CISI Combating Financial Crime study guide for FATF and the risk-based approach, with learning objectives, UK control cues, and exam traps.
FATF and the risk-based approach belongs to the CISI Combating Financial Crime Money Laundering exam topic, weighted at 8%. Study this page as the bridge between international AML standards and practical firm controls. The exam may test whether you know what FATF does, what it does not do, why mutual evaluations matter, and how a risk-based approach changes customer due diligence, monitoring, escalation, and control depth.
| Concept | What to know for CISI CFC review |
|---|---|
| FATF | The Financial Action Task Force, the main international standard setter for AML, counter-terrorist financing, and proliferation-financing controls. |
| Recommendations | A framework covering national risk assessment, criminal offences, preventive measures, transparency, supervision, sanctions, and international cooperation. |
| Mutual evaluation | FATF and FATF-style bodies assess both technical compliance and effectiveness, influencing national reform and supervisory pressure. |
| High-risk jurisdictions | Jurisdictional concern is a risk factor that may require enhanced measures, but it does not replace customer-specific assessment. |
| Risk-based approach | Firms should identify, assess, understand, and mitigate risk using controls proportionate to customer, product, channel, geography, and transaction risk. |
| Enhanced due diligence | Stronger checks, senior approval, more frequent review, and tighter monitoring where risk is elevated or cannot be understood through standard controls. |
| Simplified due diligence | Reduced control intensity may be appropriate only where lower risk is evidenced and legal or regulatory conditions allow it. |
FATF is not a police force and does not supervise an individual UK investment firm directly. Its importance is that it shapes the international baseline that countries build into national law, regulation, guidance, and supervisory practice. CISI questions often use FATF to test whether you can separate standard setting from firm-level compliance.
FATF-style thinking is practical: countries should understand their financial-crime risks, maintain laws and authorities that can respond, supervise firms, require preventive measures, make beneficial ownership more transparent, and cooperate internationally. Firms then translate those expectations into customer due diligence, monitoring, escalation, training, governance, and record keeping.
The exam often tests role confusion. Use the following map before choosing an answer.
| Actor | Main role | What it does not do |
|---|---|---|
| FATF | sets international AML, CFT, and proliferation-financing standards; evaluates jurisdictions | does not receive a UK firm’s SAR and does not approve individual customers |
| FATF-style regional bodies | promote and assess standards in regional networks | do not replace domestic regulators |
| domestic government and legislature | implement laws, offences, powers, and national policy | do not perform daily firm-level monitoring |
| domestic regulator or supervisor | supervises regulated firms and tests compliance | does not investigate every predicate crime itself |
| FIU or equivalent body | receives and analyses suspicious activity reports | does not set FATF Recommendations |
| regulated firm | applies CDD, monitoring, escalation, records, and internal controls | does not conduct national mutual evaluations |
If an answer says the firm should “report to FATF” or wait for FATF to approve a customer, it is usually wrong. A firm applies domestic law and internal procedures influenced by FATF standards; it does not interact with FATF as its day-to-day supervisor.
The FATF Recommendations form a broad framework rather than a single customer checklist. They cover the national system, the private-sector control environment, transparency of ownership, supervision, sanctions, and cooperation.
| Recommendation theme | Exam meaning |
|---|---|
| risk assessment and policy coordination | countries and firms should understand the risks they face and coordinate responses |
| criminal offences and confiscation | laundering, terrorist financing, and proliferation financing should be addressed through law and asset measures |
| preventive measures | regulated firms should perform CDD, identify beneficial ownership, monitor activity, report suspicion, and keep records |
| transparency of legal persons and arrangements | authorities and firms should be able to understand ultimate ownership and control |
| supervision and sanctions | supervisors should assess firms and impose consequences for poor controls |
| international cooperation | countries should exchange information, assist investigations, and support cross-border enforcement |
| targeted financial sanctions | systems should support sanctions implementation for terrorism and proliferation financing |
For CISI CFC, the important move is translating the theme into a firm control. Beneficial-ownership transparency becomes customer due diligence and ownership verification. Supervision becomes policies, management information, training, assurance, and remediation. International cooperation becomes careful records and escalation where cross-border facts are relevant.
