Anonymity-enhanced cryptoassets employ specific technical features to obfuscate the details of

transactions and the identities of users to reduce traceability and increase privacy. These include:

Automatic mixing (B): This refers to mechanisms such as coin mixers or tumblers that combine

multiple transactions from different users into one batch and redistribute them, breaking the direct

transaction link and obscuring the audit trail.

Cryptographic enhancements (D): Techniques such as zero-knowledge proofs, ring signatures, stealth

addresses, and confidential transactions are cryptographic protocols that conceal sender, receiver,

and transaction amount information, making the blockchain ledger less transparent.

Other options explained:

Proof-of-stake mining (A) is a consensus mechanism and not related to anonymity features.

Secure hashing algorithm 256 (C) is a cryptographic hash function standard but does not directly

enhance anonymity.

MetaMask wallet (E) is a non-custodial wallet used mainly for Ethereum and tokens but is not an

anonymity tool.

Reference from official crypto AML guidance and typology papers:

DFSA AML Module and thematic reviews highlight these anonymity techniques as high-risk indicators

requiring enhanced due diligence (EDD).

UAE typology papers and FATF virtual asset guidance emphasize the risk posed by anonymity-

enhanced cryptoassets using automatic mixing and cryptographic enhancements to circumvent AML

controls【AML/VER25/05-24: Sections 6.4, 7.3; 31.92._TFS_Typology_Paper_Eng__4.pdf】.

The ultimate responsibility for risk oversight lies with the Board of Directors. Senior management

and the board have the fiduciary and governance duty to ensure that an effective risk management

framework, including AML/CFT controls and cryptoasset-specific risks, is in place and functioning

properly.

The DFSA GEN Module and AML Module explicitly allocate the highest accountability for compliance

and risk oversight to the Board of Directors, while first and second lines support implementation and

oversight respectively. The Chief Risk Officer (CRO) supports risk management but the board

maintains ultimate accountability.

Key extracts:

GEN Module, Chapter 5: “Responsibility for compliance lies with every member of senior

management, with ultimate oversight by the Board.”

AML Module Section 1.2 & 4.1: “Senior management and Board must ensure appropriate systems

and controls for AML/CFT risk management.”

FATF Recommendation 2 underscores that senior management and boards are accountable for

effective AML governance【GEN/VER64/05-24: Chapter 5; AML/VER25/05-24: Sections 1.2, 4.1】.

Thus, D is the correct answer.

National risk assessments conducted across various jurisdictions consistently report that money

laundering risks related to cryptoasset activities are rising. The growing adoption, complexity, and

use of cryptoassets for illicit purposes contribute to elevated risk levels.

While geography (B), awareness (C), and digital banking adoption (D) can influence risk factors, the

overarching trend is an increase in ML risks tied to cryptoassets.

This conclusion is supported by FATF’s global guidance and numerous national risk assessment

reports reviewed by the DFSA and related authorities

Money laundering risk increases if the business operates in or near high-risk jurisdictions (D) or

regions associated with narcotics production (C), as these are common sources of illicit funds.

An increase in volume and users (A) or supporting various cryptoassets (B) alone does not necessarily

increase ML risk. Recent licensing (E) may indicate regulatory compliance, potentially lowering risk.

Direct sending to a scam cluster indicates active involvement by the customer in potentially

transferring funds associated with fraudulent activities. Sending funds directly to known scam

addresses is a strong indicator of complicity or direct engagement.

Indirect flows (A and B) could be less conclusive, and direct receiving (D) may indicate victimhood

rather than active involvement.

AML typologies and DFSA guidance identify direct outgoing transactions to scam clusters as

significant red flags.

Privacy tokens are specifically designed to obfuscate transaction details such as sender, recipient,

and amounts, making them inherently high risk for money laundering and terrorist financing. Their

anonymity-enhanced features pose significant challenges to AML efforts.

