ACAMS CCAS Certified Cryptoasset Anti-Financial Crime Specialist Examination Exam Practice Test

In risk-based AML/CFT programs — including those applied to Virtual Asset Service Providers (VASPs) — risk assessment determines the remaining exposure after applying mitigating measures.

Inherent Risk:The natural level of risk before applying any controls, based on factors like customer profile, transaction patterns, and jurisdiction.

Control Effectiveness:The degree to which implemented controls (e.g., CDD, EDD, sanctions screening, blockchain analytics) reduce risk.

Residual Risk:The risk that remains after controls are applied and is the level an organization must either accept, reduce further, or avoid.

The standard formula is:

Inherent Risk – Control Effectiveness = Residual Risk

This equation is emphasized in FATF’s risk-based approach guidance and reinforced in DIFC (DFSA) and ADGM (FSRA) AML rules to ensure ongoing monitoring and governance oversight of remaining risks.

A risk-based approach to customer due diligence requires considering all relevant risk factors including customer profile, the nature and purpose of the account or relationship, geographic risks, transaction patterns, and other relevant factors. This ensures that CDD intensity is commensurate with assessed risk.

Assessing only location (A) or transaction thresholds (B) is insufficient alone. Applying uniform CDD measures (C) contradicts the risk-based approach advocated by FATF and DFSA regulations.

DFSA AML guidance explicitly requires comprehensive risk assessment considering multiple variables to determine appropriate due diligence levels.

EDD is required when dealing with customers or transactions from jurisdictions identified as high-risk for ML/TF. This aligns with FATF Recommendation 19 and local UAE regulations.

Dusting involves sending tiny amounts of crypto to many addresses to later analyze transaction patterns, potentially deanonymizing users — a privacy and AML concern.

The FATF Travel Rule requires Virtual Asset Service Providers to share originator and beneficiary information for virtual asset transfers exceeding a certain threshold. Its purpose is to mitigate ML/TF risks by increasing transparency and enabling authorities to trace the movement of funds across institutions and jurisdictions.

It does not aim to slow transactions (B) or directly enhance CDD (A), although it supports the overall AML framework including CDD.

This rule is a cornerstone of FATF’s efforts to regulate virtual asset transfers effectively and is adopted by DFSA and other regulators.

The Board holds ultimate responsibility for policy approval under DFSA and FSRA AML rules, ensuring senior-level oversight.

The ultimate responsibility for risk oversight lies with the Board of Directors. Senior management and the board have the fiduciary and governance duty to ensure that an effective risk management framework, including AML/CFT controls and cryptoasset-specific risks, is in place and functioning properly.

The DFSA GEN Module and AML Module explicitly allocate the highest accountability for compliance and risk oversight to the Board of Directors, while first and second lines support implementation and oversight respectively. The Chief Risk Officer (CRO) supports risk management but the board maintains ultimate accountability.

Key extracts:

GEN Module, Chapter 5: “Responsibility for compliance lies with every member of senior management, with ultimate oversight by the Board.”

AML Module Section 1.2 & 4.1: “Senior management and Board must ensure appropriate systems and controls for AML/CFT risk management.”

FATF Recommendation 2 underscores that senior management and boards are accountable for effective AML governance【GEN/VER64/05-24: Chapter 5; AML/VER25/05-24: Sections 1.2, 4.1】.

Thus,Dis the correct answer.

Private blockchains are controlled by a single organization with full access restrictions. This model is often used for internal record-keeping but lacks the decentralized trust of public chains.

Stablecoins aim to maintain value stability by pegging to assets like fiat currency or commodities. Regulators stress monitoring stablecoin reserve transparency to prevent misuse for layering illicit funds.

Anonymity-enhanced cryptoassets employ specific technical features to obfuscate the details of transactions and the identities of users to reduce traceability and increase privacy. These include:

Automatic mixing (B):This refers to mechanisms such as coin mixers or tumblers that combine multiple transactions from different users into one batch and redistribute them, breaking the direct transaction link and obscuring the audit trail.

Cryptographic enhancements (D):Techniques such as zero-knowledge proofs, ring signatures, stealth addresses, and confidential transactions are cryptographic protocols that conceal sender, receiver, and transaction amount information, making the blockchain ledger less transparent.

Other options explained:

Proof-of-stake mining (A)is a consensus mechanism and not related to anonymity features.

Secure hashing algorithm 256 (C)is a cryptographic hash function standard but does not directly enhance anonymity.

MetaMask wallet (E)is a non-custodial wallet used mainly for Ethereum and tokens but is not an anonymity tool.

References from official crypto AML guidance and typology papers:

DFSA AML Module and thematic reviews highlight these anonymity techniques as high-risk indicators requiring enhanced due diligence (EDD).

UAE typology papers and FATF virtual asset guidance emphasize the risk posed by anonymity-enhanced cryptoassets using automatic mixing and cryptographic enhancements to circumvent AML controls【AML/VER25/05-24: Sections 6.4, 7.3; 31.92._TFS_Typology_Paper_Eng__4.pdf】.

The Travel Rule, part of FATF Recommendation 16, requires VASPs to share sender and recipient information for virtual asset transfers above USD/EUR 1,000. The aim is to enable tracing and detection of illicit funds.

Monero is a privacy-focused blockchain designed with built-in features like ring signatures, stealth addresses, and confidential transactions to obfuscate sender, receiver, and transaction amounts, making tracing difficult.

Cardano, Polygon, and Ethereum are not designed primarily with these privacy features and have publicly traceable ledgers, although privacy solutions may be layered on.

Decentralized exchanges lack a central counterparty responsible for AML compliance, making it difficult to enforce KYC/CDD, monitor transactions, or implement controls. This structural characteristic increases inherent AML risk compared to centralized exchanges, which have accountable operators.

Transaction cost (A), validator nodes (B), or asset types (D) are less impactful in the compliance risk rating.

Red flags include private sharing of NFTs without public trading (A), indicating potential lack of transparency, and new coins with untested protocols controlled by few wallets (C), signaling possible manipulation or fraud.

Tokens endorsed by celebrities with price increases (D) or active social media presence (E) are less directly indicative of fraud but require monitoring. Low social media presence with wide ownership and original whitepapers (B) is typically less suspicious.

Chain hopping involves moving between blockchains to make tracing harder, often exploiting regulatory gaps.

Indirect exposure occurs when funds pass through one or more intermediary wallets before reaching a known illicit destination. This requires enhanced monitoring to capture risks that are not directly linked but are part of the transaction chain.

Machine learning (ML) and artificial intelligence (AI) are applied within compliance frameworks to enhance the efficiency of monitoring and detection processes and to allow skilled compliance resources to focus on higher-value activities such as complex investigations and strategic decision-making. ML/AI tools can process vast amounts of transaction data to identify suspicious patterns faster than manual processes.

They do not reduce the fundamental requirement for risk assessment (A) nor are they intended primarily to reduce headcount (C), but rather to optimize resource allocation.

AML and DFSA guidance emphasize leveraging technology to improve the effectiveness and efficiency of AML controls while maintaining robust risk management.

FATF defines VASPs as entities that conduct one or more of the following activities:

Exchanging one or more forms of virtual assets (B),

Providing financial services related to initial coin offerings (ICOs) (C),

Exchanging virtual assets for fiat currencies or vice versa (D).

Mining operations (A) and software creation (E) are excluded from the VASP definition as they do not involve financial intermediation. Initial public offerings (IPOs) (F) pertain to traditional securities and are outside the scope of VASP activities.

This definition aligns with FATF Recommendation 15 and DFSA regulatory frameworks.

Fuzzy matches require further review to confirm whether the match is a true hit or a false positive, ensuring compliance accuracy.

To effectively mitigate money laundering risks in the virtual asset sector, countries must ensure that Virtual Asset Service Providers (VASPs) are subject to AML regulations (B), which provide the legal framework for risk-based customer due diligence and reporting suspicious activities. Additionally, VASPs must maintain effective monitoring systems (C) that enable the detection and reporting of suspicious transactions.

While connection to regulated financial institutions (A) and beneficial ownership evaluation (E) are important components of AML frameworks, the foundational requirements per FATF and DFSA guidance focus on regulatory oversight and operational controls.

Jurisdictional regulatory expectations (D) influence enforcement but do not replace the need for direct AML regulatory application on VASPs.

Enhanced international cooperation in VA crime investigations is most effective when jurisdictions designate and empower Financial Intelligence Units (FIUs) that can share intelligence, coordinate cross-border investigations, and liaise with counterparts internationally.

While FATF membership (A) facilitates cooperation, the operational hub for investigations is the FIU. Establishing new agencies (B) or smart contracts for sharing (C) are not established or effective methods.

DFSA guidance and FATF recommendations stress the central role of FIUs in enhancing cooperation and intelligence sharing for AML/CFT, including virtual assets.

Misconfigured or poorly designed smart contracts can enable rug pull scams, where developers create fraudulent decentralized finance (DeFi) projects or tokens and then withdraw liquidity or funds abruptly, leaving investors with worthless assets.

