Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorized Institutions)

Revised October 2018

CONTENTS

Chapter 1 Overview
Chapter 2 Risk-based approach
Chapter 3 AML/CFT Systems
Chapter 4 Customer due diligence
Chapter 5 Ongoing monitoring
Chapter 6 Terrorist financing, financial sanctions and proliferation financing
Chapter 7 Suspicious transaction reports and law enforcement requests
Chapter 8 Record-keeping
Chapter 9 Staff training
Chapter 10 Wire transfers
Chapter 11 Correspondent banking and other similar relationships
Chapter 12 Private banking
Glossary of key terms and abbreviations

Chapter 1 – OVERVIEW

Introduction

1.1 This Guideline is published under section 7 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) and section 7(3) of the Banking Ordinance (BO).

1.2 Terms and abbreviations used in this Guideline should be interpreted by reference to the definitions set out in the Glossary part of this Guideline. Where applicable, interpretation of other words or phrases should follow those set out in the AMLO or the BO.

1.3 This Guideline is issued by the Hong Kong Monetary Authority (HKMA) and sets out the relevant anti-money laundering and counter-financing of terrorism (AML/CFT) statutory and regulatory requirements, and the AML/CFT standards which Authorized Institutions (AIs), including Registered Institutions (RIs)[1], should meet in order to comply with the statutory requirements under the AMLO and the BO. Compliance with this Guideline is enforced through the AMLO and the BO. AIs which fail to comply with this Guideline may be subject to disciplinary or other actions under the AMLO and/or the BO for non-compliance with the relevant requirements.

1.4 This Guideline is intended for use by AIs and their officers and staff. This Guideline also:
(a) provides a general background on the subjects of money laundering and terrorist financing (ML/TF), including a summary of the main provisions of the applicable AML/CFT legislation in Hong Kong; and
(b) provides practical guidance to assist AIs and their senior management in designing and implementing their own policies, procedures and controls in the relevant operational areas, taking into consideration their special circumstances, so as to meet the relevant AML/CFT statutory and regulatory requirements.

1.5 The relevance and usefulness of this Guideline will be kept under review and it may be necessary to issue amendments from time to time.

[1] In addition to complying with this Guideline, RIs and associated entities that are AIs are required to have regard to paragraph 4.1.6 of the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism issued by the Securities and Futures Commission (SFC Guideline) for the definition of customer for the securities, futures and leveraged foreign exchange businesses, as well as paragraphs 7.13 and 7.14 of the SFC Guideline in identifying suspicious transactions for the securities, futures and leveraged foreign exchange businesses.

[s.7, AMLO]
1.6 For the avoidance of doubt, the use of the word “must” or “should” in relation to an action, consideration or measure referred to in this Guideline indicates that it is a mandatory requirement. Given the significant differences that exist in the organisational and legal structures of different AIs as well as the nature and scope of the business activities conducted by them, there exists no single set of universally applicable implementation measures. The content of this Guideline is not intended to be an exhaustive list of the means of meeting the statutory and regulatory requirements. AIs should therefore use this Guideline as a basis to develop measures appropriate to their structure and business activities.

1.7 This Guideline also provides guidance in relation to the operation of the provisions of Schedule 2 to the AMLO (Schedule 2). This will assist AIs to meet their legal and regulatory obligations when tailored by AIs to their particular business risk profile. A failure by any person to comply with any provision of this Guideline does not by itself render the person liable to any judicial or other proceedings but, in any proceedings under the AMLO before any court, this Guideline is admissible in evidence; and if any provision set out in this Guideline appears to the court to be relevant to any question arising in the proceedings, the provision must be taken into account in determining that question. In considering whether a person has contravened a provision of Schedule 2, the HKMA must have regard to any relevant provision in this Guideline.

1.8 A failure to comply with any provision of this Guideline may reflect adversely on whether an AI continues to comply with the authorization criteria set out in the Seventh Schedule to the BO, particularly paragraph 10 of which requires an AI to maintain on and after authorization adequate accounting systems and systems of control. The HKMA is empowered to exercise various provisions under the BO in case of non-compliance with the requirements set out in this Guideline.

