Circular to Licensed Corporations and Associated Entities
Anti-Money Laundering / Counter Financing of Terrorism (AML/CFT)
AML/CFT measures and controls inspection findings
In inspections of licensed corporations (LCs) over the past year, the Securities and Futures Commission (SFC) detected a number of deficiencies in meeting the expected regulatory standards for AML/CFT measures and controls. These included a thematic inspection focusing on 13 LCs’ measures and controls for identifying and mitigating money laundering and terrorist financing (ML/TF) risks as well as reviews of the AML/CFT policies, procedures and controls of around 270 LCs during the SFC’s routine inspections. The deficiencies are detailed in Appendix 1 to this circular, whilst some good practices identified during the inspections are set out in Appendix 2.
The SFC reminds LCs and associated entities (AEs) to take all reasonable measures to mitigate ML/TF risks as well as to put in place proper safeguards to ensure compliance with the customer due diligence (CDD) and record-keeping requirements under the AMLO1.
LCs and AEs should critically review their internal AML/CFT policies, procedures and controls and take immediate action to rectify any deficiencies or inadequacies in light of this circular. In particular, LCs and AEs should avoid the following deficiencies and inadequacies which could seriously undermine the effectiveness of a firm’s AML/CFT measures and controls:
Institutional risk assessment2 (IRA) –
(a) failure to evaluate the adequacy and appropriateness of the firm’s existing AML/CFT policies, procedures and controls to address the ML/TF risks identified by IRAs;
(b) lack of documentation to demonstrate that the IRA results have been reviewed and approved by senior management.
Customer risk assessment3 (CRA) – failure to provide sufficient guidance to staff and to put in place adequate procedural and supervisory safeguards to ensure that staff conduct CRAs in compliance with the regulatory requirements and the firm’s policies.
Initial and ongoing CDD4 –
(a) failure to include all beneficial owners of a customer in the customer identification process and the politically exposed person screening process;
(b) failure to implement risk-based policies and procedures in a compliant and effective manner to ensure that:
(i) a customer which is a collective investment scheme (CIS) meets the eligibility criteria5before applying the simplified CDD6 under the AMLO to the customer;
(ii) the enhanced CDD measures applied to different high-risk customers match the nature and level of their risks and comply with any special requirements under the AMLO;
(iii) appropriate risk management measures are applied when the identity verification process is not completed before establishing a business relationship with a customer;
(iv) the CDD information for all high-risk customers is reviewed at least annually, and that any significant changes in the business relationships with these customers are taken into account in the reviews of their customer profiles and the related ML/TF risks.
4. Sanctions screening7 –
(a) failure to conduct ongoing screening of existing customers against new or updated terrorist and sanctions designations;
(b) lack of documentation of justifications for disposing of potential name matches to demonstrate that they have been followed up and handled properly.
5. Suspicious transaction monitoring and reporting –
(a) inadequate systems and controls to identify, or make follow-up enquiries about, customer transactions which exhibit major or common red flags indicating potentially suspicious transactions for timely evaluation;
(b) failure to review business relationships which have been reported to the Joint Financial Intelligence Unit and to take appropriate risk mitigating measures.
LCs and AEs are also encouraged to consider any applicable good practices in Appendix 2 in devising their AML/CFT measures and controls.
The SFC will continue to monitor LCs’ and AEs’ compliance with their AML/CFT obligations and provide guidance to assist them in enhancing their AML/CFT policies, procedures and controls. The SFC will not hesitate to take regulatory action, including bringing enforcement proceedings against firms and their senior management, for failures to put in place proper AML/CFT measures and controls to comply with the legal and regulatory requirements.
Should you have any queries regarding the contents of this circular, please contact Ms Kammy Kwok at 2231 1455.
Intermediaries Supervision Department
Securities and Futures Commission