Anti-money laundering: reconciling the HKMA and SFC's

Amidst the Panama Papers leak and the increasing regulatory scrutiny on anti-money laundering (AML) controls, the recent announcements made by the HKMA and SFC may have left banks feeling even more confused and apprehensive. We analyse what these seemingly contradictory announcements mean, and provide practical tips on staying compliant with the expectations of both financial regulators.

18 October 2016

SFC and HKMA’s approach to AML/CTF so far

In 2012, the HKMA and SFC issued identical guidelines on Anti-Money Laundering and Counter-Terrorism Financing (Guidelines) [1]. Under the Guidelines, both regulators require financial institutions (FIs) to apply a risk-based approach (RBA) when accepting business from customers, and because the HKMA and SFC Guidelines were identical, there was a tendency for FIs to apply the same client on-boarding standards for activities regulated by the HKMA and the SFC.

RBA has over the years been defined by the regulators to mean strict adherence to the Guidelines, as can be seen from the enforcement actions taken by the SFC [2] and the HKMA [3]. In their press releases, both regulators emphasised that enforcement action would be taken to deter any failing on the part of FIs, suggesting a zero tolerance for AML/CTF breaches.

Given the clear message from the regulators, FIs were compelled to sever ties with and decline business from customers who did not meet all of the requirements of the Guidelines, a practice that has been termed “de-risking”. This has taken a toll on the financial markets, but more recently, a spike in the number of complaints to the HKMA of financial exclusion has made de-risking the talk of the town, including in the Legislative Council [4]. In light of this, the HKMA revisited its interpretation of RBA on 08 September 2016.

HKMA’s change in tack - Circular of 08 September 2016

On 08 September 2016, the HKMA issued a Circular entitled “De-risking and Financial Inclusion” asking institutions under its supervision (Authorised Institutions, or “AIs”) to stop de-risking, and clarifying that the HKMA does not expect a “zero failure” regime that eliminates all risks. Instead, AIs need only ensure they have effective AML/CFT controls with no “material failings” in their systems [5].

The HKMA Circular also cites examples of disproportionate and over-zealous client due diligence measures, presumably taken from the complaints received by the HKMA. However, these examples should not be read in isolation. When analysed in the context of the Guidelines, the examples may be justified in some situations, especially in relation to customers who are overseas corporates from higher-risk locations or from jurisdictions which are not members of the Financial Action Task Force (FATF). For a list of the HKMA’s examples mapped against the provisions of the Guidelines, see the table at the end of this article.

Our analysis of the HKMA Circular

In our view, the HKMA’s reinterpretation of RBA is a logical move because:

  • Activities regulated by the HKMA: the HKMA regulates the provision of traditional banking services typically offered by retail and commercial banks (as opposed to investment activities carried out by wealth management, often dealing with high net-worth individuals, which are regulated by the SFC). These services are basic and essential to any financial centre, and should be readily available to the majority of the public. As such, the HKMA accepts that some degree of risk must be assumed in order for banking services to be made available to retail or commercial banking customers (both existing and prospective).

  • RBA: The term RBA itself suggests that the risk of on-boarding each customer should be assessed on a case-by-case basis, rather than adopting a “one-size-fits-all” approach. This resonates with the Guidelines, which allow AIs to apply client due diligence to the extent they consider necessary, based on the AI’s risk assessment of a client.

  • The requisite standard: Risk assessments undertaken by FIs should be reasonable in the circumstances, and the process and decisions made should be properly documented.

  • Vigilance still required: Although the HKMA now accepts that internal controls need not produce a “zero failure” regime, FIs should not read the HKMA’s Circular as an encouragement to relax controls, because enforcement action (such as that seen in the State Bank of India case) will still be taken for any systemic failures in internal AML controls and procedures.

The HKMA, having lowered the bar for client on-boarding for basic banking services, will no doubt expect the level of approved client applications for banking services to gradually pick up. If all goes as planned, and the right systems are put in place for true RBA, FIs should see a gradual increase in client on-boarding for retail and commercial banking account opening. This will be a welcome outcome for FIs, customers and the regulators.

SFC maintains its tack - Announcement of 21 September 2016

In contrast to the banking services that the HKMA regulates, which are deemed essential and should be accessible to a wider number of customers, access to investment services provided by FIs regulated by the SFC has received, and will continue to receive, a very different treatment.

