Download Latest CAMS Questions

Paying a large amount in cash for an art purchase is a typical red flag of potential money laundering, as it may indicate an attempt to avoid traceability and reporting requirements. Cash transactions are often used by criminals to launder illicit funds, as they are difficult to track and verify. According to the FATF guidance on money laundering and terrorist financing risks in the art trade, cash payments above a certain threshold should be subject to enhanced due diligence and reporting obligations by art market participants (AMPs). AMPs should also be wary of customers who provide insufficient or inconsistent information about the source of funds, the purpose of the transaction, or the identity of the beneficial owner.

The activities that could be considered a potential spear phishing scam are:

A courier delivers a duplicate invoice to a business that contains updated payment details of an existing supplier. This could be a way of diverting funds to a fraudulent account by impersonating a legitimate vendor and exploiting the trust relationship between the business and the supplier1.

Payroll receives an external email from an employee looking to update their bank account information. This could be a way of stealing money from the employee or the employer by pretending to be the employee and requesting a change in the payment method or destination2.

An employee receives an email that asks to download an attachment, but the attachment is a malware. This could be a way of infecting the employee’s computer or network with malicious software that could compromise sensitive data, disrupt operations, or demand ransom3.

The other options are not necessarily spear phishing scams, although they may be other types of fraud or deception. For example:

An employee receives a phone call requesting that money be sent to assist someone in trouble. This could be a vishing scam, which is a form of voice phishing that uses phone calls to solicit personal or financial information or to request money transfers4.

A business sends its employees an email warning that email passwords must be changed to prevent cyber-fraud. This could be a legitimate security measure, or it could be a phishing scam, which is a form of email phishing that targets a broad audience and tries to trick them into revealing their credentials or clicking on malicious links.

Members of a religious organization receive a donation request by email claiming to be from their leader. This could be a genuine appeal, or it could be a social engineering scam, which is a form of manipulation that exploits the human factor and relies on the victim’s emotions, trust, or sympathy.

AML compliancemust balancedata privacy lawswithfinancial crime prevention.

Option A (Correct):FIUsmust document the purpose of SAR-related data sharingunderFATF Recommendation 29andGDPR compliance standards.

Option B (Incorrect):Customers do not have the rightto request redaction of personal data in SARs, as this wouldcompromise AML enforcement.

Option C (Incorrect):Many jurisdictions permit information sharingfor AML purposes underformal agreements (e.g., 314(b) USA PATRIOT Act, GDPR exemptions).

Option D (Incorrect):AML reporting requirementsoverride opt-in privacy preferencesdue to thelegal obligation to report suspicious activity.

AML audit findings must beanalyzed and addressed through remedial actions based on root cause analysis.

Option D (Correct):Root cause analysis helps develop effective corrective measures to prevent recurring AML deficiencies.

Option A (Incorrect):Retesting controls may be useful, but addressing deficiencies is more critical.

Option B (Incorrect):While the board oversees compliance, the responsibility for implementing fixes lies with AML teams.

Option C (Incorrect):Audit teams provide findings but do not execute corrective actions.

Best Practices for Addressing AML Audit Findings:

Identify the root cause of AML control failures.

Develop risk-based remediation plans.

Implement and monitor corrective actions.