Anti-Money Laundering and Counter-Financing of Terrorism
Consistent with the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (AML/CFT Guideline), unless the context otherwise requires, the term financial institutions (FIs) in the following FAQs refers to licensed corporations and virtual asset service providers licensed by the Securities and Futures Commission under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO) (SFC-licensed VAS Providers).
Group-wide anti-money laundering and counter-financing of terrorism (AML/CFT) Systems
Overseas subsidiaries For the purpose of section 22(1)(b) of Schedule 2 to the AMLO and paragraph 3.13 of the AML/CFT Guideline, is a licensed corporation’s or an SFC-licensed VAS Provider’s subsidiary that carries on banking or insurance business outside Hong Kong regarded as “carrying on the same business as an FI in a place outside Hong Kong”?
It should be noted that section 22(1)(b) of Schedule 2 to the AMLO states “the same business as an FI”, and the term “FI” refers to an FI as defined in the AMLO, including authorized institution, licensed corporation, authorized insurer, licensed VAS provider, etc. Therefore, so long as the overseas subsidiary carries on the business as any type of FI as defined in the AMLO (not necessarily the same type of FI as the parent company), then this provision will apply.
Key Reference(s): AML/CFT Guideline para. 3.13
Identification and verification of customer’s identity – natural persons
Non-Hong Kong residents What documents would be regarded as “reliable and independent” for verifying the identity information of a natural person customer who is not a Hong Kong resident?
The following are examples of documents that would be considered reliable and independent for non-Hong Kong residents: (a) a valid travel document; (b) a valid national (ie, government or state-issued) identity card bearing the photograph of the individual; or (c) a valid national driving licence incorporating all the required identification information and photographic evidence of the identity of the applicant (issued by a competent national or state authority).
Key Reference(s): AML/CFT Guideline para. 4.2.3
Acceptable travel documents What are acceptable “travel documents” for the purpose of paragraph 4.2.3 of the AML/CFT Guideline?
The following documents are examples of travel documents for the purpose of identity verification:
(b) Mainland Travel Permit for Taiwan Residents;
(c) Seaman’s Identity Document (issued under and in accordance with the International Labour Organisation Convention/Seafarers Identity Document Convention 1958);
(d) Taiwan Travel Permit for Mainland Residents;
(e) Permit for residents of Macao issued by Director of Immigration;
(f) Exit-entry Permit for Travelling to and from Hong Kong and Macao for Official Purposes; or
(g) Exit-entry Permit for Travelling to and from Hong Kong and Macao.
Key Reference(s): AML/CFT Guideline para. 4.2.3
Retention of a copy of travel documents What part of the “travel documents” should be kept on file?
An FI should retain a copy of the “biodata” page of the travel documents containing the bearer’s photograph and biographical details for the purpose of the record-keeping requirements in the AMLO and the AML/CFT Guideline.
Key Reference(s): AML/CFT Guideline para. 4.2.3
Identification and verification of customer’s identity – legal persons, trusts or other similar legal arrangements
Principal place of business What is the “principal place of business” of a legal person?
The “principal place of business” means the location where a legal person primarily operates or the place of its main activities. It can be the same as, or differ from, the address of registered office.
Legal persons, depending on their business nature, may operate in various locations or premises of different natures. If the address of the principal place of business of a legal person is not in line with an FI’s understanding of the legal person’s business nature or customer profile, the FI should seek to understand the rationale for why that address is provided to the FI.
Key Reference(s): AML/CFT Guideline para. 4.2.5
Address of registered office Does an FI need to separately ask the customer to provide “address of registered office” information, if such information is included in a document provided by a reliable and independent source that is obtained by (or otherwise available to) the FI?
Paragraph 4.2.5(c) of the AML/CFT Guideline requires FIs to obtain the address of registered office of a legal person. When the address of registered office of a legal person is included in a document provided by a reliable and independent source (eg, certificate of incumbency) that is obtained by (or otherwise available to) the FI for verification of the legal person's identity, an FI may accept the document as an evidence of the address of registered office unless the FI was made aware that such address was out of date.
Key Reference(s): AML/CFT Guideline para. 4.2.5
Presence of directors or beneficial owners for the purpose of account opening Is there any requirement for directors and beneficial owners of a legal person to establish business relationship with an FI and be physically present at account opening?
