Since the implementation of the Companies Registry’s (CR) Guideline on Compliance of Anti-Money Laundering and Counter-Terrorist Financing Requirements for Trust or Company Service Providers (TCSPs) in March 2018, it is a requirement for TCSPs to take all reasonable measures to mitigate the risk of ML/TF; and to ensure that the AML/CTF requirements under the AMLO are complied with. This new AML/CTF framework are in line with international requirements as promulgated by the Financial Action Task Force (FATF). The FATF is an inter-governmental body that sets international standards on combating money laundering and terrorist financing.
To fulfil the above-mentioned obligations, TCSPs must assess the ML/TF risk of their businesses, develop and implement AML/CTF policies, procedures and controls (“APPC”) on: risk assessment; customer due diligence (“CDD”) measures; ongoing monitoring of customers; suspicious transactions reporting; record keeping; and staff training.
[New update on the latest statistics of inspection and prosecution by CR, on 2020 Dec 18]
In 2020 Dec, CR’s Deputy Registry Manager (TCSP) in charge of Enforcement, has revealed that since the commencement of the Guidelines on Compliance on AML/CTF Requirements for TCSPs (“AML/CTF Guidelines”) on 1 March 2018, CR has in total through a combination of on-site inspections & off-site monitoring, inspected almost 3,200 TCSPs, interviewed another 1,952 TCSPs, and issued 859 warnings or advisory letters, and 1,380 summonses.
See details on slide #20, of CR’s presentation of Licensing Regime for Trust or Company Service Providers (TCSPs).
Key focuses during these AML/CTF inspections includes compliance with Customer Due Diligence (CDD) process, Record Keeping, AML/CTF Screenings, and Suspicious Transactions Reporting (STR) (See slides #33, of CR’s ACRU 2019 presentation). The revelations suggest that CR is serious about enforcement & compliance with the AMLO’s AML/CTF regime, and the inspection process is likely to continue given that this represents only 27.4% of the total TCSPs population have undergone a CR on-site inspection.
So how can TCSPs (or other professional firms in similar capacity, e.g. auditors, accountants, lawyers etc.) prepare themselves for the AML/CTF compliance inspection by CR?
TCSPs should take a closer look at and comply with the following regulations:
- Schedule 2 of Anti-Money Laundering and Counter-Terrorist Financing Ordinance, Cap. 615 (“the AMLO”) (download here).
- Guideline on Compliance of Anti-Money Laundering and Counter-Terrorist Financing Requirements for Trust or Company Service Providers (download here).
We summarise the key areas where a TCSP should focus on to prepare for the AML/CTF compliance inspection.
AML/CFT Policy (APPC)
First and foremost, TCSPs should have adequate AML/CTF risk management, and AML/CTF internal Policies, Procedures and Controls (APPC). Hence, TCSPs should establish a policy document which we called the AML/CTF Policy. (Collectively, the APPC is referred to as “AML/CTF systems” in CR’s Guidelines for TCSPs).
This policy should contain:
- Customer Due Diligence (CDD) measures
- Ongoing monitoring
- making of suspicious transaction reports
- record-keeping
- risk assessment and management
- audit of the internal policies, procedures and controls
- monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
- hiring and training of employees
At the same time, HKICPA is kind enough to give some basic guidances on the AML/CTF Policy in its AML Procedures Manual for Accountants (“the manual”).
If you are not sure how to develop a APPC document, you can purchase the template here.
Customer Due Diligence (“CDD”)
The CDD requirements are set out in Schedule 2 to the AMLO. CDD is intended to enable the TCSP to form a reasonable belief that it knows the true identity of each customer and, with an appropriate degree of confidence, knows the type of business and transactions the customer is likely to undertake. Depending on specific circumstances and risk profiles, TCSPs may also need to conduct additional measures (referred to as enhanced customer due diligence (“EDD”)).
The CDD measures applicable to the TCSPs are:
- identifying the customer and verifying the customer’s identity using documents, data or information provided by reliable and independent source;
- where there is a beneficial owner in relation to the customer, identifying and taking reasonable measures to verify the beneficial owner’s identity so that the TCSP is satisfied that it knows who the beneficial owner is, including in the case where the customer is a legal person or trust, measures to enable the TCSP to understand the ownership and control structure of the legal person or trust;
- obtaining information on the purpose and intended nature of the business relationship (if any) established with the TCSP unless the purpose and intended nature are obvious; and
- if a person purports to act on behalf of the customer, to identify the person and taking reasonable measures to verify the person’s identity, and to verify the person’s authority to act on behalf of the customer.
