CCO Cheat Sheet 2026

The 30 highest-yield CCO facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

110 questions
150 min time limit
60.00% to pass
  1. Which regulatory framework specifically requires financial institutions to conduct due diligence on third-party vendors who handle sensitive customer data? Gramm-Leach-Bliley Act (GLBA)
  2. What is the primary purpose of a corporate Code of Conduct? To define acceptable and unacceptable behaviors within the organization
  3. How should an organization prioritize risks in a risk management plan? By considering both the likelihood and impact of each risk
  4. Under the OCC's guidance on third-party risk management, which of the following is considered a 'critical activity' requiring heightened oversight? Outsourcing core banking processes or functions that could harm customers if disrupted
  5. What should a CCO do when they discover that a senior executive is violating the Code of Conduct? Report it to the appropriate governance body, such as the Audit Committee or Board
  6. What does a Suspicious Activity Report (SAR) require from a financial institution? Confidential filing with FinCEN when suspicious transactions are detected
  7. What is the role of a compliance officer in relation to regulatory changes? To ensure the organization adapts and complies with new regulatory requirements
  8. Which metric is most useful for measuring the effectiveness of an ethics hotline? Reports submitted, investigation closure rate, and substantiation rate
  9. What is 'structuring' in the context of AML? Deliberately breaking up transactions to avoid CTR reporting thresholds
  10. What is the maximum fine for a serious GDPR violation? €20 million or 4% of global annual turnover, whichever is higher
  11. What is the role of a whistleblower in the context of regulatory compliance? To report misconduct or violations within the organization
  12. Which of the following is a key component of an effective risk management framework? Regularly assessing and updating risk management policies and procedures
  13. What is the best practice when an employee faces pressure from a supervisor to falsify records? Refuse and report the incident through the compliance hotline or to the CCO
  14. Which body typically has ultimate oversight responsibility for a company's ethics program? The Board of Directors or Audit Committee
  15. Under FinCEN's Customer Due Diligence rule, covered financial institutions must identify beneficial owners holding what percentage or more of a legal entity? 25%
  16. Which component is essential for monitoring compliance within an organization? Implementing a robust internal audit program
  17. What is the principle of data minimization under GDPR? Collecting only the personal data that is necessary for the specified purpose
  18. Which type of risk is associated with regulatory changes and compliance requirements? Compliance risk
  19. What is the purpose of the Sarbanes-Oxley Act (SOX)? To protect investors by improving the accuracy and reliability of corporate disclosures
  20. Which element is typically included in a vendor contract's compliance addendum? Audit rights allowing the organization to inspect the vendor's compliance records
  21. Which phase of the third-party lifecycle is most critical for identifying compliance risks before a vendor relationship begins? Due diligence and onboarding
  22. Which regulation requires financial institutions to develop and implement a written information security plan? Gramm-Leach-Bliley Act (GLBA)
  23. How often should an organization's compliance policies and procedures be reviewed? Annually or as needed when regulations change
  24. Which of the following is an example of a facilitation payment? A small payment to a foreign official to expedite a routine government service
  25. Which action demonstrates a commitment to a culture of compliance within an organization? Providing transparent communication and support for compliance initiatives
  26. What is the primary purpose of a vendor risk tiering system in a compliance program? To allocate oversight resources proportionally based on the risk each vendor poses
  27. What is the significance of annual ethics certifications signed by employees? They confirm employee awareness and acknowledgment of ethics obligations
  28. What is the purpose of a risk register? To document and track identified risks, their impact, and mitigation strategies
  29. What is 'tone at the top' in the context of corporate ethics? Senior leadership's visible commitment to ethical behavior
  30. What is the role of internal audits in risk management? To independently assess and evaluate the effectiveness of risk management processes
Turn these facts into recall: