Martin Lim, Founder and Director, Ingenique Solutions, provides practical guidelines for implementing internal policies, procedures and controls for anti–money laundering and counter–financing of terrorism compliance, and offers a checklist for busy trust and company service providers.

It has been more than one-and-a-half years since the Anti–Money Laundering and Counter–Financing of Terrorism (AML/CFT) Ordinance (AMLO) came into effect on 1 March 2018 for designated non-financial businesses and professions (DNFBP). The ordinance requires trust and company service providers (TCSPs) to take all reasonable measures to mitigate the risk of money laundering and terrorist financing (ML/TF), and to ensure that the AML/CFT requirements under the AMLO are complied with.

As of 30 April 2019, the Companies Registry has conducted 1,779 on-site inspections of TCSPs, from which 420 warning or advisory letters have been issued and 32 cases of non-compliance have been prosecuted.

To fulfil the AMLO obligations, TCSPs must assess the ML/TF risk of their businesses, and develop and implement AML/CFT policies, procedures and controls (APPC) on risk assessment; customer due diligence (CDD) measures; ongoing monitoring of customers; suspicious transactions reporting; record-keeping; and staff training.

So how can TCSPs prepare themselves for the AML/CFT compliance inspection by the Companies Registry? TCSPs should take a closer look at and comply with the following regulations:

  • Schedule 2 to the AMLO (Cap 615), and
  • ‘Guideline on Compliance of Anti–Money Laundering and Counter–Terrorist Financing Requirements for Trust or Company Service Providers’.

In this article, we summarise the key areas on which a TCSP should focus to prepare for the AML/CFT compliance inspection.

AML/CFT policy

First and foremost, TCSPs should have adequate AML/CFT risk management, as well as proper AML/CFT internal policies, procedures and controls (APPC). Hence, TCSPs should establish an APPC policy document which records the procedures and controls that have been put in place in the business to mitigate the ML/TF risks. (Collectively, the APPC is referred to as ‘AML/CFT systems’ in the Companies Registry’s AML/CFT Guideline for TCSPs).

This policy should cover:

  • management oversight
  • risk assessment
  • CDD measures
  • enhanced CDD (ECDD) measures
  • record-keeping
  • ongoing monitoring
  • suspicious transactions reporting, and
  • hiring and training of employees.

Management oversight

What are the roles and responsibilities of the sole proprietor, partners, board of directors and management in preventing money laundering and terrorist financing?

It is recommended that the TCSP establish an organisational and reporting structure in relation to AML/CFT. The reporting structure should include a compliance officer and preferably also a money laundering reporting officer (MLRO). These are key persons who are responsible for AML/CFT and they should be named in the reporting structure, as well as mentioned in the AML/CFT policy.

The role of the compliance officer is to keep management informed of compliance and risk management matters as and when they deal with customers that seem suspicious. Any suspicious trade should be reported to the compliance officer (or the MLRO, if appointed) and he or she will escalate to management if approval or further action is required.

Risk assessment

We recommend that TCSPs perform an overall risk assessment of their clients. TCSPs can assess customers’ risks based on the type of customer (‘customer risks’), the countries or jurisdictions where the customers are from or in (‘country risks’), and the type of services provided to the client (‘services risks’).

Make a list of all the risk categories that are relevant to you. For example, (i) type of customer: money changer; (ii) type of service provided: acting as nominee director.

Give a risk rating to each specific risk category. You may want to rate each risk category simply as ‘low risk’, ‘medium risk’ or ‘high risk’. TCSPs need to pay particular attention to those risk categories that they rate as medium or high risk, because these risk categories will need to be mitigated with ECDD procedures – and these procedures should be documented.

Produce a set of risk mitigation procedures for each risk category. Set out below are examples of some risk mitigation procedures.

  • Implement another form of control on the customer – for instance, if a customer is requesting nominee director services, and he or she is deemed to be a higher-risk customer, the TCSP may require the customer to engage an auditor appointed by the TCSP.
  • Ask for more details from the customer – for instance, gather and verify the source of wealth or source of funds information for individuals, or top suppliers and customer information for entities.
  • Increase the frequency and quality of ongoing monitoring for higher-risk customers.

It is important to ensure that as the risk gets higher, more risk mitigation procedures are in place.

Customer due diligence

The CDD requirements are set out in Schedule 2 to the AMLO. CDD is intended to enable the TCSP to form a reasonable belief that it knows the true identity of each customer and, with an appropriate degree of confidence, knows the type of business and transactions the customer is likely to undertake. Depending on specific circumstances and risk profiles, TCSPs may also need to conduct additional measures (referred to as ECDD).

The CDD measures applicable to the TCSPs are:

  • identifying the customer and verifying the customer’s identity using documents, data or information provided by reliable and independent sources
  • if a person purports to act on behalf of the customer, identifying the person and taking reasonable measures to verify the person’s identity, and verifying the person’s authority to act on behalf of the customer
  • where there is a beneficial owner in relation to the customer, identifying and taking reasonable measures to verify the beneficial owner’s identity so that the TCSP is satisfied it knows who the beneficial owner is, including – in cases where the customer is a legal person or trust – measures to enable the TCSP to understand the ownership and control structure of the legal person or trust, and
  • obtaining information on the purpose and intended nature of the business relationship (if any) established with the TCSP.
  • At this stage, the TCSPs should have gone through their client lists and classified their clients based on the risk categories defined. The following steps should then be undertaken.
  • Ensure that CDD and ECDD forms are completed.
  • Ensure that copies of identification documents are available and verified.
  • Perform screening on the customers to ensure that they are not blacklisted or politically exposed persons (PEPs), and that they are not relatives or close associates (RCAs) of PEPs. This can be done either by doing Google searches or searching commercial AML/CFT databases like SentroWeb-DJ. All search results must be retained as documentary proof.

Enhanced customer due diligence

When a customer falls under the medium- or high-risk category, based on the risk assessment, a TCSP should perform ECDD. Besides applying more risk mitigation procedures, the TCSP has to ensure that there is management approval for each of the higher-risk customers.

Suspicious transaction reporting

If a TCSP has not reported a suspicious transaction report (STR) before, it should at least know how to report one, if such an occasion arise. TCSPs should have proper escalating procedures documented in the APPC. TCSPs are strongly encouraged to use the STR proforma or the e-reporting system named Suspicious Transaction Report and Management System (STREAMS) to report suspicious transactions.

TCSPs should also refer regularly to the website of the Joint Financial Intelligence Unit (JFIU) to check for updates on the Terrorists List, Alert List, United Nations (UN) Sanction List, and latest information, publications and press releases as published by the relevant authorities in Hong Kong, as well as the latest typologies work on methods, techniques and trends of money laundering and terrorist financing. This will allow TCSPs to stay abreast of alerts and updates on AML/CFT requirements and changes to the relevant lists of UN-designated individuals and entities, as well as other AML/CFT announcements, such as high-risk jurisdictions identified by the Financial Action Task Force (FATF).

In addition, TCSPs should also refer to the website of the Financial Services and the Treasury Bureau (FSTB) for the latest information, publications and press releases on Hong Kong’s AML/CFT regime and strategies. The FSTB is responsible for coordinating the HKSAR Government’s efforts to deliver AML/CFT policies, strategies and legislative initiatives endorsed by the Central Coordinating Committee on AML/CFT (CCC). The FSTB monitors the overall effectiveness of Hong Kong’s AML/CFT regime and compliance with the FATF Recommendations, and facilitates cooperation among stakeholders.

Be prepared

Every business dreads the news that the auditors or regulators are coming. TCSPs can manage the AML/CFT compliance inspection process proactively and reduce surprises when they cover the major areas mentioned above. It is important to train your staff and brief them on all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them the assurance that you have done your best to fulfil what is required according to the regulations. The approach to the review is to be truthful. If there are any shortcomings, work out the remedial actions with the inspectors.

Martin Lim, Founder and Director

Ingenique Solutions


SIDEBAR: Online resources (in order of appearance)