CISI Combating Financial Crime study guide for screening, designation, and enforcement, with learning objectives, UK control cues, and exam traps.
Screening, designation, and enforcement belongs to the CISI Combating Financial Crime Financial Sanctions exam topic, weighted at 4%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Screening | Comparing customer, counterparty, beneficial-owner, payment, and connected-party data against relevant sanctions data. |
| False positive | A potential match that is resolved as not being the listed person or entity, with documented reasoning. |
| Possible match | An unresolved alert requiring investigation, escalation, and controlled handling before activity continues. |
| Confirmed match | A match that triggers sanctions procedures such as freezing, blocking, reporting, rejection, or licensing analysis. |
| Data quality | The completeness and accuracy of names, dates, addresses, identifiers, ownership data, and payment fields used for screening. |
Sanctions screening is wider than customer-name matching. In a financial-services firm, screening can involve customers, beneficial owners, controllers, directors, trustees, signatories, introducers, counterparties, payment beneficiaries, ordering institutions, correspondent banks, vessels, goods descriptions, locations, and free-text payment messages.
The correct exam answer usually depends on the point in the workflow. Onboarding screening tests whether the relationship can be opened. Payment screening tests whether a transaction can proceed. Ongoing screening tests whether a new designation, ownership change, or list update has changed the risk profile.
The first exam decision is usually where the sanctions risk appears. A customer-onboarding alert, a payment-screening hit, and a post-list-update match do not have identical operational consequences, but all require controlled handling.
| Workflow point | What should be screened | Better control question |
|---|---|---|
| onboarding | customer, beneficial owners, controllers, directors, trustees, signatories, and introducers | can the relationship be opened without making funds or services available to a restricted party? |
| periodic review | refreshed customer data, ownership changes, new directors, and changed business activity | has the customer’s sanctions exposure changed since onboarding? |
| payment processing | payer, payee, banks, agents, references, vessels, routes, locations, and free-text fields | can the transaction proceed before the alert is resolved? |
| corporate action | issuers, custodians, intermediaries, beneficial owners, and distributions | would an entitlement or payment benefit a designated person? |
| exit or account closure | recipient, account destination, owner, and any frozen or restricted asset | would returning funds breach an asset freeze or licence condition? |
| list update | existing customers, counterparties, owners, pending transactions, and open alerts | does a new designation create immediate exposure? |
The strongest answer ties screening to a business process. A firm that screens only the named customer at onboarding may still miss a sanctioned beneficial owner, payment beneficiary, vessel, intermediary bank, or newly designated connected party.
Name screening asks whether a party appears to be the same person or entity as a sanctions-list entry. Ownership and control screening asks whether a non-listed entity may still be restricted because a designated person owns or controls it. CISI questions often test this second point because the direct customer can appear clean while the parent, controller, trustee, or beneficiary creates the issue.
| Screening angle | What to compare | Common trap |
|---|---|---|
| exact or fuzzy name match | names, aliases, dates of birth, addresses, nationalities, identifiers | clearing a weak match without checking identifiers |
| beneficial ownership | shareholders, voting rights, ownership percentages, trusts, nominees | assuming the direct customer name is enough |
| control | board appointments, veto rights, management influence, contractual control | treating control as only share ownership |
| payment party | originator, beneficiary, banks, agents, message fields | screening only the firm’s direct customer |
| goods, vessel, or location | shipment data, vessel names, ports, goods descriptions, jurisdictions | missing sectoral or trade-related sanctions exposure |
In exam scenarios, “not listed” is not the end of the analysis. The better answer asks who benefits, who controls the entity, who receives the resources, and whether the activity falls within a restricted sector, service, or jurisdiction.
| Alert stage | Better control response |
|---|---|
| Initial alert | Do not assume it is false; compare identifiers and preserve the system record. |
| False-positive review | Document why the alert is not the listed person or entity. |
| Possible match | Escalate to sanctions specialists or compliance; do not process routinely. |
| Confirmed match | Apply the relevant freeze, block, reject, report, or licence process. |
| Post-event review | Test why the alert arose, whether similar exposure exists, and whether rules or data need improvement. |
The exam often turns on whether the firm has enough evidence to clear an alert. A false positive is not a mere inconvenience; it is a documented conclusion that the alerted party is not the listed party. A possible match is unresolved and should not be processed as ordinary business. A confirmed match moves the firm into sanctions procedures.
| Alert status | Evidence position | Typical action |
|---|---|---|
| false positive | identifiers reasonably distinguish the party from the listed person or entity | document the rationale and release only if no other restriction applies |
| possible match | data is incomplete, conflicting, or too close to clear | pause routine processing and escalate to sanctions specialists |
| confirmed match | identifiers or ownership/control analysis support a match | freeze, block, reject, report, or seek licence guidance as applicable |
| inconclusive ownership | entity is not listed but may be owned or controlled by a designated person | escalate and avoid making funds or resources available until resolved |
| stale-list uncertainty | system or list update may be out of date | verify against authoritative data and remediate list-management weakness |
Customer reassurance rarely resolves an alert on its own. A customer may be mistaken, self-interested, or unaware of ownership and control restrictions. The firm needs independent evidence, documented reasoning, and the correct escalation route.
| Investigation item | Why it matters |
|---|---|
| full legal name and aliases | sanctions lists often include aliases, spelling variations, and transliterations |
| date and place of birth | helps distinguish common-name false positives |
| nationality and address | supports match analysis and jurisdictional context |
| registration number or identifier | helps compare entities with similar names |
| ownership and control information | identifies non-listed entities restricted through designated owners or controllers |
| transaction purpose and parties | determines whether funds or services are being made available |
| payment route and intermediaries | identifies banks, agents, locations, or message fields with sanctions exposure |
| list source and update time | confirms whether the system used current data |
| decision rationale | creates audit evidence for clearance, escalation, blocking, or reporting |
The investigation should be proportionate but not casual. A low-quality note such as “not our customer” or “client says okay” is weak because it does not show how the firm resolved the alert.
Designation means a person or entity has been listed under a sanctions regime. Delisting or variation changes the legal position but should not be assumed from rumour, customer assertion, or media reports alone. A licence may permit specific activity, but only within its terms. The firm should not treat a licence as a general exemption from sanctions controls.
For CISI scenarios, watch for questions where a customer claims an exemption, asks the firm to process urgently, or provides incomplete evidence of delisting. The stronger answer is controlled escalation and verification against authoritative information.
Designation changes the legal position immediately for affected activity. Delisting or variation can also change the position, but firms should verify it through reliable sources and update systems in a controlled way. A rumour, press article, or customer letter does not replace formal evidence.
| Fact pattern | Better exam response |
|---|---|
| new designation appears after onboarding | rescreen existing exposure, stop relevant activity, and assess reporting/freezing obligations |
| customer says they have been delisted | verify against authoritative information before changing restrictions |
| entity name is similar but identifiers differ | document false-positive reasoning if evidence supports clearance |
| entity is not listed but owned by a designated person | escalate ownership/control analysis and pause relevant activity |
| licence permits a specific payment | process only within the licence terms and retain evidence |
| licence conditions are unclear | escalate to sanctions/legal specialists before processing |
Sanctions handling is not one universal action. Depending on the regime and facts, a firm may need to freeze assets, block or reject a payment, refrain from providing services, report to an authority, seek a licence, or maintain restrictions until the legal position is clarified.
| Action concept | What it means in practice | Exam trap |
|---|---|---|
| freeze | restrict dealing with funds or economic resources | releasing funds during account closure |
| block or stop | prevent processing of a transaction or service | allowing payment because it is urgent |
| reject | decline or return a transaction where appropriate | returning funds to a restricted beneficiary |
| report | notify the relevant authority or internal function where required | treating a match as only an internal operations issue |
| licence | rely on specific permission for limited activity | treating a licence as a blanket exemption |
| monitor | continue controlled oversight after a decision | assuming one clearance resolves future list changes |
The exact legal requirement depends on the sanctions regime and circumstances. For exam purposes, the safe principle is to stop ordinary processing while the possible prohibition is unresolved and route the matter to the appropriate sanctions-control function.
Screening effectiveness depends on data quality. Poor name capture, missing dates of birth, incomplete ownership records, transliteration variation, aliases, abbreviations, and incomplete payment fields can create false negatives or excessive false positives. A system can be technically in place but still ineffective if the input data is poor or the matching rules are badly calibrated.
| Data issue | Exam implication |
|---|---|
| Missing beneficial owner | Screening misses the person who actually controls the customer. |
| Name transliteration variation | Fuzzy matching and alias logic become important. |
| Incomplete payment message | The firm may not detect a restricted bank, vessel, location, or beneficiary. |
| Overly narrow matching | Possible sanctions exposure may be missed. |
| Overly broad matching with poor review | Alerts may be cleared without meaningful investigation. |
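
The transliteration and overly-narrow-matching rows above, together with the alert-status evidence positions earlier in this guide, worked through as an added Python example (not part of the original guide and not any screening vendor's logic). The list entry, the party records, the thresholds of 0.85 and 0.95, and the use of date of birth as the only identifier are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list entry (fictional person, not taken from any real sanctions list).
LISTED = [
    {"name": "Aleksandr Petrov", "aliases": ["Alexander Petroff"], "dob": "1970-03-14"},
]


def normalise(name):
    """Fold accents, case, punctuation and token order before comparing."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = "".join(c if c.isalnum() else " " for c in text).split()
    return " ".join(sorted(tokens))


def name_score(candidate, entry):
    """Best similarity (0..1) against the entry's primary name and aliases."""
    cand = normalise(candidate)
    return max(SequenceMatcher(None, cand, normalise(n)).ratio()
               for n in [entry["name"], *entry["aliases"]])


def triage(party, threshold):
    """Return (status, score) for one screened party."""
    entry = max(LISTED, key=lambda e: name_score(party["name"], e))
    score = round(name_score(party["name"], entry), 3)
    if score < threshold:
        return "no alert", score            # below threshold: nobody reviews it
    dob = party.get("dob")
    if not dob:
        return "possible match", score      # incomplete data: escalate, do not clear
    if dob == entry["dob"]:
        return "confirmed match", score     # identifier supports the match
    return "false positive", score          # identifier distinguishes; document why


if __name__ == "__main__":
    parties = [  # constructed screening inputs
        {"name": "Alexandr Petrov", "dob": "1970-03-14"},    # transliteration variant
        {"name": "PETROV, Aleksandr"},                       # reordered, no DOB captured
        {"name": "Alexander Petroff", "dob": "1988-11-02"},  # same name, different DOB
        {"name": "Maria Gonzalez", "dob": "1970-03-14"},
    ]
    for threshold in (0.85, 0.95):
        print(threshold, [triage(p, threshold) for p in parties])
```

At the 0.85 threshold the transliterated name alerts and the date of birth confirms it; at 0.95 the same party produces no alert at all, which is the false negative that overly narrow matching creates.
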
Screening tools require governance. If thresholds are too narrow, true matches may be missed. If thresholds are too broad, staff may face high alert volumes and clear alerts mechanically. The exam may describe either problem as a control weakness.
| Control area | What good practice looks like |
|---|---|
| list management | timely ingestion of relevant lists, testing after updates, and exception reporting |
| matching rules | documented thresholds that reflect risk, products, jurisdictions, and data quality |
| alert workflow | clear ownership, deadlines, escalation levels, and maker-checker review |
| quality assurance | sample testing of false-positive closures and possible-match escalations |
| management information | alert volumes, overdue items, true matches, overrides, and tuning changes |
| change control | documented approval and testing before major rule or data changes |
| staff training | role-specific guidance for payments, onboarding, operations, and relationship teams |
An exam answer that says “install screening software” is usually incomplete. The stronger answer adds governance, tuning, review quality, escalation, and evidence.
Enforcement risk usually arises when the firm fails to stop, freeze, report, or control activity after a sanctions issue becomes apparent. It can also arise from poor systems, stale data, unsupported overrides, weak list management, or failure to identify ownership and control.
| Enforcement cue | Why it matters |
|---|---|
| alert was overridden without evidence | suggests governance and audit-trail failure |
| list updates were not loaded | system may have missed a new designation |
| payment released while match unresolved | possible breach of sanctions prohibition |
| ownership data was missing | firm could not screen the real controller |
| staff relied on customer reassurance | independent verification was absent |
| licence condition was ignored | permitted activity may have become prohibited |
| repeated false-positive closures were poor | quality assurance and training may be ineffective |
Enforcement scenarios normally require more than fixing the individual alert. The firm should preserve the audit trail, assess whether a breach occurred, report or notify where required, remediate the control weakness, and test whether similar failures exist elsewhere.
| Scenario cue | Better answer pattern |
|---|---|
| urgent payment with possible match | pause ordinary processing and investigate before release |
| customer says the alert is a common-name issue | compare identifiers and document the decision; do not rely only on assertion |
| listed person may control parent company | escalate ownership/control analysis and restrict relevant activity |
| new sanctions list update after onboarding | rescreen affected customers, counterparties, and pending transactions |
| free-text payment field mentions restricted location | investigate payment details, not only named parties |
| licence is provided for one transaction | verify terms and process only within the permitted scope |
| alert backlog leads to manual releases | treat as a sanctions governance and possible breach issue |
A payment-screening system flags a beneficiary name as a possible sanctions match. The payment is urgent, and the relationship manager says the customer has used the beneficiary before without problems. What is the best next step?
A. Process the payment because previous payments were not stopped.

B. Clear the alert if the customer confirms the beneficiary is legitimate.

C. Pause ordinary processing, investigate the alert using relevant identifiers, escalate if unresolved, and document the decision before any release of funds.

D. Disable fuzzy matching to reduce operational delay.
Answer: C. A possible sanctions match requires controlled investigation and escalation. Previous activity or customer reassurance does not clear the alert without evidence.
For final review, memorize the alert ladder: alert, false positive, possible match, confirmed match. The exam usually turns on whether the firm documents a false-positive clearance or escalates a possible match instead of processing routinely.
Add a second ladder for lifecycle coverage: onboarding, ongoing monitoring, payment screening, list update, and exit. Sanctions risk can appear at any stage, and a correct answer usually stops routine processing until the relevant stage-specific question has been resolved.