17 February, 2017
The Securities and Futures Commission (SFC) issued a circular on 26 January 2017 (Circular) highlighting its concerns regarding compliance by licensed corporations (LCs) and associated entities (AEs) with anti-money laundering and counter financing of terrorism (AML/CFT) requirements.
The Circular sets out the deficiencies and inadequacies in intermediaries' AML/CFT policies, procedures and controls (AML/CFT systems) identified by the SFC in the course of its routine and thematic inspections conducted in 2016. The SFC emphasises that LCs and AEs should review their AML/CFT systems and take immediate action to rectify any similar breaches or deficiencies. To assist intermediaries, the SFC has further set out some examples of good practices which LCs and AEs are encouraged to consider adopting.
1. SFC's key areas of concern
In the Circular, the SFC noted that it had identified over 200 incidents of non-compliance from its review of the AML/CFT practices of more than 290 intermediaries during 2016. The SFC highlighted the following four key areas of concern where intermediaries had failed to comply with the relevant provisions in the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (AML Guideline), the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission.
- Failure to properly conduct and keep sufficient documentation on Institutional Risk Assessments (IRA) to identify and assess money laundering and terrorist financing (ML/TF) risks;
- Failure to provide adequate internal guidance to staff and perform compliance monitoring to ensure effectiveness of AML/CFT systems;
- Deficiencies in the implementation of certain customer due diligence (CDD) and ongoing monitoring measures; and
- Inadequate monitoring, evaluation and reporting of suspicious transactions.
We have summarised the SFC's key inspection findings and regulatory guidance on these key areas below. Full details of the SFC's findings (including case examples) are set out in Appendix 1 and Appendix 2 to the Circular.
2. Deficiencies and inadequacies in IRA
IRA refers to the process for identifying and assessing ML/TF risks to which a firm is exposed, so as to determine the adequate and appropriate AML/CFT systems that should be implemented to mitigate those risks.
| Key inspection findings | Regulatory guidance |
| --- | --- |
| Failure to consider ML/TF risks in all relevant key areas in the risk assessment process. | The design of the approach and process for conducting the IRA should be commensurate with the business profile of each firm and should take into account the ML/TF risk factors set out in paragraphs 2.2 to 2.8 of the AML Guideline, which includes: |
| Failure to use relevant available data (such as number of high risk customers, compliance test data) to assist the analysis of the firm’s vulnerability to the associated ML/TF risks. | |
| Missing or inadequate documentation of the IRA performed. | Records and relevant documents of the IRA performed should be maintained. This should include risk factors identified and assessed, information sources taken into account, the evaluation made on the adequacy and appropriateness of the firm’s AML/CFT systems. During its routine inspections, the SFC will look for documentary evidence that IRA has been properly carried out. |
The SFC has further highlighted the following as important aspects of the IRA:
- Proper senior management oversight – senior management should review and approve risk assessment results and any enhancement measures that are necessary to ensure effectiveness of the AML/CFT systems; and
- Keeping the IRA up-to-date – a mechanism should be put in place to review risk assessments regularly and ensure that the risks of any new products and services are assessed and addressed before they are introduced.
3. Failure to provide adequate internal guidance and perform compliance monitoring
| Key inspection findings | Regulatory guidance |
| --- | --- |
| Failure to provide sufficiently detailed internal guidance to staff, for example, what constitutes a trigger event for initiating a review of client records and what constitutes a valid certificate of incumbency for the purpose of verifying the information of overseas corporate customers. | Firms should ensure that sufficient internal guidance is provided to staff to carry out their AML/CFT related functions. |
| Lack of regular review of AML/CFT systems by the compliance and audit function, resulting in instances of non-adherence to the firm's policies and procedures not being detected. | The compliance and audit function of a firm should regularly review the AML/CFT systems, for example, by conducting sample testing (in particular on the system for recognising and reporting suspicious transactions) to ensure effectiveness. |
4. Deficiencies in CDD and ongoing monitoring
| Key inspection findings | Regulatory guidance |
| --- | --- |
| Failure to take into account relevant risk factors in performing customer risk assessments. | Firms should ensure that their risk assessment schemes are able to identify and categorise ML/TF risks at the customer level properly by considering a comprehensive list of factors in the assessment and taking enhanced measures to manage and mitigate higher ML/TF risks. |
| Inadequate measures for establishing source of wealth and source of funds of high risk customers. | Firms should take reasonable measures to establish the source of wealth and source of funds of high risk customers as required under the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (AMLO) and the AML Guideline. This includes: |
| Inadequate procedures for identifying politically exposed persons (PEPs). | Firms should maintain effective procedures in identifying PEPs. It would be ineffective to solely rely on information provided by the customer (such as self-declared occupation) as a trigger for performing name screening against public information or commercial databases. |
| Failure to perform risk assessments on customers known to be domestic PEPs. | Firms should not presume that a domestic PEP is a non-high risk customer without performing any risk assessment on the customer. |
| Misapplication of the Simplified Customer Due Diligence (SDD) provisions. | The types of customers to whom SDD may be applied are prescribed under section 4(3) of Schedule 2 to the AMLO (note: this includes financial institutions, listed corporations, certain investment vehicles, governments or public bodies meeting specified criteria). Regardless of whether a corporate customer is eligible for the application of SDD, firms should record the names of all directors and verify their identity using a risk-based approach. |
| Inadequate assessment of jurisdictional equivalence. | Firms should institute appropriate policies and procedures to assess and determine which jurisdictions (other than Financial Action Task Force members) apply requirements similar to those imposed under Schedule 2 to the AMLO for jurisdictional equivalence purposes and maintain sufficient documentation of the assessments performed. |
| Inadequate policies and procedures to keep CDD information up-to-date and relevant. | Firms should institute appropriate policies and procedures to perform CDD reviews from time to time, for example upon certain trigger events, and to subject all high risk customers (excluding dormant accounts) to a minimum of an annual review. |
5. Inadequate suspicious transaction monitoring, evaluation and reporting
| Key inspection findings | Regulatory guidance |
| --- | --- |
| The money laundering reporting officer (MLRO) failed to play an active role in the identification and reporting of suspicious transactions. | Firms should critically review the role of the MLROs to ensure they play an active role in considering internal disclosures received from staff and in the identification and reporting of suspicious transactions, in accordance with the AML Guideline. This may involve MLROs reviewing large or unusual transactions reports, and other relevant exception reports on a regular basis. |
| Inadequate monitoring of red-flags of potentially suspicious transactions. | In order to ensure the effectiveness in detecting suspicious transactions, firms should have regard to a comprehensive set of relevant red-flags indicating unusual transactions, including but not limited to those set out in the AML Guideline. |
| Inadequate measures to evaluate the reasonableness of third party payments. | When handling third party payments, firms should: |
| Insufficient documentation of the justifications for the disposal of alerts generated by the suspicious transaction monitoring systems. | Firms should maintain documentation on the findings and outcomes of the reviews of alerts in order for the firms, auditors or regulators to assess whether the alerts were properly cleared by frontline or compliance staff. |
| Failure to review a business relationship upon filing of a report to JFIU. | Firms should review business relationships reported to the JFIU and determine how to handle them to mitigate the risks. Such review should be conducted by the MLRO and if necessary the issue should be escalated to senior management. |
6. Examples of good practices
The SFC has provided examples of good practices it has observed in the course of its inspections and encourages LCs and AEs to consider and assess whether the same should be adopted in their AML/CFT systems to strengthen management supervision and AML/CFT compliance programs. Some examples are:
| SFC's areas of concern | Examples of good practices |
| --- | --- |
| Effective controls | |
| CDD and ongoing monitoring | |
| Suspicious transaction monitoring, evaluation and reporting | |
Details of the examples of good practices are available in Appendix 3 to the Circular.
7. Conclusion
The SFC has reiterated that intermediaries should have appropriate and effective AML/CFT systems in place to mitigate ML/TF risks. In particular, the SFC has stated that AML/CFT compliance will continue to be a focus of its supervision in the coming year. Intermediaries can expect the SFC to continue its close supervision in this area through the use of its range of supervisory tools, including conducting further inspections. At the same time, it is foreseeable that the SFC will, in an appropriate case, take enforcement action against intermediaries in breach of AML/CFT requirements. This is consistent with what the SFC confirmed in its relaunched Enforcement Reporter newsletter published in December 2016.
The SFC emphasises in the Circular that LCs and AEs should without delay review their AML/CFT systems against the deficiencies and inadequacies highlighted in Appendix 1 and Appendix 2 to the Circular, and take immediate remediation action to address any similar issues that may exist in their own policies, procedures and controls.
Appendix 1: Deficiencies and Inadequacies in Institutional Risk Assessment
Appendix 2: Case Examples of Deficiencies or Inadequacies Other Than Those in Institutional Risk Assessment
For further information, please contact:
William Hallatt, Partner, Herbert Smith Freehills
William.Hallatt@hsf.com