On 21 September 2016 the SFC avowed its hard line against inadequate AML internal controls, warning the industry to enhance its AML internal controls immediately. The SFC warns that licensees have had ample time to develop internal controls since the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (AMLO) and the corresponding SFC Guideline came into force in 2012, and cites the following examples of poor AML/CTF controls identified to date:

  • failure to scrutinise cash and third party deposits into customer accounts
  • ineffective monitoring of transactions in customer accounts
  • failure to take adequate measures to continuously monitor business relationships with customers which present a higher risk of money laundering
  • inadequate enquiries made to assess potentially suspicious transactions to determine whether or not it is necessary to make a report to the Joint Financial Intelligence Unit, and lack of documentation of the assessment results, and
  • failure to monitor and supervise the ongoing implementation of AML/CTF policies and procedures.

Our analysis of the SFC Announcement

  • Activities regulated by the SFC: The SFC regulates activities that are sought by a smaller proportion of the market, and are arguably non-essential investment activities that will not create undue inconvenience if access to these were restricted to some investors who do not meet the SFC’s requirements.

  • High risk financial services/products: Some of the services/products offered by SFC-licensed FIs, such as corporate finance, leveraged FX trading and dealings in derivatives, make it easier to place, layer and integrate dirty money, and to conceal the true source of funds and the identities of beneficiaries.

  • Dr Jekyll & Mr Hyde: For dual-regulated FIs, is there a dichotomy created when a banking customer is assessed as low risk on the HKMA’s reinterpretation of RBA, but is deemed risky by the SFC’s standards? If looked at out of context, yes. However, bearing in mind what is said about the higher risk of AML/CTF through the financial products offered by SFC-licensed FIs, it makes sense that more scrutiny should be applied.

Although the SFC has yet to take any disciplinary action against licensees for breaches of the AMLO or its Guidelines, we remind ourselves of the enforcement actions for non-compliance with the Client Identity Rule Policy (an early example of AML-driven regulation), and expect the SFC will make good on its threat of enforcement action to demonstrate how seriously it takes AML/CTF.

Takeaways: manage the risks, don’t avoid them

Some key points to bear in mind:

  • Do what is right, not what is expected. FIs should continue to be in strict compliance with the AMLO and Guidelines issued by the SFC and HKMA.
  • Adopt a risk-based approach, avoid de-risking. FIs should not avoid risk by generically rejecting entire classes of customers. The FCA in the UK earlier this year criticised this approach and gave helpful guidance that it expects banks to recognise that risks associated with different business relationships within a single broad category can vary, and that banks should manage those risks appropriately. We would expect the SFC to take a similar view.
  • Exercise judgement and use common sense. Best practice is to exercise judgement and document the thought process rather than blindly follow a checklist. The relevant back office team should receive adequate training so they understand the rationale behind the AML legislation and Guidelines issued by SFC/HKMA.
  • Document the process. If a client is assessed as being low-risk, the RM should document the reasons and conclusion. In the event the FI does become an accessory to money laundering, it will be able to demonstrate to the SFC it had a well-documented process and good reason to take certain decisions.
  • Better coordination between front and back office. Front office staff should avoid over-promising how quickly customers can be on-boarded because the reality is that back office staff need time to conduct adequate customer due diligence.
  • For dual-regulated FIs. FIs who are dual regulated may wish to consider adopting a two tier approach to assessing AML/CFT risk:
    • When dealing with non-SFC regulated activities, FIs are encouraged to take into account their business relationship with the client. Consequently, dual regulated FIs may find it appropriate to conduct less stringent customer due diligence on customers who do not require SFC regulated services, although reasons for applying less stringent standards should always be documented.
    • FIs are however reminded that when an existing customer requests further services which are SFC regulated, this changes the nature of their business relationship with the client and could trigger an increase in the customer’s risk level. FIs are reminded that their systems should be sufficiently robust to detect such a change in risk level and to apply appropriate customer due diligence measures accordingly.

“Disproportionate” measures identified by the HKMA, with the obligation to be met by the FI and the provisions from the HKMA Guidelines:

(i) Requiring all directors and beneficial owners of an overseas corporate to be present at account opening.

  • FIs should identify all beneficial owners of a customer (4.3.5), record names of all directors and verify identities of directors on a risk-based approach (4.9.9).
  • FIs should take additional measures to compensate for risks associated with customers not physically present for identification purposes.
  • Suggested measures are contained in 4.12.2, eg further verification based on data provided by a governmental body or relevant authority.

