CISI Combating Financial Crime study guide for record-keeping obligations, with learning objectives, UK control cues, and exam traps.
Record-keeping obligations is part of the CISI Combating Financial Crime exam topic "The Role of the Financial Services Sector", which is weighted at 7%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Record keeping | Maintaining reliable evidence of customer identity, risk assessment, controls, alerts, reviews, decisions, training, and remediation. |
| Reconstruction | The ability to show what happened, what the firm knew, who decided, and why the decision was defensible. |
| Audit trail | System and documentary evidence that supports review by compliance, internal audit, regulators, or law enforcement. |
| Data integrity | Records must be accurate, complete, accessible, protected, and retained in line with requirements. |
| Defensible decision | A decision supported by facts, rationale, approval, timing, and evidence rather than undocumented judgment. |
Financial-crime controls are only as defensible as the records behind them. A firm may have performed CDD, screened a payment, escalated an alert, or reviewed a suspicious transaction, but if it cannot reconstruct the decision, the control may look ineffective. CISI questions often turn on this gap: the firm may have done something, but the evidence is missing, inconsistent, or not retained.
Good records support investigations, regulatory responses, customer reviews, audit testing, SAR decisions, sanctions alert handling, training evidence, and remediation. They also protect the firm when a decision was reasonable at the time even if later facts changed.
The exam usually treats record keeping as a control, not clerical storage. A record should show the decision trail: what facts were known, which checks were performed, who reviewed them, what rationale was used, when the decision was made, whether escalation occurred, and what follow-up was required.
| Record function | What it helps prove |
|---|---|
| customer understanding | identity, ownership, purpose, expected activity, and risk profile |
| control operation | screening, monitoring, alert review, escalation, and approval actually happened |
| decision rationale | why a firm accepted, rejected, escalated, or reported a matter |
| timing | whether the firm acted promptly or allowed avoidable delay |
| accountability | who owned the review, approval, escalation, or remediation |
| investigation support | later reviewers can reconstruct transactions, communications, and evidence |
| regulatory response | the firm can answer questions accurately and consistently |
| remediation proof | weaknesses were fixed, retested, and closed with evidence |
| Record type | Why it matters |
|---|---|
| CDD and EDD material | Shows how the firm identified and understood the customer, beneficial owners, purpose, and risk. |
| Screening results | Shows alert generation, review, false-positive logic, and escalation. |
| Transaction-monitoring alerts | Shows unusual activity, investigation steps, and decision rationale. |
| Internal reports and MLRO decisions | Shows suspicion handling, reporting rationale, and timing. |
| Consent or DAML-related records | Shows proposed activity, facts, request, outcome, and conditions. |
| Training and attestations | Shows staff were informed of obligations and escalation routes. |
| Audit and remediation evidence | Shows whether weaknesses were identified, fixed, and retested. |
| Process | Strong record should include |
|---|---|
| onboarding | identity evidence, ownership/control, risk rating, purpose, expected activity, and approvals |
| EDD | trigger, additional evidence, senior approval, source-of-funds/source-of-wealth rationale, and review frequency |
| sanctions screening | data checked, match logic, reviewer rationale, escalation, false-positive reasoning, and timestamps |
| transaction monitoring | alert trigger, facts reviewed, customer profile comparison, investigation steps, and closure rationale |
| internal reporting | red flags, staff observations, documents attached, escalation time, and recipient |
| MLRO or nominated-officer review | suspicion assessment, external-report decision, consent handling, and no-tipping-off controls |
| consent or DAML process | proposed activity, risk facts, request, outcome, conditions, and transaction handling |
| training | audience, content, date, completion, testing, and follow-up for failures |
| remediation | root cause, owner, deadline, action taken, evidence, and retesting result |
A defensible record does not need to be long, but it must be specific. It should allow a second reviewer to understand the same decision without relying on memory.
| Weak note | Stronger note |
|---|---|
| “OK to proceed.” | Identifiers checked, no match on date reviewed, rationale recorded, reviewer and approver named. |
| “Customer explained.” | Explanation summarized, evidence attached, inconsistency assessed, and follow-up documented. |
| “Not suspicious.” | Red flags considered, profile compared, reason for no suspicion recorded, and reviewer identified. |
| “EDD complete.” | EDD trigger, documents obtained, senior approval, risk decision, and review date recorded. |
| “Training done.” | Staff group, content, completion, test result, and remediation for non-completion recorded. |
Weak records are often worse than short records. A concise, accurate record can be defensible; a vague, contradictory, or backfilled record can create new risk. Red flags include missing timestamps, unclear ownership, unexplained alert closures, undocumented overrides, inconsistent customer data, missing beneficial-owner evidence, and decisions recorded only in informal chat.
The exam may ask what a firm should improve after a control failure. A strong answer includes evidence retention and decision documentation, not just better policies or staff reminders.
| Signal | Why it is a control problem |
|---|---|
| no timestamp | timing of detection, escalation, or approval cannot be proven |
| no named reviewer | accountability for the decision is unclear |
| generic closure note | rationale cannot be tested by compliance, audit, or regulators |
| missing attachments | decision may rely on evidence that cannot be inspected later |
| inconsistent customer data | screening and monitoring may have used unreliable inputs |
| overwritten records | original decision trail may be lost |
| informal chat-only approval | records may be incomplete, hard to retrieve, or outside retention controls |
| backfilled rationale | creates integrity and candour concerns |
| missing retesting evidence | remediation may be only a promise, not a proved fix |
Records must also be retrievable. A firm that stores evidence across personal inboxes, spreadsheets, local drives, and chat threads may struggle to respond to a regulator or law-enforcement request even if the information technically exists. Good record keeping includes ownership, retention period, access controls, version control, and a clear link between the record and the financial-crime decision it supports.
For CISI CFC, treat record quality as part of governance. If the firm cannot find the evidence quickly, explain the decision, or show who approved it, the control is weaker than it looks.
| Control | Why it matters |
|---|---|
| defined record owner | someone is responsible for completeness and maintenance |
| retention schedule | records are kept long enough and not deleted casually |
| searchable storage | evidence can be retrieved for audit, regulator, or law-enforcement review |
| access controls | sensitive information is protected and changes are controlled |
| version history | reviewers can see what changed and when |
| audit logs | system activity, approvals, and overrides can be reconstructed |
| migration controls | records are not lost when systems or vendors change |
| data-quality checks | source records remain accurate enough for screening and monitoring |
When suspicious activity, sanctions exposure, fraud, or market abuse is later investigated, records become the evidence trail. They show whether the firm escalated promptly, avoided tipping off, preserved relevant material, and made a reasoned decision.
| Investigation question | Record needed |
|---|---|
| Who was the customer or beneficial owner? | CDD, EDD, ownership, and screening records |
| Why was activity considered normal or unusual? | expected-activity profile and monitoring notes |
| Who reviewed the alert? | reviewer identity, timestamp, workflow, and approval record |
| Why was a report made or not made? | internal report, MLRO rationale, and external-report decision |
| Was the customer warned? | communication records and approved scripts |
| Were controls fixed after failure? | remediation action, owner, deadline, and retesting evidence |
| Fact pattern | Better exam response |
|---|---|
| sanctions alert cleared with no rationale | reconstructing the decision is impossible; improve screening records and review controls |
| CDD evidence stored in personal inboxes | centralize records with retention, access control, and retrieval capability |
| transaction alert closed from memory | require evidence, profile comparison, and documented rationale |
| system migration loses case notes | treat as record-keeping and audit-trail failure requiring remediation |
| MLRO decision not recorded | document suspicion assessment, reporting rationale, and timing |
| audit finding closed without proof | require remediation evidence and retesting before closure |
| customer data differs between systems | fix data quality because screening and monitoring may be unreliable |
A regulator asks why a sanctions alert was cleared. The firm says an analyst reviewed it, but there is no saved evidence of identifiers checked, rationale, second review, or timestamped approval. What is the main weakness?
A. The alert was automatically harmless because an analyst looked at it.
B. The firm cannot reconstruct and evidence the decision, so the control is not defensible.
C. Record keeping matters only for customer onboarding, not screening.
D. The firm should recreate the rationale from memory and backdate it.
Answer: B. Financial-crime records must show what was reviewed, who decided, when, and why. Without that evidence, the firm cannot demonstrate that the control operated effectively.
For final review, connect each financial-crime process to its evidence: onboarding has CDD records; monitoring has alert records; reporting has MLRO records; sanctions has screening records; training has attendance and content records; remediation has closure and retesting records.