30 free CySEC Advanced Chapter 7 flashcards. Tap a card to flip, or use the arrow keys to move through the deck.
Card 1 of 30The ML process
1 / 30
Tap the card to flip · use ← → arrow keys to navigate
All 30 cards in this deck
The ML process
What are the three stages of money laundering?
Placement (introducing dirty cash into the financial system), layering (complex transactions to disguise the audit trail), and integration (returning the 'cleaned' funds to the economy as apparently legitimate).
What is 'structuring' as a placement technique?
Breaking a large transaction into several smaller ones, each below the reporting threshold, so they are less likely to attract attention. Done by one person.
What is 'smurfing', and how does it differ from structuring?
Smurfing uses multiple individuals ('smurfs') making multiple deposits into multiple accounts at different institutions. Structuring is done by a single person splitting transactions; smurfing spreads it across many people to further obscure the trail.
Classify: FX purchase with illicit cash, converting cash to monetary instruments, buying real estate.
Purchasing foreign exchange with illegal funds is placement; converting deposited cash into monetary instruments is layering; investing in real estate is integration.
ML vs terrorist financing
How do money laundering and terrorist financing differ in the origin and motivation of funds?
Money laundering always starts with dirty money and is motivated by profit. Terrorist financing can use clean, legitimately obtained funds and is driven by ideology.
How do ML and TF differ in money trail and scale?
ML is circular (funds return to the originator) and typically involves large, structured amounts. TF is linear (funds are spent on attacks and often unrelated to the initiator) and often uses small, unstructured amounts — making it harder to detect.
CDD thresholds
What transaction amount triggers customer due diligence for a standard business?
€15,000 or more, whether in a single operation or in several linked operations.
What are the special CDD thresholds for wire transfers, gambling, and goods traders?
Wire transfers over €1,000; gambling service transactions of €2,000 or more; occasional cash transactions of €10,000 or more for persons trading in goods.
When must CDD be carried out regardless of any threshold?
Whenever there is suspicion of money laundering or terrorist financing, or doubt about the veracity or adequacy of previously obtained customer identification data.
CDD & risk-based approach
What are the four components of customer due diligence?
Identify the customer; identify the beneficial owner; assess the purpose and intended nature of the business relationship; and conduct ongoing monitoring of the relationship, including scrutiny of transactions.
What does the risk-based approach (RBA) to AML mean?
Resources and controls are focused proportionately on the areas of highest ML/TF risk — it is explicitly not a one-size-fits-all approach. The extent of CDD is calibrated to customer, product, transaction and geographic risk.
Which international body's guidelines must be considered, and what are the key risk-assessment factors?
The FATF (Financial Action Task Force). The key risk factors are customer type, geographical area, products/services/transactions, and delivery channels.
Recordkeeping
For how long must client and transaction records be kept?
Five years following the end of the business relationship or the date of an occasional transaction.
Simplified due diligence
What is simplified due diligence (SDD), and is it an exemption?
SDD is applied where the risk is lower. It is NOT an exemption from CDD — the entity may adjust the amount, timing or type of measures, but sufficient ongoing monitoring to detect unusual/suspicious transactions must always continue.
To which customers may SDD apply?
Sufficiently regulated entities (e.g. EEA-listed companies subject to disclosure requirements, other licensed EEA financial institutions), public bodies, and customers resident in lower-risk geographical areas.
Enhanced due diligence
Name situations that trigger mandatory enhanced due diligence (EDD).
High-risk third countries, PEPs, correspondent banking, non-face-to-face customers, bearer/nominee shares, cash-intensive businesses, unusual circumstances, unclear fund destinations, complex ownership structures, and personal asset-holding vehicles.
What EDD measures apply to a politically exposed person (PEP), and to whom do they extend?
Senior management approval to establish/continue the relationship, establishing the source of wealth and funds, and enhanced ongoing monitoring. The measures also extend to the PEP's immediate family members and known close associates.
For how long must PEP measures continue after the person leaves public office?
For at least 12 months after they cease to exercise significant public functions, until they are deemed to pose no further specific PEP risk.
What is required before establishing a cross-border correspondent relationship with a third-country institution?
Senior management approval; gathering sufficient information to understand the respondent's business and reputation; assessing the quality of its AML/CFT controls; and documenting the respective responsibilities of each institution — all before the relationship begins.
When does EDD NOT automatically apply to an entity in a high-risk third country?
Where the entity is a branch or majority-owned subsidiary of an EU-regulated obliged entity and fully complies with EU group-wide AML policies and procedures.
Governance & responsibilities
What are the board of directors' key AML responsibilities?
Approve the risk management and procedures manual; assess and approve the compliance officer's annual report and take remedial action on identified weaknesses; appoint the compliance officer, alternate and assistants; designate a responsible board member; and ensure the compliance officer has full access to data.
What is the compliance officer's status and what documents does the officer produce?
The compliance officer must belong to senior management. The officer prepares the risk management and procedures manual, designs the internal AML policies/procedures/controls, and develops the customer acceptance policy (submitted to the board for approval).
How does the compliance officer handle a suspicious transaction, and who is the external contact?
The officer evaluates the internal report with the informer and their superiors — not every report is filed. If warranted, a report is sent to MOKAS as soon as possible (with a justified decision either way). The compliance officer is the first point of contact with MOKAS.
To whom do employees report a suspected money-laundering transaction?
Internally to the compliance officer — not directly to MOKAS or CySEC. The compliance officer then evaluates and decides whether to file with MOKAS.
How many risk categories must the customer acceptance policy contain at minimum?
At least three: low, normal and high risk. This is a floor — more granular categorisation is permitted.
How often does internal audit review the AML framework, and can compliance and internal audit be combined?
At least annually, reporting findings in writing to the board (then the report and remedial measures go to CySEC). The compliance and internal audit functions cannot be combined — internal audit must independently review compliance.
Sanctions
What is the maximum administrative fine CySEC may impose for AML non-compliance?
Up to €1,000,000, plus €1,000 for each day a breach continues. Where the benefit derived exceeds the cap, the fine may be at least twice the benefit.
What higher penalties apply to credit/financial institutions, and to failing to report a suspicious transaction?
Credit and financial institutions may be fined up to €5,000,000 or 10% of total annual turnover. Failure to make a suspicious transaction report carries a specific fine of €512,580.
Red flags & group scope
Give examples of suspicious-transaction indicators.
A large cash transaction as an initial deposit, a wire transfer from abroad into a newly opened account, an address at a significant distance from the institution, customers who move frequently without reason, and unrelated customers sharing the same address or IP.
Do EU AML obligations extend outside the EEA, and what does the compliance officer submit to CySEC?
Yes — EU AML rules apply to branches and subsidiaries outside the EEA of European companies, and the compliance officer must ensure their compliance. The officer submits a monthly prevention statement and an annual AML report to CySEC.