CISI CFC — CISI Combating Financial Crime Quick Review
Quick review for the Chartered Institute for Securities & Investment Combating Financial Crime exam, exam code CISI CFC.
CISI CFC exam identity and review purpose
This quick review is for candidates preparing for the Chartered Institute for Securities & Investment exam CISI Combating Financial Crime, exam code CISI CFC.
Use it as a fast consolidation tool before moving into topic drills, mock exams, and detailed explanations. It is independent companion practice material and is not affiliated with the Chartered Institute for Securities & Investment.
Best use: review one section, then answer original practice questions on that topic. Do not rely on memorised buzzwords only; the exam commonly tests whether you can choose the most appropriate control, escalation, or risk-based action in a scenario.
High-yield financial crime map
| Area | Core idea | What exam questions often test |
|---|---|---|
| Money laundering | Criminal property is disguised so it appears legitimate | Stages, suspicion, CDD, reporting, tipping-off, monitoring |
| Terrorist financing | Funds are used to support terrorism; source may be legal or illegal | Difference from money laundering, small-value patterns, sanctions links |
| Proliferation finance | Financing movement or development of weapons of mass destruction | Trade finance red flags, sanctions, dual-use goods, indirect networks |
| Sanctions | Legal restrictions on dealing with named persons, entities, sectors, goods, or jurisdictions | Screening, ownership/control, false positives, asset freezes, escalation |
| Bribery and corruption | Improper advantage offered, requested, given, or received | Gifts, hospitality, agents, facilitation payments, public officials |
| Fraud | Deception or dishonest conduct for gain or to cause loss | Identity theft, internal fraud, cyber fraud, investment scams |
| Tax evasion facilitation | Helping another person evade tax | Evasion vs avoidance, staff/agent involvement, prevention controls |
| Market abuse | Misuse of securities markets or confidential information | Insider dealing, manipulation, spoofing, front-running, information barriers |
| Governance and controls | Firm-wide systems to prevent, detect, report, and remediate crime | Risk-based approach, three lines of defence, MLRO/nominated officer, records |
The core decision model: risk-based control
Most financial crime questions reduce to a simple chain:
1. Identify the parties and activity: who is involved? Customer, beneficial owner, controller, agent, payee, issuer, employee, counterparty, intermediary?
2. Assess inherent risk: consider customer type, geography, product, delivery channel, transaction behaviour, and sanctions exposure.
3. Apply proportionate controls: standard due diligence for normal risk; enhanced due diligence for higher risk; simplified measures only where permitted and justified.
4. Monitor and refresh: risk changes after onboarding. Monitoring must detect unusual behaviour, not just collect documents.
5. Escalate suspicion or legal restriction: suspicion, sanctions matches, bribery concerns, fraud alerts, or market abuse indicators must be escalated through the correct internal process.
6. Record the rationale: a good decision is weak if the firm cannot evidence why it made it.
```mermaid
flowchart TD
A[Customer, transaction, or employee activity] --> B[Identify parties and purpose]
B --> C[Assess risk factors]
C --> D{Risk acceptable?}
D -- No --> E[Decline, restrict, exit, or escalate]
D -- Yes --> F[Apply CDD / EDD / screening]
F --> G[Monitor activity]
G --> H{Unusual, suspicious, or prohibited?}
H -- No --> I[Continue with periodic review]
H -- Yes --> J[Internal escalation]
J --> K[SAR/STR, sanctions escalation, fraud response, or other action]
K --> L[Record decision and avoid tipping-off]
```
Money laundering essentials
The three classic stages
| Stage | Meaning | Typical examples | Common exam trap |
|---|---|---|---|
| Placement | Introducing criminal proceeds into the financial system | Cash deposits, prepaid products, money service businesses, purchase of assets | Placement is not always physical cash |
| Layering | Creating distance between funds and criminal origin | Multiple transfers, offshore entities, complex trades, crypto movements, securities transactions | Layering can occur through normal-looking investment activity |
| Integration | Reintroducing funds as apparently legitimate wealth | Property purchases, business income, investment returns, loans | Integration does not mean the risk is over |
Key concepts to know
- Predicate offence: the underlying crime that generated the proceeds.
- Criminal property: property representing benefit from criminal conduct.
- Suspicion: more than a vague feeling, less than proof. The exact legal threshold depends on jurisdiction, but exam scenarios usually test whether a reasonable person should escalate.
- Concealment: hiding source, ownership, location, movement, or control of criminal property.
- Acquisition/use/possession: money laundering risk can arise from holding or using criminal property, not just moving it.
Money laundering red flags
| Red flag | Why it matters |
|---|---|
| Customer cannot explain source of funds or purpose | May indicate criminal proceeds or front activity |
| Complex structure with no clear commercial purpose | May hide beneficial ownership or control |
| Rapid movement in and out of accounts | Layering risk |
| Third-party payments inconsistent with profile | Possible mule, nominee, fraud, or sanctions evasion |
| Reluctance to provide documents | Possible concealment |
| Transactions just below reporting or control thresholds | Structuring/smurfing risk |
| Unusual use of securities or insurance products | Potential laundering through investment products |
| High-risk jurisdiction links without rationale | Increased exposure to corruption, sanctions, or weak controls |
Terrorist financing and proliferation finance
Money laundering vs terrorist financing
| Point | Money laundering | Terrorist financing |
|---|---|---|
| Source of funds | Usually criminal proceeds | May be legal, illegal, or mixed |
| Objective | Make criminal property appear legitimate | Fund terrorist activity or organisations |
| Transaction size | Can be large or complex | Can be small, low-value, repeated |
| Timing | Often after predicate offence | Often before harmful act |
| Key risk | Conceal origin of funds | Conceal destination or purpose of funds |
Terrorist financing indicators
- Small but repeated transfers to high-risk locations.
- Use of charities or non-profit organisations without transparent purpose.
- Funds moved through family, community, or informal value transfer networks.
- Customers with unclear travel, cash withdrawal, or remittance patterns.
- Links to sanctioned persons, extremist organisations, or conflict zones.
- Sudden change in account use inconsistent with customer profile.
Proliferation finance indicators
- Trade involving dual-use goods or controlled technology.
- Unusual shipping routes, trans-shipment points, or vague goods descriptions.
- Shell companies in trade chains.
- Inconsistent documentation: invoices, bills of lading, end-user certificates.
- Counterparties linked to sanctioned jurisdictions, military end-users, or front companies.
- Overly complex payment paths inconsistent with the trade.
Customer due diligence: CDD, EDD, SDD
CDD purpose
Customer due diligence is not just document collection. It is the process of understanding:
- Who the customer is.
- Who ultimately owns or controls the customer.
- Why the customer wants the product or service.
- How the relationship is expected to operate.
- Whether the activity is consistent with the customer’s risk profile.
Identification vs verification
| Term | Meaning | Example |
|---|---|---|
| Identification | Obtain identity information | Name, date of birth, address, company details |
| Verification | Confirm identity using reliable evidence | Passport, registry extract, independent electronic check |
| Beneficial ownership identification | Find the natural persons who ultimately own or control | Shareholders, controllers, trustees, protectors |
| Purpose and intended nature | Understand why the relationship exists | Investment objective, expected transactions, source of funds |
Trap: A company registry document may identify the legal entity, but it may not fully identify the natural persons who ultimately own or control it.
CDD timing and trigger points
CDD is commonly required or refreshed when:
- Establishing a business relationship.
- Carrying out certain occasional transactions where rules require it.
- There is suspicion of financial crime.
- Existing documents or information are unreliable or outdated.
- Customer activity changes significantly.
- There is a material change in ownership, control, geography, product use, or risk profile.
Simplified, standard, and enhanced due diligence
| Level | When appropriate | Key point |
|---|---|---|
| Simplified due diligence | Lower-risk situations where allowed | Not “no due diligence”; still need a basis for lower risk |
| Standard CDD | Normal risk relationships | Identify, verify, understand purpose, screen, monitor |
| Enhanced due diligence | Higher-risk customers, products, geographies, or behaviours | More evidence, senior approval where required, deeper source checks, closer monitoring |
Beneficial ownership and control
What to remember
Beneficial ownership is about ultimate natural person ownership or control. The exam may test scenarios where legal ownership differs from real control.
| Structure | What to look for |
|---|---|
| Company | Shareholders, voting rights, control through agreements, directors, nominees |
| Trust | Settlor, trustees, beneficiaries, protectors, persons exercising ultimate control |
| Partnership | Partners, managing partners, controllers |
| Fund or investment vehicle | Manager, general partner, investors where relevant, control rights |
| Foundation or charity | Controllers, trustees, donors, beneficiaries, purpose |
Common traps
- A nominee shareholder may not be the true beneficial owner.
- Control can exist without majority ownership.
- A complex structure is not automatically suspicious, but it must have a plausible commercial purpose.
- Listed or regulated status may reduce some risks, but it does not eliminate the need to understand the relationship.
- If ownership cannot be understood, the firm may need to decline or exit, depending on policy and law.
Source of funds vs source of wealth
| Concept | Question answered | Example evidence |
|---|---|---|
| Source of funds | Where did this specific money come from? | Bank statement, sale contract, payslip, dividend statement |
| Source of wealth | How did the customer build overall wealth? | Business ownership, inheritance, career earnings, investment history |
Exam trap: A customer saying “business income” may help explain source of wealth, but it may not prove the source of funds for a specific transaction.
Politically exposed persons: PEPs
PEP risk logic
A politically exposed person is not automatically criminal. The risk is that a person with prominent public functions, or their family/close associates, may have access to public funds, influence, procurement, licensing, or corrupt networks.
High-yield PEP review
| Issue | Correct exam logic |
|---|---|
| PEP identified | Apply required enhanced measures; do not assume automatic rejection |
| Family member or close associate | Treat as connected risk; understand relationship and funds |
| Domestic vs foreign vs international organisation PEP | Risk level may differ, but PEP controls still matter where required |
| Former PEP | Risk may reduce over time, but does not disappear automatically |
| Senior management approval | Often required for higher-risk PEP relationships under firm policy/rules |
| Source of wealth and funds | Usually central to PEP EDD |
PEP red flags
- Wealth inconsistent with known public salary or career history.
- Use of relatives, associates, companies, or trusts.
- Links to procurement, extractive industries, defence, infrastructure, or state-owned enterprises.
- Unexplained payments from government contractors or politically connected entities.
- Pressure to bypass normal onboarding or monitoring.
Sanctions screening and asset-freezing
What sanctions controls cover
Sanctions controls may apply to:
- Customers and prospective customers.
- Beneficial owners and controllers.
- Directors, trustees, signatories, and authorised persons.
- Payees, beneficiaries, remitters, intermediaries, and counterparties.
- Issuers, securities, vessels, goods, sectors, or jurisdictions.
- Ownership and control by sanctioned persons or entities.
Sanctions screening decision table
| Result | Meaning | Correct response |
|---|---|---|
| No apparent match | No obvious sanctions issue | Continue normal risk process |
| False positive | Similar name/details but not the listed person | Record rationale and continue if appropriate |
| Possible match | Insufficient information to clear | Escalate; do not ignore |
| True match | Listed person/entity or owned/controlled party | Freeze/restrict as required, escalate, report where required |
| Circumvention concern | Activity designed to evade sanctions | Escalate as suspicious/prohibited activity |
Common sanctions traps
- Screening only the customer and ignoring beneficial owners.
- Treating a name mismatch as clearance without checking date of birth, address, nationality, identifiers, ownership, or control.
- Assuming sanctions apply only to countries, not individuals, entities, sectors, goods, or services.
- Continuing a transaction while a possible true match is unresolved.
- Missing indirect ownership or control through layered entities.
- Failing to rescreen when lists change.
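As an added illustration of the decision table and traps above (this is not part of the original review and not any regulator's or vendor's matching rules), the following Python sketch classifies a screening hit using only the secondary identifiers actually on file, so a missing date of birth produces a possible match rather than a clearance, and it screens beneficial owners as well as the customer. The list entry, the customer records and the 0.85 name-similarity threshold are constructed assumptions.

```python
"""Sanctions screening decision logic mirroring the review's decision table.

Constructed example: the list entry and customer records are made up, and the
similarity threshold and identifier rules are illustrative assumptions, not any
regulator's or screening vendor's matching rules.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Outcomes ordered from least to most serious; a relationship takes the worst one found.
SEVERITY = {"NO_APPARENT_MATCH": 0, "FALSE_POSITIVE": 1,
            "POSSIBLE_MATCH": 2, "TRUE_MATCH": 3}

@dataclass
class Party:
    name: str
    dob: Optional[str] = None          # ISO date, None when not on file
    nationality: Optional[str] = None
    owners: List["Party"] = field(default_factory=list)  # beneficial owners / controllers

@dataclass
class ListEntry:
    name: str
    dob: Optional[str] = None
    nationality: Optional[str] = None

def normalise(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace before comparing names."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())

def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def classify(party: Party, entry: ListEntry, threshold: float = 0.85) -> Tuple[str, str]:
    """Return (outcome, rationale) for one party against one list entry."""
    score = name_similarity(party.name, entry.name)
    if score < threshold:
        return "NO_APPARENT_MATCH", f"name similarity {score:.2f} below threshold"
    # A name hit is only cleared on secondary identifiers that are actually on file.
    agreements, conflicts, missing = [], [], []
    for ident in ("dob", "nationality"):
        ours, theirs = getattr(party, ident), getattr(entry, ident)
        if ours is None or theirs is None:
            missing.append(ident)
        elif ours == theirs:
            agreements.append(ident)
        else:
            conflicts.append(ident)
    if conflicts:
        return "FALSE_POSITIVE", f"name hit {score:.2f} but {', '.join(conflicts)} differ; record rationale"
    if missing:
        return "POSSIBLE_MATCH", f"name hit {score:.2f}; cannot clear without {', '.join(missing)}; escalate"
    return "TRUE_MATCH", f"name hit {score:.2f} and {', '.join(agreements)} agree; freeze and escalate"

def screen_relationship(customer: Party, sanctions_list: List[ListEntry]):
    """Screen the customer and every beneficial owner (recursively through layered
    entities); return the worst outcome and every non-clear finding."""
    findings = []
    def visit(party: Party, role: str) -> None:
        for entry in sanctions_list:
            outcome, why = classify(party, entry)
            if outcome != "NO_APPARENT_MATCH":
                findings.append((role, party.name, entry.name, outcome, why))
        for owner in party.owners:
            visit(owner, f"owner of {party.name}")
    visit(customer, "customer")
    worst = max((f[3] for f in findings), key=SEVERITY.get, default="NO_APPARENT_MATCH")
    return worst, findings

# Constructed list entry; "XX" is a placeholder nationality code.
SAMPLE_LIST = [ListEntry("Ivan Petrov", dob="1970-05-01", nationality="XX")]

if __name__ == "__main__":
    company = Party("Acme Trading Ltd",
                    owners=[Party("Ivan Petrov", dob="1970-05-01", nationality="XX")])
    worst, findings = screen_relationship(company, SAMPLE_LIST)
    print(worst)
    for finding in findings:
        print(finding)
```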
Suspicion, escalation, SARs and STRs
Internal escalation
When staff identify suspicious activity, they normally escalate internally to the MLRO, nominated officer, financial crime team, or equivalent role under the firm’s procedures.
The staff member does not need to prove a crime. The key issue is whether the facts create suspicion or reasonable grounds for concern.
SAR/STR quality
A strong suspicious activity report or suspicious transaction report usually explains:
| Element | Question |
|---|---|
| Who | Customer, beneficial owner, counterparties, employees involved |
| What | Transactions, products, behaviours, documents |
| When | Dates, sequence, timing, urgency |
| Where | Countries, accounts, branches, channels |
| Why suspicious | Red flags and inconsistency with expected profile |
| How | Methods used: layering, structuring, third parties, false documents |
| Evidence | Documents, alerts, communications, transaction records |
Tipping-off and confidentiality
Do not disclose to the customer or to any third party that a report has been made or is being considered, or that an investigation may take place, where doing so could prejudice an investigation.
Exam trap: Asking a customer routine clarification questions may be appropriate, but telling them “your transaction has been reported as suspicious” is a serious problem.
Bribery and corruption
Core bribery concepts
Bribery involves offering, promising, giving, requesting, agreeing to receive, or accepting an advantage intended to induce or reward improper performance.
It can involve:
- Public officials.
- Private-sector employees.
- Agents and intermediaries.
- Gifts, hospitality, travel, entertainment, donations, sponsorship, employment offers, or facilitation payments.
- Direct or indirect benefits.
Bribery risk indicators
| Indicator | Why it matters |
|---|---|
| Unusual commission or success fee | May be disguised bribe |
| Agent refuses anti-bribery clauses | Weak control and possible intent |
| Payments to offshore account unrelated to work | Concealment risk |
| “Urgent” payment to secure licence/permit | Public official bribery risk |
| Excessive hospitality before contract award | Improper influence risk |
| Charitable donation linked to decision-maker | Possible indirect benefit |
| Consultant with no clear service provided | Sham intermediary risk |
Gifts and hospitality decision rules
| Question | If answer is concerning |
|---|---|
| Is it proportionate and reasonable? | Escalate or decline |
| Is there a legitimate business purpose? | If no, high bribery risk |
| Is it during a tender, negotiation, or approval? | Higher risk |
| Could it influence a decision? | Higher risk |
| Is it transparent and recorded? | If no, higher risk |
| Is a public official involved? | Apply stricter scrutiny |
Trap: Hospitality is not automatically a bribe, but lavish, secret, repeated, or decision-linked hospitality is a major red flag.
Fraud and cyber-enabled financial crime
Common fraud types
| Fraud type | Description | Control focus |
|---|---|---|
| Identity fraud | False or stolen identity used to access services | Verification, biometric/electronic checks, document validation |
| Account takeover | Criminal gains control of legitimate account | Strong authentication, behavioural monitoring |
| Authorised push payment fraud | Victim is tricked into sending funds | Confirmation, warnings, transaction monitoring |
| Internal fraud | Employee abuses access or position | Segregation of duties, access controls, surveillance |
| Investment fraud | False or misleading investment opportunity | Due diligence, suspicious promotion monitoring |
| Boiler room scam | High-pressure sale of worthless or unsuitable investments | Client education, transaction controls |
| Invoice fraud | Payment instructions are manipulated | Callback controls, payee verification |
| Cyber fraud | Phishing, malware, credential theft | Cyber controls, incident response, staff training |
Fraud exam traps
- Fraud may create money laundering risk because fraud proceeds become criminal property.
- A genuine customer can still be a fraud victim or fraudster.
- Cyber indicators are financial crime indicators when they affect funds, identity, transactions, or market integrity.
- Internal fraud requires escalation outside the normal line manager if the manager may be involved.
Market abuse and securities-related financial crime
Key concepts
| Conduct | Meaning | Typical indicator |
|---|---|---|
| Insider dealing | Trading using inside information | Trade before announcement |
| Unlawful disclosure | Improperly sharing inside information | Tip to friend, client, or colleague |
| Market manipulation | Creating false or misleading market signals | Wash trades, matched orders, ramping |
| Spoofing/layering | Placing orders to mislead, then cancelling | Large non-genuine orders away from market |
| Front-running | Trading ahead of client order using knowledge of it | Employee/client order timing pattern |
| Pump-and-dump | Promoting price then selling | Hype followed by insider selling |
Control tools
- Information barriers.
- Restricted and watch lists.
- Personal account dealing controls.
- Order and trade surveillance.
- Communication monitoring.
- Escalation of suspicious orders and transactions.
- Conflicts of interest management.
- Staff training on inside information.
Trap: Market abuse does not always require a completed profit. Attempted manipulation or misuse of information can still be serious.
Tax evasion facilitation
Avoidance vs evasion
| Concept | Meaning | Exam logic |
|---|---|---|
| Tax planning/avoidance | Arranging affairs within the law, though sometimes aggressive | Not automatically criminal |
| Tax evasion | Dishonestly evading tax | Criminal conduct risk |
| Facilitation | Helping another person evade tax | Firm/staff/agent control issue |
Red flags
- Customer requests false invoices or misleading descriptions.
- Payments routed to hide beneficial ownership.
- Assets held in names of relatives, nominees, or shell companies without rationale.
- Employee or agent suggests hiding income or assets.
- Customer asks for documents to misrepresent residence, income, or ownership.
- Structures have no commercial purpose other than concealment.
Prevention controls
- Clear policies on tax evasion facilitation.
- Staff training on red flags.
- Due diligence on agents and intermediaries.
- Approval controls for higher-risk structures.
- Monitoring and escalation.
- Evidence of reasonable decision-making.
Governance: roles and responsibilities
Three lines of defence
| Line | Main responsibility | Examples |
|---|---|---|
| First line | Own and manage risk in the business | Onboarding, customer contact, transaction review, escalation |
| Second line | Set policy, advise, monitor, challenge | Compliance, financial crime team, sanctions team, MLRO function |
| Third line | Independent assurance | Internal audit, control testing, governance reviews |
Senior management and board responsibilities
Senior leadership must ensure the firm has proportionate systems and controls. This includes:
- Risk appetite.
- Policies and procedures.
- Adequate resourcing.
- Training.
- Reporting and management information.
- Independent review.
- Culture and tone from the top.
- Remediation of weaknesses.
Trap: Outsourcing a process does not outsource responsibility. The firm remains accountable for ensuring controls are effective.
Firm-wide risk assessment
A firm-wide financial crime risk assessment usually considers:
| Risk factor | Examples |
|---|---|
| Customer risk | PEPs, cash-intensive businesses, complex structures, charities, MSBs |
| Geographic risk | High corruption, sanctions exposure, weak AML controls, conflict zones |
| Product risk | Private banking, trade finance, correspondent banking, crypto exposure, prepaid products |
| Delivery channel risk | Non-face-to-face onboarding, intermediaries, digital channels |
| Transaction risk | Large, complex, rapid, unusual, cross-border, third-party activity |
| Employee/agent risk | Sales incentives, remote agents, weak supervision |
Inherent, control, and residual risk
| Risk type | Meaning |
|---|---|
| Inherent risk | Risk before controls |
| Control effectiveness | How well policies, systems, monitoring, training, and governance reduce risk |
| Residual risk | Risk remaining after controls |
Exam trap: A high-risk customer is not automatically unacceptable. The question is whether risk can be understood, mitigated, monitored, and accepted within policy and law.
Transaction monitoring
What monitoring should detect
- Activity inconsistent with known customer profile.
- Unusual size, frequency, route, or purpose.
- Rapid movement of funds.
- Transactions involving high-risk jurisdictions.
- Third-party payments without rationale.
- Structuring or threshold avoidance.
- Sanctions or PEP changes.
- Unusual securities trading patterns.
- Fraud or cyber-related behaviour.
Alert handling
| Step | Good practice |
|---|---|
| Triage | Check whether alert is explainable using known facts |
| Investigation | Gather transaction history, customer profile, documents, communications |
| Decision | Close with rationale, escalate, restrict, or report |
| Documentation | Record evidence and reasoning |
| Feedback | Tune scenarios, update risk profile, improve controls |
Trap: Closing alerts because “the customer is long-standing” is weak. Long-standing customers can become suspicious if behaviour changes.
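As an added illustration of the "What monitoring should detect" list and the alert-handling steps above (not part of the original review, and not any firm's real monitoring scenarios), the Python below implements two detective rules, structuring below a threshold and rapid in-and-out movement of funds, and a triage step that tests an alert against the documented customer profile while deliberately ignoring how long the customer has been with the firm. The sample transactions, the 10,000 threshold, the windows and the profiles are constructed assumptions.

```python
"""Transaction-monitoring rules and alert triage for the indicators in this review.
Constructed example: the sample transactions, the 10,000 threshold, the windows and
the customer profiles are illustrative assumptions, not any firm's real scenarios."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

@dataclass
class Txn:
    account: str
    when: date
    amount: float        # positive = credit into the account, negative = payment out
    counterparty: str

@dataclass
class Profile:
    expected_monthly_in: float
    declared_counterparties: Set[str]
    years_as_customer: int   # present on purpose: triage must not rely on it

@dataclass
class Alert:
    rule: str
    account: str
    total: float
    counterparties: Set[str]

def _by_account(txns: List[Txn]) -> Dict[str, List[Txn]]:
    groups: Dict[str, List[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        groups[t.account].append(t)
    return groups

def structuring_alerts(txns, threshold=10_000.0, band=0.15, window_days=7, min_count=3):
    """Several same-direction amounts just under the threshold, inside a short window,
    that together exceed it (structuring / threshold avoidance)."""
    alerts = []
    for account, items in _by_account(txns).items():
        near = [t for t in items if threshold * (1 - band) <= abs(t.amount) < threshold]
        for i, first in enumerate(near):
            run = [t for t in near[i:] if (t.when - first.when).days < window_days
                   and (t.amount > 0) == (first.amount > 0)]
            total = sum(abs(t.amount) for t in run)
            if len(run) >= min_count and total >= threshold:
                alerts.append(Alert("structuring", account, total, {t.counterparty for t in run}))
                break  # one alert per account is enough for triage
    return alerts

def rapid_movement_alerts(txns, window_days=3, ratio=0.9):
    """A credit that is largely paid out again within a few days (layering indicator)."""
    alerts = []
    for account, items in _by_account(txns).items():
        for i, credit in enumerate(items):
            if credit.amount <= 0:
                continue
            outs = [t for t in items[i + 1:]
                    if t.amount < 0 and (t.when - credit.when).days <= window_days]
            paid_out = sum(-t.amount for t in outs)
            if paid_out >= ratio * credit.amount:
                alerts.append(Alert("rapid_movement", account, paid_out,
                                    {t.counterparty for t in outs}))
                break
    return alerts

def run_rules(txns: List[Txn]) -> List[Alert]:
    return structuring_alerts(txns) + rapid_movement_alerts(txns)

def triage(alert: Alert, profile: Profile) -> Tuple[str, List[str]]:
    """Triage: is the alert explainable from documented facts? Tenure is ignored,
    because a long-standing customer can still change behaviour."""
    reasons = []
    if alert.total > profile.expected_monthly_in:
        reasons.append(f"{alert.rule}: {alert.total:.0f} exceeds expected monthly inflow "
                       f"{profile.expected_monthly_in:.0f}")
    unknown = alert.counterparties - profile.declared_counterparties
    if unknown:
        reasons.append(f"undeclared counterparties: {sorted(unknown)}")
    return ("escalate", reasons) if reasons else ("close", ["consistent with documented profile"])

# Constructed sample: A1 shows structuring followed by an onward payment; A2 is routine.
D = date(2024, 3, 1)
SAMPLE_TXNS = [
    Txn("A1", D, 9_500.0, "cash deposit"),
    Txn("A1", D + timedelta(days=1), 9_500.0, "cash deposit"),
    Txn("A1", D + timedelta(days=2), 9_500.0, "cash deposit"),
    Txn("A1", D + timedelta(days=3), -27_000.0, "Offshore Holdings"),
    Txn("A2", D, 4_000.0, "Employer Ltd"),
    Txn("A2", D + timedelta(days=1), -1_200.0, "Landlord"),
]
SAMPLE_PROFILES = {
    "A1": Profile(5_000.0, {"Employer Ltd"}, years_as_customer=12),
    "A2": Profile(4_500.0, {"Employer Ltd", "Landlord"}, years_as_customer=1),
}

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_TXNS):
        decision, why = triage(alert, SAMPLE_PROFILES[alert.account])
        print(alert.rule, alert.account, decision, why)
```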
Recordkeeping and evidence
Records should allow the firm and reviewers to understand what happened, what was considered, and why a decision was made.
| Record type | Why it matters |
|---|---|
| CDD and verification evidence | Shows identity and ownership checks |
| Risk assessments | Shows risk-based rationale |
| Screening results | Shows sanctions/PEP/adverse media handling |
| Monitoring alerts | Shows investigation and closure reasoning |
| Internal reports | Shows escalation |
| SAR/STR records | Shows reporting decisions |
| Training records | Shows staff awareness |
| Governance minutes and MI | Shows oversight |
| Remediation plans | Shows weaknesses were addressed |
Controls: preventive, detective, corrective
| Control type | Purpose | Examples |
|---|---|---|
| Preventive | Stop risk before it occurs | CDD, EDD, approval limits, sanctions screening, segregation of duties |
| Detective | Identify problems | Transaction monitoring, trade surveillance, exception reports, audits |
| Corrective | Fix issues and reduce recurrence | SAR/STR filing, account restriction, exit, discipline, remediation, retraining |
Exam tip: If the question asks what should happen before onboarding, choose preventive controls. If it asks about unusual activity after onboarding, choose monitoring, investigation, and escalation.
Common exam traps and best-answer rules
| Trap | Better answer logic |
|---|---|
| “No proof, so no report” | Suspicion does not require proof |
| “PEPs must always be rejected” | PEPs require enhanced risk management, not automatic rejection |
| “CDD is complete once documents are collected” | CDD includes understanding ownership, purpose, and ongoing monitoring |
| “Sanctions screening is only at onboarding” | Rescreening and transaction screening may be needed |
| “A false positive can be ignored” | It must be resolved and documented |
| “Small terrorist financing transactions are too minor” | TF may involve low values |
| “Complex structure equals money laundering” | Complexity is a risk indicator; assess purpose and control |
| “Gifts are acceptable if local custom permits them” | Local custom does not remove bribery risk |
| “The customer is regulated, so no risk exists” | Risk may be lower, not zero |
| “Only compliance owns financial crime risk” | First line owns risk; compliance advises and monitors |
| “If outsourced, the vendor is responsible” | The firm remains responsible for oversight |
| “Source of funds and source of wealth are the same” | They answer different questions |
| “Tipping-off only means telling the customer a SAR was filed” | Any disclosure that prejudices an investigation may be problematic |
| “Tax avoidance and tax evasion are identical” | Evasion is dishonest/criminal; avoidance may be legal but still risky |
| “Market abuse only matters if profit is made” | Attempts and misleading signals can still be serious |
Rapid scenario review
Scenario 1: unexplained third-party payment
A new investment client receives a large payment from an unrelated third party and asks for it to be invested immediately.
Best response:
- Do not process automatically.
- Ask for commercial rationale and source of funds evidence.
- Consider third-party payment, layering, and fraud risk.
- Escalate if explanation is weak or suspicious.
- Document the decision.
Scenario 2: possible sanctions name match
A customer name partially matches a sanctions list, but the date of birth is missing from the customer file.
Best response:
- Treat as a possible match.
- Obtain or verify additional identifiers if appropriate.
- Escalate according to sanctions procedures.
- Do not assume false positive without evidence.
Scenario 3: PEP with legitimate wealth
A PEP provides credible evidence of wealth from a long-standing business.
Best response:
- Do not automatically reject.
- Apply required EDD.
- Verify source of wealth and source of funds.
- Obtain approvals where required.
- Apply ongoing monitoring.
Scenario 4: suspicious client communication
A client says, “Please do not ask questions about where the money came from; just split it into smaller transfers.”
Best response:
- Recognise structuring and concealment risk.
- Escalate internally.
- Avoid tipping-off.
- Do not assist the activity while concerns are unresolved.
Scenario 5: agent requests unusual commission
An overseas consultant asks for a success fee paid to an offshore account after helping obtain a government contract.
Best response:
- Treat as bribery/corruption risk.
- Perform enhanced due diligence on the agent.
- Review contract, services, payment rationale, and approvals.
- Escalate if unexplained or policy-breaching.
Last-week review priorities
Use this checklist before mock exams:
- Can you explain placement, layering, and integration with examples?
- Can you distinguish money laundering from terrorist financing?
- Can you identify beneficial ownership and control risks?
- Can you separate source of funds from source of wealth?
- Can you choose between CDD, EDD, SDD, monitoring, escalation, and exit?
- Can you resolve sanctions false positives vs possible true matches?
- Can you identify tipping-off risk?
- Can you spot bribery through gifts, agents, donations, or facilitation payments?
- Can you recognise fraud, cyber fraud, and market abuse indicators?
- Can you explain the roles of first line, second line, third line, MLRO/nominated officer, and senior management?
- Can you justify decisions using a risk-based approach?
How to connect this review to practice
After reviewing each section, use a question bank in this order:
- Topic drills for weak areas: CDD, sanctions, bribery, SAR/STR, fraud, market abuse.
- Mixed sets to practise switching between financial crime topics.
- Mock exams to build timing and best-answer discipline.
- Detailed explanations to understand why attractive wrong answers are wrong.
Your next step: choose one high-yield topic from this page, complete a short set of original practice questions, then review every explanation before moving to the next topic.