On 15 September 2021, Hong Kong’s Securities and Futures Commission (SFC) published its conclusions (the Consultation Conclusions) from last year's consultation (the Consultation) on its proposed amendments to the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) (the AML/CFT Guideline). The Consultation Conclusions set out the SFC’s analysis of the responses to the Consultation, as well as the final amendments to the AML/CFT Guideline. The revised AML/CFT Guideline has taken effect from 30 September 2021, except for the new requirements of cross-border correspondent relationships, which will come into effect from 30 March 2022 after a six-month transition period.
In this Legal Update, we provide a high-level overview of SFC's proposed amendments to the AML/CFT Guideline and highlight key takeaways from the Consultation Conclusions.
Overview of the Proposed Amendments
The proposed amendments to the AML/CFT Guideline aim to align with the Financial Action Task Force’s (FATF) standards amplified by its Guidance for a Risk-Based Approach for the Securities Sector (the "RBA Guidance for Securities Sector") published on 26 October 2018 while providing practical guidance to facilitate the implementation of AML/ CFT measures by Financial Institutions (FIs) in a risk-sensitive manner.
The key proposed amendments1 are:
- Institutional risk assessment: FIs are required to establish and implement adequate and appropriate AML and CFT policies, procedures and controls, taking into account the products and services offered, types of customers, geographical locations and other factors prescribed in the AML/CFT Guideline. Further, FIs should conduct an institutional risk assessment at least once every two years or more frequently upon the occurrence of trigger events which materially impact the FI's business and risk exposure. FIs operating overseas branches and subsidiaries should also conduct a group-wide AML/CFT risk assessment to facilitate the FI to design and implement group-wide AML/CFT systems.
- Risk indicators for institutional and customer risk assessments: FIs are required to assess the AML/CFT risks associated with the customer and the business relationship when conducting an institutional or customer risk assessment. In determining the level of overall risk that the FI is exposed to, the FI should holistically consider a range of factors, including but not limited to country risk, customer risk, product/service/transaction risk as well as delivery/distribution channel risk associated with the customer.
- Due diligence for cross-border correspondent relationships: While the proposed amendments received broad support, a considerable number of comments were made on the requirements for cross-border correspondent relationships. In response, the SFC has provided greater clarity and additional flexibility in meeting the requirements for cross-border correspondent relationships. For example, the SFC has provided a streamlined approach for cross-border correspondent relationships with affiliated companies. Pursuant to this approach, FIs may apply additional due diligence and risk mitigating measures by assessing whether their group policy and AML/CFT programme applicable to an affiliated company are in line with the FATF standards.
In addition, given the cross-border correspondent relationships requirements are new, the SFC has given a six-month transition period (from the date of gazettal of the revised AML/CFT Guideline) for FIs to establish policies and procedures to implement the cross-border correspondent relationships provisions for their new and pre-existing business relationships.
- Simplified and enhanced measures under a risk-based approach: The SFC has limited the type and extent of customer due diligence (CDD) measures that are used for identity verification of low risk customers. For these customers, the SFC has suggested reducing the frequency of review of the existing CDD records and the degree of ongoing monitoring of transactions based on a reasonable monetary threshold. In contrast, the SFC has required FIs to adopt enhanced CDD measures for high risk customers and politically exposed persons.
- Red-flag indicators for suspicious transactions and activities: As part of the suspicious activity identification process, FIs are expected to take further steps and obtain additional information (for example, asking the customers appropriate questions, evaluating any justifications provided by customers and checking their records) to assess if the potentially suspicious transaction or activity is in line with the FI’s knowledge of the customer. In this regard, in the revised AML/CFT Guideline, the SFC has provided a list of non-exhaustive illustrative indicators of suspicious transactions and activities to facilitate FIs determining whether there are grounds for suspicion about the relevant customer.
- Third-party deposits and payments: FIs are required to take all reasonable measures to mitigate the AML and CFT risks associated with transactions involving third-party deposits and payments, having regard to the list of illustrative indicators of suspicious transactions and activities referenced in the above. Further, FIs should only accept third-party deposits or payments under exceptional circumstances and when they are reasonably in line with the customer’s profile and normal commercial practices. Before an FI accepts any third-party deposit or payment arrangement, it should ensure that adequate policies and procedures and due diligence process are put in place to mitigate the inherently high risk and meet all applicable legal and regulatory requirements.
In the revised AML/CFT Guideline, the SFC has also addressed the industry’s concerns about practical difficulties in completing third-party deposit due diligence prior to settling transactions with deposited funds. According to the SFC, FIs are permitted to delay third-party deposit due diligence only under exceptional situations where there is no suspicion of AML and CFT risks and where appropriate risk management policies and procedures are in place.
- Person purporting to act on behalf of the customer: In determining whether a person is purporting to act on behalf of the customer (PPTA), FIs should assess the AML/CFT risks associated with that person's roles and the activities which the person is authorised to conduct, as well as the AML/CFT risks in connection with the business relationship. In addition, FIs should implement clear policies for determining who is considered to be a PPTA and identify a PPTA in line with the identification requirement set out in the policies.
To help the industry better understand the application of the AML and CFT requirements set out in the Consultation Conclusions, the SFC will issue an updated set of FAQs following the implementation of the AML/CFT Guideline. This should facilitate the implementation of risk-based AML and CFT measures by industry participants more effectively.
The management of AML and CFT risks continues to be a focus area for financial regulators. The SFC's amendments to the AML/CFT Guidelines is consistent with this trend. Some of the key proposed amendments align with, for example, common themes arising out of the UK Financial Conduct Authority's recent assessments of banks' financial crime systems and controls. For a more detailed discussion, please see our Legal Update.
The Hong Kong Monetary Authority also recently released two notes regarding (a) Supporting the Use of New Technologies for AML/CFT: Suggested Actions for the Hong Kong Banking Sector (hkma.gov.hk) and (b) Key observations and good practices in the use of external information and data in Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) systems (hkma.gov.hk). In response to heightened regulatory expectations globally, FIs are reminded to continue to improve their overall AML and CFT frameworks in line with prevailing regulatory requirements and remain proactive.