In general, a corporate account is opened in the name of a legal person by a natural person who is authorised to act on behalf of that legal person to establish business relationship with an FI. The AML/CFT Guideline does not mandate whether the natural person should be a director or beneficial owner of a customer so long as the natural person has been properly authorised to act on behalf of the customer to establish business relationship with the FI. The basic requirement in this regard is for an FI to identify and verify the identity of that natural person as well as obtaining the written authority to verify that the natural person has the authorisation of the legal person to establish a business relationship with the FI.
If, in such a case, the business relationship is established through a face-to-face channel, at least one natural person who is authorised to establish the business relationship should be physically present at the time of account opening.
For the avoidance of doubt, if, in such a case, the business relationship is established through a non-face-to-face channel (eg, when the natural person acting on behalf of the legal person customer to establish the business relationship is not physically present for identification purposes), the FI should mitigate any increased risk according to paragraph 4.10.7 of the AML/CFT Guideline, (eg, applying additional due diligence measures set out in paragraph 4.10.2 of the AML/CFT Guideline to such natural person, except where the FI has verified the identity of the natural person on the basis of data or information provided by a digital identification system (see paragraph 4.2.1(d) of the AML/CFT Guideline)).
Key Reference(s): AML/CFT Guideline para. 4.10.2 and 4.10.7
Person purporting to act on behalf of the customer (PPTA)
Account signatory Should all account signatories of a customer be considered as PPTAs?
Account signatory refers to an individual authorised by a customer to transact on behalf of the customer or operate the customer’s account.
For the purpose of identifying unauthorised transactions, FIs would normally obtain names, specimen signatures and written authorisation of all account signatories to guard against this risk.
For the purposes of the AML/CFT Guideline, not every account signatory is considered to be a PPTA and required to be identified and verified. As set out in paragraph 4.4.1 of the AML/CFT Guideline, whether the person is considered to be a PPTA should be determined based on the money laundering and terrorist financing (ML/TF) risks associated with that person’s roles and the activities which the person is authorised to conduct, as well as the ML/TF risks associated with the business relationship. For example:
Example 1: Company X, which is a customer of an FI, appoints Individual A as the account signatory and provides Individual A with unlimited authority to give instructions on the movement of funds or assets in and out of Company X’s account. Individual A is a PPTA.
Example 2: Company Y appoints several staff members as the account signatories including Individual B and Individual C; and the business relationship with Company Y is assessed by the FI to pose a low ML/TF risk:
Individual B is authorised to give instructions to move funds or assets in or out of Company Y’s account maintained with the FI only if they are co-signed by another account signatory who is a PPTA of the FI. Individual B is unlikely to be a PPTA given the lower ML/TF risks associated with the roles and activities that Individual B is authorised to conduct, having regard to the low ML/TF risk associated with the business relationship.
Individual C alone is authorised to give instructions to move funds or assets in and out of Company’s Y account for all amounts without co-signing with other account signatories. Individual C is likely to be a PPTA given the higher ML/TF risks associated with the roles and activities that Individual C is authorised to conduct.
Key Reference(s): AML/CFT Guideline para. 4.4.1
Reliability of documents, data or information
Electronic documents What measures is an FI expected to take to ensure the reliability of identification documents which are in electronic form?
The AML/CFT Guideline recognises that some commonly used original identification documents can be in electronic form. An FI should take appropriate measures to ensure the reliability of the electronic documents. The appropriateness of the measures to be taken will depend on the type of identification document in question.
For example, an original certificate of incorporation issued by the Hong Kong Companies Registry is available in electronic form. When accepting a print copy of an electronic certificate of incorporation, an FI can corroborate with other identification document or information (eg, record of companies registry) to ensure the reliability of the print copy.
For the avoidance of doubt, corroboration would not be required for instances where the FI itself has downloaded a particular document (as opposed to having received a print copy of it) from a reliable source (eg, the Hong Kong Companies Registry’s website).
Key Reference(s): AML/CFT Guideline para. 4.5.4
Document in foreign language Does the translation need to be performed by a professional third party (eg, solicitor)?
Paragraph 4.5.5 of the AML/CFT Guideline requires FIs to take appropriate steps to be reasonably satisfied that the documents in foreign language in fact provide evidence of the customer’s identity. The examples of appropriate steps provided in the footnote to paragraph 4.5.5 of the AML/CFT Guideline, which include obtaining a translation from a suitably qualified person, are illustrative but not exhaustive. There is no requirement that the translation has to be performed by a professional third party (eg, solicitor) or someone who is qualified; an FI may obtain a translation from a reliable source, which may include technology solutions and commonly used translation tools.
Key Reference(s): AML/CFT Guideline para. 4.5.5
Expired documents If a previously obtained identity document such as passport of a customer is expired, does the FI need to re-verify any aspect of customer identification by obtaining a current identity document?
The FI does not need to re-verify any aspect of customer identification just because of the expiry of a previously obtained identity document. According to the footnote to paragraph 5.2 of the AML/CFT Guideline, once the identity of a customer has been satisfactorily verified, there is no obligation to re-verify identity unless in specified circumstances; however, the FI should take steps from time to time (ie, during a periodic or trigger event customer due diligence (CDD) review) to ensure that the customer information that has been obtained is up-to-date and relevant.
Key Reference(s): AML/CFT Guideline para. 5.2
Simplified customer due diligence
Listed company beneficial owner transparency For the purposes of paragraph 4.8.8 of the AML/CFT Guideline, how does an FI assess whether there are any disclosure requirements that ensure the adequate transparency of the beneficial ownership of companies listed on a stock exchange?
In determining whether there are disclosure requirements that ensure the adequate transparency of the beneficial ownership of companies listed on a stock exchange, an FI could take into account the following factors, for example:
(a) whether there is a statutory regime that requires the disclosure of interests in listed companies above a certain threshold, either by the shareholders or by the listed companies;
(b) the existence of penalties for non-compliance (pecuniary or otherwise) with the disclosure requirements;
(c) a clear minimum shareholding threshold that triggers disclosure – in general, it should be at least the beneficial ownership threshold under the AMLO (more than 25%), or lower if needed to reflect the FI’s internal standards;
(d) a specified timeframe for disclosure – in general, it would normally be expected that disclosures should be made within a limited number of days of the relevant triggering event; and
(e)public access to the shareholder information.
Key reference(s): AML/CFT Guideline para. 4.8.8
Enhanced measures for high risk customers and jurisdictions
Source of wealth Does an FI need to establish source of wealth for every customer?
No. Under a risk-based approach, FIs are required to establish the customer’s source of wealth in high risk situations. Examples of these high risk situations include (a) a customer or whose beneficial owner is a non-Hong Kong politically exposed person (PEP); (b) a high risk business relationship with a customer or whose beneficial owner is a Hong Kong PEP or an international organisation PEP; and, where appropriate, (c) other situations that by its nature presents a high money laundering and terrorist financing risk. Therefore, FIs are not expected to establish source of wealth for each and every customer.
For customers who are non-high risk, some of the information that is obtained by (or otherwise available to) an FI to understand the purpose and intended nature of the business relationship (eg, occupation of individual customers, business nature of corporate customers, etc) should often be sufficient for the FI to have a basic understanding of the customer’s profile and accordingly be able to monitor that the account balance, and value and volume of transactions, is in line with the expected wealth and profile of the customer.
For high risk customers, there is no expectation to apply the same source of wealth procedures to all these customers in the same manner, or collect evidence dating back decades when the risk does not justify doing so, as it is often impractical.
Key Reference(s): AML/CFT Guideline para. 4.9.2, 4.11.12 and 4.11.24
Jurisdictions subject to a call by the Financial Action Task Force (FATF) Which jurisdictions are subject to a call by the FATF?
Only jurisdictions listed in the FATF statement: “High-Risk Jurisdictions subject to a Call for Action” should be regarded as “jurisdictions for which this is called for by the FATF” under paragraph 4.14.1 of the AML/CFT Guideline. Additional measures that are proportionate to the risks should be conducted on business relationships and transactions with customers from these jurisdictions.
For the avoidance of doubt, conducting additional measure is not mandatory for customers connected to jurisdictions listed in the FATF statement: “Jurisdictions under Increased Monitoring”. However, the fact that a customer is connected to such a jurisdiction should be taken into account in determining the overall risk profile of the customer.
Key Reference(s): AML/CFT Guideline para. 4.14
Cross-border correspondent relationships
Assessing the ML/TF risks associated with cross-border correspondent relationships When assessing the ML/TF risks associated with cross-border correspondent relationships, how should an FI factor in the nature and expected volume and value of transactions of respondent institutions?
The FI is expected to have regard to the nature and expected volume and value of transactions of respondent institutions under normal market conditions, rather than extreme market conditions, when establishing new cross-border correspondent relationships. For existing cross-border correspondent relationships, the FI should take into account up-to-date characteristics of the respondent institutions obtained from the periodic review or event-driven review of the information and data concerning the respondent institutions in the process of refreshing the understanding of the nature and expected volume and value of transactions.
Key Reference(s): AML/CFT Guideline para. 4.20.6
Nested correspondent relationship What measures is an FI expected to put in place to mitigate the risks associated with a nested correspondent relationship?
Nested correspondent relationship refers to the use of a correspondent account by a number of other financial institutions (ie, downstream respondent institutions) through their relationships with the FI’s direct respondent institution, to conduct transactions and obtain access to other financial services.
A nested correspondent relationship would expose the FI to higher risks due to increased uncertainty about whether and how the downstream respondent institutions conduct CDD on their respective underlying customers and the possible involvement of shell financial institutions. Hence, the FI should apply appropriate and proportionate additional due diligence and other risk mitigating measures in accordance with a risk-based approach. For example, obtaining general information about the target markets, underlying customer base and the operation locations of the downstream respondent institutions; performing a more in-depth review of the AML/CFT controls of the direct respondent institution to assess whether the direct respondent institution has performed the additional due diligence measures on downstream respondent institutions in a manner similar to paragraphs 4.20 of the AML/CFT Guideline.
Key reference(s): AML/CFT Guideline para. 4.20.6
Senior management approval Who could carry out the approval process for establishing a cross-border correspondent relationship?
An FI should obtain approval from its senior management for establishing a cross-border correspondent relationship and the level of seniority of the senior management in making such approval should be commensurate with the assessed ML/TF risk. “Senior management” as defined in the glossary of the AML/CFT Guideline includes a broad range of management personnel who may be designated as the approval persons as the FI sees fit.
When the designated management personnel have delegated the authority to approve to other staff members for carrying out the approval process on their behalf, they remain responsible for the approval decision. The FI should ensure that the delegation and approval processes are governed by proper internal policies and oversight mechanisms to ensure, amongst other things, that the delegates are equipped with the necessary training and knowledge to carry out the approval process in accordance with the FI’s policies and criteria for establishing a cross-border correspondent relationship, and their work is monitored and supervised by the delegating designated management personnel.
Key reference(s): AML/CFT Guideline para. 4.20.10 and Glossary of key terms and abbreviations
Using intermediaries for ongoing monitoring If an FI relies on an intermediary to carry out CDD measures when onboarding a customer, can the FI further rely on the intermediary to conduct ongoing monitoring?
No. Section 18 of Schedule 2 to the AMLO only allows an FI to carry out any CDD measures set out in section 2 of Schedule 2 to the AMLO by means of an intermediary but does not allow an FI to rely on an intermediary to continuously monitor relevant business relationships as required by section 5 of Schedule 2 to the AMLO. Therefore, an FI cannot rely on an intermediary to continuously monitor its business relationships with a customer (ie, ongoing CDD and transaction monitoring).
However, an FI may use an intermediary to collect further documents, data and information, and provide or coordinate relevant updates, to assist the FI in ensuring that the CDD records maintained by the FI remain up-to-date and relevant.
Key Reference(s): AMLO s.2, 5 and 18 of Sch. 2 and AML/CFT Guideline footnote to para. 4.15.1
Independent validation of transaction monitoring systems Who can independently validate an FI’s transaction monitoring systems and processes?
Such validation can be performed by an external party or an internal audit function of the FI. Subject to appropriate segregation of duties, the internal audit function should have sufficient expertise and resources to enable it to carry out an independent review of the FI’s AML/CFT Systems (see paragraph 3.10 of the AML/CFT Guideline).
Key Reference(s): AML/CFT Guideline para. 3.10 and 5.8
Suspicious transaction report (STR)
What are FIs’ reporting requirements under the National Security Law (NSL)? Is the reporting threshold the same as Organized and Serious Crimes Ordinance (OSCO)?
The obligation for reporting under the NSL will be triggered when an FI “knows” or “suspects” that any property is offence related property. The threshold for reporting is the same as under existing arrangements under the OSCO, the Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP) and the United Nations (Anti-Terrorism Measures) Ordinance (UNATMO). The time frame for reporting is also the same, ie, FIs should file an STR to the Joint Financial Intelligence Unit (JFIU) as soon as reasonably practicable.
Key Reference(s): AML/CFT Guideline ch.7
Filing of NSL-related STRs
Who should NSL-related STRs be filed to?
All STRs should continue to be filed to the JFIU following existing reporting mechanism, ie, STREAMS, and the “consent / no-consent” systems will remain. FIs can click the box “National Security Law” under the “Reason for Disclosure” column in the STR Proforma, where appropriate.
Note: While it is recognised that FIs may not be able to have full knowledge of the exact nature of the underlying crime, it is expected that these categories are selected on a best effort basis.
Key Reference(s): AML/CFT Guideline ch.7
Offence related property
What is the definition of “offence related property” in NSL and under what circumstances should an FI disclose this property to the JFIU?
“Offence related property” as defined under section 1 of Schedule 3 to the Implementation Rules of the NSL refers to the property of a person who commits or attempts to commit, or participates in or facilitates the commission of, an offence endangering national security; or property used / intended to be used for financing or assisting the commission of an offence endangering national security. “Offence endangering national security” refers to offence of that nature under the NSL and the laws of the HKSAR safeguarding national security.
Pursuant to section 5 of Schedule 3 to the Implementation Rules of the NSL, the following non-exhaustive scenarios can be regarded as circumstances that trigger a disclosure obligation:
(a) When it comes to FIs’ attention that a person is arrested / charged for an offence endangering national security; and/or
(b) When FIs have knowledge or suspicion that a property is “offence related property” after receiving information from law enforcement agencies.
The FIs must make a disclosure of the property held by the persons specified in (a) or the circumstance in relation to (b) to JFIU.
For the avoidance of doubt, such property includes all kind of property regardless of the portion of shareholdings by the persons specified in (a).
If you wish to contact the National Security Department (NSD) of the Hong Kong Police Force for advice, you can do so by the following means:
Information request related to customers of overseas branches or subsidiaries
Would FIs be requested under search warrants related to NSL to submit information of customer’s accounts in their branches or subsidiaries in other jurisdictions?
No. As with the existing practice under the OSCO, DTROP and UNATMO, requests by the law enforcement agencies for information of an account managed in other jurisdictions will be made through Mutual Legal Assistance (involving the Department of Justice). Such requests will not be made through the FIs.
Key reference(s): AML/CFT Guideline para. 7.33
It is noted that, under exceptional circumstances, a warrant is not required for the search of places for evidence under NSL. How are FIs able to ascertain if authority has been conferred for such actions?
A search warrant will ordinarily be obtained by law enforcement agencies when searching an FI’s records. Under exceptional circumstances where it would not be reasonably practicable to obtain such a search warrant, a police officer at or above the rank of Assistant Commissioner of Police may authorise the search. In such cases a formal written document will be produced to the FI on spot, with the name and contact details of the authorized officer clearly stated. Similar arrangements also exist under various other existing ordinances, such as the Gambling Ordinance.
Key reference(s): AML/CFT Guideline para. 7.33
Article 63 of the NSL stipulates that the relevant institutions, organizations and individuals who assist with the handling of a case shall keep confidential any information pertaining to the case. Would the sharing of information with overseas head offices, subsidiaries or branches for risk management purposes breach this requirement?
As with existing obligations under the OSCO, DTROP and UNATMO, FIs should also observe information confidentiality requirements under the NSL and must not disclose to another person any information or other matter which is likely to prejudice any investigation which might be conducted. The sharing of information with overseas head offices, subsidiaries or branches for risk management purposes, as global financial institutions lawfully do now, will not be affected.
Key Reference(s): AML/CFT Guideline para. 3.16
Third-party deposits and payments
Jointly-owned account Are deposits or payments from a jointly-owned bank account third-party deposits or payments?
