Background
On 31 May 2019, the Securities and Futures Commission (SFC) published a circular in relation to third-party deposits and payments of licensed corporations (LCs) (Circular) together with an appendix on key control measures and examples of effective practices (Appendix).
The SFC has become increasingly concerned about the risks associated with third-party deposits and payments to or from accounts maintained by clients with LCs. When a client uses a third-party to pay for or receive proceeds of investment transactions, there are risks that the arrangement might have been used to disguise the true beneficial owner or the source of funds for evading regulatory requirements and/or conducting unlawful activities such as misappropriation of client assets, money laundering and terrorist financing (ML/TF) and other misconduct or crime. These may undermine market integrity and prejudice the interest of investors.
In a number of recent enforcement cases, the SFC found that the internal systems and controls put in place by LCs for handling or scrutinising third-party deposits and payments did not meet the expected standards or were not properly enforced by the responsible officers.
In this article, we summarise the Circular by setting out the key standard of conduct expected from LCs in implementing policies, procedures and controls to mitigate the risk involved in third-party deposits or payments and reminding LCs of their existing obligations under the AML Guideline[1], AMLO[2] and Code of Conduct[3].
Expected standards and control measures
In view of the risks associated with these arrangements, the SFC has made it very clear that firms should discourage these arrangements and should only accept them under exceptional and legitimate circumstances having regard to the client's profile and normal commercial practices.
LCs are highly encouraged to implement robust systems and procedures that can be reasonably expected to protect client assets as well as to detect and prevent risks associated with third-part payment arrangements. Here are a few suggestions by the SFC.
- LCs must clearly define in their policies and procedures the exceptional and legitimate circumstances under which third-party deposits and payments may be permitted and provide examples of acceptable third-party payors and payees. These policies and procedures should be approved by senior management and effectively communicated to all relevant staff members.
- LCs must only accept any third-party payment arrangements when effective monitoring systems and control measures are implemented to mitigate the associated risks and the applicable legal and regulatory requirements are adhered to.
- LCs must designate the Manager-In-Charge (MIC) of Anti-money Laundering and Counter-Terrorist Financing (AML/CFT) to oversee the design, implementation and ongoing monitoring of the policies and procedures for handling third-party deposits and payments. All these transactions should be subject to approval by the MIC of AML/CFT or Money Laundering Reporting Officer (MLRO). LCs should also appoint staff members responsible for carrying out the control measures and clearly delineate their duties. In 2017, an LC was reprimanded and fined HK$2.6 million for its senior management and Compliance Department's failure to implement appropriate internal procedures and controls to detect, assess, enquire and monitor red flag third-party deposits. The SFC also found evidence showing a lack of mutual understanding of respective roles and responsibilities in the handling of third party deposits among the senior management and staff.
- LCs must conduct due diligence on ANY third-party deposit or payment requests to determine:
- the identity of the third-party payor or payee. LCs should adopt a risk-sensitive approach. Relatively low-risk third-party payors or payees include immediate family members, beneficial owners and affiliated companies of corporate clients and regulated custodians and lending institutions. Others posing higher risks should be subject to a dual approval process by the MIC of AML/CFT or MLRO and a member of senior management.
- the relationship between the client and the third-party payor or payee. LCs should exercise increased caution when the relationship is difficult to verify, insufficient details of the identity of the third-party is provided for verification or the third-party payor or payee makes or receives payments for several seemingly unrelated clients, which may suggest nominees or warehousing arrangements to facilitate market and corporate misconduct.
- the reason and the need for receiving the deposit from or making the payment to the third-party. LCs should take all appropriate measures (e.g. making prompt follow-up inquiries and obtaining evidence) to ensure that a third-party deposit or payment will only be accepted when it is reasonably in line with the client's profile and normal commercial practices, including the frequency and pattern of previous transactions.
- In 2017, the SFC reprimanded and fined an LC HK$3 million over multiple AML/CFT internal controls failures, including, amongst other things, failure to enquire third-party deposits and to ensure effective approval process of third-party deposits. The RO (also being the former managing director) was also suspended for 6 months as a result.
- LCs must vigilantly monitor client accounts involving third-party deposits and payments, and stay alert to red flags, especially potentially suspicious transactions where the true beneficial ownership is concealed. A suspicious transaction report should be made to the Joint Financial Intelligence Unit (JFIU) and other authorities (such as the SFC and the Police) when there may be a suspicion of ML or TF.
- In 2017, an LC was found to have breached the AML Guidance, AMLO and Code of Conduct for failing to conduct ongoing due diligence and scrutiny on clients' transactions and to identify a large number of frequent and complex, unusual large transactions and unusual patterns of transactions which have no apparent economic or lawful purpose. The LC was reprimanded and fined HK$4.5 million. Similarly, another LC was reprimanded and fined HK$3 million for failing to identify suspicious third-party transactions and perform appropriate customer due diligence. The RO (also being the former managing director) was prohibited from re-entering the industry for 9 months.
- In late 2018, an authorised institution (AI) was found to have contravened the AMLO by failing to identify and handle non-compliant wire transfers and implement effective customer due diligence procedures in identifying and verifying the beneficial owners of certain customers before entering into any business relationship with them. The AI was reprimanded and fined HK$12.5 million by the Hong Kong Monetary Authority.
- In early 2019, the SFC reprimanded and fined another LC HK$15.2 million, which is by far the highest fine imposed for similar failure, for turning a blind eye to more than 2,200 suspicious third-party deposits totalling over HK$2.3 billion in 14 months. The LC was criticised for not making a timely report to the JFIU despite the suspicious circumstances and failing to put in place any systems or controls regarding customer due diligence of third-party depositors. The RO (also being the former head of retail brokerage) was banned from re-entering the industry for 10 months as a result.
- LCs must require clients to designate bank accounts held in their own names or the names of acceptable third parties for the making of all deposits and withdrawals. This facilitates LCs in performing due diligence on the third-party payor or payee and ascertain sources and destinations of the transaction proceeds.
- LCs must inform clients in writing of their policies for handling third-party payment arrangements, including policies for rejecting or accepting them under exceptional and legitimate circumstances, requirements to provide supporting documents to ascertain sources of deposits, verification procedures for third-party payor or payee, and the return policy on rejected third-party deposits.
Our observations
The SFC's discouragement on third-party deposits and payments is in no ambiguous terms. LCs are reminded to assess compliance risks with much caution when formulating its policy on third-party deposits and payments. It is clear that the SFC and other regulators are actively investigating into control failures regarding third-party deposit and payment arrangements and will continue to monitor compliance following the Circular.
It should also be noted that the Appendix is not an exhaustive list of the control measures and practices which the SFC expects of LCs. LCs should review their business models and client profiles in order to come up with the most suitable policy.
Individual accountability has been the SFC's focus in recent years. The approach of the SFC in pursuing follow-up actions against the ROs sends a clear message to the market that senior management is to bear responsibility for the firm's compliance with applicable standards and requirements. Whilst recent enforcement decisions against management were all targeted at the relevant ROs, all LCs should have already appointed a MIC for their AML/CTF function since late 2017 and thus the relevant MICs are also reminded of their obligations and the regulator's expectation of them.
Please refer to our earlier publication to know more about the SFC's actions on third party payments in 2017.
[1] Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) (AML Guideline)
[2] Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO)
[3] Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct)