KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

date of birthnationality

KYC to onboard international persons

namedate of birthresidential address permanent addressnationalityidentification documentspassportidentity card

corporate requirements

certificate of incorporationbusiness registrationcompany's memorandum copyarticles of associationsearch enquiry of registrycompany reportdetails of ownershipidentification documents of directorsprincipal shareholderaccount signatries

National ID card name

Hong Kong Identity Card

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

ELECTRONIC TRANSACTIONS ORDINANCE

E-sig law files

What year did the relevant AML laws and regulations become effective?

2012

Further details on AML regime

Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance – April 2012 (“AMLO”); b) Drug Trafficking (Recovery of Proceeds) Ordinance - 1989 (amended 2005) (“DTROP”); c) Organised and Serious Crimes Ordinance - 1994 (amended 2012) (“OSCO”); and d) United Nations (Anti-Terrorism Measures) Ordinance - 2002 (amended 2012) (“UNATMO”)

Who is the regulator for AML controls for Banking

The Hong Kong Monetary Authority (“HKMA”)

Link to site

http://www.hkma.gov.hk/eng/index.shtml)

Other financial Services

The Securities and Futures Commission (“SFC”) is the regulator for AML controls for securities

Website of Regulator

http://www.sfc.hk/sfc/html/EN/index.html

Financial Sector regulator

http://www.oci.gov.hk/about/index.html , http://www.customs.gov.hk/en/home/index.html

Practical Guidance for AML

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

Retroactive details

No, although under the revised guidelines, enhanced AML assessment requirements are expected to be applied to all customers, including existing customers. As part of their ongoing AML due diligence process, intermediaries should consider and determine whether additional identification information, in line with the current standards, should be obtained from all existing customers, particularly those customers in higher risk categories. In particular, authorised institutions regulated by the HKMA are required to conduct a review, at least once annually, on all high risk customers to ensure that the customer's records maintained are up-to-date and relevant. Under the AMLO, the identity of pre-existing customers is not subject to retrospective verification. The AMLO only requires the financial institution to review the documents, data and information relating to the customer that is held at the time it conducts the review.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Generally speaking, the current legislation does not specifically set out minimum transaction thresholds where customer due diligence is or is not required. However, less stringent due diligence requirements would be permitted in certain circumstances, such as: a) a remittance/exchange transaction carried out by remittance agents/money changers, where the transaction amount is less than HKD8,000 or equivalent; or b) a transaction carried out by

What are the requirements for customer identification information for individuals

The identity of an individual including his/her name, residential address (and permanent address - if different), date of birth and nationality, etc. should be obtained. Identification should be from documents issued by official or reputable sources, i.e. passports or identity cards. The address should be checked by appropriate means, e.g. by reviewing utility or rates bills or checking the electoral roll.

Details to be Collected on Corporates

The following documents or information should be obtained, including the Certificate of Incorporation and Business Registration Certificate, copy of the company’s memorandum and articles of association, a company search enquiry of the registry and a company report, details of ownership and structure control of the company, the board resolution evidencing the opening of the account and conferring authority on those who will operate it, identification documents of the directors, principal shareholders and account signatories, as required. Additional requirements will arise for higher risk customers

What are the high level requirements around beneficial ownership (identification and verification)?

There is a requirement to identify the beneficial ownership and control, i.e. to determine which individual(s) ultimately own(s) or control(s) the direct customer, and/or the person on whose behalf a transaction is being conducted. For corporates, the identity of the principal shareholders (e.g. those holding 10% or more voting interests) should be identified. The identity of all shareholders holding 25% (for normal risk circumstance) /10% (for high risk circumstances) or more of the voting rights or share capital are required to be verified.

What circumstances are enhanced customer due diligence measures required?

Enhanced due diligence is required for higher risk categories of customers, business relationships or transactions. These may include companies with unduly complex ownership structure, PEPs, business relationships and transactions with persons from or in jurisdictions that do not meet international AML standards, customers who are not physically present for identification purposes, or remittance transactions for which the remittance messages do not contain complete originator information.

How should FI's deal with Politically exposed persons

Local regulatory guidance includes a requirement to gather sufficient information from a new customer and check publicly available information to establish whether or not the customer is a PEP. The decision to open an account for a PEP should be taken at a senior management level. A number of risk factors that institutions should consider in handling a business relationship with a PEP are also outlined.

What enhanced due diligence must be performed for correspondent banking relationships?

A bank providing correspondent banking services is required to gather sufficient information about its respondent banks to understand their business. Approval from senior management should be sought before establishing new correspondent banking relationships and the respective responsibilities of each institution should be documented. A corresponding banking relationship should not be established unless it is satisfied that the AML/CFT controls of the proposed respondent bank are adequate and effective. Particular care is required if a correspondent banking relationship is maintained with banks incorporated in jurisdictions that do not meet international AML standards, or where the respondent banks allow the direct use of the correspondent account by their customers to transact business on their own behalf (i.e. payable–through accounts).

