SFC Consults on Changes to AML and CFT Guidelines for Licensed Corporations

On 18 September 2020, the Securities and Futures Commission (SFC) published a Consultation Paper[1] on proposals to amend its Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (for Licensed Corporations) (AML/CFT Guideline for SFC-Licensed Corporations) and its Prevention of Money Laundering and Terrorist Financing Guideline issued by the Securities and Futures Commission for Associated Entities. The consultation is open until 18 December 2020.

The objectives of the proposed amendments are to:

• align the AML/CTF Guideline for SFC-Licensed Corporations with the Financial Action Task Force’s (FATF) latest standards on anti-money laundering and counter-financing of terrorism (AML/CFT) amplified by the Guidance for a Risk-Based Approach for the Securities Sector published by the FATF in October 2018 (Risk-Based Approach Guidance);[2]

• address some areas for improvement identified in the latest Mutual Evaluation Report of Hong Kong published by FATF on 4 September 2019;

• facilitate the securities industry’s implementation of AML/CFT measures using a risk-based approach; and

• incorporate relevant guidance currently set out in the SFC’s circulars to SFC-licensed corporations and associated entities on AML/CFT standards in areas including institutional risk assessments and third-party deposits and payments and other guidance into the revised guidelines.

1. 1. Proposed amendments to align with FATF standards

   The SFC’s key proposals to update the guidelines are as follows:

   1. Risk assessment

      1. Institutional risk assessment

         As proper institutional risk assessment is identified as the cornerstone of an SFC-licensed corporation’s risk-based approach to AML/CFT, the SFC proposes to formalise the guidance on how SFC-licensed corporations should conduct institutional risk assessments set out in Appendix 1 to the SFC’s Circular on Compliance with AML/CTF Requirements[3] of January 2017 by including it in the AML/CFT Guideline for SFC-Licensed Corporations with no substantive changes.

         The SFC also proposes to incorporate some elaborative guidance drawn from the Risk-Based Approach Guidance into the AML/CFT Guideline for SFC-Licensed Corporations. The Risk-Based Approach Guidance requires securities firms to take a holistic approach towards their institutional risk assessments and consider quantitative and qualitative information obtained from relevant internal and external sources, including risk assessments and guidance issued by the FATF, inter-governmental organisations, governments and authorities from time to time.

         It is also proposed that illustrative examples should be included in the AML/CFT Guideline for SFC-Licensed Corporations to provide guidance on how to approach an institutional risk assessment in a manner that is commensurate with the nature, size and complexity of the business of the SFC-licensed corporation. A list of non-exhaustive illustrative risk indicators associated with risk factors which may indicate higher or lower risks of money laundering or terrorist financing is set out in Appendix A to the revised guideline.

         While SFC-licensed corporations are currently required to keep their institutional risk assessments up-to-date, the SFC proposes to amend the AML/CFT Guideline for SFC-Licensed Corporations to require that the institutional risk assessment should be reviewed at least once every two years or more frequently upon occurrence of trigger events that materially impact an SFC-licensed corporation’s business and risk exposure. Examples of trigger events are the acquisition of a new customer segment, the launch of new products and services, or a significant change in the SFC-licensed corporation’s operational processes.

      2. Risk indicators for institutional and customer risk assessments

         In addition to the institutional risk assessment, SFC-licensed corporations are also required to assess the money laundering and terrorist financing (ML/TF) risks associated with a customer or proposed business relationship so as to apply a risk-sensitive customer due diligence (CDD) programme.

         The SFC proposes to expand the list of risk indicators that SFC-licensed corporations should consider by incorporating the illustrative examples provided in the Risk-Based Approach Guidance into the AML/CFT Guideline for SFC-Licensed Corporations. Expanding the list of risk indicators is aimed at assisting licensed corporations’ risk assessments at an institutional level and customer level, and deepening their appreciation of a larger range of ML/TF risk indicators which may affect the risk profiles of their business activities and customers.

   2. Risk Mitigation

      1. Due diligence for cross-border correspondent relationships

         Financial institutions are required to apply additional due diligence and other risk mitigating measures to cross-border correspondent banking relationships and similar relationships in the securities sector under the Risk-Based Approach Guidance and FATF Recommendation 13.

         The SFC considers it appropriate to apply the cross-border correspondent relationships provisions to transactions in securities, futures contracts as well as leveraged foreign exchange contracts, given that the Risk-Based Approach Guidance applies to instruments within a broad definition of “securities”.

         The cross-border correspondent relationships provisions seek to ensure that potential ML/TF risks stemming from client-driven transactions in a business relationship between a correspondent securities firm and an overseas financial institution conducting business on behalf of customers would be duly assessed and addressed by appropriate risk mitigating measures.

         The SFC also proposes that SFC-licensed corporations should apply certain additional due diligence measures when they establish a cross-border correspondent relationship with an overseas financial institution (proposed paragraph 4.20.5). Since not all cross-border correspondent relationships pose the same level of ML/TF risks, the proposed revised AML/CFT Guideline for SFC-Licensed Corporations sets out relevant risk factors that SFC-licensed corporations should take into account in assessing the extent of additional due diligence measures required (proposed paragraph 4.20.6). These include (among others): the purpose of the cross-border correspondent relationship and the nature and expected volume and value of transactions and the types of underlying customers to be served by the correspondent institution through the correspondent account and whether the underlying customers and their transactions are assessed as high risk by the respondent institution.

         It is also proposed that the revised AML/CFT Guideline for SFC-Licensed Corporations should include more granular guidance on how SFC-licensed corporations can apply the additional due diligence measures in a risk-sensitive manner (paragraphs 4.20.7 to 4.20.11). For example, SFC-licensed corporations may first obtain information for assessing whether the respondent institution has adequate and effective AML/CFT controls in place by way of a due diligence questionnaire. Where it is discovered that the cross-border correspondent relationship presents high risks, a more in-depth review should be conducted, such as a review of independent audit finding, interviews with compliance officers, on-site visits or requests for an ad hoc third-party review.

         For consistency with FATF standards, SFC-licensed corporations are prohibited under the proposed AML/CFT Guideline for SFC-Licensed Corporations from entering into or continuing direct or nested correspondent relationships with a shell financial institution (a financial institution that does not have a physical presence in a jurisdiction where it is incorporated or licensed and where there may not be any management or full-time staff who are appropriately qualified with sufficient AML/CFT knowledge).

      2. Simplified and enhanced measures under a risk-based approach

         The current AML/CFT Guideline for SFC-Licensed Corporations provides some examples of simplified and enhanced measures which SFC-licensed corporations may apply to lower risk and higher risk customers or business relationships. The SFC proposes to expand the list of illustrative examples of possible simplified and enhanced measures with additions that are mainly drawn from the Risk-Based Approach Guidance, to assist licensed corporations in strengthening the risk-based application of CDD and ongoing monitoring measures.

      3. Red-flag indicators of suspicious transactions and activities

         As the ML/TF risks faced by the securities sector have evolved with the introduction of new products, services and transaction methods and new methods of laundering money and financing terrorism, the SFC is proposing to update the list of red-flag indicators for suspicious transactions and activities drawing upon examples in the Risk-Based Approach Guidance where relevant to Hong Kong’s securities sector and the SFC’s supervisory observations.

         However, the SFC reminds SFC-licensed corporations that the list of illustrative red-flag indicators of suspicious transactions and activities in the AML/CFT Guideline for SFC-Licensed Corporations is intended solely as an aid to licensed corporations, and must not be applied as a routine instrument without any analysis or context. In addition, the examples provided are not exhaustive. SFC-licensed corporations should monitor any other relevant red-flag indicators which they consider to be relevant to the risk profiles of their customers and the patterns of their transactions and activities.

      4. Third-party deposits and payments

         The SFC proposes to incorporate the guidance given to SFC-licensed corporations and associated entities in its Circular on Third-Party Deposits and Payments issued on 31 May 2019[4] on the policies, procedures and controls to mitigate the ML/TF risks associated with third-party deposits and payments into a new chapter of the AML/CFT Guideline for SFC-Licensed Corporations. This includes general guidance that SFC-licensed corporations must take all reasonable measures to mitigate ML/TF risks and ensure adequate policies and procedures are in place to handle third party deposits and payments. The circular’s guidance will be incorporated without substantive changes, other than the introduction of facilitative guidance on whether and under what conditions SFC-licensed corporations may be allowed to delay the completion of the due diligence for identifying and assessing a third-party deposit.

         According to the proposed revisions to the guideline, delayed due diligence should be permissible only if:

         • any risk of ML/TF arising from the delay in completing the third-party deposit due diligence can be effectively managed;

         • it is necessary to avoid the interruption of the normal conduct of business with the customer; and

         • the third-party deposit due diligence is completed as soon as reasonably practicable after settlement.

         The SFC also proposes that SFC-licensed corporations should adopt appropriate risk management policies and procedures to establish a reasonable timeframe for completion of the third-party deposit due diligence and the follow-up actions if the stipulated timeframe is exceeded. If the third-party deposit due diligence cannot be completed within the reasonable timeframe set out in their policies and procedures, SFC-licensed corporations should refrain from carrying out further transactions for the customer and assess whether there are grounds for knowledge or suspicion of ML/TF and consider filing a suspicious transaction report to the Joint Financial Intelligence Unit.

2. 2. Other proposed amendments

   1. Person purporting to act on behalf of customer (PPTA)

   In light of the feedback received from market participants from time to time, the SFC considers it appropriate to elaborate on the guidance regarding PPTA by providing further clarification.

   The SFC seeks to clarify that when determining whether a person is a PPTA, SFC-licensed corporations should have regard to whether a person might be considered as instrumental in carrying out the ML/TF scheme, should the account or transaction involved be found to be linked with criminal activity. Licensed corporations are required to identify and take reasonable measures to verify the identity of a PPTA, as well as the person’s authority to act on behalf of the customer.

   2. Establishing source of funds and source of wealth

   Currently, under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Chapter 615 of the Laws of Hong Kong) and the AML/CFT Guideline for SFC-Licensed Corporations, customers who pose higher ML/TF risks (including PEPs) are subject to special requirements or additional measures during the CDD process. This requires licensed corporations to establish customers’ source of funds or wealth, and sometimes both.

   The SFC proposes to include additional guidance in the AML/CFT Guideline for SFC-Licensed Corporations to assist SFC-licensed corporations in complying with the existing requirements. For example, source of funds information should not be restricted to knowing where the funds have been transferred – licensed corporations should also understand the underlying activity which generated the funds and obtain relevant information to ascertain the nature of that activity. Some illustrative and non-exhaustive examples of activities generating the funds are given in the revised guideline and include salary payments and investment sale proceeds. Illustrative and non-exhaustive examples of the information and documents which may be used to establish source of wealth are also given.

Responding to the SFC Consultation Paper

The proposed amendments are subject to a two-month public consultation, closing on 18 December 2020.
Responses are invited by email, fax, online and by mail, which may be sent: