Certified Financial Crime Specialist (CFCS)

Correct: For top-heavy testing purposes, a Key Employee is defined as any employee who, during the plan year, was a 5% owner, a 1% owner earning over $150,000, or an officer earning more than the inflation-adjusted threshold ($215,000 for 2023). Since the individual was an officer during the year and their compensation exceeded the threshold, they meet the definition regardless of their lack of ownership or the fact that they were not an officer for the full twelve months.

Incorrect: The assertion that 1% ownership is required for an officer to be a Key Employee is incorrect; ownership and officer status are independent criteria. The requirement to hold officer status for the entire year is not supported by IRS regulations, as serving as an officer at any time during the plan year is sufficient. While there is a limit on the number of officers (the lesser of 50 or 10% of employees), there is no evidence in the scenario that this limit was reached or that this specific individual would be the one excluded if it were.

Takeaway: An employee is classified as a Key Employee if they meet the officer compensation threshold at any point during the plan year, independent of ownership requirements.

Correct: The correct approach involves implementing a dynamic risk assessment model where specific trigger events, such as the filing of a Suspicious Activity Report (SAR) or the identification of significant red flags, necessitate an immediate re-evaluation of the customer’s risk rating. This aligns with the Financial Action Task Force (FATF) recommendations and the risk-based approach (RBA), which dictate that risk profiles must reflect the current understanding of the threat posed by a customer. Relying solely on periodic reviews ignores the reality that a customer’s risk can change instantly based on their behavior or external factors. By mandating an out-of-cycle assessment, the firm ensures that its mitigation strategies, such as Enhanced Due Diligence (EDD), are applied proportionally to the actual risk.

Incorrect: Increasing the frequency of periodic reviews for certain segments, such as moving to an annual cycle, is a positive step but still fails to address the immediate risk posed by a specific incident occurring between those reviews. Automated scoring adjustments based on a fixed percentage are often too simplistic and may not trigger the necessary qualitative analysis or Enhanced Due Diligence required for high-risk scenarios. Conducting quarterly look-backs by internal audit is a detective control for compliance but does not solve the primary issue of the business line and compliance department failing to update the active risk profile and mitigation strategy in real-time during the incident response phase.

Takeaway: Effective customer risk management requires a dynamic framework where risk ratings are updated in response to specific trigger events rather than relying exclusively on calendar-based periodic reviews.

Correct: The most appropriate fiduciary response is to evaluate and potentially amend the plan design to better align with the plan’s objectives. Plan sponsors have the authority to modify optional forms of benefit, such as in-service withdrawals. By conducting a study and following formal amendment procedures—including the distribution of a Summary of Material Modifications (SMM)—the sponsor can legally and ethically adjust the withdrawal strategy to promote long-term retirement security.

Incorrect: Implementing a discretionary hold without plan document authorization is an operational failure and a breach of fiduciary duty. Retroactively changing a vesting schedule is a violation of the anti-cutback rules under IRC Section 411(d)(6) and ERISA. While a plan can be amended to remove certain in-service withdrawal provisions prospectively, doing so ‘immediately’ without proper notice or consideration of protected benefits, and redirecting funds in that manner, ignores the required procedural requirements for plan amendments and participant disclosure.

Takeaway: Fiduciaries should manage plan withdrawal strategies through formal plan design reviews and documented amendments rather than ad-hoc administrative restrictions.

Correct: Under the Pension Protection Act of 2006 (PPA), participants must be immediately eligible to diversify elective deferrals and employee after-tax contributions that are invested in publicly traded employer securities. Unlike employer-sourced contributions, which can be subject to a three-year service requirement, employee-sourced contributions have no such permissible delay. Restricting the diversification of elective deferrals based on service years is a compliance failure.

Incorrect: Restricting the diversification of employer-source contributions, such as matching or nonelective contributions, until a participant has three years of service is permitted under PPA rules. Offering at least three investment alternatives (the plan offers four) and allowing diversification at least quarterly are standard requirements for compliance. Furthermore, plans are permitted to impose reasonable restrictions to prevent market timing, such as a 30-day restriction on reinvesting into the same employer stock fund after a divestment.

Takeaway: While employer contributions may be subject to a three-year service requirement for diversification, elective deferrals invested in publicly traded employer securities must be diversifiable at all times without service requirements.

Correct: Under Internal Revenue Code Section 411(d)(3), a plan must provide that upon its termination, the rights of all affected employees to benefits accrued to the date of such termination, to the extent funded, or the amounts credited to the employees’ accounts, are nonforfeitable (100% vested). Additionally, the IRS requires that plan assets be distributed as soon as administratively feasible after the plan termination date, which is generally considered to be within a 12-month period.

Incorrect: The requirement for full vesting upon plan termination is not dependent on a participant’s years of service or their status as an active employee; it applies to all affected participants. There is no requirement to wait until the next plan year-end to begin distributions; in fact, delays can jeopardize the ‘as soon as administratively feasible’ standard. While a successor plan rule exists that can restrict distributions of elective deferrals, the timeframe for that rule is generally 12 months, not six, and it does not override the 100% vesting requirement.

