CISI Combating Financial Crime study guide for fraud concepts and the UK Fraud Act 2006, with learning objectives, UK control cues, and exam traps.
Fraud concepts and the UK Fraud Act 2006 belongs to the CISI Combating Financial Crime Fraud and Market Abuse exam topic, weighted at 4%. Study this page as the legal and control foundation for fraud scenarios. The exam is unlikely to ask for courtroom pleading detail, but it can test whether you recognise dishonest conduct, classify the route under the Act, identify the intended gain or loss, and choose a defensible firm response.
| Concept | What to know for CISI CFC review |
|---|---|
| Fraud | Dishonest conduct intended to make a gain, cause a loss, or expose another person to risk of loss. |
| False representation | A dishonest representation that is untrue or misleading, made by words, conduct, or electronic communication, where the person knows it is, or might be, untrue or misleading. |
| Failure to disclose | Dishonestly failing to disclose information where there is a legal duty to disclose it. |
| Abuse of position | Dishonestly abusing a position in which a person is expected to safeguard, or not act against, another person’s financial interests. |
| Gain or loss | The analysis turns on intent: an intended gain for oneself or another, an intended loss to another, or an intended exposure of another to risk of loss. Gain and loss mean money or other property, and the offence is complete without any actual loss occurring. |
| Articles for use in fraud | Documents, credentials, templates, devices, or data may be relevant if held or made for dishonest use. |
| Control implication | Fraud prevention depends on verification, approvals, segregation of duties, reconciliation, access control, and escalation. |
The UK Fraud Act 2006 is useful for CISI CFC because it organizes fraud around dishonest behaviour, not only physical theft. A fraud scenario may involve a customer, employee, supplier, intermediary, issuer, adviser, cyber-enabled impostor, or connected third party. The conduct may appear in a loan application, payment instruction, procurement file, client onboarding pack, trade support process, expense claim, or digital account-change request.
For exam purposes, the Act gives you a classification map. The three core fraud routes are false representation, failure to disclose information, and abuse of position. Other related offences, such as possession or supply of articles for use in fraud and obtaining services dishonestly, help explain why preparatory tools, credentials, and dishonest access to services can matter even before a firm sees a simple cash theft.
Start with three questions: which route under the Act does the conduct fit, what gain or loss was intended and who bears the exposure, and which control should have challenged the conduct and what the firm should do now.
The strongest answer normally combines all three. A response that says only “this is fraud” is too thin. A response that identifies a false representation, links it to a payment or onboarding decision, pauses the transaction, preserves evidence, and escalates to the correct function is closer to the exam standard.
Use a short decision sequence when a question gives several facts. This keeps the legal classification connected to the practical control response.
| Step | Question | Why it matters |
|---|---|---|
| identify the statement, omission, or role | What did the person say, hide, or misuse? | separates false representation, failure to disclose, and abuse of position |
| test dishonesty indicators | Is the conduct inconsistent with an honest explanation? | prevents treating every error or poor process as fraud |
| identify intended gain or loss | Who benefits and who is exposed to loss? | links the behaviour to the Act’s gain-or-loss logic |
| identify the process attacked | onboarding, payments, procurement, trading support, expenses, reconciliations, or client service | points to the control that should have challenged the conduct |
| preserve evidence | Which records, logs, instructions, approvals, or communications matter? | protects the investigation and any reporting decision |
| escalate and contain | Who has authority to stop, investigate, report, or remediate? | avoids informal handling by staff who may damage evidence |
| Category | Typical financial-services example | Control angle |
|---|---|---|
| Fraud by false representation | A customer submits false identity documents, a supplier submits false invoices, or an employee misstates payment details. | verification, authentication, invoice matching, document validation, and independent confirmation |
| Fraud by failing to disclose information | A person with a duty to disclose a material fact hides it to obtain a benefit or avoid a loss. | disclosure obligations, declarations, attestations, exception review, and supervisory challenge |
| Fraud by abuse of position | An employee uses account access, approval authority, procurement influence, or client trust for personal gain. | segregation of duties, access review, conflict controls, approvals, reconciliation, and monitoring |
| Possession of articles for use in fraud | A person holds tools, credentials, templates, forged documents, malware, or data intended for dishonest use; under the Act an article includes any program or data held in electronic form. | information security, credential controls, device monitoring, document controls, and investigation |
| Making or supplying articles for fraud | A person creates or distributes templates, false documents, credential packs, or other fraud-enabling tools. | vendor controls, cyber controls, staff conduct review, and linked-case analysis |
| Obtaining services dishonestly | A person obtains, by a dishonest act, services that are provided on the basis that they will be paid for, knowing this and intending not to pay or not to pay in full. | customer due diligence, payment controls, onboarding checks, and credit or service approval controls |
False representation is the most visible fraud route. A representation can be made by words, conduct, documents, electronic messages, data input, or system use. It does not have to be a formal signed statement. In financial services, a false representation may be embedded in an application form, identity document, beneficial-owner declaration, invoice, trade instruction, settlement account change, employment record, expense claim, or supplier certification.
The exam may signal false representation through mismatched documents, altered dates, fabricated invoices, unverifiable identities, false source-of-funds explanations, misleading ownership information, false client instructions, or inconsistent digital evidence. The better response is not simply to ask for a new document if the facts show active dishonesty. The firm should decide whether to pause the process, verify independently, preserve the record, and escalate for financial-crime review.
| False-representation clue | Stronger control response |
|---|---|
| identity document does not match database checks | pause onboarding and escalate for enhanced verification |
| supplier invoice lacks contract, purchase order, or delivery evidence | match invoice to independent procurement records before payment |
| payment instruction comes from a lookalike domain | use trusted contact details and do not rely on the suspicious channel |
| employee enters false adjustment code | preserve system logs and review approval and reconciliation controls |
| client states funds are salary but documents show unexplained third-party transfers | challenge source-of-funds explanation and consider AML escalation |
The key exam distinction is error versus dishonest representation. A typographical mistake may require correction. A fabricated document, repeated inconsistent story, or deliberate use of a false channel points to a fraud concern and should trigger evidence-preserving escalation.
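The lookalike-domain cue in the table above is one of the few false-representation signals a firm can test mechanically before a human reads the instruction. The following is an added example written for this guide, not code from CISI or from any firm's system: it classifies the sender domain of each inbound payment instruction against the supplier domains held on the vendor master file and maps the verdict to the control response the guide recommends (pause, preserve, confirm through trusted contact details, never through the suspicious channel). The trusted domain list, the sample instructions, the confusable-character table and the two-part-suffix set are all constructed assumptions.

```python
"""Lookalike-domain triage for inbound payment instructions.

Added example for this guide (not code from CISI or the Fraud Act text). The
trusted supplier domains and the instructions below are constructed sample data.
"""

# Character sequences that read the same at a glance: (lookalike, genuine). Assumed list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Second-level suffixes treated as part of the TLD (assumption, not a full public-suffix list).
TWO_PART_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def _skeleton(label: str) -> str:
    """Collapse a domain label to a visual skeleton so homoglyph and hyphen variants compare equal."""
    s = label.lower()
    for lookalike, genuine in CONFUSABLES:
        s = s.replace(lookalike, genuine)
    return s.replace("-", "")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of one catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, suffix): 'northgate-supplies.co.uk' -> ('northgate-supplies', 'co.uk')."""
    parts = domain.lower().strip().split(".")
    if len(parts) >= 3 and parts[-2] in TWO_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def classify_sender(sender_domain: str, trusted_domains: set[str]) -> str:
    """Classify a sender domain as TRUSTED, LOOKALIKE or UNKNOWN against the vendor master file."""
    sender_domain = sender_domain.lower().strip()
    if sender_domain in trusted_domains:
        return "TRUSTED"
    s_label, s_suffix = split_domain(sender_domain)
    for trusted in trusted_domains:
        t_label, t_suffix = split_domain(trusted)
        if s_label == t_label and s_suffix != t_suffix:
            return "LOOKALIKE"  # same name, swapped TLD (.com for .co.uk)
        if _skeleton(s_label) == _skeleton(t_label):
            return "LOOKALIKE"  # homoglyph (rn/m, 0/o) or hyphen variant
        if len(t_label) >= 5 and _levenshtein(s_label, t_label) <= 1:
            return "LOOKALIKE"  # one-character typo-squat
    return "UNKNOWN"


def triage_instruction(instruction: dict, trusted_domains: set[str]) -> dict:
    """Decide the control response for one payment instruction.

    The lookalike case never replies on the inbound channel: confirmation goes
    to the contact already held on the vendor master file, and the message is kept.
    """
    sender_domain = instruction["sender"].rsplit("@", 1)[-1]
    verdict = classify_sender(sender_domain, trusted_domains)
    subject = instruction["subject"].lower()
    flags = [w for w in ("urgent", "confidential") if w in subject]  # pressure-tactic cues
    if verdict == "LOOKALIKE":
        action = "PAUSE_AND_ESCALATE"
    elif verdict == "UNKNOWN":
        action = "VERIFY_INDEPENDENTLY"
    elif instruction["new_bank_details"]:
        action = "CALLBACK_MASTER_FILE"  # genuine domain, but an account change still needs out-of-band confirmation
    else:
        action = "PROCESS"
    return {"id": instruction["id"], "verdict": verdict, "flags": flags, "action": action}


TRUSTED_SUPPLIER_DOMAINS = {"northgate-supplies.co.uk", "acmepayments.com"}  # constructed

SAMPLE_INSTRUCTIONS = [  # constructed
    {"id": "PI-1", "sender": "ap@northgate-supplies.co.uk", "subject": "Invoice 4471", "new_bank_details": False},
    {"id": "PI-2", "sender": "ap@northgate-supplies.com", "subject": "URGENT and confidential: new bank details", "new_bank_details": True},
    {"id": "PI-3", "sender": "finance@acrnepayments.com", "subject": "Remittance advice", "new_bank_details": True},
    {"id": "PI-4", "sender": "billing@riverside-logistics.com", "subject": "Statement", "new_bank_details": False},
]


def triage_all(instructions=SAMPLE_INSTRUCTIONS, trusted=TRUSTED_SUPPLIER_DOMAINS) -> list[dict]:
    return [triage_instruction(i, trusted) for i in instructions]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Two design points match the guide's control logic. A genuine domain does not by itself clear an instruction that changes bank details, so the TRUSTED path still routes to a callback using master-file contact details. And the check is deliberately tolerant (swapped suffix, homoglyph skeleton, single-character edit) because the cost of a false positive is a delayed payment, while the cost of a miss is a diverted one.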
Fraud by failing to disclose information is narrower than simply staying silent. The exam cue is a legal duty to disclose. Under the Act that duty may arise from statute, from a transaction of the utmost good faith such as an insurance contract, from the express or implied terms of a contract, from the custom of a particular trade or market, or from a fiduciary relationship such as agent and principal, which covers many employment and client-facing roles in financial services; regulatory requirements, application forms, and internal policies matter where they create or evidence such a duty, for example through an employment contract or a signed declaration. The person dishonestly withholds the information intending to make a gain, cause a loss, or expose another party to risk of loss.
In a financial-services setting, omission risk can appear when a client conceals beneficial ownership, an employee fails to disclose a conflict, a supplier hides a related-party relationship, an applicant omits previous sanctions exposure, or a staff member does not disclose outside business activity connected to firm transactions.
| Omission scenario | Why it matters |
|---|---|
| employee approves a vendor while hiding a family relationship | conflict concealment may support fraud and corruption concerns |
| client omits controlling-party information on an onboarding form | customer due diligence and beneficial-ownership controls may be defeated |
| supplier hides that services were not delivered | invoice approval may be based on a false commercial position |
| staff member fails to declare personal interest in a transaction | firm cannot manage conflict, market-abuse, or fraud risk |
| customer hides material account-control information | account opening, service provision, or transaction approval may be distorted |
The control response should focus on declarations, attestations, supervisory review, conflict registers, beneficial-owner checks, procurement due diligence, and escalation when a hidden fact appears material. A weak answer treats nondisclosure as only an administrative issue. A stronger answer asks whether the person had a duty to disclose and whether the omission was used to obtain an advantage or avoid a loss.
Abuse of position is especially important for financial-services controls because many fraud risks arise from trust, access, and authority. The person may be expected to safeguard another person’s financial interests or at least not act against them. An employee, manager, adviser, procurement officer, operations user, trustee-like role holder, or third-party service provider may misuse that position even if the external paperwork appears normal.
The exam often signals abuse of position through one person controlling too many steps, unexplained overrides, unusual access, suppressed reconciliation breaks, vendor relationships, dormant-account activity, manual adjustments, or customer instructions handled outside normal channels.
| Abuse-of-position clue | Control implication |
|---|---|
| same employee creates vendor, approves invoice, and reconciles payment | segregation of duties is ineffective |
| account manager changes client contact details before a withdrawal | access and independent confirmation controls should be reviewed |
| supervisor suppresses repeated exception reports | escalation and management review are not operating effectively |
| employee uses dormant client account for transfers | account monitoring and access controls require urgent review |
| procurement officer receives gifts from successful supplier | conflict, gifts-and-hospitality, and procurement controls are engaged |
For CISI CFC, abuse of position links legal classification with operational governance. The answer should not only name the fraud route. It should identify how the role was misused and which controls should be strengthened: access review, approval hierarchy, conflict checks, mandatory leave, independent reconciliation, whistleblowing, and management-information review.
Fraud analysis does not require a neat completed theft in the question stem. The Act’s logic includes intended gain, intended loss, and exposure to risk of loss. That is why a firm can treat a stopped payment, attempted account takeover, false invoice, or attempted vendor change as serious even if the money has not left the firm.
For exam purposes, identify the intended economic effect:
| Fact pattern | Gain/loss analysis |
|---|---|
| false invoice approved but not yet paid | intended gain for vendor or insider; firm exposed to risk of loss |
| account details changed before settlement | potential gain for fraudster; client or firm exposed to loss |
| employee hides reconciliation break | loss may already exist or be concealed from management |
| customer uses false identity to obtain services | dishonest access to services and potential credit, AML, or fraud loss |
| forged document used in onboarding | firm may be exposed to financial, regulatory, and reputational loss |
The exam trap is to wait for completed loss before escalating. If the facts show dishonest conduct and a realistic risk of loss, evidence preservation and containment may be required before the loss crystallizes.
Fraud controls should match the route of attack. Identity fraud needs verification and authentication. Payment fraud needs callback controls, account-change controls, transaction monitoring, and confirmation of beneficiary details. Procurement fraud needs vendor due diligence, invoice matching, segregation of duties, and conflict checks. Employee fraud needs access controls, monitoring, mandatory leave, reconciliations, whistleblowing, and independent review.
| Control area | What it prevents or detects |
|---|---|
| Segregation of duties | One person cannot initiate, approve, and reconcile the same activity. |
| Reconciliation | Differences between records, cash, positions, invoices, and client instructions are identified promptly. |
| Access management | Employees cannot use systems or data beyond their role. |
| Approval thresholds | Higher-risk payments, vendors, refunds, and account changes receive independent review. |
| Exception reporting | Overrides, urgent requests, failed authentication, and unusual patterns are escalated. |
| Evidence preservation | Logs, documents, communications, and audit trails are retained for investigation. |
The fraud route should drive the control choice. This is where CISI questions often separate a plausible answer from the best answer.
| If the route is… | Look for… | Stronger control answer |
|---|---|---|
| false representation | false document, misleading statement, spoofed instruction, false data entry | verify independently, pause reliance on the statement, preserve the original record |
| failure to disclose | hidden conflict, omitted beneficial owner, concealed relationship, missing declaration | challenge the duty to disclose, review declarations and approvals, escalate material omission |
| abuse of position | excessive access, override, one-person control, conflicted approval | restrict access, preserve logs, review segregation, investigate linked activity |
| articles for fraud | credential packs, templates, forged documents, tools, malware, stolen data | secure evidence, involve cyber or fraud specialists, assess linked exposure |
| dishonest services | service obtained through false identity or no intention to pay | review onboarding, payment assurance, credit controls, and suspicious activity indicators |
Avoid choosing the most familiar control automatically. Callback controls are strong for payment-instruction fraud, but they do not solve a procurement conflict if the real weakness is vendor approval and invoice matching. Access review is critical for insider abuse, but it does not replace customer verification when the issue is synthetic identity.
Fraud cases can be weakened by premature confrontation, informal file changes, missing logs, or poor record handling. In an exam scenario, a junior employee should not usually interview a suspected fraudster, delete suspicious records, amend documents to correct the file, or alert an employee who may destroy evidence. The better answer is controlled escalation.
| Evidence source | Why it matters |
|---|---|
| original documents and applications | shows what representation or omission was made |
| email, chat, and call records | shows instructions, pressure, timing, and possible collusion |
| system logs | shows who created, changed, approved, or deleted records |
| payment and account-change records | shows whether funds moved or exposure remains |
| vendor master-file history | shows supplier creation, bank changes, and approval path |
| reconciliation records | shows whether losses or breaks were hidden |
| access-rights records | shows whether the actor had excessive or inappropriate permissions |
| linked-account or linked-vendor data | shows whether the incident is isolated or part of a pattern |
The investigation discipline is simple: preserve, contain, escalate, and then investigate through the proper function. That may involve financial crime, compliance, legal, HR, information security, procurement, senior management, or law enforcement depending on the facts.
Fraud under the Act can be internal, external, or collusive. The classification matters because the evidence and controls differ.
| Fraud source | Typical facts | Control emphasis |
|---|---|---|
| external fraud | impostor, false customer, fake supplier, spoofed instruction, cyber actor | verification, authentication, external confirmation, monitoring, and customer protection |
| internal fraud | employee override, false adjustment, account misuse, expense fraud, procurement abuse | segregation, access review, surveillance, mandatory leave, whistleblowing, and HR escalation |
| collusive fraud | employee and supplier, customer and staff member, or multiple linked accounts | link analysis, conflict review, controlled investigation, and wider remediation |
Collusion is important because it can defeat single controls. A callback may fail if the callback contact has been compromised. An approval may fail if the approver is part of the scheme. Reconciliation may fail if the same person controls the records being reconciled. The answer should therefore consider whether independent controls are genuinely independent.
The stronger answer is rarely “continue processing and monitor later” when the facts show active fraud risk. A firm should pause or control the transaction where appropriate, escalate internally, preserve evidence, protect customers, assess whether other accounts or vendors are affected, and consider regulatory or law-enforcement reporting routes if required.
Use these exam cues:
| Cue in the question | Better interpretation |
|---|---|
| “urgent and confidential” | pressure tactic; do not bypass normal controls |
| “same employee approved and reconciled” | abuse-of-position and segregation risk |
| “no contract or purchase order” | false invoice or procurement fraud risk |
| “employee’s relative owns vendor” | conflict concealment and possible abuse of position |
| “documents look genuine but data conflicts” | false representation may still exist |
| “loss has not occurred yet” | risk of loss can still justify escalation |
| “suspected person asks to fix the file” | preserve records before any correction |
An operations employee can create new vendor records, approve invoices, and reconcile payment reports. A review finds payments to a new vendor with no contract and bank details linked to the employee’s relative. What is the strongest fraud-control response?
A. Treat the issue only as a minor procurement error because the vendor record exists.
B. Escalate suspected fraud, preserve records, review access and segregation-of-duties failures, and investigate the vendor payments.
C. Ask the employee to explain the payments before retaining system logs.
D. Continue payments while waiting for the next annual audit.
Answer: B. The facts point to possible abuse of position, procurement fraud, and weak segregation of duties. A sound response escalates, preserves evidence, investigates, and remediates control weaknesses.
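The abuse-of-position clues in the earlier table (one person creating the vendor, approving the invoice, and reconciling the payment; bank details changed shortly before an approval; no purchase order behind a payment) and the practice scenario above are the kind of pattern a firm would expect its monitoring to surface before a review finds it by chance. The following is an added example written for this guide, not code from CISI or from any firm's system: it runs four rules over a procure-to-pay event log and returns findings by vendor. The event log, the user names, the rule identifiers, and the list of employee-linked bank accounts are constructed assumptions; in a real firm the linked-account list would come from payroll and conflict declarations.

```python
"""Segregation-of-duties and vendor-payment anomaly checks over a procure-to-pay event log.

Added example for this guide (not code from CISI or from any firm's system). The
event log, the user names and the flagged-account list are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed procure-to-pay events: who did what to which vendor, and when.
EVENTS = [
    {"ts": "2024-03-01", "user": "jsmith", "action": "vendor_create", "vendor": "V-100", "bank": "20-40-60 11111111"},
    {"ts": "2024-03-03", "user": "jsmith", "action": "invoice_approve", "vendor": "V-100", "po_ref": None, "amount": 18400},
    {"ts": "2024-03-05", "user": "jsmith", "action": "payment_reconcile", "vendor": "V-100"},
    {"ts": "2024-02-10", "user": "ajones", "action": "vendor_create", "vendor": "V-200", "bank": "40-10-20 22222222"},
    {"ts": "2024-03-10", "user": "ajones", "action": "vendor_bank_change", "vendor": "V-200", "bank": "30-00-11 99999999"},
    {"ts": "2024-03-12", "user": "ajones", "action": "invoice_approve", "vendor": "V-200", "po_ref": "PO-8821", "amount": 9200},
    {"ts": "2024-03-14", "user": "rkhan", "action": "payment_reconcile", "vendor": "V-200"},
    {"ts": "2024-01-15", "user": "pli", "action": "vendor_create", "vendor": "V-300", "bank": "60-70-80 33333333"},
    {"ts": "2024-03-04", "user": "rkhan", "action": "invoice_approve", "vendor": "V-300", "po_ref": "PO-8790", "amount": 4100},
    {"ts": "2024-03-06", "user": "mgreen", "action": "payment_reconcile", "vendor": "V-300"},
]

# Constructed: bank accounts the firm already knows belong to employees or their
# declared connected persons (assumed to come from payroll and conflict declarations).
FLAGGED_ACCOUNTS = {"20-40-60 11111111": "declared connected person of jsmith"}


def _date(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def sod_conflicts(events: list[dict]) -> list[dict]:
    """SOD-1: one user created the vendor, approved an invoice and reconciled the payment."""
    users_by_action = defaultdict(lambda: defaultdict(set))
    for e in events:
        users_by_action[e["vendor"]][e["action"]].add(e["user"])
    out = []
    for vendor, acts in users_by_action.items():
        for user in sorted(acts["vendor_create"] & acts["invoice_approve"] & acts["payment_reconcile"]):
            out.append({"vendor": vendor, "rule": "SOD-1", "detail": f"{user} created, approved and reconciled"})
    return out


def bank_change_then_approval(events: list[dict], window_days: int = 7) -> list[dict]:
    """CHG-1: vendor bank details changed, then an invoice approved by the same user within the window."""
    out = []
    changes = [e for e in events if e["action"] == "vendor_bank_change"]
    approvals = [e for e in events if e["action"] == "invoice_approve"]
    for c in changes:
        for a in approvals:
            if a["vendor"] != c["vendor"] or a["user"] != c["user"]:
                continue
            gap = _date(a) - _date(c)
            if timedelta(0) <= gap <= timedelta(days=window_days):
                out.append({"vendor": c["vendor"], "rule": "CHG-1",
                            "detail": f"{c['user']} changed bank details then approved {a['amount']} {gap.days} days later"})
    return out


def missing_po(events: list[dict]) -> list[dict]:
    """PO-1: invoice approved with no purchase-order reference (no contract or PO behind the payment)."""
    return [{"vendor": e["vendor"], "rule": "PO-1", "detail": f"{e['user']} approved {e['amount']} with no PO"}
            for e in events if e["action"] == "invoice_approve" and not e.get("po_ref")]


def linked_accounts(events: list[dict], flagged: dict = FLAGGED_ACCOUNTS) -> list[dict]:
    """LNK-1: vendor bank account matches an employee-linked account."""
    out = []
    for e in events:
        if e["action"] in ("vendor_create", "vendor_bank_change") and e.get("bank") in flagged:
            out.append({"vendor": e["vendor"], "rule": "LNK-1", "detail": f"{e['bank']} is {flagged[e['bank']]}"})
    return out


def run_checks(events: list[dict] = EVENTS) -> list[dict]:
    """Run every rule and return findings sorted by vendor, so one escalation file can be opened per vendor."""
    findings = sod_conflicts(events) + bank_change_then_approval(events) + missing_po(events) + linked_accounts(events)
    return sorted(findings, key=lambda f: (f["vendor"], f["rule"]))


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f['vendor']} {f['rule']}: {f['detail']}")
```

On the constructed log, V-100 triggers three rules at once (single-person control, no purchase order, employee-linked account), which is the practice-question fact pattern, while V-200 shows the narrower bank-change-then-approval cue and V-300 is clean. The rules are deliberately separate functions: each maps to one control in the guide (segregation of duties, account-change controls, invoice matching, conflict checks), so a finding tells the reviewer which control failed, not only that something looks wrong.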
For revision, map fraud scenarios to both the Fraud Act route and the control that would have stopped or detected them. Use three columns: act, gain or loss, and control.
Example revision format:
| Scenario | Route | Control focus |
|---|---|---|
| false identity documents in onboarding | false representation | verification, document validation, and escalation |
| hidden employee relationship with supplier | failure to disclose and possible abuse of position | conflict declarations, procurement review, and investigation |
| staff member changes beneficiary details then approves payment | abuse of position and possible false representation | access review, segregation, callback, and evidence preservation |
| forged invoice template found on employee device | article for use in fraud | evidence preservation, cyber or HR escalation, and linked-payment review |
That habit converts broad fraud law into practical exam decision-making. The paper is testing whether you can move from legal concept to controlled response without losing the audit trail.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.