CISI Combating Financial Crime study guide for compliance and culture, with learning objectives, UK control cues, and exam traps.
Compliance and culture belongs to the CISI Combating Financial Crime exam topic "The Role of the Financial Services Sector", weighted at 7%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Compliance function | Designs, advises on, monitors, challenges, tests, and improves financial-crime controls. |
| Culture | The practical behaviour of the firm: what leaders reward, what staff escalate, and how control breaches are handled. |
| First line | Business and operations teams that own risks in day-to-day customer, transaction, and product activity. |
| Second line | Compliance and financial-crime control teams that set standards, advise, monitor, and challenge. |
| Consequence management | The use of remediation, escalation, discipline, and incentives to make policy real. |
Compliance cannot be the only part of the firm that owns financial-crime risk. Relationship managers, operations staff, payment teams, product owners, technology teams, senior managers, and control functions all create or control risk. The exam often tests this by describing a business team that ignores alerts because “compliance will catch it later.” That is weak governance.
A sound framework embeds financial-crime controls into customer onboarding, payment processing, product design, vendor selection, digital channels, trade activity, sanctions screening, and suspicious-activity escalation. Compliance should challenge and monitor those controls, but the business must operate them.
In exam terms, compliance is a control function, not a magic repair function. If the first line opens a high-risk customer with incomplete EDD, releases payments before alerts are cleared, or designs a product without assessing financial-crime risk, the answer is not simply “send it to compliance.” The stronger answer assigns ownership, stops or escalates the unsafe step, documents the issue, and fixes the process that allowed the bypass.
| Function | What it should do | What it should not be used for |
|---|---|---|
| First line business and operations | own day-to-day customer, product, payment, onboarding, and transaction risk | outsource judgment to compliance after controls have already been bypassed |
| Compliance or financial-crime second line | set standards, advise, monitor, challenge, test, and escalate weaknesses | personally operate every alert, file, or payment control |
| MLRO or nominated officer | assess internal suspicion reports and control external reporting decisions | become the default owner for every financial-crime process |
| Senior management | set risk appetite, resources, incentives, MI review, and remediation expectations | treat culture as a poster or policy statement |
| Internal audit or assurance | independently test whether controls and remediation work | replace management ownership of weaknesses |

| Business process | Culture-positive control behaviour | Culture-negative control behaviour |
|---|---|---|
| customer onboarding | high-risk files wait for complete EDD and approval | revenue pressure leads to opening before ownership is understood |
| payment processing | unusual or sanctioned-party matches are escalated before release | staff clear alerts with generic notes to meet service targets |
| product launch | financial-crime risk assessment is completed before launch | controls are added only after suspicious activity appears |
| vendor use | firm tests data quality, rules, and escalation handoffs | management assumes the vendor owns all risk |
| relationship management | staff document source-of-wealth concerns and escalate early | staff avoid difficult questions to protect a relationship |
| remediation | owners, deadlines, root cause, and retesting are tracked | audit findings are closed because a policy was rewritten |

| Culture signal | What it tells you |
|---|---|
| Leaders override alerts for revenue | Tone from the top is undermining controls. |
| Staff escalate early without fear | Speak-up culture supports detection and prevention. |
| Training is role-specific | Staff understand the red flags they actually face. |
| Repeat breaches have no consequence | Policies may exist but behaviour is not changing. |
| Compliance challenge is ignored | Second-line oversight lacks authority or senior backing. |
| Good decisions are documented | The firm can show how judgment was applied. |
Culture is observable. Strong CISI answers rely on evidence rather than slogans.
| Evidence | What it can show |
|---|---|
| override logs | whether exceptions are rare, justified, approved, and reviewed |
| alert closure quality | whether staff investigate or merely clear workflow queues |
| escalation rates and outcomes | whether staff feel safe escalating and whether escalation is useful |
| training records and test results | whether training is role-specific and understood |
| disciplinary or consequence records | whether control breaches have real consequences |
| remuneration and sales incentives | whether revenue is rewarded even when controls are bypassed |
| management information | whether leaders see overdue items, breaches, trends, and remediation progress |
| whistleblowing or speak-up data | whether issues can be raised without retaliation |
| audit and compliance findings | whether challenge identifies root causes and tracks fixes |
Tone from the top matters, but culture is also shaped by middle managers and team leads. Senior leaders may approve strong policies, while middle managers still signal that alerts are a nuisance, CDD delays are unacceptable, or suspicious activity should not disrupt a valuable customer. The exam may test this gap by showing formal policy strength and practical behaviour weakness in the same stem.
| Level | Good signal | Bad signal |
|---|---|---|
| Board or senior management | asks for MI, resources remediation, and supports control decisions | praises revenue while ignoring repeated breaches |
| Middle management | protects staff who escalate and enforces procedures | pressures teams to clear queues without evidence |
| Front line | asks difficult customer questions and records concerns | treats red flags as compliance paperwork |
| Compliance leadership | challenges weak controls and escalates unresolved issues | accepts vague business explanations without evidence |
Compliance should test whether controls work in practice. That can include file reviews, alert-quality testing, thematic reviews, sanctions-alert sampling, transaction-monitoring tuning, training completion checks, root-cause analysis, and management-information review. If monitoring identifies a problem, the firm should assign an owner, fix the root cause, and retest.
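As an added example, not from the CISI guide, of the alert-closure and override evidence listed in the evidence table and the monitoring tests described above, the following Python scores constructed alert-closure records: it flags generic rationales, counts business overrides, and names the analysts whose closures a compliance sample should cover. The record fields, the generic-phrase list and the thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Stock phrases that clear a workflow queue without showing what was checked (constructed list).
GENERIC_RATIONALES = {"ok", "cleared", "fine", "reviewed", "no issue", "false positive"}


@dataclass
class AlertClosure:
    alert_id: str
    analyst: str
    rationale: str
    override_approved_by: Optional[str] = None  # set when the payment was released before the alert was cleared


def is_generic(rationale: str, min_words: int = 6) -> bool:
    """A closure note is generic if it is a stock phrase or too short to evidence an investigation."""
    text = rationale.strip().lower().rstrip(".")
    return text in GENERIC_RATIONALES or len(text.split()) < min_words


def review_closures(closures: list[AlertClosure]) -> tuple[dict, list[str]]:
    """Per-analyst counts of closures, generic rationales and business overrides, plus flagged alert ids."""
    per_analyst: dict[str, dict[str, int]] = {}
    flagged: list[str] = []
    for c in closures:
        stats = per_analyst.setdefault(c.analyst, {"total": 0, "generic": 0, "overrides": 0})
        stats["total"] += 1
        if is_generic(c.rationale):
            stats["generic"] += 1
            flagged.append(c.alert_id)
        if c.override_approved_by:
            stats["overrides"] += 1
    return per_analyst, flagged


def analysts_to_sample(per_analyst: dict, max_generic_share: float = 0.5) -> list[str]:
    """Analysts whose generic-closure share exceeds tolerance, or who closed any overridden alert."""
    return sorted(a for a, s in per_analyst.items()
                  if s["generic"] / s["total"] > max_generic_share or s["overrides"] > 0)


# Constructed sample records; not real alert data.
SAMPLE = [
    AlertClosure("A1", "pay-ops-1", "Name match is a different entity: date of birth and nationality differ from the list entry; evidence attached."),
    AlertClosure("A2", "pay-ops-1", "ok"),
    AlertClosure("A3", "pay-ops-2", "cleared", override_approved_by="sales-manager"),
    AlertClosure("A4", "pay-ops-2", "Cleared.", override_approved_by="sales-manager"),
    AlertClosure("A5", "pay-ops-2", "Counterparty confirmed against the onboarding file and the payment matches the customer's expected trade pattern."),
]

if __name__ == "__main__":
    stats, flagged = review_closures(SAMPLE)
    print(stats, flagged, analysts_to_sample(stats))
```

The flagged ids and the per-analyst override counts are the kind of management information the page says leaders should see; an analyst whose closures are mostly generic and repeatedly overridden is a sampling target, not proof of wrongdoing.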
For CISI CFC, the strongest answer often selects a control improvement rather than a slogan. “Improve culture” is too vague unless it is tied to leadership action, escalation safety, training, monitoring, governance, and consequences.
| Finding | Weak response | Stronger response |
|---|---|---|
| CDD files missing beneficial-owner evidence | remind staff to be careful | assign owner, fix files, train affected teams, review root cause, and retest |
| alerts closed with generic comments | accept the closure rate as efficient | sample closures, improve investigation standards, and challenge poor rationales |
| high-risk customers approved by junior staff | update the policy wording only | enforce approval limits and review existing high-risk relationships |
| sanctions false positives are excessive | switch off or weaken screening | tune rules with documented risk rationale and quality assurance |
| staff do not escalate suspicion | repeat annual training | test escalation channels, protect staff, and review management pressure |
| audit findings stay open | extend deadlines repeatedly | escalate overdue remediation to senior management and track closure evidence |
Use this pattern when the question shows weak behaviour despite written policies:
This sequence prevents the vague answer “improve culture” from replacing a real control fix.
Culture becomes exam-relevant when it changes a decision. A firm with a sound culture will delay revenue to resolve a sanctions alert, reject incomplete CDD for a high-risk customer, support staff who escalate suspicion, and discipline repeated control bypasses. A weak culture does the opposite: it treats controls as obstacles, rewards exceptions, and leaves compliance challenge unsupported.
| Fact pattern | What the exam is probably testing |
|---|---|
| sales manager pressures staff to release blocked payments | incentives and tone undermine sanctions or monitoring controls |
| compliance raises repeated findings but no one acts | weak senior backing and remediation governance |
| policy is strong but staff are not trained for their role | formal design without operating effectiveness |
| alerts are closed quickly with no rationale | efficiency metric is overriding investigation quality |
| staff fear retaliation for reporting suspicion | speak-up culture and escalation safety are weak |
| vendor tool is trusted without testing | automation is being used as a substitute for oversight |
| repeated breaches have no consequences | policy is not changing behaviour |
A sales team repeatedly asks operations to release payments before sanctions alerts are reviewed. Managers praise the team for retaining revenue, and compliance challenge is ignored. What is the strongest diagnosis?
A. A strong compliance culture because the firm has a policy document.
B. A culture and governance weakness: business incentives and senior behaviour are undermining financial-crime controls.
C. A technology issue only, because sanctions alerts are automated.
D. No issue unless a regulator has already imposed a penalty.
Answer: B. Culture is shown by behaviour. If revenue pressure overrides alerts and compliance challenge is ignored, the firm has a governance and culture problem even if formal policies exist.
For final review, connect culture to evidence: escalation rates, override logs, training quality, management information, disciplinary outcomes, audit findings, challenge records, and remediation closure. Culture questions are usually about what the firm does, not what it says.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.