Carmen Chu, Executive Director (Enforcement and AML), Hong Kong Monetary Authority
Good morning everyone. It is my great pleasure to participate in the Pan Asian Regulatory Summit again and let me thank Thomson Reuters for the opportunity to meet all of you in Hong Kong and share ideas from different perspectives.
At the HKMA, we are committed to strengthening Hong Kong’s position as a global leader when it comes to risk-based regulation and supervision. So today I will provide an update about the structural reforms in the approach to managing financial crime risk. These reforms are aimed at encouraging a much stronger focus on effectiveness and outcomes, rather than a tick-box approach to compliance - an evolution made possible by the transition from silo style working to the eco-system approach we use today.
Our key takeaway: Delivering impactful reforms in financial crime risk management is dependent on executing the risk-based approach correctly.
Historically, institutions have found executing the risk-based approach challenging. Since the concept was first introduced by the Financial Action Task Force, regulators like the HKMA have spent a lot of time clarifying what it actually means. We have clarified that the risk-based approach to AML/CFT should be premised on up-to-date understanding of evolving risks, by making the best possible use of data. We have also clarified, on a number of occasions, that the international standards on which the Hong Kong regime is based do not expect “zero failure” in preventing, detecting or deterring possible abuse of bank accounts for money laundering or other financial crimes.
But we know that circulars and guidance are not enough, so our supervision in recent years has placed a much stronger emphasis on industry engagement and focus on supporting the outcomes we are trying to achieve, that is, AML/CFT controls which are proportionate to the assessed risks and which treat customers fairly through effective execution. We engage banks through our on-site examinations, often focusing on effectiveness rather than technical compliance, and also by optimising the data we collect to analyse systemic risks as well as individual banks’ performance in risk management efforts.
It is clear from our engagement that the risk-based approach gives banks the flexibility to target limited resources at priority threats, but doing so requires banks to understand what higher and lower risks both look like and guard against consequences which the design of the risk-based approach never intended. I am referring here to things like asking customers to provide details or proof of salary, employment or investments dating back years or treating all politically exposed persons (PEPs) as ultra-high risk. To further promote effective execution, building on work done in the past few years which can be referenced on our website and training materials, we are currently preparing further practical guidance on how to apply a risk-based approach on PEPs, particularly around local PEPs and former PEPs, and working with an external consultant to make sure the new guidance is consistent with international standards and best practices.
The good news is we now have an expanded toolbox that helps to clearly signpost higher risk areas and situations, making it easier to get the risk-based approach right, based on expanded information sharing, increased collaboration and responsible deployment of technologies. In Hong Kong, the public and private sectors have been sharing information on cases through the Fraud and Money Laundering Intelligence Taskforce since 2017. At the same time, banks have significantly strengthened the collective ability to deploy network analytics to fully leverage this richer stream of data. And we now have bank experts co-located alongside police officers in an integrated anti-deception centre to make sure that collaboration on that analysis takes place at speed, to drive increased interception of funds.
But we are not stopping there. Many of you will be aware of the ongoing consultation on our proposal to allow banks to share personal account information, subject to appropriate safeguards, for the purpose of preventing and detecting fraud and financial crime. This will add significantly to our eco-system toolbox, allowing banks to leverage upon the detection capabilities of other banks. The consultation is still open till the end of this month, so if you have not already done so, feel free to contribute inputs or comments to this important development in Hong Kong, which reflects similar initiatives in other international financial centres.
Despite some successes from these efforts, we know from the cases we see that criminal syndicates are not bound by any rules, boundaries or borders or restricted to any one modus operandi. Fraudsters and money launderers innovate in the blink of an eye and use technology to attack at scale anywhere and at any time. Therefore, while we have witnessed significant innovation, including Regtech adoption under the eco-system approach in recent years, the stark reality is that unless we keep innovating, we will not be able to combat the evolving nature of financial crime.
While the rise in fraud-related complaints has shown signs of slowing, the absolute numbers still suggest that it is a priority concern for everyone. No one can afford to relax in the face of this threat which, if left unchecked, could challenge confidence in the use of digital services. Instant payment systems provide super efficiency and there is also a need for new technologies to close the gap between the fraud occurring, the transfer of funds, and identification and potential interception.
Recently, there is increasing global debate about what risks we are willing to accept in exchange for speed of transactions and online services. We are hearing of examples where certain parts of online accounts can be blocked or certain payments slowed down, to allow time for banks to seek offline authentication before processing payments and for law enforcement agencies to intercept funds. As experience grows collectively, the realisation that not all digital fraud risks can be mitigated by banks alone is a healthy one, so the HKMA has progressively strengthened education for consumers to stay alert to the latest modus operandi of fraudsters and to protect oneself against losses.
While tackling fraud is important, we are also regularly reminded that the range of money laundering threats, whether from corruption and other predicate crimes, or channelled through virtual assets, remains significant, particularly for international financial centres including Hong Kong. To make sure banks’ systems are effective in mitigating these priority threats, the HKMA uses a wide range of supervisory and enforcement measures as warranted, the aim of which is to lead to adequate changes in banks.
The supervision and oversight of virtual assets is another area which regulation and supervision can be strengthened globally, following the efforts of the Financial Action Task Force to include this segment as part of the international standards in 2019. These developments, while creating business opportunities, could also bring about increasing challenges to the integrity and reputation of financial centres. So we must double our guard and, in addition to innovative approaches powered by data and technology, make sure our ability to collaborate and cooperate across borders continues to develop.
Doubling our guard will most certainly involve Artificial Intelligence (AI) applications which are already being used by some banks in AML work and have the potential to transform many of the data intensive processes currently deployed for financial crime risk management. While recognising that AI may involve additional risks, the HKMA and banks also seek to maximise the potential of greater operational efficiencies through AI tools, supporting our ambition around innovation – faster fraud detection being just one. To clarify our thinking in this area, we will in the coming weeks be providing AML-focused guidance around the use of AI, to make sure the right guardrails are in place, and which adds to our thematic guidance on banks’ transaction monitoring systems.
To round off, over the past five years, it has been the evolution of public-private and private-private partnerships which have, more than anything else, expanded the range of data and tools to sharpen the risk-based approach in AML efforts. As a result, our limited resources are being applied to the priority risk areas. As these partnerships become more mature globally, we believe there is now an opportunity to fine tune these platforms to prioritise those areas delivering the greatest benefits, while minimising duplication.
Looking forward, these collaborative initiatives must stay true to the principles on which they were designed: Agile in addressing new threats; Manage risks and customer experience in a balanced manner; and Led by innovation and new capabilities. Success is being measured by effectiveness and outcomes, more so than for tick-box compliance, and many of these effective outcomes are being achieved, now and in the future, through an eco-system approach.
That is why the HKMA, together with the industry and relevant stakeholders, will continue to invest in data, technology and capabilities, placing collaboration at the heart of everything we do, following the risk-based approach to drive effective regulatory outcomes in support of financial stability and market integrity.
I very much hope the discussions which take place today will focus on and contribute to how we shape the future of financial crime risk management. Thank you.
