Enso Academy
Start the course
Back to courseCCAS Study Guide

Cryptoasset Anti-Financial Crime: CCAS Exam Preparation

The map of the exam: every domain it tests, the syllabus in order, and the vocabulary you are expected to use precisely. Built from the primary sources the exam itself is based on, FATF, the regulators, and real enforcement actions. Read it to see the whole shape of the exam; learn each topic in the interactive classroom.

Certifying body: Association of Certified Anti-Money Laundering Specialists (ACAMS) · 10 modules · 43 lessons · 279 terms

Part 1 · The exam at a glance

What the exam tests

Every domain the CCAS exam tests, taught from the primary sources the exam itself is built on: FATF, the regulators, and real enforcement actions. Not a rehash of a third-party study guide.

3 domains10 modules43 lessons100% coverage
1

Cryptoassets and Blockchain

30% of the exam
Covered

How cryptoassets and blockchains actually work: what cryptoassets are, how ledgers, keys, and transactions function, the ecosystem of exchanges, custodians, DeFi, and token types, and how blockchain analytics traces value on-chain.

  • Cryptoasset and Blockchain Foundations4 lessons
  • The Crypto Ecosystem: VASPs, DeFi, and Token Types4 lessons
  • Blockchain Analytics and On-Chain Investigation3 lessons
2

AML Foundations for Cryptoassets and Blockchain

35% of the exam
Covered

The AML foundations for crypto: the money-laundering cycle, terrorist and proliferation financing, fraud and typologies, the FATF standards, the Travel Rule and crypto sanctions, and the US, EU, and UK regulatory frameworks.

  • Financial Crime in the Cryptoasset Sector6 lessons
  • FATF, the Travel Rule, and Crypto Sanctions4 lessons
  • National and Regional Crypto Frameworks4 lessons
3

Risk Management Programs for Cryptoassets and Blockchain

35% of the exam
Covered

Building and running a cryptoasset anti-financial-crime programme: risk assessment, onboarding and KYC, customer risk rating, monitoring, screening and reporting, governance and audit, emerging risk, and lessons from enforcement.

  • Building a Cryptoasset AFC Program4 lessons
  • Monitoring, Screening, and Reporting4 lessons
  • Governance, Audit, and Emerging Risk4 lessons
  • Learning from Enforcement and Synthesis6 lessons

Domain structure and weighting follow the ACAMS CCAS exam blueprint (30 / 35 / 35). Enso Academy is independent and is not affiliated with, authorised by, or endorsed by ACAMS.

Part 2 · The syllabus

Every topic, in order

The full path through the course. Work it top to bottom, or jump to the area you need.

Module 1

Cryptoasset and Blockchain Foundations

Establishes the technical foundation a financial-crime professional needs: what cryptoassets are, how a blockchain actually works, how keys and wallets control value, and how an on-chain transaction moves from sender to recipient. Grounds the rest of the course in the mechanics that make crypto both transparent and hard to attribute.

  1. 01What Cryptoassets AreBuilds a precise working taxonomy of cryptoassets, separating the loose public vocabulary from the categories that matter for financial-crime risk.
  2. 02How Blockchains WorkExplains the distributed-ledger mechanics, blocks, consensus, nodes, immutability, without jargon, so the student understands what a blockchain guarantees and what it does not.
  3. 03Keys, Addresses, and WalletsTeaches public-key cryptography at the level a practitioner needs and maps the wallet landscape that determines who actually controls cryptoasset value.
  4. 04How On-Chain Transactions WorkFollows a transaction from creation to confirmation, introducing the UTXO and account models, fees, and the crucial distinction between pseudonymity and anonymity.
Module 2

The Crypto Ecosystem: VASPs, DeFi, and Token Types

Maps the participants and structures of the cryptoasset economy, exchanges and custodians, decentralised finance and smart contracts, stablecoins and tokenisation, and the privacy technologies built to defeat tracing, so the student can locate where value, control, and risk sit.

  1. 01Exchanges, Custodians, and the VASP LandscapeSurveys the intermediaries of the crypto economy and maps them to the FATF VASP definition, the regulatory pressure point of the whole sector.
  2. 02Decentralised Finance and Smart ContractsExplains smart contracts and the DeFi stack, DEXs, lending, liquidity pools, DAOs, and the hard question of who, if anyone, is the obliged entity.
  3. 03Stablecoins, NFTs, and TokenisationExamines the asset types that increasingly carry real value and real risk, stablecoins as the dominant settlement asset, NFTs, and the tokenisation of real-world assets.
  4. 04Privacy Coins, Mixers, and ObfuscationSurveys the technologies built to defeat tracing, privacy coins, mixers and tumblers, CoinJoin, and cross-chain bridges, and how regulators have responded.
Module 3

Blockchain Analytics and On-Chain Investigation

Develops the core investigative skill the CCAS domain demands: using the transparency of public blockchains, clustering, attribution, and exposure analysis, to trace cryptoasset flows, support investigations, and feed a compliance program. This is the cryptoasset analogue of the AFC 'tools and technologies' discipline.