Where a deposit or payment is made from or to a jointly-owned bank account, the joint owner who is not the FI’s customer is considered as a third party for the purposes of these provisions. FIs should apply policies and procedures for handling third-party deposits and payments to transactions with such a jointly-owned bank account accordingly.
Key Reference(s): AML/CFT Guideline para. 11.1
Third-party deposit or payment approvers Could the third-party deposit or payment approvers delegate the carrying out of the approval process for the acceptance of a third-party deposit or payment?
Yes. When the third-party deposit or payment approvers have delegated the authority to approve to other staff members for carrying out the approval process on their behalf, they remain responsible for the approval decision. The FI should also ensure that the delegation and the approval processes are governed by proper internal policies and oversight mechanisms which ensure, amongst other things, that the delegates are equipped with the necessary training and knowledge to carry out the approval process in accordance with the FI’s policies and criteria for the acceptance of a third-party deposit or payment.
Key Reference(s): AML/CFT Guideline para. 11.5
Virtual asset transfers
The requirements for submitting the required information (referred to in paragraph 12.11.9 of the AML/CFT Guideline) to the beneficiary institution (or, where applicable, another intermediary institution) immediately (ie, before or when the virtual asset transfer is conducted) set out in paragraphs 12.11.10 and 12.11.13 of the AML/CFT Guideline will become effective on 1 January 2024 (effective date).
Prior to the effective date, when should an FI submit the required information in accordance with paragraphs 12.11.9 and 12.11.19 of the AML/CFT Guideline?
Prior to the effective date, if the FI is unable to submit the required information to the beneficiary institution (or, where applicable, another intermediary institution) immediately, the FI should still submit the required information as soon as practicable after the virtual asset transfer.
For the avoidance of doubt, from 1 June 2023 onwards, FIs are required to comply with all other requirements relating to virtual asset transfers set out in paragraphs 12.11 to 12.13 of the AML/CFT Guideline, including the requirements for submitting the required information securely.
Key Reference(s): AML/CFT Guideline para. 12.11.9 and 12.11.19
Ascertaining a customer’s ownership or control of an account maintained with the ordering or beneficiary institution, or an unhosted wallet
When ascertaining a customer’s ownership or control of an account maintained with the ordering or beneficiary institution, or an unhosted wallet, can an FI rely on a self-declaration made by the customer?
Sole reliance on a customer’s self-declaration could not adequately assist an FI in ascertaining the customer’s ownership or control of an account or an unhosted wallet. An FI should refer to the examples of confirmation methods (ie, micropayment test and message signing test) under paragraph 12.10.6 of the AML/CFT Guideline which are meant to be non-exhaustive.
Key Reference(s): AML/CFT Guideline para. 12.10.6
Certification If an FI decides to use certification as a supplementary measure to fulfil the requirement of section 9 of Schedule 2 to the AMLO, what documents should be certified?
In general, the identification document used for the purpose of identity verification (eg, official document such as an identity card, passport, certificate of incorporation, or certificate of incumbency etc) should be subject to certification.
There is no expectation to require certification for all other CDD information or documents provided by the customer; or to require certification if an FI is able to check the documents against public sources.
As a general principle, customers should always be provided with the opportunity, if they wish to do so, to present their original documents to the staff of the FI.
Key Reference(s): AML/CFT Guideline para. 4.10.5, and para. 7 of Appendix C
Sanctions screening of parties involved in payments In a cross-border wire transfer, who must be screened as a “relevant party”?
An FI should, at a minimum, screen the following relevant parties in a cross-border wire transfer: (a) originator; (b) recipient; (c) ordering institution; (d) intermediary institution; (e) beneficiary institution; and (f) named parties (eg, individuals, companies, banks etc) in the payment message.
Key Reference(s): AML/CFT Guideline para. 6.16(c)
Record-keeping of unsuccessful applicants For cases of unsuccessful application for business, is an FI required to retain the identification records and documents in relation to the unsuccessful applicants?
Under the AMLO, there is no requirement for an FI to maintain records and documents involving unsuccessful applicants. This, however, does not preclude the FI from retaining the relevant records and documents in order to meet its other statutory obligations.
Key Reference(s): AML/CFT Guideline ch. 8
Last update: 25 May 2023