Addressing the HKMA Circular on Balanced and Effective AML/CFT Measures in Private Banking: Key Actions and Recommendations

On 7 March 2023, the Hong Kong Monetary Authority (HKMA) released an advisory statement on Balanced and Effective Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) Measures in Private Banking, providing private banks with further guidance on key AML/CFT requirements.1


Despite the high potential exposure to money laundering and terrorism financing (ML/TF) faced by private banks, due to the nature of their client base, the size of the transactions they handle, and the complexity of the financial products they offer, the majority of their client base consists of legitimate customers. This means conducting the required level of due diligence tends to put an unnecessary strain on the banks’ operations while simultaneously inconveniencing their customers.

To balance operational and business requirements and customer experience with the need for risk mitigation, the HKMA’s new circular calls for the adoption of a risk-based approach (RBA) in the business practices of authorised institutions (AIs) and emphasises the need to prevent undue burden on legitimate businesses. This new circular aligns with the Financial Action Task Force (FATF) recommendations and HKMA FAQ regarding AML/CFT and coincided with the release of the Monetary Authority of Singapore (MAS) circular on ML/TF Risks in the Wealth Management Sector.

What you should know about the circular

The quantum of customer due diligence (CDD) required to protect AIs from ML/TF risks has seen a significant increase. This corresponds to the complexity of know-your-customer (KYC) policies (as recommended by regulators) and the rapid growth of the high-net-worth individual (HNWI) customer base. Through recent customer feedback, the HKMA has recognised the burden such a level of scrutiny places on legitimate customers and concluded that the use of RBA in line with FATF recommendations would be the prudent course of action for AIs.

The guiding principles for RBA include:

  • Risk differentiation: Differentiate the risk across customer segments based on factors like geographical, business, supply chain or distribution channel, and product and service risks. This approach should be flexible and in line with the actual risk posed by different customer segments.
  • Proportionality: Customise the level of due diligence based on the risk. AIs should avoid imposing enhanced due diligence (EDD) on customers with lower risk.
  • Not a zero-failure regime: Regulators understand that RBA is not a perfect regime in terms of due diligence and that some risk might go undetected. To mitigate this residual risk, AIs should implement an efficient transaction monitoring system to detect suspicious client activity and report it to the relevant authorities with appropriate mitigation measures.

AIs should review their existing policies to ensure compliance with RBA. The HKMA is urging AIs to adopt RBA in their AML/CFT policies to reduce the burden on private banks and customers during onboarding, ongoing monitoring, and adoption of new AML/CFT regulations.

Certain scenarios where the application of RBA should be considered, as recommended by the HKMA, include:

  a. This information is crucial for RBA and ongoing monitoring. The regulator advises using third-party databases and public sources to verify the origin of wealth. AIs are not expected to establish source of wealth (SOW) and source of funds (SOF) for every customer. Instead, risk-based collection, clarification, and corroboration should be performed based on underlying risk.

  b. RBA may be extended in cases where there is a former or an international politically exposed person (PEP), and EDD measures may be implemented depending on the risk identified.

  c. When dormant accounts are reopened, trigger event CDD reviews are conducted. AIs may establish a stipulated timeline for such reviews based on the account’s risk level.

  d. The nature of the document determines the document’s validity or ‘current’ status. If a document does not have an expiry date, confirmation from the client regarding its status is acceptable.

The HKMA requires AIs to treat customers fairly while implementing RBA. This entails transparent, reasonable, and efficient procedures for account opening and operations. By promoting RBA, the regulator is taking a proactive role in promoting regtech adoption. It also advocates for a comprehensive AML/CFT approach that goes beyond due diligence and leverages technology to identify customer risks.

Our recommendations

Recognising the challenges that AIs face, we recommend that private banks:

  1. Senior management oversight is required to establish a strong control framework around RBA. Implement a balanced and risk-targeted approach to optimise CDD measures.

  2. Segment the risks into categories, such as customer risk, geographical risk, product and business vulnerability risk, and channel risk, to effectively manage them. Additionally, we recommend that you identify fiscal and tax risks for your clients.

  3. Formulate controls not only to meet the regulatory requirements but also to curb ML/TF risks. Map your existing processes, identify the gaps, and implement risk-based control nodes.

  4. Integrating KYC and transaction monitoring processes with advanced monitoring systems that use artificial intelligence and network link analysis (NLA) can improve money laundering detection and ongoing monitoring of customer activity.

Speak with our experts to find out more about the industry’s best practices and what your organisation should do to ensure adherence to regulatory requirements and effective risk management.