Premium Practice Questions
Question 1 of 30
1. Question
System analysis indicates that a UK-based wealth management firm is onboarding a new high-net-worth client from a jurisdiction identified by the Financial Action Task Force (FATF) as having strategic AML/CFT deficiencies. The relationship manager is urging the compliance team to expedite the process, citing the client’s significant potential business. However, initial checks reveal inconsistencies between the client’s stated source of wealth and publicly available information. From the perspective of the firm’s Money Laundering Reporting Officer (MLRO), what is the most critical reason for insisting on comprehensive and enhanced Know Your Customer (KYC) procedures in this scenario?
Correct
The correct answer is this approach. Under the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), firms are legally obligated to apply a risk-based approach to preventing financial crime. The primary purpose of Know Your Customer (KYC) and Customer Due Diligence (CDD) is to understand the client, their business, and their source of wealth to accurately assess the money laundering and terrorist financing (ML/TF) risk they pose. In this scenario, the client presents several high-risk indicators (high-risk jurisdiction, inconsistencies in SoW), mandating Enhanced Due Diligence (EDD) under Regulation 33 of the MLRs. The MLRO’s overriding responsibility, guided by the Financial Conduct Authority (FCA) and Joint Money Laundering Steering Group (JMLSG) guidance, is to protect the firm from being used as a conduit for illicit funds. The other options are incorrect as they represent secondary business objectives (marketing, relationship building) or confuse AML regulations with data protection rules enforced by a different body (the ICO).
Question 2 of 30
2. Question
Operational review demonstrates that a UK-based wealth management firm is assessing its handling of Politically Exposed Persons (PEPs) to ensure compliance with the UK Money Laundering Regulations 2017. The review highlights four recent client scenarios. Which of the following scenarios represents the correct application of the UK’s regulatory requirements for PEPs?
Correct
Under the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), firms must apply Enhanced Due Diligence (EDD) to Politically Exposed Persons (PEPs), their family members, and known close associates. The correct answer demonstrates the proper application of the risk-based approach for a PEP who has left office. Regulation 35 of the MLRs 2017 states that a firm must continue to apply EDD for at least 12 months after a PEP leaves their prominent public function. After this period, the firm must conduct a risk assessment to determine if that person still poses a higher risk of money laundering or terrorist financing. Only when the firm is satisfied that the individual no longer poses such a risk can EDD measures be ceased. The correct option shows the firm correctly performing this risk assessment after the 12-month period and, based on the high-risk finding, appropriately continuing with EDD. The other options are incorrect: domestic PEPs (like a UK judge) require EDD; family members (like the spouse of an MP) are also considered PEPs and require EDD in their own right; and automatically ceasing EDD after exactly 12 months without a specific risk assessment is a direct breach of the MLRs 2017.
Question 3 of 30
3. Question
System analysis indicates that a UK-based corporate client, a newly established import/export company, is displaying several alerts. The company’s business involves importing high-value goods from a supplier in a jurisdiction known for high levels of corruption. A compliance analyst is required to review the alerts and determine which presents the most compelling evidence of potential financial crime. Which of the following findings represents the strongest single indicator of trade-based money laundering?
Correct
This question assesses the ability to differentiate between various potential red flags and identify the most critical indicator of trade-based money laundering (TBML). The correct answer is the scenario describing grossly over-valued goods. This is a classic TBML technique known as over-invoicing, used to move value and legitimise illicit funds by disguising them as payments for goods. The significant discrepancy between the invoiced price (£800) and the market value (£100) is a powerful indicator of value manipulation. The payment to an unrelated third party further obscures the money trail, strengthening the suspicion. Under UK regulations, specifically the Proceeds of Crime Act 2002 (POCA), a firm has an obligation to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) if it knows or suspects money laundering. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) mandate ongoing monitoring of business relationships to identify unusual or suspicious transactions. Guidance from the Joint Money Laundering Steering Group (JMLSG) provides practical help in recognising such red flags. The other options, while potentially noteworthy, are weaker indicators. Using different logistics partners could have commercial reasons, a gradual increase in turnover is expected for a new business, and while a PEP requires Enhanced Due Diligence (EDD), their involvement alone is not an automatic indicator of criminal activity, especially if they are from a low-risk jurisdiction.
Question 4 of 30
4. Question
Performance analysis shows that a junior analyst at a UK-based, FCA-regulated investment firm failed to escalate a client transaction that had multiple red flags for money laundering. The firm’s Nominated Officer was therefore unaware of the activity and did not submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). Under which primary piece of UK legislation has the junior analyst committed a potential criminal offence for this failure to report their suspicion?
Correct
The correct answer is the Proceeds of Crime Act 2002 (POCA). For the purposes of the UK CISI Combating Financial Crime exam, it is crucial to understand that POCA is the primary piece of UK legislation that criminalises money laundering and creates the key reporting obligations. Specifically, Section 330 of POCA establishes the offence of ‘failure to disclose’ for individuals working in the regulated sector. This offence occurs if a person knows, suspects, or has reasonable grounds for knowing or suspecting that another person is engaged in money laundering, and fails to make a disclosure (a Suspicious Activity Report or SAR) to the firm’s Nominated Officer (or directly to the National Crime Agency) as soon as is practicable. The Money Laundering Regulations 2017 set out the broader administrative framework for firms, including requirements for customer due diligence, policies, and controls, but the specific criminal offence for an individual failing to report a suspicion is defined under POCA. The Financial Services and Markets Act 2000 is the UK’s core financial services legislation, and the Bribery Act 2010 deals with offences of bribery, not money laundering reporting.
