AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce your jurisdiction’s AML regime and regulate covered institutions and persons? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

AMLO sets out the overall AML framework in Hong Kong, and covers two types of institutions - financial institutions and designated non-financial businesses and professions.

The regulatory authority or body responsible for enforcement of AMLO will vary depending on the nature of the regulated institution, as follows:

  • in relation to an authorised institution under the Banking Ordinance or a stored value facility licensee - the HKMA;
  • in relation to a licensed corporation under the Securities and Futures Ordinance - the SFC;
  • in relation to an authorised insurer, appointed insurance agent or authorised insurance broker - the Insurance Authority;
  • in relation to a licensed money service operator or to the Postmaster General - the Commissioner of Customs and Excise;
  • in relation to a trust and company services provider licensee - the Registrar of Companies;
  • in relation to an accounting professional - the Hong Kong Institute of Certified Public Accountants;
  • in relation to an estate agent - the Estate Agents Authority; and
  • in relation to a legal professional - the Law Society.

AMLO gives the relevant authorities powers to conduct routine inspections of covered institutions' compliance with their applicable obligations.

Covered institutions and persons

Which institutions and persons must carry out AML measures?

AMLO covers the following institutions and persons:

  • authorised institutions under the Banking Ordinance;
  • licensed corporations under the Securities and Futures Ordinance;
  • money service operators under AMLO;
  • authorised insurers, appointed insurance agents, authorised insurance brokers under the Insurance Ordinance;
  • the Postmaster General of Hong Kong;
  • persons licensed by the HKMA under the Payment Systems and Stored Value Facilities Ordinance; and
  • each of the designated non-financial businesses and professions, including solicitors, accountants, real estate agents and trust and company service providers.

Do the AML laws in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

AMLO imposes on covered institutions a number of obligations contained in its Schedule 2, supplemented by industry-specific guidelines. Covered institutions are required to undertake an institutional risk assessment and then develop and implement policies, procedures and controls relating to:

  • customer due diligence (CDD) measures;
  • ongoing monitoring of customers;
  • suspicious transactions reporting;
  • record-keeping; and
  • staff training.

As part of the CDD measures, covered institutions are required to identify customers and verify their identities using reliable documents, data or information from an independent source. Another important element is sanctions and designated party screening. Covered institutions should maintain an updated database of names and particulars of terrorist suspects and designated parties.

In addition, appropriate compliance management arrangements are required, such as oversight by senior management and the appointment of a compliance officer and a money laundering reporting officer.

It should be noted that, although industry-specific guidelines require covered institutions to have suspicious transaction reporting processes in place, the obligation to report suspicious transactions arises under OSCO, DTROPO and UNATMO rather than AMLO, which only provides for an obligation to monitor.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

Relevant authorities can take disciplinary action against a covered institution for breach of any of a number of Schedule 2 requirements.

Failure to comply with AML requirements under AMLO may amount to a criminal offence. For example:

  • A financial institution commits an offence if it contravenes a specified provision in Schedule 2 to AMLO either knowingly or with intent to defraud any relevant authority. The maximum penalty for this offence is a fine of HK$1 million and seven years’ imprisonment.
  • An employee, or a person who is concerned in the management of a financial institution, commits an offence if he or she (i) knowingly causes or knowingly permits the financial institution to contravene a specified provision; or (ii) causes or permits such a contravention with intent to defraud the financial institution or any relevant authority. The maximum penalty for (i) is a fine of HK$1 million and two years’ imprisonment; and for (ii) is a fine of HK$1 million and seven years’ imprisonment.
  • A failure to comply with a provision in any guideline published by a relevant authority or body does not by itself render the person liable to any judicial or other proceedings but, in any proceedings under AMLO before any court, the guideline will be admissible in evidence. If any provision set out in the guideline appears to the court to be relevant to any question arising in the proceedings, the provision must be taken into account in determining that question.
  • Tipping-off (ie, disclosing to any person any matter that is likely to prejudice an investigation into that matter) is a criminal offence under section 25A of each of DTROPO and OSCO and section 12 of UNATMO. The maximum penalty for the offence is imprisonment for a term of three years and a fine of HK$500,000. Tipping-off includes circumstances where a suspicion has been raised internally within the covered institution but has not yet been reported to the JFIU. However, making enquiries of customers will not constitute tipping-off when conducted properly and in good faith. If the covered institution has reason to believe that performing CDD measures will tip off the particular customer, it may stop pursuing the process and file an STR with the JFIU.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

Covered institutions are required to carry out CDD prior to entering into a business relationship with a customer. This process will include a risk assessment of the customer. The specific measures that must be applied will depend on the type of covered institution, the type of customer being on-boarded and the outcome of the risk assessment of that customer. Enhanced due diligence obligations will attach where a customer is considered high risk. A process for simplified due diligence is also available in particular situations.

The main requirements for customer due diligence are:

  • identify and verify the customer’s identity;
  • where applicable, identify and verify the beneficial owner’s identity;
  • obtain information on the purpose and intended nature of the business relationship; and
  • if a person purports to act on behalf of the customer, identify and verify the agent’s identity and verify their authority to act.

