CISI Combating Financial Crime study guide for best-practice guidance and control expectations, with learning objectives, UK control cues, and exam traps.
Best-practice guidance and control expectations belongs to the CISI Combating Financial Crime exam topic "The Background and Nature of Financial Crime", which is weighted at 5%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Risk-based approach | Controls should match the assessed financial-crime risk rather than applying identical effort to every relationship. |
| Industry guidance | Practical material, such as guidance in the style of the JMLSG (Joint Money Laundering Steering Group), helps firms translate legal duties into operating procedures. |
| Control framework | The combined set of governance, policies, procedures, systems, training, monitoring, reporting, records, and assurance. |
| Proportionality | Lower-risk cases may justify simpler measures; higher-risk cases require stronger evidence and oversight. |
| Continuous improvement | Controls must evolve as products, customers, channels, technology, and typologies change. |
Best practice is not a gold-plated checklist. In CFC, it means a firm can show that its controls are risk-based, proportionate, documented, monitored, challenged, and improved. The question is not only whether a policy exists, but whether it works in the actual business model.
Industry guidance helps firms interpret legal and regulatory expectations. It can shape customer due diligence, enhanced due diligence, suspicious-activity reporting, reliance, record keeping, and training. A firm still needs to apply judgment to its own products, geographies, customers, delivery channels, and threats.
The exam often tests the difference between a formal control and an effective control. A formal control appears in a policy or procedure. An effective control has an owner, a trigger, a workflow, evidence, quality review, management information, escalation, and remediation. Strong answers usually move from stated intention to operating proof.
| Component | What exam answers should look for |
|---|---|
| Governance | Senior ownership, risk appetite, management information, and accountability. |
| Risk assessment | Customer, product, geography, transaction, channel, and delivery-risk analysis. |
| Policies and procedures | Practical instructions that staff can apply, not generic statements. |
| CDD and EDD | Risk-based identification, verification, ownership, purpose, and source checks. |
| Monitoring and screening | Transaction monitoring, sanctions screening, alert workflow, and tuning. |
| Escalation and reporting | Clear internal routes, MLRO review, external reporting decisions, and no tipping off. |
| Training and culture | Role-specific training, escalation safety, and consequence management. |
| Assurance | Compliance monitoring, audit testing, remediation, and retesting. |
Best-practice guidance is not a substitute for law or regulation, but it helps firms turn broad obligations into workable procedures. In UK-focused questions, JMLSG-style guidance is especially important because it shows how firms can apply customer due diligence, enhanced due diligence, beneficial-ownership checks, reliance, monitoring, and reporting expectations in a proportionate way.
| Source or influence | What it contributes | Exam trap |
|---|---|---|
| Legislation and regulations | legal duties, offences, and minimum obligations | treating guidance as if it can override the law |
| FCA rules and expectations | regulated-firm conduct, systems, controls, and senior accountability | naming the FCA without explaining the control failure |
| JMLSG-style guidance | practical AML/CFT procedures and risk-based application | applying it mechanically without firm-specific risk assessment |
| National risk assessments | threat patterns, sectors, products, and vulnerabilities | ignoring external typologies when business risk changes |
| Sanctions and law-enforcement alerts | emerging names, tactics, jurisdictions, and evasion methods | updating lists without changing workflow or staff awareness |
| Internal incidents and assurance findings | control failures, near misses, and remediation priorities | treating audit findings as paperwork rather than control evidence |
The risk-based approach starts with the firm’s business model. A retail investment platform, private bank, crypto-exposed firm, correspondent-banking service, and trade-finance desk do not need identical controls. The same principle applies inside a firm: lower-risk customers may need standard checks, while politically exposed persons, complex offshore structures, higher-risk jurisdictions, unusual source of wealth, or high-risk delivery channels require deeper evidence and senior review.
| Risk driver | Control implication |
|---|---|
| Customer type | adjust CDD depth, beneficial-ownership checks, PEP screening, and ongoing review frequency |
| Geography | consider sanctions, corruption, terrorism-financing, tax-evasion, and weak-supervision risks |
| Product | consider anonymity, liquidity, transferability, leverage, and ease of value movement |
| Delivery channel | remote onboarding and non-face-to-face activity need stronger identity and fraud controls |
| Transaction pattern | monitoring rules should detect activity inconsistent with profile, purpose, or expected use |
| Intermediary or introducer | reliance and third-party controls need due diligence, agreements, and oversight |
| Technology change | new systems should be tested before launch and monitored after launch |
Risk-based does not mean optional. It means the firm can explain why controls are lighter in one case and stronger in another, and can evidence that the explanation is reasonable.
When the stem asks whether a framework is adequate, look for proof that controls actually run. Evidence can be more important than a long policy.
| Evidence type | What it demonstrates |
|---|---|
| completed CDD files | identity, ownership, purpose, and risk-rating steps were performed |
| EDD approvals | high-risk relationships received senior or specialist review |
| transaction-monitoring alert logs | alerts were generated, investigated, closed, escalated, or tuned with reasons |
| sanctions-screening records | list updates, matching logic, false-positive handling, and escalation routes operated |
| SAR or internal-report records | suspicion was escalated to the MLRO and handled without tipping off |
| training records and testing | staff received relevant training and understood escalation triggers |
| management information | senior management saw risk themes, overdue items, and control weaknesses |
| assurance reports | compliance, audit, or independent testing challenged the framework |
| remediation tracking | weaknesses were fixed, owned, timed, and retested |
Best practice requires visible ownership. A firm should be able to identify who owns financial-crime risk, who approves high-risk cases, who reviews suspicious activity, who receives management information, and who ensures remediation is completed. A vague statement that “compliance handles it” is weak because financial-crime controls depend on the first line, compliance, senior management, operations, technology, and audit working together.
| Role or group | Expected contribution |
|---|---|
| Front office or operations | identify unusual customer behaviour and follow escalation procedures |
| Compliance and financial-crime team | design standards, advise the business, monitor controls, and review escalations |
| MLRO or nominated officer | assess suspicion, external reporting obligations, consent (defence against money laundering, DAML) requests, and tipping-off risk |
| Senior management | set risk appetite, allocate resources, challenge MI, and own weaknesses |
| Technology and data teams | maintain screening, monitoring, workflow, data quality, and access controls |
| Internal audit or assurance | independently test whether controls work as intended |
Use this pattern for scenario questions:

1. Classify the financial-crime risk the stem describes (for example money laundering, sanctions exposure, fraud, or a high-risk customer or channel).
2. Identify which control, authority, or obligation is actually weak or missing, and who owns it.
3. Choose the proportionate next step: a control change, an escalation, or a reporting decision.
4. Check what evidence would prove the chosen step operated, not just that it was written down.

This order prevents the common mistake of choosing a control that sounds strict but does not address the actual weakness.
A recurring exam trap is to treat a policy as proof of compliance. Best practice asks whether controls operate. Are alerts reviewed on time? Are high-risk customers approved at the right level? Are sanctions lists updated? Are staff trained for their role? Are findings remediated? Is management information used? Are decisions evidenced?
| Weak answer | Stronger answer |
|---|---|
| “The firm should have a policy.” | Assign owner, operate procedure, test effectiveness, and evidence decisions. |
| “Train staff annually.” | Provide role-specific training and test whether staff escalate correctly. |
| “Monitor transactions.” | Calibrate scenarios, review alerts, document decisions, and tune rules. |
| “Use guidance.” | Apply guidance proportionately to the firm’s actual risk profile. |
| Fact pattern | Stronger control response |
|---|---|
| new remote onboarding product launched without risk assessment | update product/channel risk assessment, test identity controls, train staff, and monitor early exceptions |
| sanctions lists updated but screening rules unchanged | confirm list ingestion, matching logic, alert workflow, and escalation evidence |
| high-risk customers approved by junior staff | require senior approval, EDD evidence, and quality review |
| transaction alerts closed with generic notes | improve investigation standards, require rationale, and test closure quality |
| audit finds repeated overdue CDD reviews | assign ownership, remediate files, report MI, and retest completion |
| staff do not escalate suspicious behaviour | refresh role-specific training and test whether escalation channels are understood |
| risk assessment does not cover new jurisdictions | update geographic risk assessment and adjust CDD, EDD, and monitoring rules |
A firm has a written AML policy but has not updated its risk assessment after launching instant payments and remote onboarding. Alerts are reviewed late and high-risk customers receive the same checks as low-risk customers. What is the strongest conclusion?
A. The written policy alone demonstrates best practice.
B. The framework is weak because controls are not updated, risk-based, monitored, or evidenced effectively.
C. Best practice applies only to regulators, not firms.
D. Remote onboarding removes the need for CDD.
Answer: B. Best practice requires operating effectiveness, proportionality, governance, monitoring, and adaptation to changing products and risks.
For final review, use the phrase “policy plus proof.” A firm needs written standards and evidence that those standards are applied, challenged, improved, and understood by staff.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.