The nature of money laundering and terrorist financing

[s.1, Sch. 1, AMLO]
1.9 The term “money laundering” (ML) is defined in section 1 of Part 1 of Schedule 1 to the AMLO and means an act intended to have the effect of making any property:
(a) that is the proceeds obtained from the commission of an indictable offence under the laws of Hong Kong, or of any conduct which if it had occurred in Hong Kong would constitute an indictable offence under the laws of Hong Kong; or
(b) that in whole or in part, directly or indirectly, represents such proceeds,
not to appear to be or so represent such proceeds.

1.10 There are three common stages in the laundering of money, and they frequently involve numerous transactions. An AI should be alert to any such sign for potential criminal activities. These stages are:
(a) Placement - the physical disposal of cash proceeds derived from illegal activities;
(b) Layering - separating illicit proceeds from their source by creating complex layers of financial transactions designed to disguise the source of the money, subvert the audit trail and provide anonymity; and
(c) Integration - creating the impression of apparent legitimacy to criminally derived wealth. In situations where the layering process succeeds, integration schemes effectively return the laundered proceeds back into the general financial system and the proceeds appear to be the result of, or connected to, legitimate business activities.

[s.1, Sch. 1, AMLO]
1.11 The term “terrorist financing” (TF) is defined in section 1 of Part 1 of Schedule 1 to the AMLO and means:
(a) the provision or collection, by any means, directly or indirectly, of any property –
  (i) with the intention that the property be used; or
  (ii) knowing that the property will be used,
in whole or in part, to commit one or more terrorist acts (whether or not the property is actually so used);
(b) the making available of any property or financial (or related) services, by any means, directly or indirectly, to or for the benefit of a person knowing that, or being reckless as to whether, the person is a terrorist or terrorist associate; or
(c) the collection of property or solicitation of financial (or related) services, by any means, directly or indirectly, for the benefit of a person knowing that, or being reckless as to whether, the person is a terrorist or terrorist associate.

1.12 Terrorists or terrorist organisations require financial support in order to achieve their aims. There is often a need for them to obscure or disguise links between them and their funding sources. It follows then that terrorist groups must similarly find ways to launder funds, regardless of whether the funds are from a legitimate or illegitimate source, in order to be able to use them without attracting the attention of the authorities.

Legislation concerned with ML, TF, financing of proliferation of weapons of mass destruction (PF) and financial sanctions

1.13 The Financial Action Task Force (FATF) is an inter-governmental body established in 1989. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating of ML, TF, PF, and other related threats to the integrity of the international financial system. The FATF has developed a series of Recommendations that are recognised as the international standards for combating of ML, TF and PF. They form the basis for a co-ordinated response to these threats to the integrity of the financial system and help ensure a level playing field. In order to ensure full and effective implementation of its standards at the global level, the FATF monitors compliance by conducting evaluations on jurisdictions and undertakes stringent follow-up after the evaluations, including identifying high-risk and other monitored jurisdictions which could be subject to enhanced scrutiny by the FATF or counter-measures by the FATF members and the international community at large. Many major economies have joined the FATF which has developed into a global network for international cooperation that facilitates exchanges between member jurisdictions. As a member of the FATF, Hong Kong is obliged to implement the latest FATF Recommendations[2] and it is important that Hong Kong complies with the international AML/CFT standards in order to maintain its status as an international financial centre.

1.14 The main pieces of legislation in Hong Kong that are concerned with ML, TF, PF and financial sanctions are the AMLO, the Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP), the Organized and Serious Crimes Ordinance (OSCO), the United Nations (Anti-Terrorism Measures) Ordinance (UNATMO), the United Nations Sanctions Ordinance (UNSO) and the Weapons of Mass Destruction (Control of Provision of Services) Ordinance (WMD(CPS)O). It is very important that AIs and their officers and staff fully understand their respective responsibilities under the different legislation.

[AMLO]
[s.23, Sch. 2]
1.15 The AMLO imposes requirements relating to customer due diligence (CDD) and record-keeping on AIs and provides the HKMA with the powers to supervise compliance with these requirements and other requirements under the AMLO. In addition, section 23 of Schedule 2 requires AIs to take all reasonable measures (a) to ensure that proper safeguards exist to prevent a contravention of any requirement under Parts 2 and 3 of Schedule 2; and (b) to mitigate ML/TF risks.

[2] The FATF Recommendations can be found on the FATF’s website (

[s.5, AMLO]
1.16 The AMLO makes it a criminal offence if an AI (1) knowingly; or (2) with the intent to defraud the HKMA, contravenes a specified provision of the AMLO. The “specified provisions” are listed in section 5(11) of the AMLO. If the AI knowingly contravenes a specified provision, it is liable to a maximum term of imprisonment of 2 years and a fine of 1 million upon conviction. If the AI contravenes a specified provision with the intent to defraud the HKMA, it is liable to a maximum term of imprisonment of 7 years and a fine of 1 million upon conviction.

[s.5, AMLO]
1.17 The AMLO also makes it a criminal offence if a person who is an employee of an AI or is employed to work for an AI or is concerned in the management of an AI (1) knowingly; or (2) with the intent to defraud the AI or the HKMA, causes or permits the AI to contravene a specified provision in the AMLO. If the person who is an employee of an AI or is employed to work for an AI or is concerned in the management of an AI knowingly contravenes a specified provision he is liable to a maximum term of imprisonment of 2 years and a fine of 1 million upon conviction. If that person does so with the intent to defraud the AI or the HKMA, he is liable to a maximum term of imprisonment of 7 years and a fine of 1 million upon conviction.

[s.21, AMLO]
1.18 The HKMA may take disciplinary actions against AIs for any contravention of a specified provision in the AMLO. The disciplinary actions that can be taken include publicly reprimanding the AI; ordering the AI to take any action for the purpose of remedying the contravention; and ordering the AI to pay a pecuniary penalty not exceeding the greater of 10 million or 3 times the amount of profit gained, or costs avoided, by the AI as a result of the contravention.

[DTROP]
1.19 The DTROP contains provisions for the investigation of assets that are suspected to be derived from drug trafficking activities, the freezing of assets on arrest and the confiscation of the proceeds from drug trafficking activities upon conviction.

[OSCO]
1.20 The OSCO, among other things:
(a) gives officers of the Hong Kong Police Force and the Customs and Excise Department powers to investigate organised crime and triad activities;
(b) gives the Courts jurisdiction to confiscate the proceeds of organised and serious crimes, to issue restraint orders and charging orders in relation to the property of a defendant of an offence specified in the OSCO;
(c) creates an offence of ML in relation to the proceeds of indictable offences; and
(d) enables the Courts, under appropriate circumstances, to receive information about an offender and an offence in order to determine whether the imposition of a greater sentence is appropriate where the offence amounts to an organised crime/triad related offence or other serious offences.

[UNATMO]
1.21 The UNATMO is principally directed towards implementing decisions contained in relevant United Nations Security Council Resolutions (UNSCRs) aimed at preventing the financing of terrorist acts and combating the threats posed by foreign terrorist fighters. Besides the mandatory elements of the relevant UNSCRs, the UNATMO also implements the more pressing elements of the FATF Recommendations specifically related to TF.

[s.25, DTROP & OSCO]
1.22 Under the DTROP and the OSCO, a person commits an offence if he deals with any property knowing or having reasonable grounds to believe it to represent any person’s proceeds of drug trafficking or of an indictable offence respectively. The highest penalty for the offence upon conviction is imprisonment for 14 years and a fine of 5 million.

[s.6, 7, 8, 8A, 13 & 14, UNATMO]
1.23 The UNATMO, among other things, criminalises the provision or collection of property and making any property or financial (or related) services available to terrorists or terrorist associates. The highest penalty for the offence upon conviction is imprisonment for 14 years and a fine. The UNATMO also permits terrorist property to be frozen and subsequently forfeited.

[s.25A, DTROP & OSCO, s.12 & 14, UNATMO]
1.24 The DTROP, the OSCO and the UNATMO also make it an offence if a person fails to disclose, as soon as it is reasonable for him to do so, his knowledge or suspicion of any property that directly or indirectly, represents a person’s proceeds of, was used in connection with, or is intended to be used in connection with, drug trafficking, an indictable offence or is terrorist property respectively. This offence carries a maximum term of imprisonment of 3 months and a fine of 50,000 upon conviction.

[s.25A, DTROP & OSCO, s.12 & 14, UNATMO]
1.25 “Tipping off” is another offence under the DTROP, the OSCO and the UNATMO. A person commits an offence if, knowing or suspecting that a disclosure has been made, he discloses to any other person any matter which is likely to prejudice any investigation which might be conducted following that first-mentioned disclosure. The maximum penalty for the offence upon conviction is imprisonment for 3 years and a fine.

[UNSO]
1.26 The UNSO provides for the imposition of sanctions against persons and against places outside the People’s Republic of China arising from Chapter 7 of the Charter of the United Nations. Most UNSCRs are implemented in Hong Kong under the UNSO.

[WMD(CPS)O]
[s.4, WMD(CPS)O]
1.27 The WMD(CPS)O controls the provision of services that will or may assist the development, production, acquisition or stockpiling of weapons capable of causing mass destruction or that will or may assist the means of delivery of such weapons. Section 4 of WMD(CPS)O prohibits a person from providing any services where he believes or suspects, on reasonable grounds, that those services may be connected to PF. The provision of services is widely defined and includes the lending of money or other provision of financial assistance.

Chapter 2 – RISK-BASED APPROACH

Introduction

2.1 The risk-based approach (RBA) is central to the effective implementation of an AML/CFT regime. An RBA to AML/CFT means that jurisdictions, competent authorities, and AIs are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate with those risks in order to manage and mitigate them effectively. RBA allows an AI to allocate its resources more effectively and apply preventive measures that are commensurate with the nature and level of risks, in order to focus its AML/CFT efforts in the most effective way. Therefore, an AI should adopt an RBA in the design and implementation of its AML/CFT policies, procedures and controls (hereafter collectively referred to as “AML/CFT Systems”) with a view to managing and mitigating ML/TF risks.

Institutional ML/TF risk assessment

2.2 The institutional ML/TF risk assessment forms the basis of the RBA, enabling an AI to understand how and to what extent it is vulnerable to ML/TF. The AI should conduct an institutional ML/TF risk assessment to identify, assess and understand its ML/TF risks in relation to:
(a) its customers;
(b) the countries or jurisdictions its customers are from or in;
(c) the countries or jurisdictions the AI has operations in; and
(d) the products, services, transactions and delivery channels of the AI.

2.3 The appropriate steps to conduct the institutional ML/TF risk assessment should include:
(a) documenting the risk assessment process which includes the identification and assessment of relevant risks supported by qualitative and quantitative analysis, and information obtained from relevant internal and external sources;
(b) considering all the relevant risk factors before determining what the level of overall risk is, and the appropriate level and type of mitigation to be applied;
(c) obtaining the approval of senior management on the risk assessment results;
(d) having a process by which the risk assessment is kept up-to-date; and
(e) having appropriate mechanisms to provide the risk assessment to the HKMA when required to do so.

2.4 In conducting the institutional ML/TF risk assessment, an AI should cover a range of factors, including:
(a) customer risk factors, for example:
  (i) its target market and customer segments;
  (ii) the number and proportion of customers identified as high risk;
(b) country risk factors, for example:
  (i) the countries or jurisdictions it is exposed to, either through its own activities or the activities of customers, especially countries or jurisdictions identified by credible sources, with relatively higher level of corruption or organised crime, and/or not having effective AML/CFT regimes;
(c) product, service, transaction or delivery channel risk factors, for example:
  (i) the nature, scale, diversity and complexity of its business;
  (ii) the characteristics of products and services offered, and the extent to which they are vulnerable to ML/TF abuse;
  (iii) the volume and size of its transactions;
  (iv) the delivery channels, including the extent to which the AI deals directly with the customer, the extent to which the AI relies on (or is allowed to rely on) third party to conduct CDD, the extent to which the AI uses technology, and the extent to which these channels are vulnerable to ML/TF abuse;
(d) other risk factors, for example:
  (i) the nature, scale and quality of available ML/TF risk management resources, including appropriately qualified staff with access to ongoing AML/CFT training and development;
  (ii) compliance and regulatory findings;
  (iii) results of internal or external audits.

2.5 The scale and scope of the institutional ML/TF risk assessment should be commensurate with the nature, size and complexity of the AI’s business.

2.6 The institutional ML/TF risk assessment should consider any higher risks identified in other relevant risk assessments which may be issued from time to time, such as Hong Kong’s jurisdiction-wide ML/TF risk assessment and any higher risks notified to the AIs by the HKMA.

2.7 A locally-incorporated AI with branches or subsidiaries, including those located outside Hong Kong, should perform a group-wide ML/TF risk assessment.

2.8 For the purpose of paragraphs 2.2 and 2.7, if an AI is a part of a financial group and a group-wide or regional ML/TF risk assessment has been conducted, it may make reference to or rely on those assessments provided that the assessments adequately reflect ML/TF risks posed to the AI in the local context.

2.9 To keep the institutional ML/TF risk assessment up-to-date, an AI should conduct its assessment every two years and upon trigger events which are material to the AI’s business and risk exposure.

New products, new business practices and use of new technologies

2.10 An AI should identify and assess the ML/TF risks that may arise in relation to:
(a) the development of new products and new business practices, including new delivery mechanisms; and
(b) the use of new or developing technologies for both new and pre-existing products.

2.11 An AI should undertake the risk assessment prior to the launch of the new products, new business practices, or the use of new or developing technologies, and should take appropriate measures to manage and mitigate the risks identified.

Customer risk assessment

2.12 An AI should assess the ML/TF risks associated with a proposed business relationship, which is usually referred to as a customer risk assessment. The assessment conducted at the initial stage of the CDD process would determine the extent of CDD measures to be applied[3]. This means that the amount and type of information obtained, and the extent to which this information is verified, should be increased where the ML/TF risks associated with the business relationship are higher. It may also be simplified where the ML/TF risks associated with the business relationship are lower. The risk assessment conducted will also assist the AI to differentiate between the risks of individual customers and business relationships, as well as apply appropriate and proportionate CDD and risk mitigating measures[4].

[3] For the avoidance of doubt, except for certain situations specified in Chapter 4, an AI should always apply all the CDD measures set out in paragraph 4.1.3 and conduct ongoing monitoring of its customers.

[4] An AI should adopt a balanced and common sense approach when conducting a customer risk assessment and applying CDD measures, which should not pose an unreasonable barrier to bona fide businesses and individuals accessing services offered by the AI.

2.13 Based on a holistic view of the information obtained in the context of the application of CDD measures, an AI should be able to finalise the customer risk assessment[5], which determines the level and type of ongoing monitoring (including ongoing CDD and transaction monitoring), and support the AI’s decision whether to enter into, continue or terminate, the business relationship. As the customer risk profile will change over time, an AI should review and update the risk assessment of a customer from time to time, particularly during ongoing monitoring.

2.14 Similar to other parts of the AML/CFT Systems, an AI should adopt an RBA in the design and implementation of its customer risk assessment framework, and the complexity of the framework should be commensurate with the nature and size of the AI’s business, and should be designed based on the results of AI’s institutional ML/TF risk assessment. In general, the customer risk assessment framework will include customer risk factors; country risk factors; and product, service, transaction or delivery channel risk factors[6].

2.15 An AI should keep records and relevant documents of its customer risk assessments so that it can demonstrate to the HKMA, among others: (a) how it assesses the customer’s ML/TF risks; and (b) the extent of CDD measures and ongoing monitoring is appropriate based on that customer’s ML/TF risks.

[5] This is sometimes also called a “customer risk profile”.

[6] Further guidance can be found in Chapter 4.

Chapter 3 – AML/CFT SYSTEMS

AML/CFT Systems

[s.23, Sch. 2]
3.1 An AI should take all reasonable measures to ensure that proper safeguards exist to mitigate the risks of ML/TF and to prevent a contravention of any requirement under Part 2 or 3 of Schedule 2. To ensure compliance with this requirement, the AI should implement appropriate AML/CFT Systems following the RBA as stated in paragraph 2.1.

[s.23(b), Sch. 2]
3.2 An AI should:
(a) have AML/CFT Systems, which are approved by senior management, to enable the AI to effectively manage and mitigate the risks that are relevant to the AI;
(b) monitor the implementation of those AML/CFT Systems referred to in (a), and to enhance them if necessary; and
(c) take enhanced measures to manage and mitigate the risks where higher risks are identified.

3.3 The nature, scale and complexity of AML/CFT Systems may be simplified provided that:
(a) an AI complies with the statutory requirements set out in the Schedule 2 of the AMLO and the requirements set out in paragraphs 2.2, 2.3 and 3.2;
(b) the lower ML/TF risks which form the basis for doing so have been identified through an appropriate risk assessment (e.g. institutional ML/TF risk assessment); and
(c) simplified AML/CFT Systems, which are approved by senior management, are subject to review from time to time.
However, AML/CFT Systems are not permitted to be simplified whenever there is a suspicion of ML/TF.

3.4 An AI should implement AML/CFT Systems having regard to the nature, size and complexity of its businesses and the ML/TF risks arising from those businesses, and which should include:
(a) compliance management arrangements;
(b) an independent audit function;
(c) employee screening procedures; and
(d) an ongoing employee training programme (see Chapter 9).

Compliance management arrangements

3.5 An AI should have appropriate compliance management arrangements that facilitate the AI to implement AML/CFT Systems to comply with relevant legal and regulatory obligations as well as to manage ML/TF risks effectively. Compliance management arrangements should, at a minimum, include oversight by the AI’s senior management, and appointment of a Compliance Officer (CO) and a Money Laundering Reporting Officer (MLRO)[7].

Senior management oversight

3.6 Effective ML/TF risk management requires adequate governance arrangements. The board of directors or its delegated committee (where applicable), and senior management of an AI should have a clear understanding of its ML/TF risks and ensure that the risks are adequately managed. Management information regarding ML/TF risks and the AML/CFT Systems should be communicated to them in a timely, complete, understandable and accurate manner so that they are equipped to make informed decisions.

3.7 The senior management of an AI is responsible for implementing effective AML/CFT Systems that can adequately manage the ML/TF risks identified. In particular, the senior management should appoint a CO at the management level to have the overall responsibility for the establishment and maintenance of the AI’s AML/CFT Systems; and a senior staff as the MLRO to act as the central reference point for suspicious transaction reporting.

3.8 In order that the CO and MLRO can discharge their responsibilities effectively, senior management should, as far as practicable, ensure that the CO and MLRO are:
(a) appropriately qualified with sufficient AML/CFT knowledge;
(b) subject to constraint of size of the AI, independent of all operational and business functions;
(c) normally based in Hong Kong;
(d) of a sufficient level of seniority and authority within the AI;
(e) provided with regular contact with, and when required, direct access to senior management to ensure that senior management is able to satisfy itself that the statutory obligations are being met and that the business is taking sufficiently effective measures to protect itself against the risks of ML/TF;
(f) fully conversant with the AI’s statutory and regulatory requirements and the ML/TF risks arising from the AI’s business;
(g) capable of accessing, on a timely basis, all available information (both from internal sources such as CDD records and external sources such as circulars from the HKMA); and
(h) equipped with sufficient resources, including staff and appropriate cover for the absence of the CO and MLRO (alternate or deputy CO and MLRO who should, where practicable, have the same status).

[7] Depending on the size of an AI, the functions of CO and MLRO may be performed by the same person.

CO and MLRO

3.9 The principal function of the CO is to act as the focal point within an AI for the oversight of all activities relating to the prevention and detection of ML/TF, and providing support and guidance to the senior management to ensure that ML/TF risks are adequately identified, understood and managed. In particular, the CO should assume responsibility for:
(a) developing and/or continuously reviewing the AI’s AML/CFT Systems, including any

