctions action dependent on first submitting a suspicious activity report.
  • B. It links sanctions screening with ownership checks and suspicious-activity escalation.
  • C. It treats beneficial ownership as irrelevant once name screening is complete.
  • D. It allows sanctions screening to replace AML monitoring for low-risk customers.

Best answer: B

What this tests: Financial Sanctions

Explanation: Sanctions compliance is more than name screening. Firms need CDD to understand who is behind a customer and AML escalation routes when behaviour suggests sanctions evasion or related criminal activity. The integrated control therefore connects screening, customer information, and suspicious-activity handling.

The core concept is that sanctions controls cannot operate effectively in isolation. A name-screening hit may be inconclusive unless the firm has reliable CDD information on beneficial ownership and control, and a clean name-screen may still miss sanctions exposure if a designated person is using intermediaries or complex structures. Integrating sanctions with AML processes helps the firm understand the customer, assess ownership and control relationships, monitor behaviour, and escalate possible evasion through the MLRO or nominated officer for consideration of internal reporting and any external reporting obligations.

A standalone screening tool is therefore not enough; it must be supported by good customer data and suspicious-activity escalation. The closest distractor wrongly assumes screening can replace broader AML monitoring, when in practice the controls are complementary.

  • Replacing AML monitoring with screening is wrong because sanctions alerts and AML monitoring address different but connected risks.
  • Making sanctions action wait for a suspicious activity report is wrong because firms must act on sanctions risk immediately under their sanctions obligations.
  • Ignoring beneficial ownership is wrong because sanctions exposure may arise through ownership or control, not only direct name matches.

Sanctions exposure can arise through ownership, control, or evasion, so screening must work with CDD and escalation processes.


Question 3

Topic: Financial Sanctions

A firm’s sanctions engine uses fuzzy matching and generates frequent alerts on payments involving common names and spelling variants. Most are cleared after analysts compare date of birth, address and other identifiers. Backlogs are increasing, and operations proposes releasing any unreviewed “repeat false-positive” alert at close of business. Which response best applies sound sanctions-screening practice?

  • A. Restrict matching to exact names to cut the alert volume.
  • B. Auto-release repeat common-name alerts if earlier cases were false positives.
  • C. Freeze all flagged payments until the sanctions list changes.
  • D. Review promptly, use extra identifiers, record closure, and govern rule tuning.

Best answer: D

What this tests: Financial Sanctions

Explanation: False positives often arise from common names, spelling differences and fuzzy matching, but that does not justify unattended backlog release. Good practice is prompt alert investigation using additional identifiers, with documented decisions and controlled tuning for recurring non-matches.

The core principle is disciplined sanctions alert handling. Common names, transliteration, abbreviations, incomplete data and fuzzy matching can all create false positives, but firms still need timely investigation and resolution so that genuine matches are not missed inside a growing backlog. Analysts should review alerts promptly, use additional identifiers to confirm or clear the match, and record the rationale for the decision. If the same non-match repeatedly triggers, the firm should make tested, approved tuning or suppression changes under proper governance rather than bypassing review altogether.

A blanket reduction in sensitivity may lower volumes, but it weakens the screening control and increases the risk of missing a designated person.

  • Auto-release risk: Prior false positives do not prove future alerts are harmless; counterparties, data quality and screening context may differ.
  • Exact-match error: Limiting screening to exact names may reduce noise, but it can create false negatives and miss spelling variants or transliterations.
  • Overblocking: Freezing every alert until the list changes is disproportionate; firms should investigate promptly and resolve based on evidence.

Common names and spelling variants cause many false positives, but each alert still needs prompt investigation, documented disposition and controlled tuning rather than blanket release.


Question 4

Topic: Financial Sanctions

Under financial sanctions screening, which finding most clearly requires escalation for possible blocking or rejection rather than routine processing?

  • A. A company is 60% owned by a designated person
  • B. A payment involves a high-risk country with no sanctions restriction
  • C. A customer is identified as a domestic PEP
  • D. A name alert is disproved by conflicting identifiers

Best answer: A

What this tests: Financial Sanctions

Explanation: The key concept is sanctions ownership and control. Even without an exact name match, an entity that is owned by a designated person may itself be subject to sanctions implications, so the alert should be escalated for a decision on blocking, rejection, or other restrictions rather than processed routinely.

Sanctions controls do not stop at simple name matching. A firm must consider whether a customer or counterparty is owned or controlled by a designated person, because that can bring the entity within the sanctions risk framework and requires escalation to the appropriate sanctions or compliance function. That is very different from a routine false positive.