  1. 01Transparency, Pseudonymity, and the Tracing PremiseEstablishes why blockchain investigation is possible at all, and the precise boundary where on-chain certainty ends and off-chain attribution begins.
  2. 02Clustering, Attribution, and Exposure AnalysisTeaches the analytical methods that turn raw addresses into actors and risk scores, clustering heuristics, entity attribution, and counterparty exposure.
  3. 03Conducting an On-Chain InvestigationIntegrates the analytics skills into a structured investigation, anchored to a real public case where blockchain tracing produced a result.
Module 4

Financial Crime in the Cryptoasset Sector

Surveys how the full range of financial crime, money laundering, terrorist and proliferation financing, fraud and scams, tax evasion, ransomware, and darknet activity, actually manifests in cryptoassets, and consolidates the red-flag indicators a practitioner uses to spot it.

  1. 01The Money-Laundering Cycle in CryptoMaps placement, layering, and integration onto cryptoasset rails, showing where crypto compresses or reshapes the classical laundering model.
  2. 02Terrorist and Proliferation Financing in CryptoSeparates terrorist financing and proliferation financing from money laundering in the crypto context, including the state-sponsored theft model exemplified by the DPRK.
  3. 03Crypto-Enabled Fraud and ScamsExamines the fraud typologies that dominate crypto victim losses and the fraud, AML nexus, the convergence the AFC discipline treats as one problem.
  4. 04Tax Evasion and the Crypto AFC NexusCovers tax evasion as a predicate offence and financial-crime risk in cryptoassets, the dimension the AFC framework names explicitly alongside money laundering and fraud, including the transparency regimes built to close the gap.
  5. 05Ransomware, Darknet, and Illicit MarketplacesExamines the criminal economies that run on crypto rails, ransomware, darknet markets, and sanctioned exchanges, and the compliance obligations they trigger.
  6. 06Crypto Typologies and Red-Flag IndicatorsConsolidates the laundering and offramp typologies and turns the FATF red-flag indicators into a working detection toolkit.
Module 5

FATF, the Travel Rule, and Crypto Sanctions

Develops the global regulatory standard for cryptoassets: the FATF VASP regime under Recommendation 15, the Travel Rule under Recommendation 16 and its revised data elements, the cross-border implementation problem, and the application of sanctions to cryptoassets.

  1. 01FATF Recommendation 15 and the VASP DefinitionEstablishes the foundational global standard: how FATF brought virtual assets and VASPs into the AML/CFT regime through Recommendation 15 and its Interpretive Note.
  2. 02The Travel Rule: Recommendation 16 and INR.16Teaches the single most operationally demanding crypto obligation, the Travel Rule, including the revised INR.16 data elements applicable to virtual-asset transfers.
  3. 03The Sunrise Problem and Counterparty VASP Due DiligenceAddresses the central implementation gap of the Travel Rule, inconsistent global adoption, and the counterparty due diligence a VASP must perform.
  4. 04Sanctions and CryptoassetsApplies the sanctions framework to cryptoassets, designated addresses, screening, and the obligations a VASP carries, using the leading public crypto-sanctions matters.
Module 6

National and Regional Crypto Frameworks

Applies the major national and regional cryptoasset regimes, the United States, the European Union (MiCA and the Transfer of Funds Regulation), and the United Kingdom, to practitioner decisions, and teaches a method for mapping crypto obligations onto any jurisdiction.

  1. 01The United States Crypto FrameworkMaps the fragmented US approach, FinCEN's money-transmission regime over convertible virtual currency, the BSA, the SEC/CFTC jurisdictional split, and state regimes.
  2. 02The EU Crypto Framework: MiCA and the Transfer of Funds RegulationTeaches the EU's comprehensive, directly-applicable crypto regime, MiCA for market/prudential regulation and the Transfer of Funds Regulation for the crypto Travel Rule, within the wider AML package.
  3. 03The United Kingdom Crypto FrameworkMaps the UK regime, FCA cryptoasset AML registration, the Money Laundering Regulations and the UK Travel Rule, and POCA, and the perimeter it draws.
  4. 04Mapping Crypto Rules to Any JurisdictionEquips the student with a transferable method: use the FATF baseline and a small set of questions to reason about crypto obligations in any jurisdiction, rather than memorising one country.
Module 7

Building a Cryptoasset AFC Program

Begins the program-design domain: how a cryptoasset business builds the foundations of an anti-financial-crime program, the risk assessment, customer onboarding and KYC, wallet attribution, customer risk rating, and the licensing/perimeter decisions that scope it all.

  1. 01The Cryptoasset Risk AssessmentTeaches how a crypto business builds its enterprise-wide ML/TF/sanctions risk assessment and sets risk appetite, using crypto-specific risk factors.
  2. 02Onboarding and KYC for CryptoTeaches customer due diligence in a crypto business, identity verification, wallet attribution, and the difficult question of source of funds for on-chain wealth.
  3. 03Customer Risk Rating in CryptoTeaches how a crypto business translates risk factors into a workable customer risk rating that incorporates on-chain exposure.
  4. 04The Regulatory Perimeter and LicensingTeaches how a crypto business determines which obligations apply to it, the licensing, registration, and perimeter decisions that scope the whole program.
Module 8

Monitoring, Screening, and Reporting

Teaches the operational engine of a cryptoasset AFC program, wallet and transaction monitoring, sanctions and watchlist screening, Travel Rule implementation, and suspicious-activity investigation and reporting, the crypto application of the AFC tools-and-technologies discipline.

  1. 01Wallet and Transaction MonitoringTeaches how a crypto business monitors activity, combining blockchain analytics, behavioural rules, and exposure scoring, and the model-risk discipline behind it.
  2. 02Sanctions and Watchlist Screening for CryptoTeaches the design of a crypto screening program across designated addresses, names, and geolocation, including fuzzy matching and list management.
  3. 03Travel Rule Implementation, OperationallyMoves from the Travel Rule as a standard to the Travel Rule as a working system, data standards, protocols, counterparty handling, and self-hosted wallets.
  4. 04Suspicious-Activity Investigation and Reporting in CryptoTeaches the investigation-to-report lifecycle in a crypto business, alert triage, on-chain investigation, and a defensible suspicious-activity report.
Module 9

Governance, Audit, and Emerging Risk

Completes the program with the governance that holds it accountable, roles and the three lines of defence, independent testing, training, vendor and model risk, and the horizon scanning a crypto program needs for DeFi, DAOs, CBDCs, and incident response.

  1. 01Governance, Roles, and the Three Lines in CryptoApplies the three-lines-of-defence model and compliance-function roles to a crypto business, including the governance of analytics models and board oversight.
  2. 02Independent Testing, Training, and Vendor RiskTeaches the assurance and capability layers, independent audit/testing of a crypto program, role-based training, and the management of the analytics vendors a crypto program depends on.
  3. 03Emerging Risks: DeFi, DAOs, and the HorizonEquips the student to reason about the risks the rules have not yet caught up to, DeFi and DAOs, cross-chain, privacy technology, CBDCs, and real-world-asset tokenisation.
  4. 04Incident Response and Program ResilienceTeaches how a crypto program responds when something goes wrong, a hack, a sanctioned counterparty, a stablecoin depeg, and how resilience is built in.
Module 10

Learning from Enforcement and Synthesis

Consolidates the course through the public enforcement record, how to read a crypto enforcement action, four defining cases (Tornado Cash, Binance, BitMEX, Lazarus/DPRK), and a synthesis that prepares the candidate to apply the whole course to exam-style and real scenarios.

  1. 01How to Read a Crypto Enforcement ActionTeaches the practitioner skill of reading a settlement, order, or indictment for the controls that failed and the lessons that transfer.
  2. 02Case: Tornado CashExamines the Tornado Cash matter end to end, the OFAC designation, the Van Loon litigation and delisting, and the DOJ founders prosecution, for what it teaches about sanctions, obfuscation services, and the limits of designation.
  3. 03Case: Binance (2023)Examines the 2023 Binance resolution, the largest crypto enforcement matter, as a study in what happens when scale outruns the AFC program.
  4. 04Case: BitMEXExamines the BitMEX enforcement actions as the cleaner illustration of the perimeter-and-program lesson, a derivatives platform that served users it was not registered to serve, with no real AML program.
  5. 05Case: Lazarus Group and DPRK Cryptoasset TheftExamines state-sponsored cryptoasset theft as the apex threat the whole program defends against, the Lazarus Group model, the Ronin bridge hack, and the laundering infrastructure, including the Bangladesh Bank heist as one early example.
  6. 06Course Synthesis and Exam PreparationSynthesises the whole course into practitioner judgment and prepares the candidate to apply it under exam conditions, with integrating scenarios spanning all three domains.
Part 3 · Glossary

The vocabulary, defined

The terms the exam expects you to use precisely. Review them the night before.

