Guideline on Anti-Money Laundering and Counter- Financing of Terrorism

(1)

Guideline on Anti-Money Laundering and Counter-

Financing of Terrorism

(For Authorized Institutions)

Revised October 2018

(2)

1.3 This Guideline is issued by the Hong Kong Monetary Authority (HKMA) and sets out the relevant anti-money laundering and counter-financing of terrorism (AML/CFT) statutory and regulatory requirements, and the AML/CFT standards which Authorized Institutions (AIs), including Registered Institutions (RIs)¹, should meet in order to comply with the statutory requirements under the AMLO and the BO. Compliance with this Guideline is enforced through the AMLO and the BO. AIs which fail to comply with this Guideline may be subject to disciplinary or other actions under the AMLO and/or the BO for non- compliance with the relevant requirements.

1.4 This Guideline is intended for use by AIs and their officers and staff. This Guideline also:

(a) provides a general background on the subjects of money laundering and terrorist financing (ML/TF), including a summary of the main provisions of the applicable AML/CFT legislation in Hong Kong; and

(b) provides practical guidance to assist AIs and their senior management in designing and implementing their own policies, procedures and controls in the relevant operational areas, taking into consideration their special circumstances, so as to meet the relevant AML/CFT statutory and regulatory requirements.

1.5 The relevance and usefulness of this Guideline will be kept under review and it may be necessary to issue amendments from time to time.

1 In addition to comply with this Guideline, RIs and associated entities that are AIs are required to have regard to paragraph 4.1.6 of the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism issued by the Securities and Futures Commission (SFC Guideline) for the definition of customer for the securities, futures and leveraged foreign exchange businesses, as well as paragraphs 7.13 and 7.14 of the SFC Guideline in identifying suspicious transactions for the securities, futures and leveraged foreign exchange businesses.

(4)

1.6 For the avoidance of doubt, the use of the word “must” or

“should” in relation to an action, consideration or measure referred to in this Guideline indicates that it is a mandatory requirement. Given the significant differences that exist in the organisational and legal structures of different AIs as well as the nature and scope of the business activities conducted by them, there exists no single set of universally applicable implementation measures. The content of this Guideline is not intended to be an exhaustive list of the means of meeting the statutory and regulatory requirements. AIs should therefore use this Guideline as a basis to develop measures appropriate to their structure and business activities.

s.7, AMLO 1.7 This Guideline also provides guidance in relation to the operation of the provisions of Schedule 2 to the AMLO (Schedule 2). This will assist AIs to meet their legal and regulatory obligations when tailored by AIs to their particular business risk profile. A failure by any person to comply with any provision of this Guideline does not by itself render the person liable to any judicial or other proceedings but, in any proceedings under the AMLO before any court, this Guideline is admissible in evidence; and if any provision set out in this Guideline appears to the court to be relevant to any question arising in the proceedings, the provision must be taken into account in determining that question. In considering whether a person has contravened a provision of Schedule 2, the HKMA must have regard to any relevant provision in this Guideline.

1.8 A failure to comply with any provision of this Guideline may reflect adversely on whether an AI continues to comply with the authorization criteria set out in the Seventh Schedule to the BO, particularly paragraph 10 of which requires an AI to maintain on and after authorization adequate accounting systems and systems of control. The HKMA is empowered to exercise various provisions under the BO in case of non-compliance with the requirements set out in this Guideline.

The nature of money laundering and terrorist financing

s.1, Sch. 1, AMLO 1.9 The term “money laundering” (ML) is defined in section 1 of Part 1 of Schedule 1 to the AMLO and means an act intended to have the effect of making any property:

(a) that is the proceeds obtained from the commission of an indictable offence under the laws of Hong Kong, or of any conduct which if it had occurred in Hong Kong would constitute an indictable offence under the laws of Hong Kong;

or

(b) that in whole or in part, directly or indirectly, represents such proceeds,

(5)

not to appear to be or so represent such proceeds.

1.10 There are three common stages in the laundering of money, and they frequently involve numerous transactions. An AI should be alert to any such sign for potential criminal activities. These stages are:

(a) Placement - the physical disposal of cash proceeds derived from illegal activities;

(b) Layering - separating illicit proceeds from their source by creating complex layers of financial transactions designed to disguise the source of the money, subvert the audit trail and provide anonymity; and

(c) Integration - creating the impression of apparent legitimacy to criminally derived wealth. In situations where the layering process succeeds, integration schemes effectively return the laundered proceeds back into the general financial system and the proceeds appear to be the result of, or connected to, legitimate business activities.

s.1, Sch. 1, AMLO 1.11 The term “terrorist financing” (TF) is defined in section 1 of Part 1 of Schedule 1 to the AMLO and means:

(a) the provision or collection, by any means, directly or indirectly, of any property –

(i) with the intention that the property be used; or (ii) knowing that the property will be used,

in whole or in part, to commit one or more terrorist acts (whether or not the property is actually so used);

(b) the making available of any property or financial (or related) services, by any means, directly or indirectly, to or for the benefit of a person knowing that, or being reckless as to whether, the person is a terrorist or terrorist associate; or (c) the collection of property or solicitation of financial (or

related) services, by any means, directly or indirectly, for the benefit of a person knowing that, or being reckless as to whether, the person is a terrorist or terrorist associate.

1.12 Terrorists or terrorist organisations require financial support in order to achieve their aims. There is often a need for them to obscure or disguise links between them and their funding sources.

It follows then that terrorist groups must similarly find ways to launder funds, regardless of whether the funds are from a legitimate or illegitimate source, in order to be able to use them without attracting the attention of the authorities.

(6)

Legislation concerned with ML, TF, financing of proliferation of weapons of mass destruction (PF) and financial sanctions

1.13 The Financial Action Task Force (FATF) is an inter-governmental body established in 1989. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating of ML, TF, PF, and other related threats to the integrity of the international financial system. The FATF has developed a series of Recommendations that are recognised as the international standards for combating of ML, TF and PF. They form the basis for a co-ordinated response to these threats to the integrity of the financial system and help ensure a level playing field. In order to ensure full and effective implementation of its standards at the global level, the FATF monitors compliance by conducting evaluations on jurisdictions and undertakes stringent follow-up after the evaluations, including identifying high-risk and other monitored jurisdictions which could be subject to enhanced scrutiny by the FATF or counter-measures by the FATF members and the international community at large. Many major economies have joined the FATF which has developed into a global network for international cooperation that facilitates exchanges between member jurisdictions. As a member of the FATF, Hong Kong is obliged to implement the latest FATF Recommendations² and it is important that Hong Kong complies with the international AML/CFT standards in order to maintain its status as an international financial centre.