A strong escalation trigger is:

  • direct or majority ownership by a designated person
  • evidence of control by a designated person
  • any situation where processing could make funds or economic resources available in breach of sanctions

By contrast, a disproved name match is normally cleared, and PEP or general country risk belongs to other financial-crime controls rather than being, by itself, a sanctions hit.

  • PEP confusion: A domestic PEP raises AML and corruption risk, not an automatic sanctions blocking decision.
  • Country-risk confusion: A high-risk country may justify EDD or monitoring, but not sanctions action if no restriction applies.
  • False positive: When identifiers show the alert is not the listed person, the match can usually be cleared rather than escalated for blocking or rejection.

Majority ownership by a designated person creates a clear sanctions risk that must be escalated and not treated as a routine alert.


Question 5

Topic: Financial Sanctions

An internal audit reviews the firm’s customer sanctions-screening control.

Sanctions screening note
- Screening runs at onboarding and daily thereafter
- Named control owner: not recorded
- Last documented control test: none on file
- Analysts may close false-positive alerts; rationale field optional
- MI to management: total alerts and closures only

Which action is most strongly supported by the note?

  • A. Formalise ownership, document testing, and mandate alert-closure reasons.
  • B. Send every false-positive closure to the MLRO.
  • C. Treat current MI as sufficient evidence of effectiveness.
  • D. Increase screening frequency and leave governance unchanged.

Best answer: A

What this tests: Financial Sanctions

Explanation: The exhibit shows that screening takes place, so the main weakness is not frequency. The firm lacks clear ownership, documented testing, and a reliable audit trail for alert closures, which are core elements of an effective sanctions control.

Sanctions controls must be both operated and evidenced. In the note, onboarding and daily screening already exist, but there is no named control owner, no documented effectiveness test, and no mandatory reason recorded when analysts clear alerts. That means the firm may struggle to show who is accountable, whether the control has been tested, and why individual alerts were dismissed.

  • A named owner supports accountability and change control.
  • Documented testing shows the control still works as intended.
  • Recorded closure reasons create an audit trail for challenge and review.
  • MI should support oversight, not just count activity.

More frequent screening or blanket MLRO sign-off would not fix the core governance and evidencing gap.

  • More frequency: The note already says screening runs at onboarding and daily thereafter, so frequency is not the main deficiency shown.
  • Automatic MLRO escalation: Analysts can clear false positives in many firms; the real issue here is the lack of mandatory rationale and documented oversight.
  • MI equals effectiveness: Volumes of alerts and closures show activity, but they do not prove ownership, testing, or defensible alert decisions.

The note shows screening is already happening, but missing ownership, test evidence, and closure rationales weaken governance and auditability.


Question 6

Topic: Financial Sanctions

A firm wants a safeguard whose main function is to prevent staff using local spreadsheets, unsupported screening overrides, or outdated sanctions lists. Which control best matches that purpose?

  • A. Internal suspicious activity escalation to the MLRO or nominated officer
  • B. Enhanced due diligence for higher-risk customers and PEPs
  • C. Centralised list management with approved overrides and full audit trails
  • D. Transaction monitoring for unusual payment patterns

Best answer: C

What this tests: Financial Sanctions

Explanation: Manual workarounds and poor list management weaken sanctions controls because screening may become inconsistent, outdated, or impossible to evidence properly. Centralised list governance with controlled overrides and audit trails is the safeguard specifically designed to keep sanctions screening accurate, consistent, and reviewable.

The core concept is sanctions-control governance. If staff use personal spreadsheets, local watchlists, or ad hoc overrides, the firm cannot be confident that all customers and payments are screened against the same current sanctions data. It also becomes difficult to show who changed a rule or overrode a match, and why.

A centralised list-management process with restricted override permissions, approval workflow, and audit trails is the control that directly addresses this risk. It helps ensure:

  • sanctions lists are updated once and applied consistently
  • overrides are exceptional and properly authorised
  • changes can be tested, evidenced, and independently reviewed

EDD, suspicious activity escalation, and transaction monitoring are all important controls, but they do not solve weak sanctions-list governance. The key point is that sanctions screening must run through controlled, supportable processes rather than manual workarounds.

  • EDD mismatch: Enhanced due diligence helps assess higher-risk customers, but it does not control list versioning or prevent undocumented screening overrides.
  • Escalation mismatch: Reporting suspicions to the MLRO or nominated officer supports AML escalation, not the governance of sanctions lists and override rights.
  • Monitoring mismatch: Transaction monitoring may detect unusual behaviour, but it does not ensure sanctions screening uses current lists or properly approved changes.

This control preserves list integrity and ensures any override is authorised, recorded, and reviewable.


Question 7

Topic: Financial Sanctions

A UK payment firm’s policy says parties on the sanctions list, and entities 50% or more owned by them, must be blocked and escalated. After repeated data-feed failures, operations staff keep a local spreadsheet of sanctioned names and apply ad hoc “suppress future alerts” overrides without second-line approval or periodic review. A payment to a company 60% owned by a designated person is later processed because the spreadsheet was outdated. What is the single best explanation of why this setup is weak?

  • A. Experienced analysts may suppress repeat alerts without formal approval in low-risk cases.
  • B. The arrangement is acceptable if the official vendor list is reconciled at end of day.
  • C. Only directly named parties need blocking, so ownership does not matter here.
  • D. Manual lists and ungoverned overrides can miss updates, create inconsistent screening, and leave a weak audit trail.

Best answer: D

What this tests: Financial Sanctions

Explanation: The core weakness is loss of control effectiveness. A local spreadsheet and unsupported alert suppressions can become outdated, apply inconsistently, and leave little evidence of challenge or approval, so a true sanctions exposure can pass through screening.

Sanctions controls depend on complete, current list data and properly governed decisions. In this scenario, the firm replaced a controlled screening source with a manual spreadsheet and allowed ad hoc suppressions without approval or review. That weakens the framework because updates may be missed, ownership-based exposures may be overlooked, and the firm may be unable to show why an alert was suppressed. Here, the customer met the firm’s own ownership threshold, yet the payment was processed because the workaround was stale. That is exactly how poor list management and unsupported overrides undermine sanctions-control effectiveness.

End-of-day reconciliation or staff experience does not make an uncontrolled workaround equivalent to a governed screening control.

  • Reconciling to the vendor list later may identify an error, but it does not stop a prohibited payment being processed in the meantime.
  • Focusing only on directly named parties ignores the firm’s stated ownership rule, which is material to sanctions exposure.
  • Prior false positives and analyst experience do not remove the need for documented approval, rationale, and periodic review of suppressions.

Manual workarounds and unsupported suppressions reduce completeness, consistency, and evidential quality, so genuine sanctions exposure can be missed.


Question 8

Topic: Financial Sanctions

A UK investment firm screened a corporate client and its owners before opening an account and found no sanctions issue. Four months later, the client’s 60% owner changes, and the new ultimate owner is then designated under UK sanctions. The client now instructs the firm to send out the remaining cash and close the account. What is the best explanation of the firm’s sanctions obligation?

  • A. Sanctions duties run across the whole lifecycle, including onboarding checks, rescreening for ownership or list changes, and exit payments.
  • B. Sanctions duties end once the customer asks to close the account, so the remaining cash can be returned.
  • C. Sanctions duties begin only after the account is opened, so pre-onboarding screening is only a CDD matter.
  • D. Sanctions duties matter only when the customer name appears on a list, not when a 60% owner becomes designated.

Best answer: A

What this tests: Financial Sanctions

Explanation: Sanctions screening is a lifecycle control, not a one-off admission test. The firm must check before account opening, reassess when ownership or sanctions status changes, and consider the final payment at closure because it must not make funds available to a designated person.

The core concept is that sanctions obligations are continuous and event-driven, not a one-off onboarding check. Before a relationship is opened, the firm must screen the customer and relevant owners so it does not deal with a designated person. During the relationship, exposure can arise later because sanctions lists are updated, ownership or control changes, or a transaction creates a new sanctions nexus. In this scenario, the new 60% ultimate owner becomes designated, so the firm must reassess whether the corporate client is owned or controlled by a sanctioned person. The closure request does not remove the risk: releasing the remaining cash could mean making funds available to a designated person, so the firm may need to freeze, escalate, and report as required. Passing onboarding screening is therefore not sufficient.

  • Post-opening only: Pre-onboarding screening is still a sanctions obligation because firms must avoid establishing a prohibited relationship.
  • Name matching only: Sanctions exposure can arise through ownership or control, not just a direct name hit on the customer.
  • Closure ends duties: Offboarding does not permit release of funds if a designated person may benefit from the payment.

Sanctions duties are ongoing, so new designations, ownership changes, and closure payments must all be assessed, not just the initial onboarding.


Question 9

Topic: Financial Sanctions

A UK broker is onboarding an overseas company. Name screening shows no direct sanctions match, but CDD indicates a designated person may control 55% of the company through a nominee structure. The client also provides inconsistent source-of-wealth evidence and requests an urgent GBP 900,000 payment to a bank in a country subject to UK financial sanctions. What is the single best reason sanctions compliance should be integrated with AML, CDD and suspicious-activity processes?

  • A. Because a clear name-screening result means sanctions risk is closed unless OFSI later confirms a match.
  • B. Because sanctions matters should be handled separately from AML reviews so SAR decisions remain independent.
  • C. Because sanctions exposure may arise through ownership or control, and the same facts can require EDD, payment controls and suspicious-activity escalation.
  • D. Because source-of-wealth concerns become relevant only after a sanctions match has been confirmed.

Best answer: C

What this tests: Financial Sanctions

Explanation: Sanctions controls should not operate in isolation. Here, the absence of a direct name match does not remove sanctions risk, because ownership or control by a designated person, weak source-of-wealth evidence and the urgent payment request all engage wider CDD, EDD and suspicious-activity processes.

The core concept is that sanctions risk often emerges through the same customer and transaction information used for AML controls. In this scenario, screening alone is not enough because CDD suggests possible ownership or control by a designated person through a nominee structure. The inconsistent source-of-wealth evidence and urgent payment to a sanctioned country add wider financial-crime concerns.

An integrated process allows the firm to:

  • assess beneficial ownership and control properly
  • apply EDD where the risk profile justifies it
  • decide whether the payment must be blocked, rejected or escalated
  • refer the matter internally to the MLRO or nominated officer to consider suspicious-activity reporting

Treating sanctions as only a name-screening task would miss connected risks and weaken both sanctions and AML controls.

  • Relying on a clean direct-name screen is insufficient because sanctions exposure can arise through ownership or control, not just an exact match.
  • Separating sanctions from AML review is poor practice because the same red flags may require both sanctions action and suspicious-activity escalation.
  • Waiting for a confirmed sanctions match before considering source of wealth is wrong; weak source-of-wealth evidence is already a material AML risk indicator.

Integration is needed because sanctions risk is not limited to direct name matches, and the wider AML red flags may also require EDD and internal suspicious-activity escalation.


Question 10

Topic: Financial Sanctions

A bank’s periodic review of a corporate customer finds a new 55% beneficial owner added since onboarding. The owner’s name is a close sanctions-screening match, and recent payments have been unusually large and sent to higher-risk jurisdictions. Under the firm’s policy, unresolved sanctions alerts must be escalated before payments are processed. Which action best applies good anti-financial-crime practice?

  • A. Close the account immediately without further review to avoid any sanctions exposure.
  • B. Treat the issue as sanctions-only and leave the customer’s CDD profile unchanged.
  • C. Escalate the alert, refresh beneficial ownership CDD, hold the payments, and assess MLRO reporting.
  • D. Process the payments unless the owner is an exact name match on a sanctions list.

Best answer: C

What this tests: Financial Sanctions

Explanation: The changed ownership and unusual payment activity make this more than a simple screening alert. Good practice is to connect sanctions controls with CDD and AML monitoring by refreshing beneficial ownership information, pausing processing under policy, and escalating for possible suspicious-activity review.

Sanctions compliance should not operate as a standalone name-screening process. In this scenario, the new majority beneficial owner creates a potential ownership or control risk, while the unusual cross-border payment pattern adds an AML concern. The best response is therefore integrated: refresh CDD to verify the new ownership, follow the firm’s sanctions-escalation rule before processing payments, and consider whether the combined facts require internal escalation to the MLRO for suspicious-activity assessment.

Focusing only on an exact name match is too narrow, because sanctions risk can arise through ownership and control as well as direct naming. Leaving CDD unchanged or exiting the customer without proper review would also weaken governance, record-keeping, and audit trail. The key principle is that sanctions, AML, CDD, and escalation processes must work together.

  • Exact-match trap: looking only for an exact listed name ignores beneficial ownership risk and the suspicious payment pattern.
  • Silo trap: treating sanctions separately from CDD misses the material ownership change that should trigger a review.
  • Exit-without-review trap: ending the relationship may seem cautious, but it does not replace proper escalation, documentation, and suspicious-activity assessment.

This integrates sanctions screening with CDD, transaction monitoring, and suspicious-activity escalation before further processing.

Continue with full practice

Use the CISI CFC Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the CISI CFC guide on SecuritiesMastery.com, then return to Securities Prep for timed practice.

Revised on Thursday, May 14, 2026