Key points in the SFC Consultation Paper to amend the SFC AML Codes


The Hong Kong Securities and Futures Commission (“SFC”) released a consultation paper on 18 September 2020, proposing amendments to (1) the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) and (2) the Prevention of Money Laundering and Terrorist Financing Guideline issued by the Securities and Futures Commission for Associated Entities (collectively, “AML Codes”). Edmond Leung and Alan Wong from the Regulatory and Compliance practice group of Tanner De Witt summarise the amendments to the AML Codes.

The proposed amendments from the SFC are intended to keep the AML Codes in line with the Financial Action Task Force’s (“FATF”) standard. This follows the FATF’s Guidance for a Risk-based Approach for the Securities Sector published on 26 October 2018 (“RBA Guidance”). Also, the proposals address some areas for improvement identified in the FATF Mutual Evaluation Report of Hong Kong published on 4 September 2019.

Institutional risk assessments

Presently, a licensed corporation (“LC”) is required to continuously identify and assess money laundering and terrorist financing risks to which it is exposed, and to ensure its internal anti-money laundering and counter-terrorist financing systems (“AML/CFT System”) are adequate and appropriate to mitigate the risks identified. This process is commonly referred to as an institutional risk assessment (“IRA”). 

The SFC is now proposing to codify the requirements of IRAs into the AML Codes. This includes:

  • setting out steps that an LC should take when carrying out an IRA;
  • information that an LC should consider for taking a holistic approach in its review, including obtaining quantitative and qualitative information from relevant sources; and
  • the risk factors that should be addressed in the IRA.

Senior management will be required to review and approve the IRA. LCs will also be required to make risk assessment information readily available to the SFC.

The IRA needs to be reviewed at least once every two years, or more frequently if there is any triggering event with material impact on the LC’s business and risk exposure. Some of these triggering events include:

  • a significant breach of the AML/CFT System;
  • the acquisition of new customer segments or delivery channels;
  • the launch of new products and services; or
  • a significant change of the operational processes.

An LC should weigh the precise nature and extent of the IRA required against the nature, size and complexity of the business of the LC.

Enhancement to Risk Factors

The SFC proposes to expand the list of examples of risk indicators in the AML Code. The SFC will also supplement the list of indicators that will permit an LC to ascribe a lower risk and adopt simplified due diligence.

Some high-risk indicators for money laundering and terrorist financing risks provided by the SFC include:

  • a customer’s business relationship established with the LC is unusual in light of the customer’s geographical location;
  • a customer was mentioned in negative news reports in a credible media channel;
  • deposits from or payments to unknown or unrelated third parties;
  • adoption of new payment technologies or methods not used by the LC in its normal course of business; and
  • intermediaries from higher risk countries or jurisdictions, or with a history of non-compliance.

Some high-risk indicators for suspicious transaction and activities provided by the SFC include:

  • a customer’s correspondence address is associated with other apparently unrelated accounts;
  • a customer does not exhibit any concern over the costs of transactions or fees;
  • making large transactions shortly before news or a significant announcement is issued that affects the price of the security;
  • making transactions for one or more accounts regularly at or near the close of market trading hours that alter the closing price of the security; and
  • transferring funds to other financial institutions in different jurisdictions from the financial institutions where the funds were initially received.

These lists are not meant to be exhaustive and LCs will be required to consider other risks.

Cross-border correspondent relationships

The SFC proposes to incorporate certain duties on LCs when establishing cross-border correspondent relationships with an overseas intermediary. This is similar to the measures that apply to banks. A typical example of a cross-border correspondent relationship is a business relationship established between a securities firm (“Correspondent”) executing securities transactions on a stock exchange for an overseas intermediary’s (“Respondent”) local customers. In this example, the local customers are not customers of the Correspondent. The Correspondent will need to carry out additional due diligence against the Respondent to ensure the Respondent has a proper AML/CFT System in place.

The additional due diligence should involve:

  • collecting information to understand the nature of the Respondent’s business;
  • considering the quality and reputation of the Respondent through publicly available information;
  • assessing the AML/CFT System of the Respondent (this should include considering whether the AML/CFT System is subject to any independent audit);
  • considering the nature, expected volume and value of transactions of a proposed cross-border correspondent relationship;
  • considering the proposed use of an account maintained by the Correspondent for the Respondent (“Correspondent Account”);
  • ascertaining the types of underlying customers of the Respondent; and
  • understanding the Respondent’s business, including its management and ownership structure, its financial group, major business activities, target markets, customers bases and their locations.

If the Respondent is in a higher risk category, then the Correspondent should also review the audit findings, interview the Respondent’s compliance officer, and carry out an on-site visit.

The above due diligence should be carried out even if the Respondent is a related foreign financial institution within the same group, but subject to a different risk profile.

If the Respondent’s underlying customers have direct access to the Correspondent Account, the Correspondent should make additional checks against the Respondent. A Correspondent should only enter into a cross-border correspondent relationship if the senior management’s approval is obtained.

No relationship should be established with a shell financial institution. A shell financial institution means a corporation that is incorporated in a place outside Hong Kong and provides financial services in that place but does not have a physical presence (i.e. it does not have any business premises and no full-time employee is working at the business premises).

Finally, a Correspondent should review the cross-border correspondent relationship regularly and monitor any transactions made by the Respondent to detect unexpected or unusual activities.

Third-party deposits and payments

Presently, LCs are required to follow the circulars from the SFC when dealing with customers who receive or pay funds to a third party. The SFC is now introducing a new chapter in the AML Code that will incorporate the SFC’s circulars.

Generally, an LC should only accept third-party deposits or payments in exceptional and legitimate circumstances, and those deposits must reasonably match the customer’s profile and commercial practice. An LC should not accept any third-party deposit or payment arrangement unless there are adequate policies and procedures in place. The policies and procedures should be designed by a manager-in-charge.

The policies and procedures should address:

  • the circumstances when third-party deposits and payments are acceptable;
  • the monitoring systems and controls over third-party deposits and payments;
  • the level of due diligence to be conducted against the third-party;
  • the procedure for receiving clearance from the manager-in-charge before allowing the transaction;
  • the circumstances and risk management policies concerning a third-party deposit if an LC allows due diligence on the source of the deposit to be carried out after settling the transaction. This will include a reasonable timeframe for the completion of the due diligence against the third-party, and placing appropriate limits on the number, types and amount of transactions; and
  • when to report to the Joint Financial Intelligence Unit (“JFIU”) concerning third-party deposits and payments.

If a customer fails to satisfy the third party due diligence within a reasonable timeframe, the LC should cease carrying out further transactions for the customer and consider making a report to the JFIU.

Concluding comments

These proposals for change either consolidate prior SFC circulars or adopt FATF recommendations. The changes are welcome and expected. Nonetheless, LCs should carefully review the proposals, and prepare now for changes and improvements to their internal controls and processes in anticipation of the proposals being implemented.

The deadline to submit comments to the SFC on the consultation paper is 18 December 2020.

Edmond Leung and Alan Wong

If you would like to discuss any of the matters raised in this article, please contact:

Edmond Leung
Partner | E-mail
Pádraig Walsh
Partner | E-mail
Russell Bennett
Partner | E-mail
River Stone
Partner | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.