The risk-based approach is a disciplined way to allocate control effort. It does not mean doing less because the firm wants less friction. It means the firm can explain why a customer or activity is lower, standard, or higher risk and can show that the control depth matches that assessment.
| Risk factor | Lower-risk cue | Higher-risk cue | Likely control effect |
|---|---|---|---|
| Customer | transparent, regulated, simple ownership | PEP, nominee, cash-intensive, opaque ownership | enhanced CDD and more frequent review |
| Product | simple, low movement, limited features | complex, transferable, high liquidity, third-party funding | tighter monitoring and source-of-funds checks |
| Geography | well-supervised, transparent jurisdiction | weak AML controls, sanctions exposure, high corruption indicators | enhanced measures and senior review |
| Channel | face-to-face, verified source documents | non-face-to-face, intermediated, remote onboarding gaps | stronger verification and fraud controls |
| Transaction | matches expected profile | rapid movement, circularity, unusual third parties | investigation and possible MLRO escalation |
The risk-based approach requires two kinds of discipline. First, higher risk must lead to deeper evidence, stronger approvals, closer monitoring, or a decision not to proceed. Second, lower-risk treatment must be justified by evidence and legal conditions, not convenience. Simplified due diligence is not a shortcut when ownership, purpose, or source of funds remains unclear.
Controls should become stronger as uncertainty, opacity, speed, value movement, or jurisdictional concern increases.
| Control area | Standard approach | Enhanced approach |
|---|---|---|
| identity and verification | verify customer identity using reliable information | obtain additional evidence, use independent checks, and resolve inconsistencies |
| beneficial ownership | identify and verify ownership and control to the required standard | look through complex structures and require senior review where opacity remains |
| source of funds | understand the funds used for the transaction or relationship | obtain documentary evidence and test consistency with wealth, business, or activity |
| source of wealth | understand how overall wealth was generated when relevant | collect stronger evidence for PEPs, high-risk wealth, adverse media, or complex structures |
| approval | normal onboarding approval | senior management or specialist financial-crime approval with documented rationale |
| monitoring | monitor against expected activity | tighter thresholds, more frequent review, tailored scenarios, and event-driven review |
| review cycle | periodic review according to risk | more frequent and deeper review with refreshed evidence |
| exit or restriction | continue if risk is understood and lawful | restrict activity or exit if risk cannot be understood, mitigated, or lawfully maintained |
The exam may ask for the “best” response after a new risk factor appears. The answer is often not immediate exit. It may be enhanced due diligence, senior escalation, monitoring changes, or restriction pending review. Exit becomes more likely when the risk cannot be understood, evidence is unreliable, activity is unlawful, sanctions apply, or suspicion cannot be managed within the firm’s risk appetite.
FATF mutual evaluations matter because they assess whether a country’s framework exists on paper and whether it works in practice. A country can have laws but still perform weakly if supervision, enforcement, beneficial-ownership transparency, suspicious-reporting quality, asset recovery, or international cooperation is ineffective.
Technical compliance asks whether the required laws, rules, and institutions exist. Effectiveness asks whether the system produces the intended results. CISI questions may use this distinction to test whether you understand that a formal legal framework is not enough if firms are not supervised, ownership is not transparent, or suspicious activity is not acted on.
| Evaluation idea | Exam significance |
|---|---|
| technical compliance | the legal and institutional framework exists |
| effectiveness | the framework works in practice and produces financial-crime outcomes |
| mutual evaluation report | highlights strengths, weaknesses, ratings, and recommended actions |
| follow-up process | jurisdictions may be expected to remediate deficiencies |
| market perception | banks, investors, correspondent parties, and firms may reassess exposure |
| supervisory focus | domestic supervisors may increase attention on weak areas after findings |
In an exam question, a FATF concern about a jurisdiction is usually an input into risk assessment, not the whole answer. The firm should consider the country, customer, product, transaction, channel, beneficial ownership, and purpose of the relationship together.
FATF public statements and monitoring processes can identify jurisdictions with strategic deficiencies or heightened concern. These labels influence how firms and supervisors think about geography risk, but they should not be used mechanically.
| Jurisdiction cue | Better firm response |
|---|---|
| high-risk call for action | apply required enhanced measures, assess legality, and consider restrictions or exit where appropriate |
| increased monitoring | treat as a heightened geography risk factor and review customer-specific exposure |
| not currently listed | do not assume every customer from the jurisdiction is automatically low risk |
| weak beneficial-ownership transparency | strengthen ownership and control checks |
| sanctions overlap | apply sanctions screening and legal restrictions separately from AML risk scoring |
| corruption or tax-secrecy concerns | consider source-of-wealth, bribery, tax-evasion, and adverse-media exposure |
A customer in a generally lower-risk jurisdiction can still present high risk, and a customer connected to a higher-risk jurisdiction may need enhanced controls rather than automatic rejection if the relationship is lawful and can be understood. The risk-based answer depends on the full facts.