Schedule 2 of AMLO defines what constitutes beneficial ownership. In respect of a company, a beneficial owner is an individual who owns or controls, directly or indirectly, more than 25 per cent of the shares or voting rights of the company, or exercises ultimate control of the management of the company (Schedule 2, section 1).

Verification of identity must take place by reference to information provided by a reliable and independent source, such as a governmental body or a relevant authority.

A covered institution must continuously monitor any existing business relationship by:

  • reviewing and ensuring documents and information of the customer are up to date;
  • conducting appropriate scrutiny of transactions carried out for the customer; and
  • identifying transactions that are complex, unusually large or of an unusual pattern and that have no apparent economic purpose.

High-risk categories of customers, business partners and transactions

Do your jurisdiction’s AML rules require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified?

Covered institutions should adopt a risk-based approach in determining the extent of customer due diligence measures and ongoing monitoring. An effective risk-based approach involves identifying and categorising money laundering or terrorist financing (ML/TF) risks at the customer level and establishing reasonable measures that allow the identified risks to be managed effectively.

Certain business relationships may carry higher ML/TF risks. These include customers resident in or connected with high-risk jurisdictions, and customers who are, or are connected with, politically exposed persons (PEPs). Where there is high ML/TF risk involving PEPs, a covered institution should:

  • obtain approval of senior management to commence or continue the relationship;
  • take reasonable measures to establish the relevant customer’s or beneficial owner’s source of wealth and funds; and
  • conduct enhanced ongoing monitoring on that business relationship.

Special requirements are imposed for correspondent banking relationships, and relationships with shell banks are prohibited under AMLO. Otherwise, particular scenarios are generally addressed in the regulator-specific guidelines or through specific circulars addressing those issues.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

Covered institutions are required to retain records relating to customer due diligence and customer transactions, such as the information obtained in the course of identifying a customer and verifying its identity. These records should be kept for at least five years after the end of the particular business relationship. Likewise, for occasional transactions that are wire transfers equal to or exceeding HK$8,000, or any other occasional transactions equal to or exceeding HK$120,000, all relevant records should be kept for at least five years after the date of the transaction (Schedule 2, section 20).

In relation to reporting requirements, it is a statutory obligation under section 25A(1) of each of DTROPO and OSCO, and section 12(1) of UNATMO, to make a disclosure where a person knows or suspects that any property represents the proceeds of an indictable offence, drug trafficking or terrorist activities. The person must, as soon as it is reasonable for him or her to do so, file an STR with the JFIU. A failure to report knowledge or suspicion carries a maximum penalty of imprisonment for three months and a fine of HK$50,000. Examples of situations that may give rise to suspicion include transactions that involve unnecessary complexity and those that do not appear to have a commercial rationale or legitimate purpose.

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The Personal Data (Privacy) Ordinance sets out six data protection principles (DPPs) that a data user should comply with unless exempted. Of particular relevance in the context of ML/TF compliance are:

  • DPP1, which regulates the collection of personal data;
  • DPP2, which requires, among other things, that personal data is not kept longer than is necessary;
  • DPP3, which prohibits the use, disclosure and transfer of personal data for any purpose other than the purpose for which the data was collected, or a directly related purpose, unless the data subject has expressly and voluntarily consented to it. The personal data in question may be exempted, for instance, where complying with DPP3 would be likely to prejudice the prevention or detection of crime, or where the use, disclosure or transfer is required by a court order; and
  • DPP6, which provides for a data subject's right to access his or her personal data. In circumstances where a covered institution has a suspicion relating to a customer, an exemption (for the prevention or detection of crime) will apply.

Sharing of information among covered institutions is challenging. The Fraud and Money Laundering Intelligence Taskforce, a public-private intelligence sharing mechanism led by the police and involving the HKMA and the banking industry, was launched in May 2017. It aims to improve the collective understanding of current and emerging fraud and ML threats, and thereby to enhance the detection, prevention and disruption of fraud, ML and other financial crimes.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

Under AMLO, if a person who is working for a covered institution knowingly contravenes a specified provision of AMLO, he or she is liable to a maximum term of imprisonment of two years and a fine of HK$1 million. If that person does so with the intent to defraud the covered institution or any relevant authority, he or she is liable to a maximum term of imprisonment of seven years and a fine of HK$1 million. These criminal actions are generally resolved and settled through the judicial process.

In addition, relevant authorities have the power to take disciplinary actions against covered institutions. These actions include:

  • public reprimands;
  • orders to take remedial actions; and
  • orders to pay pecuniary penalty. The penalty for each contravention is up to HK$10 million or three times the amount of profit gained or costs avoided as a result of the contravention.

In recent years, the SFC and the HKMA have levied fines in the millions of dollars through agreed enforcement outcomes, which have also regularly included requirements to appoint independent experts to assist with remediation.

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

See question 11.
Do your jurisdiction’s AML laws have extraterritorial reach?

See question 12.

In relation to AML obligations applicable to financial institutions, Hong Kong incorporated institutions with overseas branches or subsidiary undertakings that carry on the same business are required to implement group-wide ML/TF systems that apply the requirements set out in the relevant guideline to all of their overseas branches and subsidiary undertakings in the financial group, wherever relevant.

The AML obligations under AMLO apply to those institutions specified in question 14 regardless of whether they are part of a foreign group.