Above-the-line and below-the-line testing
Testing fired alerts for false positives and silent activity for misses.
Account model
Ethereum's model where each account holds a running balance.
Address
An on-chain identifier for sending or receiving value; pseudonymous, not a name.
Address clustering
Grouping the addresses one entity controls into a single, probabilistic cluster.
Address screening
Checking deposit and withdrawal wallets against designated and high-risk lists.
Alert disposition
The outcome of working an alert: close with reason, escalate, or report.
Alert investigation
Working an alert from triage to a documented disposition.
Algorithmic stablecoin
A reserve-free stablecoin that holds its peg by an automated mechanism, and can fail.
AMLA
The EU AML supervisor established by Regulation (EU) 2024/1620.
Asset seizure
Taking traced value via the keys or a custodian within legal reach.
Asset-referenced token
A MiCA stablecoin referencing a basket of values or rights.
Backward tracing
Following value back to its origin to establish source of funds.
Bangladesh Bank heist
The 2016 SWIFT theft attributed to Lazarus; the same playbook on pre-crypto rails.
Bank Secrecy Act
The U.S. AML statute FinCEN administers; it reaches crypto money transmitters.
Behavioural fingerprint
Usage patterns like change-address habits and timing that reinforce a cluster.
Behavioural transaction monitoring
Rules and scenarios testing whether a customer's activity is in character.
Beneficial owner
The natural person who ultimately owns or controls a customer.
Beneficiary VASP
The receiving VASP that checks the incoming information and handles gaps on a risk basis.
Binance resolution
The 2023 multi-agency Binance resolution; the largest crypto enforcement matter.
BitLicense
New York's demanding virtual-currency licence, on top of federal FinCEN registration.
BitMEX
The offshore derivatives exchange with no-information onboarding; the clean perimeter-and-program case.
Blockchain
A distributed, append-only ledger secured by consensus and cryptographic linking.
Blockchain bridge
A cross-chain protocol that pools value and trust in the keys securing it.
Blocked property
Property of a designated person that may not be dealt in; includes value at a designated address.
Board oversight
The board's duty to set appetite, demand honest information, and hold the lines accountable.
Central bank digital currency
State-issued digital fiat; excluded from the FATF virtual-asset definition.
Centralised exchange
A company-run exchange that holds funds and runs an order book; a textbook VASP.
Chain of inference
The documented, defensible record of each link and confidence level in a trace.
Chain-hopping
Moving value across blockchains to break a single-chain trace at the bridge.
Change address
The address that receives the leftover value of a UTXO spend; a clustering signal.
Coin
A cryptoasset native to its own blockchain.
CoinJoin
A collaborative transaction that defeats the common-input heuristic and creates false clusters.
Commodity Futures Trading Commission
The U.S. commodities regulator; treats Bitcoin and Ether as commodities.
Common-input-ownership heuristic
Inputs co-spent in one transaction are almost always one owner; a strong rule of thumb.
Compliance officer
The senior officer anchoring the second line; real only with authority, a board line, and resources.
Composability
How DeFi protocols chain together, enabling fast automated layering.
Comprehensively sanctioned jurisdiction
A country under broad country-level sanctions, whose users a bound firm must identify and restrict.
Confidence level
The recorded strength of an inference, propagated into every conclusion that relies on it.
Confirmation
A block inclusion that moves a transaction toward finality.
Consensus mechanism
How a decentralised network agrees on the ledger's contents.
Control effectiveness
How much controls reduce risk in practice, not on paper.
Control or sufficient influence
FATF's fact-specific test for whether someone behind a decentralised arrangement is a VASP.
Control or sufficient influence test
FATF's substance-over-label test for who behind a DeFi protocol may be an obliged VASP.
Control, cause, carry-forward
The three-step method: name the failed control, diagnose the cause, carry the lesson forward.
Convertible virtual currency
Crypto that has value in or substitutes for real currency; the subject of FinCEN's guidance.
Correspondent-banking due diligence
The banking practice of vetting another institution before relying on it; the model for counterparty VASP diligence.
Counterparty attribution
Establishing from analytics what is behind a destination address before a transfer.
Counterparty VASP due diligence
Vetting the counterparty institution before exchanging Travel Rule data and value with it.
Cross-chain bridge
A service moving value between chains, used for chain-hopping to break a trace.
Cross-chain bridge and chain-hopping
Bridges move value between chains; chain-hopping abuses them rapidly to break a trace's continuity.
Crypto ATM
A cash-to-crypto kiosk; a fiat on-ramp and a VASP when run as a business.
Crypto-Asset Reporting Framework (CARF)
The OECD standard for automatic cross-border exchange of crypto transaction data.
Crypto-asset service provider
The EU's MiCA term for a crypto-service business requiring authorisation.
Crypto-collateralised stablecoin
A stablecoin backed by an over-collateralised pool of other cryptoassets in smart contracts.
Cryptoasset
A digital, ledger-based asset such as a coin or token.
Cryptoasset mixer
A service that pools and re-sends cryptoassets to obscure their trail; a frequent sanctions target.
Custodial mixer
A mixer whose operator takes custody and transfers value for others; a money transmitter with AML duties.
Custodial wallet
A wallet where a provider holds the keys; the point where AML obligations attach.
Custodian
A business that holds keys and safekeeps cryptoassets for others; a VASP by safekeeping alone.
Customer baseline
The expected profile against which behaviour is judged in or out of character.
Customer due diligence
