ABA · CAFP
The ABA CAFP certifies financial professionals in anti-money laundering and fraud prevention within U.S. banking institutions. It validates expertise across assessment, investigation, reporting, and remediation of financial crimes.
Questions
750
Duration
180 minutes
Passing Score
500/800
Difficulty
ProfessionalLast Updated
Mar 2026
Use this CAFP practice exam to prepare for Certified AML and Fraud Professional (CAFP) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 750 questions for ABA CAFP, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as BSA/AML Compliance, Fraud Detection and Prevention, Financial Crimes Assessment, Investigations, and Regulatory Reporting. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ABA Certified AML and Fraud Professional (CAFP) is an advanced-level credential issued by the American Bankers Association (ABA) that validates a financial professional's expertise in anti-money laundering (AML) and fraud prevention within U.S. banking institutions. The certification tests competency across the full lifecycle of financial crimes response: assessing risk and identifying suspicious activity, conducting thorough investigations, fulfilling regulatory reporting obligations, and executing remediation strategies. It is grounded in U.S. laws and regulations, including the Bank Secrecy Act (BSA), the USA PATRIOT Act, and federal fraud statutes.
The CAFP was developed by an advisory board of financial crimes practitioners to reflect real-world job tasks performed by competent professionals in the field. It covers traditional AML and fraud disciplines as well as emerging threats such as cyber-enabled financial crimes. The credential signals to employers that a professional possesses both the theoretical knowledge and practical application skills required to protect banking institutions from money laundering, fraud, terrorist financing, and related financial crimes.
The CAFP is designed for experienced financial crimes professionals employed within U.S. banking institutions. Suitable candidates include BSA/AML compliance officers, fraud investigators, financial crimes analysts, risk managers, internal auditors, compliance consultants, and state or federal bank examiners and law enforcement personnel working with financial institutions. The certification is also relevant for professionals in legal, operations, and cyber units who deal with financial crimes detection or response.
Candidates are expected to have hands-on, U.S.-based banking experience in BSA/AML compliance, fraud detection, or cyber-enabled financial crimes. Because the exam is grounded in U.S. laws and regulations, it is specifically suited to professionals operating within the U.S. banking regulatory environment, rather than general financial services or international practitioners.
ABA requires candidates to meet one of three eligibility pathways before sitting for the CAFP exam. The first pathway requires a minimum of two years of qualifying U.S. banking financial crimes experience plus completion of at least one approved BSA/AML or fraud training program. The second pathway requires a minimum of two years of qualifying experience plus current holding of at least one approved professional certification (such as CAMS, CFE, CRCM, CIA, or CBAP). The third pathway is available to candidates with five or more years of qualifying financial crimes experience, with no additional training or certification requirement.
All candidates must have direct experience in BSA/AML compliance, fraud detection, and/or cyber-enabled financial crimes within a U.S. banking context. Non-U.S. experience does not satisfy the eligibility criteria. Candidates must also agree to the ABA Professional Certifications Code of Ethics upon application. ABA reviews applications and notifies candidates of approval or denial within approximately two weeks of submission.
The CAFP exam consists of 150 multiple-choice questions to be completed within 180 minutes (3 hours). The exam is scored on a scale with a passing score of 500 out of 800. Calculators are provided at testing sites. Exams are administered through Meazure Learning either at physical U.S. test sites or via live remote proctoring (LRP) through the ProctorU platform, which allows candidates to test from a private location with a live remote proctor, provided they meet the technical requirements.
The exam is offered during a defined testing window (for example, July 1–31 of a given year), and candidates must apply by the published application deadline. For most computer-based exams taken at test sites, candidates receive an instant Pass/Fail result upon completion. Official score reports are delivered via email within six weeks after the close of the exam window. The exam fee is $575 USD, and a non-refundable $100 application fee is retained if an application is denied.
Earning the CAFP positions professionals for advancement into senior financial crimes roles such as BSA Officer, AML Program Manager, Fraud Director, Chief Compliance Officer, or Financial Crimes Consultant. The designation demonstrates a validated, practitioner-level competency in a specialized and increasingly regulated domain, differentiating holders from peers who rely solely on general compliance or audit credentials. Employers in the U.S. banking sector — including commercial banks, credit unions, and federal regulatory agencies — actively seek professionals who can demonstrate this level of expertise as financial crimes compliance obligations intensify.
The credential is issued by the American Bankers Association, the principal trade association for U.S. banks, lending it strong industry recognition among domestic banking employers and regulators. Holding the CAFP alongside or in place of related credentials such as CAMS (ACAMS) or CFE (ACFE) can broaden a professional's appeal, as CAFP is uniquely focused on the intersection of both AML and fraud within the U.S. banking regulatory framework. Continuing education requirements for renewal ensure that certified professionals maintain current knowledge, reinforcing the credential's long-term value to employers.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 750 questions.
Preview — answers shown1. Litware Savings Bank is implementing a new Customer Identification Program to comply with Section 326 of the USA PATRIOT Act. A non-U.S. person applies to open a savings account. The CIP officer needs to collect the minimum required data elements. Which combination of identifying information must the bank collect from this individual? (Select one!)
Explanation
Section 326 and 31 CFR 1020.220 require banks to collect four minimum data elements for CIP: name, date of birth, address, and identification number. For non-U.S. persons, acceptable identification numbers include a passport number and country of issuance, alien identification card number, or another government-issued document showing nationality or residence with a photograph. A Social Security Number is required for U.S. persons, not non-U.S. persons. The CIP rule does not require two forms of photo identification. Employer verification is not one of the four minimum CIP data elements.
2. Northwind Community Bank's fraud monitoring system flags a high-risk alert: a customer's online banking credentials were used to log in from an IP address associated with a known VPN hosting provider in Eastern Europe, followed by a wire transfer request to a previously unknown beneficiary. The customer's historical login pattern shows access exclusively from a single U.S. metropolitan area using the same device identifier. Which investigative steps should the fraud team prioritize? (Select two!)
Multiple correct answersExplanation
Analyzing the IP address, user agent string, device identifier, and hosting provider is critical for determining whether an account takeover has occurred. If the IP traces to a VPN or hosting provider frequently associated with fraudulent activity rather than a residential ISP, and the device identifier does not match the customer's known devices, these cyber indicators strongly suggest credential compromise. Contacting the customer through a previously verified phone number — not one associated with the suspicious session or recent account changes — is essential to confirm whether the login and wire transfer were authorized. Together, these steps follow FinCEN guidance on incorporating cyber-related information into investigations and align with standard account takeover investigation protocols. Immediately closing the account without investigation is premature and does not follow proper investigative procedures, as the activity may have an innocent explanation. Filing a SAR based solely on a foreign IP address without further investigation does not meet the standard of knowing, suspecting, or having reason to suspect suspicious activity, because additional analysis is needed to determine whether the access is truly unauthorized. Dismissing the alert ignores that the customer's established pattern shows exclusively domestic access from a consistent device, making a foreign VPN login with an unfamiliar device identifier a significant deviation warranting thorough investigation.
3. Tailspin Heritage Bank's fraud team receives a report from a branch manager about an elderly customer. The customer, who previously managed her own accounts independently, has been accompanied to the branch three times in the past month by a new acquaintance who insists on being present during all transactions. During the most recent visit, the customer appeared confused and signed documents authorizing a $75,000 wire transfer to an account controlled by the acquaintance. What actions should the bank take? (Select two!)
Multiple correct answersExplanation
Per FinCEN Advisory FIN-2022-A002, institutions should file a SAR using the elder financial exploitation checkbox in SAR Field 38(d) and include the key term 'EFE FIN-2022-A002' in SAR Field 2 when reporting suspected elder financial exploitation. The advisory emphasizes that the victim — the elderly customer — should NOT be reported as the SAR subject. Instead, the individual suspected of exploitation (the new acquaintance) should be identified as the subject. Many states require mandatory reporting to Adult Protective Services when elder financial exploitation is suspected, making this an important complementary action. Taking no action ignores clear red flags of exploitation including the sudden appearance of a new acquaintance, behavioral changes, and large transfers to the acquaintance's account. Immediate account closure without proper investigation could harm the victim by cutting off access to her own funds.
4. Litware Savings Bank's internal audit team is planning the annual independent testing of the BSA/AML program. The audit director proposes that the BSA compliance officer should define the scope and methodology of the independent test to ensure all critical areas are covered. Is this approach appropriate? (Select one!)
Explanation
Independent testing is one of the five pillars of BSA/AML compliance, and its effectiveness depends on the independence of the review. Allowing the BSA compliance officer to define the scope and methodology of independent testing compromises that independence, as the officer has a vested interest in the program's evaluation. The testing party — whether internal audit or an external firm — must independently determine what to test, how to test it, and the risk-based scope of the review. The BSA officer's knowledge of the program is relevant but should inform the testing party's understanding, not dictate the scope. Board approval of an officer-defined scope does not cure the independence problem. Independent testing can be performed by qualified internal audit staff, provided they are independent of the BSA/AML function — it does not require an external firm.
5. Northwind Community Bank's fraud and BSA team jointly reviews an alert involving three apparently unrelated personal accounts that each initiated small-value wire transfers totaling $4,700 to recipients in a FATF grey-listed jurisdiction. No single transfer exceeds $2,000. The bank's transaction monitoring system flagged the activity, and a review of online banking session logs reveals all three accounts accessed the platform from the same IP address within a 30-minute window. What investigation approach should the team prioritize? (Select one!)
Explanation
Conducting link analysis using the shared IP address is the correct investigative priority because cyber indicators such as IP addresses are critical tools for identifying connections between seemingly unrelated accounts. A shared IP address linking three accounts that independently send small-value wires to a high-risk jurisdiction strongly suggests coordinated activity — potentially account takeover through credential compromise, a single individual controlling multiple accounts, or organized terrorist financing using sub-threshold transfers to avoid detection. The investigation should correlate the IP address data with timestamps, device identifiers, and customer due diligence profiles before making a SAR filing decision. Dismissing the alert because individual amounts fall below the Travel Rule threshold ignores that the suspicious pattern itself — not the dollar amount — is the red flag, and the aggregate $4,700 amount is within the $5,000 SAR threshold range warranting investigation. Filing three separate SARs without investigating the IP connection fails to conduct the analysis needed to accurately characterize the suspicious activity and identify the true scope of the scheme. Escalating to OFAC is incorrect because FATF grey-listed jurisdictions and OFAC-sanctioned countries are fundamentally different designations — FATF grey listing indicates increased monitoring commitments but does not trigger OFAC blocking requirements under U.S. sanctions law.
Certified Financial Marketing Professional (CFMP)
CFMP · 750 questions
Certified Enterprise Risk Professional (CERP)
CERP · 749 questions
Certified IRA Services Professional (CISP)
CISP · 700 questions
Certified Regulatory Compliance Manager (CRCM)
CRCM · 700 questions
Certified Trust and Fiduciary Advisor (CTFA)
CTFA · 699 questions
$17.99
One-time access to this exam