CISI Combating Financial Crime study guide for sanctions objectives and legal framework, with learning objectives, UK control cues, and exam traps.
Sanctions objectives and legal framework belongs to the CISI Combating Financial Crime Financial Sanctions exam topic, weighted at 4%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Financial sanctions | Legal restrictions on making funds, economic resources, financial services, or other benefits available to designated persons, entities, sectors, or jurisdictions. |
| Designated person | A person or entity listed under a sanctions regime. The risk may also extend to entities owned or controlled by that person. |
| Asset freeze | A restriction that prevents dealing with funds or economic resources belonging to, owned, held, or controlled by a designated person. |
| Ownership and control | The analysis that looks beyond the direct customer to beneficial owners, controllers, parent companies, signatories, counterparties, and connected entities. |
| Licensing | A legal permission route for limited activity that would otherwise be prohibited, subject to conditions. |
Financial sanctions are not just another form of customer due diligence. They are legal restrictions designed to support foreign-policy, national-security, counter-terrorism, human-rights, anti-proliferation, or conflict-related objectives. A firm may be required to stop activity even where the customer looks commercially legitimate and there is no ordinary AML suspicion.
The exam often tests this distinction. AML asks whether funds may be criminal property or whether suspicious activity should be reported. Sanctions asks whether the firm is prohibited from dealing with a person, entity, sector, jurisdiction, vessel, goods flow, service, or economic resource. The strongest answer keeps those questions separate, then coordinates them where both risks appear.
Sanctions are used for several public-policy purposes. The exact objective matters less for CFC than the practical result: the firm may be prohibited from dealing, making resources available, providing services, or processing activity unless a licence or exemption applies.
| Objective | Practical control implication |
|---|---|
| national security | stop activity connected to designated persons, entities, or restricted sectors |
| counter-terrorism | screen parties, beneficiaries, and payment routes even where funds may be lawful |
| anti-proliferation | identify goods, technology, shipping, financing, or trade-service exposure |
| human rights or conflict measures | consider jurisdictional, sectoral, ownership, and service restrictions |
| foreign-policy pressure | apply legal prohibitions even when the customer relationship appears commercial |
| asset freeze | prevent funds or economic resources from being moved, used, or made available |
The exam trap is to treat sanctions as a reputational preference. Sanctions are legal restrictions. If a prohibition applies, ordinary commercial attractiveness, customer importance, or absence of AML suspicion does not permit routine processing.
Use a prohibition-first sequence in sanctions questions:
| Step | Question to ask | Better exam response |
|---|---|---|
| identify the regime or restriction | is there a listed person, restricted sector, jurisdiction, service, vessel, or goods flow? | classify the issue as sanctions before generic AML |
| identify the direct party | is the customer, counterparty, bank, beneficiary, or issuer listed? | stop relying on customer risk rating alone |
| identify ownership and control | is a non-listed entity owned or controlled by a designated person? | escalate and pause relevant activity |
| identify what is being made available | funds, economic resources, services, securities, credit, advice, or other benefit | assess whether the firm would breach a prohibition |
| identify permissions | is there a licence, exemption, or permitted purpose? | verify exact terms before processing |
| document and escalate | who reviewed, what evidence was used, and what action was taken? | preserve audit trail and involve sanctions specialists |
This order prevents a common wrong answer: treating a sanctions issue as only “higher risk” and continuing while due diligence is improved. In sanctions, the first question is whether activity is legally allowed at all.
| Source or authority | Practical exam meaning |
|---|---|
| UN sanctions | International measures that member states implement through domestic or regional law. |
| UK sanctions framework | The legal basis for UK prohibitions, designations, licensing, reporting, and enforcement. |
| OFSI | The UK financial-sanctions authority associated with implementation guidance, licensing, reporting, and civil enforcement. |
| OFAC-style authority | A useful comparative cue for US sanctions exposure, especially where US persons, US dollars, or US nexus appears. |
| National list updates | The firm must maintain current screening data and apply changes promptly. |
Sanctions exposure can arise from more than a named customer. A question may hide the issue in payment data, ownership, services, products, or jurisdictional nexus.
| Exposure source | Example clue |
|---|---|
| customer or counterparty | direct name appears on a relevant sanctions list |
| beneficial owner or controller | parent, shareholder, trustee, or director is designated |
| beneficiary or payment bank | payment party or intermediary bank creates sanctions concern |
| sector or service | financing, advice, securities services, insurance, or trade support is restricted |
| jurisdiction or region | activity touches a restricted country, area, or route |
| vessel, goods, or shipping route | trade or transport data signals restricted goods or evasion |
| US nexus | US dollars, US persons, US technology, or US clearing may introduce additional exposure |
| licence condition | activity is allowed only within narrow terms and records |
The correct response is not to memorize every regime. It is to identify the exposure route and stop ordinary processing until the legal and control position is resolved.
For CFC, authority roles matter because they explain where lists, guidance, licences, and enforcement expectations come from.
| Authority or source | What it does in practical terms |
|---|---|
| UN | creates international measures that states implement through domestic or regional law |
| UK sanctions framework | sets UK prohibitions, designations, licensing powers, reporting duties, and enforcement mechanisms |
| OFSI | supports UK financial-sanctions implementation, guidance, licensing, reporting, and civil enforcement |
| FCA or firm regulator | assesses systems, controls, governance, and regulated-firm conduct where relevant |
| OFAC-style US authority | creates US sanctions exposure where US nexus exists |
| internal sanctions function | interprets the firm’s exposure, escalates matches, and controls processing |
Do not answer as if one authority alone solves the firm’s obligation. A UK firm may need to consider UK requirements, international list updates, customer location, transaction route, and any US or other nexus shown in the stem.
