CFCS logo
Focused certification exam prep
Start practice
Home / Study Resources / Domain Deep Dives / CFCS Domain 11: Investigations and Law

CFCS Domain 11: Investigations and Law Enforcement 2026

Updated 11 min read CFCS Exam Prep
Table of Contents
TL;DR
  • Domain 11 covers the full investigative lifecycle: case initiation, evidence handling, law enforcement coordination, and prosecution referral.
  • CFCS questions are scenario-based across 135 items in 4 hours - Domain 11 tests applied judgment, not textbook recall.
  • Investigators must understand Suspicious Activity Report (SAR) mechanics, financial intelligence unit (FIU) roles, and mutual legal assistance treaties (MLATs).
  • ACFCS requires 40 earned credits before you can sit the exam; investigation experience directly satisfies a portion of this threshold.

What Domain 11 Actually Covers

Among the twelve content areas tested on the Certified Financial Crime Specialist (CFCS) examination, Domain 11 - Investigations and Law Enforcement - is the domain that bridges theoretical financial crime knowledge with real-world operational practice. While earlier domains define the typologies and methods criminals use, Domain 11 asks: once you suspect something, what do you actually do about it?

The domain covers the investigative process from the moment an alert is triggered or a tip is received all the way through case closure, evidence preservation, agency referral, and coordination with domestic and international law enforcement. Candidates are expected to understand not only internal investigation procedures within a financial institution but also the mechanics of external cooperation - how compliance officers, private sector investigators, prosecutors, and law enforcement agencies interact within a shared framework.

Scope of Domain 11: This domain is not limited to criminal investigators or law enforcement professionals. Financial institution compliance officers, anti-fraud analysts, and AML specialists are equally tested on investigative procedures - because in a real financial crime event, all of them must understand how evidence is preserved, how referrals are made, and how their actions either support or undermine a prosecution.

Key subject areas within Domain 11 include:

  • Investigative planning and case management methodology
  • Evidence collection, chain of custody, and admissibility standards
  • The role of Suspicious Activity Reports (SARs) and how they feed into law enforcement intelligence
  • Financial Intelligence Units (FIUs) - their mandates, limitations, and how to engage them
  • Mutual Legal Assistance Treaties (MLATs) and international cooperation frameworks
  • Grand jury processes and prosecutorial referral in U.S. contexts
  • Witness interviews, document subpoenas, and search warrants
  • Confidentiality requirements, tipping-off prohibitions, and safe harbor protections
  • Coordination between private sector compliance and public law enforcement

Why This Domain Carries Real Weight on the CFCS

The CFCS is administered by the Association of Certified Financial Crime Specialists (ACFCS) and consists of 135 scenario-based multiple-choice questions delivered over four hours through Kryterion's Online Proctored (OLP) network. To pass, candidates must answer at least 88 of those 135 questions correctly - approximately 65%. ACFCS does not publicly disclose the exact percentage weight assigned to each domain, but Domain 11's operational and applied nature means it tends to generate questions that cut across multiple knowledge areas simultaneously.

Because questions are scenario-based rather than definition-based, Domain 11 is particularly unforgiving to candidates who understand concepts in isolation but struggle with applied judgment. A question may describe an investigator at a bank who has just escalated a case internally - and then ask what the correct next step is regarding law enforcement notification, tipping-off risk, and SAR confidentiality simultaneously. Getting this right requires integrating knowledge across investigations, regulatory compliance (Domain 10), and money laundering typologies (Domain 1).

Key Takeaway

Domain 11 rewards candidates who have internalized investigative process as a decision tree, not a checklist. Every scenario-based question is testing whether you understand the why behind each procedural step - not just the steps themselves.

Core Topics Candidates Must Master

Suspicious Activity Reports (SARs) and the Tipping-Off Prohibition

SARs are central to both investigative triggers and legal constraints. Candidates must understand who is required to file, the timelines involved, the safe harbor protection afforded to filers, and critically - the prohibition against disclosing a SAR's existence to the subject of the report. This prohibition has exceptions (e.g., sharing within a corporate family) that are frequently tested.

  • SAR confidentiality under the Bank Secrecy Act and equivalent international regimes
  • When law enforcement may access SAR data versus when it must be requested
  • The investigative value of SAR filings in building financial intelligence

Financial Intelligence Units (FIUs) and the Egmont Group

FIUs serve as the national hub for receiving, analyzing, and disseminating financial intelligence. The Egmont Group facilitates international FIU cooperation. Domain 11 tests candidates on how FIUs interact with both the private sector and law enforcement, their analytical versus operational roles, and the limits of what FIU data can be used for.

  • Distinction between administrative, judicial, law enforcement, and hybrid FIU models
  • How to request information from a foreign FIU via Egmont Group channels
  • Spontaneous disclosures versus request-based information sharing

International Cooperation: MLATs and Letters Rogatory

Cross-border financial crime almost always requires international evidence-sharing. Candidates must understand the Mutual Legal Assistance Treaty (MLAT) process, its timelines, limitations, and alternatives such as letters rogatory and informal law enforcement cooperation. This topic intersects directly with asset recovery (Domain 8) and terrorist financing (Domain 9).

  • MLAT request process: which authority submits, what can be obtained
  • Challenges with offshore jurisdictions and secrecy-law conflicts
  • Informal intelligence sharing versus formal legal assistance

Evidence Standards and Chain of Custody

Financial investigations generate vast volumes of documentary and digital evidence. Candidates must understand what makes evidence admissible, how to preserve digital evidence without contaminating it, and the chain of custody requirements that will survive courtroom challenge.

  • Difference between intelligence (actionable internally) and evidence (courtroom-admissible)
  • Forensic imaging standards for electronic devices and records
  • Document holds, litigation preservation orders, and legal consequences of destruction

How Domain 11 Questions Are Structured

Understanding the question format for Domain 11 is not a minor detail - it is central to exam strategy. The CFCS uses scenario-based questions that place you inside an organizational role and ask you to choose the best course of action. For Domain 11 specifically, scenarios tend to involve:

  • Competing priorities: A compliance officer has evidence of fraud but reporting it may alert the subject. What do you do first?
  • Jurisdictional complexity: A transaction originates in one country, routes through a second, and the suspect is in a third. Which cooperation mechanism applies?
  • Procedural sequencing: At what stage in an internal investigation is it appropriate to contact law enforcement - and who within the institution has authority to make that call?
  • Legal constraints: A law enforcement agency asks your institution to continue processing transactions for a suspect under surveillance. What are your obligations and protections?

With 135 questions and 4 hours on the clock, you have roughly 1 minute and 47 seconds per question. Domain 11 scenarios tend to be longer than definitional questions, so practicing time management specifically against scenario-length prompts is essential. The CFCS practice test platform offers scenario-format questions that mirror the actual exam structure, which is the best preparation tool for this question style.

Who Hires CFCS Holders for Investigation Roles

The CFCS credential is respected across both public and private sectors, but Domain 11 expertise makes it particularly valuable in roles where investigation is a core function. Organizations that actively seek CFCS-certified professionals for investigative and law enforcement liaison roles include:

  • Financial institutions: Banks, payment processors, and money service businesses employing financial crime investigation teams, often embedded within AML or fraud operations units
  • Government agencies: Financial Intelligence Units, regulatory agencies (such as FinCEN, HMRC, AUSTRAC), and law enforcement agencies with financial crime mandates (FBI, IRS-CI, DEA, NCA)
  • International organizations: FATF, UNODC, the World Bank, and regional development banks with financial integrity programs
  • Consulting firms: The Big Four and specialist financial crime consulting practices that conduct internal investigations on behalf of corporate clients
  • Cryptocurrency exchanges and fintech firms: Increasingly required to build investigation capabilities equivalent to traditional financial institutions

Notably, ACFCS offers reduced examination fees for government sector candidates - $750 to $850 versus the standard $1,195 for existing ACFCS members - recognizing that law enforcement and regulatory professionals are core constituents for this credential. If you are a government employee with investigative experience, that experience can directly count toward the 40 credits required before you can register for the exam.

