4.1 What CDD measures are
s.19(3), Sch. 2 4.1.1 The AMLO defines what CDD measures are (see paragraph 4.1.3) and also prescribes the circumstances in which an AI should carry out CDD (see paragraph 4.2). This Chapter provides guidance in this regard. Wherever possible, this Guideline gives AIs a degree of discretion in how they comply with the AMLO and put in place procedures for this purpose. In addition, an AI should, in respect of each kind of customer, business relationship, product and transaction, establish and maintain effective AML/CFT Systems for complying with the CDD requirements set out in this Chapter.
4.1.2 An AI should apply an RBA when conducting CDD measures and the extent of CDD measures should be commensurate with the ML/TF risks associated with a business relationship. Where the ML/TF risks are high, the AI should conduct enhanced due diligence (EDD) measures (see paragraph 4.9). In low risk situations, the AI may apply simplified due diligence (SDD) measures (see paragraph 4.8).
s.2(1), Sch. 2 4.1.3 The following are CDD measures applicable to an AI:
(a) identify the customer and verify the customer’s identity using documents, data or information provided by a reliable and independent source (see paragraph 4.3);
(b) where there is a beneficial owner in relation to the customer, identify and take reasonable measures to verify the beneficial owner’s identity so that the AI is satisfied that it knows who the beneficial owner is, including, in the case of a legal person or trust12, measures to enable the AI to understand the ownership and control structure of the legal person or trust (see paragraph 4.4);
(c) obtain information on the purpose and intended nature of the business relationship (if any) established with the AI unless the purpose and intended nature are obvious (see paragraph 4.6); and
(d) if a person purports to act on behalf of the customer:
(i) identify the person and take reasonable measures to verify the person’s identity using documents, data or information provided by a reliable and independent source; and
(ii) verify the person’s authority to act on behalf of the customer (see paragraph 4.5).
12 For the purpose of this Guideline, a trust means an express trust or any similar arrangement for which a legal-binding document (i.e. a trust deed or in any other forms) is in place.
4.1.4 The term “customer” is defined in the AMLO to include a client.
The meaning of “customer” and “client” should be inferred from its everyday meaning and in the context of the industry practice.
4.1.5 In general, the term “customer” refers to the party, or parties, with whom a business relationship is established, or for whom a transaction is carried out by an AI. This generally excludes the third parties of a transaction. For example, an ordering AI in an outward wire transfer transaction does not regard the beneficiary (who has no other relationship with the AI) as its customer.
4.1.6 Hong Kong is an international financial centre, and it is not uncommon for a customer relationship to be managed by an AI but the account of that customer to be booked outside Hong Kong.
Whether this relationship should be considered as a business relationship as defined in the AMLO, a major consideration is whether the relationship is managed in substance by the AI. If there is a business relationship, the AI should comply with relevant requirements set out in the AMLO and this Guideline in relation to that customer13.
4.2 When CDD measures should be carried out
s.3(1), Sch. 2 4.2.1 An AI should carry out CDD measures in relation to a customer:
(a) at the outset of a business relationship;
(b) before performing any occasional transaction14:
(i) equal to or exceeding an aggregate value of $120,000, whether carried out in a single operation or several operations that appear to the AI to be linked; or
(ii) a wire transfer equal to or exceeding an aggregate value of $8,000, whether carried out in a single operation or several operations that appear to the AI to be linked;
(c) when the AI suspects that the customer or the customer’s account is involved in ML/TF15; or
(d) when the AI doubts the veracity or adequacy of any information previously obtained for the purpose of identifying the customer or for the purpose of verifying the customer’s identity.
s.1, Sch. 2 4.2.2 “Business relationship” between a person and an AI is defined in the AMLO as a business, professional or commercial relationship:
(a) that has an element of duration; or
13 For the avoidance of doubt, a business relationship always exists whenever an account is booked in Hong Kong.
14 Occasional transactions may include for example, wire transfers, currency exchanges, purchase of cashier orders or gift cheques.
15 This criterion applies irrespective of the $120,000 or $8,000 threshold applicable to occasional transactions set out in paragraphs 4.2.1(b)(i) and 4.2.1(b)(ii) respectively.
