Key Highlights on Hong Kong SFC Amended AML/CFT Guidelines (took effect in September 2021)

Key Highlights on SFC Guideline on AML/CFT issued September 2021

  1. Institutional risk assessment
  2. Due Diligence on cross-border correspondent relationship
  3. Third-party deposits and payments

1.  Institutional Risk Assessment

A Financial Institution (FI) should:
(a) consider all relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigating measures to be applied (“considering relevant risk factors”)
(b) keep the risk assessment up-to-date
(c) document the risk assessment
(d) obtain the approval of senior management of the risk assessment result
(e) have appropriate mechanisms to provide risk assessment information to relevant regulators (e.g. SFC, JFIU, the police, etc.) upon request

Standard for Institutional Risk Assessment
[Para 2.4] In considering the institutional risk assessment, an FI should consider quantitative and qualitative information obtained from relevant internal and external sources (e.g. government or FATF guidance) to identify, manage and mitigate the risk.  We find this provision not very helpful.

[Para 2.5] Nature and extent of institutional risk assessment procedures should be commensurate with the nature, size and complexity of the business of the FI
– FI’s business smaller in size or less complex => simpler risk assessment
– FI’s products and services are more varied and complex => more sophisticated risk assessment. 

Considering relevant risk factors
[Para 2.6] An FI should holistically take into account relevant risk factors including (a) country risk, (b) customer risk, (c) product/service/transaction risk, (d) delivery/distribution channel risk, and (e) other relevant risks to which the FI is exposed
=> Too broad  => BUT  Appendix A explains in detail about these risks with examples!

[Para 2.7]  Examples of Risks (helpful)
(a) Country Risk – jurisdiction in which the FI is operating or exposed to, either through its own activities or the activities of the customers.  Greater vulnerability due to (i) crime, corruption or financing of terrorism, (ii) general level and quality of jurisdiction’s law enforcement efforts related to AML/CFT, (iii) regulatory and supervisory regime and controls, and (iv) transparency of beneficial ownership
(b) Customer Risk – proportion of customers identified as high risk
(c) Product/Service/Transaction Risk – characteristics of the products and services that the FI offers and the transactions it executes, and the extent to which these are vulnerable to ML/TF abuse.
(d) Delivery/Distribution Channel Risk – the extent to which the FI deals with customers, and the extent to which it relies on third parties to conduct CDD or meet AML/CFT requirements.
(e) Other Risk – the results of compliance reviews, internal and external audits, as well as regulatory findings.

Keeping risk assessment up-to-date 

[Para 2.9]  FI should review the institutional risk assessment at least every 2 years or more frequently upon trigger events with material impact on the firm’s business and risk exposure. 

Documenting risk assessment
[Para 2.9]  An FI should maintain records and relevant documents of the institutional risk assessment…   => Wolfsberg Questionnaire is a good starting point.

Two types of Questionnaires
Correspondent Banking Due Diligence Questionnaire (CBDDQ)
Financial Crimes Compliance Questionnaire (FCCQ)

2.  Due Diligence on cross-border correspondent relationship

[Para 4.20.1]  Correspondent Institution and Respondent Institution

“Cross-border correspondent relationships” refer to the provision of services for dealing in securities…by an FI in HK (“Correspondent Institution”) to another financial institution located in a place outside Hong Kong (“Respondent Institution”), where transactions effected on a principal (matched principal) or agency basis under the business relationship are initiated by the Respondent Institution.”

[Para 4.20.3] Vulnerability to AML/CFT risks

“Where a Respondent Institution conducts business for or on behalf of customers through a cross-border correspondent relationship with an FI, the FI normally has limited information regarding underlying transactions and the nature or purpose of the underlying transactions because it generally does not have direct relationships with the underlying customers of the Respondent Institution.”

“This will expose the FI to risks stemming from the lack or incompleteness of information about the underlying customers and transactions.” 

“FI must carry out CDD measures in relation to a customer including a Respondent Institution (special customer?).  Although an FI…(cannot) verify the identities of the beneficial owners (of the respondent institutions), FI should apply the following additional due diligence when it establishes a cross-border correspondent relationship (exception for existing Respondent Institution for 6 months grace period – end of March 2022)…”: 
(a) To understand the Respondent Institution’s business
(b) To determine the reputation of the Respondent Institution (based on public information)
(c) To determine the quality of the regulatory supervision over the Respondent Institution
(d) To assess AML/CFT controls of the Respondent Institution
(e) To obtain approval from senior management
(f) To understand FI’s AML/CFT responsibilities

[Para 4.20.6]  Risk Based Analysis (RBA) 

“An FI should adopt an RBA in applying the additional due diligence measures stated above, taking into account relevant factors such as:

  • The purpose of the cross-border relationship, the nature and expected volume and value of transactions
  • How the Respondent Institution will provide services to its underlying customers through the account maintained by the FI for the Respondent Institution (“Correspondent Account”)
  • The types of underlying customers whom the Respondent Institution intends to serve through the Correspondent Account and the extent to which any of these underlying customers and their transactions are assessed as high risk by the Respondent Institution
  • The quality and effectiveness of the AML/CFT regulation as well as supervision by authorities in the jurisdictions in which the Respondent Institution operates and/or is incorporated”

[Para 4.20.7] Information to collect to understand the Respondent Institution includes the Respondent Institution’s:

  • Management and Ownership
  • Financial Group
  • Major Business Activities
  • Target Markets
  • Customer Base
  • Location of Customers

3.  Third-party deposits and payments
[Para 11.3]
“Third-party deposits or payments should be accepted only under exceptional and legitimate circumstances and when they are reasonably in line with the customer’s profile and normal commercial circumstances”

Adequate policies and procedures (including risk management procedures) should be put in place, setting out:
(a) the exceptional and legitimate circumstances under which third-party deposits or payments may be accepted, and their evaluation criteria
(b) monitoring systems and controls for identifying transactions involving third-party deposits
(c) enhanced monitoring of client accounts involving third-party deposits or payments, and the reporting of any ML/TF suspicions identified to the JFIU
(d) the respective designated managers or staff responsible for carrying out these policies and procedures

[Para 11.9] Delayed Due Diligence

“An FI should perform due diligence on the source of the deposits before settling transactions with the deposited funds.

However, an FI may, in exceptional situations, complete the third-party deposit due diligence after settling transactions with the deposited funds, provided that
(a) any risk of ML/TF arising from the delay in completing the third-party deposit due diligence can be effectively managed;
(b) it is necessary to avoid interruption of the normal conduct of business with the customer; and
(c) the third-party deposit due diligence is completed as soon as possible after settling transactions with the deposited funds.”

[Para 11.11]  Where third-party deposit due diligence cannot be completed within the reasonable timeframe set out in the FI’s risk management policies and procedures, the FI should refrain from carrying out further transactions for the customer.