Circular to Licensed Corporations and Associated Entities
Anti-Money Laundering / Counter Financing of Terrorism (AML/CFT)
AML/CFT measures and controls inspection findings
In inspections of licensed corporations (LCs) over the past year, the Securities and Futures Commission (SFC) detected a number of deficiencies in meeting the expected regulatory standards for AML/CFT measures and controls. These included a thematic inspection focusing on 13 LCs’ measures and controls for identifying and mitigating money laundering and terrorist financing (ML/TF) risks as well as reviews of the AML/CFT policies, procedures and controls of around 270 LCs during the SFC’s routine inspections. The deficiencies are detailed in Appendix 1 to this circular, whilst some good practices identified during the inspections are set out in Appendix 2.
The SFC reminds LCs and associated entities (AEs) to take all reasonable measures to mitigate ML/TF risks as well as to put in place proper safeguards to ensure compliance with the customer due diligence (CDD) and record-keeping requirements under the AMLO1.
LCs and AEs should critically review their internal AML/CFT policies, procedures and controls and take immediate action to rectify any deficiencies or inadequacies in light of this circular. In particular, LCs and AEs should avoid the following deficiencies and inadequacies which could seriously undermine the effectiveness of a firm’s AML/CFT measures and controls:
Institutional risk assessment2 (IRA) –
(a) failure to evaluate the adequacy and appropriateness of the firm’s existing AML/CFT policies, procedures and controls to address the ML/TF risks identified by IRAs;
(b) lack of documentation to demonstrate that the IRA results have been reviewed and approved by senior management.
Customer risk assessment3 (CRA) – failure to provide sufficient guidance to staff and to put in place adequate procedural and supervisory safeguards to ensure that staff conduct CRAs in compliance with the regulatory requirements and the firm’s policies.
Initial and ongoing CDD4 –
(a) failure to include all beneficial owners of a customer in the customer identification process and the politically exposed person screening process;
(b) failure to implement risk-based policies and procedures in a compliant and effective manner to ensure that:
(i) a customer which is a collective investment scheme (CIS) meets the eligibility criteria5before applying the simplified CDD6 under the AMLO to the customer;
(ii) the enhanced CDD measures applied to different high-risk customers match the nature and level of their risks and comply with any special requirements under the AMLO;
(iii) appropriate risk management measures are applied when the identity verification process is not completed before establishing a business relationship with a customer;
(iv) the CDD information for all high-risk customers is reviewed at least annually, and that any significant changes in the business relationships with these customers are taken into account in the reviews of their customer profiles and the related ML/TF risks.4. Sanctions screening7 –
(a) failure to conduct ongoing screening of existing customers against new or updated terrorist and sanctions designations;
(b) lack of documentation of justifications for disposing of potential name matches to demonstrate that they have been followed up and handled properly.5. Suspicious transaction monitoring and reporting –
(a) inadequate systems and controls to identify, or make follow-up enquiries about, customer transactions which exhibit major or common red flags indicating potentially suspicious transactions for timely evaluation;
(b) failure to review business relationships which have been reported to the Joint Financial Intelligence Unit and to take appropriate risk mitigating measures.LCs and AEs are also encouraged to consider any applicable good practices in Appendix 2 in devising their AML/CFT measures and controls.
The SFC will continue to monitor LCs’ and AEs’ compliance with their AML/CFT obligations and provide guidance to assist them in enhancing their AML/CFT policies, procedures and controls. The SFC will not hesitate to take regulatory action, including bringing enforcement proceedings against firms and their senior management, for failures to put in place proper AML/CFT measures and controls to comply with the legal and regulatory requirements.
Should you have any queries regarding the contents of this circular, please contact Ms Kammy Kwok at 2231 1455.
Intermediaries Supervision Department
Intermediaries Division
Securities and Futures CommissionEnclosure
End
SFO/IS/050/2018
1 Section 23 of Schedule 2 to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) (Cap. 615).
2 The process for identifying and assessing ML/TF risks to which a firm is exposed so as to determine the adequate and appropriate AML/CFT policies, procedures and controls which should be implemented to mitigate the risks identified, as required under paragraphs 2.2 to 2.8 of the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (AML Guideline) and elaborated in Appendix 1 to the SFC’s circular dated 26 January 2017 on Compliance with AML/CFT Requirements.
3 The process for identifying and categorising ML/TF risks at the customer level so as to determine the extent of CDD measures and ongoing monitoring which are commensurate with the risks identified pursuant to Chapter 3 of the AML Guideline.
4 Pursuant to section 2 of Schedule 2 to the AMLO, CDD measures consist of: (a) identifying a customer and verifying the customer’s identity using reliable, independent source documents, data or information; (b) if there is a beneficial owner in relation to the customer, identifying the beneficial owner and taking reasonable measures to verify the beneficial owner’s identity; (c) obtaining information on the purpose and intended nature of the business relationship; and (d) if a person purports to act on behalf of the customer, identifying the person and taking reasonable measures to verify the person’s identity using reliable and independent source documents, data or information and verifying the person’s authority to act on behalf of the customer.
5 The eligibility criteria for an investment vehicle (including a CIS) are set out in section 4(3)(d) of Schedule 2 to the AMLO and paragraphs 4.10.9 and 4.10.11 of the AML Guideline.
6 Under section 4(1) of Schedule 2 to the AMLO, applying simplified CDD means that the beneficial owner of a customer is not required to be identified and verified.
7 LCs are required under Chapter 6 of the AML Guideline to establish and maintain effective sanctions screening systems and mechanisms to avoid establishing business relationships or conducting transactions with any terrorist suspects or possible designated parties.
Links:
Appendices: Program Deficiencies, Good Practices
Categories: Anti-Money Laundering HK Securities and Futures Commission Regulatory Reviews
Mr. Watchlist 
Leave a Reply