Free Practice Questions for ACAMS CCAS Exam

In risk-based AML/CFT programs — including those applied to Virtual Asset Service Providers (VASPs) — risk assessment determines the remaining exposure after applying mitigating measures.

Inherent Risk:The natural level of risk before applying any controls, based on factors like customer profile, transaction patterns, and jurisdiction.

Control Effectiveness:The degree to which implemented controls (e.g., CDD, EDD, sanctions screening, blockchain analytics) reduce risk.

Residual Risk:The risk that remains after controls are applied and is the level an organization must either accept, reduce further, or avoid.

The standard formula is:

Inherent Risk – Control Effectiveness = Residual Risk

This equation is emphasized in FATF’s risk-based approach guidance and reinforced in DIFC (DFSA) and ADGM (FSRA) AML rules to ensure ongoing monitoring and governance oversight of remaining risks.

Effective risk mitigation requires VASPs to obtain sufficient information about counterpart VASPs to assess the quality of their regulatory supervision and controls. This helps determine the risk of transactions and build a risk-based framework for correspondent relationships.

Having no requirements (A) or engaging with poorly regulated jurisdictions (B) increases risk. Blanket high-risk classification (C) without proper assessment is inefficient.

FATF Recommendation 15 and DFSA guidance emphasize due diligence on counterparties as a critical control.

Ethereum uses an account-based ledger model where balances are maintained per account, similar to bank accounts, and transactions update balances directly. This differs from Bitcoin, Litecoin, and Monero, which use the UTXO (Unspent Transaction Output) model.

Understanding ledger models is important for AML transaction monitoring and blockchain analytics, as account-based systems enable different tracking and risk assessment approaches.

The primary purpose of a security audit for smart contracts is to protect investors’ funds by identifying vulnerabilities, coding errors, and weaknesses in the smart contract or underlying protocol that could be exploited. This proactive approach helps prevent hacks, exploits, and financial loss.

While performance issues (B) may be noted, the critical concern is security. Identifying bad actors (C) is not within the scope of a code audit but is a broader operational issue. Copyright concerns (A) are unrelated.

AML and crypto governance frameworks underline the importance of security audits to mitigate operational risks in DeFi and other smart contract-based applications.

Unhosted wallets are self-custody wallets controlled directly by the user without third-party oversight, posing higher anonymity and AML risks.

The risk-based approach requires tailoring AML/CFT controls to the level of assessed risk, enhancing due diligence for higher-risk customers.

Hash immutability means that altering any transaction would require changing all subsequent blocks and achieving majority consensus. This security property underpins blockchain integrity and forensic traceability, crucial in AML investigations.

The main red flag is the customer’s failure to cooperate with requests to provide information on the origin of funds, which undermines transparency and raises suspicion regarding the legitimacy of the funds.

While an unconnected IP address (D) is suspicious, non-cooperation (C) is a stronger indicator of potential money laundering.

Public blockchain data is pseudonymous, meaning wallet addresses alone do not reveal the owner’s identity. To identify the natural person controlling the wallet, the VASP must acquire additional information, typically through customer due diligence (CDD) processes or data obtained from exchanges and counterparties, linking the wallet address to an individual.

Periodic review (A), transaction screening (C), and obtaining transactional data (D) support ongoing monitoring but do not alone establish identity.

AML and FATF guidance emphasize that ownership linkage requires collecting identifying information beyond blockchain data to comply with AML regulations.

Criminals often move cryptoassets through multiple intermediary wallets (many “hops”) rapidly to obfuscate the transaction trail and avoid clustering, which blockchain analytics use to link related addresses.

Simply receiving large amounts (A), holding assets (B), or splitting movements (D) are less effective at preventing clustering.