Identify and verify the customer and beneficial owner, understand the relationship, and monitor it.
Customer risk rating
A per-customer risk score that drives scrutiny and enhanced due diligence.
DAC8
The EU directive (2023/2226) implementing CARF and extending tax-information exchange to crypto providers.
Darknet marketplace
Crypto-settled e-commerce for illegal goods on anonymising networks, often with escrow.
De-minimis threshold
The low-value cutoff below which a lighter, unverified Travel Rule data set may travel.
Decentralised autonomous organisation
A token-governed structure steering a protocol; the ownerless label does not settle who is responsible.
Decentralised exchange
A contract-driven exchange with no operator holding funds; the hard obliged-entity case.
Decentralised finance
Intermediary-free financial software that challenges the obliged-entity assumption.
Defence against money laundering
The UK consent mechanism a firm uses before acting where a transaction might be an offence.
Deferred prosecution agreement
A criminal resolution with admitted facts, a penalty, and undertakings such as a monitor.
Delisting
Removal from the SDN List; ends the sanctions status, not the money-laundering risk.
Delivery channel
How customers are reached and served; a risk-assessment dimension.
Deposit-address tagging
First-hand deposits reveal a service's addresses; the highest-yield attribution method.
Designated address
A wallet address on a sanctions list; a direct dealing with it must be blocked.
Detection scenario
A typology expressed as a testable monitoring rule with a threshold.
Digital payment token service
Singapore's licensed crypto-service category under the Payment Services Act.
Digital-asset broker reporting
US section 6045 rules requiring custodial crypto intermediaries to report customer transaction data to the tax authority.
Direct and indirect exposure
Direct exposure is a straight transaction to a flagged address; indirect is a few hops away.
Direct exposure
Value sent to or received from an illicit cluster with no intermediary; the strongest signal.
Dynamic risk scoring
Re-rating customers on events, not only on the calendar, because crypto risk moves fast.
E-money token
A MiCA stablecoin referencing a single official currency.
Effective anti-money-laundering program
The required AML program of identity, monitoring, reporting, screening, and a compliance function.
Employee due diligence
Screening staff at hiring and, for sensitive roles, on an ongoing basis.
Enforcement action
A government account of a failed program, penalty attached; the field's post-mortem.
Enhanced due diligence
Heightened due diligence for higher-risk customers and situations.
Enterprise-wide risk assessment
The document that identifies and scores a firm's financial-crime risk; the foundation of the program.
Entity attribution
Naming the entity behind a cluster, with a recorded confidence level.
EU Anti-Money Laundering Regulation
Regulation (EU) 2024/1624, the EU AML single rulebook applying from 10 July 2027.
Exposure
That funds touched high-risk infrastructure such as a mixer; a defensible finding that survives obfuscation.
Exposure analysis
Measuring a wallet's connection to attributed illicit clusters to score risk.
Exposure scoring
Scoring a transaction's direct or indirect connection to flagged addresses.
Exposure threshold
A documented, risk-based limit on tolerated exposure; owned by the institution, not universal.
False negative
Failing to tag a genuinely illicit cluster, so dirty value passes as clean.
False positive
Wrongly tagging a clean cluster as illicit; the counterpart is the missed illicit cluster.
FATF Recommendation 15 and INR.15
The FATF standard setting the VASP perimeter, licensing, and preventive measures for crypto.
FCA cryptoasset registration
The UK's mandatory FCA anti-money-laundering registration for crypto firms.
Fiat on-ramp and off-ramp
The regulated conversion points between fiat and crypto; the chokepoints where a program can act.
Fiat-collateralised stablecoin
A reserve-backed stablecoin whose safety depends on the issuer actually holding sufficient reserves.
Financial Conduct Authority
The UK regulator for AML registration of in-scope cryptoasset businesses.
Financial Crimes Enforcement Network
The U.S. AML regulator that applies the Bank Secrecy Act to crypto money transmitters.
Financial intelligence unit
The national body that receives suspicious-transaction reports.
FinCEN
The US bureau a crypto value transmitter registers with as a money services business.
FinCEN consent order
A settled order naming AML program failures and assessing a civil money penalty.
First line of defence
The business itself, including crypto product and engineering teams, that owns risk where it arises.
Flash loan
An uncollateralised loan taken and repaid within one transaction, or it reverts.
Forward tracing
Following value onward toward its destination and cash-out.
Fraud-AML nexus (FRAML)
Fraud and laundering as two readings of one on-chain flow; the case for joining the two functions.
Funds-transfer Travel Rule
The pre-crypto Bank Secrecy Act rule that the crypto Travel Rule is modelled on.
Fuzzy matching
Scoring name closeness rather than requiring an exact match.
Geolocation controls
Checking where a customer transacts from, continuously, not just at onboarding.
Geolocation screening
Using IP and location signals to identify and block users in comprehensively sanctioned jurisdictions.
Guilty plea
A criminal resolution in which the defendant admits the charged conduct.
Hop
One intermediate address in an exposure path; read what is in it, not just the count.
Horizon scanning
Watching typologies and regulatory signals to reason about a risk before the rulebook catches up.
Hot and cold wallets
Hot wallets are online and exposed; cold wallets are offline and safer but slower.
Howey analysis
The U.S. test for a security, used to decide whether a token falls to the SEC.
Identity bridge
The step that links a traced on-chain flow to a named real-world person.
Identity verification
Confirming a customer's identity, done remotely in crypto through digital verification tools.