Sanctions risk can sit behind the customer. A company may not be named on a sanctions list, but it may be owned or controlled by a designated person. A payment may not name a sanctioned customer, but the beneficiary, bank, vessel, director, beneficial owner, or counterparty may create a prohibition.
For exam purposes, do not stop at the first name screen. Ask:
| Red flag | Why it matters |
|---|---|
| complex holding company | designated ownership may be hidden above the customer |
| nominee shareholder or director | real control may not match legal title |
| voting rights or board appointment powers | control may exist without simple majority ownership |
| sudden ownership transfer after designation | possible sanctions evasion or circumvention |
| trust, foundation, or opaque vehicle | beneficiaries and controllers may be difficult to identify |
| customer refuses ownership evidence | firm cannot complete sanctions analysis |
| payment benefits a connected party | resources may indirectly reach a designated person |
The exam may use “controlled by” rather than “owned by” for a reason. Control can arise through voting rights, appointment powers, contractual influence, family relationships, or practical ability to direct the entity. A clean customer-name screen does not resolve those issues.
Sanctions questions often turn on what the firm would make available. The restricted benefit may not be cash alone.
| Item | Example |
|---|---|
| funds | cash, payments, securities, dividends, interest, or account balances |
| economic resources | assets that can be used to obtain funds, goods, or services |
| financial services | brokerage, custody, lending, payment services, insurance, or advisory services |
| securities activity | settlement, transfer, redemption, distribution, or corporate action |
| credit or financing | loans, guarantees, trade finance, or delayed payment terms |
| professional support | structuring, arranging, facilitating, or advising on restricted activity |
This is why the stronger answer may stop account closure, redemption, or return of funds. Sending money away can still make funds available to a restricted person.
Sanctions obligations apply across the customer lifecycle. Screening only at onboarding is not enough because lists, ownership structures, counterparties, and transactions change.
| Lifecycle point | Sanctions-control expectation |
|---|---|
| Onboarding | Screen customers, beneficial owners, controllers, directors, and relevant connected parties. |
| Ongoing monitoring | Refresh screening when lists or customer data change. |
| Payment processing | Screen payment parties, messages, banks, vessels, goods, routes, and jurisdictions where relevant. |
| Corporate action or restructuring | Reassess ownership and control after acquisitions, transfers, or governance changes. |
| Exit or closure | Avoid releasing funds or resources in a way that breaches an asset freeze. |
| Lifecycle scenario | Better response |
|---|---|
| new customer screens clear but parent is later identified | escalate ownership/control analysis and pause relevant activity |
| list update creates match for existing customer | rescreen exposure and assess freeze, reporting, and licence implications |
| payment includes restricted bank in message field | stop processing and investigate payment-party exposure |
| customer requests immediate account closure after designation news | do not release funds until sanctions position is resolved |
| licence is produced for limited activity | verify scope, parties, value, timing, and reporting conditions |
| corporate acquisition changes ownership | refresh ownership/control review before continuing activity |
| sector restriction applies without name match | assess the service or product restriction, not just name screening |
| AML question | Sanctions question |
|---|---|
| are funds criminal property or suspicious? | is the firm prohibited from dealing? |
| should activity be reported to the MLRO or FIU? | must funds be frozen, blocked, reported, rejected, or licensed? |
| does customer risk require CDD or EDD? | does a listed or controlled party create a legal restriction? |
| can monitoring continue while risk is assessed? | should ordinary processing stop until the prohibition is resolved? |
| is the issue suspicious movement of value? | is making value available legally restricted? |
Some scenarios include both. For example, a designated person using nominees may raise sanctions, laundering, and evasion concerns. The correct answer should still treat sanctions as a prohibition-first issue.
Licences and exemptions are narrow. They do not make the customer “safe” generally, and they do not remove the need for controls.
| Licence issue | Better response |
|---|---|
| licence covers only legal fees | do not use it for unrelated payments |
| licence covers a specific party | verify the customer, beneficiary, and intermediaries match the permission |
| licence has reporting conditions | retain records and comply with reporting requirements |
| licence period expires | stop relying on it unless renewed or varied |
| customer says licence exists but cannot provide details | escalate and verify before processing |
| activity falls outside stated purpose | treat as unresolved sanctions risk |
A UK firm onboards a trading company that is not itself listed. Later due diligence shows that a designated person may control the company’s parent through voting rights and board appointment powers. What is the best sanctions-control response?
A. Continue business because only exact name matches matter. B. Treat the case as ordinary AML only and ignore sanctions unless criminal proceeds are identified. C. Escalate the ownership/control issue, pause relevant activity where required, assess whether funds or economic resources may be made available, and consider reporting or licensing obligations. D. Close the file without documenting the analysis because the customer name is clear.
Answer: C. Sanctions analysis extends beyond exact customer-name matching. Ownership and control can create a prohibition or reporting issue even where the direct customer is not listed.
For final review, write “sanctions = prohibition first.” The first question is whether the firm is legally restricted from dealing, making resources available, processing, releasing funds, or providing services. Only after that should you layer AML, CDD, suspicious activity, or wider financial-crime analysis.
Also practise naming the exposure route: listed customer, controlled entity, payment party, restricted sector, restricted jurisdiction, licence condition, or US nexus. That prevents generic “high-risk customer” answers when the scenario is really a legal prohibition problem.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.