Background: developments in regulatory standards
The Financial Action Task Force (FATF) has evolved its standards and expectations on non-face-to-face account opening since it launched the risk-based approach as one of the key changes to the FATF Recommendations in 2012.[1] In its Interpretative Note to Recommendation 10 published at the same time, the FATF noted “non-resident customers” and “non-face-to-face business relationships or transactions” as examples of high-risk situations for undertaking customer due diligence (CDD).[2] In its more recent guidance on “Digital Identity”, published in March 2020, the FATF clarified that these circumstances should not always be classified as higher risk and were only examples of circumstances where the risk may potentially be higher.[3] The FATF also noted that, in certain circumstances, the evolution of digital ID technology and other processes mean that non-face-to-face transactions may now present a standard level of risk or may even be lower risk.[4]
Governments and regulators globally are continuing to reassess the traditional mindset of rating non-face-to-face account opening as high risk and are generally adopting a forward-looking approach of encouraging the use of technology subject to applying a risk-based assessment. In Hong Kong, in general, the Anti-Money Laundering and Counter-Terrorist Financing Ordinance requires financial institutions to take additional measures to address any increased risks associated with customers not being physically present for identification purposes. Hong Kong’s financial regulators, including the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC), have provided flexibility in online customer onboarding within a risk-controlled environment.
Guidance by the HKMA
On 1 February 2019, the HKMA issued a circular to Authorised Institutions (AIs) on the remote onboarding of individual customers (“Onboarding Circular”)[5] that, together with the revised Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorised Institutions) (“HKMA AML Guidelines”) published in October 2018 (effective in November 2018),[6] clarified the HKMA’s regulatory expectations with respect to remote customer onboarding. The HKMA AML Guidelines, as updated in late 2018, reduced unintentional barriers to the use of technology in AIs’ anti-money laundering/combating the financing of terrorism (AML/CFT) systems (e.g., by allowing the use of different methods to mitigate the risks during non-face-to-face account opening).
In the Onboarding Circular, the HKMA highlighted the need for AIs to conduct AML/CFT risk assessments proportionate to the nature, size and complexity of their businesses prior to the launch of remote onboarding initiatives, and to ensure that any technology solutions adopted by AIs should be at least as robust as checks performed in person. Where the individual customer’s identity is determined through electronic channels, the HKMA expects an AI’s remote onboarding procedures to cover the following two areas:
- Identity authentication — AIs should take appropriate measures to ensure the reliability of the documentation obtained to verify identity, including utilising technology to determine the genuineness of the identity document (e.g., hologram detection and detection of the security features of identity documents).
- Identity matching — AIs should use appropriate technology (e.g., biometric solutions such as facial recognition and liveness detection) to link the customer to the identity verification documentation.
As far as investment accounts are concerned, the HKMA also provided further guidance for Registered Institutions (RIs). The HKMA issued a circular on 23 August 2019[7] in which it referred to the SFC designated web page for acceptable non-face-to-face approaches for opening accounts by RIs. The HKMA clarified that if an RI has already established the true identity of a customer when opening a bank account, the RI is not separately required to re-verify the customer’s identity when opening an investment account for the same customer, which will reduce any duplication of work.
HKMA thematic review
On 3 June 2020, the HKMA released feedback from its thematic review of AML/CFT control measures for remote customer onboarding initiatives.[8] The review covered remote on-boarding initiatives, insights and observations from engagement with AIs and technology firms in the Fintech Supervisory Sandbox and Chatroom, as well as supervision of virtual banks that have commenced or that are in the process of commencing business. The HKMA has provided four high-level regulatory expectations with key observations and good practices:
- AIs should adequately assess AML/CFT risks associated with a remote on-boarding initiative prior to its launch.
  - Detailed assessment is undertaken on the system, including its features, benefits and limitations, the attributes of the artificial intelligence/algorithms, etc., involved in the authentication process.
  - There is no specific formula for the assessment process. AIs may use task force-style approaches and formal or stand-alone formats with iterations.
- AIs should apply a risk-based approach in the design and implementation of AML/CFT control measures for remote on-boarding initiatives.
  - A phased implementation process is adopted before a full launch, which initially limits the scope of customers (e.g., low-risk customer segments) or limits the scope of available services.
  - Remote on-boarding is not made available to certain high-risk customers and additional measures are implemented to address the related risks, e.g., using teleconferences/videoconferences.
- AIs should monitor and manage the ability of the technology adopted to meet AML/CFT requirements on an ongoing basis.
  - Parallel manual processes may be adopted at the initial phase to assess system effectiveness and accuracy (e.g., manual checks on selfie images, ID documents and liveness detection processes).
  - Post-implementation reviews, which may be part of ongoing arrangements or may be stand-alone, are taken to identify any new or emerging risks due to technology adoption or changes to existing control processes.
- Ongoing monitoring should take into account vulnerabilities associated with the product and delivery channel.
  - CDD undertaken at on-boarding is combined with other ongoing monitoring processes tailored to the risk profile of customer relationships, e.g., using rule-based detection scenarios or different data points to monitor customer behaviour to mitigate risks.
The SFC has provided guidance on remote customer onboarding from both the AML and the conduct compliance perspectives. In line with the FATF standards and in a similar manner to the updates to the HKMA AML Guidelines, in October 2018, the SFC released changes to the Guideline on Anti-Money Laundering and Counter-Terrorist Financing (“SFC AML Guidelines”), which took effect from November 2018.[9] The revisions enabled a licensed corporation to adopt a risk-based approach in determining the extent of additional measures to mitigate any increased risk (including impersonation risk) in the case of a non-face-to-face account opening. The additional measures include:
- certifying copies of identification documents by an appropriate person
- checking relevant data against reliable databases or registries
- using appropriate technology, etc.
The extent of additional measures is subject to a risk assessment regarding the nature and characteristics of the product or service and the risk posed by the customer. A case-by-case assessment is to be undertaken to determine whether a particular measure is acceptable and could adequately guard against impersonation risk. In implementing the new measures, the SFC emphasised flexibility by stating that it did not intend to propose specific examples of appropriate technology, reliable databases or registries in the SFC AML Guidelines. It also proposed that it would consider the need to provide additional guidance taking into account future FATF guidance and technological developments.
In respect of the conduct requirements under paragraph 5 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, the SFC has provided a designated web page[10] with information on acceptable account opening approaches. Any of the following approaches are permitted:
| No. | Approach | Requirements |
|---|---|---|
| 1 | Certified by other persons | Signing client agreements and sighting related identity documents to be certified by designated persons. The SFC expects that any affiliate performing client identity verification for account opening purposes should be a regulated financial institution. |
| 2 | Certification services | Use of certification services recognised by the Electronic Transactions Ordinance |
| 3 | Mail approach | Comply with all of the following steps: (i) client provides a signed physical copy of the client agreement together with a copy of the client’s identity document; (ii) a cheque bearing the client’s name (as in the identity document) and the client’s signature (as in the client agreement) is encashed from the client’s account with a Hong Kong-licensed bank in an amount of no less than HKD 10,000; (iii) inform the client of the account opening procedures and conditions (in particular, the cheque clearance requirement); and (iv) keep proper records. |
| 4 | Online onboarding of clients using a designated bank account in Hong Kong | Comply with all of the following steps: (i) obtain a client agreement signed using an electronic signature together with a copy of the client’s identity document; (ii) successfully transfer to the financial institution’s bank account no less than HKD 10,000 from the client’s account with a Hong Kong-licensed bank; (iii) use the same account for all future deposits/withdrawals; and (iv) keep proper records that are accessible for compliance and audit purposes. |
| 5 | Remote onboarding of overseas individual clients | Comply with all of the following steps as detailed in the SFC circular on 28 June 2019[11] regarding overseas individual clients: (i) identity document authentication; (ii) identity verification; (iii) execution of client agreements by way of electronic signature; (iv) successfully transfer to the financial institution’s bank account no less than HKD 10,000 from the client’s account with a bank that is regulated in an eligible jurisdiction and use the same account for future deposits/withdrawals; and (v) record keeping. |
Actions to consider
In a changing market where being online and offering a smooth onboarding process are now “expected” or “normal” rather than “nice to have,” AIs and licensed corporations may wish to explore what steps they need to take to offer this channel in a compliant manner. To do this, AIs and licensed corporations should:
- Conduct a pre-launch assessment to assess the operating methodologies of new and existing systems and risks, including internal and external factors such as limitations for systems that may be purchased off the shelf or as an outsourced software-as-a-service solution.
- Revise and update internal policies, procedures and client documentation to cater for remote client onboarding and continue to assess and address the core risks of AML/CFT in the online environment.
- Consider each of the key recommendations of the HKMA/SFC (as appropriate) and determine the manner in which they have or will be addressed in any current or planned processes and procedures.
- Provide regular training and maintain proper records and audit trails of the assessments undertaken.
[3] http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/Guidance-on-Digital-Identity.pdf, paragraph 88.
[4] http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/Guidance-on-Digital-Identity.pdf, paragraph 89.
[8] https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2020/20200603e1.pdf and annex https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2020/20200603e1a1.pdf.