CISI Combating Financial Crime study guide for reporting obligations, with learning objectives, UK control cues, and exam traps.
Reporting obligations belongs to the CISI Combating Financial Crime The Role of the Financial Services Sector exam topic, weighted at 7%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Internal report | A staff escalation to the nominated officer, MLRO, compliance, sanctions, fraud, or other control function when suspicion or a reportable concern arises. |
| External report | A report to the relevant external authority when legal or regulatory criteria are met. |
| MLRO or nominated officer | The control role responsible for reviewing internal reports, assessing suspicion, deciding on external reporting, and maintaining evidence. |
| Tipping off | Improper disclosure that may alert a customer or other person and prejudice an investigation. |
| Documentation | The evidence that shows what was known, when it was escalated, who reviewed it, and why a decision was made. |
Reporting obligations start with internal escalation. Staff do not need to prove a crime before escalating; they need to recognize facts that may amount to suspicion or a reportable financial-crime concern. The MLRO or nominated officer then reviews the facts, seeks additional information where appropriate, decides whether external reporting is required, and controls next steps.
The exam often tests sequence. A front-office employee should not quietly resolve the issue with the customer, ignore the alert, or make an external report independently if the firm’s procedure requires internal escalation. The stronger answer preserves evidence and routes the concern to the right control function quickly.
Reporting is also evidence-sensitive. The firm should capture what was known at the time, who knew it, what documents or alerts supported the concern, whether any transaction was pending, and how customer communication was handled. A later reviewer should be able to reconstruct the decision without relying on staff memory.
| Step | What happens | Common exam trap |
|---|---|---|
| red flag appears | staff identify unusual activity, adverse media, sanctions proximity, fraud clue, or other concern | waiting until criminality is proved |
| internal escalation | concern is routed through the firm’s procedure | relationship manager handles it informally |
| evidence preservation | alerts, documents, communications, and transaction status are saved | key facts are left in chat or memory |
| MLRO or control review | facts are assessed and further information is requested where appropriate | MLRO review is treated as clerical approval |
| external decision | report, no report, consent-style request, or further monitoring is decided | no rationale is recorded |
| transaction handling | activity is paused, rejected, allowed, or restricted based on the legal and control position | business-as-usual processing continues automatically |
| post-decision control | no tipping off, monitoring, records, and follow-up are maintained | customer is told about suspicion or reporting |
| Stage | What should happen |
|---|---|
| Suspicious fact identified | Staff record the concern and escalate through the firm’s procedure. |
| Initial internal review | Control function confirms facts, preserves evidence, and assesses immediate risk. |
| MLRO or nominated-officer assessment | Decide whether suspicion exists and whether external reporting or consent handling is needed. |
| Transaction handling | Pause, continue, reject, freeze, or seek authority depending on the risk and legal framework. |
| Post-report management | Avoid tipping off, monitor further activity, and keep records of decisions and communications. |
Internal reporting is triggered by suspicion or a reportable concern, not by courtroom-level certainty. Staff should escalate when facts are unusual, inconsistent, or connected to financial-crime indicators.
| Red flag | Why it may need reporting review |
|---|---|
| unexplained third-party payments | may indicate layering, mule activity, or hidden beneficial ownership |
| adverse media tied to fraud or corruption | may affect source of funds, source of wealth, and relationship risk |
| activity inconsistent with customer profile | may show CDD is stale or the relationship purpose is false |
| sanctions proximity or ownership concern | may require urgent sanctions and reporting analysis |
| customer avoids source-of-funds questions | may indicate concealment or tipping-off sensitivity |
| false documents or inconsistent identity evidence | may indicate fraud, impersonation, or laundering risk |
| sudden urgency to move funds | may indicate dissipation risk or response to investigation pressure |
The MLRO or nominated officer does not merely rubber-stamp staff concerns. The role is to assess the facts, decide whether suspicion exists, determine whether external reporting or consent handling is required, and preserve a defensible decision record.
| MLRO question | Why it matters |
|---|---|
| What exactly is suspicious? | distinguishes vague discomfort from reportable facts |
| What evidence supports or weakens suspicion? | prevents overstatement and under-escalation |
| Is any transaction pending? | links reporting to transaction-handling and consent-style issues |
| Who else is connected? | captures counterparties, beneficial owners, introducers, and controllers |
| What can be said to the customer? | manages tipping-off and investigation prejudice |
| What records must be retained? | supports later audit, regulator, or law-enforcement review |
Tipping-off risk appears when staff tell a customer or third party that a report has been made, that a suspicion exists, or that an investigation is underway. The exam may use seemingly helpful behaviour as a trap: contacting the customer to “clarify” after an internal suspicion can be wrong if it alerts the person and prejudices an investigation.
