HKMA's observations on AML/CFT control measures for remote customer on-boarding activities
The Hong Kong Monetary Authority (HKMA) elaborates on its regulatory expectations of Authorized Institutions (AIs) in respect of remote on-boarding activities, outlining good practices and suggestions to mitigate AML/CFT risks.
Following recent thematic reviews, engagement with AIs, virtual banks and technology firms in the Fintech Supervisory Sandbox and Chatroom, the HKMA issued a circular on 3 June 2020 identifying observations and good practices for remote customer on-boarding initiatives by AIs.
We highlight below the key observations and suggested good practices:
1) Conduct adequate initial AML/CFT risk assessment:
- While no particular format of AML/CFT risk assessments are prescribed, all AIs reviewed by the HKMA had performed assessments with review and approval by their Financial Crime Compliance (or equivalent) teams before launching remote customer on-boarding initiatives. Common factors covered in these initial assessments include due diligence on the vendor's capability and reliability, as well as potential risks arising from remote on-boarding initiatives and the technology deployed.
- It is essential for AIs which rely on existing "off-the-shelf" solutions offered by vendors to demonstrate an appropriate level of understanding of how the solutions work, and their benefits and limitations, including the algorithms used and the features or attributes matched by the artificial intelligence in the identity card authentication process.
2) Adopt a risk-based approach:
- AIs may adopt a phased risk-based approach in launching remote on-boarding initiatives by initially targeting lower-risk customer groups and/or limiting the service scope (such as lower transaction limits and account functionality).
- Control procedures for remote on-boarding applications ought to be adjusted according to perceived assessed risks of a potential customer. While certain AIs do not permit remote on-boarding for higher-risk customers, AIs may choose to on-board higher-risk customers through video conference and/or require initial payments from same-name accounts at other banks to activate the account being opened at the AI.
3) Continuous management and monitoring of technology adopted:
- All AIs reviewed by the HKMA adopted ongoing quality assurance processes on the technology deployed in remote on-boarding process, such as 100% manual checking of selfie images and identification documents. AIs are encouraged to follow up on any irregularities noted during the manual checking process and consider adjusting or fine-tuning their control procedures and technological requirements with vendors.
- During post-implementation reviews, AIs may plan to reduce the manual testing sample size over time, taking into account the reliability and consistency of the technology deployed as well as a holistic overview of its mitigation of AML/CFT risks.
4) Continuous monitoring of account vulnerabilities:
- Initial customer due diligence conducted at the beginning of the remote on-boarding process should be complemented with continuous monitoring of the account for AML/CFT risks. Such continuous monitoring should be tailored to the risk profile of the customer.
- AIs are encouraged to share information and intelligence by establishing internal working groups with members from their Financial Crime Compliance and anti-fraud teams to conduct joint investigations into ML-related fraud cases and manage alerts generated from transaction monitoring and fraud prevention systems.
The HKMA's guidance comes at an opportune time, when more AIs are considering remote on-boarding amid the COVID-19 outbreak. It provides AIs with a blueprint to balance technological convenience with risk-based control measures to mitigate AML/CFT risks.