AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

The Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (AMLO) sets out the overall AML framework in Hong Kong and covers two types of institutions – financial institutions and designated non-financial businesses and professions.

The regulatory authority or body responsible for enforcement of AMLO will vary depending on the nature of the regulated institution, as follows:

  • in relation to an authorised institution under the Banking Ordinance or a stored value facility licensee: the Hong Kong Monetary Authority (HKMA);
  • in relation to a licensed corporation under the Securities and Futures Ordinance: the Securities and Futures Commission (SFC);
  • in relation to an authorised insurer, appointed insurance agent or authorised insurance broker: the Insurance Authority;
  • in relation to a licensed money service operator or to the Postmaster General: the Commissioner of Customs;
  • in relation to a trust and company services provider licensee: the Registrar of Companies;
  • in relation to an accounting professional: the Hong Kong Institute of Certified Public Accountants;
  • in relation to an estate agent: the Estate Agents Authority; and
  • in relation to a legal professional: the Law Society.

AMLO provides for powers to conduct routine inspections in relation to complying with applicable obligations.

Covered institutions and persons

Which institutions and persons must have AML measures in place?

AMLO covers the following institutions and persons:

  • authorised institutions under the Banking Ordinance (Chapter 155);
  • licensed corporations under the Securities and Futures Ordinance (Chapter 571);
  • money service operators under AMLO;
  • authorised insurers, appointed insurance agents and authorised insurance brokers under the Insurance Ordinance (Chapter 41);
  • the Postmaster General of Hong Kong;
  • persons licensed by the HKMA under the Payment Systems and Stored Value Facilities Ordinance (Chapter 584); and
  • each of the designated non-financial businesses and professions, including solicitors, accountants, real estate agents and trust and company service providers.

Compliance

Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

AMLO imposes on covered institutions a number of obligations contained in its Schedule 2, supplemented by industry-specific guidelines. Covered institutions are required to undertake an institutional risk assessment and then develop and implement policies, procedures and controls relating to:

  • customer due diligence (CDD) measures;
  • ongoing monitoring of customers;
  • suspicious transactions reporting;
  • record-keeping; and
  • staff training.

As part of the CDD measures, covered institutions are required to identify customers and verify their identities using reliable documents, data or information from an independent source. Another important element is sanctions and designated party screening. Covered institutions should maintain an updated database of names and particulars of terrorist suspects and designated parties.

In addition, appropriate compliance management arrangements, such as oversight by senior management and appointment of a compliance officer and money laundering reporting officer, are also required.

On 18 September 2020, the SFC launched a three-month consultation on a range of proposed changes to its Guidelines on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) and the Prevention of Money Laundering and Terrorist Financing Guidelines issued by the SFC for Associated Entities.  

The SFC’s proposed changes include measures to incorporate various aspects of the securities sector guidance published by the Financial Action Task Force (FATF) in October 2018, including through enhanced requirements in relation to institutional risk assessments, mitigation of risks associated with cross-border correspondent (and similar) relationships, and further guidance in relation to simplified and enhanced CDD processes.

At the time of writing, the new SFC guidelines have not entered into force. Covered institutions would be well advised to plan ahead by considering the impact of the proposed guidelines and revising AML/CTF compliance policies and procedures accordingly.

Although industry-specific guidelines impose requirements to have in place suspicious transaction reporting processes, the obligation to report such suspicious transactions is provided for under the Organised and Serious Crimes Ordinance (OSCO), Drug Trafficking (Recovery of Proceeds) Ordinance (DTROPO) and United Nations (Anti-Terrorism Measures) Ordinance (UNATMO) rather than AMLO, which only provides for an obligation to monitor.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

Relevant authorities can take disciplinary action for breach of one of a number of Schedule 2 requirements by a covered institution.

Failure to comply with AML requirements under AMLO may amount to a criminal offence. Examples are as follows.

  • A financial institution commits an offence if it contravenes a specified provision in Schedule 2 to AMLO either knowingly or with intent to defraud any relevant authority. The maximum penalty for this offence is a fine of HK$1 million and seven years’ imprisonment.
  • An employee, or a person who is concerned in the management of a financial institution, commits an offence if he or she (1) knowingly causes or knowingly permits the financial institution to contravene a specified provision; or (2) causes or permits such a contravention with intent to defraud the financial institution or any relevant authority. The maximum penalty for (1) is a fine of HK$1 million and two years’ imprisonment; and that for (2) is a fine of HK$1 million and seven years’ imprisonment.
  • A failure to comply with a provision in any guideline published by a relevant authority or body does not by itself render the person liable to any judicial or other proceedings; however, in any proceedings under AMLO before any court, the guideline will be admissible in evidence. If any provision set out in the guideline appears to the court to be relevant to any question arising in the proceedings, the provision must be taken into account in determining that question.
  • Tipping off (ie, disclosing to any person any matter that is likely to prejudice an investigation into that matter) is a criminal offence under sections 25A of DTROPO and OSCO and section 12 of UNATMO. The maximum penalty for the offence is imprisonment for a term of three years and a fine of HK$500,000. Tipping off includes circumstances where a suspicion has been raised internally within the covered institution but has not been reported to the Joint Financial Intelligence Unit (JFIU). However, making enquiries to customers will not constitute tipping off when conducted properly and in good faith. If the covered institution has reasons to believe that performing CDD measures will tip off the particular customer, it may stop pursuing the process and file a suspicious transaction report (STR) to the JFIU.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

Covered institutions are required to carry out CDD prior to entering into a business relationship with a customer. This process will include a risk assessment of the customer. The specific measures that must be applied will depend on the type of covered institution, the type of customer being onboarded and the outcome of the risk assessment of that customer. Enhanced due diligence obligations will attach where a customer is considered high risk. A process for simplified due diligence is also available in particular situations.

The main requirements for CDD are:

  • to identify and verify the customer’s identity;
  • where applicable, to identify and verify the beneficial owner’s identity;
  • to obtain information on the purpose and intended nature of the business relationship; and
  • if a person purports to act on behalf of the customer, to identify and verify the agent’s identity and verify its authority to act.

Schedule 2 of AMLO defines what constitutes beneficial ownership. In respect of a company, a beneficial owner is an individual who owns or controls, directly or indirectly, more than 25 per cent of the shares or voting rights of the company, or exercises ultimate control of the management of the company (Schedule 2, section 1).

Verification of identity must take place by reference to information provided by a reliable and independent source, such as a government body or a relevant authority.

A covered institution must continuously monitor any existing business relationship by:

  • reviewing and ensuring the documents and information of the customer are up to date;
  • conducting appropriate scrutiny of transactions carried out for the customer; and
  • identifying transactions that are complex, unusually large or of an unusual pattern that have no apparent economic purposes.

High-risk categories of customers, business partners and transactions

Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified?

Covered institutions should adopt a risk-based approach in determining the extent of customer due diligence measures and ongoing monitoring. An effective risk-based approach should involve the identification and categorisation of money laundering or terrorist financing (ML/TF) risks at the customer level, and the establishment of reasonable measures that allow effective management of the identified risks.

There are certain business relationships that may carry higher ML/TF risks. This includes customers with residence in or a connection with high-risk jurisdictions, and those with a public profile indicating involvement with politically exposed persons (PEPs). Where there is a high ML/TF risk involving PEPs, a covered institution should:

  • obtain approval of senior management to commence or continue the relationship;
  • take reasonable measures to establish the relevant customer’s or beneficial owner’s source of wealth and funds; and
  • conduct enhanced ongoing monitoring on that business relationship.

Special requirements are imposed for correspondent banking relationships, and relationships with shell banks are prohibited under AMLO. Otherwise, particular scenarios are generally addressed in the regulatory-specific guidelines or through specific circulars addressing those issues.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.

Covered institutions are required to retain records relating to CDD and customer transactions, such as the information obtained in the course of identifying a customer and verifying its identity. These records should be kept for at least five years after the end of the particular business relationship. Likewise, for wire transfers equal to or exceeding HK$8,000 and any other transactions equal to or exceeding HK$120,000, all relevant records should be kept for at least five years after the date of the occasional transfer (Schedule 2, section 20).

