26 November 2001
The Chief Executive
All authorized institutions
Dear Sir/Madam,
Following my letter of 26 September 2001, I am writing to provide further guidance on measures which will help to strengthen controls against money laundering. This draws on experience in Hong Kong as well as on the recent guideline published by the Basel Committee on "Customer due diligence for banks". You may wish to note that the first two recommendations are particularly relevant to transactions with money changers which, as part of their day to day business, normally handle a large amount of bank notes in different currencies.
This principle requires banks not only to establish the identity of their customers, but also to have a good understanding of what is normal and reasonable activity for particular types of customer. This is necessary to identify transactions that fall outside the regular pattern of an account's activity and may therefore be unusual or suspicious.
In keeping with this, authorized institutions ("AIs") should take appropriate measures to satisfy themselves about the source and legitimacy of cash or funds to be credited to a customer' account or foreign currency bank notes that the customer wishes to sell. This is particularly the case where large amounts are involved.
This requires a good understanding of the nature of the customer's business. A judgement needs to be made whether the total amount of money involved is reasonable or not having regard to the customer's business and the size of turnover that it could be expected to generate from legitimate sources. It is not enough to assume, for example, that large transactions are not suspicious simply because the nature of the customer' business typically involves the handling of cash or remittance of funds. Nor should it be assumed that, because a customer is registered with the Police as a money changer, the AI does not need to conduct its own due diligence or ongoing monitoring.
AIs should therefore make appropriate enquiries about the nature of the customer' business at the time an account is opened and ensure that their understanding is kept up to date thereafter.
Among other things, the country of origin of cash or funds needs to be established. Where cash or funds are believed to derive from a place outside Hong Kong, including the Mainland, AIs should ask themselves two basic questions:
Where there are suspicions about the nature of transactions over an account, institutions should file a report with the Joint Financial Intelligence Unit ("JFIU") They may also decide to terminate the relationship with the customer concerned, in which case they should take care to retain copies of relevant documents that would help to establish an audit trail for suspicious funds.
In order to satisfy their legal and regulatory obligations, AIs need to have systems to enable them to identify and report suspicious transactions. However, it is not enough to rely simply on the initiative of front-line staff to make ad hoc reports. AIs also need to have management information systems to provide managers and compliance officers with timely information on a regular basis to enable them to detect patterns of unusual or suspicious activity, particularly in relation to higher risk accounts.
AIs should establish criteria to identify accounts that may be of higher risk from a money laundering perspective.
MIS reports should identify transactions that are unusual either in terms of amount (for example, by reference to predetermined limits for the customer in question or to comparative figures for similar customers) or type of transaction or other relevant risk factors. High account activity in relation to the size of the balance on an account may, for example, indicate that funds are being "washed" through the account and may trigger further investigation.
While a focus on cash transactions is important, it should not be exclusive. AIs should not lose sight of non-cash transactions, e.g. inter-account transfers or inter-bank transfers, particularly when large amounts are involved. The MIS reports referred to above should therefore capture not only cash transactions but also those in other forms. The aim should be to obtain a consolidated picture of the customer' transactions and overall relationship with the bank.
The role of the compliance officer
It follows from the above that the role of the compliance officer should not be simply that of a passive recipient of ad hoc reports of suspicious transactions. Rather, the compliance officer should play an active role in the identification and reporting of suspicious transactions. This should involve regular (preferably daily) review by the compliance officer of exception reports of large or irregular transactions generated by the AI' MIS as well as ad hoc reports made by front-line staff. The compliance officer should form a considered view whether unusual or suspicious transactions should be reported to the JFIU. If a decision is made not to report an apparently suspicious transaction to the JFIU, the reasons for this should be fully documented by the compliance officer. The fact that a report may already have been filed with the JFIU in relation to previous transactions of the customer in question should not necessarily preclude the making of a fresh report if new suspicions are aroused.
More generally, the compliance officer should have the responsibility of checking on an ongoing basis that the AI has policies and procedures to ensure compliance with legal and regulatory requirements and of testing such compliance.
It follows from this that AIs should ensure that the compliance officer is of sufficient status within the organisation, and has adequate resources, to enable him to perform his functions.
Internal audit
Internal audit also has an important role to play in independently evaluating on a periodic basis an AI' policies and procedures on money laundering. This should include checking the effectiveness of the compliance officer function, the adequacy of MIS reports of large or irregular transactions and the quality of reporting of suspicious transactions. The level of awareness of branch staff of their responsibilities in relation to the prevention of money laundering should also be reviewed. As in the case of the compliance officer, the internal audit function should have sufficient expertise and resources to enable it to carry out its responsibilities.
The HKMA' supervisory approach
The HKMA has also been reviewing its own supervisory approach towards money laundering, taking into account international developments on this issue. Briefly, the main elements of our enhanced approach will consist of the following:
more in-depth examination (with sample testing and branch visits) to be performed by dedicated teams of those AIs which may be more vulnerable to money laundering because of the nature of their business or other risk factors;
higher level review of the policies and procedures on money laundering of other AIs to be conducted as part of normal risk-based examinations;
in appropriate cases (e.g. where an initial examination has indicated that major inadequacies in controls may exist) reviews by external auditors under section 59 of the Banking Ordinance;
self-assessment by compliance officers of AIs on risk indicators of money laundering within their institutions and the quality of controls (the HKMA will develop a self-assessment framework for this purpose);
further guidance from the HKMA on the standard requirements for the post of compliance officer;
revised guidelines to be issued by the HKMA on controls against money laundering to take account of the latest recommendations of the Financial Action Task Force and the Basel Committee.
I hope that you will find the above information helpful. If you have any questions regarding this letter, please get in touch with your usual contact at the HKMA.
Yours faithfully,
D T R Carse
Deputy Chief Executive
* Even if evasion of exchange controls is not an offence within Hong Kong (where no such controls exist), AIs should not knowingly facilitate such evasion in other jurisdictions.