Other Author Alexandra Kinross, Regional Director of Knowledge Management - Asia
On 15 August 2023, the Hong Kong Monetary Authority (HKMA) imposed a penalty of HK$16 million on a Hong Kong bank (the "Bank") for breaching five provisions of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) between 2016 and 2018 (one provision), and between 2012 to 2018 (four provisions).
The penalty was the outcome of an investigation and disciplinary proceedings by the HKMA that found significant control deficiencies in the Bank's customer due diligence (CDD) and on-going monitoring of business relationships with customers.
Hong Kong CDD Requirements
Financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs) must comply with the CDD requirements in AMLO and the Guidelines issued by relevant authorities or regulatory bodies for the operation of AMLO. FIs and DNFPs should take all reasonable steps to ensure proper safeguards exist to prevent any contravention of Schedule Part 2 and to mitigate money laundering and counter-financing of terrorism risks.
In summary, Schedule 2, Part 2 of AMLO prescribes CDD requirements, including the following:
- Proper identification and verification of the customer's, and any beneficial owner's, identity at various points in time (sections 2(1) and 3(3)).
- A duty to continuously monitor customer relationships by periodically reviewing and obtaining updated documents, data and information on the customer and to scrutinise transactions carried out for the customer for suspicious activity (section 5).
- Special CDD requirements are listed for: where a customer is not physically present for identification purposes (section 9); a "politically exposed" customer or beneficial owner (sections 10 and 19(1)); Insurance Policies (section 11); wire transfers (sections 12 and 19(2)); remittance transactions (section 13); virtual asset transfers (sections 14 and 19(2A)); correspondent banking relationships (section 14); other high risk situations (section 15).
- Record keeping and retention requirements (sections 20 and 21).
Further, AMLO prohibits FIs and DNFBPs from:
- opening, or maintaining, an anonymous account, or an account in a fictitious name for any customer (section 16); and
- establishing, or continuing, a correspondent banking relationship with shell banks (section 17).
CDD Deficiencies in this Case
The CDD deficiencies in the recent disciplinary action included the Bank's failure to:
- complete timely verification of over a hundred customers’ identities, including "higher risk clients", once transferred from another FI, and their beneficial owners (section 3(3) of Schedule 2 of the AMLO);
- terminate business relationships with customers whose beneficial owners the Bank was unable to verify the identities of, in a timely fashion (sections 3(1) and 3(4) (b) of Schedule 2 of the AMLO);
- properly and continuously monitor the business relationships with customers, including "higher risk customers", and carry out trigger event reviews of customers transacting in unusual amounts (section 5(1)(a) of Schedule 2 of the AMLO); and
- establish and maintain effective internal CDD procedures (section 19(3) of Schedule 2 of the AMLO).
In deciding the penalty, the HKMA considered the seriousness of the findings, the need to send a clear deterrent message, the remedial and enhancement measures taken by the Bank to address the deficiencies, and the cooperation and clean prior disciplinary record of the Bank.
The HKMA’s latest enforcement action reiterates the importance of effective and robust anti-money laundering/counter-financing of terrorism (AML/CFT) internal policies, procedures and controls. Written policies and procedures must be sufficiently detailed for staff to conduct CDD activities to the required legal and regulatory standards. In addition, regular assurance aids the early detection of any weaknesses in internal controls—crucial for remediation and reducing the risk of exposure to legal or regulatory action.