1.14 The main pieces of legislation in Hong Kong that are concerned with ML, TF, PF and financial sanctions are the AMLO, the Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP), the Organized and Serious Crimes Ordinance (OSCO), the United Nations (Anti-Terrorism Measures) Ordinance (UNATMO), the United Nations Sanctions Ordinance (UNSO) and the Weapons of Mass Destruction (Control of Provision of Services) Ordinance (WMD(CPS)O). It is very important that AIs and their officers and staff fully understand their respective responsibilities under the different legislation.

AMLO

s.23, Sch. 2 1.15 The AMLO imposes requirements relating to customer due diligence (CDD) and record-keeping on AIs and provides the HKMA with the powers to supervise compliance with these requirements and other requirements under the AMLO. In addition, section 23 of Schedule 2 requires AIs to take all reasonable measures (a) to ensure that proper safeguards exist to prevent a contravention of any requirement under Parts 2 and 3 of

2 The FATF Recommendations can be found on the FATF’s website (www.fatf-gafi.org).

(7)

Schedule 2; and (b) to mitigate ML/TF risks.

s.5, AMLO 1.16 The AMLO makes it a criminal offence if an AI (1) knowingly; or (2) with the intent to defraud the HKMA, contravenes a specified provision of the AMLO. The “specified provisions” are listed in section 5(11) of the AMLO. If the AI knowingly contravenes a specified provision, it is liable to a maximum term of imprisonment of 2 years and a fine of $1 million upon conviction.

If the AI contravenes a specified provision with the intent to defraud the HKMA, it is liable to a maximum term of imprisonment of 7 years and a fine of $1 million upon conviction.

s.5, AMLO 1.17 The AMLO also makes it a criminal offence if a person who is an employee of an AI or is employed to work for an AI or is concerned in the management of an AI (1) knowingly; or (2) with the intent to defraud the AI or the HKMA, causes or permits the AI to contravene a specified provision in the AMLO. If the person who is an employee of an AI or is employed to work for an AI or is concerned in the management of an AI knowingly contravenes a specified provision he is liable to a maximum term of imprisonment of 2 years and a fine of $1 million upon conviction. If that person does so with the intent to defraud the AI or the HKMA, he is liable to a maximum term of imprisonment of 7 years and a fine of $1 million upon conviction.

s.21, AMLO 1.18 The HKMA may take disciplinary actions against AIs for any contravention of a specified provision in the AMLO. The disciplinary actions that can be taken include publicly reprimanding the AI; ordering the AI to take any action for the purpose of remedying the contravention; and ordering the AI to pay a pecuniary penalty not exceeding the greater of $10 million or 3 times the amount of profit gained, or costs avoided, by the AI as a result of the contravention.

DTROP

1.19 The DTROP contains provisions for the investigation of assets that are suspected to be derived from drug trafficking activities, the freezing of assets on arrest and the confiscation of the proceeds from drug trafficking activities upon conviction.

OSCO

1.20 The OSCO, among other things:

(a) gives officers of the Hong Kong Police Force and the Customs and Excise Department powers to investigate organised crime and triad activities;

(b) gives the Courts jurisdiction to confiscate the proceeds of organised and serious crimes, to issue restraint orders and charging orders in relation to the property of a defendant of

(8)

an offence specified in the OSCO;

(c) creates an offence of ML in relation to the proceeds of indictable offences; and

(d) enables the Courts, under appropriate circumstances, to receive information about an offender and an offence in order to determine whether the imposition of a greater sentence is appropriate where the offence amounts to an organised crime/triad related offence or other serious offences.

UNATMO

1.21 The UNATMO is principally directed towards implementing decisions contained in relevant United Nations Security Council Resolutions (UNSCRs) aimed at preventing the financing of terrorist acts and combating the threats posed by foreign terrorist fighters. Besides the mandatory elements of the relevant UNSCRs, the UNATMO also implements the more pressing elements of the FATF Recommendations specifically related to TF.

s.25, DTROP &

OSCO

1.22 Under the DTROP and the OSCO, a person commits an offence if he deals with any property knowing or having reasonable grounds to believe it to represent any person’s proceeds of drug trafficking or of an indictable offence respectively. The highest penalty for the offence upon conviction is imprisonment for 14 years and a fine of $5 million.

s.6, 7, 8, 8A, 13 &

14, UNATMO 1.23 The UNATMO, among other things, criminalises the provision or collection of property and making any property or financial (or related) services available to terrorists or terrorist associates. The highest penalty for the offence upon conviction is imprisonment for 14 years and a fine. The UNATMO also permits terrorist property to be frozen and subsequently forfeited.

s.25A, DTROP &

OSCO, s.12 & 14, UNATMO

1.24 The DTROP, the OSCO and the UNATMO also make it an offence if a person fails to disclose, as soon as it is reasonable for him to do so, his knowledge or suspicion of any property that directly or indirectly, represents a person’s proceeds of, was used in connection with, or is intended to be used in connection with, drug trafficking, an indictable offence or is terrorist property respectively. This offence carries a maximum term of imprisonment of 3 months and a fine of $50,000 upon conviction.

s.25A, DTROP &

OSCO, s.12 & 14, UNATMO

1.25 “Tipping off” is another offence under the DTROP, the OSCO and the UNATMO. A person commits an offence if, knowing or suspecting that a disclosure has been made, he discloses to any other person any matter which is likely to prejudice any investigation which might be conducted following that first- mentioned disclosure. The maximum penalty for the offence upon conviction is imprisonment for 3 years and a fine.

(9)

UNSO

1.26 The UNSO provides for the imposition of sanctions against persons and against places outside the People’s Republic of China arising from Chapter 7 of the Charter of the United Nations. Most UNSCRs are implemented in Hong Kong under the UNSO.

