DFSA AML Module requires the Board to approve and oversee the firm’s business-wide risk assessment, ensuring accountability at the highest governance level.

A risk-based approach to customer due diligence requires considering all relevant risk factors including customer profile, the nature and purpose of the account or relationship, geographic risks, transaction patterns, and other relevant factors. This ensures that CDD intensity is commensurate with assessed risk.

Assessing only location (A) or transaction thresholds (B) is insufficient alone. Applying uniform CDD measures (C) contradicts the risk-based approach advocated by FATF and DFSA regulations.

DFSA AML guidance explicitly requires comprehensive risk assessment considering multiple variables to determine appropriate due diligence levels.

Upon identifying customer engagement with unhosted wallets or P2P transfers, the first step a VASP should take is to collect and assess data on such transactions. This assessment helps determine if these activities fall within the firm's risk appetite and what enhanced controls or actions may be needed.

Immediate account freezing (B) is not the first step without assessment; neither is allowing transfers (A) without risk consideration. Enhancing risk frameworks (D) is important but follows from an initial data-driven risk assessment.

Relevant guidance:

FATF Recommendations and DFSA AML Module require VASPs to maintain a risk-based approach that begins with data collection and risk assessment on unhosted wallet transactions.

The DFSA’s 2023 Dear MLRO letters and thematic reviews stress proportionality and evidence-based responses rather than immediate punitive measures.

Enhanced due diligence (EDD) and risk mitigation measures, including potentially freezing accounts, come after assessment of the risk level 【 AML/VER25/05-24: Sections 4.1, 6.4, 13; 20230406Dear_MLRO_Letter_re_IEMS.pdf 】 .

Hence, C is the appropriate first action.

The Board holds ultimate responsibility for policy approval under DFSA and FSRA AML rules, ensuring senior-level oversight.

FATF Recommendation 20 mandates that STRs be filed whenever there is suspicion or reasonable grounds to suspect criminal proceeds, regardless of the transaction value. This is mirrored in DFSA and FSRA AML regulations, ensuring that the reporting obligation is triggered by suspicion, not just thresholds.

Criminals often move cryptoassets through multiple intermediary wallets (many “hops”) rapidly to obfuscate the transaction trail and avoid clustering, which blockchain analytics use to link related addresses.

Simply receiving large amounts (A), holding assets (B), or splitting movements (D) are less effective at preventing clustering.

Dusting involves sending tiny amounts of crypto to many addresses to later analyze transaction patterns, potentially deanonymizing users — a privacy and AML concern.

Consortium blockchains are semi-private networks where governance is shared among authorized participants, offering a balance between decentralization and access control.

The ultimate responsibility for risk oversight lies with the Board of Directors. Senior management and the board have the fiduciary and governance duty to ensure that an effective risk management framework, including AML/CFT controls and cryptoasset-specific risks, is in place and functioning properly.

The DFSA GEN Module and AML Module explicitly allocate the highest accountability for compliance and risk oversight to the Board of Directors, while first and second lines support implementation and oversight respectively. The Chief Risk Officer (CRO) supports risk management but the board maintains ultimate accountability.

Key extracts:

GEN Module, Chapter 5: “Responsibility for compliance lies with every member of senior management, with ultimate oversight by the Board.”

AML Module Section 1.2 & 4.1: “Senior management and Board must ensure appropriate systems and controls for AML/CFT risk management.”

FATF Recommendation 2 underscores that senior management and boards are accountable for effective AML governance 【 GEN/VER64/05-24: Chapter 5; AML/VER25/05-24: Sections 1.2, 4.1 】 .

Thus, D is the correct answer.

On-chain forensic analysis uses blockchain data to detect illicit wallet patterns and cluster associations.