ACAMS CCAS practice test

Certified Cryptoasset Anti-Financial Crime Specialist Examination

Last exam update: Nov 18, 2025
Page 1 out of 7. Viewing questions 1-15 out of 100

Question 1

How should an investigator use transaction history to determine whether cryptoassets were
previously involved in money laundering?

  • A. Assess the identity of the cryptoasset owner.
  • B. Assess other assets held by the cryptoasset owner.
  • C. Assess the cryptoasset addresses' receiving exposure to illicit activity.
  • D. Assess the jurisdiction where the transactions took place.
Answer:

C


Explanation:
In the context of AML/CFT frameworks for cryptoassets, the investigation of transaction histories
involves blockchain analysis tools to trace the flow of funds to and from crypto addresses.
Specifically, it is essential to assess whether the addresses involved have had prior exposure to illicit
activities such as known darknet marketplaces, ransomware payments, or sanctioned entities. This
form of "address screening" helps identify potentially tainted cryptoassets.
The DFSA AML Module and associated guidance emphasize that transaction monitoring for
cryptoassets requires analyzing the provenance of funds, not just ownership. While identifying the
owner is part of customer due diligence (CDD), the transactional exposure itself reveals laundering
risks embedded in the chain of transfers.
Extract from DFSA AML Module and COB Module on Crypto Business Rules:
"Transaction monitoring systems must include blockchain analysis to detect suspicious activity
related to crypto tokens, including tracing transactions against known illicit sources."
"Enhanced due diligence (EDD) is required when a cryptoasset transaction involves addresses or
wallets with a history of illicit activity."
"Risk-based approaches must integrate forensic review of transaction histories to assess financial
crime risks in crypto asset transfers."
AML/VER25/05-24: Sections 6.3, 7.3, 13.3; COB/VER45/05-24: Sections 6.13, 15.

Therefore, assessing the receiving exposure of cryptoasset addresses to illicit activity (Option C) is
the most direct and effective method to detect laundering.


Question 2

A compliance officer at an exchange who is conducting an annual risk assessment identifies an
increased volume of transactions to and from unhosted wallets. Based on Financial Action Task Force
guidance, which inherent risk rating would be most appropriate for the compliance officer to assign
to such activities?

  • A. Negligible
  • B. Low
  • C. Moderate
  • D. High
Answer:

D


Explanation:
The Financial Action Task Force (FATF) guidance on Virtual Assets and Virtual Asset Service Providers
(VASPs) explicitly highlights that transactions involving unhosted wallets (wallets not held or
controlled by a regulated entity) pose a high inherent risk for money laundering and terrorist
financing. This is because unhosted wallets are more difficult to monitor and control, lack identifiable
customer information, and are often exploited for illicit activities.
The DFSA AML Module, aligned with FATF recommendations, mandates that Relevant Persons
incorporate this risk into their business-wide risk assessments. The increased volume of transactions
to and from unhosted wallets should therefore be assigned a high inherent risk rating to trigger
enhanced controls such as enhanced due diligence (EDD) and transaction monitoring.
Supporting extracts include:
FATF Guidance on Virtual Assets (October 2021) states: "Unhosted wallets or transactions with them
represent a high risk of ML/TF due to limited or no access to identifying information."
DFSA AML Module (AML/VER25/05-24) Section 4.1 & 6.1 on Risk-Based Approach: mandates firms to
assess and rate risks posed by customers and products, explicitly including virtual assets and
unhosted wallets as high risk.
COB Module also requires heightened controls and disclosures when dealing with transactions
involving unhosted wallets.
AML/VER25/05-24: Sections 4.1, 6.1, COB/VER45/05-24: Sections 6.13, 15.6.

Thus, option D (High) is the correct risk rating.


Question 3

Which features are used by anonymity-enhanced cryptoassets to reduce transparency of transactions
and identities? (Select Two.)

  • A. Proof-of-stake mining
  • B. Automatic mixing
  • C. Secure hashing algorithm 256
  • D. Cryptographic enhancements
  • E. MetaMask wallet
Answer:

B, D


Explanation:
Anonymity-enhanced cryptoassets employ specific technical features to obfuscate the details of
transactions and the identities of users to reduce traceability and increase privacy. These include:
Automatic mixing (B): This refers to mechanisms such as coin mixers or tumblers that combine
multiple transactions from different users into one batch and redistribute them, breaking the direct
transaction link and obscuring the audit trail.
Cryptographic enhancements (D): Techniques such as zero-knowledge proofs, ring signatures, stealth
addresses, and confidential transactions are cryptographic protocols that conceal sender, receiver,
and transaction amount information, making the blockchain ledger less transparent.
Other options explained:
Proof-of-stake mining (A) is a consensus mechanism and not related to anonymity features.
Secure hashing algorithm 256 (C) is a cryptographic hash function standard but does not directly
enhance anonymity.
MetaMask wallet (E) is a non-custodial wallet used mainly for Ethereum and tokens but is not an
anonymity tool.
Reference from official crypto AML guidance and typology papers:
DFSA AML Module and thematic reviews highlight these anonymity techniques as high-risk indicators
requiring enhanced due diligence (EDD).
UAE typology papers and FATF virtual asset guidance emphasize the risk posed by
anonymity-enhanced cryptoassets using automatic mixing and cryptographic enhancements to
circumvent AML controls.
AML/VER25/05-24: Sections 6.4, 7.3; 31.92._TFS_Typology_Paper_Eng__4.pdf.



Question 4

What is indirect exposure with regard to blockchain analytics transaction monitoring?

  • A. The cryptoassets are absolutely linked to a specific user and identity on the blockchain.
  • B. The cryptoassets have a connection to risky activity via another crypto address or addresses.
  • C. The cryptoassets went through a mixing protocol to conceal source of funds.
  • D. The fiat currency is not immediately linked to a known bank account.
Answer:

B


Explanation:
Indirect exposure refers to a situation where cryptoassets are not directly associated with illicit
activity but have transactional links through other addresses that are associated with risky or illicit
behavior. Blockchain analytics tools detect these indirect links to flagged addresses, allowing firms to
assess risk based on network connections rather than direct ownership or activity.
The DFSA AML guidance and international FATF Virtual Assets guidance explain that indirect exposure
is a critical concept for transaction monitoring as it broadens the detection scope beyond direct
transactions, flagging assets that might be “tainted” through intermediary addresses.
Reference:
FATF Guidance on Virtual Assets and VASPs emphasizes monitoring both direct and indirect exposure
of wallets to illicit activity.
DFSA AML Module Section 13 on Suspicious Activity Reports requires firms to incorporate indirect
exposure assessments in their monitoring systems.
AML/VER25/05-24: Sections 4.1, 6.3, 13.3; FATF VA Guidance 2021.

Therefore, B is the correct definition.


Question 5

Which level of an organization is ultimately responsible for risk oversight?

  • A. 1st line compliance team
  • B. 2nd line compliance team
  • C. Chief risk officer
  • D. Board of directors
Answer:

D


Explanation:
The ultimate responsibility for risk oversight lies with the Board of Directors. Senior management
and the board have the fiduciary and governance duty to ensure that an effective risk management
framework, including AML/CFT controls and cryptoasset-specific risks, is in place and functioning
properly.
The DFSA GEN Module and AML Module explicitly allocate the highest accountability for compliance
and risk oversight to the Board of Directors, while first and second lines support implementation and
oversight respectively. The Chief Risk Officer (CRO) supports risk management but the board
maintains ultimate accountability.
Key extracts:
GEN Module, Chapter 5: “Responsibility for compliance lies with every member of senior
management, with ultimate oversight by the Board.”
AML Module Section 1.2 & 4.1: “Senior management and Board must ensure appropriate systems
and controls for AML/CFT risk management.”
FATF Recommendation 2 underscores that senior management and boards are accountable for
effective AML governance.
GEN/VER64/05-24: Chapter 5; AML/VER25/05-24: Sections 1.2, 4.1.


