July 19, 2005 - Hong Kong

Hong Kong: Self-Assessment of Compliance with Anti-Money Laundering (AML) Requirements

On 30 June 2005, the Hong Kong Monetary Authority (“HKMA”) finalised the self-assessment framework on AML compliance. The self-assessment framework has been introduced for the purposes of facilitating the assessment by authorised institutions’ (“AIs”) of their compliance with the regulatory requirements on AML and to supplement the HKMA’s on-site examinations. Self-assessment will also prompt AIs to identify weaknesses at an early stage and to rectify those weaknesses at the earliest possible time. To conduct self-assessments of their compliance with the AML regulatory requirements, AIs are required to prepare a report based on the self-assessment framework developed by the HKMA. The self-assessment should be based on the position as of 30 June 2005. AIs will be allowed a period of 3 months (i.e. up to 30 September 2005) to submit the self-assessment report to the HKMA. The Self-Assessment Framework The Self-Assessment Framework covers the AML regulatory requirements for the core control areas, including: • Overview of General AML Policies and Principles - a clear statement of policies that is consistent with the principles and standards embodied in the Guideline, Supplement and Interpretative notes issued by the HKMA in relation to the prevention of money laundering should be in place. • Customer Due Diligence (“CDD”) for various types of Non-Bank Customers - AIs should establish customer acceptance policies and procedures to identify the types of customers that may pose a higher than average risk of money laundering. In deciding on the risk profile of customers, AIs should take into account a customer’s origin, background and profile, nature of business, complexity of ownership structure, and any other information which suggests that the customer is of a higher risk. • Correspondent Banking - proper approvals for establishing new correspondent banking relationships should be duly obtained by AIs. • Remittance - in the remittance message, information about the originating customer, such as name and account number, should be included by AIs. Moreover, AIs should assume a risk-based approach to ascertain whether certain remittances may be suspicious. • Terrorist Financing - AIs should ensure that the relevant legislation and regulations on terrorist financing are strictly adhered to. Systems and procedures should be well-established enough to enable AIs to identify and report any transaction that may be linked with terrorist suspects. • Record-keeping - policies which define the retention period and specific treatment (e.g. the form of storage such as original document, microfilm or electronic form) for various types of document should be in place. • Suspicious Transactions - AIs should have systems which allow them to detect and report unusual or suspicious transactions. Staff of AIs responsible for dealing with customer accounts or reviewing customer transactions should also be familiar with characteristics relating to suspicious transactions and terrorist activity. • Compliance and Internal Audit Functions - AIs should assign one or more Compliance Officer(s) as a central reference point for the reporting of suspicious transactions to the Joint Financial Intelligence Unit and to whom internal reports should be made. • Staff Awareness and Training - staff of AIs should be aware of their own personal legal obligations under the relevant AML legislation and the expected responsibilities relating to AML. AIs should provide training to staff in order to equip them to implement the current AML policies, the CDD procedures, and the procedures for the reporting of suspicious transactions. How to complete the self-assessment report? In each of the control areas, AIs are expected to indicate their level of compliance (i.e. “fully compliant”, “partially compliant” or “non-compliant”) with each of the requirements applicable to them. The responses to the requirements set out in each control area will help in determining whether AIs have considered and implemented the requirements. Thus, if the response to a requirement is “fully compliant”, AIs should include a brief description of how the requirement is implemented in the report. On the other hand, if the response is “partially compliant” or “non-compliant”, AIs should indicate the deficiencies in detail and explain how the requirement could be met. The self-assessment should be performed by the Internal Audit Department, the Compliance Department, or other equivalent unit within the AI. It should also be approved and signed by the Chief Executive of the reporting AI. Where necessary, AIs may appoint external auditors or consultants to carry out the self-assessment. What use will be made of the self-assessment results? The HKMA will make use of the self-assessment results submitted by AIs to monitor the AML compliance of individual AIs and to follow up on measures for the rectification of identified deficiencies as part of its ongoing supervision process. The HKMA may also endorse the self-assessment results of individual AIs during its on-site examination or off-site review, or through the commissioning of an external auditors’ report under Section 59(2) of the Banking Ordinance. The self-assessment results will allow the HKMA to scrutinise the compliance position of individual AIs and, hence, to identify common issues within the banking industry and develop supervisory guidance over the longer term. After reviewing self-assessment results, the HKMA will advise the banking industry of the overall AML compliance by AIs and any other compliance issues that may require further attention within the industry. Where can I find copies of the Self-Assessment Framework? The Self-Assessment Framework and the Completion Instructions are available on the website of the HKMA,