Phishing (A) and SIM attacks (B) relate to social engineering and telecom fraud, respectively, and ransomware (D) is malware demanding payment. Rug pulls specifically exploit smart contract vulnerabilities.

The DFSA and AML thematic reviews on crypto highlight rug pull scams as a key operational and financial crime risk linked to smart contract vulnerabilities.

Sharing of the same IP address by multiple customers during onboarding can indicate potential fraud, identity manipulation, or collusion, and should be flagged for further investigation. This can be a sign of synthetic identities or multiple accounts controlled by the same person.

Receipt of law enforcement requests (A) usually occurs post-onboarding, while the location (B) or use of foreign IDs (C) is not inherently suspicious.

The main red flag is the customer’s failure to cooperate with requests to provide information on the origin of funds, which undermines transparency and raises suspicion regarding the legitimacy of the funds.

While an unconnected IP address (D) is suspicious, non-cooperation (C) is a stronger indicator of potential money laundering.

A 51% attack refers to a situation where a single miner or group controls more than 50% of the blockchain network’s computational (hashing) power. This majority control allows them to manipulate the blockchain ledger by double-spending or blocking transactions.

This term is widely recognized in blockchain security contexts and is referenced in typology papers on crypto financial crime risks, including those issued by UAE authorities and FATF.

Supporting extracts:

DFSA AML thematic reviews mention the risk of manipulation and double spending in blockchains susceptible to 51% attacks.

Typology reports on cryptoasset risks highlight computational power concentration as a core vulnerability.

“51% refers to the percentage of total mining power or computational power in the network” is the standard definition across crypto AML/CFT frameworks【31.92._TFS_Typology_Paper_Eng__4.pdf; AMLCFT_Guidance_for_FIs.pdf】.

Thus,Cis correct.

In the context of AML/CFT frameworks for cryptoassets, the investigation of transaction histories involves blockchain analysis tools to trace the flow of funds to and from crypto addresses. Specifically, it is essential to assess whether the addresses involved have had prior exposure to illicit activities such as known darknet marketplaces, ransomware payments, or sanctioned entities. This form of "address screening" helps identify potentially tainted cryptoassets.

The DFSA AML Module and associated guidance emphasize that transaction monitoring for cryptoassets requires analyzing the provenance of funds, not just ownership. While identifying the owner is part of customer due diligence (CDD), the transactional exposure itself reveals laundering risks embedded in the chain of transfers.

Extract from DFSA AML Module and COB Module on Crypto Business Rules:

"Transaction monitoring systems must include blockchain analysis to detect suspicious activity related to crypto tokens, including tracing transactions against known illicit sources."

"Enhanced due diligence (EDD) is required when a cryptoasset transaction involves addresses or wallets with a history of illicit activity."

"Risk-based approaches must integrate forensic review of transaction histories to assess financial crime risks in crypto asset transfers"【AML/VER25/05-24: Sections 6.3, 7.3, 13.3; COB/VER45/05-24: Sections 6.13, 15】.

Therefore, assessing the receiving exposure of cryptoasset addresses to illicit activity (Option C) is the most direct and effective method to detect laundering.

SARs should include detailed transactional information to support investigations, including all types and aggregate amounts of cryptocurrencies purchased, along with fiat currency equivalents. This information provides a clear picture of the subject’s activity and financial scale.

Owner names of destination wallets (B) may not be available; onboarding info (D) is supplementary, and fiat aggregate totals (C) alone are insufficient.

FATF and DFSA guidance recommend comprehensive transactional data inclusion in SARs to facilitate law enforcement.

Red flags related to anonymity include transactions where virtual assets are cashed out at exchanges from peer-to-peer hosted wallets with no clear business rationale. Such behavior indicates attempts to obscure the origin or destination of funds, characteristic of laundering activities.

Executing high-value transactions after inactivity (A) or frequent transfers to known VASPs (C) may be suspicious but are less directly linked to anonymity. Exchanging at a loss (D) is a different type of red flag.

FATF’s red flag indicators list (2021) highlights (B) as a key sign of anonymity-related risk.

The risk-based approach requires tailoring AML/CFT controls to the level of assessed risk, enhancing due diligence for higher-risk customers.

National risk assessments conducted across various jurisdictions consistently report that money laundering risks related to cryptoasset activities are rising. The growing adoption, complexity, and use of cryptoassets for illicit purposes contribute to elevated risk levels.

While geography (B), awareness (C), and digital banking adoption (D) can influence risk factors, the overarching trend is an increase in ML risks tied to cryptoassets.

This conclusion is supported by FATF’s global guidance and numerous national risk assessment reports reviewed by the DFSA and related authorities