SFC sets out findings from AML/CFT onsite inspections

29 October 2018

The recent SFC review of nearly 300 firms highlights some good practice to take on board when it comes to financial crime.

At the end of August, the SFC published a circular to provide its key findings, good practices and a number of deficiencies in meeting the expected regulatory standards for AML/CFT measures and controls. These included a thematic inspection focusing on 13 licensed corporations’ measures and controls for identifying and mitigating money laundering and terrorist financing (ML/TF) risks as well as reviews of the anti-money laundering (AML) and counter-financing of terrorism (CFT) policies, procedures and controls of around 270 licensed corporations during the SFC’s routine inspections.

Best practice in AML/CFT compliance

The regulator highlighted its findings in relation to AML/CFT compliance in institutional risk assessment, customer risk assessment, initial and ongoing CDD and suspicious transaction monitoring in the course of inspections. The SFC outlined some examples of good practice they observed which they suggest others could learn from as they develop systems and controls:

  • Institutional risk assessment – developing a detailed action plan. The report noted a licensed corporation who had carried out an institutional risk assessment looking at the inherent ML/TF risks and internal controls for each business line. Based on the result, a detailed action plan with recommended priorities was drawn up to address residual risks.
  • Customer risk assessment – using a scoring system to calculate individual customers’ risk scores.
  • Initial and ongoing CDD – setting a policy of mandating face-to-face meetings, obtaining additional information from external service providers to establish the source of wealth for customers who were identified to be PEPs. Conducting annual reviews of high-risk customers, daily PEP screening and adverse news searching for all of customers to identify new hits which might increase customers’ ML/TF risk levels.
  • Suspicious transaction monitoring – putting in place annual reviews of the parameters and thresholds used in automated transaction monitoring systems to ensure effectiveness in identifying potentially suspicious transactions and reducing false positives, not accepting third-party fund deposits, monitoring deposit patterns by individual customers and setting up a comprehensive set of red flags to enable staff to identify and access potential suspicious funds.

Areas for improvement in AML/CFT controls

The SFC also identified some deficiencies and inadequacies in meeting the expected regulatory standards. For example, some senior managers (including the ‘Managers in Charge’ of the AML/CFT function) failed to fulfil their responsibilities to ensure AML/CFT policies, procedures and controls are capable of addressing risks to which the firm is exposed.

  • Risk-based customer due diligence – The regulator also emphasised the importance of using a risk-based approach to determine the extent of CDD measures for corporate customers, collective investment schemes and politically exposed persons. Licenced corporations should ensure that profiles of high-risk customers (excluding those with dormant accounts) should be subject to annual reviews, and more frequently if deemed necessary by the licensed corporations, to ensure that the CDD information remains up-to-date and relevant.
  • Sanctions screening – For those licensed corporations who failed to incorporate relevant sanctions designations into their database maintained for screening customers or failed to implement procedures for ongoing sanction screening, the SFC pointed out that they should institute appropriate measures and allocate sufficient resources to maintain proper records for screening, and to implement procedures for ongoing sanctions screening against new or updated terrorists and sanctions lists after the establishment of business relationship .
  • Suspicious transaction monitoring – In relation to monitoring and reporting suspicious transactions, the SFC stressed that it’s a licensed corporation’s legal obligation to continuously monitor its business relationship with a customer in a number of ways. These include:

1. conducting appropriate scrutiny of transactions carried out for a customer to ensure that they are consistent with the firm’s knowledge of the customer, the customer’s business, risk profile and source of funds

2. identifying transactions which are complex, unusually large, have an unusual pattern or have no apparent economic or lawful purpose, and examining the background and purpose of those transactions.

The regulator made it clear that the findings and outcomes of these examinations as well as the rationale for decisions made should be properly documented in writing so as to demonstrate that the licensed corporation is handling unusual or suspicious activities appropriately.

AML/CFT will continue to be a priority for licensed corporations and associated entities. Senior managers should familiarise themselves with Appendix 2 of the circular to consider any applicable good practices and help develop their AML/CFT measures and controls.

Share this