CISI Combating Financial Crime study guide for background and risk characteristics, with learning objectives, UK control cues, and exam traps.
Background and risk characteristics belongs to the CISI Combating Financial Crime Terrorist Financing exam topic, weighted at 4%. Study it as the concept foundation for the terrorist-financing chapter. The exam often tests whether you can stop thinking only about large criminal proceeds and instead focus on purpose, destination, beneficiary, network, connected parties, and the harm that even small payments can support.
| Concept | What to know for CISI CFC review |
|---|---|
| Terrorist financing | Providing, collecting, moving, or making funds available where there is a terrorist purpose or terrorist connection. The funds may be clean, criminal, or mixed. |
| Predicate-source trap | Money laundering normally starts with criminal proceeds. Terrorist financing can start with legitimate donations, business income, or family support that is diverted to terrorist use. |
| Low-value risk | A small transfer can be material if it supports travel, equipment, communications, logistics, propaganda, or a designated person. |
| Channel risk | Charities, non-profit organizations, informal value transfer, prepaid products, cash couriers, cryptoasset services, and trade flows can be misused when controls are weak. |
| Context over size | Geography, counterparties, purpose, adverse media, ownership links, and customer behaviour may matter more than transaction amount. |
| Connected-party risk | The direct customer may appear low risk while the controller, beneficiary, local partner, signatory, trustee, or counterparty creates the concern. |
The exam commonly tests the difference between hiding proceeds and enabling harm. In a conventional laundering question, the starting point is usually criminal property: the customer is trying to place, layer, integrate, disguise, or enjoy proceeds. In a terrorist-financing question, the starting point may be lawful money, but the destination, beneficiary, control person, geography, or stated purpose makes the risk unacceptable.
That distinction changes the answer. Do not look only for large unexplained wealth. A modest series of transfers to a higher-risk area, donations routed through opaque intermediaries, unusual urgency, or a link to a designated individual can be more important than the absolute value of the payment.
| Issue | Money laundering emphasis | Terrorist-financing emphasis |
|---|---|---|
| starting point | criminal proceeds or suspected criminal property | lawful, unlawful, or mixed funds |
| main question | where did the money come from and how is it disguised? | where is the money going and what will it support? |
| value | may involve large proceeds or structured activity | may involve small repeated amounts |
| harm | legitimising or enjoying criminal property | supporting terrorist activity, networks, travel, propaganda, or logistics |
| key evidence | source of funds, source of wealth, layering, beneficial ownership | destination, purpose, beneficiary, route, connected parties, adverse information |
| controls | CDD, monitoring, suspicion escalation, records | CDD, sanctions screening, connected-party review, CFT escalation, records |
AML and CFT controls overlap because both require customer understanding, monitoring, escalation, and record keeping. The judgment differs because CFT may be destination-led or purpose-led rather than proceeds-led.
One of the most important exam traps is assuming that clean-source money cannot fund terrorism. A salary, legitimate business income, donations, or family support may still be used for terrorist purposes. The firm should not clear a concern solely because the source appears lawful.
| Lawful-source example | Why CFT risk may still arise |
|---|---|
| wages or salary | funds may be sent repeatedly to a concerning beneficiary or location |
| community donations | collections may be diverted from stated humanitarian purpose |
| business income | legitimate revenue may be used to support a prohibited network |
| family support | stated personal support may hide travel, logistics, or equipment funding |
| charity fundraising | end-use, governance, and local partner controls may be weak |
| investment proceeds | liquid assets can be moved quickly to unclear recipients |
The better exam answer asks whether the purpose, beneficiary, route, and connected parties make sense. It does not stop at source-of-funds evidence.
Terrorist financing can involve modest amounts because the immediate objective may be logistics rather than profit. Funds may support travel, documents, communications, accommodation, equipment, online activity, recruitment, propaganda, or small operational expenses.
| Low-value pattern | Why it matters |
|---|---|
| repeated small payments to one corridor | cumulative pattern may show support route |
| small donations to changing overseas partners | end-use and beneficiary may be unclear |
| many senders to one recipient | pooled support may be hidden across individual transfers |
| small payments followed by cash withdrawals | funds may be passed onward outside traceable systems |
| low-value cryptoasset transfers | value can move quickly through hard-to-identify wallets |
| prepaid or stored-value use | portability can matter more than transaction size |
The exam may include a statement such as “the amounts are too small to matter.” That is a cue to reject value-only reasoning. Size is a factor, but purpose, pattern, and destination can override it.
