CCAS Certified Cryptoasset Anti-Financial Crime Specialist Examination Questions and Answers

Ransomware schemes are categorized as cyber-enabled financial crimes. AML/CFT frameworks require that such risks be assessed and mitigated through blockchain analytics, sanctions screening, and transaction monitoring for known ransomware wallet addresses.

An effective AML CDD program must include:

Staff training on gathering CDD (A)

Maintaining complete information to support risk profiling (B)

Procedures to address situations where the customer's true identity is unclear or questionable (F)

Annual client reviews (D) and IP address monitoring (E) may be part of broader AML controls but are not fundamental CDD requirements. Maintaining a list of high-risk virtual assets (C) is important but relates more to product risk management than direct CDD.

Sharing of the same IP address by multiple customers during onboarding can indicate potential fraud, identity manipulation, or collusion, and should be flagged for further investigation. This can be a sign of synthetic identities or multiple accounts controlled by the same person.

Receipt of law enforcement requests (A) usually occurs post-onboarding, while the location (B) or use of foreign IDs (C) is not inherently suspicious.

Proof of Work (PoW) consensus achieves network consensus by requiring participants (miners) to solve complex cryptographic puzzles, which verifies transactions and secures the blockchain. This computational work makes it difficult and costly to alter the blockchain.

Dependency on electricity (A) is a criticism rather than an advantage. PoW promotes decentralization rather than centralization (B). It provides strong security for large networks rather than small ones (D).

This principle is fundamental in Bitcoin and many other cryptocurrencies and is frequently referenced in AML/CFT guidance to understand the transaction validation process and network security.

Ongoing monitoring is the continuous analysis of customer activity to detect unusual or suspicious patterns over time.

Anonymity red flags in crypto include the use of:

Decentralized or hardware wallets (A): These wallets are often unhosted and can facilitate anonymous transfers across borders, complicating AML controls.

Mixing services (B): These obscure transaction trails by blending multiple users’ funds, enhancing anonymity and increasing ML risk.

Privacy-oriented email services (C), fraudulent scheme-linked assets (D), and unusual sign-on activity (E) are also risk indicators but not specifically tied to anonymity in cryptoasset transactions.

AML guidance and thematic reviews emphasize A and B as key anonymity-related red flags.

DFSA AML Module requires the Board to approve and oversee the firm’s business-wide risk assessment, ensuring accountability at the highest governance level.

The most critical information enabling FIUs to address anonymity risks is data linking a virtual address to the real-world identity of its owner. Without this association, blockchain addresses remain pseudonymous, hindering effective AML efforts.

While transaction timing (A), identity of receiver (B), and transaction-to-address mapping (C) are useful, ownership linkage (D) is essential to break anonymity.

FATF and DFSA guidance prioritize obtaining ownership information through KYC and intelligence sharing.

Consortium blockchains are semi-private networks where governance is shared among authorized participants, offering a balance between decentralization and access control.

Privacy coins like Monero use cryptographic features to obscure transaction details, increasing AML risk and regulatory scrutiny.

Ethereum uses an account-based ledger model where balances are maintained per account, similar to bank accounts, and transactions update balances directly. This differs from Bitcoin, Litecoin, and Monero, which use the UTXO (Unspent Transaction Output) model.

Understanding ledger models is important for AML transaction monitoring and blockchain analytics, as account-based systems enable different tracking and risk assessment approaches.

Effective risk mitigation requires VASPs to obtain sufficient information about counterpart VASPs to assess the quality of their regulatory supervision and controls. This helps determine the risk of transactions and build a risk-based framework for correspondent relationships.

Having no requirements (A) or engaging with poorly regulated jurisdictions (B) increases risk. Blanket high-risk classification (C) without proper assessment is inefficient.

FATF Recommendation 15 and DFSA guidance emphasize due diligence on counterparties as a critical control.

EDD is required when dealing with customers or transactions from jurisdictions identified as high-risk for ML/TF. This aligns with FATF Recommendation 19 and local UAE regulations.

Direct sending to a scam cluster indicates active involvement by the customer in potentially transferring funds associated with fraudulent activities. Sending funds directly to known scam addresses is a strong indicator of complicity or direct engagement.

Indirect flows (A and B) could be less conclusive, and direct receiving (D) may indicate victimhood rather than active involvement.

AML typologies and DFSA guidance identify direct outgoing transactions to scam clusters as significant red flags.

Bitcoin and Ethereum have fundamental differences important to investigators:

Variety of applications, assets, and networks (B): Ethereum supports diverse decentralized applications (dApps), multiple tokens (ERC-20, ERC-721), and various networks, complicating transaction tracing compared to Bitcoin’s primary use as a cryptocurrency.

Ledger model (D): Ethereum uses an account-based ledger model, while Bitcoin uses a UTXO (unspent transaction output) model, affecting how transactions are recorded and analyzed.

Transaction cost (A) and address length (C) differ but are less relevant for fund flow investigations.

In the context of AML/CFT frameworks for cryptoassets, the investigation of transaction histories involves blockchain analysis tools to trace the flow of funds to and from crypto addresses. Specifically, it is essential to assess whether the addresses involved have had prior exposure to illicit activities such as known darknet marketplaces, ransomware payments, or sanctioned entities. This form of "address screening" helps identify potentially tainted cryptoassets.

