2014-12-19

Added · Updated

HKMA Guidance on FATF Risk-Based Approach for Banking Sector and ML/TF Risk Assessment

The Hong Kong Monetary Authority issued this circular to align authorized institutions with the Financial Action Task Force's Risk-Based Approach Guidance for the Banking Sector. It mandates that institutions conduct comprehensive institutional and customer-level money laundering and terrorist financing risk assessments covering customers, jurisdictions, products, and delivery channels. Senior management must approve these documented assessments, which must be kept up-to-date and commensurate with the institution's size and complexity, while providing results to the regulator upon request.

Hong Kong Monetary Authority logo

Hong Kong

Hong Kong Monetary Authority

Click to view thumbnail

Banking Supervision Department 銀行監理部 Our Ref.: B10/1C B1/15C 19 December 2014 The Chief Executive All Authorized Institutions Dear Sir/Madam, FATF Risk-Based Approach Guidance for the Banking Sector and Money Laundering and Terrorist Financing Risk Assessment I am writing to inform you that the Financial Action Task Force on Money Laundering (FATF) published on 27 October 2014 “Risk-Based Approach Guidance for the Banking Sector” (the Guidance). We are also taking this opportunity to clarify the expectations of the Hong Kong Monetary Authority (HKMA) over authorized institutions’ (AIs’) assessment of money laundering and terrorist financing (ML/TF) risks. FATF Risk-Based Approach Guidance for the Banking Sector The Guidance outlines the principles involved in applying a risk-based approach (RBA) to anti-money laundering and counter-terrorist financing (AML/CFT) and addresses countries, their competent authorities and the banking sector. Your specific attention is drawn to section I which sets out the key elements of an RBA and section III which provides specific guidance to banks on the effective implementation of an RBA. Above all, the Guidance supports the development of a common understanding of what the RBA to AML/CFT entails, which includes the expectation that AIs should identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively. This Guidance should be read in conjunction with the guidance paper issued by the Basel Committee on Banking Supervision, “Sound Management of Risks Related to Money Laundering and Financing of Terrorism”, which was circulated to AIs on 10 February 2014. The principles outlined in both documents will greatly assist AIs in the design and implementation of effective AML/CFT systems1 . 1 See paragraph 2.1 of the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (for Authorized Institutions) (AMLO Guideline), also referred to as AML/CFT program

2 While the HKMA will have regard to this Guidance during future review of local legal and regulatory AML/CFT requirements, in the meantime, AIs are encouraged to review the Guidance in the context of, and assess the implications for, enhancing their AML/CFT control frameworks. The Guidance is available on the FATF’s website (http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-S ector.pdf). ML/TF Risk Assessment Central to the proper application of an RBA to AML/CFT is the expectation that AIs should identify, assess and understand the ML/TF risks to which they are exposed. The HKMA has made this an increasing focus of its recent AML/CFT supervision and provided guidance in two recent AML/CFT seminars2 . AIs should conduct ML/TF risk assessment at both the institutional and customer levels. While the requirements of risk assessment at customer level have been articulated in the AMLO Guideline 3 , the following paragraphs further clarify the expectations of the HKMA over AIs’ institutional assessments of their ML/TF risks. (i) Why are institutional ML/TF risk assessments so important? The ML/TF risk assessment forms the basis for the RBA, enabling the AI to understand how, and to what extent it is vulnerable to ML/TF, deciding the most appropriate and effective way to mitigate the identified risks, and the way to manage any resulting residual risk according to the AI’s risk appetite. The successful implementation and effective operation of an RBA to AML/CFT hinges on strong senior management leadership and oversight of the development and implementation of the RBA across the AI. Senior management should not only know about the ML/TF risks to which the AI is exposed, but also understand how its AML/CFT control framework operates to mitigate those risks. (ii) What steps should AIs take? While many AIs may already have ML/TF risk assessments in place, we would like to reiterate that all AIs should take appropriate steps to identify, assess and understand their ML/TF risks in relation to (1) their customers; (2) the countries or jurisdictions their customers are from or in; (3) the countries or jurisdictions the AIs have operations in; and (4) the products, services, transactions and delivery channels of the AIs. In practice, our expectation will be that the AI has: (a) documented the risk assessment process which includes the identification and assessment of relevant risks, supported by qualitative and quantitative analysis and information obtained from relevant internal and external sources;

2 Please refer to HKMA circulars dated 2 May and 13 August 2014 3 Reference should also be made to Chapter 3 of the AMLO Guideline

3 (b) considered all the relevant risks factors4 before determining what the level of overall risk is and the appropriate level and type of mitigation to be applied; (c) obtained the approval of senior management on the assessment results; (d) a process by which the risk assessment is kept up-to-date; and (e) appropriate mechanisms to provide its risk assessment to the HKMA when required to do so. (iii) Complexity The risk assessment should be commensurate with the nature and size of the AI’s business: (a) For larger or complex AIs (e.g. where AIs offer a variety of products and services across multiple branches or subsidiaries, locally or overseas), a comprehensive risk assessment is required. (b) For smaller or less complex AIs (e.g. where vast majority of the AIs’ customers fall into similar categories and/or where the range of products and services provided are very limited), a less sophisticated ML/TF risk assessment may suffice. (iv) Overseas operations If an AI is a part of a banking group (e.g. a foreign bank branch set up in Hong Kong) and a group-wide or regional risk assessment has been conducted, it may make reference to or rely on those assessments provided that the assessments adequately reflect ML/TF risks posed to the AI in the local context. Similarly, a locally-incorporated AI with overseas branches or subsidiary undertakings should perform a group-wide ML/TF risk assessment5 . Should you require further information, please contact Ms Sophia Lam on 2878 1356 or Mr Gavin Cheung on 2878 8305. Yours faithfully, Henry Cheng Executive Director (Banking Supervision) 4 Reference should also be made to Chapter 2 of the AMLO Guideline 5 As reflects the requirements set out in section 22 of Schedule 2 to the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance, Cap.615 and Chapter 2 of the AMLO Guideline.