Course Summary
FinTechs make change happen fast. And growth can come even faster. Financial crime prevention for FinTechs is different – this certification recognizes and responds to that.
CAFCA is the first FinTech compliance certification from ACAMS.
This course covers:
1. Governance, guidance, and regulation
2. Due diligence across customer types
3. Payment screening and transaction monitoring
4. Investigations, inquiries, and reporting
5. Scaling anti-financial crime strategies
CAFCA (Certified AML FinTech Compliance Associate) is designed to upskill and empower the teams you rely on to protect your organization, by ensuring they understand core compliance principles, functions, and risks.
A fully certified team also demonstrates that your business takes financial crime risks seriously.
For FinTechs, understanding and mitigating financial crime risk is essential for sustaining growth. Investors, customers, global regulators and financial institutions that provide banking services all expect FinTechs to have a risk management plan in place, and a properly trained workforce.
This associate-level certification enables individuals to demonstrate, and your organization to provide evidence of, financial crime prevention preparedness – designed specifically for your unique context.
GOVERNANCE, GUIDANCE, AND REGULATION (20%)
1.1 definition and types of FinTechs (e.g., PSPs, digital wallets, cryptocurrency exchanges) and features of FinTechs that make them vulnerable to financial crime
1.2 types of financial crime (e.g., money laundering, fraud (both first-party and third-party), sanctions, terrorist financing) and predicate crimes (e.g., bribery, tax evasion)
1.3 regulatory principles that apply to different FinTech business models (e.g., registration, licensing, banking charters) and differing AML requirements, including the purpose and guidance around sandbox usage
1.4 risk management framework (lines of defense, policies and procedures, principles of assurance and quality control, responsible party (e.g., MLRO))
1.5 best practices in handling sensitive/private information, including definitions of PII and SPII, privacy laws (e.g., GDPR, CCPA), reporting cybersecurity breaches/incidents, the consequences of inappropriate data handling
1.6 definitions and key components of risk-based approach, risk assessment, and risk appetite including their purpose and when to review and update
1.7 types of sources available to reference to guide the development of processes
1.8 how FinTechs are risk-categorized by more traditional institutions and how to maintain the relationships (onboarding and ongoing, derisking)
1.9 control framework to mitigate internal threat
1.10 types of risk (e.g., reputational, business, operational, financial, regulatory)
DUE DILIGENCE ACROSS CUSTOMER TYPES (20%)
2.1 CIP/KYC/eKYC/CDD/EDD processes, including definitions, core activities, and best practices (e.g., understanding account purpose and ownership, setting baseline activity), and how risk-based approach is applied
2.2 identification verification/digital identification verification principles (e.g., matching data points) including expected documents/document quality
2.3 data sources to verify customer information (e.g., online searching, open-source, private and public third-party data providers, fraud) and how to determine the reliability of these sources
2.4 data that can be used to verify customer information (e.g., IP address, GPS coordinates, MAC addresses, application completion time, copy/paste use)
2.5 principles and purpose of screening for sanctions (e.g., information that indicates a sanction concern, how to select the appropriate sanctions list), PEPs (the risks PEPs pose, foreign v. domestic PEPs), and fraudsters
2.6 risk ratings, including the types of risk factors (e.g., types of customers), the information to include in the risk rating, and how to access this information (e.g., internal and external data sources), how risk algorithms work
2.7 red flags for fraudulent activity in onboarding (e.g., spoofing, identity theft, counterfeit documentation)
PAYMENT SCREENING AND TRANSACTION MONITORING (25%)
3.1 purpose of transaction monitoring
3.2 purpose of and red flags in screening payments (e.g., sanctions and fraud) and the decisions to be made when screening
3.3 red flags of financial crimes in transaction monitoring (e.g., layering funds, integrating funds) and characteristics of suspicious transactions
3.4 common payment transaction methods, including cryptocurrency and other high-risk transactions (e.g., aggregation)
3.5 investigatory process for alerts (e.g., determining unusual/suspicious activity, determining escalation)
3.6 best practices in creating an audit trail (i.e., documentation) for all suspicious activities
3.7 types of transactions for FinTechs and associated risks (e.g., reversible v. non-reversible, convertible v. non-convertible, fund integrity, cryptocurrency (privacy coin))
3.8 transaction monitoring systems and software, including how thresholds are set and adjusted, model validation, rule-based (e.g., pattern recognition) v. machine learning
3.9 best practices for communicating transaction monitoring trends/results, including KPIs, OKRs, and other statistics
INVESTIGATIONS, INQUIRIES, AND REPORTING (20%)
4.1 appropriate customer communication (e.g., what questions can be asked of the customer, what information can be disclosed during investigations and offboarding)
4.2 how to review KYC information, transactions, open-source research, documentation to inform the investigation
4.3 analytical principles in an investigation (e.g., confirmation bias)
4.4 SARs/STRs, including definitions, when and where they are required, why they are important, and best practices for writing them
4.5 how to work and communicate with third-parties (e.g., law enforcement, banking partners, regulators)
4.6 types of law enforcement requests (e.g., information, court order), both domestic and international
4.7 how to communicate with customers for financial crime risk v. violation of company policy
4.8 how banking partners’ terms of service relate to FinTech’s terms
SCALING ANTI-FINANCIAL CRIME STRATEGIES (15%)
5.1 how to assess new products/additional features and associated potential risks and necessary controls (e.g., elements of new products that present particular risks (e.g., products moving from domestic to international, offering new types of accounts, changing payment processes, adding distribution channels))
5.2 importance of reviewing and updating the risk assessment as a part of scaling
5.3 types of changes that should lead to a financial crime assessment review
5.4 methods and rules of record retention and data storage
5.5 considerations of outsourcing controls (e.g., surge capacity, RegTechs, independent testing of compliance framework)