Country risk is important because legal systems, supervision, corruption exposure, sanctions risk, conflict, terrorism-financing activity, secrecy, and cooperation quality vary. But jurisdiction labels do not replace the firm’s assessment.
| Weak answer | Stronger answer |
|---|---|
| “The country is not listed, so the customer is low risk.” | “The country label is relevant, but customer ownership, product use, funding, channel, and behaviour still need assessment.” |
| “The country is high risk, so every relationship is illegal.” | “High-risk country exposure may require enhanced measures or restrictions, depending on legal requirements and the facts.” |
| “FATF will decide whether the customer can be onboarded.” | “The firm must apply domestic rules, internal risk appetite, CDD, escalation, and records.” |
| “Transaction monitoring can solve all country risk.” | “Monitoring helps, but onboarding evidence, ownership, screening, and approval are also needed.” |
| “A policy score is enough.” | “The firm needs documented rationale and evidence supporting the score and control decision.” |
This distinction is high-yield because exam stems often include one reassuring fact and several risk facts. The reassuring fact may be that the jurisdiction is not prohibited, the product is familiar, or the customer was introduced by a known intermediary. Do not let that single fact override opaque ownership, third-party funding, adverse media, unusual activity, or sanctions proximity.
FATF-style regional bodies help extend consistent standards beyond FATF membership. They participate in mutual evaluations, typology work, technical assistance, and regional cooperation. For exam purposes, their role is to support the same standard-setting and evaluation ecosystem. They do not turn a private firm into an international regulator, and they do not replace the firm’s domestic legal obligations.
The practical implication is consistency. Criminals exploit uneven controls across jurisdictions. Regional bodies help reduce gaps by encouraging countries to implement and test comparable AML, CFT, and proliferation-financing frameworks.
A risk-based approach is only defensible if the firm can show its reasoning. A high-risk customer file should show what the risk factors were, what evidence was obtained, who approved the decision, what conditions were imposed, how monitoring was adjusted, and when the relationship will be reviewed. A lower-risk file should also show why reduced intensity is justified.
| Documentation area | Why it matters |
|---|---|
| risk-rating rationale | explains why the firm classified the customer or activity as lower, standard, or higher risk |
| CDD and EDD evidence | shows the facts used to understand identity, ownership, wealth, funds, purpose, and expected activity |
| approvals | shows that the right level of authority accepted or rejected the risk |
| monitoring profile | links expected activity to alert thresholds or review triggers |
| exception handling | shows why gaps were accepted, remediated, or escalated |
| periodic and event-driven reviews | shows that the risk view changed when facts changed |
| management information | lets senior management see patterns, backlogs, overrides, and control pressure |
The exam may include a policy that looks good but is not evidenced. A firm that records “risk-based approach applied” without explaining the evidence and control decision is not applying the approach in a defensible way.
| Scenario cue | Best answer direction |
|---|---|
| customer from non-listed country has opaque ownership | do not rely only on jurisdiction label; perform beneficial-ownership and source checks |
| customer from higher-risk jurisdiction has clear ownership and lawful purpose | consider enhanced measures rather than automatic rejection if permitted |
| policy applies simplified due diligence to all regulated firms | check whether the customer, product, geography, and transaction facts still support lower risk |
| mutual evaluation identifies weak supervision in a country | treat as geography-risk input and review affected exposure |
| firm reduces onboarding checks to speed growth | risk-based approach is being misused as a convenience argument |
| high-risk customer is approved verbally | require documented rationale, senior approval, conditions, and monitoring |
| alert thresholds are identical for every customer | control depth may not reflect risk profile |
The best answer normally uses proportionate escalation. If the risk is unclear, gather more evidence and escalate. If the risk is understood but elevated, apply enhanced controls and approvals. If the risk is unlawful, prohibited, or cannot be mitigated within appetite, restrict or exit.
A firm’s AML policy says customers from a particular jurisdiction are always low risk because the country is not subject to a current FATF high-risk call. A new customer from that country is a private investment vehicle with unclear beneficial owners and funding from multiple third parties. What is the best criticism of the policy?
A. It wrongly treats the absence of a FATF high-risk designation as a complete risk assessment.
B. It should reject all customers from countries that have not been reviewed by FATF in the current year.
C. It should rely only on transaction monitoring after onboarding.
D. It should report the customer directly to FATF.
Answer: A. FATF jurisdiction status is relevant, but the risk-based approach requires customer, ownership, product, funding, transaction, and channel risks to be assessed together. The unclear ownership and third-party funding may require enhanced due diligence and escalation.
For final review, write FATF in one line: international standard setter, not firm supervisor. Then write risk-based approach in one line: identify, assess, understand, and mitigate risk with evidence-backed control depth.
Use this sequence for scenario questions: