Amendments to the AMLO
On 16 December 2022, the Securities and Futures Commission (SFC) issued a circular (link) announcing that the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022 (Amendment Ordinance) had been gazetted (link).
In this article, we summarise the key changes relating to customer due diligence (CDD) measures which are particularly relevant to the securities industry. These changes were made in response to the technical issues identified in the Mutual Evaluation report on Hong Kong by the Financial Action Task Force (FATF) and other FATF standards and will come into effect on 1 June 2023.
Definition of a Politically Exposed Person (PEP)
The definition of a PEP is amended to mean an individual who is or has been entrusted with a prominent public function in a place outside Hong Kong. As a result, the special requirements relating to a PEP in section 10 of Schedule 2 to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) apply not only to a PEP from a place outside the People’s Republic of China but also to a PEP from outside Hong Kong. Note that the Amendment Ordinance (and the AMLO) only refers to foreign PEPs whereas the current SFC AML Guideline covers domestic PEPs and international organization PEPs which involve different requirements.
A new term “former politically exposed person” has been added in section 1 of Part 1 of Schedule 2 to the AMLO (former PEP). This new term, together with the related amendments discussed below, allows licensees to be exempted from applying all the special requirements / additional measures in relation to a former PEP provided that they have done an appropriate risk assessment and concluded that such former PEP does not present a high risk of money laundering or terrorist financing (risk-sensitive approach).
A risk-sensitive approach is currently not possible for any of the situations below, but note the underlined changes which will apply after the amendments take effect:
(a) onboarding a customer or its beneficial owner who is or has been a PEP (section 10(1) of Sch. 2 of the AMLO mandates special requirements to be undertaken; from 1 June 2023 section 10(3) permits a risk-sensitive approach);
(b) an existing customer or its beneficial owner who is or has become a PEP (section 10(2) of Sch. 2 of the AMLO mandates special requirements to be undertaken; from 1 June 2023 section 10(3) permits a risk-based approach); and
(c) during ongoing monitoring an existing customer or its beneficial owner who is a PEP (section 5(3)(b) mandates additional measures to be taken and does not allow a risk-sensitive approach; from 1 June 2023 section 5(5) permits a risk-sensitive approach).
Recognised digital identification system
A new term “recognised digital identification system” has been added in section 1 of Part 1 of Schedule 2 to the AMLO (Recognised System).
The relevant consultation paper and conclusions do not expand on how this will work in practice and do not provide any examples of a Recognised System. Asset managers should watch this space closely because once the amendments are implemented, the current mandatory additional requirements for non-face-to-face onboarding of a customer can only be waived if the onboarding CDD measures are conducted based on data and information provided by a Recognised System.
The SFC may give guidance as to what systems will be considered as being “recognised”. See the definition extracted below. For example, the iAM Smart application may qualify because the SFC refers to it as an example of non-face-to-face onboarding using a digital identification system recognised by the relevant authority in Question 15(c) of Section A12 of the revised BRMQ for licensed corporations.
“recognised digital identification system means – in relation to a financial institution […], a digital identification system that is a reliable and independent source that is recognised by the relevant authority”
Compliance challenges during non-face-to-face onboarding of corporate clients
When onboarding corporate investors, the majority of cases are likely to be non-face-to-face (NFTF) because the employee of the licensed entity is unlikely to be physically present to witness the representative sign the account opening documents. The SFC AML FAQ #7 discusses this (link).
For further information, you can go to the SFC’s “Acceptable account opening approaches” dedicated webpage here, and specifically, see paragraph 5.1 of the SFC’s Code of Conduct.
Challenges arise when dealing with a Corporate Professional Investor (CPI) that does not give consent to waive investor protections including suitability obligations or does not pass the relevant CPI assessment, because other related KYC obligations will apply in addition to AMLO’s CDD requirements (such as the NFTF requirements discussed above). The KYC requirements overlap with the CDD requirements.
Examples of KYC requirements under the Code of Conduct include the obligation to provide the above CPI with relevant risk disclosure statements and the employee signing a declaration that they provided the statements and explained the risks to the investor.
In a case reported on 15 December 2022, a licensed representative falsely declared that she had met with the representatives of three corporate clients in person, witnessed their signatures, and provided them with risk disclosure statements. This misled her firm into treating such onboarding as having been carried out “face-to-face” and the respective clients were at risk of having their accounts operated without their authorisation. Following SFC disciplinary action, the licensed representative was suspended for ten months.
In this case, this breach could have been avoided by adopting a simple approach: using a qualified certifier such as a licensed individual of an affiliate which is a regulated financial institution or a lawyer (see paragraph 1 “Certified by other persons” at the dedicated webpage) to verify the identity and sign as a witness.
In the statement of disciplinary action, the SFC referred to the provisions in the Code of Conduct but not the overlapping requirements to verify the client’s true identity in the AMLO and the AML Guideline (see 4.10). In practice, however, licensed firms need to comply with both the NFTF requirement of the Code of Conduct and the AMLO and the AML Guideline (see 4.10.5 at this link).
Is your compliance manual up-to-date?
The SFC continues to conduct routine inspections of licensed entities. Over the last three years a significant number of routine inspections have been undertaken remotely but we are beginning to see the return of onsite inspections. According to the SFC Annual Report 2021-2022, the SFC conducted 883 inspections over the past three years.
During the year from 1 April 2021 to 31 March 2022, the SFC carried out 262 routine inspections (as disclosed in the “Intermediaries” section of the SFC Annual Report 2021-2022 (link)).
Based on our experience of assisting asset managers to prepare for SFC inspections, we have highlighted below a number of areas which we often find require updating in compliance manuals and which you should revisit going into 2023:
- Complaints handling policies and procedures (for example, must acknowledge a complaint within 7 days and issue a final response within 2 months)
- Climate-related risks
- House bank account and client bank accounts (if applicable)
- Annual review of business contingency plan
- Institutional Risk Assessment (at least once every two years)
- Customer Risk Assessment
- Ongoing review of customers (at least annual review of customers classified as high risk)
- Prevention of financing of proliferation of weapons of mass destruction
- Notification to the SFC in connection with internal investigation of licensed representative before or after departure
- Conduct requirements relating to complex products
- New Suitability FAQs
- Disclosure of benefits relating to discretionary segregated accounts
Finally, licensees should also consider the new AMLO amendments when updating their compliance manuals.
The SFC has posted materials of AML webinars
The SFC has posted the following webinar materials and licensees are encouraged to download them for reference and internal training purposes (see SFC circular of 15 December 2022 here).
- Anti-Money Laundering and Counter-Financing of Terrorism Webinar 2022 by the SFC (link)
  - The SFC covers the HK Risk Assessment of July 2022, update on major AML regulatory developments and related inspection findings.
  - The inspection findings relate to third party fund transfers across online brokerage, distribution and advisory services.
- Proliferation Financing: Risk Assessment and Mitigation by the Commerce and Economic Development Bureau (link)
  - It provides useful general guidance on the level of proliferation financing risk to which Hong Kong is exposed.
- Suspicious Transaction Reporting by the Financial Intelligence and Investigation Bureau (link)
  - Its content includes an overview of the reporting obligations as well as case studies relating to insider dealing and market manipulation.
  - It also gives guidance on how to make a suspicious transaction report to the Joint Financial Intelligence Unit.
Revised Business and Risk Management Questionnaire (BRMQ)
On 23 December 2022, the SFC issued a circular (link) informing licensees of revisions to the BRMQ. The SFC has amended the BRMQ to collect additional information on a variety of functions and business activities to enhance the effectiveness of the SFC’s risk-based supervision.
- Business and Risk Management Questionnaire for Licensed Corporation (Annex 1 of the above circular and click here)
(The additional content is underlined in the revised versions.)
For example, many new questions have been included in Section A12 (page 48 to 79) to collect more client and transaction data to help identify and analyse the money laundering and terrorist financing risk exposures of licensees. In the AML section of the revised BRMQ for Licensed Corporation, there are 35 questions (currently 15 questions); and 15 sub-sections (currently 8 sections). Examples of new areas include institutional risk assessment, independent review of AML systems, outsourcing of CDD measures and staff integrity.
Licensees should familiarise themselves with the revised BRMQ, which needs to be completed in relation to financial years ending on or after 30 November 2023.