The Securities and Futures Commission (SFC) issued a circular on 31 August 2018 highlighting both deficiencies and good practices observed in relation to anti-money laundering and counter financing of terrorism (AML/CFT) compliance by licensed corporations (LCs) and associated entities (AEs). The observations were made over the past year from the SFC's review of AML/CFT measures, policies, procedures and controls (AML/CFT systems) belonging to 13 LCs during thematic inspections and around 270 LCs during routine inspections. This follows on from the SFC's circular issued on 26 January 2017, setting out its observations relating to AML/CFT compliance from inspections conducted in 2016 (see our earlier bulletin here).
The SFC reminded LCs and AEs that they are required to critically review their AML/CFT systems in light of the circular and take immediate action to rectify any deficiencies. In particular, the SFC focused on the following five main areas and reiterated its requirements:
1. Institutional risk assessment (IRA)
When carried out properly, an IRA should assist the senior management of LCs in their assessment of inherent AML/CFT risks that the LCs' business lines might be exposed to, such that adequate and appropriate AML/CFT systems can be put in place to mitigate these risks where necessary.
2. Customer risk assessment (CRA)
LCs should ensure that members of staff have sufficient guidance on how to conduct CRAs properly and have in place adequate procedural and supervisory safeguards to ensure that CRAs are conducted in compliance with the regulatory requirements and the LCs' policies.
3. Initial and ongoing customer due diligence (CDD)
LCs should have in place adequate initial CDD measures that identify and verify the identities of all beneficial owners of customers and include such beneficial owners in the politically exposed person screening process.
In respect of existing customers, LCs should have ongoing CDD measures ensuring that periodic reviews of the profiles of high-risk customers are carried out at least annually and in accordance with the frequency stipulated in the LCs' policies and procedures.
4. Sanctions screening systems and mechanisms
LCs should implement effective sanctions screening systems and mechanisms that include ongoing screening of existing customers against new or updated terrorist and sanctions designations.
Effective documentation of the justifications for disposing of potential name matches is equally important for demonstrating that the potential name matches have been handled properly.
5. Suspicious transactions monitoring and reporting
LCs should have adequate AML/CFT systems to identify, or make follow-up enquiries about, potentially suspicious customer transactions for timely evaluation.
Where business relationships have been reported to the Joint Financial Intelligence Unit, LCs should have adequate AML/CFT systems to monitor the same such that risk mitigation measures may be taken where appropriate.
The SFC has indicated that it will continue to monitor and provide guidance to LCs and AEs in relation to AML/CFT compliance, and will not hesitate to take regulatory action (including bringing enforcement proceedings against firms and their senior management) for failures to put in place proper AML/CFT systems to comply with legal and regulatory requirements.
The circular comes against the backdrop of an impending mutual evaluation of Hong Kong by the Financial Action Task Force due to commence in October this year. Aside from legislative reforms by the government to enhance Hong Kong's AML/CFT regulatory framework, the SFC and the Hong Kong Monetary Authority have taken numerous AML/CFT-related enforcement actions in the past 18 months. The SFC is also considering comments on its consultation on proposed enhancements to its AML/CFT guidelines, and aims to implement the revised guidelines on 1 November 2018 (see our bulletin of 16 July 2018).
LCs should conduct a review of their AML/CFT systems against the deficiencies highlighted by the SFC and take immediate remediation action where necessary. In our view, a sensible starting point would be to consider whether any of the good practices highlighted and thereby endorsed by the SFC can be adopted in the process.