Question 5 of 30
5. Question
A UK-based investment firm, subject to the Money Laundering Regulations 2017 (as amended), is onboarding a new client. The client is a corporate entity whose principal operations are in a country that the European Commission has officially designated as a ‘high-risk third country’ due to strategic deficiencies in its AML/CFT regime. What factors determine the mandatory enhanced due diligence (EDD) measures the firm must apply to this relationship, as stipulated by the UK’s implementation of the EU’s Fifth Anti-Money Laundering Directive (5MLD)?
Correct
This question assesses understanding of the mandatory Enhanced Due Diligence (EDD) requirements introduced by the EU’s Fifth Anti-Money Laundering Directive (5MLD) and their transposition into UK law. For the CISI Combating Financial Crime exam, it is crucial to know that while the UK’s AML/CFT regime is founded on a risk-based approach, certain situations mandate the application of EDD. 5MLD, which was implemented into UK law through amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), explicitly requires firms to apply EDD to any business relationship or transaction involving a high-risk third country. These are countries identified by the European Commission (and post-Brexit, by the UK government in its own list) as having strategic deficiencies in their national AML/CFT regimes. The correct answer identifies that the client’s connection to a designated high-risk third country is the determining factor that triggers a set of non-discretionary, mandatory EDD measures. These measures, as stipulated in Regulation 33 of the MLR 2017, include, as a minimum: obtaining additional information on the customer and their beneficial owner, the intended nature of the business relationship, the source of funds and wealth, and the reasons for the transactions; and obtaining senior management approval for establishing or continuing the relationship. The other options are incorrect as they misrepresent the regulations: the firm does not have discretion in this specific scenario, PEP status is a separate trigger for EDD, and transaction value thresholds are not the primary determinant for applying EDD to an entire relationship based on country risk.
Question 6 of 30
6. Question
Strategic planning requires a UK-based financial institution, which is also listed on a US stock exchange, to carefully consider the global regulatory landscape. An internal audit reveals that the firm’s current whistleblowing policy directs all reports exclusively through an internal compliance channel before any external disclosure is permitted. In light of the extraterritorial reach of certain US legislation, which of the following represents the most significant risk this policy creates for the firm under the Dodd-Frank Act?
Correct
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 is a significant piece of US legislation with extraterritorial reach, impacting UK firms with a US nexus (e.g., listed on a US exchange). A key component relevant to combating financial crime is its whistleblower program, administered by the Securities and Exchange Commission (SEC). This program offers substantial financial rewards (10-30% of monetary sanctions exceeding $1 million) and anti-retaliation protections to individuals who provide original information about securities law violations. The correct answer identifies the primary strategic risk for a firm: the powerful financial incentive for an employee to bypass internal procedures and report directly to the SEC. This circumvents the firm’s ability to investigate and remediate the issue internally, meaning its first notification of a serious problem could be from the US regulator. For the purposes of the UK CISI exam, it is crucial to understand how such US laws create parallel obligations and risks for UK firms, operating alongside UK-specific frameworks like the Public Interest Disclosure Act 1998 (PIDA) and the regulatory expectations of the Financial Conduct Authority (FCA). While PIDA offers protection in the UK, it does not provide the same level of financial incentive as Dodd-Frank, making the US route highly attractive to potential whistleblowers in multinational firms.
Question 7 of 30
7. Question
The audit findings indicate that a UK-based investment management firm’s anti-money laundering (AML) policies and procedures have not been substantially updated since early 2016. The audit specifically highlights that the firm’s risk assessment methodology does not formally document its consideration of risk factors related to specific jurisdictions, customer types, or delivery channels. Furthermore, its customer due diligence (CDD) processes lack the enhanced measures now explicitly required for high-risk scenarios. This failure to adopt a more formal, documented risk-based approach represents a direct breach of the primary obligations laid out in which UK legislative instrument?
Correct
The correct answer is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). This is the primary piece of UK legislation that sets out the detailed procedural requirements for regulated firms to prevent money laundering and terrorist financing. The scenario specifically mentions failures in risk assessment and customer due diligence (CDD) procedures that have not been updated since 2016. The MLR 2017, which came into force in June 2017, significantly enhanced the UK’s AML/CTF framework by implementing the EU’s Fourth Money Laundering Directive. It mandated a more rigorous, documented, and evidence-based risk-based approach, requiring firms to conduct and record a firm-wide risk assessment and update their policies, controls, and procedures accordingly. The other options are incorrect as they govern different aspects of financial crime: the Proceeds of Crime Act 2002 (POCA) establishes the principal money laundering offences and the Suspicious Activity Reporting (SARs) regime; the Terrorism Act 2000 (TACT) focuses on terrorist financing offences; and the Bribery Act 2010 deals specifically with bribery and corruption.
Question 8 of 30
8. Question
Operational review demonstrates that a trading desk at a UK-based investment firm acquired a significant holding in a thinly traded AIM-listed company. Subsequently, the firm’s research department, which is not properly segregated by Chinese walls, began aggressively promoting the stock on social media platforms and in client newsletters, citing unverified rumours of an imminent, game-changing patent approval. Trading records show that as the stock price surged due to this promotional activity, the trading desk sold its entire position for a substantial profit, just before the company issued a statement clarifying that the patent rumours were unfounded, causing the share price to collapse. Under the UK’s Market Abuse Regulation (MAR), which specific type of market manipulation has most likely occurred?
Correct
The correct answer is ‘Pump and dump’. This is a classic form of market manipulation explicitly prohibited under the UK’s Market Abuse Regulation (MAR). The scenario describes the two key phases: the ‘pump’, where the firm artificially inflates the price of a security it owns by disseminating false and misleading positive information; and the ‘dump’, where the firm sells its holding at the inflated price. This conduct gives a misleading impression as to the value of the shares, deceiving other market participants. Under the UK’s financial crime framework, this behaviour constitutes market abuse under MAR (a civil regime) and could also be a criminal offence under the Financial Services Act 2012 (misleading statements) or the Fraud Act 2006. Insider dealing is incorrect as the information used was false and publicly disseminated, not non-public inside information. Spoofing involves manipulating the market by placing and then cancelling orders with no intention to execute, which is not what occurred. An abusive squeeze involves securing a controlling position over the supply of an asset to dictate prices, which is different from creating artificial demand through false rumours.
Question 9 of 30
9. Question
The audit findings indicate that an overseas subsidiary of a UK-incorporated financial services firm has been making small, undocumented payments to local customs officials to expedite the processing of routine import paperwork. The UK parent company’s board was unaware of these payments, and its general anti-bribery policy does not specifically address such ‘facilitation payments’. Under the UK Bribery Act 2010, what is the most significant legal impact for the UK parent company?
Correct
This question assesses knowledge of the UK Bribery Act 2010, a cornerstone of UK financial crime legislation and a key topic in the CISI Combating Financial Crime syllabus. The correct answer is based on Section 7 of the Act, which introduced the corporate offence of ‘failing to prevent bribery’. A commercial organisation (‘the UK parent company’) is guilty of an offence if a person ‘associated’ with it (the overseas subsidiary) bribes another person intending to obtain or retain business or a business advantage. The Act has extra-territorial reach, meaning it applies to bribery committed overseas by a UK company or an associated person of a UK company. Crucially, the UK Bribery Act 2010 makes no exception for ‘facilitation payments’ (small bribes to expedite routine government action); they are treated as bribes. The only defence for the company is to prove it had ‘adequate procedures’ in place designed to prevent such conduct. The lack of a specific policy addressing these payments severely undermines this potential defence, making the company liable for prosecution.
Question 10 of 30
10. Question
The efficiency study reveals that a UK-based investment bank, in an effort to standardise its client onboarding process, has implemented a policy where every new client undergoes the exact same level of customer due diligence (CDD). Consequently, a low-risk domestic pension fund is subjected to the same checks and monitoring as a corporate vehicle established in a high-risk jurisdiction with a complex ownership structure. This uniform approach directly contravenes which core principle of the Financial Action Task Force (FATF) recommendations?
Correct
The Financial Action Task Force (FATF) Recommendation 1 is foundational to modern anti-money laundering and counter-terrorist financing (AML/CFT) regimes. It mandates that financial institutions must apply a Risk-Based Approach (RBA). This means that firms cannot use a uniform, ‘one-size-fits-all’ method for customer due diligence. Instead, they must identify and assess the specific ML/TF risks they face and apply AML/CFT measures that are commensurate with those risks. For clients or situations identified as higher risk, the firm must apply Enhanced Due Diligence (EDD). Conversely, where risks are proven to be lower, simplified measures may be permissible. The scenario described, where a firm applies the exact same level of scrutiny to all clients, is a clear violation of this principle. In the UK, this FATF standard is enshrined in law, primarily through Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which requires firms to conduct a written risk assessment of their business and apply appropriate risk-sensitive policies and procedures.
Question 11 of 30
11. Question
Which approach would be most effective and compliant with UK regulatory expectations for a large, UK-headquartered multinational bank to adopt for its firm-wide financial crime risk assessment, given that it has diverse business lines such as retail banking, corporate finance, and wealth management, and the Board requires an assessment that is both strategically coherent and captures granular, operational-level risks?
Correct
UK regulations, specifically The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), require firms to conduct a comprehensive, business-wide risk assessment. For a large, complex institution as described, best practice, as guided by the Joint Money Laundering Steering Group (JMLSG), involves a hybrid approach. A purely top-down approach risks missing granular, operational-level risks specific to individual business units. Conversely, a purely bottom-up approach can lack strategic coherence and a consistent firm-wide perspective, making it difficult for senior management to meet their governance obligations under the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) sourcebook. The hybrid model effectively combines strategic direction and risk appetite set by senior management (top-down) with detailed risk identification from the business lines that are closest to the risks (bottom-up). This ensures the assessment is both strategically aligned and operationally relevant, providing a holistic and accurate view of the firm’s financial crime risk exposure.
-
Question 12 of 30
12. Question
The efficiency study reveals an anomaly at a UK-regulated investment firm. Sarah, a junior compliance officer, discovers that a top-performing senior manager has a portfolio of clients who consistently make large, complex deposits near the financial year-end, which are then rapidly transferred to offshore jurisdictions. When Sarah raises this pattern with her direct line manager, he dismisses it as ‘standard practice for high-net-worth individuals’ and warns her that escalating the issue could damage the firm’s relationship with key clients and negatively impact her career. He instructs her to exclude this finding from the final report. Under the Proceeds of Crime Act 2002 (POCA), what is Sarah’s primary legal obligation in this situation?
Correct
This question tests the candidate’s understanding of the personal legal obligations under the UK’s Proceeds of Crime Act 2002 (POCA), specifically the offence of ‘failure to disclose’ in the regulated sector (Section 330). For the CISI Combating Financial Crime exam, it is crucial to know that the duty to report is a personal, statutory obligation that cannot be overridden by a manager’s instructions. The correct action for Sarah, as an employee in the regulated sector, is to make an internal report to the firm’s Nominated Officer (also known as the Money Laundering Reporting Officer or MLRO). The threshold for reporting is ‘suspicion,’ not concrete proof. The information from the efficiency study provides reasonable grounds for suspecting that the senior manager’s clients may be engaged in money laundering. Failing to report this suspicion would put Sarah at risk of committing a criminal offence under s.330 of POCA, which can lead to imprisonment and/or a fine. Following her manager’s instruction (Incorrect Option 2) would not be a valid defence and would constitute a breach of her personal legal duty. Reporting directly to the National Crime Agency (NCA) (Incorrect Option 3) bypasses the required internal procedure; the Nominated Officer is responsible for evaluating internal reports and deciding whether to submit a Suspicious Activity Report (SAR) to the NCA. Attempting to conduct a further investigation (Incorrect Option 4) is also incorrect as it goes beyond the ‘suspicion’ threshold and could risk committing the offence of ‘tipping off’ under Section 333A of POCA.