Good reporting controls separate information gathering from uncontrolled disclosure. Staff should follow approved scripts, escalate before contacting the customer where the risk is sensitive, and avoid sharing internal suspicions outside authorized channels.
| Proposed communication | Better response |
|---|---|
| “We are considering a suspicious activity report.” | do not disclose suspicion or reporting activity |
| “Your payment is delayed because compliance is investigating you.” | use approved wording and escalate difficult conversations |
| “Can you explain this transaction?” after suspicion is live | check with the control function before further contact |
| “We have reported you to the authorities.” | avoid tipping off and prejudicing investigation |
| customer threatens complaint or legal action | preserve records, use approved channels, and do not bypass controls |
| staff discuss suspicion in a broad team chat | limit information to authorized people with a need to know |
A defensible internal report should include the customer or transaction details, the red flags, dates, documents reviewed, staff observations, known connected parties, transaction status, immediate risk, and any steps already taken. It should not overstate facts, speculate as if proven, or omit inconvenient evidence.
| Weak report | Stronger report |
|---|---|
| “Customer seems suspicious.” | Specific facts, dates, transaction values, counterparties, and why behaviour is unusual. |
| No evidence attached | Relevant documents, alerts, communications, and account history preserved. |
| Customer contacted without control review | Escalation before further contact where tipping-off risk exists. |
| Decision not recorded | MLRO or control-function rationale documented. |
| Report element | Why it matters |
|---|---|
| customer and account identifiers | links concern to the correct relationship |
| beneficial owners and connected parties | identifies controllers, counterparties, and related risk |
| transaction details | shows dates, values, currencies, accounts, and payment routes |
| red flags | explains why the matter is unusual or suspicious |
| documents and alerts reviewed | supports the factual basis for the decision |
| customer explanations | records what was said without relying on memory |
| pending activity | highlights consent-style or transaction-hold issues |
| staff actions already taken | shows whether evidence was preserved and whether communication risk exists |
| decision rationale | supports why an external report was or was not made |
Reporting decisions often overlap with transaction handling. If funds are pending, a firm may need to pause, reject, restrict, freeze, seek consent-style protection, or proceed only after controlled review. The correct answer depends on the facts and legal framework, but the wrong answer is usually to process automatically while saying a report can be considered later.
| Transaction status | Better control question |
|---|---|
| payment not yet released | should it be held pending MLRO or sanctions review? |
| redemption requested | does converting value involve suspected criminal property? |
| account closure requested | would returning funds create the same risk as transferring them? |
| customer asks for explanation | what can be said without tipping off? |
| suspicious funds already moved | what reporting, monitoring, and record preservation are required now? |
| repeated attempts to move funds | does urgency strengthen suspicion or require escalation? |
| Fact pattern | Better exam response |
|---|---|
| staff have adverse media plus unusual payments | escalate internally and preserve evidence; proof is not required |
| relationship manager wants to ask about a possible SAR | avoid tipping off and use the firm’s reporting procedure |
| MLRO decides no external report is needed | record rationale and continue monitoring where appropriate |
| transaction is pending when suspicion arises | pause routine processing and assess consent-style or transaction-handling risk |
| staff make an external report directly | route through the MLRO or nominated officer unless procedure says otherwise |
| customer asks why account activity is restricted | use approved wording and avoid confirming suspicion |
| evidence is scattered across emails and chats | centralize and preserve records for defensible reporting |
A relationship manager notices unusual payments and adverse media suggesting possible money laundering. Before escalating, the manager wants to call the customer and say the firm is considering a suspicious activity report. What is the best response?
A. Call the customer because transparency always overrides reporting controls. B. Escalate internally through the firm’s financial-crime procedure and avoid disclosures that could tip off or prejudice an investigation. C. Ignore the concern unless the manager can prove the funds are criminal. D. Post about the issue in a team chat so colleagues can decide informally.
Answer: B. Staff should escalate suspicions internally, preserve evidence, and avoid communications that may tip off the customer or prejudice an investigation.
For final review, use this sequence: suspicion, internal report, MLRO assessment, external reporting decision, transaction handling, no tipping off, record keeping. Most exam traps break that sequence.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.