WMD(CPS)O

s.4, WMD(CPS)O 1.27 The WMD(CPS)O controls the provision of services that will or may assist the development, production, acquisition or stockpiling of weapons capable of causing mass destruction or that will or may assist the means of delivery of such weapons. Section 4 of WMD(CPS)O prohibits a person from providing any services where he believes or suspects, on reasonable grounds, that those services may be connected to PF. The provision of services is widely defined and includes the lending of money or other provision of financial assistance.

(10)

Chapter 2 – RISK-BASED APPROACH

Introduction

2.1 The risk-based approach (RBA) is central to the effective implementation of an AML/CFT regime. An RBA to AML/CFT means that jurisdictions, competent authorities, and AIs are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate with those risks in order to manage and mitigate them effectively. RBA allows an AI to allocate its resources more effectively and apply preventive measures that are commensurate with the nature and level of risks, in order to focus its AML/CFT efforts in the most effective way. Therefore, an AI should adopt an RBA in the design and implementation of its AML/CFT policies, procedures and controls (hereafter collectively referred to as “AML/CFT Systems”) with a view to managing and mitigating ML/TF risks.

Institutional ML/TF risk assessment

2.2 The institutional ML/TF risk assessment forms the basis of the RBA, enabling an AI to understand how and to what extent it is vulnerable to ML/TF. The AI should conduct an institutional ML/TF risk assessment to identify, assess and understand its ML/TF risks in relation to:

(a) its customers;

(b) the countries or jurisdictions its customers are from or in;

(c) the countries or jurisdictions the AI has operations in; and (d) the products, services, transactions and delivery channels of

the AI.

2.3 The appropriate steps to conduct the institutional ML/TF risk assessment should include:

(a) documenting the risk assessment process which includes the identification and assessment of relevant risks supported by qualitative and quantitative analysis, and information obtained from relevant internal and external sources;

(b) considering all the relevant risk factors before determining what the level of overall risk is, and the appropriate level and type of mitigation to be applied;

(c) obtaining the approval of senior management on the risk assessment results;

(d) having a process by which the risk assessment is kept up-to- date; and

(e) having appropriate mechanisms to provide the risk assessment to the HKMA when required to do so.

(11)

2.4 In conducting the institutional ML/TF risk assessment, an AI should cover a range of factors, including:

(a) customer risk factors, for example:

(i) its target market and customer segments;

(ii) the number and proportion of customers identified as high risk;

(b) country risk factors, for example:

(i) the countries or jurisdictions it is exposed to, either through its own activities or the activities of customers, especially countries or jurisdictions identified by credible sources, with relatively higher level of corruption or organised crime, and/or not having effective AML/CFT regimes;

(c) product, service, transaction or delivery channel risk factors, for example:

(i) the nature, scale, diversity and complexity of its business;

(ii) the characteristics of products and services offered, and the extent to which they are vulnerable to ML/TF abuse;

(iii) the volume and size of its transactions;

(iv) the delivery channels, including the extent to which the AI deals directly with the customer, the extent to which the AI relies on (or is allowed to rely on) third party to conduct CDD, the extent to which the AI uses technology, and the extent to which these channels are vulnerable to ML/TF abuse;

(d) other risk factors, for example:

(i) the nature, scale and quality of available ML/TF risk management resources, including appropriately qualified staff with access to ongoing AML/CFT training and development;

(ii) compliance and regulatory findings;

(iii) results of internal or external audits.

2.5 The scale and scope of the institutional ML/TF risk assessment should be commensurate with the nature, size and complexity of the AI’s business.

2.6 The institutional ML/TF risk assessment should consider any higher risks identified in other relevant risk assessments which may be issued from time to time, such as Hong Kong’s jurisdiction-wide ML/TF risk assessment and any higher risks notified to the AIs by the HKMA.

2.7 A locally-incorporated AI with branches or subsidiaries, including those located outside Hong Kong, should perform a group-wide ML/TF risk assessment.

(12)

2.8 For the purpose of paragraphs 2.2 and 2.7, if an AI is a part of a financial group and a group-wide or regional ML/TF risk assessment has been conducted, it may make reference to or rely on those assessments provided that the assessments adequately reflect ML/TF risks posed to the AI in the local context.

2.9 To keep the institutional ML/TF risk assessment up-to-date, an AI should conduct its assessment every two years and upon trigger events which are material to the AI’s business and risk exposure.

New products, new business practices and use of new technologies

2.10 An AI should identify and assess the ML/TF risks that may arise in relation to:

(a) the development of new products and new business practices, including new delivery mechanisms; and

(b) the use of new or developing technologies for both new and pre-existing products.

2.11 An AI should undertake the risk assessment prior to the launch of the new products, new business practices, or the use of new or developing technologies, and should take appropriate measures to manage and mitigate the risks identified.

Customer risk assessment

2.12 An AI should assess the ML/TF risks associated with a proposed business relationship, which is usually referred to as a customer risk assessment. The assessment conducted at the initial stage of the CDD process would determine the extent of CDD measures to be applied³. This means that the amount and type of information obtained, and the extent to which this information is verified, should be increased where the ML/TF risks associated with the business relationship are higher. It may also be simplified where the ML/TF risks associated with the business relationship is lower. The risk assessment conducted will also assist the AI to differentiate between the risks of individual customers and business relationships, as well as apply appropriate and proportionate CDD and risk mitigating measures⁴.

3 For the avoidance of doubt, except for certain situations specified in Chapter 4, an AI should always apply all the CDD measures set out in paragraph 4.1.3 and conduct ongoing monitoring of its customers.

4 An AI should adopt a balanced and common sense approach when conducting a customer risk assessment and applying CDD measures, which should not pose an unreasonable barrier to bona fide businesses and individuals accessing services offered by the AI.

(13)

2.13 Based on a holistic view of the information obtained in the context of the application of CDD measures, an AI should be able to finalise the customer risk assessment⁵, which determines the level and type of ongoing monitoring (including ongoing CDD and transaction monitoring), and support the AI’s decision whether to enter into, continue or terminate, the business relationship. As the customer risk profile will change over time, an AI should review and update the risk assessment of a customer from time to time, particularly during ongoing monitoring.

2.14 Similar to other parts of the AML/CFT Systems, an AI should adopt an RBA in the design and implementation of its customer risk assessment framework, and the complexity of the framework should be commensurate with the nature and size of the AI’s business, and should be designed based on the results of AI’s institutional ML/TF risk assessment. In general, the customer risk assessment framework will include customer risk factors; country risk factors; and product, service, transaction or delivery channel risk factors⁶.

2.15 An AI should keep records and relevant documents of its customer risk assessments so that it can demonstrate to the HKMA, among others: (a) how it assesses the customer’s ML/TF risks; and (b) the extent of CDD measures and ongoing monitoring is appropriate based on that customer’s ML/TF risks.

5 This is sometimes also called a “customer risk profile”.

6 Further guidance can be found in Chapter 4.

(14)

Chapter 3 – AML/CFT SYSTEMS

AML/CFT Systems

s.23, Sch. 2 3.1 An AI should take all reasonable measures to ensure that proper safeguards exist to mitigate the risks of ML/TF and to prevent a contravention of any requirement under Part 2 or 3 of Schedule 2.

To ensure compliance with this requirement, the AI should implement appropriate AML/CFT Systems following the RBA as stated in paragraph 2.1.

s.23(b), Sch. 2 3.2 An AI should:

(a) have AML/CFT Systems, which are approved by senior management, to enable the AI to effectively manage and mitigate the risks that are relevant to the AI;

(b) monitor the implementation of those AML/CFT Systems referred to in (a), and to enhance them if necessary; and (c) take enhanced measures to manage and mitigate the risks

where higher risks are identified.

3.3 The nature, scale and complexity of AML/CFT Systems may be simplified provided that:

(a) an AI complies with the statutory requirements set out in the Schedule 2 of the AMLO and the requirements set out in paragraphs 2.2, 2.3 and 3.2;

(b) the lower ML/TF risks which form the basis for doing so have been identified through an appropriate risk assessment (e.g. institutional ML/TF risk assessment); and

(c) simplified AML/CFT Systems, which are approved by senior management, are subject to review from time to time.

However, AML/CFT Systems are not permitted to be simplified whenever there is a suspicion of ML/TF.

3.4 An AI should implement AML/CFT Systems having regard to the nature, size and complexity of its businesses and the ML/TF risks arising from those businesses, and which should include:

(a) compliance management arrangements;

(b) an independent audit function;

(c) employee screening procedures; and

(d) an ongoing employee training programme (see Chapter 9).

Compliance management arrangements

3.5 An AI should have appropriate compliance management arrangements that facilitate the AI to implement AML/CFT Systems to comply with relevant legal and regulatory obligations as well as to manage ML/TF risks effectively. Compliance

(15)

management arrangements should, at a minimum, include oversight by the AI’s senior management, and appointment of a Compliance Officer (CO) and a Money Laundering Reporting Officer (MLRO)⁷.

Senior management oversight

3.6 Effective ML/TF risk management requires adequate governance arrangements. The board of directors or its delegated committee (where applicable), and senior management of an AI should have a clear understanding of its ML/TF risks and ensure that the risks are adequately managed. Management information regarding ML/TF risks and the AML/CFT Systems should be communicated to them in a timely, complete, understandable and accurate manner so that they are equipped to make informed decisions.

3.7 The senior management of an AI is responsible for implementing effective AML/CFT Systems that can adequately manage the ML/TF risks identified. In particular, the senior management should appoint a CO at the management level to have the overall responsibility for the establishment and maintenance of the AI’s AML/CFT Systems; and a senior staff as the MLRO to act as the central reference point for suspicious transaction reporting.

3.8 In order that the CO and MLRO can discharge their responsibilities effectively, senior management should, as far as practicable, ensure that the CO and MLRO are:

(a) appropriately qualified with sufficient AML/CFT knowledge;

(b) subject to constraint of size of the AI, independent of all operational and business functions;

(c) normally based in Hong Kong;

(d) of a sufficient level of seniority and authority within the AI;

(e) provided with regular contact with, and when required, direct access to senior management to ensure that senior management is able to satisfy itself that the statutory obligations are being met and that the business is taking sufficiently effective measures to protect itself against the risks of ML/TF;

(f) fully conversant with the AI’s statutory and regulatory requirements and the ML/TF risks arising from the AI’s business;

(g) capable of accessing, on a timely basis, all available information (both from internal sources such as CDD records and external sources such as circulars from the HKMA); and (h) equipped with sufficient resources, including staff and

7 Depending on the size of an AI, the functions of CO and MLRO may be performed by the same person.

(16)

appropriate cover for the absence of the CO and MLRO (i.e.

an alternate or deputy CO and MLRO who should, where practicable, have the same status).

CO and MLRO

3.9 The principal function of the CO is to act as the focal point within an AI for the oversight of all activities relating to the prevention and detection of ML/TF, and providing support and guidance to the senior management to ensure that ML/TF risks are adequately identified, understood and managed. In particular, the CO should assume responsibility for:

(a) developing and/or continuously reviewing the AI’s AML/CFT Systems, including any group-wide AML/CFT Systems in the case of a Hong Kong-incorporated AI, to ensure they remain up-to-date, meet current statutory and regulatory requirements, and are effective in managing ML/TF risks arising from the AI’s business;

(b) overseeing all aspects of the AI’s AML/CFT Systems which include monitoring effectiveness and enhancing the controls and procedures where necessary;

(c) communicating key AML/CFT issues with senior management, including, where appropriate, significant compliance deficiencies; and

(d) ensuring AML/CFT staff training is adequate, appropriate and effective.

3.10 An AI should appoint an MLRO as a central reference point for reporting suspicious transactions and also as the main point of contact with the Joint Financial Intelligence Unit (JFIU) and law enforcement agencies. The MLRO should play an active role in the identification and reporting of suspicious transactions.

Principal functions of the MLRO should include having oversight of:

(a) review of internal disclosures and exception reports and, in light of all available relevant information, determining whether or not it is necessary to make a report to the JFIU;

(b) maintenance of all records related to such internal reviews;

and

(c) provision of guidance on how to avoid tipping off.

Independent Audit function

3.11 An AI should establish an independent audit function⁸ which should have a direct line of communication to the senior management of the AI. The function should have sufficient

8 Reference should be made to relevant parts of the Supervisory Policy Manual published by the HKMA, particularly

“IC-2 Internal Audit Function”.

(17)

expertise and resources to enable it to carry out its responsibilities, including independent reviews of the AI’s AML/CFT Systems.

3.12 The audit function should regularly review the AML/CFT Systems to ensure effectiveness. The review should include, but not be limited to:

(a) adequacy of the AI’s AML/CFT Systems, ML/TF risk assessment framework and application of RBA;

(b) effectiveness of suspicious transaction reporting systems;

(c) effectiveness of the compliance function; and

(d) level of awareness of staff having AML/CFT responsibilities.

3.13 The frequency and extent of the review should be commensurate with the nature, size and complexity of its businesses and the ML/TF risks arising from those businesses. Where appropriate, the AI should also seek a review from external parties.

Employee screening

3.14 An AI should have adequate and appropriate screening procedures in order to ensure high standards when hiring employees⁹.

Group-wide AML/CFT Systems

3.15 Subject to paragraphs 3.18 and 3.19, a Hong Kong-incorporated AI with overseas branches or subsidiary undertakings that carry on the same business as a financial institution (FI) as defined in the AMLO should implement group-wide AML/CFT Systems to apply the requirements set out in this Guideline¹⁰ to all of its overseas branches and subsidiary undertakings in its financial group, wherever the requirements in this Guideline are relevant and applicable to the overseas branches and subsidiary undertakings concerned.

s.22(1), Sch. 2 3.16 In particular, a Hong Kong-incorporated AI should, through its group-wide AML/CFT Systems, ensure that all of its overseas branches and subsidiary undertakings that carry on the same business as an FI as defined in the AMLO, have procedures in place to ensure compliance with the CDD and record-keeping requirements similar to those imposed under Parts 2 and 3 of Schedule 2, to the extent permitted by the laws and regulations of that place.

9 Reference should be made to relevant parts of the Supervisory Policy Manual published by the HKMA, particularly

“CG-6 Competence and ethical behavior”.

10 For the avoidance of doubt, these include, but not limited to, the requirements set out in paragraph 3.4.

(18)

3.17 To the extent permitted by the laws and regulations of the jurisdictions involved and subject to adequate safeguards on the protection of confidentiality and use of information being shared, including safeguards to prevent tipping off, a Hong Kong- incorporated AI should also implement, through its group-wide AML/CFT Systems, for:

(a) sharing information required for the purposes of CDD and ML/TF risk management; and

(b) provision to the AI’s group-level compliance, audit and/or AML/CFT functions, of customer, account, and transaction information from its overseas branches and subsidiary undertakings that carry on the same business as an FI as defined in the AMLO, when necessary for AML/CFT purposes¹¹.

3.18 If the AML/CFT requirements in the jurisdiction where the overseas branch or subsidiary undertaking of a Hong Kong- incorporated AI is located (host jurisdiction) differ from those relevant requirements referred to in paragraph 3.15, the AI should require that branch or subsidiary undertaking to apply the higher of the two sets of requirements, to the extent that host jurisdiction’s laws and regulations permit.

s.22(2), Sch. 2 3.19 If the host jurisdiction’s laws and regulations do not permit the branch or subsidiary undertaking of a Hong Kong-incorporated AI to apply the higher AML/CFT requirements, particularly the CDD and record-keeping requirements imposed under Parts 2 and 3 of Schedule 2, the AI should:

(a) inform the HKMA of such failure; and

(b) take additional measures to effectively mitigate ML/TF risks faced by the branch or subsidiary undertaking as a result of its inability to comply with the requirements.

11 This should include information and analysis of transactions or activities which appear unusual (if such analysis was done); and could include a suspicious transaction report, its underlying information, or the fact that a suspicious transaction report has been submitted. Similarly, branches and subsidiary undertakings should receive such information from these group-level functions when relevant and appropriate to risk management.

(19)

Chapter 4 – CUSTOMER DUE DILIGENCE

4.1 What CDD measures are

s.19(3), Sch. 2 4.1.1 The AMLO defines what CDD measures are (see paragraph 4.1.3) and also prescribes the circumstances in which an AI should carry out CDD (see paragraph 4.2). This Chapter provides guidance in this regard. Wherever possible, this Guideline gives AIs a degree of discretion in how they comply with the AMLO and put in place procedures for this purpose. In addition, an AI should, in respect of each kind of customer, business relationship, product and transaction, establish and maintain effective AML/CFT Systems for complying with the CDD requirements set out in this Chapter.

4.1.2 An AI should apply an RBA when conducting CDD measures and the extent of CDD measures should be commensurate with the ML/TF risks associated with a business relationship. Where the ML/TF risks are high, the AI should conduct enhanced due diligence (EDD) measures (see paragraph 4.9). In low risk situations, the AI may apply simplified due diligence (SDD) measures (see paragraph 4.8).

s.2(1), Sch. 2 4.1.3 The following are CDD measures applicable to an AI:

(a) identify the customer and verify the customer’s identity using documents, data or information provided by a reliable and independent source (see paragraph 4.3);

(b) where there is a beneficial owner in relation to the customer, identify and take reasonable measures to verify the beneficial owner’s identity so that the AI is satisfied that it knows who the beneficial owner is, including, in the case of a legal person or trust¹², measures to enable the AI to understand the ownership and control structure of the legal person or trust (see paragraph 4.4);

(c) obtain information on the purpose and intended nature of the business relationship (if any) established with the AI unless the purpose and intended nature are obvious (see paragraph 4.6); and

(d) if a person purports to act on behalf of the customer:

(i) identify the person and take reasonable measures to verify the person’s identity using documents, data or information provided by a reliable and independent source; and

(ii) verify the person’s authority to act on behalf of the customer (see paragraph 4.5).

12 For the purpose of this Guideline, a trust means an express trust or any similar arrangement for which a legal- binding document (i.e. a trust deed or in any other forms) is in place.

(20)

4.1.4 The term “customer” is defined in the AMLO to include a client.

The meaning of “customer” and “client” should be inferred from its everyday meaning and in the context of the industry practice.

4.1.5 In general, the term “customer” refers to the party, or parties, with whom a business relationship is established, or for whom a transaction is carried out by an AI. This generally excludes the third parties of a transaction. For example, an ordering AI in an outward wire transfer transaction does not regard the beneficiary (who has no other relationship with the AI) as its customer.

4.1.6 Hong Kong is an international financial centre, and it is not uncommon for a customer relationship to be managed by an AI but the account of that customer to be booked outside Hong Kong.

Whether this relationship should be considered as a business relationship as defined in the AMLO, a major consideration is whether the relationship is managed in substance by the AI. If there is a business relationship, the AI should comply with relevant requirements set out in the AMLO and this Guideline in relation to that customer¹³.

4.2 When CDD measures should be carried out

s.3(1), Sch. 2 4.2.1 An AI should carry out CDD measures in relation to a customer:

(a) at the outset of a business relationship;

(b) before performing any occasional transaction¹⁴:

(i) equal to or exceeding an aggregate value of $120,000, whether carried out in a single operation or several operations that appear to the AI to be linked; or

(ii) a wire transfer equal to or exceeding an aggregate value of $8,000, whether carried out in a single operation or several operations that appear to the AI to be linked;

(c) when the AI suspects that the customer or the customer’s account is involved in ML/TF¹⁵; or

(d) when the AI doubts the veracity or adequacy of any information previously obtained for the purpose of identifying the customer or for the purpose of verifying the customer’s identity.

s.1, Sch. 2 4.2.2 “Business relationship” between a person and an AI is defined in the AMLO as a business, professional or commercial relationship:

(a) that has an element of duration; or

13 For the avoidance of doubt, a business relationship always exists whenever an account is booked in Hong Kong.

14 Occasional transactions may include for example, wire transfers, currency exchanges, purchase of cashier orders or gift cheques.

15 This criterion applies irrespective of the $120,000 or $8,000 threshold applicable to occasional transactions set out in paragraphs 4.2.1(b)(i) and 4.2.1(b)(ii) respectively.

(21)

(b) that the AI, at the time the person first contacts it in the person’s capacity as a potential customer of the AI, expects to have an element of duration.

s.1, Sch. 2 4.2.3 “Occasional transaction” is defined in the AMLO as a transaction between an AI and a customer who does not have a business relationship with the AI.

4.2.4 An AI should be vigilant to the possibility that a series of linked occasional transactions could meet or exceed the CDD thresholds of $8,000 for wire transfers and $120,000 for other types of transactions. Where the AI become aware that these thresholds are met or exceeded, CDD measures should be carried out.

4.2.5 The factors linking occasional transactions are inherent in the characteristics of the transactions – for example, where several payments are made to the same recipient from one or more sources over a short period, where a customer regularly transfers funds to one or more destinations. In determining whether the transactions are in fact linked, an AI should consider these factors against the timeframe within which the transactions are conducted.

4.2.6 Where cash transactions are undertaken by an AI for non-account holders of that AI, e.g. when cash is deposited into an existing account by a person whose name does not appear on the mandate of that account, care and vigilance are required. Where the transaction involves an amount equal to or exceeding $120,000, or is otherwise unusual, the person should be asked to produce positive evidence of identity, and a copy should be retained on file.

4.3 Identification and verification of identity – customer

s.2(1)(a), Sch. 2 4.3.1 An AI should identify the customer and verify the customer’s identity by reference to documents, data or information provided by a reliable and independent source:

(a) a governmental body;

(b) the HKMA or any other relevant authority (RA);

(c) an authority in a place outside Hong Kong that performs functions similar to those of the HKMA or any other RA; or (d) any other reliable and independent source that is recognised

by the HKMA.

(22)

Customer that is a natural person¹⁶

s.2(1)(a), Sch. 2 4.3.2 For a customer that is a natural person, an AI should identify the customer by obtaining at least the following identification information:

(a) full name;

(b) date of birth;

(c) nationality; and

(d) unique identification number (e.g. identity card number or passport number) and document type.

s.2(1)(a), Sch. 2 4.3.3 In verifying the identity of a customer that is a natural person, an AI should verify the name, date of birth, unique identification number and document type of the customer by reference to documents, data or information provided by a reliable and independent source, examples of which include:

(a) Hong Kong identity card or other national identity card;

(b) valid travel document (e.g. unexpired passport); or

(c) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body).

4.3.4 The identification document obtained by an AI should contain a photograph of the customer. In exceptional circumstances where an AI is unable to obtain an identification document with a photograph, the AI may accept an identification document without a photograph if the associated risks have been properly assessed and mitigated.

4.3.5 An AI should obtain the residential address information of a customer that is a natural person¹⁷.

Customer that is a legal person¹⁸

s.2(1)(a), Sch. 2 4.3.6 For a customer that is a legal person, an AI should identify the customer by obtaining at least the following identification information:

(a) full name;

(b) date of incorporation, establishment or registration;

(c) place of incorporation, establishment or registration

16 For the purpose of this Guideline, the terms “natural person” and “individual” are used interchangeably.

17 For the avoidance of doubt, an AI may, under certain circumstances, require verification (on top of collection) of residential address from a customer for other purposes (e.g. group requirements, other local or overseas legal and regulatory requirements). In such circumstances, the AI should communicate clearly to the customer the reasons of requiring verification of address.

18 Legal person refers to any entities other than natural person that can establish a permanent customer relationship with an AI or otherwise own property. This can include companies, bodies corporate, foundations, anstalt, partnerships, associations or other relevantly similar entities.

(23)

(including address of registered office);

(d) unique identification number (e.g. incorporation number or business registration number) and document type; and (e) principal place of business (if different from the address of

registered office).

s.2(1)(a), Sch. 2 4.3.7 In verifying the identity of a customer that is a legal person, an AI should normally verify its name, legal form, current existence (at the time of verification) and powers that regulate and bind the legal person by reference to documents, data or information provided by a reliable and independent source, examples of which include¹⁹:

(a) certificate of incorporation;

(b) record in an independent company registry;

(c) certificate of incumbency;

(d) certificate of good standing;

(e) record of registration;

(f) partnership agreement or deed;

(g) constitutional document; or

(h) other relevant documents, data or information provided by a reliable and independent source (e.g. document issued by a government body).

4.3.8 For a customer that is a partnership or an unincorporated body, confirmation of the customer’s membership of a relevant professional or trade association is likely to be sufficient to verify the identity of the customer as required in paragraph 4.3.7 provided that:

(a) the customer is a well-known, reputable organisation;

(b) the customer has a long history in its industry; and

(c) there is substantial public information about the customer, its partners and controllers.

4.3.9 In the case of associations, clubs, societies, charities, religious bodies, institutes, mutual and friendly societies, co-operative and provident societies, an AI should satisfy itself as to the legitimate purpose of the organisation, e.g. by requesting sight of the constitution.

