Introduction

2.1 The risk-based approach (RBA) is central to the effective implementation of an AML/CFT regime. An RBA to AML/CFT means that jurisdictions, competent authorities, and AIs are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate with those risks in order to manage and mitigate them effectively. RBA allows an AI to allocate its resources more effectively and apply preventive measures that are commensurate with the nature and level of risks, in order to focus its AML/CFT efforts in the most effective way. Therefore, an AI should adopt an RBA in the design and implementation of its AML/CFT policies, procedures and controls (hereafter collectively referred to as “AML/CFT Systems”) with a view to managing and mitigating ML/TF risks.

Institutional ML/TF risk assessment

2.2 The institutional ML/TF risk assessment forms the basis of the RBA, enabling an AI to understand how and to what extent it is vulnerable to ML/TF. The AI should conduct an institutional ML/TF risk assessment to identify, assess and understand its ML/TF risks in relation to:

(a) its customers;

(b) the countries or jurisdictions its customers are from or in;

(c) the countries or jurisdictions the AI has operations in; and

(d) the products, services, transactions and delivery channels of the AI.

2.3 The appropriate steps to conduct the institutional ML/TF risk assessment should include:

(a) documenting the risk assessment process which includes the identification and assessment of relevant risks supported by qualitative and quantitative analysis, and information obtained from relevant internal and external sources;

(b) considering all the relevant risk factors before determining what the level of overall risk is, and the appropriate level and type of mitigation to be applied;

(c) obtaining the approval of senior management on the risk assessment results;

(d) having a process by which the risk assessment is kept up-to-date; and

(e) having appropriate mechanisms to provide the risk assessment to the HKMA when required to do so.

2.4 In conducting the institutional ML/TF risk assessment, an AI should cover a range of factors, including:

(a) customer risk factors, for example:

(i) its target market and customer segments;

(ii) the number and proportion of customers identified as high risk;

(b) country risk factors, for example:

(i) the countries or jurisdictions it is exposed to, either through its own activities or the activities of customers, especially countries or jurisdictions identified by credible sources as having a relatively higher level of corruption or organised crime, and/or not having effective AML/CFT regimes;

(c) product, service, transaction or delivery channel risk factors, for example:

(i) the nature, scale, diversity and complexity of its business;

(ii) the characteristics of products and services offered, and the extent to which they are vulnerable to ML/TF abuse;

(iii) the volume and size of its transactions;

(iv) the delivery channels, including the extent to which the AI deals directly with the customer, the extent to which the AI relies on (or is allowed to rely on) third parties to conduct CDD, the extent to which the AI uses technology, and the extent to which these channels are vulnerable to ML/TF abuse;

(d) other risk factors, for example:

(i) the nature, scale and quality of available ML/TF risk management resources, including appropriately qualified staff with access to ongoing AML/CFT training and development;

(ii) compliance and regulatory findings;

(iii) results of internal or external audits.

2.5 The scale and scope of the institutional ML/TF risk assessment should be commensurate with the nature, size and complexity of the AI’s business.

2.6 The institutional ML/TF risk assessment should consider any higher risks identified in other relevant risk assessments which may be issued from time to time, such as Hong Kong’s jurisdiction-wide ML/TF risk assessment and any higher risks notified to the AIs by the HKMA.

2.7 A locally-incorporated AI with branches or subsidiaries, including those located outside Hong Kong, should perform a group-wide ML/TF risk assessment.

2.8 For the purpose of paragraphs 2.2 and 2.7, if an AI is a part of a financial group and a group-wide or regional ML/TF risk assessment has been conducted, it may make reference to or rely on those assessments provided that the assessments adequately reflect ML/TF risks posed to the AI in the local context.

2.9 To keep the institutional ML/TF risk assessment up-to-date, an AI should conduct its assessment every two years and upon trigger events which are material to the AI’s business and risk exposure.

New products, new business practices and use of new technologies

2.10 An AI should identify and assess the ML/TF risks that may arise in relation to:

(a) the development of new products and new business practices, including new delivery mechanisms; and

(b) the use of new or developing technologies for both new and pre-existing products.

2.11 An AI should undertake the risk assessment prior to the launch of the new products, new business practices, or the use of new or developing technologies, and should take appropriate measures to manage and mitigate the risks identified.

Customer risk assessment

2.12 An AI should assess the ML/TF risks associated with a proposed business relationship, which is usually referred to as a customer risk assessment. The assessment conducted at the initial stage of the CDD process would determine the extent of CDD measures to be applied [3]. This means that the amount and type of information obtained, and the extent to which this information is verified, should be increased where the ML/TF risks associated with the business relationship are higher. It may also be simplified where the ML/TF risks associated with the business relationship are lower. The risk assessment conducted will also assist the AI to differentiate between the risks of individual customers and business relationships, as well as apply appropriate and proportionate CDD and risk mitigating measures [4].

[3] For the avoidance of doubt, except for certain situations specified in Chapter 4, an AI should always apply all the CDD measures set out in paragraph 4.1.3 and conduct ongoing monitoring of its customers.

[4] An AI should adopt a balanced and common sense approach when conducting a customer risk assessment and applying CDD measures, which should not pose an unreasonable barrier to bona fide businesses and individuals accessing services offered by the AI.

2.13 Based on a holistic view of the information obtained in the context of the application of CDD measures, an AI should be able to finalise the customer risk assessment [5], which determines the level and type of ongoing monitoring (including ongoing CDD and transaction monitoring), and supports the AI’s decision whether to enter into, continue or terminate the business relationship. As the customer risk profile will change over time, an AI should review and update the risk assessment of a customer from time to time, particularly during ongoing monitoring.

2.14 Similar to other parts of the AML/CFT Systems, an AI should adopt an RBA in the design and implementation of its customer risk assessment framework. The complexity of the framework should be commensurate with the nature and size of the AI’s business, and the framework should be designed based on the results of the AI’s institutional ML/TF risk assessment. In general, the customer risk assessment framework will include customer risk factors; country risk factors; and product, service, transaction or delivery channel risk factors [6].

2.15 An AI should keep records and relevant documents of its customer risk assessments so that it can demonstrate to the HKMA, among others: (a) how it assesses the customer’s ML/TF risks; and (b) that the extent of CDD measures and ongoing monitoring is appropriate based on that customer’s ML/TF risks.

[5] This is sometimes also called a “customer risk profile”.

[6] Further guidance can be found in Chapter 4.