Hong Kong regulator publishes list of complaints from its AML inspections
Chris Hamblin, Editor, London, 13 September 2018
The Securities and Futures Commission of Hong Kong has found many financial firms' anti-money-laundering measures and controls wanting during its inspections over the past year and has set out its findings in a single report.
Some of the findings come from a thematic inspection of the systematic ways in which 13 firms identified and avoided risks that pertain to money laundering and terrorist financing. Others came from routine inspections which looked at the ways in which about 270 firms reviewed their AML/ATF policies.
The assessment of risks
Several firms fell down on the job when making their institutional risk assessments (IRAs). One mistook the completion of the AML/ATF self-assessment checklist issued by the SFC as equivalent to the performance of an IRA. The checklist is, of course, designed to provide a structured way in which firms assess their compliance with the main AML/ATF rules, but it is no substitute for an IRA. One firm’s IRA did not include an evaluation of whether its AML/ATF policies, procedures and controls were adequate and appropriate for the purpose of offsetting the risks it had identified. The SFC thinks that this evaluation is necessary for any firm that wants to evolve an action plan to improve its AML/CFT policies, procedures and controls. Some firms did not maintain records and relevant documents that proved that senior managers had reviewed and approved their IRA results.
When it comes to customer risk assessments (CRAs), there is room for improvement. One firm did not follow up on inconsistent information provided by customers (e.g. a customer who declared himself to be unemployed but who claimed a salary as his source of income) in the course of 'customer due diligence' or CDD. Some firms failed to tell their management and front-line staff how to determine a customer’s overall ML/TF risk level by reference to a range of set factors. This resulted in inconsistent ML/TF risk levels being assigned to customers with similar risk factors. Another firm allowed its relationship managers to override CRA results derived from its assessment questionnaire without insisting on justification. Some firms did not maintain enough documents to show how individual customers’ ML/TF risk levels were derived. When a firm identifies customers whose 'ML/TF risk' (the risk of being caught breaking an AML rule by a regulator) and do more than usual to offset that risk.
Initial CDD
Firms were found wanting in their pursuit of information about the beneficial ownership of their corporate customers during the 'onboarding' process. Some failed to obtain any reliable, independent source documents such as certificates of incorporation or certificates of incumbency to verify the identities of those corporations and their beneficial owners. Some failed to identify all beneficial owners (people who ultimately own or control more than a 25% interest) of their corporate customers and verify their identities. One firm looked for customers' names on a commercially available database to identify politically exposed persons (PEPs) but, in the SFC's words, "the scope of screening did not extend to the beneficial owners of the customers." One firm erroneously assumed that all customers that were collective investment schemes were eligible for the application of the 'simplified CDD' allowed by the Anti-Money-Laundering Ordinance without ascertaining whether the customers could meet the requisite criteria. Another firm stipulated in its written policies and procedures that all 'high risk' customers were subject to enhanced CDD measures, but it did not elaborate on this or say what measures its staff should take in different situations. As a result, the CDD measures that it did take depended on the personal judgement of front-line staff, who provided no justification for their whims. The measures also did not comply with the special requirements that the AMLO imposes for some types of customer. Another firm did not set up any risk management policies and procedures for imposing conditions on the continuance of a business relationship with a customer "when allowing the customer to utilise the relationship to effect securities transactions prior to the completion of identity verification."
Continuing CDD
The list of deficiencies and inadequacies regarding 'ongoing' CDD is long. One firm required its front-line staff to review highly risky customers’ profiles every year but did not put in place procedural and supervisory safeguards to ensure that they did so. As a result, the profiles of many went out of date and remained so for many years. Another firm conducted annual reviews of highly risky customers’ profiles by issuing messages to remind the customers to notify the firm of any updates to the information previously provided to the firm. The firm did not take any other steps to update the profiles of some of these customers when there were significant changes in its business relationships with them (e.g. changes in the nature, volume or size of transactions) and when it did not receive any notifications from them.
The SFC believes that the profiles of highly risky customers (excluding those with dormant accounts) should be subject to reviews every year (and more frequently if deemed necessary by the firms), the better to keep the CDD information up-to-date and relevant. Like seemingly all regulators, the SFC is a stickler for firms obeying their own internal policies and procedures.