This article was written by Richard Mazzochi, Urszula McCormack, Leonie Tear and Alison Leung.
Remote onboarding of customers by banks in Hong Kong* has rapidly gained pace as the “go-to” for fast and innovative service delivery. Momentum that was already building with the advent of virtual banks has accelerated as demand for digital financial service delivery in the post-COVID-19 world has strengthened. At the same time, remote onboarding and straight-through-processing carry regulatory compliance points that need to be addressed to deal with elevated money laundering / terrorist financing (ML/TF) risks.
The Hong Kong Monetary Authority (HKMA) has published a circular to provide concrete feedback on the recent thematic reviews of remote onboarding initiatives from engagement with banks and fintech firms.
This alert summarises the HKMA’s expectations, key observations and good practices in anti-money laundering and counter-financing of terrorism (AML/CFT) control measures for remote customer onboarding initiatives. It also describes other key initiatives, including the role of remote onboarding for key Greater Bay Area initiatives.
Regulatory expectations and good practices
The HKMA circular sets out the regulatory expectations as well as examples of good practices observed during thematic reviews.
Banks are encouraged to refer to them when launching remote customer onboarding initiatives or to help benchmark current practices.
The following table summarises the key messages.
||Good practices observed
- Adopt a task force style approach comprising different front-line departments and second line control functions to undertake the assessment.
- Seek early supervisory feedback through the HKMA Fintech Supervisory Chatroom and testing results obtained through the Fintech Supervisory Sandbox to fine-tune the assessment to effectively identify ML/TF risks.
- Consider whether internal capabilities are sufficient to formulate suitable test cases.
- Conduct due diligence on and work closely with the third-party vendor when adopting off-the-shelf solutions to:
- ensure it has an appropriate level of understanding of how the solutions work (including the benefits and limitations of the solutions, the algorithms used and the features / attributes matched by the artificial intelligence in the process); and
- identify and reduce the risk of the technology solution delivering unintended and inappropriate outcomes.
- Consider other key risks including ML/TF risk, impersonation risk and any additional risks due to changes in AML/CFT control processes.
- Banks must demonstrate that customer due diligence (CDD) measures are commensurate with the associated ML/TF risks. For example, when onboarding higher-risk applicants, banks can:
- use teleconference or video conference; and
- require first payments from same-name accounts at other banks to activate the new account.
- Adopt a phased approach when launching remote onboarding services:
- initially targeting lower-risk customer segments and limiting the service scope (eg limited account functionality, lower transaction limits, restricting straight-through account opening); and
- incrementally expanding the customer segment and service scope based on operating experience and constant assessment.
- Adopt ongoing quality assurance processes over the end-to-end AML/CFT controls for remote on-boarding.
- Manual check of selfie images, ID documents and liveness detection processes (eg false-acceptance and false-rejection rate) to assess performance of new technology solution. Sample sizes can reduce over time taking into account the performance of technology.
- Impose restrictions (eg limiting the amount of funds which could be transferred out) on straight-through account opening process until the manual checks are completed.
- Follow up on any irregularities detected (eg discuss fine-tuning with vendors).
- Conduct post-implementation reviews after remote onboarding initiatives are up and running, covering:
- any emerging risks or new ways to “deceive” the artificial intelligence embedded in the technology solution; and
- any additional risks due to changes in existing control processes.
- Implement a monitoring system which is tailored to the risk profile of the whole customer relationship.
- Additional ongoing monitoring may be required if customers are on-boarded remotely (eg apply specific rules-based transaction monitoring detection scenarios for customers on-boarded remotely).
- Pool resources from both transaction monitoring and fraud prevention teams, for example:
- Establish internal working groups with members from both teams to share information regularly, conduct trend analysis and joint investigations (if necessary)
- Adopt the same escalation flow and case management system to manage alerts generated from both the case transaction monitoring and fraud prevent systems.
The HKMA emphasised that these practices are not an exhaustive list for meeting regulatory expectations. Banks must comply with all relevant guidance including the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorized Institutions). Institutional ML/TF risk profiles differ and it is important for banks to ensure control measures are commensurate with assessed risks.
Other key developments in this area
Virtual banking and remote onboarding are growing in popularity to meet an increasing digital economy across the region.
Regulation is developing at pace to match the need and technology growth. Banks should be aware of the following developments.
HKMA COVID-19 guidance: Convenience with controls
Banks in Hong Kong, and across the APAC region continue to play a critical role in the provision of banking services during the COVID-19 pandemic. For its part, the HKMA has issued guidance encouraging banks to provide greater convenience to customers but with appropriate risk mitigants in place.
In summary, the HKMA has highlighted the need to:
- use appropriately trustworthy technology to facilitate remote onboarding and minimise CDD for accounts opened to receive government handouts;
- be vigilant about emerging ML/TF risks, including face mask scams; and
- continue to file timely suspicious transaction reports and speak to the HKMA early if compliance teams were struggling under COVID-19 restrictions.
See our KWM COVID-19 FATF Report Alert for further detail.
SFC remote onboarding guidance
The Securities and Futures Commission (SFC) published the procedural steps to be observed by licensed corporations when onboarding overseas individual clients including:
- using appropriate and effective technology to authenticate identification documents;
- using effective processes and technology, such as biometrics to verify the client matches the documentation provided;
- executing client agreements electronically;
- obtaining a deposit of at least HK$10,000 to the licensed corporation’s bank account from another account in the client’s name with a bank supervised by a regulator in an eligible jurisdiction; and
- maintaining policies and procedures for proper record keeping, staff training and audit of the above processes.
See our alert, KWM SFC Remote Onboarding Alert for further detail.
HKMA Regtech Watch
The HKMA has recognised the growing importance of regulatory technology (or “regtech”) for ML/TF risk management. The latest issue of the Regtech Watch cites remote onboarding as a regtech use case that may help to make the implementation of AML/CFT measures within the banking industry more effective and efficient. It describes with illustration the two-stage approach to identifying and verifying the identity of an individual customer using technology for two key purposes:
Dovetailing into Greater Bay Area initiatives
The anticipated establishment of wealth management and insurance connect schemes will enable residents of Hong Kong and Mainland cities in the Guangdong-Hong Kong-Macao Greater Bay Area (Greater Bay Area) to invest in wealth management and insurance products originated anywhere in the GBA.
Remote onboarding will be vital to the sale of these products. See updates on the latest development of the various initiatives regarding the Greater Bay Area in the Hong Kong 2020-21 Budget Speech.
What banks should do
Good practices are often a precursor to both enabling innovation to go forward, as well as signalling a potential regulatory enforcement focus in the near to mid-term. It therefore merits attention as both a carrot and a stick.
The key actions are as follows:
For banks who have already deployed remote onboarding - benchmark your compliance approach to the regulatory expectations and good practices set out above. Self-identifying improvements early is the best protection against future downside risk.
For banks who have not yet deployed remote onboarding – consider whether this is hampering reasonable access to your products and services, and what obstacles remain. If you choose to deploy, consider the HKMA guidance and core AMLO obligations.
For all banks with a regional footprint – think about how you will respond to emerging Greater Bay Area initiatives.
Compliance, transaction monitoring and fraud prevention teams should also work closely with the technical teams or third-party vendors throughout the design, introduction and ongoing review of the remote customer onboarding process.
To date, we have worked with multiple banks and industry to craft strong remote onboarding processes. If you have new ideas, speak to us and/or your regulatory contacts.
*Any reference to “Hong Kong” or “Hong Kong SAR” shall be construed as a reference to “Hong Kong Special Administrative Region of the People’s Republic of China”.