CISI Combating Financial Crime study guide for specific responsibilities and governance roles, with learning objectives, UK control cues, and exam traps.
Specific responsibilities and governance roles sits within the CISI Combating Financial Crime exam topic "The Role of the Financial Services Sector", which is weighted at 7%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Board and senior management | Accountable for effective systems and controls, risk appetite, resources, oversight, and remediation. |
| MLRO or nominated officer | Reviews internal reports, assesses suspicion, controls external reporting decisions, and maintains reporting records. |
| First-line owners | Business and operations teams that operate onboarding, monitoring, payments, screening, and customer controls. |
| Compliance or financial-crime team | Sets standards, advises, monitors, tests, challenges, and escalates weaknesses. |
| Internal audit | Provides independent assurance over whether controls and remediation work. |
Senior management can delegate tasks but not accountability for the framework. A payment operations team may run screening, compliance may tune the rules, and an analyst may review alerts, but senior management remains responsible for ensuring the firm has effective systems, resources, governance, escalation, and oversight.
The exam often uses unclear ownership as a trap. If nobody owns sanctions list updates, transaction-monitoring tuning, onboarding standards, or suspicious-activity escalation, the firm has a governance gap even if each team assumes another team is responsible.
The strongest answers separate three ideas: who owns the risk, who performs the task, and who tests whether the task works. If all three are blurred, the firm may have a paper framework but no reliable control ownership.
| Governance layer | Main question | Common failure |
|---|---|---|
| accountable owner | who is ultimately responsible for the framework or control outcome? | senior management assumes a vendor, analyst, or MLRO owns everything |
| operational owner | who performs the day-to-day task? | staff operate controls without clear procedures or escalation routes |
| policy or standard owner | who defines what good looks like? | policy exists but does not match actual workflow |
| control challenger | who monitors, tests, and challenges weakness? | compliance findings are ignored or not escalated |
| independent assurance | who independently tests the framework? | audit findings are closed without evidence or retesting |
| Role | Main financial-crime responsibility |
|---|---|
| Board or senior management | Set risk appetite, approve framework, allocate resources, review MI, and ensure remediation. |
| MLRO or nominated officer | Handle internal reports, suspicion assessment, external reporting, consent-related decisions, and reporting records. |
| Business heads | Ensure controls operate in customer and transaction processes. |
| Compliance or financial-crime control | Build standards, advise, monitor, challenge, and escalate control weaknesses. |
| Operations | Execute screening, payments controls, record keeping, and exception handling. |
| Technology and data teams | Maintain systems, data feeds, access controls, and model or rule governance. |
| Internal audit | Independently test the control environment and remediation quality. |
| Role | Should do | Should not be treated as |
|---|---|---|
| Board or senior management | approve risk appetite, allocate resources, review MI, and require remediation | a passive recipient of compliance updates |
| MLRO or nominated officer | assess internal reports, suspicion, external reports, consent issues, and reporting records | the owner of every screening, onboarding, and monitoring process |
| First line | operate customer, product, payment, and transaction controls | a sales-only function with no financial-crime responsibility |
| Compliance or financial-crime team | set standards, advise, monitor, challenge, and escalate | a substitute for first-line ownership |
| Operations | run workflow, evidence, queue management, and exception handling | a mechanical processor that can ignore risk context |
| Technology and data | maintain systems, feeds, access, logs, and model/rule change controls | a purely IT function detached from financial-crime outcomes |
| Internal audit | test whether controls and remediation work | the team responsible for fixing the weakness it finds |
| Control area | Primary owner usually needs to be clear for… | Governance evidence |
|---|---|---|
| onboarding standards | CDD, EDD, approvals, risk rating, and acceptance criteria | procedure, file testing, exception logs, and senior approvals |
| sanctions screening | list feeds, matching rules, alert review, escalation, and reporting | rule ownership, data checks, alert rationale, and tuning evidence |
| transaction monitoring | scenarios, thresholds, data feeds, alert review, and model changes | tuning rationale, validation, closure testing, and MI |
| suspicious-activity reporting | internal escalation, MLRO assessment, external-report decision, and records | report logs, rationale, timing, and no-tipping-off controls |
| vendor or outsourced control | due diligence, service levels, incident escalation, and testing | contract controls, performance MI, assurance, and issue logs |
| remediation | root cause, owner, milestone, closure evidence, and retesting | action tracker, senior MI, independent validation, and overdue escalation |
| training | audience, content, completion, effectiveness, and follow-up | role map, test results, completion MI, and breach analysis |
| Fact pattern | Governance concern |
|---|---|
| Alert rules not reviewed because vendor owns the system | Outsourcing or vendor use does not remove firm accountability. |
| Business opens high-risk customers before EDD is complete | First-line ownership and approval controls are weak. |
| MLRO receives late or incomplete internal reports | Escalation routes and staff training are ineffective. |
| Audit findings stay open for months | Senior oversight and remediation governance are weak. |
| Screening, CDD, and monitoring teams use inconsistent customer data | Data ownership and control integration are unclear. |
The MLRO or nominated officer is central to suspicious-activity reporting, but that role should not be used as a catch-all answer. The MLRO may assess suspicion and external reporting, while other teams still own onboarding quality, sanctions data, transaction-monitoring rules, payment workflow, training, and remediation.
