CRYPTOASSET AND BLOCKCHAIN (30%)
1.1 The definition and history of cryptoassets and
how they are different than virtual or digital
assets (e.g., why regulators use the word virtual
asset versus cryptoasset; why cryptoassets are
needed; virtual assets that are not cryptoassets
such as stable coins, central bank digital
currencies (CBDCs); virtual assets that are not
based on a blockchain)

1.2 Limitations and advantages of cryptoassets
compared to fiat methods of payment

1.3 The definition of cryptoasset miners and how
miners operate (e.g., how miners operate in
the ecosystem and how they are relevant to
the process; history of miners; how miners
build blocks; advantages of freshly mined
cryptoassets vs. standard ones)

1.4 The definition of virtual asset service provider
(VASP), and the categories, types, and functions
of VASPs (e.g., crypto ATMs; P2P exchanges;
initial; centralized and decentralized exchanges;
third-party payment processors; the role of
VASPs in crypto and fiat; what banks can do
to make them a VASP; the use of cryptoasset
tumblers/mixers and mixing services)

1.5 Types, characteristics, and purposes of different
blockchains (e.g., account-based vs. UTXObased) (includes why to engage in blockchain
technologies; differences between centralized
systems and blockchain including resilience,
digital uniqueness)

1.6 How different blockchains are used to store
cryptoassets

1.7 Vulnerabilities and risks associated with different
blockchains (e.g., 51% attack, smart contract
flaws)

1.8 How different blockchain transactions operate
(e.g., interactions with smart contracts; lightning
network)

1.9 The purpose of smart contracts (e.g., the
deployment of different smart contracts across
different blockchains)

1.10 How to assess the risks associated with a DeFi
protocol or smart contract (e.g., whether a
security audit has been completed, who the
development team is, how and where to look for
a security audit; due diligence for organizations
and individuals behind the projects including
how to recognize the white paper)

1.11 Consensus methods including proof of
work vs. proof of state (includes degree of
decentralization based on consensus methods)

1.12 Decentralized autonomous organizations (DAOs) and decentralized applications (DApps)

1.13 How a user can purchase and acquire
cryptoassets (e.g., different payment rails; on
ramps and off ramps; how fiat currency is used
to buy Bitcoin)

1.14 The definition of a blockchain wallet, and the types and characteristics of different blockchain
wallets (e.g., definition of a hot and cold wallet;
Bitcoin vs. Ethereum wallet, key management/
key control)

1.15 The definition of attribution, sources of
attribution data, and clustering of addresses
(e.g., understanding of nested exchanges;
confidence and reliability regarding the sources
of attribution data; the definition of clustering
and how clustering works; clustering heuristics
and benefits of UTXO tracing)

AML FOUNDATIONS FOR CRYPTOASSET AND BLOCKCHAIN (35%)
2.1 Common financial crime typologies (e.g.,
smurfing, money mules, trade-based money
laundering, mirror trading, prepaid cashcards)

2.2 How cryptoassets can be used in different
financial crime typologies and risks associated
with different cryptoassets (e.g., fraud, tax
evasion, sanctions, NFTs)

2.3 How smart contracts can be exploited for
financial crime (e.g., their relationship to fraud
schemes)

2.4 Categories of risks (e.g., customer, product,
channel, jurisdiction) and examples of risks
within each category

2.5 How reputational risk can impact an
organization (e.g., risk related to not having an
AML compliance program)

2.6 Types of cryptoasset risk factors and how to
identify and assess relevant risk factors (e.g.,
customer risk, products and services risk,
geographic risk) (includes common high-risk
customer types)

2.7 The risk-based approach to business (e.g., how
to implement and understand an organization’s
risk appetite, using specific organizational
policies to assess risk appetite)

2.8 Creating risk assessment frameworks/models
(e.g., how to measure inherent risk, residual risk,
controls effectiveness)

2.9 KYC/CDD standards and best practices (e.g.,
type of business; expected behavior (are they
investing) and expected transaction activity;
licensing requirements) (includes knowing your
VASPs and institutions you interact with)

2.10 Types of red flags and which red flags apply to
different organizations and different products

2.11 Red flags generally associated with cryptoassets (e.g., traditional red flags, dark markets, AEC, FinCen red flags, ransomware, FATF Virtual Assets Red Flag Indicators)

2.12 Responsibilities of compliance roles within an
organization (e.g., controlling risk, residual risk
equation, risk-based escalation, dual controls)

RISK MANAGEMENT PROGRAMS FOR CRYPTOASSET AND BLOCKCHAIN (35%)
3.1 How to risk rate multiple cryptoassets within
one’s own organization using third-party tools

3.2 Risk factors associated with different customer
types and common high-risk customer types
(e.g., high volume/high amount users across
different business models)

3.3 Risk factors associated with VASP types (e.g.,
Binance vs. Gemini)

3.4 Regulations related to cryptoassets and crossjurisdictional regulatory requirements based
on an organization’s jurisdiction and product
jurisdiction (e.g., FinCEN’s definition of exchange
vs. FATF’s definition of VASPs and examples;
travel rule; challenges/nuances related to
obtaining and moving information with the
transaction; regulations prohibiting tipping off)

3.5 Differences between policies and procedures
and when to review and update policies and
procedures (e.g., the cadence with which
policies should be reviewed/retested, changes to
legislations)

3.6 The relationship between the customer risk
assessment and the level of KYC/CDD

3.7 How to determine source of funds and source
of wealth (e.g., coins, wallet, fiat) (including
recognizing mined cryptoassets in the ledger)
and how to document source of funds

3.8 Sources of information that can be used during
customer research (e.g., customer, organization
data, open-source data, internal data)

3.9 Available information one can access publicly on the blockchain

3.10 Investigation methods for different blockchains
(e.g., Ethereum vs. blockchain)

3.11 How to identify hot wallet addresses of
cryptocurrency exchanges for the purpose of
assessing risk (e.g., using blockchain analytics;
using a sanctions list)

3.12 Blockchain analytics tools and how to use
them for research, monitoring, and customer
risk assessment (e.g., open source blockchain
explorers, how to use analytics to find
transaction history, dashboards, methods of
attribution/attribution of addresses, use of
Anonymity Enhanced Cryptocurrency (AEC)/
obfuscation techniques)

3.13 Tracking and tracing and how to read and
interpret transactions in order to follow the
flow of funds (e.g., on ledger/off ledger; best
practices for when to stop tracing a coin; when
to terminate an investigation; how mixing
services apply to investigations; risks associated
with tumblers/mixing services; how privacy coins
impact tracking and tracing)

3.14 The definition of risk scores, and what they mean in risk rating transactions

3.15 Procedures for transaction monitoring (e.g.,
retuning; threshold setting based on emerging
trends and typologies; the relation between
an organization’s risk appetite and thresholdsetting; risks related to indirect exposure)

3.16 Applications of machine learning and artificial
intelligence (i.e., how to justify and explain
decisions based on these models to regulators)

3.17 Internal procedures for escalation and
investigations (e.g., working with relevant
stakeholders/teams)

3.18 Different types of law enforcement and civil
requests (e.g., legal gateways, types of requests,
responding to law enforcement requests, how
requests inform the Compliance program/how
to handle requests)

3.19 Suspicious activity/transaction reporting related to cryptoassets (i.e., elements of a SAR/STR-
narrative, supporting documents, data points;
how filing a cryptoasset SAR/STR can differ from
filing a traditional financial SAR/STR)