(b) that the AI, at the time the person first contacts it in the person’s capacity as a potential customer of the AI, expects to have an element of duration.
s.1, Sch. 2 4.2.3 “Occasional transaction” is defined in the AMLO as a transaction between an AI and a customer who does not have a business relationship with the AI.
4.2.4 An AI should be vigilant to the possibility that a series of linked occasional transactions could meet or exceed the CDD thresholds of $8,000 for wire transfers and $120,000 for other types of transactions. Where the AI become aware that these thresholds are met or exceeded, CDD measures should be carried out.
4.2.5 The factors linking occasional transactions are inherent in the characteristics of the transactions – for example, where several payments are made to the same recipient from one or more sources over a short period, where a customer regularly transfers funds to one or more destinations. In determining whether the transactions are in fact linked, an AI should consider these factors against the timeframe within which the transactions are conducted.
4.2.6 Where cash transactions are undertaken by an AI for non-account holders of that AI, e.g. when cash is deposited into an existing account by a person whose name does not appear on the mandate of that account, care and vigilance are required. Where the transaction involves an amount equal to or exceeding $120,000, or is otherwise unusual, the person should be asked to produce positive evidence of identity, and a copy should be retained on file.
4.3 Identification and verification of identity – customer
s.2(1)(a), Sch. 2 4.3.1 An AI should identify the customer and verify the customer’s identity by reference to documents, data or information provided by a reliable and independent source:
(a) a governmental body;
(b) the HKMA or any other relevant authority (RA);
(c) an authority in a place outside Hong Kong that performs functions similar to those of the HKMA or any other RA; or (d) any other reliable and independent source that is recognised
by the HKMA.
Customer that is a natural person16
s.2(1)(a), Sch. 2 4.3.2 For a customer that is a natural person, an AI should identify the customer by obtaining at least the following identification information:
(a) full name;
(b) date of birth;
(c) nationality; and
(d) unique identification number (e.g. identity card number or passport number) and document type.
s.2(1)(a), Sch. 2 4.3.3 In verifying the identity of a customer that is a natural person, an AI should verify the name, date of birth, unique identification number and document type of the customer by reference to documents, data or information provided by a reliable and independent source, examples of which include:
(a) Hong Kong identity card or other national identity card;
(b) valid travel document (e.g. unexpired passport); or
(c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body).
4.3.4 The identification document obtained by an AI should contain a photograph of the customer. In exceptional circumstances where an AI is unable to obtain an identification document with a photograph, the AI may accept an identification document without a photograph if the associated risks have been properly assessed and mitigated.
4.3.5 An AI should obtain the residential address information of a customer that is a natural person17.
Customer that is a legal person18
s.2(1)(a), Sch. 2 4.3.6 For a customer that is a legal person, an AI should identify the customer by obtaining at least the following identification information:
(a) full name;
(b) date of incorporation, establishment or registration;
(c) place of incorporation, establishment or registration
16 For the purpose of this Guideline, the terms “natural person” and “individual” are used interchangeably.
17 For the avoidance of doubt, an AI may, under certain circumstances, require verification (on top of collection) of residential address from a customer for other purposes (e.g. group requirements, other local or overseas legal and regulatory requirements). In such circumstances, the AI should communicate clearly to the customer the reasons of requiring verification of address.
18 Legal person refers to any entities other than natural person that can establish a permanent customer relationship with an AI or otherwise own property. This can include companies, bodies corporate, foundations, anstalt, partnerships, associations or other relevantly similar entities.
(including address of registered office);
(d) unique identification number (e.g. incorporation number or business registration number) and document type; and (e) principal place of business (if different from the address of
registered office).
s.2(1)(a), Sch. 2 4.3.7 In verifying the identity of a customer that is a legal person, an AI should normally verify its name, legal form, current existence (at the time of verification) and powers that regulate and bind the legal person by reference to documents, data or information provided by a reliable and independent source, examples of which include19:
(a) certificate of incorporation;
(b) record in an independent company registry;
(c) certificate of incumbency;
(d) certificate of good standing;
(e) record of registration;
(f) partnership agreement or deed;
(g) constitutional document; or
(h) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body).
4.3.8 For a customer that is a partnership or an unincorporated body, confirmation of the customer’s membership of a relevant professional or trade association is likely to be sufficient to verify the identity of the customer as required in paragraph 4.3.7 provided that:
(a) the customer is a well-known, reputable organisation;
(b) the customer has a long history in its industry; and
(c) there is substantial public information about the customer, its partners and controllers.
4.3.9 In the case of associations, clubs, societies, charities, religious bodies, institutes, mutual and friendly societies, co-operative and provident societies, an AI should satisfy itself as to the legitimate purpose of the organisation, e.g. by requesting sight of the constitution.
Customer that is a trust or other similar legal arrangement20
s.2(1)(a), Sch. 2 4.3.10 In respect of trusts, an AI should identify and verify the trust as a customer in accordance with the requirements set out in
19 In some instances, an AI may need to obtain more than one document to meet this requirement. For example, a certificate of incorporation can only verify the name and legal form of the legal person in most circumstances but cannot act as a proof of current existence.
20 Examples of legal arrangement include fiducie, treuhand and fideicomiso.
paragraphs 4.3.11 and 4.3.12. The AI should also regard the trustee as its customer if the trustee enters into a business relationship or carries out occasional transactions on behalf of the trust, which is generally the case if the trust does not possess a separate legal personality. In such a case, the AI should identify and verify the identity of the trustee in line with the identification and verification requirements for a customer that is a natural person or a legal person, where applicable.
s.2(1)(a), Sch. 2 4.3.11 For a customer that is a trust or other similar legal arrangement, an AI should identify the customer by obtaining at least the following identification information:
(a) name of the trust or legal arrangement;
(b) date of establishment or settlement;
(c) the jurisdiction whose laws govern the trust or legal arrangement;
(d) unique identification number (if any) granted by any applicable official bodies and document type (e.g. tax identification number or registered charity or non-profit organisation number); and
(e) address of registered office (if applicable).
s.2(1)(a), Sch. 2 4.3.12 In verifying the identity of a customer that is a trust or other similar legal arrangement, an AI should normally verify its name, legal form, current existence (at the time of verification) and powers that regulate and bind the trust or other similar legal arrangement by reference to documents, data or information provided by a reliable and independent source, examples of which include:
(a) trust deed or similar instrument21;
(b) record of an appropriate register22 in the relevant country of establishment;
(c) written confirmation from a trustee acting in a professional capacity23;
(d) written confirmation from a lawyer who has reviewed the relevant instrument; or
(e) written confirmation from a trust company which is within the same financial group as the AI, if the trust concerned is managed by that trust company.
21 Under exceptional circumstance, the AI may choose to retain a redacted copy.
22 In determining whether a register is appropriate, the AI should have regard to adequate transparency (e.g. a system of central registration where a national registry records details on trusts and other legal arrangements registered in that country). Changes in ownership and control information would need to be kept up-to-date.
23 “Trustees acting in their professional capacity” in this context means that they act in the course of a profession or business which consists of or includes the provision of services in connection with the administration or management of trusts (or a particular aspect of the administration or management of trusts).
Reliability of documents, data or information
4.3.13 In verifying the identity of a customer, an AI needs not establish accuracy of every piece of identification information collected in paragraphs 4.3.2, 4.3.6 and 4.3.11.
4.3.14 An AI should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer as required in paragraphs 4.3.3, 4.3.7 and 4.3.12 is current at the time they are provided to or obtained by the AI.
4.3.15 When using documents for verification, an AI should be aware that some types of documents are more easily forged than others, or can be reported as lost or stolen. Therefore, the AI should consider applying anti-fraud procedures that are commensurate with the risk profile of the person being verified.
4.3.16 If a natural person customer or a person representing a legal person, a trust or other similar legal arrangement to establish a business relationship with an AI is physically present during the CDD process, the AI should generally have sight of original identification document by its staff and retain a copy of the document. However, there are a number of occasions where an original identification document cannot be produced by the customers (e.g. the original document is in electronic form). In such an occasion, the AI should take appropriate measures to ensure the reliability of identification documents obtained.
4.3.17 Where the documents, data or information being used for the purposes of identification are in a foreign language, appropriate steps should be taken by the AI to be reasonably satisfied that the documents, data or information in fact provide evidence of the customer’s identity.
Connected parties
4.3.18 Where a customer is a legal person, a trust or other similar legal arrangement, an AI should identify all the connected parties24 of the customer by obtaining their names.