How Domain 11 Connects to the Rest of the Exam

Domain 11 does not exist in isolation. The CFCS is deliberately designed so that a financial crime professional must see the full spectrum - from typology identification through to investigative resolution. Understanding these cross-domain connections will help you answer questions that appear to be about investigations but are actually testing knowledge from adjacent domains.

Adjacent Domain Connection to Domain 11 Example Overlap Topic
Domain 1: Money Laundering Layering and integration patterns must be traced during investigation Following the transaction trail through shell companies
Domain 8: Asset Recovery Investigative findings directly trigger civil and criminal forfeiture actions Restraint orders, Mareva injunctions, and preservation of proceeds
Domain 9: Terrorist Financing Terrorist financing investigations involve distinct legal authorities and inter-agency protocols OFAC coordination, classified intelligence integration
Domain 10: Regulatory Compliance Regulatory obligations govern what investigators can and cannot do without triggering liability Record retention requirements, exam cooperation obligations
Domain 2: Fraud Fraud investigations share evidence standards with financial crime cases Interview techniques, documentary evidence in procurement fraud

Reviewing the CFCS Domain 11: Investigations and Law Enforcement 2026 content in parallel with asset recovery and terrorist financing materials will sharpen your ability to answer multi-domain scenario questions efficiently. Similarly, once you have a firm grasp of investigation mechanics, transitioning your study focus to CFCS Domain 12: Monitoring and Adjusting Study Guide 2026 creates a natural logical flow - investigations generate findings that then feed program-level monitoring and adjustment decisions.

A Domain-Sequenced Preparation Approach

The CFCS spans twelve domains and 135 questions in four hours. A structured study sequence matters - here is a four-week block specifically designed around Domain 11 and its closest neighbors, using spaced repetition to reinforce cross-domain connections.

Week 1

Foundation: Money Laundering + Fraud Typologies (Domains 1 and 2)

  • Understand the transaction patterns that will later need to be traced in investigations
  • Learn document types (wire records, account statements, beneficial ownership filings) you will encounter as evidence
  • Complete 20 practice questions on typology identification from the CFCS practice platform
Week 2

Investigative Mechanics: Domain 11 Deep Dive

  • Master the SAR filing process, tipping-off prohibition, and safe harbor protections
  • Study FIU models and the Egmont Group's role in cross-border intelligence sharing
  • Work through MLAT and letters rogatory processes using real-world case examples
  • Practice 30 scenario-based questions specifically on investigation sequencing and law enforcement coordination
Week 3

Adjacent Domains: Asset Recovery (Domain 8) and Terrorist Financing (Domain 9)

  • Map how investigative findings in Domain 11 connect to asset restraint and forfeiture in Domain 8
  • Understand the distinct legal authorities that apply when an investigation touches terrorist financing
  • Revisit Domain 11 materials and note where your understanding has deepened through Domain 8 and 9 context
Week 4

Compliance Integration + Full Practice Exams

  • Study Regulatory Compliance (Domain 10) with a focus on how compliance obligations shape what investigators can do
  • Run two full timed practice exams targeting the 88/135 passing threshold
  • Review all missed questions by domain and identify whether gaps are in Domain 11 or in the domains it connects to

Common Knowledge Gaps Candidates Overlook

Based on the structure of CFCS scenario questions, several knowledge areas within Domain 11 consistently trip up candidates who feel otherwise well-prepared:

The "Parallel Construction" Problem: Some candidates are unaware of the legal and ethical issues surrounding law enforcement's use of classified intelligence to initiate investigations, then building an independent evidentiary record to obscure the original source. The CFCS may test your awareness of why this creates legal vulnerability in prosecutions and what compliance professionals should understand about the information they receive from law enforcement.
  • Underestimating the tipping-off prohibition's reach: Many candidates know that you cannot tip off a SAR subject directly. Fewer understand the nuances - that discussing a SAR with a compliance officer at a correspondent bank in certain contexts can also constitute prohibited disclosure.
  • Confusing intelligence sharing with legal assistance: Informal information sharing between law enforcement agencies moves quickly; MLAT requests move slowly. Understanding when each mechanism is appropriate - and what can be achieved through each - is frequently tested.
  • Overlooking the private sector's investigative role boundaries: Financial institution investigators have significant capabilities but operate under constraints that law enforcement does not. Candidates sometimes answer questions as if a bank compliance team has law enforcement authority.
  • Neglecting international FIU model differences: The Egmont Group includes FIUs organized under four different legal models. A question may hinge on whether a particular FIU can share information spontaneously or only upon request.
  • Missing the documentation requirements during investigation: Investigations that result in prosecution require contemporaneous documentation. Candidates who are practitioners sometimes assume their real-world approach is correct when the exam is testing a specific international standard.
Registration Reminder: Before you can schedule any part of the CFCS exam, you must hold active ACFCS membership and have earned 40 credits across financial crime experience, education, training, and professional certifications. Investigation experience - whether in a financial institution, regulatory agency, or law enforcement - directly satisfies a meaningful portion of this requirement. Once purchased, you have a 12-month window to schedule and sit the exam through Kryterion's Online Proctored platform from any suitable location.

Candidates who actively work in financial crime investigation often underestimate Domain 11 precisely because it feels familiar - and then miss scenario questions that require knowledge of the formal legal frameworks surrounding their day-to-day work. Practitioners benefit enormously from structured review of the legal and procedural architecture they operate within, not just the operational mechanics they know from experience. The CFCS practice test platform is specifically built to expose these blind spots in scenario format before exam day.

Frequently Asked Questions

Does Domain 11 apply to me if I work in compliance rather than investigations?

Absolutely. The CFCS is designed for financial crime professionals across functions, and Domain 11 tests how compliance professionals interact with the investigative process - including SAR filing obligations, tipping-off prohibitions, and law enforcement cooperation. Compliance officers are regularly tested on these topics because they make these decisions operationally.

How many questions on the CFCS exam come from Domain 11?

ACFCS does not publicly disclose the percentage weight assigned to each of the twelve domains. The exam contains 135 scenario-based questions in total, and because Domain 11 overlaps with several other domains, many questions will draw on investigations knowledge even when primarily categorized under another content area.

Can law enforcement experience count toward the 40 credits required to register?

Yes. ACFCS recognizes professional experience in financial crime and related fields as one of the four credit-earning categories. Law enforcement professionals with investigative experience in financial crime should review ACFCS's credit guidelines to determine how their specific role translates into earned credits toward the eligibility threshold.

What is the best way to prepare for scenario-based questions in Domain 11?

The most effective preparation combines deep reading of the underlying legal frameworks (SAR statutes, MLAT processes, FIU mandates) with heavy practice on scenario-format questions. Generic study notes are insufficient - you need to practice making decisions under time pressure. Working through domain-specific practice exams on the CFCS Domain 11 content areas and reviewing why each answer choice is right or wrong builds the judgment the exam requires.

How does the CFCS renewal requirement affect Domain 11 knowledge?

CFCS certification is valid for three years, and renewal requires 60 continuing education credits along with active ACFCS membership. The financial crime and investigations landscape changes rapidly - new FATF guidance, evolving MLAT practices, and expanded FIU cooperation frameworks mean that staying current in Domain 11 is not just a renewal requirement but a professional necessity. Refer to the CFCS Domain 12: Monitoring and Adjusting Study Guide 2026 for how ongoing program adjustment connects to maintaining investigative effectiveness over time.

Continue reading:

Ready to pass your CFCS exam?

Put this into practice with free CFCS questions across every exam domain.