-
Question 13 of 30
13. Question
Operational review demonstrates that a high-net-worth client has transferred a significant sum of money through a complex web of shell companies located in various offshore jurisdictions with weak AML/CFT regimes. The ultimate purpose of these transfers was to obscure the funds’ criminal origin before using them to purchase a portfolio of commercial real estate in the UK. Which specific type of financial crime is MOST accurately described by this activity?
Correct
This question tests the ability to identify a specific type of financial crime from a given scenario. The activity described—channelling funds through complex structures (layering) to obscure their illicit origin and then using them to purchase a legitimate asset (integration)—is the classic definition of money laundering. Under UK law, specifically the Proceeds of Crime Act 2002 (POCA), money laundering involves concealing, disguising, converting, transferring, or removing criminal property. The other options are incorrect. Bribery, governed by the Bribery Act 2010, involves offering or accepting an inducement for improper performance. Market abuse, covered by the Market Abuse Regulation (MAR), involves behaviour such as insider dealing or market manipulation. Terrorist financing, primarily governed by the Terrorism Act 2000 (TACT), involves providing or raising funds for the purposes of terrorism. While the methods can overlap, the scenario’s focus on legitimising the source of funds for personal enrichment points directly to money laundering.
-
Question 14 of 30
14. Question
Quality control measures reveal that a new high-net-worth client, resident in a jurisdiction known for high levels of corruption, has recently been onboarded. The client’s source of wealth was declared as the sale of a family-owned manufacturing business for £15 million. The only evidence provided and accepted during the initial, standard due diligence process was a single-page, notarized letter from a lawyer in the client’s home country confirming the sale. No official company records, tax statements, or independent sale agreements were obtained. Based on a risk-based approach, what is the most appropriate immediate action for the firm’s Money Laundering Reporting Officer (MLRO) to take?
Correct
This question assesses the application of a risk-based approach to source of funds (SoF) and source of wealth (SoW) assessment, a core principle under UK anti-money laundering regulations. The correct answer is to escalate for Enhanced Due Diligence (EDD). The scenario presents several high-risk indicators: the client is from a high-risk jurisdiction, the transaction is significant, and the evidence provided for the SoW is weak and not independently verifiable. Under the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), firms must apply EDD measures in situations which by their nature can present a higher risk of money laundering. Guidance from the Joint Money Laundering Steering Group (JMLSG) clarifies that this includes dealing with clients from high-risk jurisdictions and situations where the SoW is complex or opaque. Simply accepting a notarized letter without further corroboration fails to satisfy the firm’s obligation to understand and verify the client’s wealth. Proceeding with standard monitoring is inadequate given the elevated risk profile. Filing a SAR and terminating the relationship immediately is a premature step; the firm’s first duty is to conduct sufficient due diligence to understand the client. If, after EDD, the firm cannot satisfy itself as to the legitimacy of the funds and suspicion remains, then a SAR would be the appropriate course of action.
-
Question 15 of 30
15. Question
Operational review demonstrates that junior analysts at a UK investment firm, regulated by the Financial Conduct Authority (FCA), are consistently closing transaction monitoring alerts for potential money laundering without escalating them to the firm’s Money Laundering Reporting Officer (MLRO). The analysts’ justification is that the activity, while unusual, does not meet their personal threshold for ‘clear suspicion’. What is the MOST significant compliance failure this practice creates for the firm?
Correct
This question assesses understanding of the UK’s internal and external financial crime reporting framework. The correct answer is that the practice breaches the internal reporting obligations mandated by the Proceeds of Crime Act 2002 (POCA). Under POCA, employees in the regulated sector must report knowledge or suspicion of money laundering to the firm’s nominated officer, the Money Laundering Reporting Officer (MLRO). The decision to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) rests with the MLRO, not junior staff. By closing alerts based on a personal threshold, the analysts are usurping the MLRO’s function and preventing suspicions from being formally assessed, which could lead to the firm failing in its legal duty to file a SAR. This is a significant breach of both POCA and the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, which requires firms to have effective risk management and AML systems. ‘Tipping off’ (POCA s.333A) involves alerting a person that a SAR has been made, which is not what is happening. While it may indicate a training or procedural weakness, the most significant failure is the direct breach of the statutory reporting channel.
-
Question 16 of 30
16. Question
The control framework reveals during an internal audit of a UK-regulated investment firm that a junior analyst identified a series of small but regular payments from a client’s account to an individual in a jurisdiction known for terrorist activity. The analyst noted their concern about the transactions’ nature but decided not to escalate the matter to the Nominated Officer, documenting that the individual amounts were ‘too small to be significant’. Based on an impact assessment of this finding, what is the most significant regulatory failure this situation exposes under the UK’s counter-terrorist financing regime?
Correct
Under the UK’s Terrorism Act 2000 (TA 2000), individuals in the regulated sector have a legal obligation to report any knowledge or suspicion of terrorist financing to their firm’s Nominated Officer (or MLRO) as soon as is reasonably practicable. This internal report enables the Nominated Officer to assess the suspicion and, if required, submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). The scenario describes a clear breakdown in this process. The analyst’s failure to escalate their suspicion constitutes a potential ‘failure to disclose’ offence under Section 19 of TA 2000. A critical principle of the UK’s CTF regime is that there is no ‘de minimis’ or minimum financial threshold for reporting; even very small amounts can be used to fund terrorist activities. The other options are incorrect because the primary failure is the lack of internal reporting (a TA 2000 issue), not a failure to get a DAML (a POCA 2002 consideration for proceeding with a transaction), a confirmed sanctions breach (SAMLA 2018/OFSI), or a CDD failure (MLRs 2017), although these could be related issues.
-
Question 17 of 30
17. Question
Market research demonstrates that a significant increase in large, unexplained cash transactions within a country’s property market is often a leading indicator of widespread money laundering. A UK-based financial institution, regulated by the Financial Conduct Authority (FCA), is conducting an impact assessment on this trend. From the perspective of maintaining the integrity of the UK’s national economy, what is the most significant macroeconomic impact of such large-scale money laundering activity?
Correct
The correct answer is that large-scale money laundering distorts the property market, leading to inflated asset prices and a misallocation of economic resources. This is a core concept in understanding the wider impact of financial crime, a key area for the CISI Combating Financial Crime exam. When illicit funds are channelled into a specific sector like property, it creates artificial demand that is not based on legitimate economic fundamentals. This inflates prices, making housing unaffordable for legitimate buyers and diverting capital and investment away from more productive sectors of the economy. This distortion undermines the integrity and stability of the financial system, which is a primary concern for UK regulators like the Financial Conduct Authority (FCA). The UK’s anti-money laundering regime, principally governed by the Proceeds of Crime Act 2002 (POCA) and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs), is designed specifically to prevent such negative macroeconomic consequences by protecting the financial system from abuse. While loss of tax revenue and reputational damage to firms are also negative outcomes, the fundamental distortion of an entire economic sector represents the most significant macroeconomic impact.
-
Question 18 of 30
18. Question
Operational review demonstrates that a UK-based engineering firm, in an effort to secure a lucrative government infrastructure contract in a high-risk jurisdiction, engaged a local third-party agent. The review uncovers that the agent was paid a ‘success fee’ amounting to 30% of the contract value, significantly above the industry norm. The invoices submitted by the agent were for ‘consultancy services’ with no detailed breakdown, and payments were directed to a shell company in an offshore financial centre. The firm’s due diligence on the agent was minimal. Under the UK Bribery Act 2010, which specific corporate offence is the firm MOST at risk of committing?
Correct
The correct answer identifies the specific corporate offence under Section 7 of the UK Bribery Act 2010: ‘Failure of a commercial organisation to prevent bribery’. In this scenario, the UK-based firm is a ‘relevant commercial organisation’. The overseas agent, acting on the firm’s behalf to secure business, is considered an ‘associated person’. The Act has extra-territorial reach, meaning it applies to the conduct of UK firms globally. The red flags (high commission, vague invoices, high-risk jurisdiction) strongly suggest that the agent may be using part of their fee to bribe a foreign public official to secure the contract. Even if the firm’s management was not directly aware of the bribe, the firm itself can be held strictly liable for failing to prevent it. The only defence against a Section 7 charge is to prove that the firm had ‘adequate procedures’ in place to prevent bribery, which the lack of due diligence and payment controls in this case clearly indicates were missing. Bribing a foreign public official (Section 6) is the underlying act, but the specific offence for the corporation in this context is the failure to prevent that act. Receiving a bribe (Section 2) and facilitation payments (which are also illegal bribes under the Act) are incorrect based on the scenario’s details.
-
Question 19 of 30
19. Question
Strategic planning requires a financial institution to balance commercial objectives with regulatory compliance. A UK-regulated bank is looking to optimize its onboarding process for a new corporate client, a privately-owned UK limited company operating in a standard-risk industry. To ensure efficiency while adhering to its legal obligations, the bank must establish a clear and compliant Customer Due Diligence (CDD) procedure. According to the UK’s Money Laundering Regulations 2017 and associated JMLSG guidance, which of the following procedures represents the most appropriate and compliant approach to identifying and verifying this corporate client?
Correct
This question assesses understanding of the core Customer Due Diligence (CDD) requirements for corporate entities under the UK’s anti-money laundering regime. The correct answer is based on the principles outlined in the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the guidance provided by the Joint Money Laundering Steering Group (JMLSG). Under MLR 2017, when dealing with a corporate body, a firm must identify the customer and verify its identity. This includes obtaining and verifying the company’s name, registration number, and registered office. For a UK company, using the official Companies House register is a primary and reliable independent source. Crucially, firms must also identify the ‘beneficial owners’. Regulation 5 of MLR 2017 defines a beneficial owner in relation to a corporate body as any individual who ultimately owns or controls more than 25% of the shares or voting rights, or who otherwise exercises control over the management of the body. The firm must then take adequate, risk-based measures to verify the identity of these beneficial owners. The correct option accurately reflects this two-part process: verifying the entity itself and then taking risk-based steps to identify and verify its ultimate beneficial owners based on the specified threshold. The other options are incorrect because they represent common KYC failings:
- Relying solely on a director’s declaration fails the requirement for independent verification.
- Only verifying the company’s legal existence without identifying beneficial owners is a major breach of MLR 2017.
- Insisting on face-to-face verification for every single shareholder is not a risk-based approach and is overly prescriptive, going beyond the typical requirements of JMLSG guidance for standard-risk clients.
-
Question 20 of 30
20. Question
Risk assessment procedures indicate that a UK-based investment firm, regulated by the FCA, is planning to onboard clients from a jurisdiction that the Financial Action Task Force (FATF) has recently placed on its list of ‘Jurisdictions Under Increased Monitoring’. The FATF’s public statement highlights specific strategic deficiencies in the country’s customer due diligence (CDD) and beneficial ownership transparency measures. The firm’s MLRO is now required to determine the appropriate response. According to the UK’s Money Laundering Regulations 2017 (MLR 2017) and associated JMLSG guidance, what is the MOST appropriate initial step the firm must take when dealing with potential clients from this jurisdiction?
Correct
The correct answer is to apply mandatory Enhanced Due Diligence (EDD). This is a core requirement under UK anti-financial crime legislation, specifically The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Regulation 33 of MLR 2017 explicitly requires firms to apply EDD measures to manage the risks arising from business relationships or transactions with individuals or entities based in high-risk third countries. The Financial Action Task Force (FATF) list of ‘Jurisdictions Under Increased Monitoring’ (the ‘grey list’) serves as a primary indicator for identifying such high-risk countries. The Joint Money Laundering Steering Group (JMLSG) guidance, which is approved by HM Treasury and followed by UK firms to meet their regulatory obligations, provides practical steps for implementing EDD. These steps include obtaining additional information on the customer, source of funds, and source of wealth; seeking senior management approval for the relationship; and conducting enhanced ongoing monitoring. Simply ceasing all business is a de-risking strategy, which may be a commercial decision but is not the required regulatory first step. Submitting a SAR for every transaction is incorrect as a SAR should only be filed based on actual suspicion of money laundering or terrorist financing under the Proceeds of Crime Act 2002 (POCA), not automatically based on jurisdiction. Awaiting instructions from the FCA is also incorrect, as the regulator expects firms to have their own proactive risk-based approach and systems and controls (as per the FCA’s SYSC sourcebook) to manage identified risks.
Question 21 of 30
21. Question
Risk assessment procedures indicate a potential new client for a UK-based wealth management firm presents a significantly high risk of money laundering. The client is a complex corporate entity with opaque ownership structures, operating out of a jurisdiction listed by the Financial Action Task Force (FATF) as having strategic AML/CFT deficiencies. According to the UK legal and regulatory framework, which piece of legislation is the primary source that mandates the firm must apply specific Enhanced Due Diligence (EDD) measures to mitigate these identified risks?
Correct
The correct answer is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). For the UK CISI Combating Financial Crime exam, it is crucial to distinguish between the different pieces of primary legislation. The MLR 2017 (as amended) are the cornerstone of the UK’s anti-money laundering and counter-terrorist financing regime, implementing the EU’s Money Laundering Directives. Specifically, Regulation 33 of MLR 2017 mandates that firms must apply Enhanced Due Diligence (EDD) measures to manage and mitigate risks in situations identified as high-risk, such as those involving complex corporate structures and clients from high-risk jurisdictions. While the Proceeds of Crime Act 2002 (POCA) establishes the primary money laundering offences and the Suspicious Activity Reporting (SAR) regime, it does not prescribe the specific preventative due diligence measures firms must undertake. The Bribery Act 2010 is focused on bribery and corruption offences, and the Criminal Finances Act 2017 introduced Unexplained Wealth Orders and the corporate offence of failing to prevent tax evasion, but neither dictates the core CDD/EDD framework like the MLR 2017.
Question 22 of 30
22. Question
The performance metrics show that a UK-based wealth management firm’s compliance team has received 450 internal Suspicious Activity Reports (SARs) in the last quarter, but the Money Laundering Reporting Officer (MLRO) has only submitted 30 external SARs to the National Crime Agency (NCA). The MLRO is concerned about the potential for ‘defensive reporting’ internally, which is overwhelming the review process, and the risk of failing to report genuine suspicion externally. Which of the following actions is the MOST appropriate for the MLRO to take first to address this situation in line with their responsibilities under the Proceeds of Crime Act 2002?
Correct
In the UK, the Money Laundering Reporting Officer (MLRO) has a critical, legally defined role under the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000. The MLRO is the focal point for all internal anti-money laundering activity and is personally responsible for the firm’s compliance. When an employee has a suspicion of money laundering, they must submit an internal Suspicious Activity Report (SAR) to the MLRO. The MLRO’s duty is not to simply forward every internal report to the National Crime Agency’s UK Financial Intelligence Unit (UKFIU). Instead, the MLRO must apply their expertise to evaluate the internal report, conduct further enquiries where necessary, and determine if there are objective grounds for suspicion. Submitting a high volume of low-quality SARs externally (‘defensive reporting’) burdens the UKFIU and can mask genuinely significant intelligence. Conversely, failing to report when suspicion exists can lead to a criminal offence for the MLRO under POCA (s.331 – failure to disclose in the regulated sector). Therefore, the most appropriate first step when facing a high volume of internal reports with a low external submission rate is to address the quality of the entire process. This involves improving the input from staff through training and guidance, and refining the MLRO’s own analysis and decision-making framework. Punishing staff is counter-productive as it discourages reporting, while simply forwarding all reports abdicates the MLRO’s key responsibility of evaluation.
Question 23 of 30
23. Question
The risk matrix shows a wealth management firm’s assessment of its various services. In this context, ‘inherent risk’ is the level of risk before any controls are applied, while ‘residual risk’ is the risk that remains after controls are implemented. The matrix indicates that the firm’s ‘politically exposed person (PEP) client onboarding’ process has a high inherent risk but a low residual risk. What is the MOST appropriate conclusion to draw from this assessment?
Correct
This question assesses the understanding of a core concept in financial crime risk management: the risk-based approach (RBA). The RBA is a mandatory requirement under UK law, specifically Regulation 18 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). The Joint Money Laundering Steering Group (JMLSG) provides guidance on implementing this approach. A risk matrix is a key tool used in an RBA. It distinguishes between ‘inherent risk’ (the level of risk before controls are applied) and ‘residual risk’ (the risk remaining after controls are implemented). A high inherent risk, such as that associated with Politically Exposed Persons (PEPs), indicates a significant vulnerability to financial crime. The goal of a firm’s control framework is to mitigate this inherent risk to an acceptable level. A low residual risk demonstrates that the controls (e.g., enhanced due diligence, senior management approval, ongoing monitoring) are well-designed and operating effectively. Therefore, the combination of high inherent risk and low residual risk is the desired outcome, indicating a successful risk management process.
Question 24 of 30
24. Question
The evaluation methodology shows that a firm’s transaction monitoring system has flagged a new client’s account. The client, who has a low-income profile, received a single large credit transfer. Within 24 hours, the entire balance was dissipated through a series of cash withdrawals from various ATMs, each conducted by a different individual and each just below the amount that would trigger enhanced monitoring. From a risk assessment perspective, which of these activities is the MOST significant red flag indicating the potential use of money mules and structuring?
Correct
Under the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), firms are required to conduct ongoing monitoring of business relationships. The Joint Money Laundering Steering Group (JMLSG) guidance provides practical assistance in implementing these regulations. The scenario described points to several red flags, but the most significant indicator of a deliberate attempt to launder funds is the structuring of transactions. Structuring, also known as ‘smurfing’, is the practice of breaking down a large financial transaction into a series of smaller transactions to avoid scrutiny and reporting requirements. The use of multiple, seemingly unrelated individuals (money mules) to make these deposits is a classic hallmark of this technique, designed to obscure the true origin and ownership of the funds. While the other options are also concerning (use of a new account, rapid fund movement, and transactions inconsistent with the client’s profile), the coordinated use of multiple third parties for structured deposits is a highly specific and compelling indicator of organised money laundering.
Question 25 of 30
25. Question
Process analysis reveals that a compliance officer at a UK-based investment firm is updating the firm’s internal training materials. The officer needs to clearly differentiate between the legislation that criminalises the act of money laundering itself and the regulations that dictate the firm’s preventative systems and controls, such as customer due diligence procedures. Which piece of UK legislation establishes the three principal money laundering offences of concealing, arranging, and acquiring criminal property?
Correct
The correct answer is the Proceeds of Crime Act 2002 (POCA). For the UK CISI Combating Financial Crime exam, it is crucial to distinguish between the primary legislation that creates criminal offences and the regulations that impose preventative obligations on firms. POCA 2002 is the cornerstone of the UK’s anti-money laundering regime, establishing the three principal money laundering offences in sections 327 (concealing, disguising, converting, transferring or removing criminal property), 328 (entering into or becoming concerned in an arrangement), and 329 (acquisition, use and possession of criminal property). The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) are secondary legislation that implements the EU’s Money Laundering Directives into UK law. They do not create the primary money laundering offences but instead mandate the systems and controls that regulated firms must implement to prevent money laundering, such as conducting customer due diligence (CDD), risk assessments, and staff training. The Terrorism Act 2000 (TACT) creates specific offences related to terrorist financing, which are distinct from the general money laundering offences under POCA. The Bribery Act 2010 deals specifically with offences of bribery and corruption.
Question 26 of 30
26. Question
Compliance review shows that Mark, the brother of a junior analyst at a UK investment bank, made a substantial and highly profitable trade in PharmaCorp shares just days before a major takeover bid was publicly announced. The review uncovers that the analyst, David, had overheard details of the confidential deal at his firm and subsequently had a long phone call with his brother Mark the evening before the trade was placed. Under the UK’s Criminal Justice Act 1993, which specific offence has been committed by the analyst, David?
Correct
The correct answer identifies the specific criminal offence committed by the analyst, David, under the UK’s primary legislation for insider dealing, the Criminal Justice Act 1993 (CJA 1993). The CJA 1993 establishes three main offences:
1. Dealing: An insider deals in price-affected securities based on inside information.
2. Encouraging: An insider encourages another person to deal in price-affected securities based on inside information.
3. Disclosing: An insider discloses inside information to another person, otherwise than in the proper performance of their employment.
In this scenario, the analyst (David) became an insider by acquiring confidential, price-sensitive information through his employment. By passing this information to his brother (Mark), who then traded on it, David committed the offences of improper disclosure and encouraging another to deal. Mark committed the offence of dealing. Therefore, ‘Encouraging another to deal based on inside information’ is the most accurate description of the analyst’s criminal act under the CJA 1993.
Incorrect Options Analysis:
- Market manipulation under MAR: This is incorrect. Market manipulation involves actions like spreading false information or creating a misleading impression of supply and demand. The scenario describes the misuse of confidential information, which is insider dealing, not market manipulation.
- Money laundering under POCA 2002: While the profits from the illegal trade constitute criminal property and could become the subject of a money laundering offence, the primary crime committed is insider dealing, which is the predicate offence.
- A breach of the firm’s personal account dealing policy only: This is an understatement. While it is almost certainly a breach of internal policy, the act is a serious criminal offence under UK law, punishable by imprisonment and/or an unlimited fine, not merely an internal compliance issue.
Question 27 of 30
27. Question
Assessment of a UK-based technology firm’s compliance with anti-bribery legislation. ‘Innovate UK PLC’ is a company incorporated in the United Kingdom. It has a subsidiary in a country known for high levels of corruption. An employee of this overseas subsidiary makes a small cash payment to a local government official to expedite the issuance of a routine, legally-entitled operating licence, which was being delayed. An internal review at Innovate UK PLC reveals that while it has a generic anti-bribery policy, its procedures are poorly implemented and not tailored to overseas risks. Under the provisions of the UK Bribery Act 2010, which specific offence is Innovate UK PLC, as the parent company, most likely to be prosecuted for?