Customer that is a trust or other similar legal arrangement²⁰

s.2(1)(a), Sch. 2 4.3.10 In respect of trusts, an AI should identify and verify the trust as a customer in accordance with the requirements set out in

19 In some instances, an AI may need to obtain more than one document to meet this requirement. For example, a certificate of incorporation can only verify the name and legal form of the legal person in most circumstances but cannot act as a proof of current existence.

20 Examples of legal arrangement include fiducie, treuhand and fideicomiso.

(24)

paragraphs 4.3.11 and 4.3.12. The AI should also regard the trustee as its customer if the trustee enters into a business relationship or carries out occasional transactions on behalf of the trust, which is generally the case if the trust does not possess a separate legal personality. In such a case, the AI should identify and verify the identity of the trustee in line with the identification and verification requirements for a customer that is a natural person or a legal person, where applicable.

s.2(1)(a), Sch. 2 4.3.11 For a customer that is a trust or other similar legal arrangement, an AI should identify the customer by obtaining at least the following identification information:

(a) name of the trust or legal arrangement;

(b) date of establishment or settlement;

(c) the jurisdiction whose laws govern the trust or legal arrangement;

(d) unique identification number (if any) granted by any applicable official bodies and document type (e.g. tax identification number or registered charity or non-profit organisation number); and

(e) address of registered office (if applicable).

s.2(1)(a), Sch. 2 4.3.12 In verifying the identity of a customer that is a trust or other similar legal arrangement, an AI should normally verify its name, legal form, current existence (at the time of verification) and powers that regulate and bind the trust or other similar legal arrangement by reference to documents, data or information provided by a reliable and independent source, examples of which include:

(a) trust deed or similar instrument²¹;

(b) record of an appropriate register²² in the relevant country of establishment;

(c) written confirmation from a trustee acting in a professional capacity²³;

(d) written confirmation from a lawyer who has reviewed the relevant instrument; or

(e) written confirmation from a trust company which is within the same financial group as the AI, if the trust concerned is managed by that trust company.

21 Under exceptional circumstance, the AI may choose to retain a redacted copy.

22 In determining whether a register is appropriate, the AI should have regard to adequate transparency (e.g. a system of central registration where a national registry records details on trusts and other legal arrangements registered in that country). Changes in ownership and control information would need to be kept up-to-date.

23 “Trustees acting in their professional capacity” in this context means that they act in the course of a profession or business which consists of or includes the provision of services in connection with the administration or management of trusts (or a particular aspect of the administration or management of trusts).

(25)

Reliability of documents, data or information

4.3.13 In verifying the identity of a customer, an AI needs not establish accuracy of every piece of identification information collected in paragraphs 4.3.2, 4.3.6 and 4.3.11.

4.3.14 An AI should ensure that documents, data or information obtained for the purpose of verifying the identity of a customer as required in paragraphs 4.3.3, 4.3.7 and 4.3.12 is current at the time they are provided to or obtained by the AI.

4.3.15 When using documents for verification, an AI should be aware that some types of documents are more easily forged than others, or can be reported as lost or stolen. Therefore, the AI should consider applying anti-fraud procedures that are commensurate with the risk profile of the person being verified.

4.3.16 If a natural person customer or a person representing a legal person, a trust or other similar legal arrangement to establish a business relationship with an AI is physically present during the CDD process, the AI should generally have sight of original identification document by its staff and retain a copy of the document. However, there are a number of occasions where an original identification document cannot be produced by the customers (e.g. the original document is in electronic form). In such an occasion, the AI should take appropriate measures to ensure the reliability of identification documents obtained.

4.3.17 Where the documents, data or information being used for the purposes of identification are in a foreign language, appropriate steps should be taken by the AI to be reasonably satisfied that the documents, data or information in fact provide evidence of the customer’s identity.

Connected parties

4.3.18 Where a customer is a legal person, a trust or other similar legal arrangement, an AI should identify all the connected parties²⁴ of the customer by obtaining their names.

4.3.19 A connected party of a customer that is a legal person, a trust or other similar legal arrangement:

(a) in relation to a corporation, means a director of the customer;

(b) in relation to a partnership, means a partner of the customer;

(c) in relation to a trust or other similar legal arrangement, means a trustee (or equivalent) of the customer; and

24 For the avoidance of doubt, if a connected party also satisfies the definition of a customer, a beneficial owner of the customer or a person purporting to act on behalf of the customer, the AI has to identify and verify the identity of that person with reference to relevant requirements set out in this Guideline.

(26)

(d) in other cases not falling within subsection (a), (b) or (c), means a natural person holding a senior management position or having executive authority in the customer.

4.4 Identification and verification of identity – beneficial owner

s.2(1)(b), Sch. 2 4.4.1 A beneficial owner is normally a natural person who ultimately owns or controls the customer or on whose behalf a transaction or activity is being conducted. An AI should identify any beneficial owner in relation to a customer, and take reasonable measures to verify the beneficial owner’s identity so that the AI is satisfied that it knows who the beneficial owner is.

4.4.2 The verification requirements for a customer and a beneficial owner are different under the AMLO. In determining what constitutes reasonable measures to verify the identity of a beneficial owner of a customer, an AI should consider and give due regard to the ML/TF risks posed by the customer and the business relationship.

4.4.3 Where a natural person is identified as a beneficial owner, the AI should endeavour to obtain the same identification information as at paragraph 4.3.2 as far as possible.

Beneficial owner in relation to a natural person

4.4.4 In respect of a customer that is a natural person, there is no requirement on an AI to make proactive searches for beneficial owners of the customer in such a case, but the AI should make appropriate enquiries where there are indications that the customer is not acting on his own behalf.

Beneficial owner in relation to a legal person

s.1, Sch. 2 4.4.5 The AMLO defines beneficial owner in relation to a corporation as:

(a) an individual who

(i) owns or controls, directly or indirectly, including through a trust or bearer share holding, more than 25%

of the issued share capital of the corporation;

(ii) is, directly or indirectly, entitled to exercise or control the exercise of more than 25% of the voting rights at general meetings of the corporation; or

(iii) exercises ultimate control over the management of the corporation; or

(b) if the corporation is acting on behalf of another person, means the other person.

s.1, Sch. 2 4.4.6 The AMLO defines beneficial owner, in relation to a partnership as:

(27)

(a) an individual who

(i) is entitled to or controls, directly or indirectly, more than a 25% share of the capital or profits of the partnership;

(ii) is, directly or indirectly, entitled to exercise or control the exercise of more than 25% of the voting rights in the partnership; or

(iii) exercises ultimate control over the management of the partnership; or

(b) if the partnership is acting on behalf of another person, means the other person.

s.1, Sch. 2 4.4.7 In relation to an unincorporated body other than a partnership, beneficial owner:

(a) means an individual who ultimately owns or controls the unincorporated body; or

(b) if the unincorporated body is acting on behalf of another person, means the other person.

s.2(1)(b), Sch. 2 4.4.8 For a customer that is a legal person, an AI should identify any natural person who ultimately has a controlling ownership interest (i.e. more than 25%) in the legal person and any natural person exercising control of the legal person or its management, and take reasonable measures to verify their identities. If there is no such natural person (i.e. no natural person falls within the definition of beneficial owners set out in paragraphs 4.4.5 to 4.4.7), the AI should identify the relevant natural persons who hold the position of senior managing official, and take reasonable measures to verify their identities.

4.4.9 While an AI usually can identify who the beneficial owner of a customer is in the course of understanding the ownership and control structure of the customer, the AI may obtain an undertaking or declaration²⁵ from the customer on the identity of, and the information relating to, its beneficial owner.

Nevertheless, in addition to the undertaking or declaration obtained, the AI should take reasonable measures to verify the identity of the beneficial owner (e.g. corroborating the undertaking or declaration with publicly available information).

4.4.10 If the ownership structure of a customer involves different types of legal persons or legal arrangements, in determining who the beneficial owner is, an AI should pay attention to who has ultimate ownership or control over the customer, or who

25 In some jurisdictions, corporations are required to maintain registers of their beneficial owners (e.g. the significant controllers registers maintained in accordance with the Companies Ordinance of Hong Kong). An AI may refer to those registers to assist in identifying the beneficial owners of its customers. Where a register of the beneficial owners is not made publicly available, the AI may obtain the record directly from its customers.

(28)

constitutes the controlling mind and management of the customer.

Beneficial owner in relation to a trust or other similar legal arrangement

s.1, Sch. 2 4.4.11 The AMLO defines the beneficial owner, in relation to a trust as:

(a) an individual who is entitled to a vested interest in more than 25% of the capital of the trust property, whether the interest is in possession or in remainder or reversion and whether it is defeasible or not;

(b) the settlor of the trust;

(c) a protector or enforcer of the trust; or

(d) an individual who has ultimate control over the trust.

s.2(1)(b), Sch. 2 4.4.12 Similar to a corporation, a trust or other similar legal arrangement can also be part of an intermediate layer in an ownership structure, and should be dealt with in similar manner to a corporation being part of an intermediate layer. For trusts, an AI should identify the settlor, the protector (if any), the enforcer (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate control over the trust (including through a chain of control or ownership), and take reasonable measures to verify their identities. For other similar legal arrangements, an AI should identify any natural person in equivalent or similar positions to a beneficial owner of a trust as stated above and take reasonable measures to verify the identity of such person. If a trust or other similar legal arrangement is involved in a business relationship and an AI does not regard the trustee (or equivalent in other similar legal arrangement) as its customer pursuant to paragraph 4.3.10 (e.g. when a trust appears as part of an intermediate layer), the AI should also identify the trustee and take reasonable measures to verify the identity of the trustee so that the AI is satisfied that it knows who the trustee is.

4.4.13 For a beneficiary of a trust designated by characteristics or by class, an AI should obtain sufficient information²⁶concerning the beneficiary to satisfy the AI that it will be able to establish the identity of the beneficiary at the time of payout or when the beneficiary intends to exercise vested rights.

Ownership and control structure

s.2(1)(b), Sch. 2 4.4.14 Where a customer is not a natural person, an AI should understand its ownership and control structure, including identification of any intermediate layers (e.g. by reviewing an ownership chart of the customer). The objective is to follow the chain of ownerships to the beneficial owners of the customer.

26 For example, an AI may ascertain and name the scope of the class of beneficiaries (e.g. children of a named individual).

(29)

4.4.15 Where a customer has a complex ownership or control structure, an AI should obtain sufficient information for the AI to satisfy itself that there is a legitimate reason behind the particular structure employed.

Bearer shares

4.4.16 Bearer shares refer to negotiable instruments that accord ownership in a legal person to the person who possesses the bearer share certificate. Therefore it is more difficult to establish the beneficial ownership of a company with bearer shares. An AI should adopt procedures to establish the identities of the beneficial owners of such shares and ensure that the AI is notified whenever there is a change of beneficial owner of such shares.

4.4.17 Where bearer shares have been deposited with an authorised/registered custodian, an AI should seek independent evidence of this, for example confirmation from the registered agent that an authorised/registered custodian holds the bearer shares, together with the identities of the authorised/registered custodian and the person who has the right to those entitlements carried by the share. As part of the AI’s ongoing periodic review, it should obtain evidence to confirm the authorised/registered custodian of the bearer shares.

4.4.18 Where the shares are not deposited with an authorised/registered custodian, an AI should obtain declarations prior to account opening and annually thereafter from each beneficial owner of such shares. The AI should also require the customer to notify it immediately of any changes in the ownership of the shares.

Nominee shareholders

4.4.19 For a customer identified to have nominee shareholders in its ownership structure, an AI should obtain satisfactory evidence of the identities of the nominees, and the persons on whose behalf they are acting, as well as the details of arrangements in place, in order to determine who the beneficial owner is.

4.5 Identification and verification of identity – person purporting to act on behalf of the customer

4.5.1 A person may be appointed to act on behalf of a customer to establish business relationships, or may be authorised to give instructions to an AI to conduct various activities through the account or the business relationship established. Whether the person is considered to be a person purporting to act on behalf of the customer (PPTA) should be determined based on the nature of that person’s roles and the activities which the person is authorised to conduct, as well as the ML/TF risks associated with these roles and activities. An AI should implement clear policies and procedures for determining who is considered to be a PPTA.

Guideline on Anti-Money Laundering and Counter- Financing of Terrorism