Recent AML enforcement action, regulatory guidance and key lessons learned
Banks should refer to these examples, and to the expectations the HKMA has set out in its press release and recent guidance, to take appropriate risk-mitigating measures on an ongoing basis.
The HKMA announced on 19 November 2021 that it had completed investigations and disciplinary proceedings against four banks under the Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Ordinance (Cap. 615) (AMLO), imposing pecuniary penalties of a total of HK$44.2 million (about US$5.7 million). This arose from a series of onsite examinations the HKMA conducted on banks’ systems and controls for compliance with the AMLO after its enactment on 1 April 2012. The HKMA also issued orders for an independent external advisor to assess and report to it on the sufficiency and effectiveness of remedial measures taken by two of the banks to address identified contraventions and other deficiencies.
The four banks' contraventions principally relate to ongoing CDD, and enhanced CDD in high-risk situations, and spanned from April 2012 to September 2017 (with the record keeping contraventions extending up to September 2018). The HKMA notes that this was when the industry's "understanding and experience was less mature". The HKMA further notes that since then, significant progress has been made by the industry, including by the banks concerned, in enhancing financial crime compliance capabilities, with attention having been given to improving processes, controls, and staffing. This is reflected by the fact that by the time of publication of the Financial Action Task Force (FATF) Mutual Evaluation Report (MER) on Hong Kong on 4 September 2019, based on an onsite visit from 31 October to 15 November 2018, Hong Kong was found to be overall compliant and effective in respect of its AML and CTF systems.
Whilst the HKMA has stressed that significant progress has been made, banks should nevertheless make reference to these examples. This is because significant autonomy is given to regulated financial institutions in terms of design and implementation of their AML compliance programmes. There is no "one-size-fits-all" when it comes to money laundering (ML) controls, which should be commensurate with the financial institution's size, service offering, customer profile and geographical footprint. Finding the right balance, in a risk-based fashion, between practicality and cost-effectiveness in detecting ML is a constant challenge. Disciplinary actions like these are therefore an invaluable source of lessons.
Summary of HKMA findings
The issues identified by the HKMA are set out in more detail in tabular form in our briefing. In summary:
- The four banks were found to have failed to comply with their duty to continuously monitor customer business relationships through ongoing CDD. The failures notably included a lack of timely periodic reviews (in some cases, for high-risk customers). One bank was found to have adopted a "mailer approach", under which the bank issued a letter to customers enquiring whether there had been any change in the customer information provided at account opening; if the customer did not respond within 21 days, the bank assumed that there had been no change, and no follow-up review or verification steps were taken. The HKMA considered this approach to have "inherent deficiencies", and it did not ensure that customer information was up to date and relevant.
- In situations where the HKMA perceived high ML and terrorist financing (TF) risks, there was an identified lack of reasonable measures to establish their customers' or their beneficial owners' sources of wealth and funds, or to obtain senior management approval to establish or continue the business relationship. One bank was also found to have delayed in implementing these measures after obtaining knowledge that their customers or their beneficial owners were politically exposed persons (PEPs).
Key takeaways for banks
Banks should refer to these examples to review data quality and transaction monitoring system effectiveness, and take appropriate risk-mitigating measures on an ongoing basis. The HKMA expects an up-to-date understanding of evolving risks, use of better-quality data, responsible innovation including regtech adoption, and close collaboration in the ecosystem.
A summary of the HKMA's recent guidance on the use of better-quality data, responsible adoption of regtech, keeping up to date and collaboration can be found in our briefing.
AML compliance continues to be an area of regulatory focus in Hong Kong. The risk-based approach in AML compliance requires judgment and a balancing act between operational efficiency and appropriate ML controls and procedures; design and implementation can also vary widely depending on the bank's circumstances.
Quality data and regtech are key to striking this balance. Also key is awareness through training, not only of compliance staff, but also front-line staff, who are the first line of defence. Our expert team would be pleased to assist with your AML training and internal control review needs.