The AML/CFT landscape, both globally and locally, continues to increase in complexity. Held on 24 November 2023, the Institute’s 4th AML/CFT Conference – AML/ CFT Regulations, Topical Issues and Practical Sharing – called attention to a number of developments of relevance to governance professionals, in particular those working for trust or company service providers (TCSPs). This first article in our two-part review of the conference looks at the key conference takeaways relating to local developments in the AML/CFT landscape.

Building Hong Kong’s AML/CFT defences

The Guest of Honour at the forum, Joseph Chan JP, Under Secretary for Financial Services and the Treasury,  the HKSAR Government, reiterated the government’s commitment to upholding a robust AML/CFT regime. He also reviewed various steps the government has recently taken to upgrade Hong Kong’s AML/CTF framework.

He stressed that ensuring good AML/CFT defences is an indispensable part of Hong Kong’s competitiveness as an international financial centre. ‘As a global financial centre, and as a responsible member of the global financial community, we attach great importance to our AML/CFT framework. We will continue to make sure our regime is effective in terms of risk identification, law enforcement, asset recovery, anti–proliferation financing and international cooperation,’ he said.

He cited the publication of the Money Laundering and Terrorist Financing Risk Assessment Report in July 2022. The Hong Kong government periodically conducts a risk-assessment exercise, examining the money laundering and terrorist financing threats facing Hong Kong. The 2022 report recognises that the growth of the virtual assets (VA) market and digital financial technologies has important ramifications for AML/CFT. The government has signalled its commitment to becoming a global hub for digital assets, but it has also been strengthening its regulatory framework to guard against potential AML/CFT vulnerabilities in alignment with this strategy. 

An important development relating to this regulatory framework was the implementation of the Anti–Money Laundering and Counter–Terrorist Financing (Amendment) Ordinance 2022 (Revised AMLO) on 1 June 2023. Mr Chan noted that the Revised AMLO brought in several significant amendments to the law on AML/CFT in Hong Kong in a bid to ensure that the local regulatory regime stays in line with the latest international standards set by the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog. Specifically, the Revised AMLO provides for a new licensing regime for virtual asset service providers (VASPs) to be supervised by the Securities and Futures Commission.

Mr Chan also mentioned the government’s plans to launch an enhanced regulatory framework for stable coins sometime next year. Moreover, the government is considering making VA trading activities outside the exchanges subject to Hong Kong’s regulatory regime.

‘We will continue, as always, to work closely with the community and with all of you to make certain that our legal framework stays up to date with market developments so that we can provide a very clear and transparent regulatory framework for market participants,’ he said.

Compliance with the Revised AMLO 

Two speakers in the first session of the conference looked at what the Revised AMLO means for designated non-financial businesses and professions, in particular TCSPs.

1. Transitioning to a risk-based approach

The Revised AMLO not only brings in tougher requirements for TCSPs in terms of their AML/CFT due diligence work, it also strengthens awareness of the transition from a rules-based to a risk-based approach to AML/ CFT. The first speaker in Session One, Michael Lintern-Smith FCG HKFCG, Roll of Honour, Solicitor and Consultant, Robertsons, emphasised that a rules-based, tick-box approach to AML/CFT compliance is not going to be ultimately successful and, under a risk-based approach, practitioners need to have a greater focus on client risk assessment.

He urged conference participants to read the Guidance on Risk-Based Supervision, published in 2021 by FATF. He also highlighted the useful guidance provided by The Law Society of Hong Kong. The Law Society’s Practice Direction P sets out the client due diligence that solicitors are now required to follow in respect of all clients, but as Mr Lintern-Smith pointed out it has lessons for all professionals, since, whatever their background, they face similar AML/CFT challenges.

Practice Direction P gives guidance on how to assess client, country and service risk factors, as well as the risk assessments needed for the type of transactions involved and the delivery channel used for the provision of services.

Finally, Mr Lintern-Smith stressed that these risk assessments cannot be a one-off exercise. ‘Let’s not forget that client due diligence is a continuing process. We all do it when we’re taking on board new clients, but it is a requirement that you continue to do so while you carry on providing services – and that is where a lot of people fall down,’ he said.

