Free ACAMS CCAS Practice Exam with Questions & Answers | Set: 3

In risk-based AML/CFT programs — including those applied to Virtual Asset Service Providers (VASPs) — risk assessment determines the remaining exposure after applying mitigating measures.

Inherent Risk:The natural level of risk before applying any controls, based on factors like customer profile, transaction patterns, and jurisdiction.

Control Effectiveness:The degree to which implemented controls (e.g., CDD, EDD, sanctions screening, blockchain analytics) reduce risk.

Residual Risk:The risk that remains after controls are applied and is the level an organization must either accept, reduce further, or avoid.

The standard formula is:

Inherent Risk – Control Effectiveness = Residual Risk

This equation is emphasized in FATF’s risk-based approach guidance and reinforced in DIFC (DFSA) and ADGM (FSRA) AML rules to ensure ongoing monitoring and governance oversight of remaining risks.

FATF Recommendation 13 (Correspondent Banking and Similar Relationships) and its application to VASP–VASP relationships require enhanced due diligence before onboarding. This is because such arrangements carry elevated ML/TF risk, especially in cross-border settings.

Required CDD practices include:

Assess the nature and purpose of the VASP relationship (C):Understand why the relationship is being established and the expected services/products.

Obtain approval from senior management (D):Senior management oversight ensures risk is accepted at the appropriate governance level.

Assess the VASP’s supervision and if a license/registration is needed (E):Confirm regulatory oversight, licensing, and compliance with AML/CFT obligations.

Options A and B arenotcore FATF requirements for CDD in this context — local authority approval may be a domestic regulatory requirement in some countries, but not a FATF baseline, and profitability assessment is a business decision, not an AML measure.

Sharing of the same IP address by multiple customers during onboarding can indicate potential fraud, identity manipulation, or collusion, and should be flagged for further investigation. This can be a sign of synthetic identities or multiple accounts controlled by the same person.

Receipt of law enforcement requests (A) usually occurs post-onboarding, while the location (B) or use of foreign IDs (C) is not inherently suspicious.

Upon identifying customer engagement with unhosted wallets or P2P transfers, the first step a VASP should take is tocollect and assess dataon such transactions. This assessment helps determine if these activities fall within the firm's risk appetite and what enhanced controls or actions may be needed.

Immediate account freezing (B) is not the first step without assessment; neither is allowing transfers (A) without risk consideration. Enhancing risk frameworks (D) is important but follows from an initial data-driven risk assessment.

Relevant guidance:

FATF Recommendations and DFSA AML Module require VASPs to maintain a risk-based approach that begins with data collection and risk assessment on unhosted wallet transactions.

The DFSA’s 2023 Dear MLRO letters and thematic reviews stress proportionality and evidence-based responses rather than immediate punitive measures.

Enhanced due diligence (EDD) and risk mitigation measures, including potentially freezing accounts, come after assessment of the risk level【AML/VER25/05-24: Sections 4.1, 6.4, 13; 20230406Dear_MLRO_Letter_re_IEMS.pdf】.

Hence,Cis the appropriate first action.

DFSA AML Module requires the Board to approve and oversee the firm’s business-wide risk assessment, ensuring accountability at the highest governance level.

PEPs require enhanced scrutiny under FATF Recommendation 12, including senior management approval and source of funds verification.

Blockchain’s immutability ensures that all transactions remain permanently recorded and tamper-proof, enabling blockchain analytics to trace illicit funds. This property is leveraged in crypto forensic investigations and AML monitoring.

Machine learning (ML) and artificial intelligence (AI) are applied within compliance frameworks to enhance the efficiency of monitoring and detection processes and to allow skilled compliance resources to focus on higher-value activities such as complex investigations and strategic decision-making. ML/AI tools can process vast amounts of transaction data to identify suspicious patterns faster than manual processes.

They do not reduce the fundamental requirement for risk assessment (A) nor are they intended primarily to reduce headcount (C), but rather to optimize resource allocation.

AML and DFSA guidance emphasize leveraging technology to improve the effectiveness and efficiency of AML controls while maintaining robust risk management.

Decentralized exchanges lack a central counterparty responsible for AML compliance, making it difficult to enforce KYC/CDD, monitor transactions, or implement controls. This structural characteristic increases inherent AML risk compared to centralized exchanges, which have accountable operators.

Transaction cost (A), validator nodes (B), or asset types (D) are less impactful in the compliance risk rating.

A 51% attack refers to a situation where a single miner or group controls more than 50% of the blockchain network’s computational (hashing) power. This majority control allows them to manipulate the blockchain ledger by double-spending or blocking transactions.

This term is widely recognized in blockchain security contexts and is referenced in typology papers on crypto financial crime risks, including those issued by UAE authorities and FATF.

Supporting extracts:

DFSA AML thematic reviews mention the risk of manipulation and double spending in blockchains susceptible to 51% attacks.

Typology reports on cryptoasset risks highlight computational power concentration as a core vulnerability.

“51% refers to the percentage of total mining power or computational power in the network” is the standard definition across crypto AML/CFT frameworks【31.92._TFS_Typology_Paper_Eng__4.pdf; AMLCFT_Guidance_for_FIs.pdf】.

Thus,Cis correct.