Key Changes to the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For TCSP Licensees)

Author

Adrian Yick

The Companies Registry of Hong Kong (the “CR”) has published a revised Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees) (the “Guideline”), which takes effect on 3 March 2025. This Guideline replaces the existing Guideline on Compliance of Anti-Money Laundering and Counter-Terrorist Financing Requirements for Trust or Company Service Providers (June 2023), which has been in effect since June 2023.

Key amendments to the Guideline:

  1. Alignment with Regulatory Standards: The format and content of the Guideline have been updated to align with those published by other regulatory authorities in Hong Kong.
  2. Institutional ML/TF Risk Assessment: A new requirement has been introduced for TCSP licensees to conduct institutional money laundering and/or terrorist financing (“ML/TF”) risk assessments.
  3. Simplified and Enhanced AML/CFT Systems: The Guideline introduces simplified and enhanced anti-money laundering and counter-financing of terrorism systems (“AML/CFT Systems”), including policies, procedures, and controls.
  4. Practical Guidance on SDD and EDD: Detailed guidance is provided to facilitate the implementation of simplified due diligence (“SDD”) and enhanced due diligence (“EDD”) under a risk-based approach (“RBA”), supported by examples of lower and higher risk factors and corresponding measures.

A. Introduction of Institutional ML/TF Risk Assessment

The revised Guideline introduces a new requirement for TCSP licensees to conduct institutional-level ML/TF risk assessments. This assessment serves as the foundation for implementing a risk-based approach (RBA) at the firm level.

The institutional ML/TF risk assessment aims to identify, assess and understand the ML/TF risks in the following areas:

  1. Customer-related risks: Customer profiles and countries or jurisdictions from which customers originate;
  2. TCSP licensee-related risks: Countries or jurisdictions where the TCSP licensee operates, as well as its products, services, transactions and delivery channels.

Suggested steps for conducting institutional ML/TF risk assessment:

  1. Document the risk assessment procedure, which involves identifying and evaluating pertinent risks through both qualitative and quantitative analysis, and gather relevant information from relevant internal and external sources;
  2. Consider all relevant risk factors before determining the overall risk level, and the suitable level and type of mitigation measures;
  3. Obtain approval from senior management for the findings of the risk assessment;
  4. Establish a process to periodically review and update the risk assessment; and
  5. Establish suitable mechanisms to submit the risk assessment to the CR when requested to do so.

Factors to consider in Institutional ML/TF Risk Assessments:

  1. Customer risk factors:
    • Target market and customer segments;
    • Proportion of high-risk customers;
  2. Country risk factors of the TCSP licensee and its customers:
    • Countries or jurisdictions associated with higher ML/TF risks, such as those with higher levels of corruption, organised crime, or weak AML/CFT systems;
  3. Product, service, or transaction risk factors of the TCSP licensee:
    • Nature, scale, and complexity of the business;
    • Vulnerability of products/services to ML/TF;
    • Transaction volume and size;
  4. Delivery channel risk factors of the TCSP licensee:
    • Whether the TCSP licensee has direct interactions with the customer;
    • Reliance on third parties for customer due diligence (“CDD”);
    • The TCSP licensee's use of technology;
  5. Other risk factors:
    • Availability and quality of risk management resources, including availability of trained and qualified staff;
    • Compliance and regulatory findings; and
    • Internal or external audit results.

Institutional ML/TF risk assessments should be reviewed and updated at least every two years or whenever there are significant changes in business operations or risk exposure relevant to the TCSP licensee.


B. Simplified and Enhanced AML/CFT Systems

Paragraphs 3.2 and 3.3 of the Guideline provide new guidance on enhancing or simplifying AML/CFT Systems, as opposed to enhanced due diligence (“EDD”) or simplified due diligence (“SDD”) measures outlined in Chapter 4 of the Guideline. Key updates include:

  • Approval by Senior Management: AML/CFT Systems should be approved by senior management of the TCSP licensee;
  • Enhanced AML/CFT Systems: TCSP licensees should continuously monitor their AML/CFT Systems and enhance them as necessary. If higher risks are identified, the TCSP licensee should take enhanced measures to mitigate those risks;
  • Simplified AML/CFT Systems: TCSP licensees may adopt simplified AML/CFT Systems provided that:
    1. They comply with the statutory requirements under Schedule 2 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap.615) and the relevant requirements in relation to institutional ML/TF risk assessment and AML/CFT Systems in the Guideline;
    2. Low ML/TF risk is identified in the institutional ML/TF risk assessment or other appropriate risk assessment; and
    3. The simplified AML/CFT Systems are approved by senior management of the TCSP licensee and are subject to periodic review.

C. Practical Application of SDD and EDD under an RBA

SDD

TCSP licensees may apply SDD measures when their risk assessment, business relationship or transaction presents a low ML/TF risk. The Guideline suggests the following SDD measures for low ML/TF risk customers:

  • Accepting alternative documents, data or information (for example, proof of financial institution licence, listed status or authorisation status);
  • Applying simplified customer due diligence for beneficial owners as outlined in the Guideline;
  • Less frequent updates to customer identification information;
  • Lower levels of monitoring for transactions, provided reasonable monetary thresholds are applied; and
  • Skipping specific enquiries about the purpose and nature of a business relationship, inferring these details from the type of transactions or relationships established.

EDD

For high ML/TF risk customers, TCSP licensees must apply EDD measures. Approval from the senior management of the TCSP licensee is required before establishing or continuing a business relationship with a customer that presents high ML/TF risk.

While EDD measures should be proportionate and appropriate to the identified ML/TF risks, the Guideline recommends the following EDD measures that TCSP licensees may adopt:

  • Gathering additional customer information and conducting more frequent updates to customer and beneficial owner identification information;
  • Collecting more details about the intended nature of the business relationship;
  • Obtaining more information on the customer's source of wealth and source of funds;
  • Understanding reasons for the intended transactions; and
  • Requiring the first payment to be made through an account in the customer’s name.

D. Clarifications on who should be treated as a person purporting to act on behalf of the customer (“PPTA”)

In paragraph 8 of the Response to the commonly raised questions on the Guideline received from the consultation exercise published by the Registry for Trust and Company Service Providers on 6 December 2024 (the “Response”), the Guideline clarifies the criteria for determining whether a person is considered a PPTA. Determination should be based on:

  • The nature of that person’s roles and the activities which the person is authorised to conduct; and
  • The ML/TF risks associated with these roles and activities.

The Response further clarifies that any individual authorised to act on behalf of a customer to establish a business relationship with a TCSP licensee should always be treated as a PPTA. As a general rule, the Response also suggests that each legal person customer should have at least one PPTA, namely the person acting on behalf of the customer to establish the business relationship with the TCSP licensee. There may also be instances where multiple PPTAs exist, or where the PPTAs act alone or jointly.


Key Takeaways for TCSP Licensees

  • Action Required: Update internal AML/CFT policies, procedures, and controls to meet the new requirements under the Guideline.
  • Institutional ML/TF Risk Assessment: Perform and document the ML/TF risk assessment at the institutional level as required under the Guideline.
  • Staff Training: Ensure employees understand the new amendments under the Guideline, including the application of SDD and EDD measures under the RBA.
