AML/CFT Compliance Quiz: FATF Standards, CDD, PEPs, Sanctions & Virtual Assets

This quiz reinforces mandatory AML/CFT training by applying the FATF 40 Recommendations to practical controls: risk-based CDD, beneficial ownership, PEP due diligence, sanctions screening, correspondent banking, and virtual asset transfer obligations. Strong execution prevents workplace compliance incidents such as missed escalations and prohibited payments. Non-compliance can lead to regulatory enforcement, significant penalties, and criminal exposure.
1. In AML/CFT, what does a “risk-based approach” primarily require?

2. Customer due diligence (CDD) is an ongoing process that includes monitoring transactions and keeping customer information up to date.
   True / False

3. When should sanctions screening be performed in an effective compliance program?

4. Being on the FATF grey list is the same thing as being subject to UN or domestic sanctions, so transactions must be blocked automatically.
   True / False

5. Which approach best fits FATF expectations for periodic CDD reviews?

6. A long-time retail customer is elected to parliament and begins receiving large third-party transfers labeled “consulting fees” with limited documentation. What should you do first?

7. If your institution does not offer crypto products, you can ignore virtual asset exposure entirely for AML/CFT purposes.
   True / False

8. You onboard a corporate client with layered ownership through holding companies and a trust. Which steps support identifying and verifying beneficial owners and controllers? Select all that apply.

9. Your monitoring system flags 18 cash deposits just under the reporting threshold over two weeks, followed by a wire transfer out. What is the most appropriate next step?

10. You confirm a true sanctions match to a designated person and your jurisdiction requires asset freezing. What actions are appropriate? Select all that apply.

11. Arrange the CDD lifecycle activities in the most appropriate order for a new customer relationship.
    Put in order:
    1. Perform initial risk assessment
    2. Understand purpose and expected account activity
    3. Collect and verify customer/beneficial owner information
    4. Set ongoing monitoring and review triggers
    5. Approve onboarding per policy (including any EDD approvals)

12. For a VASP-to-VASP virtual asset transfer where the Travel Rule applies, which data set is most directly required to be transmitted?

13. Arrange the typical sanctions alert handling workflow in the best order.
    Put in order:
    1. Perform initial triage (name similarity and basic identifiers)
    2. Generate and queue the sanctions alert
    3. Decide: clear, reject, or block/freeze per law
    4. Collect additional identifiers (DOB, address, passport, entity data)
    5. Document rationale and file required reports
    6. Escalate potential true matches to sanctions/MLRO/legal

14. Arrange the steps to identify and verify beneficial ownership for a client with layered ownership and a trust in the chain.
    Put in order:
    1. Collect corporate registry extracts and trust documentation
    2. Verify identified natural persons using independent, reliable sources
    3. Identify owners and separate controllers (directors, trustees, protectors)
    4. Map the full ownership/control chain to natural persons
    5. Resolve gaps (nominees, bearer-like features, missing documents)
    6. Document the UBO determination and risk rating rationale

15. Which factor is most central to due diligence for a correspondent banking relationship?

16. Your sanctions filter produces a potential match on a payment beneficiary name. The match score is high but date of birth differs. What is the best action?

17. You provide correspondent banking services to Respondent Bank A. You learn Respondent A offers “payable-through” access to downstream institutions, but cannot clearly describe those downstream customers. What is the most appropriate control response?

Disclaimer

This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.

Frequent FATF CDD, PEP, Sanctions, and Virtual Asset Control Failures

1) Treating CDD as onboarding-only (instead of lifecycle due diligence)

A recurring weakness is completing CDD at account opening and then letting profiles “freeze” for years, even as ownership, geography, products, or transaction behavior changes.

  • Avoid it by: documenting a risk-based refresh cycle (periodic + trigger-based) and tying it to monitoring alerts, adverse media, and ownership changes.

2) Misapplying the risk-based approach (RBA)

Some teams apply identical controls to every customer, which wastes effort on low-risk clients while under-controlling complex structures (trusts, layered entities, nominee arrangements, high-risk jurisdictions).

  • Avoid it by: using clear risk factors (product, geography, customer type, delivery channel) and defining when Enhanced Due Diligence (EDD) is mandatory.

3) Weak beneficial ownership verification and control of “UBO uncertainty”

Collecting names is not the same as establishing beneficial ownership. Over-reliance on self-certification and failure to resolve gaps (missing IDs, unexplained control, inconsistent registries) produces false comfort.

  • Avoid it by: verifying against independent sources where available, documenting discrepancies, and escalating when control cannot be reasonably established.

4) PEP controls that miss time-based changes

PEP status is dynamic (elections, appointments, close associates, and family changes). One-time screening at onboarding routinely misses newly elevated risk.

  • Avoid it by: ongoing PEP screening, documented senior management approval where required, and source-of-wealth/source-of-funds substantiation aligned to risk.

5) Sanctions and monitoring failures driven by “threshold thinking”

Analysts sometimes confuse AML thresholds (e.g., cash reporting) with suspiciousness, or treat sanctions screening as a periodic batch exercise rather than a real-time control with rigorous match resolution.

  • Avoid it by: calibrating scenarios for patterns (structuring, rapid in/out, circular flows), maintaining list update evidence, and recording alert disposition with a defensible rationale.
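Failure 5 asks for monitoring scenarios calibrated to patterns over time rather than to single amounts. As an added illustration that is not part of this quiz page, the Python below runs a small structuring detector over a constructed ledger mirroring quiz question 9 (18 cash deposits just under the reporting threshold over two weeks, then a wire out); the threshold value, the “just under” band, the window length, the minimum count and the wire follow-up gap are assumed tuning parameters, not values from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    ts: datetime
    kind: str      # "cash_in" (counter deposit) or "wire_out"
    amount: float

def detect_structuring(txns, threshold, band=0.10, window_days=14,
                       min_count=5, wire_gap_days=7):
    """Flag a run of 'just under threshold' cash deposits inside a rolling window.
    band, window_days, min_count and wire_gap_days are assumed tuning values.
    Returns an alert dict, or None when no scenario fires."""
    low = threshold * (1 - band)
    deposits = sorted((t for t in txns if t.kind == "cash_in" and low <= t.amount < threshold),
                      key=lambda t: t.ts)
    wires = sorted((t for t in txns if t.kind == "wire_out"), key=lambda t: t.ts)
    best = []
    for i, start in enumerate(deposits):          # densest window anchored at each deposit
        cluster = [t for t in deposits[i:] if t.ts - start.ts <= timedelta(days=window_days)]
        if len(cluster) > len(best):
            best = cluster
    if len(best) < min_count:
        return None
    last = best[-1].ts                            # rapid out-flow after the cluster raises severity
    follow = [w for w in wires if 0 <= (w.ts - last).days <= wire_gap_days]
    return {
        "count": len(best),
        "total": round(sum(t.amount for t in best), 2),
        "first": best[0].ts.date().isoformat(),
        "last": last.date().isoformat(),
        "wire_out_after": round(sum(w.amount for w in follow), 2),
        "severity": "high" if follow else "medium",
    }

def sample_ledger():
    """Constructed ledger (not real data): 18 cash deposits of 9,100-9,899 spread over
    14 days, one unrelated small deposit, then a single outbound wire two days later."""
    base = datetime(2024, 3, 1, 10, 0)
    txns = [Txn(base + timedelta(days=d % 14, hours=d // 14), "cash_in", float(9_100 + d * 47))
            for d in range(18)]
    txns.append(Txn(base + timedelta(days=3), "cash_in", 2_500.0))
    txns.append(Txn(base + timedelta(days=16), "wire_out", 170_000.0))
    return txns

if __name__ == "__main__":
    print(detect_structuring(sample_ledger(), threshold=10_000))
```

The returned dict is the kind of objective fact set (count, dates, aggregate, follow-on outflow) that belongs in an alert disposition record, separate from the analyst's rationale.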

6) Virtual asset activity treated as out-of-scope

Assuming “crypto is handled elsewhere” leads to gaps in Travel Rule processes, counterparty/VASP risk assessment, and typology coverage (mixers, chain hopping, high-risk exposure).

  • Avoid it by: mapping virtual asset products to controls (CDD, monitoring, information sharing, escalation) and testing coverage end-to-end.

Operational Decision Drills: CDD Refresh, Sanctions Matches, PEP EDD, VASP Transfers

Use these short drills to practice the same decision points assessed in FATF-aligned AML/CFT programs: what to collect, what to verify, when to escalate, and how to document outcomes.

  1. Layered ownership + PEP proximity: A new offshore holding company seeks multi-currency services. Ownership includes three entities and a trust; an ultimate controller is the sibling of a foreign deputy minister.
    • What documents and independent sources do you use to establish beneficial ownership and control?
    • What triggers EDD, and what would “source of wealth” corroboration look like for this risk level?
    • Who must approve onboarding, and what ongoing monitoring intensity do you set?
  2. Sanctions potential match: A payment beneficiary name partially matches an SDN entry; date of birth is missing and the country differs by one letter code.
    • What is the minimum match-resolution workflow before release vs reject vs block (as applicable to your regime)?
    • What evidence do you retain to show list currency, decision rationale, and escalation?
  3. Correspondent banking relationship refresh: A respondent bank’s KYC questionnaire is 3 years old; transaction volumes and corridors have shifted toward higher-risk geographies.
    • What “change of risk” triggers a review, and what must be re-assessed (nested relationships, payable-through accounts, downstream controls)?
    • What monitoring KPIs would you require to keep the relationship defensible?
  4. CDD vs suspicious activity: A long-tenured retail customer receives repeated third-party credits followed by rapid ATM cash-outs just under reporting thresholds.
    • Which facts belong in an updated customer profile vs an investigation narrative?
    • What red flags indicate structuring or mule activity, and when do you escalate for SAR/STR consideration?
  5. Virtual asset transfer with a self-hosted wallet: A customer funds an exchange account from a self-hosted address and immediately sends to a new VASP in another jurisdiction.
    • What Travel Rule data should be captured/shared where required, and what do you do when counterparty data is incomplete?
    • Which blockchain analytics signals (exposure, typologies) would elevate risk and require EDD or restrictions?

Authoritative AML/CFT References: FATF, FinCEN, OFAC, Basel, and PEP Guidance

Five Actions That Prevent AML/CFT Breakdowns Under FATF Standards

  1. Define “ongoing due diligence” as a schedule plus triggers: set refresh frequencies by risk tier and enumerate specific trigger events (ownership change, new geography, product expansion, negative news, monitoring anomalies).
  2. Separate identity collection from verification: require independent corroboration where feasible, document discrepancies, and treat unresolved beneficial ownership/control questions as escalation events—not “to be updated later.”
  3. Operationalize PEP risk beyond name-screening: connect PEP flags to EDD steps (senior approval, source of wealth/funds checks, enhanced monitoring) and run continuous screening that captures new PEP status over time.
  4. Make sanctions screening a controlled process, not a tool output: evidence list sources and update cadence, standardize match-resolution decisions, and retain a defensible audit trail for every true/false positive.
  5. Bring virtual asset flows into your core AML model: map Travel Rule and blockchain analytics signals into monitoring and escalation playbooks, and treat VASP/counterparty risk as a first-class factor in your risk assessment.

AML/CFT Terms Used in FATF-Based Programs

CDD (Customer Due Diligence)
Controls used to identify the customer, understand the relationship purpose, and assess ML/TF risk at onboarding and throughout the relationship. Example: “CDD identified the customer’s expected monthly turnover and jurisdictions, which informed monitoring thresholds.”
EDD (Enhanced Due Diligence)
Additional, risk-driven steps for higher-risk customers/activities (e.g., PEPs, complex ownership, high-risk geographies). Example: “EDD required corroborating source of wealth and documenting senior management approval.”
UBO (Ultimate Beneficial Owner)
The natural person(s) who ultimately owns or controls a legal entity, directly or indirectly (ownership and/or control tests). Example: “The UBO was identified through trust documentation and corporate registries.”
PEP (Politically Exposed Person)
An individual entrusted with prominent public functions, along with applicable family members and close associates, requiring heightened risk management in many frameworks. Example: “A newly appointed minister triggered PEP status and a monitoring uplift.”
Sanctions screening
Checking customers and transactions against sanctions lists and applying defined actions (e.g., escalation, reject, block/freeze) per jurisdictional rules. Example: “A near match was escalated for additional identifiers before payment release.”
SAR/STR (Suspicious Activity/Transaction Report)
A regulatory filing reporting suspected ML/TF or other suspicious activity, supported by a clear narrative and objective facts. Example: “The SAR narrative described structuring behavior across multiple cash deposits.”
Correspondent banking
Provision of banking services by one bank to another (respondent), creating indirect exposure to the respondent’s customers and controls. Example: “Corridor changes prompted a correspondent relationship review and control testing.”
Travel Rule (virtual asset context)
Requirements to transmit certain originator/beneficiary information with transfers, adapted for virtual asset transfers between obliged entities/VASPs in many regimes. Example: “Missing beneficiary information triggered a hold and data request to the counterparty VASP.”
Structuring
Breaking transactions into smaller amounts or patterns to evade reporting/controls, often detected through behavior over time rather than a single transaction size. Example: “Repeated deposits just below a reporting threshold were reviewed as potential structuring.”

AML/CFT Implementation FAQs: CDD Lifecycle, PEPs, Sanctions, Correspondent Banking, and Travel Rule

What does “ongoing CDD” require in practice under FATF-aligned programs?

It means you keep customer information current and continuously assess whether activity matches the customer’s risk profile. Practically, that includes a documented refresh cadence by risk tier and clear trigger events (e.g., ownership changes, new geographies/products, adverse media hits, monitoring anomalies) that force a review and re-rating.

How should PEP risk be handled beyond a one-time screen?

PEP controls are only effective when they connect to actions: enhanced identification/verification, senior management approval (where required by policy/regulation), credible source-of-wealth/source-of-funds corroboration, and increased monitoring intensity. Because PEP status changes, continuous screening and periodic re-assessment are essential.

Is a FATF “grey-list” country the same as a sanctioned country?

No. FATF listing signals strategic AML/CFT deficiencies and typically implies heightened ML/TF risk and the need for stronger controls, not automatic prohibition. Sanctions designations are legal restrictions administered by relevant authorities and can prohibit dealings. Treat grey-list status as a risk factor that drives EDD and monitoring, not as a blanket ban.

When should suspicious activity be escalated for a SAR/STR decision?

Escalate when you observe activity inconsistent with the customer’s profile, attempts to obscure ownership or flow of funds, or typologies such as structuring, rapid movement across accounts, or unexplained third-party involvement. The escalation package should separate facts (who/what/when/where) from analysis (why it’s suspicious) and document what you asked the business/customer and what was (not) resolved. For more pattern-focused practice, use the Terrorist Financing Red Flags Quiz.

How do virtual assets change CDD and monitoring expectations?

Virtual asset activity should be reflected in your risk assessment and monitoring typologies (mixing services, chain hopping, exposure to high-risk entities, fast in/out). Where Travel Rule obligations apply, you need a process to capture and transmit required originator/beneficiary data, handle missing information, and document counterparty/VASP controls. If your organization is building a broader risk framework, the Banking Compliance Quiz complements this focus by reinforcing risk assessment logic.