AML Developments In Hong Kong: What To Do Next

The Hong Kong Government has introduced amendments to enhance anti-money laundering (AML) and counter-terrorism financing (CTF) regulations to bring them more in line with Financial Action Task Force (FATF) requirements. Due to take effect in March next year, these amendments extend customer due diligence obligations to more organizations and will also require banks to record additional information on wire transfers.

Over the last few months, the Hong Kong Monetary Authority (HKMA) has also issued a revised list of FAQs on customer due diligence that clarifies the responsibilities of banks in gathering and certifying customer information.

There has also been movement on the enforcement side, with for example the HKMA fining private bank Coutts & Co HK$7 million (US$897,000) for failing to set up proper procedures to identify politically exposed persons (PEPs) in its client base. The regulator is also monitoring allegations the territory’s currency-issuing banks processed funds linked to Russian criminal syndicates.

The FATF is due to evaluate Hong Kong’s AML framework in July/August 2018 to gauge its compliance with FATF recommendations. The evaluation will consider both the legal and institutional aspects of the framework and how effectively it is enforced. Institutions should therefore expect further refinements to the regulatory regime and additional scrutiny of their client due diligence practices.

This means banks should examine possible deficiencies in their AML controls and shore up measures to mitigate money laundering and terrorist financing risks. They should also make sure their systems are capable of supporting enhanced AML controls.

Given the increasing prominence of AML globally, many institutions already have the foundations in place. However, increasingly rigorous regulatory oversight coupled with the convergence of AML, fraud and cybercrime risks mean that even institutions with advanced AML infrastructure can’t afford to rest on their laurels.

The key challenges around AML controls are both organizational and technical. On the technical side, the high volume of regulations and data involved in AML measures mean they are difficult to manage manually. Yet in many institutions automation of AML compliance operations is still limited.

Automation should extend to customer data screening against major watchlists such as the United Nations Consolidated Sanctions List, which includes all individuals and entities subject to sanctions by the UN Security Council. The FATF also recommends steps to identify and monitor PEPs, which typically requires the use of third-party databases.

Policies and procedures also need to be backed up with a robust transaction monitoring system, which should be a core element of any AML approach. This system should be capable of assessing all client accounts and transactions, subjecting them to various levels of scrutiny depending on risk profile, and instantly flagging any suspicious or irregular activities.

The automation of processes and controls in customer due diligence and risk assessment — the very area being emphasized by Hong Kong regulators – tends to be less advanced, increasing the chances of human error and limiting the scope of audits. It’s therefore important that an AML system includes features to support these processes, including assistance with identity verification, capturing new customer profiles and conducting preliminary risk scoring.

At the same time, institutions have to be mindful of customer experience — an area that requires particular attention for two reasons. First, banks are increasingly serving clients via online and other preferred channels, meaning the likelihood of suspicious activity is higher and underlining the need for strong AML controls. Secondly, with many institutions still operating in silos, information flows are often inconsistent and lead to duplicated requests or false positives, negatively impacting the client relationship.

Management is another core aspect of AML, and systems should support the creation and processing of cases throughout a defined workflow, tasking and assigning employees to investigate or follow up when required.  Systems also need to be capable of consistently generating the necessary output. This means comprehensive and accurate reports covering all aspects of AML/CTF compliance, including suspicious transactions, management and regulatory reports. Customer profiles and other records should also be maintained and easily accessible to support investigations by law enforcement if required.

In enhancing systems, it’s vital not to lose sight of the organizational aspects of AML strategy. The implementation of an AML system is not exclusively an IT project. The policies and procedures that underpin the system will involve staff from multiple business units, and should be supported by training and awareness initiatives, a new roles and responsibilities matrix, and in some cases additional human resources.

Given the scope of implementation, many institutions adopt a phased approach to make AML projects more manageable and minimize the strain on operations or resources. This also allows the institution to scale up from a relatively low investment, adding functionality and capacity as the business grows, or in response to regulatory or internal needs.

The complexity and costs involved in developing an AML system from scratch mean most banks will opt for a solution from an external vendor. In evaluating the options, it’s vital to establish whether the vendor has an established track record in the field, and whether the system is flexible and easy to deploy and build on. Another key question is whether the system is designed for the local (and regional) market and supported by a dedicated product team, which can ensure new features are added to reflect changes in the local environment.

Implementing a solution that combines these qualities will ensure an institution demonstrates its AML commitment to regulators and meets evolving obligations in markets such as Hong Kong in an efficient and cost-effective way, while also minimizing disruption for both internal stakeholders and clients.

Source: FI