Keynote Speech at 2018 Refinitiv Pan Asian Regulatory Summit
10 Oct 2018
Keynote Speech at 2018 Refinitiv Pan Asian Regulatory Summit
Carmen Chu, Executive Director (Enforcement and AML), Hong Kong Monetary Authority
Ladies and gentlemen, thank you for inviting me to speak at this year’s Pan-Asian Regulatory Summit.
- This is a very opportune time for me to update you about our work in the area of anti-money laundering and counter-financing of terrorism (AML/CFT), and particularly how new technologies and techniques are affecting that work.
- As many of you will know, Hong Kong is currently undergoing its fourth-round mutual evaluation jointly conducted by the Financial Action Task Force and the Asia Pacific Group on Money Laundering, respectively the global standard setter and its regional equivalent for AML/CFT. In fact the assessment team will be coming to Hong Kong for its on-site visit in just a few weeks’ time.
- Anyone who has experience of these mutual evaluations will know how much work is involved, and my colleagues at the Hong Kong Monetary Authority (HKMA) – as well as others across the Government, law enforcement agencies and many private-sector firms – have been working very hard on preparing for the exercise. So I am pleased to have the opportunity today to share with you some of the latest developments.
Why We Do This
- But before that, I would like to give a reminder of why we do all these. If you’ve heard it before, I make no apology: it bears repeating. Money laundering and terrorist financing are crimes. They facilitate other crimes, including some quite nasty ones: fraud, drug trafficking, people trafficking and, of course, terrorism. That is what AML/CFT controls are about. Not ticking boxes. Not keeping the regulator off your back. Banks and financial institutions are not law enforcement and can never replace the Police and other agencies, but they are nevertheless playing a frontline role in our anti-money laundering regime since their data, technology and know-how has the opportunity like never before to detect and disrupt criminal activity.
Hong Kong Money Laundering and Terrorist Financing Risk Assessment Report
- There was a major development in April this year, when the Government published a territory-wide Hong Kong Money Laundering and Terrorist Financing Risk Assessment Report. It marks the first time that Hong Kong has publicly set out, in a comprehensive way, its assessment of the risks it faces in all sectors. Of course, that doesn’t mean that threats, vulnerabilities and risks were never assessed before: a great deal of work has been done, over the years. And that information was fed into a Central Coordinating Committee, chaired by the Financial Secretary and comprising relevant parties including the HKMA, where AML/CFT policies are decided and coordinated across the board.
- It was a very useful assessment exercise and the HKMA’s work focused on the banking sector. Obviously, in our supervisory work we gather a lot of information to help form our own view of the risks. However, input and understanding on risks from banks themselves have always been an integral part of the collaborative approach we adopt. Banks are the ones interfacing with customers on a daily basis and who see first hand how criminals abuse their services and exploit vulnerabilities as new and emerging threats arise. Our analysis found that banks take their AML obligations seriously; banks have a vast pool of experience and expertise in their AML compliance departments and as a result surveillance efforts have never been better.
- That is not to say that the regulator and other Government agencies have no role to play. Quite the contrary. There are times when we see things happening in a number of institutions and are able to share information to alert banks to risks they may not yet have seen individually. I’ll say more about this later, but for now, I’ll just note that it made a lot of sense to talk to the banking sector in our risk assessment process.
- The banking sector was fully consulted in writing and two focus groups to discuss risks in different market segments. While none of the input came as a surprise, it certainly refined our views on the risks facing the sector and added emphasis in some areas, such as risks relating to financing of proliferation of weapons of mass destruction and areas like human and wildlife trafficking, and how some banks are participating in global efforts to identify and interdict the financial flows linked to these crimes. I would like to take this opportunity to express our thanks again to the banking sector for its useful input.
- It should be no surprise to anyone that our banking sector is assessed as “high risk” in terms of money laundering and terrorist financing. This is consistent with assessments in other financial centres and reflects the reality that sooner or later criminal proceeds would pass through banks. And while our supervisory work suggests that controls in banks are generally strong, and banks are committed to this “gatekeeper” role, the risks are still inherent in banking business.
- I should add that the HKMA is also responsible for supervision of the stored value facility – or SVF – sector, including AML/CFT matters. As the SVF sector only came fully under regulation in late 2016, the analysis in the Hong Kong Risk Assessment Report was based on information available at that time, collected during the processing of licence applications, including independent third-party reviews, and international experience. We now have about 18 months of supervisory experience and operating data to work on; and especially because business models and technology are developing rapidly in this sector, we are in the final stage of updating the risk assessment, on which we will shortly be communicating with the sector. While not yet finalised, we believe the “medium” overall risk rating for the SVF sector remains reasonable, and as with all risk assessments, this is an iterative process. Threats and risks are never static, and our assessments of both the banking and SVF sectors will be kept up to date.
- The Hong Kong Risk Assessment Report contains a statement of the Government’s AML/CFT policy and also identifies a number of areas where the Government will focus its efforts. Among others, they include strengthening the risk-based approach, strengthening law enforcement efforts and intelligence capability and enhancing restraint and confiscation of proceeds of crime, including through multi-agency cooperation.
