CCA AML section — how different is crypto AML from traditional AML?
I hold a CAMS certification and have years of bank AML experience. Now studying for the certified cryptocurrency auditor designation, and I'm trying to identify what's genuinely new versus what maps to existing knowledge. Some of it — risk-based approach, transaction monitoring, SAR filing — is familiar territory. But the blockchain-native elements clearly differ.
Specifically, I'm curious how the CCA handles pseudonymity (no named accounts, just addresses), the absence of a central intermediary in many DeFi transactions, and the multi-jurisdictional nature of on-chain activity where transactions route through multiple countries simultaneously. Traditional AML geography is relatively clean; crypto compliance geography is murky.
Working through the CCA Anti-Money Laundering and Financial Crime in Crypto practice set has been useful. The travel rule questions in particular are more nuanced than I expected — it actually distinguishes between custodial and non-custodial wallet treatment. CAMS holders: what was your learning curve?
CAMS holder here who took the CCA last quarter. Learning curve was moderate — maybe 60% familiar territory. The genuinely new material is: on-chain transaction monitoring logic (risk scoring heuristics for mixers, bridges, darknet exposure), NFT-based layering schemes, and the emerging regulatory frameworks for DeFi. The exam tests all of these at a solid depth. Your CAMS background will definitely accelerate the AML sections.
The mental model that clicked for me was thinking of blockchain as a permanent, public audit trail that paradoxically makes tracing harder because of layering through mixers, chain-hops, and privacy coins — not easier. With traditional bank AML you're chasing records that might not exist; with crypto you're drowning in records that are pseudonymous and deliberately obfuscated. The FATF guidance on virtual assets (specifically Recommendation 15 and the Travel Rule) is where a lot of exam questions live, and if you already know FATF cold from your CAMS prep, re-read it specifically through the lens of how VASPs are supposed to implement it versus how they actually do.
The most concrete study tip I can give: build a side-by-side comparison table of traditional red flags versus crypto-specific red flags. Things like "rapid movement of funds through multiple accounts" maps directly to chain-hopping across five wallets in ten minutes — same typology, different rails. But then there are genuinely new flags: use of non-custodial wallets immediately after exchange withdrawal, transactions sized just under exchange KYC thresholds, interactions with flagged smart contract addresses. Once you physically write those parallels out, the gaps become obvious and you stop wasting time re-studying the stuff you already know cold from banking.
For SAR filing specifically, the CCA exam goes deeper on the mechanics of what constitutes "knowledge" when the counterparty is a smart contract rather than a person — worth spending extra time there. The blockchain analytics tools section (Chainalysis, Elliptic, TRM Labs) also tends to trip up people with traditional backgrounds because the exam expects familiarity with risk scoring methodology, not just the concept that such tools exist.
Related Discussions
- Which section of the ISACA is hardest? My breakdown after taking it5 replies
- How close are ADA practice tests to the real exam? My honest review5 replies
- Finally passed the CCCP last week — here's what actually moved the needle for me5 replies
- DeFi vs CeFi auditing — what does the CCA exam actually test?5 replies
- Which section of the ARM is hardest? My breakdown after taking it5 replies