2023-04-27
Added · Updated
The document outlines key observations and good practices for Authorized Institutions (AIs) to improve the on-boarding process for corporate customers. It mandates that AIs implement timely application processing, adopt risk-based approaches rather than outright rejections, and apply proportionate Customer Due Diligence measures. Specific guidance is provided for Virtual Asset Service Providers and customers from FATF grey-listed jurisdictions to prevent undue burdens and ensure consistent implementation.
– 4 – Annex Key observations and good practices identified in on-boarding of corporate customers
– 5 – 3. Observation: The frontline staff of an AI rejected an account opening application of the company upfront upon learning its business nature/model but without undergoing individual risk assessment on the applicant. Expected standard: AIs should not reject an account opening application outright simply in view of the industry sector which the applicant is operating in. Rather, AIs should adopt a risk-based approach to differentiate and understand the risks of customers and adopt appropriate and effective measures which are proportionate to the identified risks. AIs should also provide practical guidance and adequate training to their frontline staff to ensure consistent and effective implementation on the ground. 4. Observation: An AI conducted additional CDD measures for a SFClicensed VASP. Expected standard: AIs are reminded that the additional CDD measures for VASPs set out in the 2022 circular only apply when it offers correspondent services (e.g. an account to settle clients’ transactions) to overseas VASPs. In other words, if it is a SFC-licensed VASP, the AI concerned is not required to conduct the additional CDD measures. AIs should provide practical guidance and training to frontline staff so as to ensure a clear understanding on the requirements.
– 6 – 5. Observation: An AI required a SFC-licensed VASP seeking to open a bank account to furnish an independent assessment report on the VASP’s systems and controls with respect to AML/CFT. Expected standard: Provision of an independent report can be costly and time consuming. The information collected by AIs should be reasonable taking into account the circumstances of VASPs, particularly their status as a legal entity under the supervision of SFC. 6. Good Practice: An AI offers a narrower set of banking services and requires correspondingly less extensive CDD measures at account opening. Expected standard: AIs are reminded that the extent of CDD measures should be proportionate to the risk level of customers and the functionalities of the service provided in order not to create undue burden on the customers and the AI itself. For example, if a technology firm only opens an account for its own corporate use (e.g. payroll and rental), particularly for those setting up an office in Hong Kong to look for the opportunities here or in the course of applying for a licence under the new regulatory regime for virtual assets and VASPs in Hong Kong, but not yet commence any regulated activities, AIs may consider whether the Simple Bank Account arrangement can meet customer needs, and should give due regard to the “approval-in-principle” issued by the relevant authority to VASP licence applicants in the CDD process instead of taking no actions until the VASP licence is actually granted.
– 7 – 7. Good Practice: An AI conducts customer risk assessments taking into account various risk factors and differentiate the risk level of customers, instead of automatically applying enhanced due diligence on customers from jurisdictions in the FATF grey list. Expected standard: The FATF statement: “Jurisdictions under Increased Monitoring” (often referred to as the grey list) identifies countries that are actively working with the FATF to address strategic deficiencies in their AML/CFT regimes. The FATF has clarified that it does not call for the application of enhanced due diligence measures to be applied to these jurisdictions and the FATF Standards do not envisage de-risking, or cutting-off entire classes of customers, but calls for the application of a risk-based approach. AIs should continue to take into account the fact that a customer is connected to such a jurisdiction in constructing the risk profile of the customer, and apply CDD measures proportionate to the risks.