Latest SFC inspection findings on AML/CTF systems and controls: a warning shot to the industry
The Securities and Futures Commission (“SFC”) issued a robust circular on 31 August 2018 in relation to the adequacy of licensed corporations’ (“LCs”) Anti-Money Laundering and Counter Financing of Terrorism (“AML/CFT”) controls. The circular followed thematic visits to 13 LCs where the AML/CFT controls were tested and found wanting.
In the circular, the SFC reminded LCs to ensure they had taken all reasonable measures to mitigate money laundering and terrorist financing (“ML/TF”) risk by critically reviewing their systems and controls. The timing of the circular is not insignificant, arriving just a short time ahead of the global standard setter, the Financial Action Task Force (“FATF”), conducting its mutual evaluation of Hong Kong later this year. Mutual evaluations play a significant role in signalling ML/TF risk status in each jurisdiction and they are not taken lightly. The process inevitably places pressure on all financial regulators in Hong Kong to demonstrate the strength of their supervisory and enforcement actions – and not just the controls on paper.
The SFC’s circular comes hot on the heels of the HKMA’s actions against Shanghai Commercial Bank in mid-August as well as Hong Kong’s ML/TF Risk Assessment in April.
Deficiencies identified by the SFC
The SFC highlighted the following deficiencies as those most likely to undermine LCs’ systems and controls:
- Failure to complete an adequate institutional risk assessment (“IRA”) to evaluate the appropriateness of a firm’s existing AML/CFT controls to mitigate identified risk.
- Failure to document proper governance in relation to the IRA by obtaining senior management sign off.
- A lack of proper procedures in relation to conducting and documenting customer risk assessments, including:
  - failing to follow up on inconsistencies in information provided by customers;
  - not providing staff with defined risk rating criteria to assist them in assigning appropriate risk ratings to customers;
  - not requiring justification for deviation from defined risk parameters and results; and
  - inadequate documentation in relation to customer risk assessments.
- Not taking steps to identify and verify the identity of customers, including failing to obtain independent source documents in relation to corporates and the identity of beneficial owners (i.e. natural persons who own or control more than 25% of a corporate entity).
- Failing to have in place screening to identify politically exposed persons connected to customers.
- A failure to ensure that collective investment schemes (a form of investment vehicle) are suitable for simplified customer due diligence. Simplified customer due diligence means, generally, that it is not necessary to identify, and verify the identity of, beneficial owners. Simplified due diligence can be applied to a collective investment scheme but only if it meets specific eligibility criteria set out in the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).
- Not ensuring that enhanced due diligence was commensurate to the degree and nature of risk for high risk customers.
- Not applying any risk management measures when establishing a business relationship prior to completing the identification and verification of identity process.
- For high risk customers, failing to have procedures in place to ensure that customer due diligence was reviewed and refreshed on an annual basis.
- Failing to conduct sanctions screening on an ongoing basis and failing to document the rationale behind decisions to discount potential name matches to designated persons.
- Failing to have in place adequate systems and controls to identify suspicious transactions and review business relationships when suspicious transactions have been reported to the Joint Financial Intelligence Unit.
The findings in the SFC’s report indicate that many LCs may not be achieving even basic AML/CTF standards. It is the clearest signal that LCs must take steps to address this urgently, particularly as the SFC closed the circular with a staunch reminder that it would not hesitate to take enforcement action for failings. This is a warning that LCs would be remiss to ignore, particularly in light of the upcoming FATF visit and enhanced regulatory scrutiny in relation to ML/TF.