ACAMS CAMS - Certified Anti-Money Laundering Specialist (CAMS7 the 7th edition)

A risk-based approach is central to AML/CFT programs and includes:

A: Creating detailed risk profiles for customers based on their behaviors and connections.

C: Applying controls that are tailored to the actual risk (not a one-size-fits-all approach).

D: Performing a thorough risk assessment, considering customer, transaction, and geographic factors.

“A risk-based approach involves risk profiling, tailored controls, and comprehensive risk assessment across key risk factors.”

(CAMS 6th Edition, Risk-Based Approach and Risk Assessment)

Incorrect:

B: Monitoring only flagged customers is not sufficient.

E: Equal allocation of resources ignores differing risk levels.

Law firms are classified as gatekeepers under FATF standards when they provide services such as company formation, trust creation, or management of client funds. These services can be misused to facilitate money laundering if proper due diligence is not conducted.

In this scenario, the law firm is establishing complex offshore structures with minimal documentation of source of funds and without questioning suspicious activity. This behavior directly enables the concealment of beneficial ownership and the layering of illicit proceeds, both core money laundering techniques.

Failing to apply scrutiny or report suspicious activity allows criminals to exploit legal services to move and disguise illicit funds under the appearance of legitimacy. This is a recognized vulnerability across multiple FATF typologies.

The behavior described is not merely aggressive tax planning or routine legal work; rather, it represents facilitation of illicit financial flows through professional services.

The FATF conducts mutual evaluations—a peer review process—whereby member countries assess each other’s AML/CFT systems. This includes on-site visits and reviews by international experts, with public reports containing recommendations for improvement. The process is not punitive and does not impose sanctions.

“FATF mutual evaluations are peer reviews in which experts from member countries assess another member's AML/CFT system and provide recommendations.”

(CAMS 6th Edition, International AML/CFT Standards; FATF Methodology, Recommendation 40)

A core requirement of applying a risk-based approach (RBA) in customer due diligence for legal entity clients is the identification and verification of beneficial ownership. FATF standards require financial institutions to take reasonable measures to identify and verify the identity of the natural persons who ultimately own or control a legal entity.

Understanding beneficial ownership is critical because complex corporate structures can be misused to conceal illicit ownership, launder money, or evade sanctions. The depth of verification required depends on the assessed risk level of the customer, with higher-risk entities requiring enhanced due diligence.

Information such as market competition or profitability is not relevant to AML/CFT risk assessment. While open-source information may support due diligence, relying solely on internet or social media sources is insufficient and inconsistent with regulatory expectations.

Therefore, verifying beneficial ownership is the most essential and regulator-mandated CDD measure under a risk-based approach.

Terms of Reference (ToR) are a fundamental governance document that define how a committee operates, makes decisions, and fulfills its responsibilities. Regulatory guidance and corporate governance best practices emphasize clarity and accountability in committee mandates.

The extent of power and decision-making authority must be clearly defined to ensure members understand what decisions they are authorized to make and where escalation is required. This prevents overlaps or governance gaps.

The composition and structure of the committee, including membership criteria and roles, ensures appropriate expertise and representation. This is essential for effective oversight, particularly in AML/CFT and risk committees.

Delegation of authority outlines how responsibilities may be assigned or escalated, supporting efficient decision-making while maintaining accountability.

Organization charts and company culture statements are not typically core components of a ToR, as they do not define operational authority or governance mechanics.