| Risk characteristic | Why it matters |
|---|---|
| Legitimate-source funds | Customer wealth or donation history does not eliminate the need to test purpose and destination. |
| Small repeated transfers | Repetition, routing, and beneficiary pattern can create a stronger alert than a single large payment. |
| Charitable or humanitarian narrative | Genuine charitable activity exists, so the control question is evidence, governance, and end-use assurance, not automatic suspicion. |
| Cross-border exposure | Jurisdiction, conflict zone, sanctions exposure, weak supervision, or correspondent-bank route can raise the risk profile. |
| Connected-party opacity | Unclear beneficial ownership, trustees, controllers, signatories, or intermediaries can hide the real destination of funds. |
| Urgency and secrecy | Pressure to bypass checks, reluctance to explain purpose, or resistance to documentation can support escalation. |
| Adverse information | Media, public notices, or typology alerts can make a weak fact pattern more serious. |
| Unusual purpose | Payment purpose does not fit the customer, charity mandate, product, or documented relationship. |
The strongest answer usually combines indicators. One weak signal may require inquiry; several weak signals can require enhanced review, escalation, and a decision not to process until the issue is resolved.
CFT typologies overlap with AML typologies but the exam emphasis is different. The risk is not only that proceeds are disguised; it is that funds, value, or services reach a terrorist actor or supporting network.
| Channel | CFT risk cue | Control response |
|---|---|---|
| bank transfers | destination, beneficiary, purpose, or frequency is inconsistent | review purpose, screen parties, and escalate unresolved concern |
| correspondent or payment routes | payment passes through higher-risk corridors | assess route, intermediary, and sanctions/CFT exposure |
| money-service or remittance-style channels | value moves quickly across borders | test sender, recipient, purpose, and pattern |
| charities and NPOs | local partner, beneficiary, or end use is unclear | review governance, project evidence, and screening results |
| cash couriers | funds move outside normal account transparency | assess source, destination, and law-enforcement indicators |
| prepaid or stored-value products | portability and anonymity may be higher | strengthen monitoring and customer understanding |
| cryptoasset services | wallet ownership, counterparties, and destination may be unclear | assess blockchain, sanctions, and customer-risk evidence where available |
| trade flows | invoices, goods, values, or counterparties do not fit | review trade documentation and possible diversion risk |
The firm should avoid a channel-only conclusion. Charities, remittances, trade, and digital transfers are legitimate in many cases. The exam asks whether the facts show enough risk to require stronger evidence or escalation.
Charities and non-profit organizations deserve careful analysis. They may operate in conflict zones or high-risk areas because that is where relief is needed. That legitimate role does not remove the risk of diversion, abuse of local partners, pressure from armed groups, or weak end-use evidence.
| Review area | What the firm should understand |
|---|---|
| governance | who controls the charity and approves payments |
| purpose | what project, relief effort, or beneficiary is being funded |
| local partner | who receives, distributes, or implements activity on the ground |
| payment route | why this bank, corridor, intermediary, or method is used |
| end-use evidence | invoices, project reports, beneficiary records, or credible activity evidence |
| screening | names of trustees, controllers, signatories, partners, and beneficiaries where relevant |
| adverse media | whether information is credible, current, and connected to the transaction |
The stronger response is evidence-sensitive. Do not assume a charity is suspicious merely because of sector type. Do not process automatically because the stated purpose is humanitarian. Ask what evidence supports the purpose and whether unresolved CFT or sanctions concerns remain.
Geography matters because terrorist groups, conflict zones, sanctions exposure, weak supervision, corruption, and fragile banking systems can increase CFT risk. Geography alone is not proof. It is a risk driver that changes the level of evidence and monitoring required.
| Geographic cue | Exam implication |
|---|---|
| conflict-affected destination | stronger review of beneficiary, purpose, and end use |
| high-risk jurisdiction identified by external body | update risk assessment and consider EDD |
| payment corridor inconsistent with customer profile | review rationale and transaction history |
| sanctioned territory or listed group nearby | sanctions and CFT analysis may overlap |
| correspondent route through weak controls | assess intermediary and payment-message information |
| rapid change in destination pattern | review whether customer purpose has changed |
When geography, unclear beneficiaries, weak records, and urgency combine, the answer should usually escalate rather than process routinely.