2. Changing definitions

The second speaker in Session One, Daniel Wong FCG HKFCG, Associate Director – Compliance and Risk Management, SWCS Corporate Services Group (Hong Kong) Ltd, concentrated on the guidance released to coincide with the enactment of the Revised AMLO. Guidance has been issued by a  number of different regulators in  Hong Kong and, while these guidelines contain some help with the definitions of, for example, ‘politically exposed persons’ (PEPs) and the ‘beneficial owners’ of trusts, there is still quite a lot of room for interpretation.

Generally the definitions in the Revised AMLO have been broadened. The definition of the ‘beneficial owner’ of a trust, for example, now extends to the trustee and to all the beneficiaries of the trust, regardless of the degree of their vested interest. Similarly, the term ‘foreign PEP’ has been replaced by ‘non–Hong Kong PEP’. This widens the scope of this definition greatly as it means that all PEPs outside Hong Kong (including those in the Mainland), are now caught by the definition. Moreover, organisations may have some difficulty judging the level of seniority required to qualify as a PEP. The definition of PEPs is restricted to ‘high-ranking officials’, but Mr Wong flagged up that this is very much subject to interpretation.

‘What is high ranking?’ he asked. ‘Is it only restricted to very senior positions, or can it include those positions one level down?’

Another salient issue Mr Wong discussed is how far practitioners can rely on public or commercial databases to determine the PEP status of individuals. This issue is also pertinent to employee screening. He pointed out that employee screening in the government sector is nothing new, but it is relatively new to the private sector, especially for TCSPs, and practitioners may have concerns about whether they are required to verify the accuracy of information in public or commercial databases.

There is also ambiguity in the Revised AMLO when it comes to the requirements for verifying a customer’s identity when they cannot be physically present for face-to-face client induction. Mr Wong specified that paper documentation and proof is not sufficient – this is clear. However, the requirement to use ‘recognised’ digital identity systems raises doubts about what constitutes ‘recognised’. He emphasised that the new remote onboarding rules heavily favour relying on the government’s ‘iAM Smart’ system when a customer is not physically present for identification purposes.

Virtual assets – the AML/CFT risks 

Technology awareness has become a lot more important for practitioners involved in AML/CFT issues. Jason Ho, Partner and Leader of the Financial Services Technology Risk Consulting practice of Ernst & Young, made clear in his presentation that this trend will continue and that professionals involved in AML/CFT work will need to be a lot more tech savvy in the future.

‘In recent years there has been a very strong collaboration between those working on the technology side and those working on the AML/CFT side,’ he said.

Mr Ho focused his presentation on one aspect of this issue – the need for TCSPs to upgrade their technological expertise regarding the AML/CFT risks relevant to VAs. The challenge of ensuring effective know your customer (KYC) and customer due diligence (CDD) measures when working with digital asset owners is a relatively new challenge for TCSPs. Mr Ho clarified the different types and risk profiles of VAs.

High-risk VAs such as cryptocurrencies and non-fungible tokens have received a lot of attention, but he explained that certain VAs are lower risk. Digital tokens of real world assets, for example, exist in both physical and digital forms. This is true, for example, of tokenised versions of stocks and bonds, and tokenised real-world assets such as real estate, property and equipment. Similarly, central bank digital currencies, or CBDCs, are digital forms of existing currencies issued by a government-backed central bank.

Mr Ho also pointed out that organisations need to have the necessary talent, both on the board and in management, to oversee and administer proper risk management frameworks, notably regarding the governance and oversight of VA risks.

‘One of the toughest issues I’ve seen in the market is actually the lack of talent in this area. This is not just in cybersecurity, but also in every aspect of the VA market. This is a relatively new topic and actually there are still not very many experienced people in the market,’ Mr Ho said.

The Institute’s 4th AML/CFT Conference was held on 24 November 2023 in hybrid mode. More information is available on the Institute’s website: www.hkcgi.org.hk.