CCAS Sample Questions Answers

A 51% attack refers to a situation where a single miner or group controls more than 50% of the blockchain network’s computational (hashing) power. This majority control allows them to manipulate the blockchain ledger by double-spending or blocking transactions.

This term is widely recognized in blockchain security contexts and is referenced in typology papers on crypto financial crime risks, including those issued by UAE authorities and FATF.

Supporting extracts:

DFSA AML thematic reviews mention the risk of manipulation and double spending in blockchains susceptible to 51% attacks.

Typology reports on cryptoasset risks highlight computational power concentration as a core vulnerability.

“51% refers to the percentage of total mining power or computational power in the network” is the standard definition across crypto AML/CFT frameworks【31.92._TFS_Typology_Paper_Eng__4.pdf; AMLCFT_Guidance_for_FIs.pdf】.

Thus,Cis correct.

Sharing of the same IP address by multiple customers during onboarding can indicate potential fraud, identity manipulation, or collusion, and should be flagged for further investigation. This can be a sign of synthetic identities or multiple accounts controlled by the same person.

Receipt of law enforcement requests (A) usually occurs post-onboarding, while the location (B) or use of foreign IDs (C) is not inherently suspicious.

A token burn is the deliberate removal of tokens from circulation by sending them to an unspendable address. While sometimes legitimate, burns can also be misused for market manipulation.

Sanctions breaches require immediate reporting to competent authorities and freezing of assets where legally mandated.

The FATF Travel Rule requires Virtual Asset Service Providers to share originator and beneficiary information for virtual asset transfers exceeding a certain threshold. Its purpose is to mitigate ML/TF risks by increasing transparency and enabling authorities to trace the movement of funds across institutions and jurisdictions.

It does not aim to slow transactions (B) or directly enhance CDD (A), although it supports the overall AML framework including CDD.

This rule is a cornerstone of FATF’s efforts to regulate virtual asset transfers effectively and is adopted by DFSA and other regulators.

The primary purpose of a security audit for smart contracts is to protect investors’ funds by identifying vulnerabilities, coding errors, and weaknesses in the smart contract or underlying protocol that could be exploited. This proactive approach helps prevent hacks, exploits, and financial loss.

While performance issues (B) may be noted, the critical concern is security. Identifying bad actors (C) is not within the scope of a code audit but is a broader operational issue. Copyright concerns (A) are unrelated.

AML and crypto governance frameworks underline the importance of security audits to mitigate operational risks in DeFi and other smart contract-based applications.

Staff must report any suspicious activity immediately to the designated Money Laundering Reporting Officer (MLRO) or equivalent within their organization. The MLRO is responsible for assessing the suspicion and deciding on escalation to the relevant authorities.

Informing customers (A) could compromise investigations. Reporting directly to financial investigation units (B) is not the staff member’s role. Monitoring transactions without reporting (D) delays required action and risks regulatory non-compliance.

DFSA AML Module and FATF Recommendations emphasize timely internal reporting to designated officers as the first step in managing suspicious activity.

Bitcoin and Ethereum have fundamental differences important to investigators:

Variety of applications, assets, and networks (B): Ethereum supports diverse decentralized applications (dApps), multiple tokens (ERC-20, ERC-721), and various networks, complicating transaction tracing compared to Bitcoin’s primary use as a cryptocurrency.

Ledger model (D): Ethereum uses an account-based ledger model, while Bitcoin uses a UTXO (unspent transaction output) model, affecting how transactions are recorded and analyzed.

Transaction cost (A) and address length (C) differ but are less relevant for fund flow investigations.

Chain hopping involves moving between blockchains to make tracing harder, often exploiting regulatory gaps.

The EU’s Markets in Crypto-Assets Regulation (MICA) applies specifically to:

Electronic Money Tokens (B): Tokens that fulfill the definition of electronic money under the E-Money Directive.

Cryptoassets (D): Broad category including digital representations of value that are not covered by existing financial services legislation.

Asset-Referenced Tokens (E): Tokens that purport to maintain a stable value by referencing one or several assets.

Meme coins (A) and privacy coins (C) are not separately classified under MICA but may fall under broader cryptoasset categories subject to other regulations.

DFSA AML Module requires the Board to approve and oversee the firm’s business-wide risk assessment, ensuring accountability at the highest governance level.

FATF standards specify that Virtual Asset Service Providers (VASPs) must keep records related to transactions and customer due diligence for at least 5 years after the completion of the transaction or end of the business relationship. This retention period facilitates effective AML investigations and regulatory reviews.

DFSA AML Module aligns with this timeframe, reinforcing that comprehensive record retention supports audit trails and compliance verification.