Management Oversight
What are the roles and responsibilities of the sole proprietor/partners/board of directors and management in preventing money laundering and terrorism financing?
It is recommended that the TCSP establish an organisational and reporting structure in relation to AML/CTF. The reporting structure should include a Compliance Officer, preferably also a Money Laundering Reporting Officer (MLRO), and an Internal Auditor. These are key persons who are responsible for AML/CTF and they should be named in the reporting structure as well as mentioned in the AML/CTF Policy.
The role of the Compliance Officer is to keep Management informed of the compliance and risk management matters as and when they deal with customers that are seemingly suspicious. Any suspicious trade should be reported to the Compliance Officer (or the MLRO if appointed) and he or she will escalate to Management if approval is required.
The audit function of a TCSP should be independent and adequately resourced, and be able to assess the effectiveness of its APPC periodically.
Read more: Management Oversight – Lessons Learnt from BSI AML Control Failures
Risk Assessment
We recommend TCSPs perform an overall risk assessment of its clients. TCSPs can assess clients’ risks based on the type of customers, type of services provided, types of transactions that the client engages in, or the countries or jurisdictions where the customers are from or in.
- List down all the risk categories that are relevant to you. For example, (i) type of customer – money changers, (ii) type of service provided – acting as nominee director.
- For each specific risk category, give a risk rating to it. You may want to rate, for each risk category, simply as Low Risk, Medium Risk or High Risk. TCSPs need to pay particular attention to those risk categories that they rate as Medium or High Risk because these risk categories will need to be mitigated with Enhanced CDD procedures and these procedures should be documented.
- For each risk category, produce a set of risk mitigation procedures.
Up until this stage, the TCSPs should go through their client lists and classify their clients based on the risk categories defined. As CR requires all TCSPs to conduct CDD on their existing high risk clients by 1 March 2018, it is recommended that CSPs complete the following for all the high risk clients:
- Ensure that CDD and Enhanced CDD forms are completed and signed by the customers.
- Ensure that copies of identification documents are available and verified.
- Perform screening on the customers to ensure that they are not blacklisted or Politically Exposed Persons (PEPs), Relatives or Close Associates (RCAs) of PEPs. This can be done either by doing Google searches or searching commercial AML/CFT databases like SentroWeb-DJ. All search results must be retained as documentary proof.
Suspicious Transaction Reporting
Based on suspicious transactions reporting statistics from Joint Financial Intelligence Unit (JFIU) of the Hong Kong Police, TCSPs is one of industries which has the least number of suspicious transaction report (“STR”) reported.
- If a TCSP has not reported an STR before, it should at least know how to report one if such an occasion arise. TCSPs should have proper escalating procedures being documented in the AML/CTF Policy. TCSPs are strongly encouraged to use the STR proforma or the e-reporting system named Suspicious Transaction Report and Management System (STREAMS) to report suspicious transactions. Please visit JFIU website here for full details of the reporting methods and advice.
- TCSPs should also reference regularly to the JFIU’s website on updates on Terrorists List, Alert List, United Nations Sanction List, latest information, publications & press releases as published by the relevant authorities in HK, as well as the latest typologies work on methods, techniques and trends of money laundering and terrorist financing. This will allow TCSPs to stay abreast of alerts and updates on AML/CTF requirements and changes to the relevant lists of UN-designated individuals and entities, as well as other AML/CTF announcements, such as high risk jurisdictions identified by the Financial Action Task Force (FATF) etc. (Please visit JFIU website here).
- In addition, TCSPs should also reference the Financial Services and the Treasury Bureau (FSTB) website on the latest information, publications & press releases on Hong Kong’s AML/CFT regime and strategies. The FSTB is responsible for coordinating the Government’s efforts to deliver AML/CFT policies, strategies and legislative initiatives endorsed by the Central Coordinating Committee on AML/CFT (CCC). The FSTB monitors the overall effectiveness of Hong Kong’s AML/CFT regime and compliance with the FATF Recommendations, and facilitates cooperation among stakeholders.
(The FSTB website link is here)
Every business dreads the news that the auditors or regulators are coming. TCSPs can manage the AML/CTF compliance inspection process proactively and reduce surprises when they cover the major areas mentioned above. An important thing to do is also to train and brief your staff of all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them the assurance that you have done your best and what is required according to the regulations. The approach to the review is to be truthful. If there is any shortcomings, work out the remedial actions with the inspectors.