Immutability
Confirmed ledger records cannot be quietly changed; it preserves history, not identity.
Incident response
The existing controls run fast and in sequence: contain, investigate, report, decide.
Independent testing
A periodic independent review that tests whether the program really works, including its models.
Indictment
A charging document that alleges, not proves, a defendant's conduct.
Indirect exposure
An illicit link running through hops; weaker with distance and with what sits in the path.
Inherent risk
Risk by nature, scored before any credit for controls.
Insider threat
The risk that staff with access and keys subvert controls; managed by segregation and access monitoring.
Instant exchanger
A no-KYC swap service that converts assets without customer due diligence.
Integration
The re-emergence of laundered value in apparently legitimate form.
International Emergency Economic Powers Act
The statute underpinning US sanctions and the blocking of property.
Interoperability protocols
Off-chain messaging that carries and reconciles the Travel Rule message.
Interpretive Note to Recommendation 15
The 2019 Interpretive Note that requires countries to license, supervise, and impose preventive measures on VASPs.
Investigation indicator
The starting signal an investigation begins from, such as an alert or a victim report.
Issuer freeze
A central issuer's ability to freeze stablecoin tokens at a specific address; a rare crypto interdiction lever.
IVMS101
The shared data model for Travel Rule originator and beneficiary information.
John Doe summons
A summons compelling an intermediary to identify unknown taxpayers within a defined class.
Key risk indicator
A tracked measure, such as backlogs or overdue reviews, showing whether the program keeps pace.
Law-enforcement referral
Passing a documented trace to authorities who hold subpoena, warrant, and arrest powers.
Layering
Moving value to disguise its origin; automated and compressed on crypto rails.
Lazarus Group
The DPRK state-sponsored hacking group; the course's integrating threat.
Legal Entity Identifier
A unique official identifier used to identify a legal-person party in Travel Rule data.
Lending and borrowing protocol
DeFi contracts for lending and borrowing against crypto collateral, enforced automatically by code.
Liquidity pool
A user-supplied pot of tokens, held as a contract, that swaps and loans are priced against.
List management
Keeping lists current and re-screening the book when they change.
Liveness detection
Confirming a live person is present at onboarding, not a photo or replay.
Management information
The honest performance reporting the board needs to oversee the program, not a wall of green.
Market event
A depeg or counterparty failure that triggers heightened monitoring, not only a treasury problem.
Mempool
The pool of broadcast, unconfirmed transactions awaiting inclusion in a block.
MiCA
Regulation (EU) 2023/1114; EU market regulation for CASPs, separate from the AML duties.
Mixer
A pooling service that breaks the input-to-output link; it degrades tracing, not defeats it.
Model governance
Governing analytics models with an owner, validation, documented limits, and a human in the loop.
Model risk discipline
Governing monitoring as a model: coverage, tuning, testing, governance.
Money Laundering Regulations 2017
The UK AML rulebook for registered crypto firms; the reporting duty sits in POCA.
Money services business
The US category for a crypto value transmitter; registers with FinCEN plus state licences.
Money services business registration
The FinCEN registration that puts a money transmitter inside the US perimeter.
Money transmitter
A business that exchanges or transmits crypto for others; a covered money services business.
Money-laundering cycle
Placement, layering, and integration: the classical model of how illicit value is washed.
Mule network
People lending their accounts to move illicit value; a borrowed off-ramp identity.
Multi-jurisdiction perimeter
Overlapping regimes that apply at once to a global business, adding rather than substituting.
Multi-signature wallet
A wallet needing multiple keys to authorise a transfer, splitting control.
Name screening
Checking customer and counterparty names against sanctions and watchlists.
Nesting
Running a crypto service through a larger exchange's accounts to hide behind its perimeter.
Non-custodial mixing protocol
A mixing protocol that combines users' transactions without taking custody; a hard obliged-entity case.
Non-face-to-face onboarding
Onboarding without meeting the customer; the standard condition in crypto.
Non-fungible token
A unique token whose subjective value can mask wash trading and value transfer.
Obliged entity
A business a regime regulates; in crypto, one that exchanges, transfers, or custodies for others.
OFAC settlement
A settled sanctions matter describing apparent violations and the screening failure.
Off-chain attribution
External evidence that turns a pseudonymous address into a named actor.
Off-ramp
The regulated conversion point where a pseudonymous address can become a named person.
Off-ramp chokepoint
A regulated cash-out point stolen value must pass through, where it can be frozen.
Office of Foreign Assets Control
The U.S. Treasury sanctions authority that maintains the SDN List.
On-chain analytics
Tracing value across a blockchain to attribute addresses and measure exposure to illicit or designated sources.
On-chain evidence
Verifiable ledger evidence: addresses, hashes, traced flows, and exposure.
On-chain exposure
The risk in a customer's on-chain counterparties, scored as direct or indirect exposure.
On-chain transparency
Public-chain transactions are open, permanent, and continuous, so value can be followed freely.
On-ramp and off-ramp
Where crypto meets fiat; the crossing points that concentrate risk and the chance to intervene.
Ongoing due diligence
Keeping the customer picture current over the life of the relationship.
Originating VASP
The sending VASP that collects, holds, and transmits the Travel Rule information.
Originator and beneficiary information
The identity fields that the Travel Rule requires to accompany a transfer.
Over-the-counter desk
A private desk for large off-order-book trades; a VASP warranting enhanced due diligence.
Passporting
One MiCA authorisation that lets a CASP serve the whole EU.
Payment processor
A business that lets merchants accept crypto; typically a VASP that moves value for others.
Peel chain
A long chain of small peel-offs used to bury a large sum in many hops.
Peer-to-peer trading
Direct individual-to-individual crypto-for-cash trading; a channel for moving value outside controlled venues.
Personal liability for AML program failures
Individuals who run the firm can be criminally liable for a failed AML program.
Phishing and approval-draining
Tricking a victim into signing an approval, then sweeping their own wallet in one transfer.
Pig-butchering
A romance-plus-investment long con that funnels victims to a fake platform.
Placement
The entry of illicit value into the system; frequently minimal in crypto because value is born on-chain.
Ponzi and high-yield scheme
Paying earlier participants from later deposits until inflows stop and the scheme fails.
Predicate offence
An underlying crime whose proceeds, when moved or hidden, become money laundering.
Privacy coin
An asset engineered to conceal transaction data at the protocol level.
Privacy service
A mixer or privacy protocol severing source from destination; exposure is a strong risk signal.
Private key
The secret key that controls and can spend the assets at an address.
Proceeds of Crime Act 2002
The UK law defining money-laundering offences and the SAR regime; criminal property includes crypto.
Program resilience
Absorbing an incident and closing the loop into the risk assessment, scenarios, and appetite.
Proliferation financing
Funding a weapons-of-mass-destruction programme; governed by FATF Recommendation 7.
Proof of stake
Consensus by staking coins to validate blocks, rewarded with new coins.
Proof of work
Consensus by expending computing power to add blocks, rewarded with new coins.
Pseudonymity
Activity tied to visible addresses rather than names; traceable but not self-identifying.
Public key
A shareable key used to verify signatures, from which an address is derived.
Ransom payment risk
Paying or processing a ransom can be a sanctions violation across the whole payment chain.
Ransomware
Crypto-settled extortion: compromise, ransom demand, payment, laundering, cash-out.
Ransomware-as-a-service
Ransomware run as a business, with operators, affiliates, and split proceeds.
Re-anchoring
Matching a flow across a deliberate break instead of abandoning the trace.
Recall and precision tradeoff
The screen's balance between catching true matches and avoiding false alarms.
Recommendation 15
The FATF Recommendation that brought virtual assets and VASPs into the AML/CFT regime.
Recommendation 16
The FATF wire-transfer Recommendation that sets the Travel Rule, applied to VA transfers through INR.15.
Red-flag indicator
An observable sign of a possible typology; conclusive only in combination and context.
Reflex exit
Refusing or exiting a customer with no analysis; usually de-risking.
Regulation versus Directive
A Regulation binds all EU states directly; a Directive is transposed into national law.
Regulatory arbitrage
Trying to escape the perimeter by staying offshore while serving strict-jurisdiction users; it fails.
Regulatory perimeter
The analysis of which obligations apply to a business, and where.
Residual risk
The risk left after controls; what the business actually carries.
Risk appetite
A documented, board-approved statement of what risks the business will and will not accept.
Risk factors
The four dimensions scored in a risk assessment: customer, product, geography, and channel.
Risk-based approach
Applying controls in proportion to identified risk, per FATF Recommendation 1.
Ronin bridge hack
The March 2022 Ronin bridge theft attributed to the Lazarus Group.
Rug pull
An exit scam in which insiders drain a token or DeFi liquidity pool they control.
Sanctioned and nested exchanges
Illicit-facing and piggybacking exchanges that cash out crime; increasingly designated by name.
Sanctions screening
Screening parties and geolocation against designation lists to stop prohibited dealings.
Scale without a program
Growth that outruns controls; the sector's recurring failure mode.
Scenario coverage
How well the rule set covers the program's full list of typologies.
SDN List
OFAC's list of designated persons, entities, and wallet addresses whose property is blocked.
Second line of defence
The independent compliance and risk function that challenges the first line and can say no.
Securities and Exchange Commission
The U.S. securities regulator; reaches tokens that are securities under Howey.
Segregation of duties
Splitting a process so no one person controls it end to end; concentration of control is a red flag.
Self-hosted wallet
A wallet where the user holds their own keys; no intermediary, raising the unhosted-wallet problem.
Self-hosted wallet transfer handling
Collecting from your own customer, and verifying control, when there is no counterparty provider.
Sixth Anti-Money-Laundering Directive
Directive (EU) 2024/1640, the transposed part of the EU AML package.
Slashing
Destroying a validator's staked coins as a penalty for cheating in proof-of-stake.
Small-value flows
Many small, below-threshold contributions to one address; the terrorist-financing signature.
Smart contract
Self-executing on-chain code that moves value automatically, with no human judgment at execution.
Smart-contract designation
Sanctioning smart-contract addresses themselves rather than a person or company.
Smart-contract risk
Exposure from funds moving under a protocol's code, where flaws or exploits shape the risk.
Smart-contract wallet
A wallet governed by on-chain code, adding programmable controls and contract-code risk.
Source of funds
The origin of the specific assets funding an account.
Source of wealth
How a customer became wealthy overall; tested against the chain, not taken on faith.
Specially Designated Nationals and Blocked Persons List
