Study financial crime risk management for CISI Combating Financial Crime, with a UK-specific reading frame built around the official chapter structure and exam weighting.
This chapter shifts from offence categories to control design. Financial-crime risk management is where the qualification becomes operational: how a firm identifies exposure, calibrates controls, trains staff, monitors behaviour, escalates problems, and keeps governance credible. The strongest answers think in programmes rather than one-off fixes. They recognise that a firm’s product set, delivery channels, geography, customer mix, and culture all shape the control framework it needs.
| Check | What matters |
|---|---|
| Official topic weighting | 8% |
| Core distinction under pressure | Separate risk identification from control design, and separate formal policy from the practical safeguards that actually reduce exposure. |
| Strongest use of this page | Read it before timed sets so questions about framework, safeguards, and risk assessment feel connected rather than procedural. |
| UK note | Keep the UK frame active: enterprise financial-crime risk assessment, FCA expectations, MLRO, training, monitoring, governance, and GBP when a monetary example helps. |
The exam usually tests whether the candidate can build a sensible financial-crime control response from the firm’s risk profile. A payments firm, wealth manager, private bank, broker, and online onboarding platform do not face identical risks or need identical safeguards.
It also tests whether you understand that controls work as a system. Risk assessment, due diligence, sanctions screening, transaction monitoring, training, escalation, internal reporting, governance, and audit trail all need to reinforce each other.
| Section | Main exam angle |
|---|---|
| Considerations for the financial-services sector | If the firm type, channel, geography, or customer base matters, the question is usually about risk profile |
| Risk identification and assessment | If the stem asks how a firm should judge exposure, think enterprise assessment before control selection |
| Practical business safeguards | If the question asks what to implement, move into monitoring, training, screening, governance, and escalation |
Financial-services firms differ in how criminals may try to use them. High-volume payments create different laundering and sanctions risks from long-term wealth products. Cross-border client bases, non-face-to-face onboarding, politically exposed customers, and complex legal structures all change the control demand.
The stronger answer usually starts by asking what type of firm or service is described and why that changes the risk picture.
Financial-crime risk assessment should be structured and revisited regularly. The point is not to produce a decorative document. It is to identify where the firm is vulnerable across customer, product, geography, transaction, channel, delivery model, and third-party dimensions.
A good assessment supports proportional control. It should also inform governance, resource allocation, training focus, monitoring intensity, and review cycle.
Safeguards include CDD, EDD, screening, transaction monitoring, staff training, whistleblowing channels, escalation routes, management information, governance committees, record keeping, and periodic independent review. The exam often tests whether the candidate can choose the control that best matches the risk rather than listing every control available.
A strong answer also recognises the human dimension. Well-written procedures fail if staff are undertrained, unsupported, or discouraged from escalating concerns.
```mermaid
flowchart TD
    A["Business model, customers, products, channels, geographies"] --> B["Financial-crime risk assessment"]
    B --> C["Proportionate controls and safeguards"]
    C --> D["Monitoring, escalation, and management information"]
    D --> E["Governance review and control improvement"]
```
A digital investment platform expands into several new jurisdictions and introduces fully remote onboarding. Which is the strongest first control step?
Answer: B.
New jurisdictions and remote onboarding can materially change exposure. The strongest first step is to refresh the firm’s assessment and then align controls to the revised risk profile.