| Scenario | Better role analysis |
|---|---|
| late internal suspicious-activity reports | training and escalation routes may be weak, not just MLRO workload |
| incomplete CDD file | first-line and onboarding governance issue before it becomes an MLRO issue |
| unclear sanctions rule tuning | sanctions, compliance, technology, data, and senior oversight issue |
| external report decision undocumented | MLRO or nominated-officer record-keeping weakness |
| staff warn a customer after escalation | no-tipping-off training and communication controls are weak |
| suspicious activity continues after report | post-report monitoring and transaction-handling governance are needed |
Governance roles need reliable management information. Senior management cannot oversee financial-crime risk if reports omit overdue EDD, repeat alert overrides, stale CDD, sanctions false-positive trends, suspicious-activity escalation delays, or open audit actions. Good MI should show risk, control performance, breaches, remediation, and whether deadlines are being met.
Escalation routes should also be clear. Staff need to know whether a matter goes to the MLRO, sanctions team, fraud team, compliance, legal, senior management, or a regulator-facing process. Unclear routing can turn a manageable red flag into a governance failure.
| MI item | What it helps senior management see |
|---|---|
| overdue CDD or EDD reviews | customer-risk knowledge may be stale |
| alert volumes and closure quality | monitoring may be under- or over-generating work |
| sanctions false positives and true matches | screening quality, data quality, and escalation discipline |
| internal report timing | whether staff escalate suspicion promptly |
| repeated overrides | whether culture or incentives are weakening controls |
| open audit or compliance actions | whether weaknesses are being fixed on time |
| vendor incidents | whether outsourced controls are reliable |
| training failures | whether staff understand obligations and escalation routes |
| high-risk customer approvals | whether risk appetite is being followed |
| Issue | Likely route |
|---|---|
| suspected money laundering | internal report to MLRO or nominated officer through the firm’s procedure |
| potential sanctions match | sanctions team, legal/compliance, and transaction hold process |
| fraud involving customer account access | fraud operations, compliance, legal, and possibly MLRO depending on facts |
| market-abuse concern | surveillance or compliance escalation, evidence preservation, and regulator-facing assessment |
| customer complaint about blocked payment | customer-handling route plus sanctions/AML confidentiality controls |
| data-feed failure in screening tool | technology, data owner, compliance, and senior incident governance |
| overdue remediation | accountable owner, senior management, and assurance escalation |
| Fact pattern | Better exam response |
|---|---|
| everyone assumes another team owns list updates | define ownership, oversight, testing, and escalation |
| vendor operates a screening tool but data quality is poor | firm remains accountable for data and vendor oversight |
| MLRO is blamed for late front-office reports | examine staff training, escalation routes, and first-line ownership |
| senior MI reports green status despite overdue findings | MI quality and governance challenge are weak |
| compliance identifies a gap but business refuses change | escalate unresolved challenge and assign senior accountability |
| audit closes an issue without retesting | assurance and remediation governance are weak |
| technology changes monitoring thresholds without approval | model/rule governance and change control are weak |
A firm uses a vendor for sanctions screening. The vendor updates lists, operations clears alerts, compliance writes the policy, and no one owns rule tuning or data-quality testing. A breach occurs after a list update fails. What is the strongest governance conclusion?
A. The vendor alone is accountable, so the firm has no governance issue.
B. The MLRO is automatically responsible for every operational task.
C. The firm has unclear ownership and insufficient oversight of outsourced and operational controls.
D. Screening does not require governance if the software is automated.
Answer: C. Outsourcing and automation do not remove firm accountability. The firm needs clear ownership for list updates, rules, data quality, alert review, testing, escalation, and remediation.
For final review, separate “who is accountable” from “who performs the task.” Senior managers own the framework; first line operates controls; compliance challenges and monitors; MLRO controls reporting; audit provides assurance.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.