LeftMenu

搜寻于 AML Monitoring

AML Monitoring

Applicable to ALL practice units: Q1 to Q9

Applicable to practice units which has provided services specified in paragraphs 600.2.1 and 600.2.2 of the AML Guidelines and / or adopted “good practices”: Q10 to Q15

Determining specified transactions or services and application of AML Guidelines

Q1.	If a CPA firm conducts due diligence work or acts as a reporting accountant for a client in respect of a purchase or a sale of real estate or a business entity, would that constitute a specified transaction and require the relevant AML procedures to be carried out by the CPA firm?

Paragraph 600.2.1 of the AML Guidelines provides that when practices, by way of business, prepare for or carry out for a client a transaction involving buying and selling of real estate (point (a) of the paragraph refers) or business entities (point (f) of the paragraph refers), specific AML procedures are required to be adopted. In the Institute's view, due diligence or reporting accountant work on a purchase or a sale of real estate or a business entity assists the client in preparing for those transactions, whether or not they are eventually completed. The nature of those engagements means that the CPA firm to be engaged for such work would normally be sufficiently involved to fall within the scope of paragraph 600.2.1 and hence the relevant AML procedures should apply. (Posted on 16 January 2019)

Q2.

An entity bought a shelf company and plans to engage a practice to change the company name of and provide secretarial services to the shelf company. Will the services to be provided be considered as falling within the scope of specified services, including services of "creating, operation or management of a legal persons or arrangements" (paragraph 600.2.1(e)) / "forming corporations or other legal persons" (paragraph 600.2.2(a))?

Since the shelf company has already been created before a practice is engaged to change the company's name, the practice will not be involved in creating or forming the company. Accordingly, for the work on the change in name alone, it will not meet the definitions as set out in paragraphs 600.2.1(e) and 600.2.2(a) and therefore will not constitute a specified service. However, this position will not be the same if the practice was also previously involved, by way of business, in helping the entity to set up or acquire the shelf company as such transaction would have caught by paragraphs 600.2.1(e), 600.2.2(a) or probably 600.2.1(f) (buying and selling of business entities) and met the definition of a specified service. Depending on the scope of company secretarial services to be provided by the practice, those services may also meet the definition of other specified services as defined in paragraph 600.2. Accordingly, care should be taken to clearly define the scope of services if the services are not to be treated as specified services. Notwithstanding the above, the practice should always bear in mind its responsibility for making a suspicious transaction report to the Joint Financial Intelligence Unit when an unusual or suspicious event is identified during the course of its work. (Posted on 3 May 2019)

Q3.

If a practice introduces a company secretary to a client, will this work be considered as a service of "arranging for another person to act as a secretary" (paragraph 600.2.2(b)) and thereby met the definition of a specified service? Does it make a difference if the practice is paid or not paid for the introduction?

One of the considerations of whether the introduction amounts to a specified service is whether the practice does that by way of business. According to the Companies Registry's Frequently Asked Questions on licensing requirements for trust or company service providers or TCSPs, whether the provision of a service amounts to "by way of business" is a question of fact to be answered upon consideration of all the circumstances. If, for example, the practice is not paid for the introduction, whether directly or indirectly, and does the introduction on an ad hoc basis, and not, e.g., as a part of a regular or habitual commercial arrangement, the service may not be considered as a specified service. (Posted on 10 June 2019)

Q4.	If a practice only provides statutory audit services, what are the minimum requirements of the AML Guidelines with which the practice needs to comply?

The extent to which a practice should comply with the requirements of the AML Guidelines depends on the nature of transactions / services that a practice carries out or prepares for its clients. If a practice carries out or prepares for its clients transactions or services specified in paragraphs 600.2.1 and 600.2.2 of the AML Guidelines (“specified services”), all sections of the AML Guidelines are mandatory for the practice to the extent that they are applicable to the part of its business concerning specified service activities.

A statutory audit per se is not a specified service. Therefore, if a practice only provides statutory audit services, the minimum requirements of the AML Guidelines with which the practice should fully comply are Sections 640 and 650 of the AML Guidelines concerning suspicious transaction reporting and financial sanctions and terrorist financing. In other words, it is not mandatory for a practice providing solely statutory audit services to carry out customer due diligence ("CDD") and ongoing monitoring measures on its clients, or record keeping, so far as it relates to these. However, practices will need to have suitable policies and procedures in place, including record keeping, to address matters relating to suspicious transaction reporting and complying with financial sanctions and terrorist financing.

If a client of the above practice decides to engage the practice for a service other than a statutory audit (e.g. a special audit), the practice should obtain an understanding of the nature and purpose of the engagement before accepting it. If the engagement relates to a specified transaction / service (e.g. assisting the client to complete an acquisition of a business entity), the practice will have to expand its AML / CTF policies and procedures to comply with all sections in the AML Guidelines, including CDD, ongoing monitoring and all aspects of record keeping, if it decides to accept the engagement. (Posted on 23 December 2019)

AML CTF policies procedures and controls and application of HKICPA AML Procedures Manual

Q5.	Is it advisable for a practice to adopt T01 (Example policies and procedures) from the Institute's anti-money laundering procedures manual for accountants (AML Procedures Manual) without tailoring?

The example policies and procedures in the AML Procedures Manual only provide general guidance on drawing up an AML / CTF policy manual. The example policies and procedures should be tailored to suit the circumstances of the practice. Areas requiring further tailoring and suggested amendments are listed below:

1. If a practice chooses not to apply "good practice" on services other than those specified in paragraphs 600.2.1 and 600.2.2 of the AML Guidelines, the practice's AML / CTF policy manual should not state that policies and procedures regarding customer due diligence and ongoing monitoring are applied to "all" clients. The following sets out a suggested revised “Policy Statement” for a practice that chooses not to apply “good practice”:

Policy statement

The practice has a policy of zero tolerance to any involvement in money laundering, including tax evasion, when dealing with the practice’s own or our client’s affairs. All principals, employees and any sub-contractors used by the practice are therefore required to comply with relevant legislation on anti-money laundering and counter-terrorist financing (see the section below on staff training and hiring) and the code of ethics of the Hong Kong Institute of Certified Public Accountants (HKICPA) and in particular, Part F of the code, "Guidelines on Anti-Money Laundering and Counter-Terrorist Financing for Professional Accountants". Accordingly, it is the policy of the practice to apply suspicious transaction reporting and financial sanctions related procedures to all clients but all other policies and procedures, in particular the customer due diligence (CDD) and ongoing monitoring procedures specified below, only to ~~all~~ clients;, whether new or existing clients, ~~but in particular to client~~ whose engagements ~~which~~ involve the following:

(a) buying and selling of real estate;

(b) managing of client money, securities or other assets;

(c) management of bank, savings or securities accounts;

(d) organisation of contributions for the creation, operation or management of companies;

(e) creation, operation or management of legal persons or arrangements;

(f) buying and selling of business entities;

(g) forming corporations or other legal persons;

(h) acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;

(i) providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or any other legal person or arrangement;

(j) acting as, or arranging for another person to act as, a trustee of an express trust or similar legal arrangement; or

(k) acting, or arranging for another person to act, as a nominee shareholder for a person other than a corporation whose securities are listed on a recognised stock market.

All principals, employees and any sub-contractors are expected to report any knowledge or suspicion of money laundering, including tax evasion, to the practice’s Money Laundering Reporting Officer (MLRO) in accordance with their statutory obligations.

2. Practices are reminded that since suspicious transaction reporting and financial sanctions (sections 640 and 650 of the AML Guidelines) are mandatory regardless of the services provided, every practice should have policies and procedures on suspicious transaction reporting and financial sanctions. The following sets out example policies and procedures relating to financial sanctions and terrorist financing:

Financial sanctions and terrorist financing

The United Nations Sanctions Ordinance (Cap. 537) empowers the Chief Executive of Hong Kong to make regulations to implement sanctions decided by the United Nations (“UN”) Security Council. It is an offence to provide or solicit financial or related services to a client who is a person or entity designated in UN sanctions lists.

(a) Sources of the lists of the financial sanctions and terrorist financing

The practice will refer to the lists maintained by the UN Security Council and its Sanctions Committees [and the United States’ Office of Foreign Assets Control (“US OFAC”) (note: not mandatory, see 650.1.6)]. The entities and individuals on those lists (referred to as designated persons or entities) are subject to financial restrictions. The purpose of the sanctions is to prevent access to and use of funds for terrorism and terrorist purposes.

The UN sanctions consolidated list is available from:

https://www.un.org/securitycouncil/content/un-sc-consolidated-list

[The US OFAC sanctions list is available from:

https://sanctionssearch.ofac.treas.gov ]

The practice will also refer to the Anti-money laundering section of the HKICPA website

(at: https://www.hkicpa.org.hk/en/Standards-and-regulation/Anti-money-laundering) as well as the HKICPA’s monthly technical e-newsletter ‘Techwatch’ (See http://www.hkicpa.org.hk/en/standards-and-regulations/technical-resources/techwatch/) and the weekly e-circular for information on the latest sanctions lists.

(b) Frequency of conducting name checks

The practice will conduct a name check of a client and consider, based on a risk approach, extending the check to the clients’ beneficial owners against the latest UN [and US OFAC] sanctions lists before the establishment of a business relationship with that client, regardless of what service is to be provided and perform ongoing screening of our client base regularly thereafter.

The practice will check for updates of UN sanctions lists on a [weekly] [monthly] basis as it [has] [does not have] cases with high money laundering/terrorist financing (“ML /TF”) risks.

(c) Reporting obligation

When the practice comes across situations where it suspects that property belongs to a designated person or entity or is otherwise terrorist property, the practice has a responsibility to stop dealing with the property and report to the Joint Financial Intelligence Unit (see the section on “Reporting of suspicious transactions” for details).

3. As mentioned in Q11, practices need to set out the factors determining the period of ongoing monitoring review and what constitutes a trigger event. The following sets out example policies and procedures to be incorporated in the “Ongoing monitoring” section:

In high risk situations, where EDD has been applied, the information will be reviewed annually.

In normal and low risk situations where CDD and SDD have been applied the information will be reviewed every [x years] and [y years], respectively. A review of the risk category of normal and low risk clients will be performed annually.

Trigger events

Apart from conducting periodic on-going monitoring of all clients’ transactions following the above timeframes, the practice will take steps to ensure that the client information obtained for the purposes of CDD is up to date and relevant when any of the following trigger events occurs:

(a) a significant or unusual activity or transaction is to take place;

(b) a material change occurs in a client’s ownership and/or activities;

(c) there is a substantial change in client documentation standards; or

(d) the practice is aware that there is insufficient information about a particular client.

(Note: the above trigger events are examples from section 620.10.7 of the AML Guidelines.)

Please note that the above suggested policies and procedures are for reference only. Practices should tailor the relevant policies and procedures according to their own particular circumstances. An example policy, which reflects all the above changes, for a practice that chooses not to adopt “good practices” is Example AML CTF policies and procedures for reference. In a practice review, an assessment will be made on the practice's level of compliance with its established policies and procedures and any failure of compliance will be reported as a finding. (Posted on 3 May 2019, updated on 23 December 2019)

Making suspicious transaction reports

Q6.	Does my practice need to appoint a money laundering reporting officer (MLRO) if (a) it does not have an intention to engage, by way of business, in work to prepare for or carry out specified transactions or (b) it is an own name practice with no staff?

The Drug Trafficking (Recovery of Proceeds) (Amendment) Ordinance; Organized and Serious Crimes (Amendment) Ordinance; and United Nations (Anti-Terrorism Measures) Ordinance all have requirements to report suspicious transactions, which apply to everybody in Hong Kong. Under the law, employees may disclose their knowledge or suspicion that certain activities may relate to money laundering and terrorist financing to a person designated to receive such reports by their employer. By making appropriate disclosures to the designated person, in accordance with procedures laid down by their employer, employees are regarded as having discharged their obligations under the law. As indicated in Section 610 of the AML Guidelines, practices must appoint an MLRO as a central reference point for reporting suspicious transactions. Therefore, each practice should designate a person of sufficient seniority and authority within the practice as an MLRO in order to discharge its responsibilities. In case of a sole proprietorship or an own name practice, the sole proprietor or sole practitioner can be the MLRO but such designation should be communicated to all staff members, if any, in order to draw their awareness.(Posted on 16 January 2019)

Financial sanctions and terrorist financing

Q7.

Paragraph 650.1.5 of the AML Guidelines requires practices to conduct name checks of clients and their beneficial owners against the latest sanctions and designated persons lists; and report to the Institute any actions taken in compliance with the targeted financial sanctions, including attempted transactions. (a) How frequently should practices perform name checks? (b) What should practices do if they have knowledge of an activity or transaction relating to targeted financial sanctions?

(a) How frequently should practices perform name checks?

Practices are expected to conduct name checks of clients and their beneficial owners against the latest United Nations sanctions and designated persons lists ("Lists") before the establishment of a business relationship and perform ongoing screening regularly thereafter. If, for example, a practice has clients (or their beneficial owners) that are from ML/TF high-risk jurisdictions, or who are politically exposed persons, the practice may need to check for updates of the Lists more regularly, say weekly, and to perform screening in relation to any updates. In normal circumstances, practices are still expected to check for updates of the Lists regularly, at least monthly, and, if there are any changes, to perform screening of their client base against those changes. Paragraph 650.2.7 requires that the screening and any results must be documented or recorded electronically to demonstrate compliance with the provisions of Section 650 of the AML Guidelines. (Posted on 10 June 2019)

(b) What should practices do if they have knowledge of an activity or transaction relating to targeted financial sanctions?

Practices should make a suspicious transaction report to the Joint Financial Intelligence Unit if they know or suspect that an activity or transaction relates to money laundering or terrorist financing, even if no service has been provided (paragraph 640.1.1). Practices should not lodge a suspicious transaction report to the Institute as the Institute is not the designated government body to receive such reports. Practices are expected to maintain proper records relating to suspicious transaction reporting, including any consequential actions taken, in accordance with Section 640 of the AML Guidelines. In cases where there are actions taken in compliance with the targeted financial sanctions that warrant reporting to the Institute, practices should make a report in writing to the Institute. (Posted on 10 June 2019)

Q8.

A practice provides only services other than those specified in paragraphs 600.2.1 and 600.2.2 of the AML Guidelines (“non-specified services”), for example audit services, and does not apply “good practice” (i.e. not performing CDD on clients receiving non-specified services). Is the practice required to identify the beneficial owners of its clients for the purpose of conducting name checks against sanctions and terrorists lists?

The requirements set out in Section 650 of the AML Guidelines (Financial sanctions and terrorist financing) are mandatory for all practices irrespective of the nature of services that they provide. According to paragraph 650.2.4 of the AML Guidelines, practices should perform ongoing screening of their clients against sanctions and terrorists lists. According to paragraph 650.2.5 of the AML Guidelines, practices may adopt a risk-based approach to determine if the screening procedures should be extended to cover the beneficial owners of their clients. Practices are expected to document the basis if they conclude, based on their assessment, not to extend their screening procedures to beneficial owners of their clients receiving non-specified services. As a general rule, if there is a suspicion of money laundering or terrorist financing by a client, the name screening procedures should always be extended to the client’s beneficial owners and even other connected parties, as defined in Appendix E of the AML Guidelines. (Posted on 23 December 2019)

Q9.	If a practice does not subscribe to a commercial database, what resources can it use to perform sanctions screening?

For sanctions screening, a practice may refer to the following resources:

When the practice needs to perform a search against all current sanctions lists (e.g. before starting a business relationship with a new client), it may refer to the consolidated list published by the United Nations: https://www.un.org/securitycouncil/content/un-sc-consolidated-list. A search function is also available in the United Nations’ web site: https://scsanctions.un.org/search/ .
When the practice needs to perform ongoing sanctions screening and would like to find out which particular sanctions list(s) have been updated recently, it may refer to the updates in the HKICPA web site: https://www.hkicpa.org.hk/en/Standards-and-regulation/Anti-money-laundering.
There are several ways for the practice to identify the amendments made (e.g. new designations of individuals and entities) in the updated sanctions lists to find out whether any new designations exist in its client base. The following sets out some suggested ways:

Direct sources -

a. Press releases of United Nations Security Council:

https://www.un.org/press/en/content/security-council/press-release

Other indirect sources may include -

b. Government of the United Kingdom where the practice may, among others, download an Excel version of the consolidated sanctions list:

https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets/consolidated-list-of-targets

c. Government of Australia where the practice may, among others, download an Excel version of the consolidated sanctions list:

https://dfat.gov.au/international-relations/security/sanctions/Pages/consolidated-list.aspx

(Posted on 23 December 2019)

Customer due diligence and ongoing monitoring

Q10.	Paragraph 620.10.5 of the AML Guidelines requires that verification of identity must be concluded within a reasonable timeframe after the establishment of business relationship. What is a "reasonable" timeframe?

Practices should determine the timeframe that is commensurate to their circumstances. Although there is no defined timeline set out in the AML Guidelines, practices may make references to the guideline established by the Companies Registry on compliance with a similar provision in the relevant AML Ordinance. The Companies Registry requires a Trust or Company Service Provider ("TCSP") licensee to suspend a business relationship with a client or customer if a verification of identity cannot be completed within 60 working days after the establishment of the business relationship; and to terminate the business relationship if the verification cannot be concluded within 120 working days after the establishment of the business relationship. (Posted on 3 May 2019)

Q11.	What is the expected frequency of a periodic review of customer due diligence ("CDD") information?

Other than an event driven review, practices should perform a periodic review of all clients to ensure the CDD information remains up to date and relevant. The frequency of a periodic review is dependent on the risk assessment of clients. Clients who are foreign politically exposed persons ("PEP") or high risk domestic PEP should be subjected to an annual review (paragraph 620.12.20) as a minimum. In addition, practices should carry out an annual review of risk category of clients (paragraph 620.10.8) and for material changes in the client's ownership and/or activities (paragraph 620.10.7(b)). Practices are advised to set out in their AML policy manual the frequency of a periodic review and what constitutes a triggering event for a review of the CDD information held on a particular client, including a pre-existing client (i.e., a client with which the practice had a business relationship before the implementation of the amendments to AMLO on 1 March 2018). (Posted on 3 May 2019)

Q12.	Paragraph 620.7.1 of the AML Guidelines requires practices to identify and verify the identity of any person purporting to act on behalf of the client (“PPTA”). Who should be treated as a PPTA of a corporate client?

The requirement to identify and verify the identity of a PPTA originated from Financial Action Task Force (FATF) Recommendation 10 and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) adopts the same requirement. FATF does not provide further guidance as to who should be determined as a PPTA. According to the FAQ issued by the Hong Kong Association of Banks, whether a person is considered to be a PPTA should be determined based on the nature of that person’s role and the activities in relation to which the person is authorized to act, as well as the money laundering and terrorist financing risks associated with those roles and activities.

A corporate client is represented by a natural person (e.g. a director or an officer). Therefore, each corporate client should have at least one PPTA. As a minimum, a person who is authorized to act on behalf of a client to establish a business relationship with the practice (i.e. the person who signed or will sign an engagement letter on behalf of the client) should always be treated as a PPTA for the purpose of applying paragraph 620.7.1 of the AML Guidelines. (Posted on 23 December 2019)

Q13.	What documentary evidence should be obtained to verify the authority of a PPTA?

If the PPTA is a director of a corporate client, a practice may verify the authority of that person by reference to the latest list of directors shown in the records kept by the company registry in the place of incorporation of that client if such information is publicly available. If the client is a listed entity (e.g. a company listed in the Hong Kong Stock Exchange), the practice may also refer to publicly available information (e.g. announcements posted on HKEXnews) to confirm whether that person is a director of the corporate client.

If the PPTA is not a director of a corporate client (e.g. an officer of the company) or there is no publicly available information to enable a verification be made, documentary evidence (e.g. a board resolution, a power of attorney or a letter of appointment) should be obtained to substantiate the PPTA’s authority. (Posted on 23 December 2019)

Q14.	If a client meets the criteria for the performance of simplified customer due diligence (“SDD”), does the practice need to identify and verify (e.g. collecting identity documents and conducting name checks) the client’s beneficial owners?

A practice can perform SDD only on specific types of clients and services as set out in paragraphs 620.11.5 to 620.11.11 of the AML Guidelines. According to AMLO, practices are not required to identify and verify the identity of any beneficial owner of the client when applying SDD.

However, practices are reminded that, according to paragraph 620.11.2 of the AML Guidelines, SDD should not be applied whenever, among others, there is suspicion of money laundering or terrorist financing or a practice has doubts over the veracity and adequacy of client identification or verification information obtained, or where specific higher risk scenarios apply. Practices are also reminded that they are still required to identify and verify the identity of the person purporting to act on behalf of the client even SDD is adopted. (Posted on 23 December 2019)

Q15.	Is it a must to subscribe to a commercial database for the performance of name checks on clients and their beneficial owners?

When performing a CDD, practices are required to identify whether the client and/or its beneficial owner(s) are politically exposed persons or subjected to sanctions. In addition, practices should also check whether the client and/or its beneficial owner(s) are connected with adverse news. The AML Guidelines do not mandate a subscription to a commercial database. Practices should consider their own circumstances, in particular their own money laundering / terrorist financing risk assessment, to determine whether or not to subscribe to a commercial database. If a practice does not subscribe to a commercial database, it may perform a search via various sources, including direct sources, such as the United Nations Security Council website, and indirect sources, including public search engines (e.g. Google, Yahoo or Baidu), as well as resources for sanctions and negative news screening. Further details are performed in Q9. (Posted on 23 December 2019)

总数: Bookmarks

Bookmark(s) Click icon to add bookmark(s) to my profile

User Profile Bookmark(s)

总数: Bookmarks

Click icon to add bookmark(s) to my profile

Bookmark(s)

User Profile Bookmark(s)

AML Monitoring

Applicable to ALL practice units: Q1 to Q9

Applicable to practice units which has provided services specified in paragraphs 600.2.1 and 600.2.2 of the AML Guidelines and / or adopted “good practices”: Q10 to Q15