CFT analysis often requires network thinking. The direct customer may be only one part of the risk picture. The relevant concern may sit with the controller, signatory, donor, beneficiary, local partner, intermediary, recipient, or related account.
| Connected party | Why it matters |
|---|---|
| beneficial owner or controller | may be linked to a designated or high-risk network |
| trustee or signatory | may control the movement of funds |
| overseas partner | may receive or distribute funds on the ground |
| beneficiary | may be the real recipient of value |
| donor or fundraiser | may be collecting for a hidden purpose |
| intermediary bank or payment service | may create route or sanctions exposure |
| related account | may reveal pooling, splitting, or onward movement |
The exam may reward the answer that says “screen and review relevant connected parties,” not only “screen the customer.”
Start with classification. If the facts point to terrorist financing, the answer should not drift into generic fraud or ordinary money-laundering language. Then decide what the firm can do immediately: gather missing information, apply enhanced due diligence, screen relevant names, review connected parties, stop or delay activity where required, escalate internally, and preserve records.
The strongest response usually combines controls. For example, a payment by a charity to a supplier in a higher-risk region may require purpose evidence, beneficiary understanding, screening of controllers and counterparties, adverse-media review, and MLRO escalation if suspicion remains. A blanket refusal without analysis may be weak; so is processing the payment because the amount is small.
| Step | Practical action |
|---|---|
| classify | decide whether the issue is CFT, sanctions, AML, fraud, or combined risk |
| evidence | collect purpose, beneficiary, route, ownership, and communication records |
| screen | check customer, owners, controllers, signatories, beneficiaries, and counterparties where relevant |
| assess | compare activity with customer profile, geography, and expected purpose |
| pause where needed | do not release funds while a serious unresolved CFT or sanctions issue remains |
| escalate | route to financial crime, sanctions, MLRO, legal, or senior management as appropriate |
| record | preserve rationale, evidence reviewed, decisions, and next steps |
| Fact pattern clue | Better exam response |
|---|---|
| Small transfers to a higher-risk area | Do not dismiss by value; assess destination, purpose, frequency, and connected parties. |
| Charity account with weak end-use evidence | Seek evidence of governance, beneficiaries, project purpose, and payment route. |
| Customer linked to adverse media or designated names | Escalate quickly, screen all relevant names, and consider sanctions or reporting obligations. |
| Transaction purpose is vague or inconsistent | Do not process routinely; obtain explanation and evidence, then escalate if unresolved. |
| Staff believe the payment is harmless because funds came from wages | Remember that lawful-source funds can still finance terrorism. |
| Payment is urgent and customer resists questions | Treat urgency and reluctance as behavioural risk indicators. |
A small charity customer asks a firm to send several modest payments to a new overseas partner in a region associated with terrorist activity. The charity says the funds are for relief work but cannot explain the end beneficiary or provide project records. Which response is most consistent with a sound CFT control approach?
A. Process the payments because terrorist financing usually involves large criminal proceeds. B. Decline all charity customers in higher-risk regions without further review. C. Treat the amount as the main risk factor and process the payments if each one is below the firm’s normal monitoring threshold. D. Obtain purpose and beneficiary evidence, screen relevant parties, apply enhanced scrutiny, and escalate if the concern remains unresolved.
Answer: D. Terrorist-financing risk often depends on purpose, destination, connected parties, and end-use evidence rather than transaction size alone. The firm should not assume wrongdoing, but it should not process blindly when the facts create unresolved CFT concern.
For revision, build a two-column distinction between money laundering and terrorist financing. Put “criminal proceeds” under laundering, “lawful or unlawful funds” under terrorist financing, and then list the facts that make a small payment high risk: destination, beneficiary, purpose, ownership, adverse media, urgency, and missing evidence.
Use this quick distinction:
| If the facts show… | Think first about… |
|---|---|
| lawful-source funds | still test destination, purpose, and beneficiary |
| small repeated transfers | pattern and route may matter more than value |
| charity or humanitarian explanation | evidence-sensitive review, not automatic clearance |
| high-risk destination | EDD and connected-party review |
| possible designated or conflict-linked party | sanctions/CFT escalation before release |
| vague beneficiary or project records | unresolved end-use risk |
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.