The DFSA AML Module and associated guidance emphasize that transaction monitoring for cryptoassets requires analyzing the provenance of funds, not just ownership. While identifying the owner is part of customer due diligence (CDD), the transactional exposure itself reveals laundering risks embedded in the chain of transfers.

Extract from DFSA AML Module and COB Module on Crypto Business Rules:

"Transaction monitoring systems must include blockchain analysis to detect suspicious activity related to crypto tokens, including tracing transactions against known illicit sources."

"Enhanced due diligence (EDD) is required when a cryptoasset transaction involves addresses or wallets with a history of illicit activity."

"Risk-based approaches must integrate forensic review of transaction histories to assess financial crime risks in crypto asset transfers"【AML/VER25/05-24: Sections 6.3, 7.3, 13.3; COB/VER45/05-24: Sections 6.13, 15】.

Therefore, assessing the receiving exposure of cryptoasset addresses to illicit activity (Option C) is the most direct and effective method to detect laundering.

Blockchain’s immutability ensures that all transactions remain permanently recorded and tamper-proof, enabling blockchain analytics to trace illicit funds. This property is leveraged in crypto forensic investigations and AML monitoring.

Monero is a privacy-focused blockchain designed with built-in features like ring signatures, stealth addresses, and confidential transactions to obfuscate sender, receiver, and transaction amounts, making tracing difficult.

Cardano, Polygon, and Ethereum are not designed primarily with these privacy features and have publicly traceable ledgers, although privacy solutions may be layered on.

Criminals often move cryptoassets through multiple intermediary wallets (many “hops”) rapidly to obfuscate the transaction trail and avoid clustering, which blockchain analytics use to link related addresses.

Simply receiving large amounts (A), holding assets (B), or splitting movements (D) are less effective at preventing clustering.

Liquidity risk assessment focuses on the ability to execute trades without large price swings, which is reflected in order book depth and bid-ask spreads.

Small-value repeated payments to known extremist donation wallets are a terrorism financing indicator noted in FATF typology reports.

FATF defines VASPs as entities that conduct certain specified activities involving virtual assets. Licensing or registration as a VASP is required primarily for entities engaged in activities such as safekeeping and/or administration of virtual assets or conducting exchanges between one or more forms of virtual assets.

Cryptocurrency mining operations (A) and operating blockchain nodes (C) are generally excluded from the VASP definition because they do not involve handling customer funds or providing financial services. Virtual money service businesses (D) is a broader term that may include VASPs but not all such businesses fall under VASP regulations unless they meet the activity criteria.

This aligns with the DFSA AML Module and FATF Recommendation 15, which regulate entities providing virtual asset custody or exchange services to customers and require them to be licensed or registered.

Hash immutability means that altering any transaction would require changing all subsequent blocks and achieving majority consensus. This security property underpins blockchain integrity and forensic traceability, crucial in AML investigations.

Anonymity-enhanced cryptoassets employ specific technical features to obfuscate the details of transactions and the identities of users to reduce traceability and increase privacy. These include:

Automatic mixing (B):This refers to mechanisms such as coin mixers or tumblers that combine multiple transactions from different users into one batch and redistribute them, breaking the direct transaction link and obscuring the audit trail.

Cryptographic enhancements (D):Techniques such as zero-knowledge proofs, ring signatures, stealth addresses, and confidential transactions are cryptographic protocols that conceal sender, receiver, and transaction amount information, making the blockchain ledger less transparent.

Other options explained:

Proof-of-stake mining (A)is a consensus mechanism and not related to anonymity features.

Secure hashing algorithm 256 (C)is a cryptographic hash function standard but does not directly enhance anonymity.

MetaMask wallet (E)is a non-custodial wallet used mainly for Ethereum and tokens but is not an anonymity tool.

References from official crypto AML guidance and typology papers:

DFSA AML Module and thematic reviews highlight these anonymity techniques as high-risk indicators requiring enhanced due diligence (EDD).

UAE typology papers and FATF virtual asset guidance emphasize the risk posed by anonymity-enhanced cryptoassets using automatic mixing and cryptographic enhancements to circumvent AML controls【AML/VER25/05-24: Sections 6.4, 7.3; 31.92._TFS_Typology_Paper_Eng__4.pdf】.

The Board holds ultimate responsibility for policy approval under DFSA and FSRA AML rules, ensuring senior-level oversight.

The ability to monitor the cryptoasset for unusual activity directly impacts the residual AML risk, as effective monitoring enables detection and prevention of illicit transactions. Even if a blockchain is public or private (A), or the asset is profitable (B), the lack of proper monitoring mechanisms increases risk. The number of exchanges supporting the asset (D) is less significant than monitoring capability.

AML frameworks and DFSA guidance stress that risk mitigation depends heavily on effective transaction monitoring.

FATF Recommendation 13 (Correspondent Banking and Similar Relationships) and its application to VASP–VASP relationships require enhanced due diligence before onboarding. This is because such arrangements carry elevated ML/TF risk, especially in cross-border settings.

Required CDD practices include:

Assess the nature and purpose of the VASP relationship (C):Understand why the relationship is being established and the expected services/products.

Obtain approval from senior management (D):Senior management oversight ensures risk is accepted at the appropriate governance level.

Assess the VASP’s supervision and if a license/registration is needed (E):Confirm regulatory oversight, licensing, and compliance with AML/CFT obligations.

Options A and B arenotcore FATF requirements for CDD in this context — local authority approval may be a domestic regulatory requirement in some countries, but not a FATF baseline, and profitability assessment is a business decision, not an AML measure.