HKMA publishes feedback after industry thematic review of AML and CFT control measures

The HKMA has issued a Circular detailing key observations and good practices in AML/CFT control measures that have been identified from various sources, including recent thematic reviews of remote on-boarding initiatives, insights and observations from engagement with Authorised Institutions (AIs), technology firms in the Fintech Supervisory Sandbox (FSS) and Chatroom, supervision of Virtual Banks, and industry feedback received from other HKMA initiatives.

In light of Covid-2019, the need for social distancing, remote on-boarding (see circular) and digital delivery of financial services has become more important. To date, 10 AIs have launched remote on-boarding, and the HKMA further encourages AIs to test and adopt efficient and reliable technologies (such as the government’s iAM Smart) to conduct customer due diligence and other e-services.

High-level regulatory expectations, observations, and good practices on AML/CTF control measures associated with remote-onboarding are contained in the Annex to the Circular. AIs considering the introduction and enhancement of remote on-boarding schemes should review the Annex, alongside the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorised Institutions).

Regulatory expectations from the Annex are summarised below:

  1. AIs should adequately assess ML/TF risks associated with a remote on-boarding initiative prior to its launch.

    There is no prescribed format for the performance of ML/TF risk assessment; some AIs adopted a task force style approach comprising of front/second line departments, some performed the risk assessment as part of a wider scope assessment, and others adopted a more standalone format.

    Common factors covered in pre-implementation assessments included due diligence on the vendor’s capability and the reliability of their solutions; possible impacts and risks (including but not limited to ML/TF risk, impersonation risk) arising from remote on-boarding initiatives and technology; new or additional risks due to changes in AML/CFT control processes.

    AIs that adopted off-the-shelf solutions for identity authentication and identity matching whilst working with third party vendors demonstrated an appropriate level of understanding of how the programs worked. Such understanding is essential for AIs adopting or planning to use remote on-boarding solutions.
  2. AIs should apply a risk-based approach in the design and implementation of AML/CFT control measures for remote on-boarding initiatives.

    AIs should be able to demonstrate that the extent of customer due diligence (CDD) measures is commensurate with the ML/TF risks associated with a business relationship, irrespective of the means used to on-board a customer.

    AIs recognised that remote on-boarding may involve ML/TF vulnerabilities different from traditional processes, and instead adopted a phased approach, initially targeting lower-risk customer segments. Other approaches include conducting part of the process through teleconference or video conference with applicants displaying higher-risk characteristics to better understand the potential risks, as well as implementing extra control measures to mitigate impersonation risks.
  3. AIs should monitor and manage the ability of the technology adopted to meet AML/CFT requirements on an ongoing basis.

    All AIs reviewed adopted ongoing quality assurance processes over the effectiveness of the end-to-end AML/CFT controls for remote on-boarding, including the technology deployed.

    AIs generally applied 100% manual checking of selfie images, ID documents and liveness detection processes during the early stages of implementation to assess performance and identify any emerging risks. Manual checking is also helpful for identifying any abnormalities and implementing appropriate risk mitigating measures or contingencies, for example where the artificial intelligence application does not perform as intended and cannot detect certain aspects such as unusual background of selfie or unusual facial expression by the applicant.  The manual checking sample size is intended to decrease over time after taking into account the reliability and consistency of the technology.

    Post-implementation review (“PIR”) is considered an essential part of the on-boarding initiative. Some AIs undertook this as part of an ongoing process while others undertook this as a standalone review (within 6 to 12 month after implementation).  Whatever form the PIR took, the HKMA notes that it is good practice to cover any new and/or emerging risks identified due to the adoption of the technology or changes to existing control processes.
  4. Ongoing monitoring should take into account vulnerabilities associated with the product and delivery channel.  

    ML/TF risks often only become apparent upon operation of the account, so CDD at on-boarding is only one part of effective AML/CFT controls. Therefore, the implementation of an ongoing monitoring system tailored to the risk profile of a customer relationship is essential.

    All AIs in the review were able to describe how CDD during on-boarding combined with ongoing monitoring to mitigate risks. This may be in the form of applying specific rules-based detection scenarios to monitor transactions of customers on-boarded remotely, or exploring different data points to monitor customer behaviour (e.g. data obtained for fraud prevention purposes).  

    The HKMA noted it was good practice to regularly share information and intelligence e.g. establishing internal working groups or regular meetings with members from both Financial Crime Compliance and anti-fraud teams to identify monitoring rules in the fraud monitoring system that had AML/CFT applications.