Red flags related to anonymity include transactions where virtual assets are cashed out at exchanges from peer-to-peer hosted wallets with no clear business rationale. Such behavior indicates attempts to obscure the origin or destination of funds, characteristic of laundering activities.

Executing high-value transactions after inactivity (A) or frequent transfers to known VASPs (C) may be suspicious but are less directly linked to anonymity. Exchanging at a loss (D) is a different type of red flag.

FATF’s red flag indicators list (2021) highlights (B) as a key sign of anonymity-related risk.

Monero is a privacy-focused blockchain designed with built-in features like ring signatures, stealth addresses, and confidential transactions to obfuscate sender, receiver, and transaction amounts, making tracing difficult.

Cardano, Polygon, and Ethereum are not designed primarily with these privacy features and have publicly traceable ledgers, although privacy solutions may be layered on.

FATF guidance sets the threshold for Customer Due Diligence (CDD) on occasional transactions at USD/EUR 10,000 or equivalent. This means that when a cryptoasset exchange processes a one-off transaction exceeding this amount, it must apply appropriate CDD measures.

This aligns with FATF Recommendation 10 and is adopted by DFSA and FSRA frameworks governing virtual asset service providers, ensuring transactions over this limit are subject to identity verification and risk assessment.

Extracts from AML and COB modules emphasize this threshold as the trigger for CDD on occasional transactions to prevent laundering through high-value single transfers.

Stablecoins aim to maintain value stability by pegging to assets like fiat currency or commodities. Regulators stress monitoring stablecoin reserve transparency to prevent misuse for layering illicit funds.

Code uniqueness is critical because reuse or replication of vulnerable code exposes protocols to known exploits. Unique, well-audited, and secure code minimizes compromise risk in decentralized finance (DeFi) and smart contracts.

Security standards (A), authentication (B), and regulation (C) are important but secondary to the fundamental security of the code itself.

Funds moving through multiple intermediary wallets before arriving at the client’s wallet indicate layering techniques used to obscure the source of funds, a classic money laundering tactic.

Transferring funds quickly (A) or declaring wealth (B) are less definitive indicators. An untraceable IP (C) raises concerns but is less conclusive than complex transactional layering.

Smart contracts execute predetermined conditions automatically on blockchain, enabling decentralized applications and services.

Ransomware schemes are categorized as cyber-enabled financial crimes. AML/CFT frameworks require that such risks be assessed and mitigated through blockchain analytics, sanctions screening, and transaction monitoring for known ransomware wallet addresses.

Layering involves creating complex transaction chains to disguise the illicit origin of funds. In crypto, this may involve multiple wallet hops, cross-chain swaps, and the use of privacy-enhancing technologies.

An effective AML CDD program must include:

Staff training on gathering CDD (A)

Maintaining complete information to support risk profiling (B)

Procedures to address situations where the customer's true identity is unclear or questionable (F)

Annual client reviews (D) and IP address monitoring (E) may be part of broader AML controls but are not fundamental CDD requirements. Maintaining a list of high-risk virtual assets (C) is important but relates more to product risk management than direct CDD.

Indirect exposure refers to connections through one or more hops to illicit addresses. This requires robust transaction chain analysis to detect hidden ML/TF risk.

Money laundering risk increases if the business operates in or near high-risk jurisdictions (D) or regions associated with narcotics production (C), as these are common sources of illicit funds.

An increase in volume and users (A) or supporting various cryptoassets (B) alone does not necessarily increase ML risk. Recent licensing (E) may indicate regulatory compliance, potentially lowering risk.

Direct sending to a scam cluster indicates active involvement by the customer in potentially transferring funds associated with fraudulent activities. Sending funds directly to known scam addresses is a strong indicator of complicity or direct engagement.

Indirect flows (A and B) could be less conclusive, and direct receiving (D) may indicate victimhood rather than active involvement.

AML typologies and DFSA guidance identify direct outgoing transactions to scam clusters as significant red flags.

Mining generates new cryptoassets (A) by rewarding miners for solving complex cryptographic puzzles. It also validates transactions on the blockchain (D) by confirming and recording them in blocks, ensuring the integrity of the ledger.

While mining indirectly contributes to network security, the core security mechanisms involve consensus protocols beyond mining alone (B). Optimizing network functionality (C) is usually a development task rather than a mining function.

The FinCEN 2019 guidance clarifies that money transmitters include entities that exchange digital tokens or convertible virtual currencies as part of their business activities. This includes exchanges and platforms that transfer virtual currencies.

Providing infrastructure services (B), operating clearance systems solely among regulated institutions (C), or acting as payment processors for goods/services (D) without handling value transfer do not fall under the money transmitter definition per this guidance.