Takeaway: The termination of a qualified 401(k) plan triggers mandatory 100% vesting for all affected participants and requires the distribution of all plan assets as soon as administratively feasible.

Correct: According to Treasury Regulation 1.401(k)-1(f), a contribution is only treated as a designated Roth contribution if it is designated as such by the employee no later than the time of the deferral election and is treated by the employer as includible in the employee’s income at the time the employee would have received the amount in cash. This designation must be irrevocable and made before the compensation is currently available. Retroactively changing the tax treatment after the payroll period has closed violates these fundamental qualification requirements.

Incorrect: The idea of a 90-day look-back for reclassification is not a standard regulatory provision; corrections usually involve the Voluntary Correction Program (VCP) rather than simple retroactive reclassification. The anti-cutback rule protects accrued benefits and optional forms of benefit, but tax characterization of elective deferrals is not typically viewed as an anti-cutback issue in this context. Finally, Roth contributions are included in the ADP test just like pre-tax contributions, so the claim that they are excluded is factually incorrect.

Takeaway: Roth deferral designations must be made before compensation is earned and cannot be changed retroactively once the payroll period has been processed.

Correct: In scenarios involving Politically Exposed Persons (PEPs) and complex corporate structures like shell companies, international standards such as the FATF Recommendations require Enhanced Due Diligence (EDD). This includes verifying the Source of Wealth (SoW) and Source of Funds (SoF) to ensure the money is not derived from corruption or bribery. Identifying the Ultimate Beneficial Owner (UBO) is critical to prevent the layering stage of money laundering, where illicit funds are obscured through multiple legal tiers. This approach ensures that the insurer is not facilitating the integration of proceeds from grand corruption into the financial system.

Incorrect: Focusing exclusively on sanctions screening is insufficient because it fails to address the underlying risks of money laundering and corruption which may not result in a sanctions list match. Immediate rejection of all PEPs is inconsistent with a risk-based approach, which advocates for managing risks through enhanced controls rather than wholesale de-risking, provided the risks can be mitigated and understood. Accepting funds before completing due diligence, even into a holding account, risks facilitating the placement stage of money laundering and may complicate the legal return of funds if the transaction is later deemed illicit or subject to seizure.

Takeaway: Effective financial crime prevention requires a holistic assessment of PEP status, shell company transparency, and source of wealth to mitigate the combined risks of corruption and money laundering.

Correct: The correct approach involves implementing a multi-tiered verification process that ensures the identification of natural persons who ultimately own or control the legal entity. According to FATF Recommendation 10 and 24, financial institutions must look through corporate layers to identify the ultimate beneficial owner (UBO) and verify their identity using reliable, independent source documents. For entities involving high-risk jurisdictions or complex structures, enhanced due diligence (EDD) is a regulatory necessity to mitigate the risk of shell companies being used for money laundering or sanctions evasion. This approach aligns with the risk-based approach by focusing resources on higher-risk ownership structures while ensuring the core KYC requirement of transparency is met.

Incorrect: The approach of flagging all corporate applicants for manual review while maintaining self-attestation for domestic entities is flawed because it creates an operational bottleneck without necessarily improving the quality of verification for the specific risk identified. Increasing the frequency of periodic reviews is a reactive measure that fails to address the fundamental failure at the onboarding stage, leaving the institution exposed to illicit activity during the initial months of the relationship. Relying on a legal opinion from the applicant’s counsel is insufficient because it outsources the institution’s regulatory responsibility to an interested third party and does not constitute independent verification as required by global AML standards.

Takeaway: Effective KYC procedures must mandate the identification and independent verification of natural persons behind complex corporate layers to prevent the misuse of legal entities for financial crime.

Correct: The Internal Revenue Service (IRS) requires that a qualified plan be operated in strict accordance with its written terms. When an operational failure occurs—such as failing to follow the plan’s vesting and break-in-service rules—the sponsor must use the Employee Plans Compliance Resolution System (EPCRS). Under the Self-Correction Program (SCP) or Voluntary Correction Program (VCP), the sponsor must restore the plan to the position it would have been in had the failure not occurred, which typically involves seeking repayment of overpayments or making corrective allocations.

Incorrect: Retroactive amendments to match an error are generally prohibited if they reduce benefits or violate anti-cutback rules, and they do not automatically cure an operational failure. Updating the Summary Plan Description (SPD) or notifying the DOL does not correct the underlying operational failure to follow the plan document. Labeling a systemic failure to update recordkeeping software as a ‘scrivener’s error’ is inappropriate, as scrivener’s errors are typically limited to clerical typos in the document itself, not operational deviations from a correctly written document.

Takeaway: Operational compliance requires strict adherence to the written plan document, and any deviations must be corrected using the IRS-approved Employee Plans Compliance Resolution System (EPCRS).