CCO Cheat Sheet 2026
The 30 highest-yield CCO facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
110 questions
150 min time limit
60.00% to pass
- Which regulatory framework specifically requires financial institutions to conduct due diligence on third-party vendors who handle sensitive customer data? → Gramm-Leach-Bliley Act (GLBA)
- What is the primary purpose of a corporate Code of Conduct? → To define acceptable and unacceptable behaviors within the organization
- How should an organization prioritize risks in a risk management plan? → By considering both the likelihood and impact of each risk
- Under the OCC's guidance on third-party risk management, which of the following is considered a 'critical activity' requiring heightened oversight? → Outsourcing core banking processes or functions that could harm customers if disrupted
- What should a CCO do when they discover that a senior executive is violating the Code of Conduct? → Report it to the appropriate governance body, such as the Audit Committee or Board
- What does a Suspicious Activity Report (SAR) require from a financial institution? → Confidential filing with FinCEN when suspicious transactions are detected
- What is the role of a compliance officer in relation to regulatory changes? → To ensure the organization adapts and complies with new regulatory requirements
- Which metric is most useful for measuring the effectiveness of an ethics hotline? → Reports submitted, investigation closure rate, and substantiation rate
- What is 'structuring' in the context of AML? → Deliberately breaking up transactions to avoid CTR reporting thresholds
- What is the maximum fine for a serious GDPR violation? → €20 million or 4% of global annual turnover, whichever is higher
- What is the role of a whistleblower in the context of regulatory compliance? → To report misconduct or violations within the organization
- Which of the following is a key component of an effective risk management framework? → Regularly assessing and updating risk management policies and procedures
- What is the best practice when an employee faces pressure from a supervisor to falsify records? → Refuse and report the incident through the compliance hotline or to the CCO
- Which body typically has ultimate oversight responsibility for a company's ethics program? → The Board of Directors or Audit Committee
- Under FinCEN's Customer Due Diligence rule, covered financial institutions must identify beneficial owners holding what percentage or more of a legal entity? → 25%
- Which component is essential for monitoring compliance within an organization? → Implementing a robust internal audit program
- What is the principle of data minimization under GDPR? → Collecting only the personal data that is necessary for the specified purpose
- Which type of risk is associated with regulatory changes and compliance requirements? → Compliance risk
- What is the purpose of the Sarbanes-Oxley Act (SOX)? → To protect investors by improving the accuracy and reliability of corporate disclosures
- Which element is typically included in a vendor contract's compliance addendum? → Audit rights allowing the organization to inspect the vendor's compliance records
- Which phase of the third-party lifecycle is most critical for identifying compliance risks before a vendor relationship begins? → Due diligence and onboarding
- Which regulation requires financial institutions to develop and implement a written information security plan? → Gramm-Leach-Bliley Act (GLBA)
- How often should an organization's compliance policies and procedures be reviewed? → Annually or as needed when regulations change
- Which of the following is an example of a facilitation payment? → A small payment to a foreign official to expedite a routine government service
- Which action demonstrates a commitment to a culture of compliance within an organization? → Providing transparent communication and support for compliance initiatives
- What is the primary purpose of a vendor risk tiering system in a compliance program? → To allocate oversight resources proportionally based on the risk each vendor poses
- What is the significance of annual ethics certifications signed by employees? → They confirm employee awareness and acknowledgment of ethics obligations
- What is the purpose of a risk register? → To document and track identified risks, their impact, and mitigation strategies
- What is 'tone at the top' in the context of corporate ethics? → Senior leadership's visible commitment to ethical behavior
- What is the role of internal audits in risk management? → To independently assess and evaluate the effectiveness of risk management processes
Turn these facts into recall: