General
s.5(1), Sch. 2 5.1 Ongoing monitoring is an essential component of effective AML/CFT Systems. An AI should continuously monitor its business relationship with a customer in two aspects:
(a) ongoing CDD: reviewing from time to time documents, data and information relating to the customer that have been obtained by the AI for the purpose of complying with the requirements imposed under Part 2 of Schedule 2 to ensure that they are up-to-date and relevant; and
(b) transaction monitoring:
(i) conducting appropriate scrutiny of transactions carried out for the customer to ensure that they are consistent with the AI’s knowledge of the customer, the customer’s business, risk profile and source of funds; and
(ii) identifying transactions that (i) are complex, unusually large in amount or of an unusual pattern; and (ii) have no apparent economic or lawful purpose, and examining the background and purposes of those transactions and setting out the findings in writing.
Ongoing CDD
s.5(1)(a), Sch. 2 5.2 To ensure documents, data and information of a customer obtained are up-to-date and relevant41, an AI should undertake reviews of existing CDD records of customers on a regular basis and/or upon trigger events42. Clear policies and procedures should be developed, especially on the frequency of periodic review or what constitutes a trigger event.
s.5(1)(a), Sch. 2 5.3 All customers that present high ML/TF risks should be subject to a minimum of an annual review, or more frequent reviews if deemed necessary by the AI, to ensure the CDD information retained remains up-to-date and relevant.
Transaction monitoring
Transaction monitoring systems and processes
s.19(3), Sch. 2 5.4 An AI should establish and maintain adequate systems and processes to monitor transactions. The design, degree of automation and sophistication of transaction monitoring systems and processes should be developed appropriately having regard to
41 Keeping the CDD information up-to-date and relevant does not mean that an AI has to re-verify identities that have been verified (unless doubts arise as to the veracity or adequacy of the evidence previously obtained for the purposes of customer identification).
42 While it is not necessary to regularly review the existing CDD records of a dormant customer, an AI should conduct a review upon reactivation of the relationship. The AI should define clearly what constitutes a dormant customer in its policies and procedures.
the following factors:
(a) the size and complexity of its business;
(b) the ML/TF risks arising from its business;
(c) the nature of its systems and controls;
(d) the monitoring procedures that already exist to satisfy other business needs; and
(e) the nature of the products and services provided (which includes the means of delivery or communication).
5.5 An AI should ensure that the transaction monitoring systems and processes can provide all relevant staff who are tasked with conducting transaction monitoring and investigation with timely and sufficient information required to identify, analyse and effectively monitor customers’ transactions.
5.6 An AI should ensure that the transaction monitoring systems and processes can support the ongoing monitoring of a business relationship in a holistic approach, which may include monitoring activities of a customer’s multiple accounts within or across lines of businesses, and related customers’ accounts within or across lines of businesses. This means preferably the AI adopts a relationship-based approach rather than on a transaction-by-transaction basis.
5.7 In designing transaction monitoring systems and processes, including setting of parameters and thresholds, an AI should take into account the transaction characteristics, which may include:
(a) the nature and type of transactions (e.g. abnormal size or frequency);
(b) the nature of a series of transactions (e.g. structuring a single transaction into a number of cash deposits);
(c) the counterparties of transactions;
(d) the geographical origin/destination of a payment or receipt;
and
(e) the customer’s normal account activity or turnover.
5.8 An AI should regularly review the adequacy and effectiveness of its transaction monitoring systems and processes, including parameters and thresholds adopted. The parameters and thresholds should be properly documented and independently validated to ensure that they are appropriate to its operations and context.
RBA to transaction monitoring and review of transactions
s.5(3), Sch. 2 5.9 An AI should conduct transaction monitoring in relation to all business relationships following the RBA. The extent of monitoring (e.g. frequency and intensity of monitoring) should be
commensurate with the ML/TF risk profile of a customer. Where the ML/TF risks are high43, the AI should conduct enhanced transaction monitoring. In low risk situations, the AI may reduce the extent of monitoring.
s.5(1)(b) & (c), Sch.
2 5.10 An AI should take appropriate steps (e.g. examining the background and purposes of the transactions; making appropriate enquiries to or obtaining additional CDD information from a customer) to identify if there are any grounds for suspicion, when:
(a) the customer’s transactions are not consistent with the AI’s knowledge of the customer, the customer’s business, risk profile or source of funds; or
(b) the AI identifies transactions that (i) are complex, unusually large in amount or of an unusual pattern, and (ii) have no apparent economic or lawful purpose44.
5.11 Where an AI conducts enquiries and obtains what it considers to be a satisfactory explanation of the transaction or activity, it may conclude that there are no grounds for suspicion, and therefore take no further action. Even if no suspicion is identified, the AI should consider updating the customer risk profile based on any relevant information obtained.
5.12 However, where the AI cannot obtain a satisfactory explanation of the transaction or activity, it may conclude that there are grounds for suspicion. In any event where there is any suspicion identified during transaction monitoring, an STR should be made to the JFIU.
5.13 An AI should be aware that making enquiries to customers, when conducted properly and in good faith, will not constitute tipping off. However, if the AI reasonably believes that performing the CDD process will tip off the customer, it may stop pursuing the process. The AI should document the basis for its assessment and file an STR to the JFIU.
s.5(1)(a), Sch. 2 5.14 The findings and outcomes of steps taken by the AI in paragraph 5.10, as well as the rationale of any decision made after taking these steps, should be properly documented in writing and be available to the HKMA, other competent authorities and auditors.
43 Examples of high ML/TF risk situations that require enhancing transaction monitoring include: (a) a customer or a beneficial owner of a customer being a foreign PEP; and (b) a business relationship presenting a high risk of ML/TF under section 15 of Schedule 2.
44 An AI should examine the background and purposes of the transactions and set out its findings in writing.
Chapter 6 – TERRORIST FINANCING, FINANCIAL SANCTIONS AND