Updated: May 24
Corporations licensed by the Securities and Futures Commission (SFC) are not only required by regulation to have adequate AML policies, they may also need to be able to provide these to a foreign financial institution if they are conducting customer due diligence measures for the foreign financial institution for example a Cayman fund manager.
We highlight in this article five key areas that an AML policy should cover.
Business Risk Management Questionnaire (BRMQ)
Many of the questions in the BRMQ (for AML see Section A12) are hypothetical but what the SFC wants to know is whether the firm has policies and procedures so that in the event of these things occurring, staff would be required to take appropriate steps. Firms need to make sure therefore that their policies and procedures provide adequately for these matters. In relation to AML, this means ensuring that the AML policy (or procedures):
requires that enhanced customer due diligence measures be taken in the event that the firm takes on a high risk client (Q3 Part II) and distinguish in this regard between the steps required for (Q1(a) Part I):
foreign politically exposed persons (PEPs) and
domestic PEPs and International organisation PEPs
(unless the policy prohibits all high risk customers)
includes one or more of the permissible means of verifying a customer’s identity in the event that the take-on process is done remotely (unless the policy prohibits “non-face-to-face” clients) (Q4 Part II)
mandates transaction monitoring (Q5 and Q6 Part III) – even if the firm only does fund raising (although the frequency and intensity can be designed on a risk-based approach relevant to the business scope)
has processes for reporting suspicious transactions (Q7 Part IV) – even if the firm has never identified a suspicious transactions and name screening (Q8 and Q9 Part V)
SFC circular on third-party payments and deposits
The SFC has repeatedly emphasised its concerns about the high ML/TF risk where third-party payments are made into or from a client account.
On 31 May 2019, the SFC issued a Circular to Licensed Corporations and Associated Entities - Third-party Deposits and Payments in which it explained that recent enforcement actions had shown that firms’ policies and procedures relating to third-party payments and deposits were often deficient. The SFC also pointed out that the AML policy should be specifically approved by the Manager-In-Charge of AML/CFT (AML MIC) after they have ensured that is sufficient and effective.
AML/CFT self-assessment checklist published by SFC
We recommend AML MICs use this checklist (issued in April 2019) to check whether the firm’s AML policies are sufficient.
SFC circular on inspection findings relating to AML/CFT
On 31 August 2018, the SFC issued a circular in which it discussed the routine inspection (i.e. examination) findings of the Intermediaries Supervision Department in relation to firms’ AML/CFT measures and controls. These deficiencies included:
Institutional Risk Assessment
Customer Risk Assessment
Therefore AML MICs would be well advised to ensure that both of these areas are provided for adequately in their AML policies.
SFC’s AML seminars and training
On 3 December 2019, the SFC published the slides they had used at their November 2019 AML seminars (available here). These provide a comprehensive overview of the major Hong Kong AML regulatory developments and the SFC’s areas of focus. AML MICs should therefore read these carefully and ensure that their AML policies cover all the points highlighted by the SFC. The SFC has also encouraged the industry to use these slides in their internal AML training.
For further information, please contact:
Lavita Pong, Deacons