Banking Compliance & Risk Management Quiz: Test Your Regulatory Knowledge
Disclaimer
This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.
Regulatory-Grade Misses in Banking Compliance: Where Programs Fail in Execution
Most incorrect answers (and real-world findings) come from treating compliance requirements as documentation exercises instead of time-bound, evidencable controls. The mistakes below map directly to common exam, audit, and issue-management failures.
1) Confusing “policy exists” with “control works”
- What goes wrong: A BSA/AML or UDAAP policy is current, but there is no reliable evidence of execution (e.g., incomplete alert disposition logs, missing QA results, no independent validation artifacts).
- How to avoid it: Tie each requirement to an owner, an SLA, and a repeatable evidence set (case notes, approvals, QA sampling results, change tickets, and remediation validation).
2) Misapplying CTR vs. SAR decision logic in frontline escalations
- What goes wrong: Staff anchor on the CTR threshold and stop analyzing pattern + intent, missing structuring indicators or failing to escalate unusual activity.
- How to avoid it: Train and QA for narratives that address who/what/why-now, include comparable historical behavior, and document the escalation rationale and timing.
3) Letting transaction monitoring drift from the risk profile
- What goes wrong: Scenarios/thresholds aren’t tuned for new products (RTP, P2P, fintech partnerships), new customer segments, or new geographies—creating false negatives and alert fatigue.
- How to avoid it: Maintain governance for tuning, back-testing, and independent challenge; require documented approvals and post-change performance checks.
4) Underestimating fair lending risk in “exceptions,” discretion, and overrides
- What goes wrong: Relationship pricing, manual underwriting exceptions, and fee waivers are applied inconsistently, creating disparate treatment risk even when the written policy looks neutral.
- How to avoid it: Enforce second-level approvals, standardized reason codes, and outcome testing that focuses on exception clusters and decision-maker patterns.
5) Treating UDAAP as a disclosure check instead of a consumer-harm analysis
- What goes wrong: Dense terms are used to “cure” misleading marketing or fees consumers can’t reasonably avoid; complaint themes are ignored.
- How to avoid it: Review net impression, key screens/scripts, consumer journey friction points, and complaint drivers before launch and after changes.
6) Blurring the three lines of defense
- What goes wrong: Compliance/risk builds the business process, or audit performs continuous monitoring; independence erodes and issues stagnate.
- How to avoid it: Keep ownership with the first line, challenge with the second, and independent assurance with audit—supported by clear escalation and board-level reporting.
Real-World Decision Drills: SAR Escalation, Fair Lending Exceptions, and UDAAP Controls
Use each prompt to practice the same judgment calls the quiz targets. For every scenario, state: (1) required action, (2) evidence to retain, and (3) escalation path (first line → compliance/risk → audit/board as applicable).
BSA/AML and suspicious activity controls
- Structuring pattern with multiple channels: A business customer makes repeated cash deposits just under $10,000 across two branches and an ATM over eight days, with no change in stated business activity. Decide whether this is “normal cash management” or unusual activity requiring escalation, and what pattern evidence you would preserve.
- Alert backlog vs. filing timelines: Transaction monitoring alerts are 18 days behind due to staffing. Determine what immediate governance actions are required (triage, staffing, scope review), and how you document risk acceptance (or refusal) while restoring SLA performance.
- Correspondent/foreign risk spike: A long-tenured customer begins sending frequent wires to a higher-risk jurisdiction through a new beneficiary, with memo fields that don’t match the customer profile. Identify what enhanced due diligence you would trigger, when you escalate, and how you document your “why now” rationale.
- SAR confidentiality test: A relationship manager asks if an account is “under SAR” because the customer is complaining about holds and account closures. Decide what you can and cannot disclose, and what internal steps you take to protect confidentiality while managing the customer interaction.
Fair lending (ECOA/FHA) operational decisions
- Discretionary pricing exception: A mortgage LO requests a rate concession for a “VIP” customer, citing relationship value, but provides no standard documentation. Decide what approvals and reason codes are required and what testing you expect compliance to perform on similar exceptions.
- Adverse action specificity: An underwriting team uses broad reasons (“insufficient creditworthiness”) in adverse action notices to reduce operational effort. Determine what must change in the reason coding and controls so notices are accurate, consistent, and supported by underwriting documentation.
UDAAP and consumer-harm control decisions
- “No-fee” marketing vs. conditional fees: A digital account is marketed as “no monthly fee,” but customers incur a maintenance fee unless they meet a deposit requirement that is only disclosed late in the flow. Decide what constitutes the net impression risk and what pre-launch evidence (screenshots, scripts, legal/compliance sign-off) you require.
- Complaints as a control input: Complaints rise after a fee change, but the business argues fees were disclosed and therefore “compliant.” Decide what UDAAP analysis you perform (avoidable harm, consumer understanding, operational friction), and what remediation and monitoring you require post-change.
Primary Source Library: FFIEC, FinCEN, CFPB, and HUD References
- FFIEC BSA/AML Examination Manual — Core examiner expectations for BSA/AML programs, risk assessments, monitoring, SAR/CTR controls, and governance. ([bsaaml.ffiec.gov](https://bsaaml.ffiec.gov/manual?utm_source=openai))
- FinCEN: Educational Pamphlet on the Currency Transaction Reporting (CTR) Requirement — Practical CTR overview you can use to align frontline guidance and customer-facing explanations. ([fincen.gov](https://www.fincen.gov/fincen-educational-pamphlet-currency-transaction-reporting-requirement?utm_source=openai))
- CFPB: UDAAP Examination Procedures — How CFPB frames unfairness, deception, and abusiveness in exams, including risk areas and control expectations. ([consumerfinance.gov](https://www.consumerfinance.gov/compliance/supervision-examinations/unfair-deceptive-or-abusive-acts-or-practices-udaaps-examination-procedures/?utm_source=openai))
- CFPB: 12 CFR Part 1002 (Regulation B) — ECOA’s implementing regulation with official interpretations and commentary useful for adverse action and underwriting/pricing controls. ([consumerfinance.gov](https://www.consumerfinance.gov/rules-policy/regulations/1002/?utm_source=openai))
- HUD: Fair Housing Act (as amended) PDF — Statutory text and definitions that anchor prohibited-basis and housing-related credit compliance analyses. ([hud.gov](https://www.hud.gov/sites/dfiles/FHEO/documents/fairhousingact.pdf?utm_source=openai))
Bank Compliance & Risk FAQ: Evidence, Escalation, and Exam-Ready Controls
What do examiners expect to see as evidence for SAR investigations and escalation decisions?
Examiners typically look for a complete decision trail: alert generation date/time, triage rationale, investigative steps performed, supporting data used (transaction history, customer profile, peer comparisons), documented conclusions, and timely approvals/escalations consistent with your procedures. Strong programs also show QA results, management reporting (volumes, aging, outcomes), and documentation of any backlog mitigation and re-testing after tuning changes.
How should a bank operationally separate CTR filing from SAR decisioning?
CTR filing is a reporting obligation tied to currency transaction criteria; SAR decisioning is an unusual activity analysis based on pattern, context, and suspicion. Controls should prevent “CTR threshold anchoring” by requiring escalation when structuring indicators exist (e.g., repeated cash transactions designed to avoid reporting, unusual funneling, inconsistent business explanations). Your procedures should clearly state who owns each step (teller/branch, operations, investigations), what triggers escalation, and how narratives and approvals are documented.
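The structuring drill in the decision drills above and the CTR-vs-SAR separation in this answer, as an added Python example (not code from the page or from any of the cited regulators): the CTR check is a per-day threshold test, while the structuring rule looks at pattern across channels and days. The near-threshold band ($8,000), the 10-day rolling window, the three-event minimum and the deposit records are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000   # cash-in above this amount in one day triggers CTR filing
NEAR_BAND_FLOOR = 8_000  # assumption: "just under threshold" band used by this rule
WINDOW_DAYS = 10         # assumption: rolling window for aggregating deposits
MIN_EVENTS = 3           # assumption: minimum near-threshold deposits to flag

# Constructed sample data: (customer_id, date, channel, cash amount)
DEPOSITS = [
    ("C-1001", date(2024, 3, 1), "branch-A", 9_800),
    ("C-1001", date(2024, 3, 3), "atm-17",   9_500),
    ("C-1001", date(2024, 3, 5), "branch-B", 9_900),
    ("C-1001", date(2024, 3, 8), "branch-A", 9_700),
    ("C-2002", date(2024, 3, 2), "branch-A", 9_900),   # one deposit: no pattern, no anchoring
    ("C-3003", date(2024, 3, 4), "branch-B", 12_500),  # over threshold: CTR, not structuring
]

def ctr_required(deposits):
    """CTR is a reporting obligation: customers whose cash-in exceeds the threshold in a day."""
    daily = defaultdict(int)
    for cust, d, _, amt in deposits:
        daily[(cust, d)] += amt
    return sorted({cust for (cust, _), total in daily.items() if total > CTR_THRESHOLD})

def structuring_indicators(deposits, window_days=WINDOW_DAYS, min_events=MIN_EVENTS):
    """SAR decisioning input: customers whose near-threshold cash deposits inside a
    rolling window aggregate above the threshold; returns the pattern evidence to preserve."""
    by_cust = defaultdict(list)
    for cust, d, ch, amt in deposits:
        if NEAR_BAND_FLOOR <= amt < CTR_THRESHOLD:
            by_cust[cust].append((d, ch, amt))
    findings = {}
    for cust, txns in by_cust.items():
        txns.sort()
        for start, _, _ in txns:
            window = [t for t in txns if start <= t[0] <= start + timedelta(days=window_days)]
            if len(window) >= min_events and sum(t[2] for t in window) >= CTR_THRESHOLD:
                findings[cust] = {
                    "events": [(d.isoformat(), ch, amt) for d, ch, amt in window],
                    "aggregate": sum(t[2] for t in window),
                    "channels": sorted({t[1] for t in window}),
                    "days_spanned": (window[-1][0] - window[0][0]).days + 1,
                }
                break  # first qualifying window is enough to escalate for review
    return findings

if __name__ == "__main__":
    print("CTR filing:", ctr_required(DEPOSITS))
    print("Escalate:", structuring_indicators(DEPOSITS))
```

The findings dictionary is the pattern evidence (dates, channels, amounts, aggregate, span) an investigator would attach to the escalation narrative; the customer with a single near-threshold deposit is deliberately not flagged.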
What makes a pricing or underwriting exception defensible from a fair lending perspective?
A defensible exception is pre-defined, consistently applied, and auditable. That typically means: clear eligibility criteria, standardized reason codes, documented support in the file, and second-level approvals when discretion is used. From a risk-management standpoint, you also need monitoring that looks for exception clustering by channel, decision-maker, branch, and prohibited-basis proxy indicators (where permitted) so you can detect disparate treatment risk early.
When does a fee practice become UDAAP risk even if it’s disclosed in the terms?
Disclosure does not automatically eliminate UDAAP risk. If the net impression of marketing or a digital flow misleads consumers, if a material condition is buried or presented too late, or if consumers cannot reasonably avoid the fee in practice, UDAAP risk can remain. Strong controls include pre-launch reviews of scripts/screens, “most prominent claims” testing, complaint theme analysis, and post-change monitoring that looks for unexpected consumer outcomes (repeat fees, re-presentments, account closures, error rates).
How should the three lines of defense work together on monitoring-model or rules tuning changes?
The first line should own the business process and execution (including change requests and operational rollout). The second line should challenge the design and risk tradeoffs (coverage vs. alert volume) and set minimum control expectations (documentation, approvals, QA). Audit should provide independent assurance that governance, testing, and evidence are working as designed. A common pitfall is letting the second line “build” the monitoring process or letting audit become the day-to-day monitor—both reduce independence.
Which related quizzes are best if I want deeper practice on AML typologies and controls?
For more repetition on alert triage, investigations, and filing logic, use AML Practice Questions - Free Anti-Money Laundering Compliance Quiz. If you need a broader international framing of AML/CFT program expectations and risk-based controls, pair that with AML/CFT Compliance Quiz - FATF Standards Practice Questions.