7 October 2020
On 18 September 2020, the Securities and Futures Commission (SFC) commenced a three month consultation on a wide range of proposed changes to its Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) (Guideline) and the Prevention of Money Laundering and Terrorist Financing Guideline issued by the SFC for Associated Entities (AE Guideline). The SFC’s proposed changes include measures to incorporate various aspects of the Guidance for a Risk-based Approach for the Securities Sector (Securities Sector Guidance) published by FATF in October 2018, including through: · significantly enhancing the requirements in relation to institutional risk assessments, which we consider may open the door to enforcement in relation to deficiencies in firms’ risk assessment processes; · mitigation of the risks associated with business relationships in the securities sector similar to cross-border correspondent relationships; and · providing further guidance in relation to simplified and enhanced customer due diligence (CDD) processes, as well as red-flag indicators for suspicious transactions / activities. The SFC has also stated that, following industry feedback, it has also proposed changes designed to facilitate compliance with the existing requirement to assess third-party deposits, by allowing for third-party deposit due diligence to be conducted after settling transactions with deposited funds, but only in exceptional circumstances. Proposed changes to Guideline and AE Guideline The SFC’s proposed changes to the Guideline and AE Guideline are far-reaching, and include a range of amendments to consolidate existing guidance issued by way of circular into the two guidelines. However, we consider there are also five categories of proposed changes which are likely to require licenced corporations (LCs) to make significant revisions to their existing anti-money laundering and counter-terrorist financing (AML/CTF) policies, procedures and controls if enacted by the SFC. |
The SFC has emphasised that many of its proposed changes are intended to facilitate the securities industry’s implementation of AML/CTF measures using a risk-based approach, including through the enactment of a range of measures set out in FATF’s Securities Sector Guidance. As part of this focus on the use of a risk-based approach, the SFC has also emphasised the importance of the risk assessments undertaken by institutions to identify, assess and understand the money laundering and terrorist financing (ML/TF) risks to which they are exposed. While LCs are already required to undertake an institutional risk assessment, it is clear from the SFC’s proposed reforms that many LCs will need to significantly enhance their processes and procedures for undertaking this risk assessment. In particular, the SFC has proposed requiring LCs to: · consider quantitative and qualitative data to identify, manage and mitigate their ML/TF risks, including FATF and other international data; · consider a list of “non-exhaustive illustrative risk indicators” linked to higher or lower ML/TF risk in relation to four specific risk factors, being country risk, customer risk, product / service / transaction risk, delivery / distribution channel risk. While some of these risk factors appear in the current version of the Guideline, the revised list (set out in Appendix A of the proposed revised Guideline) includes a significant number of risk factors which do not currently form part of the SFC’s guidance and which firms may not currently have considered in their institutional risk assessment. The SFC has also noted that a number of these risk factors may also be relevant to the customer risk assessment process – for example, the SFC has identified non-resident customers who have no discernible reason for opening an account with an LC in Hong Kong as a type of higher customer risk; and · undertake an institutional risk assessment at least once every two years, or more frequently upon the occurrence of trigger events which materially impact an LC’s business and risk exposure, including, for example, the acquisition of a new customer segment or delivery channel, the launch of a new product and services or a significant change in the LC’s operational processes. The proposed revised Guideline does establish that the SFC acknowledges that the nature and extent of an institutional risk assessment procedure should be commensurate with the nature, size and complexity of the business of a financial institution (FI), and that a relatively less sophisticated risk assessment process may be appropriate for smaller FIs with less complex businesses. This is likely to be considerable comfort to smaller FIs who may not be equipped to undertake a large scale institutional risk assessment process. However, the SFC has also stressed that this risk assessment process is intended to facilitate the design and implementation of adequate and appropriate AML/CTF policies, procedures and controls that are “commensurate with the ML/TF risks identified in order to properly manage and mitigate them”. We consider that this may suggest that the SFC will adopt the strategy of foreign AML/CTF regulators in bringing disciplinary actions against firms in relation to deficiencies in risk assessment processes. For example, in multiple cases brought by AUSTRAC in Australia, deficiencies in a firm’s risk assessment processes have been used to establish that the AML/CTF policies implemented to manage the firm’s ML/TF risk could not possibly have been adequate or appropriate. |
