AML is on the SFC’s enforcement and inspection radars
The SFC issued a press release on 21 September 2016 in connection with investigating a number of cases with suspected inadequate AML internal controls and it expects to take some enforcement action.
The press release also listed the following AML issues identified by the SFC:
- failure to scrutinise cash and third party deposits into customer accounts
- ineffective monitoring of transactions in customer accounts
- failure to take adequate measures to continuously monitor business relationships with customers which present a higher risk of money laundering
- inadequate enquiries made to assess potentially suspicious transactions to determine whether or not it is necessary to make a report to the Joint Financial Intelligence Unit, and lack of documentation of the assessment results
- failure to monitor and supervise the ongoing implementation of AML and counter-terrorist financing policies and procedures
As mentioned in our previous newsletters, this type of press release often signals an intensification of focus by the SFC.
Based on the press release, the SFC expects licensed companies to already have enhanced their internal AML controls since the AML and Counter-Terrorist Financing (Financial Institutions) Ordinance and the SFC Guideline on AML and Counter-Terrorist Financing came into effect in 2012.
The SFC’s website has a section on AML which contains various training materials and an AML/CFT self-assessment checklist to assist licensed corporations to assess their compliance with key AML / CFT requirements.
What else is on the SFC inspection radar?
In our August newsletter we talked about Mr Ashley Alder, Chief Executive Officer at the HK SFC, mentioning that cybersecurity will remain a major focus of regulatory inspections. The SFC issued a circular on 13 October 2016 announcing that it will start a cybersecurity review on brokers. The review consists of three components: (i) issuing questionnaires to brokers on cybersecurity features of their systems, (ii) in-depth on-site inspection reviews, and (iii) comparing the SFC regulatory requirements and market practices in Hong Kong against other major markets. The circular also gives examples of good practices the SFC has observed. Licensed companies should take this as a reminder to assess their own cybersecurity risks and to enhance their control.
We are now in the final quarter of 2016 which means licensed individuals have less than three months to comply with their annual CPT requirement. It is worthwhile doing a CPT stock-take on all licensed individuals. If your company has licensed individuals who still need to get annual CPT hours for this year, you should remind them to take action soon. If your company has individuals who need to take additional CPT hours to comply with conditional exemptions from taking licensing exams, this may also be a good time to check how many CPT hours they still need to collect.