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Firms are required to apply effective customer identification procedures to satisfy the true identity of the customer. Such procedures may include: a) requisition of additional documents to complement those required for face-to-face customers; b) taking supplementary measures to verify all the information provided by the customer; and c) requiring the first payment from the account to be made through an account in the customer’s name with a bank having satisfactory customer due diligence standards.

To whom are SAR's made? (suspicious activity reports)

Joint Financial Intelligence Unit (“JFIU”) and relevant authority, HKMA, SFC, OCI

Link to website of SAR reporting

http://www.jfiu.gov.hk/en/ , http://www.hkma.gov.hk/eng/index.html , http://www.sfc.hk/web/EN/index.html , http://www.oci.gov.hk/about/index.html

Other Suspicious or unusual transactions obligations.

Financial institutions shall report to JFIU if there is knowledge or suspicion of ML/TF. Examples include, inter alia: a) customers are reluctant to provide normal information when opening an account, providing minimal or fictitious information or, when applying to open an account, providing information that is complex or expensive for the institution to verify; and/or b) customers who decline to provide information that in normal circumstances would make the customer eligible for credit or for other banking services that would be regarded as valuable.

Are there any de-minimis thresholds below which transactions do not need to be reported?

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Institutions are required to refrain from carrying out transactions which they know or suspect to be related to money laundering until they have informed the JFIU which consents to the institution carrying out the transactions. Where it is impossible to refrain or if this is likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering operation, institutions may carry out the transactions and notify JFIU on their own initiative and as soon as it is reasonable for them to do so.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

There are no explicit restrictions on “offshore” transactions monitoring provided that the other regulatory requirements, in particular the outsourcing and record keeping requirements, are fulfilled.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

As above, an independent review of the Program is required on a ‘regular’ basis. In practice this is conducted based on the bank’s risk-based approach, with many banks choosing to conduct the independent review on an annual basis. The report must be provided to the governing board and senior management. The regulator also requests a copy during their reviews. This does not constitute part of the financial statement audit

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

The scope of work varies depending upon the circumstances which trigger the review as mandated by the HKMA. However, in a comprehensive AML review carried out by external auditors, sample testing of KYC files/SAR reports and examination of risk assessments would normally form part of the scope of work

Data Protection Laws And Personal Data

The primary data protection law in Hong Kong is the Personal Data (Privacy) Ordinance (“PDPO”). Under the PDPO, personal data means any data relating directly or indirectly to a living individual; from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable. The PDPO does not define corporate data or sensitive data.

Data Protection for Corporate Data

N/A

Data protection for "sensitive Data" and additional protections.

N/A

Do any restrictions on the transfer of credit reports exist?

The PDPO stipulates that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose (i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to it. There is prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances

Regulator Acronym

HKMA, SFC

Verification of docs (domestic individual)

Certified

Field 67

additional documentsfirst party bank wire

National ID card details

Children are required to obtain their first identity card at the age of 11 and must change to an adult identity at the age of 18.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Hong_Kong_Identity_Card

Passport Photo

common XML schema

www.xml.gov.hk

Is there a risk based approach

Legal Requirement

Yes

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

JFIU

shell banks

Yes

EDD for correspondent banking

Yes

Minimum transactions

HKD 8,000

Min transaction USD

1031

Personal Data protection

Personal Data Protection Act

https://www.pcpd.org.hk/english/files/pdpo.pdf

key restrictions

The law excludes wills, powers of attorney, government leases and some real estate transactions.

Summary

Section 6(1) states that an electronic signature may be used to satisfy the legal requirement for a handwritten signature. Section 17(2) states that electronic records may be used in place of paper records and that those records will have the same legal enforceability as paper records. Summary of law Hong Kong follows the European Union and the UNCITRAL model law in that its laws provide for the enforcement of both simple electronic signatures and digital signatures (sometimes called advanced electronic signatures). It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. One must get consent to do business electronically, but that consent doesn’t need to be explicit. It can be inferred from behavior such as receiving and signing documents electronically.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

The AMLO became effective on 1 April 2012. Previous AML regime was governed by DTROP, OSCO and UNATMO

Non financial sector (e.g. casinos, high value goods etc.)

The Officer of the Commissioner of Insurance (“OCI”) is the regulator for AML controls for insurance sector

Does the country have a risk based approach?

It is expected that financial institutions should adopt a risk based approach to customer due diligence and ongoing monitoring

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Copies of identification documentation should generally be checked against original documents. However, reliance may be placed on a ‘suitable’ certifier to certify that the copy document is a complete and an accurate copy of the original. Such certifiers include, inter alia, officer of an embassy, member of the judiciary, Justice of the Peace, etc.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

We are not aware of any such laws or regulations that may significantly impact upon the transfer of information to Hong Kong.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

There is no specific bank secrecy law in Hong Kong. It should, however, be noted that banks are subject to confidentiality obligations which are applicable under common law (i.e. the legal framework adopted by Hong Kong) and the regulators also expect that banks duly protect the use of its customer data in the normal course of business.