The SFC has also proposed implementing a range of due diligence requirements in relation to cross-border correspondent relationships, which the SFC defines as situations in which Hong Kong LCs and registered institutions (RIs) provide dealing in securities, dealing in futures contracts or leveraged foreign exchange trading services to an institution outside of Hong Kong (respondent institution). The SFC has proposed requiring LCs and RIs to apply a range of additional due diligence measures in relation to these relationships, including: · collecting sufficient information about the respondent institution to enable it to understand fully the nature of the respondent institution’s business;
· determining from publicly available information the reputation of the respondent institution and the quality of its supervision by authorities in that place which perform functions similar to those of the relevant authorities, ie, regulators of the financial sectors covered by the AMLO; · assess the AML/CTF controls of the respondent institution and be satisfied that the AML/CTF controls of the respondent institution are adequate and effective; · obtain senior management approval to the relationship; and · understand clearly the respective AML/CTF responsibilities of the LC / RI and the respondent institution within the cross-border correspondent relationship. The SFC has also proposed that additional measures be undertaken where respondent institutions allow their underlying customers to directly access and operate the correspondent accounts, including requiring LCs and RIs to ensure that the respondent institution will, on request, provide CDD documents, data or information obtained by the respondent institution in relation to those customers. |
The SFC has proposed strengthening the risk-based application of CDD by amending the Guideline to include an expanded list of illustrative examples of possible simplified and enhanced CDD measures. This list includes just one additional example for simplified CDD measures, which is to allow for limiting the type / extent of CDD measures used, such as altering the type or range of documents used to verify a customer’s identity. However, there are a number of additional examples for enhanced CDD, including: · evaluating the information provided by the customer regarding the destination of funds involved in the transaction and the reason for the transaction in order to better assess ML/TF risks, especially when funds are transferred to higher risk jurisdictions; and · requiring that investment sale proceeds are paid to the customer’s bank account from which the funds for investment were originally transferred. |
The SFC has also noted that the Guideline’s current list of red-flag indicators which might give rise to suspicion of ML/TF were drawn from a 2009 FATF report regarding the securities sector, and that since this time the sector has evolved significantly due to the introduction of new products, services and transaction methods, as well as different ML/TF methods. As such, the SFC has proposed amending the Guideline to incorporate a wide range of new red-flag indicators drawn from the Securities Sector Guidance, including: · A customer who exhibits unusual concern with the FI’s AML/CTF systems including policies, controls, monitoring or reporting thresholds; · A customer who does not exhibit any concern with the cost of transactions or fees; · Securities intended to be held-to-maturity are unwound before maturity in the absence of volatile market conditions or other logical or apparent reason; · Multiple new customers are referred by the same individual to open accounts for trading in the same security within a short period of time; · A customer with limited or no other assets at the FI receives a transfer of large amounts of thinly-traded securities; · Frequent changes of bank account details or information for receiving investment sale proceeds; · Unusual or unexpected increase in the sales performance of an employee; and · The use of an address which is not the customer’s home or office address, eg, utilisation of an employee’s address for the dispatch of customer documentation or correspondence. The SFC has stressed that its illustrative list of red-flag indicators is intended “solely to provide an aid to LCs”, and that LCs should not consider it to be exhaustive, or to use this list as a routine instrument without further analysis or context. |
Finally, the SFC has also proposed providing additional guidance to facilitate LCs’ compliance with the existing requirement to assess third-party deposits, which LCs are generally expected to undertake prior to settling transactions with deposited funds. However, the SFC has flagged that it recognises that there may be “occasional and exceptional circumstances” where it is reasonable for some due diligence procedures to be undertaken after settling transactions with deposited funds, and has proposed amending the Guideline to permit LCs to do so. In particular, the SFC has proposed amending the Guideline to allow for this practice to occur only where: · LCs can effectively manage any ML/TF risk arising from the delay in completing the third-party deposit due diligence; · it is necessary to avoid interrupting the normal conduct of business with the customer; and · the third-party deposit due diligence is completed as soon as reasonably practicable. The SFC has also proposed requiring LCs to implement appropriate risk management policies and procedures in relation to delayed third-party deposit due diligence, and that these policies and procedures should include: · establishing a reasonable timeframe for the completion of the third-party deposit due diligence and the follow-up actions if that timeframe is exceeded (including suspension or termination of the business relationship); · placing appropriate limits on the number, types, and/or amount of transactions that can be performed; · enhanced monitoring of transactions carried out by or for the customer; and · ensuring senior management are regularly informed of all instances of delayed third-party deposit due diligence. |