Clifford Chance

The Hong Kong Monetary Authority (HKMA) has provided helpful AML / CFT guidance following its thematic review.

Combating money laundering and terrorist financing (ML/TF) has, and continues to be, an area of supervisory and enforcement focus for regulators in Hong Kong and beyond.

In recent years, we have seen record ML fines in Hong Kong, notably in connection with the 1MDB scandal (where the SFC imposed a HK$2.7 billion fine), and ML compliance is top of the agenda for many, particularly Hong Kong's regulated financial institutions.

That said, significant autonomy is given to regulated financial institutions in terms of design and implementation of their Anti-Money Laundering (AML) compliance programmes. There is no "one-size-fits-all" when it comes to ML controls. Finding the right balance in a risk-based fashion, between practicality and cost-effectiveness, and detecting and preventing ML as far as possible, is an invariable challenge.

The use of Regtech – notably data analytics and appropriate integration of external data, is an important tool in striking that balance.

And it is in this context that the HKMA's thematic review of Authorised Institutions' (AIs) use of external information and data, in ML/TF risk management, provides guidance on good practices and a steer on the HKMA's areas of emphasis.

Key points of interest are:

• The Risk Based Approach. The HKMA adopts a risk-based approach in ML/TF supervision. Each AI must consider the most appropriate AML programme to adopt, taking into account the programme's typologies, areas of focus and processes, which should be commensurate with the size of the financial institution, customer profile, geographical footprint and services offered.
• Appropriate use and sharing of external information. Intelligence from external sources, particularly the Fraud and Money Laundering Intelligence Taskforce (FMLIT)¹, was used to reduce AML risks. Information regarding online fraud that was case-specific (regarding subject individuals or entities) and typological (regarding risk indicators and typologies) was found to be relatively targeted and useful. Importantly, this information was shared internally, including with staff of affected business lines or functional units, to enhance awareness.
• Data analytics and integration of external information. The HKMA observed that technology tools, notably data and network analytics, were used effectively to help visualise connectivity of relevant data, such as common behaviours and attributes, which facilitated further data analysis and identification of high risk relationships and suspicious transactions. Analytics were also used by one bank to monitor digital footprints and identify mule account networks (i.e. linked accounts that are not genuine customer accounts and potentially used for ML / TF), intercept suspected fraudulent funds and return them to victims. The HKMA gave credit to banks which were able to integrate external information, for example from FMLIT, into their existing data analytics programmes, and noted that these banks "demonstrated stronger capabilities to identify higher-risk relationships, suspicious transactions and networks of mule accounts".
• Support from senior management. The importance and effectiveness of senior management support was emphasised, notably by providing strong direction, maintaining close communication and intelligence sharing between group entities and allocating resources for ongoing development in integrating external information and data into AML/CFT systems.
• The importance of performance measurement. Whilst all reviewed AIs recognised the value of integrating external information and data into AML/CFT systems, not all had established a framework to analyse the efficiency and effectiveness of outputs and evaluate outcomes. In terms of measuring the effectiveness of use of external data, quantifiable measurements such as number of customers with nexus to case specific information, number of STRs filed, amount of assets held by AIs subject to "no consent" decisions by JFIU, and amount of customer loss prevented were used with one AI considering less tangible elements such as impact on customers and bank staff.

Given there is no "one-size-fits-all" when it comes to ML controls, this is welcome guidance from the HKMA regarding integration of external data, to help regulated financial institutions stay on the right side of the regulatory microscope.

_{1. The FMLIT is led by the Hong Kong Police Force in collaboration with the HKMA and Hong Kong Association of Banks, with the aim of more effectively targeting and tackling current and future financial crime and ML threats, notably through information sharing.}