Regulators, Law Enforcement, and FIUs

Three Distinct Public-Sector Roles

CAMS routinely tests whether candidates can separate the regulator, law enforcement, and the Financial Intelligence Unit (FIU). They are different bodies with different powers, and choosing the wrong actor for a task is a designed distractor.

In the US, the regulators include the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Financial Crimes Enforcement Network for rule-making; the FIU is the Financial Crimes Enforcement Network (FinCEN); and law enforcement includes the FBI, IRS Criminal Investigation, and the Department of Justice.

What an FIU Is

An FIU is the national central agency that receives, analyzes, and disseminates suspicious transaction/activity reports (STRs/SARs) and other financial-crime information to competent authorities. FATF Recommendation 29 requires every country to establish an FIU as a central reception point. The FIU is the bridge between the private sector (which files reports) and law enforcement (which acts on intelligence). Crucially, most FIUs are intelligence bodies — they do not themselves prosecute.

FATF recognizes four FIU models, a high-yield CAMS fact:

• Administrative model — sits inside a regulator or ministry (e.g., FinCEN, AUSTRAC). Acts as a neutral buffer between institutions and law enforcement.
• Law-enforcement model — embedded in a police or enforcement agency (e.g., the UK National Crime Agency's FIU).
• Judicial/prosecutorial model — attached to the judiciary or public prosecutor.
• Hybrid model — combines features of the above.

The Egmont Group

Because launderers move money across borders, FIUs must exchange information internationally. The Egmont Group of Financial Intelligence Units, founded in 1995 at the Egmont Palace in Brussels with 24 founding FIUs, now connects roughly 170 member FIUs. It enables secure FIU-to-FIU exchange through the Egmont Secure Web and is built on the principle that information shared is used for intelligence purposes and protected by confidentiality. CAMS tests that the Egmont Group is the FIU network — not a regulator, not a court, and not part of FATF.

Common Traps

• An FIU analyzes intelligence; it does not generally arrest or prosecute. "The FIU prosecutes the launderer" is wrong.
• A regulator fines an institution for program failures; law enforcement charges the launderer for the crime. Do not swap these.
• The Egmont Group is the FIU network; do not confuse it with FATF (standards) or Interpol (police cooperation).
• A SAR/STR goes to the FIU, not directly to the prosecutor or the regulator, in the standard model.

The Intelligence Flow in Practice

Worked example: a compliance analyst detects structured cash deposits and files a SAR. In the standard administrative model the report goes to the FIU (FinCEN in the US), which analyzes it alongside other reports, builds a financial-intelligence picture, and disseminates leads to law enforcement (for example, the FBI or IRS-CI) for investigation and to the prosecutor for charging. Separately, the institution's regulator may later examine whether the bank's monitoring program was adequate and, if not, issue a consent order or civil penalty.

Four different actors, four different roles — and CAMS will test whether you can keep them apart.

A frequently tested nuance is the distinction between a regulatory enforcement action and a criminal prosecution. When a bank pays a large civil penalty for AML program deficiencies, that is the regulator acting against the institution. When an individual is charged with laundering, that is law enforcement and the prosecutor acting against the person for the predicate or laundering offense. A scenario that blends the two is testing this boundary.

Understand the FIU's gateway power too. FIUs can request additional information from reporting institutions, can postpone a transaction in some jurisdictions, and exchange intelligence with foreign FIUs through Egmont. But the FIU's product is intelligence, which becomes evidence only through the proper legal channel. The exam expects you to know that the chain runs private sector to FIU to law enforcement, and that the supervisor sits on a parallel track focused on program compliance rather than on the underlying crime.

Candidates should also recognize the cross-border dimension of FIU work. Because laundering networks span jurisdictions, an FIU frequently needs information held by a foreign counterpart, and the Egmont channel exists precisely so FIUs can exchange intelligence quickly without a formal treaty request. The receiving FIU must respect the reciprocity and confidentiality conditions attached to shared data and use it only for the agreed purpose.

This is why a SAR filed locally can ultimately help an investigation abroad, and why the FIU, not the individual bank, is the node that connects domestic reporting to the international intelligence picture. The supervisor, by contrast, coordinates with foreign supervisors on the soundness of the institution rather than on case intelligence.

Keep one more distinction straight for the exam: the FIU is operationally and analytically independent and protects the confidentiality of the reports it receives, which is why a filing institution generally receives no feedback on the outcome of its SAR. This is not a sign the report was useless; it reflects the intelligence nature of the FIU and the prohibition on tipping off. Candidates should resist any answer suggesting the bank may tell a customer that a SAR was filed or may demand status updates from the FIU.

The proper posture is to file with accuracy and completeness, maintain the supporting records, and continue monitoring the relationship while leaving the investigative path to the FIU and law enforcement.