Correct
In the context of the UK Chartered Institute for Securities & Investment (CISI) Combating Financial Crime exam, this question tests the corporate offence under Section 7 of the UK Bribery Act 2010. The correct answer is ‘Failure of a commercial organisation to prevent bribery’. Under the UK Bribery Act 2010, a commercial organisation (‘C’) is guilty of an offence if a person ‘associated’ with C bribes another person intending to obtain or retain business or a business advantage for C. In this scenario, the overseas subsidiary’s employee is an ‘associated person’. The payment to the official, even if a small ‘facilitation payment’, constitutes a bribe under the Act, as it is intended to induce the official to perform their function improperly for a business advantage (expedited processing). The UK Bribery Act has extra-territorial reach, meaning it applies to UK companies operating anywhere in the world. The UK parent company, ‘Innovate UK PLC’, is liable under Section 7 because it failed to prevent this bribery. The only defence against a Section 7 charge is to prove that the organisation had ‘adequate procedures’ in place to prevent bribery. The scenario explicitly states the company’s procedures were ‘poorly implemented and not tailored to overseas risks’, meaning this defence would fail. The other options are incorrect as the parent company itself did not directly commit the act of bribing a foreign official (Section 6) or the general offence of bribery (Section 1); its liability stems from its failure to prevent the act.
Question 28 of 30
28. Question
Comparative studies suggest that financial institutions are increasingly moving from static, annual risk assessments to more dynamic, data-driven models for managing financial crime risk. A UK-based investment firm, regulated by the FCA, is implementing such a new system to continuously update customer risk profiles based on transactional behaviour and other data points. According to the UK’s Money Laundering Regulations 2017 and associated JMLSG guidance, what is the primary regulatory objective this firm is seeking to achieve through this process optimisation?
Correct
This question assesses understanding of the core principle of the UK’s risk-based approach (RBA) to combating financial crime, as mandated by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). The primary regulatory objective of optimising a risk assessment process is to ensure that controls are proportionate to the risks identified. A dynamic, data-driven model allows a firm to better understand the specific money laundering and terrorist financing risks posed by each client relationship and to apply customer due diligence (CDD) measures accordingly. This aligns with Regulation 28 of MLR 2017, which requires the extent of CDD to be determined on a risk-sensitive basis. The Joint Money Laundering Steering Group (JMLSG) guidance further elaborates that firms should focus their resources on the areas of highest risk, applying Enhanced Due Diligence (EDD) where necessary. Reducing costs is a business benefit, not the primary regulatory driver. Automating sanctions screening is only one component of a much broader risk assessment. Creating a standardised process for all customers would be a direct violation of the risk-based approach, which requires a tailored application of controls.
Question 29 of 30
29. Question
The monitoring system demonstrates that a UK-based wealth management firm has configured its automated transaction monitoring system to apply different levels of scrutiny based on client and transaction profiles. For instance, transactions involving clients from jurisdictions on the Financial Action Task Force (FATF) ‘grey list’ or those involving complex offshore corporate structures are immediately escalated for enhanced due diligence by a senior compliance officer. In contrast, low-value, regular domestic payments from long-standing retail clients with a consistent transactional history are processed with a higher alert threshold and are subject to less frequent manual review. What core anti-money laundering (AML) principle does this tiered approach to monitoring BEST represent?
Correct
This question assesses the understanding of the risk-based approach (RBA), a cornerstone of the UK’s anti-money laundering and counter-terrorist financing (AML/CTF) regime. The UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) mandate that firms must adopt an RBA. This means firms must identify, assess, and understand the specific financial crime risks they face and apply AML/CTF measures that are proportionate to those risks. The scenario describes a firm allocating its compliance resources—such as the level of automated scrutiny and the intensity of manual review—based on the perceived risk of different clients and transactions. High-risk activities (e.g., involving FATF-listed jurisdictions or complex structures) receive enhanced attention, while low-risk activities are monitored less intensively. This is the practical application of an RBA as guided by the Joint Money Laundering Steering Group (JMLSG) and expected by the Financial Conduct Authority (FCA). The other options are incorrect: a ‘rules-based’ approach is the opposite of an RBA, applying the same rules to all situations regardless of risk; the firm is applying Enhanced Due Diligence (EDD), not exclusively Simplified Due Diligence (SDD); and ‘de-risking’ would involve terminating relationships with high-risk clients, not managing them with appropriate controls.
Question 30 of 30
30. Question
To address the challenge of onboarding new clients effectively while maintaining regulatory compliance, a UK-based investment firm is processing an application from a high-net-worth individual. The client is a French national who has just relocated to London and the entire onboarding process is being conducted remotely. The firm’s standard electronic verification check fails, which is attributed to the client’s very limited address and credit history in the UK. The client has, however, provided a high-quality certified copy of their valid French passport. In line with the UK’s Money Laundering Regulations 2017, what is the most appropriate next step for the firm to take to complete the customer identification and verification process?
Correct
This question tests the application of the UK’s risk-based approach to customer due diligence (CDD) as required by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and detailed in the Joint Money Laundering Steering Group (JMLSG) Guidance. When standard electronic verification fails for a plausible reason, such as a client being new to the country, a firm should not automatically reject the client or file a SAR. Instead, it must take alternative, reasonable measures to verify the client’s identity. The JMLSG Guidance explicitly allows for the use of a combination of documents to build a picture of the client’s identity. Requesting additional certified documents, like a bank statement from another regulated UK firm and a letter from a reputable employer, is a proportionate and compliant way to corroborate the information provided and satisfy CDD obligations. Applying Simplified Due Diligence (SDD) is incorrect as the client’s circumstances (high-net-worth, non-face-to-face) do not automatically suggest low risk. Terminating the relationship and filing a SAR is an overreaction, as a failed check with a logical explanation does not constitute suspicion. Onboarding the client before completing verification is a breach of Regulation 30 of MLR 2017, which requires verification to be completed before the business relationship is established.