4.3.19 A connected party of a customer that is a legal person, a trust or other similar legal arrangement:
(a) in relation to a corporation, means a director of the customer;
(b) in relation to a partnership, means a partner of the customer;
(c) in relation to a trust or other similar legal arrangement, means a trustee (or equivalent) of the customer; and
24 For the avoidance of doubt, if a connected party also satisfies the definition of a customer, a beneficial owner of the customer or a person purporting to act on behalf of the customer, the AI has to identify and verify the identity of that person with reference to relevant requirements set out in this Guideline.
(d) in other cases not falling within subsection (a), (b) or (c), means a natural person holding a senior management position or having executive authority in the customer.
4.4 Identification and verification of identity – beneficial owner
s.2(1)(b), Sch. 2 4.4.1 A beneficial owner is normally a natural person who ultimately owns or controls the customer or on whose behalf a transaction or activity is being conducted. An AI should identify any beneficial owner in relation to a customer, and take reasonable measures to verify the beneficial owner’s identity so that the AI is satisfied that it knows who the beneficial owner is.
4.4.2 The verification requirements for a customer and a beneficial owner are different under the AMLO. In determining what constitutes reasonable measures to verify the identity of a beneficial owner of a customer, an AI should consider and give due regard to the ML/TF risks posed by the customer and the business relationship.
4.4.3 Where a natural person is identified as a beneficial owner, the AI should endeavour to obtain the same identification information as at paragraph 4.3.2 as far as possible.
Beneficial owner in relation to a natural person
4.4.4 In respect of a customer that is a natural person, there is no requirement on an AI to make proactive searches for beneficial owners of the customer in such a case, but the AI should make appropriate enquiries where there are indications that the customer is not acting on his own behalf.
Beneficial owner in relation to a legal person
s.1, Sch. 2 4.4.5 The AMLO defines beneficial owner in relation to a corporation as:
(a) an individual who
(i) owns or controls, directly or indirectly, including through a trust or bearer share holding, more than 25%
of the issued share capital of the corporation;
(ii) is, directly or indirectly, entitled to exercise or control the exercise of more than 25% of the voting rights at general meetings of the corporation; or
(iii) exercises ultimate control over the management of the corporation; or
(b) if the corporation is acting on behalf of another person, means the other person.
s.1, Sch. 2 4.4.6 The AMLO defines beneficial owner, in relation to a partnership as:
(a) an individual who
(i) is entitled to or controls, directly or indirectly, more than a 25% share of the capital or profits of the partnership;
(ii) is, directly or indirectly, entitled to exercise or control the exercise of more than 25% of the voting rights in the partnership; or
(iii) exercises ultimate control over the management of the partnership; or
(b) if the partnership is acting on behalf of another person, means the other person.
s.1, Sch. 2 4.4.7 In relation to an unincorporated body other than a partnership, beneficial owner:
(a) means an individual who ultimately owns or controls the unincorporated body; or
(b) if the unincorporated body is acting on behalf of another person, means the other person.
s.2(1)(b), Sch. 2 4.4.8 For a customer that is a legal person, an AI should identify any natural person who ultimately has a controlling ownership interest (i.e. more than 25%) in the legal person and any natural person exercising control of the legal person or its management, and take reasonable measures to verify their identities. If there is no such natural person (i.e. no natural person falls within the definition of beneficial owners set out in paragraphs 4.4.5 to 4.4.7), the AI should identify the relevant natural persons who hold the position of senior managing official, and take reasonable measures to verify their identities.
4.4.9 While an AI usually can identify who the beneficial owner of a customer is in the course of understanding the ownership and control structure of the customer, the AI may obtain an undertaking or declaration25 from the customer on the identity of, and the information relating to, its beneficial owner.
Nevertheless, in addition to the undertaking or declaration obtained, the AI should take reasonable measures to verify the identity of the beneficial owner (e.g. corroborating the undertaking or declaration with publicly available information).
4.4.10 If the ownership structure of a customer involves different types of legal persons or legal arrangements, in determining who the beneficial owner is, an AI should pay attention to who has ultimate ownership or control over the customer, or who
25 In some jurisdictions, corporations are required to maintain registers of their beneficial owners (e.g. the significant
25 In some jurisdictions, corporations are required to maintain registers of their beneficial owners (e.g. the significant