In the consultation conclusions released by the Securities and Futures Commission (HKSFC) on 23 May 2023 (Consultation Conclusions), the HKSFC has indicated that the HKSFC has also incorporated non-substantive changes to the existing:
- Guideline on Anti-Money Laundering and Counter-Financing of Terrorism for Licensed Corporations (AML Guideline for LCs); and
- Prevention of Money Laundering and Terrorist Financing Guideline issued by the Securities and Futures Commission for Associated Entities,
(together, the AML Guideline).
With the launch of the virtual assets (VA) licensing regime on 1 June 2023, the HKSFC proposes to incorporate a new stand-alone chapter into the AML Guideline for LCs to cover Anti-Money Laundering/Counter-Financing of Terrorism (AML/CFT) requirements governing the conduct of Platform Operators (Platform Operators) and its associated entities when carrying out businesses associated with VA or businesses which give rise to money laundering and terrorist financing (ML/TF) risks in relation to VAs1.
Set out below are salient requirements of the updated AML Guideline for LCs relevant to VA:
|
Topics |
Changes to the AML Guideline for LCs |
Annotations2 |
|
Introduction |
Platform Operators should familiarize themselves with VA specific layering techniques, anonymity-enhancing services and use of unhosted wallets3 that may be utilized by illicit actors/money launderers to obfuscate the sources of VAs. |
Page 142, Paragraph 12.1.2, 12.1.6 |
|
Occasional transactions |
Licensed Corporations (LCs) and SFC-licensed virtual assets service providers (VASPs) should not carry out “occasional transactions”4. |
Page 149, Paragraph 12.3.2 |
|
Cross-border correspondent relationships |
Platform Operators should: *understand whether the respondent institution engages in activities or transactions involving VA that provide higher anonymity; and *assess and ascertain whether the AML/CFT controls implemented by the respondent institution in relation to VA transfers and screening of VA transactions and the associated wallet addresses are adequate and effective in determining on a risk-sensitive basis the amount of information to be collected about a respondent institution. |
Page 151, Paragraphs 12.6.3, 12.6.4 |
|
Ongoing monitoring in relation to VA transactions and activities |
Platform Operators should: *conduct screening of VA transactions and/or the associated wallet addresses: ~BEFORE conducting a VA transfer or making the transferred VAs available to the customer; and ~AFTER conducting a VA transfer on a risk-sensitive basis. *obtain additional customer information (i.e. IP addresses with associated time stamp, geo-location data and device identifier(s)) when establishing a business relationship with customers and/or the VA transactions are conducted by its customers *conduct ongoing monitoring of additional customer information received and take appropriate steps5 to identify if there are any grounds for suspicion, taking into account, originator and recipient information, customer information, transaction history and additional information obtained from the customer *apply enhanced customer due diligence and ongoing monitoring, and take other additional preventive or mitigating actions if Platform Operators become aware of any heightening ML/TF risks6 |
Page 154, Paragraphs 12.7.3, 12.7.5 & 12.7.6 |
|
Third-party deposits/payments |
*To facilitate the prompt identification of the sources of deposits in the form of VAs, the Platform Operators are STRONGLY ENCOURAGED to whitelist accounts (or wallet addresses) owned or controlled by its clients or any acceptable third parties. The Platform Operator should only accept wallet addresses that it assessed to be reliable having regard to the screening results of the VA transactions and the associated wallet addresses and the assessment results of the ownership control of the unhosted wallet. *Where a VA deposit/payment is made via an ordering/beneficiary institution that presents higher ML/TF risk or unhosted wallet, the Platform Operator should ascertain the customer’s ownership or control over the account/wallet address by, for example, (i) using appropriate confirmation methods (for example, using a micropayment test or message signing test); and (ii) obtaining evidence (i.e. statement of account issued by a VA transfer counterparty) from the customer7. |
Page 160, Paragraphs 12.10.5 to 12.10.7 & 12.14.3(b) |
For VA transfers, the Platform Operator should:
1. establish and maintain effective procedures to ensure compliance with the VA transfer requirements (Travel Rule8). These requirements include, for example:
~ An ordering institution must obtain and record required information (required information) from the originator and recipient, including, without limitation, for example, the originator’s address and the originator’s customer identification number (a number that uniquely identifies the originator to the ordering institution that must be referrable to a record held by the ordering institution containing the customer’s address), identification document number, or date and place of birth for originators who are individuals and submit the required information to the beneficiary institution immediately9;
~ The ordering institution should undertake the VA transfer counterparty due diligence measures (Measures) to ascertain whether the beneficiary institution and/or intermediary institution10 can submit the required information securely to protect the integrity, availability and confidentiality of the information for facilitating record-keeping, fulfilment of AML/CFT obligations and protecting against unauthorized access or disclosure;
~ Appropriate controls undertaken may include (a) the entry of a bilateral data sharing agreement between the ordering institution and beneficiary institution and/or service level agreement, together with a technological solution provider and (b) the use of a strong encryption algorithm to encrypt information during data submission;
~ The beneficiary institution/intermediary institution (instructed institution) must have risk-based policies and procedures for determining (i) whether and when to execute, suspend (i.e. prevention of relevant VAs from being made available to the recipient) or return relevant VAs to the account of the instructing institution (i.e. ordering institution) when there is no suspicion of ML/TF considering the outcomes of the VA transfer counterparty due diligence and screening of the VA transactions and the associated wallet addresses in relation to the VA transfers; and
~ If the required information cannot be obtained by the instructed institution in connection with VA transferred, the instructed institution should either (a) consider restricting/terminating its business relationship with the instructing institution in relation to the VA transfer, or (b) take reasonable measures to mitigate the ML/TF risk involved.
2. conduct VA transfer counterparty due diligence.
Due diligence should be conducted against a VA transfer counterparty by a Platform Operator before conducting a VA transfer and thereafter, only if there is a suspicion of ML/TF or when the Platform Operator is aware of any heightened ML/TF risks from its ongoing monitoring of VA transfers with VA transfer counterparties.
If the Platform Operator conducts VA transfers with VA transfer counterparties located in different jurisdictions belonging to the same group, due diligence on each VA transfer counterparty should be conducted independently on the one hand. On the other hand, a holistic assessment should be undertaken to assess the ML/TF risks posed by the counterparties.
The Measures to be applied, on a risk-sensitive basis, by the Platform Operator should include, without limitation, the following on a regular basis and/or upon trigger events11, and take into account relevant factors set out in the AML Guideline for LCs12:
~ collection of sufficient information to identify and verify the identity of the VA transfer counterparty using documents, data or information provided by a reliable and independent source, and take reasonable measures to understand the ownership and control structure of the VA transfer counterparty on a look-through basis to identify its beneficial owners;
~ understanding the nature and expected volume and value of VA transfers with the VA transfer counterparty;
~ determination of the reputation of the VA transfer counterparty and the quality and effectiveness of its host jurisdiction regulations and supervisory oversight by its host regulator based on publicly available information; and
~ assessment of the AML/CFT controls applied by the VA transfer counterparty and be satisfied that these controls are adequate and effective.
3. use a technological solution for Travel Rule compliance (technology solution).
Platform Operators should conduct due diligence on the technology solution to satisfy itself that the technology solution enables the Platform Operator to comply with the Travel Rule in an effective and efficient manner. For example, consideration as to the interoperability of the technology solution with other solutions adopted by the VA transfer counterparties. The Platform Operator should also consider, among other things, whether:
~ it could identify situations where the required information provided is incomplete or missing due to slight differences in travel rule requirements across the laws, rules and regulations of other jurisdictions relevant to a VA transfer;
~ the technology solution allows the required information for a large volume of VA transfers to be submitted immediately and securely to and/or obtained from multiple VA transfer counterparties in a stable manner;
~ the technology solution enables it to implement measures/controls for effective scrutiny of VA transfers to identify and report suspicious transactions and enables screening VA transfers to meet sanctions obligations; and
~ the solution facilitates the Platform Operator in conducting VA transfer counterparty due diligence and keeping record of the required information.
Ultimately, the structures, processes, policies, procedures, systems and controls adopted by the Platform Operator (AML/CFT systems), as guided by the above checklist, should be adequate and appropriate in managing and mitigating AML/CFT risks. Further, the external assessor would be able to confirm that the Platform Operator’s AML/CFT systems in place (a) comply with the applicable legal and regulatory requirements upon adopting on a risk-based approach; and (b) can enable the Platform Operator to identify suspicious transactions and activities.
SIDLEY’S INSIGHT
One of the key concerns hindering the development of VAs as a mainstream asset class in financial markets worldwide remains the AML/CFT risks embedded in the utilization of blockchain technology in VAs. This technology advocates decentralization and privacy and therefore, contradicts the prevailing regulatory approach to combatting AML/CFT through verification of the ultimate identity of asset ownership by financial intermediaries.
Therefore, notably, the AML Guideline microscopically focuses on auditing and tracking transfers of VAs among VA transfer counterparties through the adoption of technological solutions to identify and report on suspicious transactions and activities. Platform Operators are encouraged to adopt technological solutions to effectively monitor information exchange, VA transfer counterparties’ performance and efficiency in reporting and intercepting AML/CFT transactions and activities. It is yet to be ascertained whether the HKSFC’s adopted regulatory approach would successfully contain AML/CFT risks within manageable levels for VAs to become a mainstream asset class in the financial world.
For prospective Platform Operators, compliance with the AML Guideline should top their compliance checklist given the HKSFC’s paramount focus on ensuring that Hong Kong maintains its good standing as a jurisdiction that claims to be “Largely Compliant” with the FATF Recommendations. The determination of choice of technology solution (if adopted) to facilitate compliance with the AML Guideline and detailed discussions relating to collaboration arrangements with VA transfer counterparties should be underway as soon as the Platform Operator decides to launch its trading services in Hong Kong.
For Sidley’s insights and concluding remarks relating to Hong Kong’s introduction of a market-changing VASP licensing regime, please see here.
1 This covers the Platform Operator’s offer of products, services or transactions involving VAs OR when clients derive their funds or wealth substantially from VAs or carries out VA businesses.
2 Reference is made to the pages and paragraphs in the AML Guideline for LCs appearing as Appendix B to the Consultation Conclusions.
3 An unhosted wallet refers to software or hardware that enables a person to store and transfer VAs on his own behalf, and in relation to which the private key is controlled or held by that person.
4 This covers, for example, wire transfers, currency exchanges, purchase of cashier orders or gift cheques.
5 For example, implement controls to prevent VAs from being made available to the recipient or putting the receiving wallet on hold until screening is completed and it is confirmed that no concern is raised.
6 For example, request the customer unmask the IP address and where necessary, decline to provide services to that customer if the IP address remains masked.
7 HKSFC’s Frequently Asked Questions on AML Guideline for LCs – Response to Question 29 states that sole reliance on a customer’s self-declaration could not adequately assist a Platform Operator in ascertaining the customer’s ownership or control of an account or an unhosted wallet.
8 Travel Rule refers to the application of the wire transfer requirements set out in the FATF Recommendation 16 that are modified in the context of VA transfers (as to requirements to obtain, hold, and submit required and accurate originator and required recipient information immediately and securely when conducting VA transfers), recognizing the unique technological properties of VAs.
9 HKSFC’s Frequently Asked Questions on AML Guideline for LCs – Response to Question 28 states that the submission of required information AS SOON AS PRACTICABLE (and not “immediately”, i.e. the information must be submitted to the beneficiary institution prior to, or simultaneously or concurrently with, the VA transfer) after the VA transfer will be acceptable as an interim measure until 1 January 2024 given the implementation status of the Travel Rule in other major jurisdictions (e.g. the U.S., Singapore, the UK and Europe). Paragraphs 12.11.10 and 12.11.13 of the AML Guideline for LCs should only come into effect on 1 January 2024.
10 Where an intermediary institution is involved in a VA transfer, an ordering institution should undertake the Measures to determine if the intermediary institution can submit the required information immediately to the beneficiary institution and should not execute the VA transfer if otherwise.
11 When the Platform Operator is aware of any heightened ML/TF risks from its ongoing monitoring of VA transfers with VA transfer counterparties or other information such as negative news from credible media or public information that the counterparty has been subject to any targeted financial sanction, ML/TF investigation or regulatory action.
12 The factors to be considered include: (a) the types of products and services offered by the VA transfer counterparty; (b) the types of customers to which the VA transfer counterparty provides services; (c) geographical exposures of the VA transfer counterparty and its customers; (d) the AML/CFT regime in the jurisdictions in which the VA transfer counterparty operates and/or is incorporated; and (e) the adequacy and effectiveness of the AML/CFT controls of the VA transfer counterparty.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.