(ii) Mandating that all documents of overseas corporates are certified by a Hong Kong certifier.

  • FIs should verify an overseas company’s information from sources listed in 4.9.11.
  • a) Where a customer is not in Hong Kong, there are increased risks (4.12.1).
  • b) It is not sufficient for the document to be self-certified by the customer (footnote 22 & 23).
  • c) Suitable certifiers are listed in 4.12.4 (eg a member of the judiciary in an equivalent jurisdiction).
  • d) FIs remain liable for failure to carry out prescribed customer due diligence and must exercise caution when accepting certified copy documents, especially if originating from a country representing a high risk or from an unregulated entity (4.12.6).

(iii) Requesting a start-up to provide the same degree of detail on its track record, business plan and revenue projections as a long-established company.

  • FIs are expected to understand the purpose and intended nature of the business relationship; relevant information may include initial and ongoing sources of wealth/income (4.6.1 and 4.6.2).
  • a) Extensive customer due diligence may be required for high risk customers, eg customers whose source of wealth is unclear or who require the setting up of complex structures (3.2).
  • b) For high risk customers, FIs should decide which measures they deem reasonable, in accordance with their assessment of risks, to establish the source of funds/wealth (4.13.12).

(iv) Requiring detailed information on source of wealth sometimes going back decades irrespective of risks presented by the relationship or type of service offered (e.g. basic banking services with small balances) which is difficult/impossible for the customer to provide.

(v) Expecting a Hong Kong business registration certificate for all applicants or evidence of a Hong Kong office for all overseas corporates, irrespective of business model or mode of operation.

  • FIs are required to verify the information listed in 4.9.10 (eg that the company is still registered and not dissolved) and obtain information listed in 4.9.8 (eg copy of certificate of incorporation and business registration).
  • The information obtained should be verified with sources listed in 4.9.11, eg Hong Kong Company Registry report for local companies, or comparable reports that are certified for overseas companies.

(vi) Rejecting account opening based on unreasonably high benchmarks such as expected or actual sales turnover.

  • There is no underlying provision in the Guidelines but paragraph 5(b) of the HKMA’s Circular reminds AIs that they “should not use AML/CFT as the ground for closing or rejecting an account when it is actually for other considerations.”

[1] The SFC’s Guideline can be found here, and the HKMA’s can be accessed here. The SFC and HKMA both made revisions to their Guideline in 2015.

[2] See for example Sassoon Securities Limited (March 2000) and Guotai Junan Securities (Hong Kong) Limited (May 2016). Although the SFC’s enforcement actions were with reference to the SFC Client Identity Rule Policy, it is noted that this policy closely relates to client identity requirements under the AMLO and the Guidelines. Sassoon and Guotai were sanctioned for failing to provide information about the ultimate beneficiary of a listed security transaction to the SFC within two days of its request, because knowing the client and the source of funds is at the heart of AML controls.

[3] See for example where the HKMA ordered the State Bank of India, Hong Kong Branch to pay HK$7.5m for breach of the AMLO and HKMA Guideline. This was for their failure to:

  • obtain the prescribed information set out in the Guidelines when conducting customer due diligence in respect of 28 corporate customers such as copies of business registration, certified copies of documents similar to a company report or certificate of incumbency
  • take measures to verify the identities of the beneficial owners in SBI’s account opening process by failing to obtain the prescribed information set out in the Guidelines in respect of 22 accounts and identify the ultimate beneficial owners of direct customers in respect of 17 accounts
  • set up effective on-going monitoring to identify unusual transactions, or conduct periodic reviews of a customer’s money laundering risk
  • screen customers periodically or before establishing a business relationship, and
  • adopt the Guidelines in a manner reflecting SBI’s own business practices.

[4] De-risking is also in itself a risky approach and the Financial Action Task Force in its 2014/15 annual report discouraged it. The decision to de-risk, or rather to avoid risk, by restricting business relationships with an entire category of customers should be distinguished from the more preferable practice of mitigating risks in a way that is proportionate to the nature and complexity of risks imposed by specific customers within that category.

[5] The HKMA urges AIs in its circular to adopt a “risk-based approach” (taking enhanced measures when customers are assessed to have higher risks, and simplified measures when risks are lower) instead of adopting a “one-size-fits-all” approach. It also said that AIs should work on their risk identification to “lessen the side effects of de-risking”.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.