Stablecoins (B), platform tokens (C), and security tokens (D) have varying risk profiles but generally

provide more transparency or are subject to regulatory frameworks, reducing inherent AML risk

compared to privacy tokens.

FATF and DFSA AML frameworks highlight privacy tokens as a priority for enhanced due diligence and

risk mitigation due to their abuse potential.

The Financial Action Task Force (FATF) guidance on Virtual Assets and Virtual Asset Service Providers

(VASPs) explicitly highlights that transactions involving unhosted wallets (wallets not held or

controlled by a regulated entity) pose a high inherent risk for money laundering and terrorist

financing. This is because unhosted wallets are more difficult to monitor and control, lack identifiable

customer information, and are often exploited for illicit activities.

The DFSA AML Module, aligned with FATF recommendations, mandates that Relevant Persons

incorporate this risk into their business-wide risk assessments. The increased volume of transactions

to and from unhosted wallets should therefore be assigned a high inherent risk rating to trigger

enhanced controls such as enhanced due diligence (EDD) and transaction monitoring.

Supporting extracts include:

FATF Guidance on Virtual Assets (October 2021) states: "Unhosted wallets or transactions with them

represent a high risk of ML/TF due to limited or no access to identifying information."

DFSA AML Module (AML/VER25/05-24) Section 4.1 & 6.1 on Risk-Based Approach: mandates firms to

assess and rate risks posed by customers and products, explicitly including virtual assets and

unhosted wallets as high risk.

COB Module also requires heightened controls and disclosures when dealing with transactions

involving unhosted wallets【AML/VER25/05-24: Sections 4.1, 6.1, COB/VER45/05-24: Sections 6.13,

15.6】.

Thus, option D (High) is the correct risk rating.

SARs should include detailed transactional information to support investigations, including all types

and aggregate amounts of cryptocurrencies purchased, along with fiat currency equivalents. This

information provides a clear picture of the subject’s activity and financial scale.

Owner names of destination wallets (B) may not be available; onboarding info (D) is supplementary,

and fiat aggregate totals (C) alone are insufficient.

FATF and DFSA guidance recommend comprehensive transactional data inclusion in SARs to facilitate

law enforcement.

FATF Recommendation 13 (Correspondent Banking and Similar Relationships) and its application to

VASP–VASP relationships require enhanced due diligence before onboarding. This is because such

arrangements carry elevated ML/TF risk, especially in cross-border settings.

Required CDD practices include:

Assess the nature and purpose of the VASP relationship (C): Understand why the relationship is being

established and the expected services/products.

Obtain approval from senior management (D): Senior management oversight ensures risk is accepted

at the appropriate governance level.

Assess the VASP’s supervision and if a license/registration is needed (E): Confirm regulatory

oversight, licensing, and compliance with AML/CFT obligations.

Options A and B are not core FATF requirements for CDD in this context — local authority approval

may be a domestic regulatory requirement in some countries, but not a FATF baseline, and

profitability assessment is a business decision, not an AML measure.

A restricted blockchain is one where participation—either in transaction validation, data access, or

both—is limited to selected entities rather than being open to the public.

Consortium blockchain (D) is a common type of restricted blockchain in which multiple pre-approved

organizations collectively manage the network. It offers partial decentralization but with controlled

membership, making it suitable for regulated environments such as financial services, supply chain

tracking, and interbank settlements.

Other options explained:

Hybrid (A): Combines elements of public and private chains, but not necessarily “restricted” in the

strict governance sense.

Public (B): Open to anyone to join, read, and write data; not restricted.

Private (C): While private blockchains are also restricted, in AML/CFT guidance, “restricted

blockchain” generally refers to consortium arrangements involving multiple vetted participants,

rather than a single organization’s closed chain.

Regulatory and technical literature in DIFC/ADGM contexts note that consortium blockchains allow

for compliance controls, participant vetting, and transaction monitoring—making them particularly

suitable for financial ecosystems where controlled access is essential.