- That may all sound a bit high-level. But the point is that the policy is driven by the assessment of risks and cascades through the whole system. In our case, the HKMA’s AML/CFT policy and supervisory approach is set out in a new Supervisory Policy Manual to be issued next week under the Banking Ordinance, and a similar circular to the SVF sector as well. These documents do not include anything new; the HKMA has long been pursuing risk-based supervision while we have now, for the first time and for greater transparency, articulated it in a statutory module specifically on AML/CFT.
- The focus on risk is important. It drives the allocation of resources in the HKMA, and the same should be true in financial institutions as well. No one has unlimited resources; we all have tough choices to make, so it is essential to identify the main risks and to focus resources on them.
- And there is an important implication to the risk-based approach: focusing your resources means you can’t be looking everywhere. And this is something we recognise. We have been clear that it is unrealistic to expect “zero failure” outcomes. We expect institutions to implement adequate and appropriate controls, properly resourced, commensurate with the risks as identified and understood by each bank and SVF. Individual banks and SVFs do not automatically have the same risk ratings as the sectoral rating, given varying business models in different institutions. That is why we have made the requirement to assess ML/TF risks at the institutional level a central tenet of our supervisory work, and I am pleased that significant progress has been made over the years.
- But that does not mean nothing will ever get through. Even the best controls cannot fully fend off every attempt to exploit an institution. The point is to deter it as far as possible, and detect it as soon as possible through transaction monitoring, screening and suspicious transaction reporting. Equally important is the record-keeping requirements; often not given the emphasis they deserve but actually very crucial. If something slips through the controls, records have significant value to investigations and prosecutions.
- And the question of resources and effectiveness brings me to technology. Hardly a day goes by without some new brilliant idea that may change banking and, especially, the payments sector forever. I’ve mentioned stored value facility, which wasn’t fully regulated until less than two years ago, yet seems almost traditional now.
- Like other supervisors around the world, the HKMA adopts a technology neutral stance. In other words, whatever technology is used, we expect services are delivered safely and efficiently. In the case of virtual banks, we should recognise that a virtual bank is, first and foremost, just a bank. So requirements around capital adequacy and managing key risks including, of course, AML/CFT controls, all apply just as they do for bricks-and-mortar banks. But risks may vary with scale, scope and modality of business operations of individual banks, so are our supervisory tools and intensity accordingly.
- We recognise the potential benefits of technology, and we are impressed by the new initiatives put in front of us through engagement with banks and FinTech companies at the HKMA Sandbox and Chatroom where we have provided early supervisory feedback on each occasion. Technology has a lot of potential to make AML/CFT controls more effective and efficient.
- Let me elaborate the point about efficiency. Taking customer screening systems as just one example, the less time is spent on investigating false hits, the more time can be devoted for real ones. That was a key lesson of the thematic work we did over the last year on automated sanctions screening systems of a number of banks. Pretty much all of these systems were effective, able to identify test samples from sanctions databases. But efficiency – measured by the number of alerts generated for every true hit – was more variable. The key is to understand what the system does and make sure it is properly tuned: something that can’t be left to the service provider.
- Another area where technology is set to play a major role is customer on-boarding. Increasingly this is being done without the customer having to be physically present – which I should add has always been permissible under international standards and local requirements. Obviously, it is quicker, more convenient and less costly. But there are also risks to manage: the risks of impersonation, identity theft and financial crime are increased, and if the balance is not right, one type of compliance cost will be replaced by another. Technology offers solutions. In fact, there are banks in Hong Kong now on-boarding customers remotely using smartphones, optical character and facial recognition technology, which could be more secure than having a human staff member examine an ID card. And know-your-customer utilities (KYCU) – an area we are exploring actively with the banking industry – may allow information to be collected and assessed more effectively, and shared across institutions with appropriate customer consent, and help enhance customer experience in bank account opening and maintenance. But personal data must still be handled safely and the technology risks are properly understood and mitigated.
- And it is not just financial institutions that can make greater use of technology. Regulators globally are also increasingly looking to technology to enhance work efficiency. We in the HKMA encourages and will facilitate open dialogue with banks, SVF operators, technology experts and relevant stakeholders on innovative RegTech solutions, in addition to the current discussion in Sandbox and Chatroom on an individual basis. We will also examine ways to enhance AML/CFT surveillance at the sectoral level making greater use of existing and new data and information from banks and SVF licensees through the application of analytical tools such as artificial intelligence and machine learning in transaction monitoring and screening, for example.
- This brings me back to the Government’s policy statement which highlights the focus on strengthening law enforcement efforts and intelligence capability, and enhancing restraint and confiscation of proceeds of crime including through multi-agency cooperation.
- We all know how the current system works in customer due diligence, transaction monitoring and suspicious transaction reporting to the Joint Financial Intelligence Unit (JFIU) to help law enforcement agencies catch the bad guys. This is the model that has been around for years and is used pretty much everywhere. It is important and it is shown to be working. Our JFIU colleagues regularly share information and typologies to help the banking sector to identify trends and patterns typical of criminals laundering money.
- In parallel, there are discussions internationally on ways to get more out of the limited resources. One way of doing this is to focus on sharing more targeted information and intelligence. And this has been the basis of a very interesting cooperation between the Police, banking sector and the HKMA.
- In May 2017, the Police, with the support from the HKMA and banking industry, launched a pilot project; the Fraud and Money Laundering Intelligence Taskforce, or FMLIT. Similar to other overseas platforms, FMLIT is a public-private sector partnership which pools knowledge and expertise to help make combating money laundering more effective, especially as it relates to key crimes such as fraud, which is identified in the Hong Kong Risk Assessment as by far the most prevalent predicate offence for money laundering, accounting for around 80% of cases between 2011 and 2015.
- 26. A number of typologies on fraud and trade-based money laundering were developed from focused, intelligence-led suspicious transaction reports and shared with all banks to help enhance effectiveness of transaction monitoring. In the 18 months period since pilot launch of FMLIT up to end-August, there were 488 intelligence-led suspicious transaction reports and as a result, 96 people have been arrested, HK$22 million have been restrained and a further HK$33 million of losses have been prevented. While it is still early days, we and the banking sector view the FMLIT as very positive development.
- There are other areas where a partnership cum information sharing approach is being pursued to strengthen the sector’s resilience to major threats. In March this year, the HKMA co-hosted a round table with major banks, at which the Police and other stakeholders were invited to share information and enhance understanding of the threat for Hong Kong’s banking system being abused for evasion of international sanctions intended to prevent the proliferation of weapons of mass destruction. Building on that work, the industry developed information on typologies and investigative techniques that were circulated to all banks in August to help them consider appropriate approaches. The industry has also recently developed an alert on risks related to human trafficking, which will be circulated to all banks shortly. This work demonstrated the strong commitment of the sector to tackling various financial crime risks.
Supervision and Enforcement
- Finally, I should say a few words about our supervisory and enforcement efforts. I have said a lot about cooperation with the industry and I would like to emphasise that we find the overwhelming majority of industry practitioners to be committed to meeting their legal and regulatory obligations and, more importantly, to that aim of helping to stop bad people doing bad things.
- But unfortunately there are occasional situations, where we find that controls are not what they should be and institutions have not fully met their legal and regulatory obligations. In those cases, supervisory and enforcement measures may be necessary.
- Our key objective whenever we find deficiencies in AML/CFT controls is to bring about remedial action as quickly as possible: to fix the problem and prevent recurrence. Often that can be done by agreement of actions and timeframe with the institution concerned. In some cases, we may use statutory powers under the relevant ordinances, for example requiring banks or SVF licencees to engage an independent expert to validate the implementation and effectiveness of remedial measures. That is one form of supervisory action. Putting on hold an institution’s new business or expansion plans is another example. Where proportionate to the circumstances, the HKMA has also issued Compliance Advice Letters to stress the importance of meeting legal and regulatory obligations, and requiring the banks concerned to put in place appropriate measures to avoid recurrence.
- For the most serious cases, following thorough investigation with sufficient evidence, disciplinary action may be warranted. Sanctions include orders to remedy the contravention, public reprimands – that is naming and shaming – and pecuniary penalties. So far, we have taken disciplinary action under the Anti-Money Laundering and Counter-Financing of Terrorism Ordinance on three occasions and you can find details on the HKMA website. While our priority is to ensure prompt remedial action is taken, enforcement action is required, when it is appropriate in all the circumstances, to send deterrent messages and help the industry to learn from past mistakes.
- Our supervisory approach, including with regard to enforcement measures, is set out in the Supervisory Policy Manual. There are also various Guidelines on how we exercise our statutory power to impose pecuniary penalties in an effective, proportionate and dissuasive manner, as well as a Guidance Note which explains how cooperation in investigation and enforcement proceedings will be taken into consideration by the HKMA when determining the outcome of enforcement action.
- Ladies and gentlemen, enforcement and sanctions will impact on a minority of institutions under serious circumstances. The points I hope you will take away today are:
- First, the banking and SVF sectors have a significantly strengthened understanding of their ML/TF risks, as demonstrated by the volume and importance of risk assessment work pursued over the past years and which is reflected in the Hong Kong Risk Assessment Report and other output targeting specific threats;
- Second, the better understanding of risks helps drive both the work of the HKMA and private sectors. “Risk-based approach” is the key – efforts and resources should be focused on areas of higher risk;
- Third, the greater use of technology, and enhanced information sharing between the public and private sectors, can help us do our job more effectively and efficiently.
- And finally, we must also bear in mind that activity alone is not a full measure of success. The real value in AML/CFT work, and which will be a focus in the mutual evaluation, is in respect of outcomes. Back to the basics, which drive the HKMA’s work, is how the banking and SVF sectors effectively support law enforcement efforts to detect, deter and disrupt money laundering, and our contribution to a safe and clean financial centre.
- Thank you for your attention.