Ineffective AML Procedures

As announced on 17 Aug 2018, HKMA reprimanded Shanghai Commercial Bank Limited (SCOM) for contravening S.19(3) of Schedule 2 to the AMLO by failing to establish and maintain effective procedures for the purpose of carrying out its duty to continuously monitor business relationships. It also SCOM to pay a pecuniary penalty of HKD5,000,000 and submit to HKMA a report prepared by an independent external advisor assessing whether the remedial measures implemented by SCOM are sufficient to address the contraventions and the effectiveness of the implementation.

In summary, SCOM did not:

• continuously monitor its business relationship with 33 customers by examining the background and purposes of their transactions that were identified as (i) complex, unusually large in amount or of an unusual pattern and (ii) having no apparent economic or lawful purpose, and setting out its findings in writing;
• establish and maintain effective procedures for the purpose of carrying out its duty under S.5 of Schedule 2 to the AMLO to continuously monitor business relationships; and
• carry out customer due diligence (CDD) measures in respect of certain pre-existing customers when a transaction took place with regard to each of the customers that (i) was, by virtue of the amount or nature of the transaction, unusual or suspicious, or (ii) was not consistent with SCOM's knowledge of the customer or the customer's business or risk profile, or with its knowledge of the source of the customer's funds.

As regards the deficiencies in monitoring business relationships, although the relevant transactions were identified through SCOM's Management Information System (MIS) reports, which took into account different customer risk levels and transaction types, and were selected by SCOM's Compliance Department at the material time for further enquiry or investigation, SCOM had not adequately examined the background and purposes of those transactions and set out the findings in writing.

SCOM also lacked effective policies and procedures for monitoring the handling of MIS alerts including properly recording the follow-up actions taken and monitoring the review time, resulting in significant delay in alert clearance. As for carrying out CDD measures in respect of pre-existing customers, while one of the customers conducted the relevant transactions as early as in May 2012, SCOM failed to identify those transactions at the material time as unusual or suspicious or not consistent with its knowledge of the customer and had not conducted CDD measures accordingly.

It is the first time HKMA took a high profile action against a bank for contravention of the AMLO. This case reveals that putting in place surveillance systems and recruiting a team of compliance officers is no guarantee of compliance standards, effective implementation is critical.