OFAC's list of designated persons and blocked property, including crypto addresses.
Stablecoin
A cryptoasset engineered to hold a stable price against a reference asset.
State-sponsored cryptoasset theft
A sanctioned state stealing crypto as its funding mechanism, as in the Lazarus Group model.
Strict liability
Liability that attaches to the dealing itself, regardless of intent or knowledge.
Strict liability (sanctions)
Sanctions liability regardless of intent; a listed-address match is a hard stop.
Structuring and smurfing
Fragmenting value into many small transfers to beat thresholds; a fan-out or fan-in pattern.
Sunrise problem
The gaps that arise because jurisdictions implemented the Travel Rule at different times.
Suspicion standard
Reports are triggered by a formed suspicion, not by proof of a crime.
Suspicious activity report
A report of suspicion, not proof, filed to the financial intelligence unit.
Suspicious-activity report
A regulated institution's report of detected illicit exposure to its financial-intelligence unit.
Targeted financial sanctions
Freeze-and-prohibit measures against designated persons and property; R.6 for terrorism, R.7 for proliferation.
Tax avoidance
Lawfully reducing tax owed through disclosed, legitimate planning; not a crime.
Tax evasion
Deliberately concealing income or gains to escape tax owed; a predicate offence.
Taxable event
A disposal or income event, such as selling, swapping, spending, or earning crypto, that may create a tax liability.
Terrorist financing
Moving value, often clean and small, toward a violent end; concerned with purpose, not origin.
The sanctions engine and the suspicion engine
Block on a confirmed listed match; investigate on analytics exposure short of one.
Third line of defence
Independent audit that assures the board the first two lines are working.
Third-party due diligence
Assessing a critical vendor's methodology, coverage, reliability, security, and failure contingency.
Three lines of defence
The model splitting control responsibility into business, independent compliance, and independent audit.
Threshold tuning
Calibrating the level at which a rule fires, on evidence not instinct.
Tipping off
Alerting the subject that they are under scrutiny; a program acts without tipping off the customer.
Tipping-off
Improperly disclosing a report or investigation to the subject; often an offence.
Token
A cryptoasset issued on a host chain, usually via a smart contract.
Tokenisation of real-world assets
Representing an off-chain asset as a token; the risk lives in the seam with the off-chain legal right.
Tornado Cash
An Ethereum mixer OFAC designated in 2022 and delisted in 2025 after the Van Loon ruling.
Tracing premise
The chain hands the investigator the route for free, but never the identity.
Training effectiveness
Judging training by role-based competence and changed behaviour, not by completion rates.
Transaction monitoring
The control that watches a live customer's activity and raises alerts.
Transfer of Funds Regulation
Regulation (EU) 2023/1113; carries the crypto Travel Rule in the EU, separate from MiCA.
Travel Rule
The rule that originator and beneficiary information must travel with a transfer between institutions.
Travel Rule operations
The operational process of exchanging sender and recipient identity off-chain.
Typology
A repeatable criminal method; paired with indicators to build a detection toolkit.
UTXO model
Bitcoin's model where coins are unspent outputs consumed and recreated when spent.
Value obfuscation
Overpaying for a no-objective-price asset to move money under the cover of a purchase.
Van Loon v. Department of the Treasury
The 2024 Fifth Circuit ruling that immutable smart contracts are not blockable property under IEEPA.
Vendor over-reliance
Treating one vendor's label as ground truth instead of a probabilistic estimate to corroborate.
Vendor risk
The dependency on external analytics vendors; the analysis can be outsourced but not the accountability.
Verification of wallet control
Proving a customer controls a self-hosted wallet, by signed message or verification transfer.
Virtual asset
The FATF term for an in-scope cryptoasset; excludes digital fiat and already-covered securities.
Virtual asset service provider
A business that exchanges, transfers, or custodies cryptoassets for others.
Virtual-currency mixer
A service that pools funds to break the on-chain source-to-destination link.
Wallet attribution
Linking a customer to the addresses they control, and screening those addresses.
Wash trading
Linked wallets trading an asset among themselves to fabricate value and move money under cover of a sale.
Watchlist
A non-sanctions list whose match triggers scrutiny, not a strict-liability block.
Part 4 · Before exam day

How to pass, not just cram

  • Block out the full exam time without interruption when you sit a full simulation. The clock does not pause.
  • Read each scenario question twice. The exam tests judgment, so the best answer is usually a close call between two plausible options.
  • When two answers look right, pick the one that reflects the risk-based approach and the institution’s actual obligation, not the harshest or most literal reading.
  • Keep clear which source recommends (FATF) and which one requires (national law). The exam separates the global standard from the local statute.
  • Be able to place every control in the customer lifecycle: onboarding, due diligence, ongoing monitoring, screening, and reporting.
  • Review the glossary the night before. Most wrong answers come from a term used loosely, not from a gap in reasoning.
  • Run at least one full simulation under real conditions, and reach the readiness signoff, before exam day.

This is the map. The course is the classroom.

This guide shows you the whole exam. The course teaches every lesson interactively, with a lecturer that adapts to what you know and a faithful simulation that tells you when you are ready.

Start the course

Enso Academy is independent and is not affiliated with, authorised by, or endorsed by the certifying body. This guide is original material built from primary and public sources.