Thus, D is the correct answer.


Question 6

Which is the first action a virtual asset service provider (VASP) should take when it finds out that its
customers are engaging in virtual asset (VA) transfers related to unhosted wallets and peer-to-peer
(P2P) transactions?

  • A. Allow VA transfers related to P2P or unhosted wallets below 1,000 USD or the equivalent amount in local currency, or per defined thresholds in local regulations.
  • B. Freeze accounts with records of transactions related to P2P transactions or unhosted wallets.
  • C. Collect and assess the data on transactions related to P2P or unhosted wallets to determine if it is within its risk appetite.
  • D. Enhance existing risk-based control framework to account for specific risks posed by transactions related to P2P or unhosted wallets.
Answer:

C


Explanation:
Upon identifying customer engagement with unhosted wallets or P2P transfers, the first step a VASP
should take is to collect and assess data on such transactions. This assessment helps determine if
these activities fall within the firm's risk appetite and what enhanced controls or actions may be
needed.
Immediate account freezing (B) is not the first step without assessment; neither is allowing transfers
(A) without risk consideration. Enhancing risk frameworks (D) is important but follows from an initial
data-driven risk assessment.
Relevant guidance:
FATF Recommendations and DFSA AML Module require VASPs to maintain a risk-based approach that
begins with data collection and risk assessment on unhosted wallet transactions.
The DFSA’s 2023 Dear MLRO letters and thematic reviews stress proportionality and evidence-based
responses rather than immediate punitive measures.
Enhanced due diligence (EDD) and risk mitigation measures, including potentially freezing accounts,
come after assessment of the risk level.
AML/VER25/05-24: Sections 4.1, 6.4, 13; 20230406Dear_MLRO_Letter_re_IEMS.pdf.

Hence, C is the appropriate first action.


Question 7

In a blockchain 51% attack, what does 51% refer to?

  • A. Governance tokens
  • B. Wallets
  • C. Computational power required for mining
  • D. Exchanges
Answer:

C


Explanation:
A 51% attack refers to a situation where a single miner or group controls more than 50% of the
blockchain network’s computational (hashing) power. This majority control allows them to
manipulate the blockchain ledger by double-spending or blocking transactions.
This term is widely recognized in blockchain security contexts and is referenced in typology papers on
crypto financial crime risks, including those issued by UAE authorities and FATF.
Supporting extracts:
DFSA AML thematic reviews mention the risk of manipulation and double spending in blockchains
susceptible to 51% attacks.
Typology reports on cryptoasset risks highlight computational power concentration as a core
vulnerability.
“51% refers to the percentage of total mining power or computational power in the network” is the
standard definition across crypto AML/CFT frameworks.
31.92._TFS_Typology_Paper_Eng__4.pdf; AMLCFT_Guidance_for_FIs.pdf.

Thus, C is correct.


Question 8

How does law enforcement use Suspicious Activity Reports (SARs)? (Select Two.)

  • A. To identify regulatory failings
  • B. To produce evidence of money laundering that can be used in court
  • C. To develop intelligence on new targets
  • D. To confirm or develop information on existing targets
Answer:

C, D


Explanation:
Suspicious Activity Reports (SARs) are a critical tool for law enforcement agencies. They are primarily
used to develop intelligence on potential new criminal targets and to confirm or expand information
about existing investigations. SARs do not serve as direct evidence of money laundering in court but
provide leads and context that enable law enforcement to build cases.
The DFSA’s thematic reviews and AML guidance clarify that SARs assist in identifying emerging crime
patterns and help intelligence units track suspicious transactions over time. They also allow law
enforcement to corroborate data from other sources.
SARs help:
Develop intelligence on new targets (C) by revealing previously unknown suspicious behavior.
Confirm or develop information on existing targets (D) by adding transactional data and context.
Identifying regulatory failings (A) is primarily a supervisory function, and SARs themselves are not
evidence for prosecution (B) but intelligence inputs.
Therefore, options C and D are correct.


Question 9

Based on Financial Action Task Force guidance, when a cryptoasset exchange carries out an
occasional transaction, the exchange is required to conduct CDD when the transaction is above:

  • A. USD/EUR 1000.
  • B. USD/EUR 5000.
  • C. USD/EUR 10000.
  • D. USD/EUR 15000.
Answer:

C


Explanation:
FATF guidance sets the threshold for Customer Due Diligence (CDD) on occasional transactions at
USD/EUR 10,000 or equivalent. This means that when a cryptoasset exchange processes a one-off
transaction exceeding this amount, it must apply appropriate CDD measures.
This aligns with FATF Recommendation 10 and is adopted by DFSA and FSRA frameworks governing
virtual asset service providers, ensuring transactions over this limit are subject to identity verification
and risk assessment.
Extracts from AML and COB modules emphasize this threshold as the trigger for CDD on occasional
transactions to prevent laundering through high-value single transfers.


Question 10

In considering particular virtual asset products, services, or activities, which features should be
considered by management?

  • A. Ability for other virtual asset service providers (VASPs) to utilize the service to provide services to their own customers.
  • B. Ability to mingle funds within wider pools.
  • C. Regulatory expectations.
  • D. Transaction volumes.
Answer:

A, B, C, D


Explanation:
Management must consider a comprehensive set of features when evaluating virtual asset products
and services, including:
Ability for other VASPs to utilize the service (A): This increases risk exposure as services may be used
indirectly by unknown parties.
Ability to mingle funds within wider pools (B): Mixing services or pooled wallets increase anonymity
and laundering risk.
Regulatory expectations (C): Management must ensure compliance with all applicable laws and
guidelines.
Transaction volumes (D): High transaction volumes can increase operational risk and require
enhanced monitoring.
The DFSA AML and COB Modules, as well as FATF guidance, stress that a risk-based approach requires
consideration of all these features in product/service risk assessments.


Question 11

An analyst at a virtual asset service provider (VASP) that white-labels its exchange solution to other
cross-border VASPs is developing a VASP onboarding procedure. Under Financial Action Task Force
Recommendation 13, which CDD practices should be applied to such relationships? (Select Three.)

  • A. Obtain approval from the local supervisory authority
  • B. Assess the profitability of the VASP relationship
  • C. Assess the nature and purpose of the VASP relationship
  • D. Obtain approval from senior management
  • E. Assess the VASP’s supervision and if a license/registration is needed
Answer:

C, D, E


Explanation:
FATF Recommendation 13 (Correspondent Banking and Similar Relationships) and its application to
VASP–VASP relationships require enhanced due diligence before onboarding. This is because such
arrangements carry elevated ML/TF risk, especially in cross-border settings.
Required CDD practices include:
Assess the nature and purpose of the VASP relationship (C): Understand why the relationship is being
established and the expected services/products.
Obtain approval from senior management (D): Senior management oversight ensures risk is accepted
at the appropriate governance level.
Assess the VASP’s supervision and if a license/registration is needed (E): Confirm regulatory
oversight, licensing, and compliance with AML/CFT obligations.
Options A and B are not core FATF requirements for CDD in this context — local authority approval
may be a domestic regulatory requirement in some countries, but not a FATF baseline, and
profitability assessment is a business decision, not an AML measure.


Question 12

A compliance officer is conducting a customer risk review. Which statements represent the highest
level of customer risk? (Select Two.)

  • A. A customer who uses a virtual private network (VPN) connection to access the customer's account
  • B. A student customer depositing 15,000 USD over a period of a month, using the funds to purchase cryptoassets that are sent to another virtual asset service provider
  • C. A business customer opting to pay suppliers in cryptoassets
  • D. A customer receiving cryptoassets daily from another virtual asset service provider located in a foreign jurisdiction which are then sent to a private wallet
  • E. A customer located in a foreign country donating 10,000 USD worth of cryptoassets to a charity for veterans in the US
Answer:

B, D


Explanation:
When determining highest-risk customers under a risk-based approach, firms must consider
transaction patterns, jurisdictions, counterparties, and destinations:
B: Large deposits by a student, rapidly converting to crypto and sending to another VASP, suggest
potential layering and third-party funding risk.
D: Daily inbound transfers from a foreign VASP to a private (unhosted) wallet indicate consistent
high-risk exposure — especially cross-border transactions involving unregulated or weakly regulated
jurisdictions.
While VPN use (A) can be a red flag, on its own it is lower risk than significant suspicious fund flows.
Paying suppliers in crypto (C) can be legitimate for businesses. A large donation to a charity (E) could
be flagged depending on jurisdiction and cause, but is generally less inherently suspicious than B and
D unless linked to high-risk entities.
FATF, DFSA, and FSRA AML rules stress that ongoing monitoring should identify these high-frequency,
high-value, cross-border crypto flows as priority for Enhanced Due Diligence (EDD) and possible
Suspicious Transaction Reports (STRs).


Question 13

Which token type should be considered as carrying the highest risk when assessing the AML risks
related to the customer's source of funds?

  • A. Privacy
  • B. Stablecoin
  • C. Platform
  • D. Security
Answer:

A


Explanation:
Privacy tokens are specifically designed to obfuscate transaction details such as sender, recipient,
and amounts, making them inherently high risk for money laundering and terrorist financing. Their
anonymity-enhanced features pose significant challenges to AML efforts.
Stablecoins (B), platform tokens (C), and security tokens (D) have varying risk profiles but generally
provide more transparency or are subject to regulatory frameworks, reducing inherent AML risk
compared to privacy tokens.
FATF and DFSA AML frameworks highlight privacy tokens as a priority for enhanced due diligence and
risk mitigation due to their abuse potential.


Question 14

A compliance officer is assigned a group of customers. Which action should the officer take to
determine the appropriate level of customer due diligence to apply to each customer?

  • A. Assess only the money laundering risks posed by customer location
  • B. Examine what threshold for occasional transactions can be set for each customer.
  • C. Implement the same CDD measures for each customer.
  • D. Take into account all risk variables such as the purpose of the account or relationship
Answer:

D


Explanation:
A risk-based approach to customer due diligence requires considering all relevant risk factors
including customer profile, the nature and purpose of the account or relationship, geographic risks,
transaction patterns, and other relevant factors. This ensures that CDD intensity is commensurate
with assessed risk.
Assessing only location (A) or transaction thresholds (B) is insufficient alone. Applying uniform CDD
measures (C) contradicts the risk-based approach advocated by FATF and DFSA regulations.
DFSA AML guidance explicitly requires comprehensive risk assessment considering multiple variables
to determine appropriate due diligence levels.


Question 15

According to the Financial Action Task Force's (FATF's) definition of virtual asset service provider
(VASP), for which activity is an entity required to be licensed or registered as a VASP in the
jurisdiction(s) where they are created?

  • A. Cryptocurrency mining operations
  • B. Safekeeping and/or administration of virtual assets and exchange between one or more forms of virtual assets
  • C. Operating blockchain nodes
  • D. Virtual money service businesses
Answer:

B


Explanation:
FATF defines VASPs as entities that conduct certain specified activities involving virtual assets.
Licensing or registration as a VASP is required primarily for entities engaged in activities such as
safekeeping and/or administration of virtual assets or conducting exchanges between one or more
forms of virtual assets.
Cryptocurrency mining operations (A) and operating blockchain nodes (C) are generally excluded
from the VASP definition because they do not involve handling customer funds or providing financial
services. Virtual money service businesses (D) is a broader term that may include VASPs but not all
such businesses fall under VASP regulations unless they meet the activity criteria.
This aligns with the DFSA AML Module and FATF Recommendation 15, which regulate entities
providing virtual asset custody or exchange services to customers and require them to be licensed or
registered.