In relation to reporting requirements, it is a statutory obligation under sections 25A(1) of DTROPO and OSCO and section 12(1) of UNATMO to disclose where a person knows or suspects that any property represents proceeds of an indictable offence, drug trafficking or terrorist activities. The person must, as soon as it is reasonable for him or her to do so, file an STR with the JFIU. A failure to report knowledge or suspicion carries a maximum penalty of imprisonment for three months and a fine of HK$50,000. Examples of situations that may give rise to suspicion include transactions that involve unnecessary complexity, and those that do not appear to have a commercial rationale and legitimate purpose.

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The Personal Data (Privacy) Ordinance (Chapter 486) sets out six data protection principles (DPPs) that a data user should comply with unless exempted. Of particular relevance in the context of ML/TF compliance are:

  • DPP1, which regulates the collection of personal data;
  • DPP2, which requires, among other things, that personal data is not kept longer than is necessary;
  • DPP3, which prohibits the use, disclosure and transfer of personal data for any purpose other than the purpose for which the data was collected, or a directly related purpose, unless the data subject has expressly and voluntarily consented to it. The personal data in question may be exempted, for instance, where complying with the requirements under DPP3 would be likely to prejudice the prevention or detection of crime, or where the use, disclosure or transfer is required by a court order; and
  • DPP6, which provides for a data subject’s right to access his or her personal data. In circumstances where a covered institution has a suspicion relating to a customer, an exemption (for prevention or detection of crime) will apply.

Sharing of information among covered institutions is challenging. The Fraud and Money Laundering Intelligence Taskforce, a public–private intelligence sharing mechanism led by the Hong Kong Police Force and involving the HKMA and the banking industry, was launched in May 2017. It aims to improve the collective understanding of current and emerging fraud and money laundering threats, thereby enhancing the detection, prevention and disruption of fraud, money laundering and other financial crimes.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

Under AMLO, if a person who is working for a covered institution knowingly contravenes a specified provision of AMLO, he or she is liable to a maximum term of imprisonment of two years and a fine of HK$1 million. If that person does so with the intent to defraud the covered institution or any relevant authority, he or she is liable to a maximum term of imprisonment of seven years and a fine of HK$1 million. These criminal actions are generally resolved and settled through the judicial process.

In addition, relevant authorities have the power to take disciplinary actions against covered institutions. These actions include:

  • public reprimands;
  • orders to take remedial actions; and
  • orders to pay pecuniary penalties. The penalty for each contravention is up to HK$10 million or three times the amount of profit gained or the costs avoided as a result of the contravention.

In recent years, the SFC and the HKMA have levied fines in the millions of dollars through agreed enforcement outcomes that have also regularly contained requirements to appoint independent experts to assist with remediation.

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

There is no limitation period under OSCO or DTROPO. There are no formal time limits for the commencement of a prosecution for an indictable offence.

Under AMLO, the limitation period for offences other than an indictable offence is 12 months from when the offence is discovered.

Extraterritoriality

Do your jurisdiction’s AML laws have extraterritorial reach?

The offence of dealing with property applies only to dealings in Hong Kong; however, the laws apply to both citizens and non-citizens, and the predicate offence can be conduct that takes place outside Hong Kong.

In relation to AML obligations applicable to financial institutions, Hong Kong-incorporated institutions with overseas branches or subsidiary undertakings that carry on the same business are required to implement group-wide ML/TF systems to apply the requirements set out in the relevant guideline to all their overseas branches and subsidiary undertakings in their financial group, wherever relevant.

The AML obligations under AMLO apply to certain institutions regardless of whether they are part of a foreign group, namely:

  • authorised institutions under the Banking Ordinance;
  • licensed corporations under the Securities and Futures Ordinance;
  • money service operators under AMLO;
  • authorised insurers, appointed insurance agents and authorised insurance brokers under the Insurance Ordinance;
  • the Postmaster General of Hong Kong;
  • persons licensed by the HKMA under the Payment Systems and Stored Value Facilities Ordinance; and
  • each of the designated non-financial businesses and professions, including solicitors, accountants, real estate agents and trust and company service providers.

Law stated date

Correct on

Give the date on which the above information is accurate

1 May 2020.