Chapter F — Anti-Money Laundering & Counter-Terrorist Financing Guidelines

POINT 2: 適用範圍 (F-600 — Application of the Guidelines)

2.1 Who Must Comply

The Guidelines apply to "practices" — defined as:

• Practice units registered under AFRC Ordinance, AND
• Trust or company service providers where all proprietors/partners/directors are HKICPA members
• Includes individual members working in such practices

2.2 Mandatory vs Good Practice — The Application Matrix

Critical Note: Suspicious Transaction Report (STR) reporting (F-640) and sanctions (F-650) are mandatory for ALL services without exception — including services NOT listed in 600.2.1/600.2.2. The policies to support them (F-610) must also be in place.

2.3 指定服務 (Specified Services — trigger mandatory Customer Due Diligence (CDD)/RK/monitoring)

Category A (600.2.1) — When practices, by way of business, prepare for or carry out:

1. Buying or selling of real estate
2. Managing of client money, securities or other assets
3. Management of bank, savings or securities accounts
4. Organisation of contributions for creation, operation or management of corporations
5. Creation, operation or management of legal persons or legal arrangements
6. Buying or selling of business entities

Category B (600.2.2) — Trust or company services:

1. Forming corporations or other legal persons
2. Acting as, or arranging for director/secretary/partner/similar position
3. Providing registered office, business address, correspondence or administrative address
4. Acting as, or arranging for, trustee of express trust or nominee shareholder (except for listed companies)

2.4 Key Terminology: "Must" vs "Should"

2.5 Legal Status of Guidelines

• Not themselves creating judicial liability
• Admissible in court under Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) — court MUST take into account if relevant
• AFRC must have regard to the Guidelines when determining compliance with Schedule 2 of Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO)
• Non-compliance → risk of criminal prosecution + loss of reputation

2.6 Money Laundering / Terrorist Financing Key Concepts

Money Laundering (3 stages):

1. Placement — physical disposal of cash proceeds from illegal activities
2. Layering — separating illicit proceeds from their source via complex layers of financial transactions to disguise origin
3. Integration — creating apparent legitimacy; returning laundered proceeds back into the general financial system

Terrorist Financing (Key distinction):

• Money Laundering (ML) focus: SOURCE of property (criminal proceeds)
• Terrorist Financing (TF) focus: DESTINATION/USE of property (may originate from legitimate sources)
• Even legitimate money can be Terrorist Financing (TF) if intended for terrorist purposes

POINT 3: Anti-Money Laundering / Counter-Financing of Terrorism Policies, Procedures & Controls (F-610)

3.1 Mandatory Policies, Procedures and Controls (PPC) Coverage (610.1.1)

Practices' Policies, Procedures and Controls (PPC) must cover 9 areas:

1. Risk assessment and management
2. Customer Due Diligence (CDD) (Section 620)
3. Ongoing monitoring (Section 630)
4. Making Suspicious Transaction Reports (STRs) (Section 640)
5. Targeted financial sanctions and Terrorist Financing (TF) (Section 650)
6. Record-keeping (Section 660)
7. Compliance management — including designating Money Laundering Reporting Officer at management level
8. Staff training and communication (Section 670)
9. Group policy (where appropriate)

3.2 Risk-Based Approach (Risk-Based Approach (RBA)) — 610.3

Core principle: No one-size-fits-all. Measures must be proportionate to identified risks.

Risk factors to consider:

• Customer risk & country risk (types of client, geographical locations)
• Product/service/transaction risk
• Delivery/distribution channel risk
• Other risks depending on specific circumstances
• Size of the practice

What an effective Risk-Based Approach (RBA) determines:

• Extent of Customer Due Diligence (CDD) on direct client + verification depth for beneficial owners
• Level of ongoing monitoring
• Measures to mitigate identified risks

Important: Risk-Based Approach (RBA) is NOT static — risks change over time. Must adjust assessment as circumstances develop and threats evolve.

3.3 New Products/Technologies Risk Assessment (610.2)

Before launching new products, new business services, or new/developing technologies, practices MUST:

• Identify and assess Money Laundering / Terrorist Financing risks that may arise
• Take appropriate measures to mitigate and manage any significant risks identified

Practices should also conduct periodic firm-wide risk assessment.

3.4 Management Oversight — Compliance Officer (CO) and Money Laundering Reporting Officer (610.4)

Two mandatory appointments:

Compliance Officer (CO) and Money Laundering Reporting Officer may be the same person where appropriate.

Compliance Officer (CO) and Money Laundering Reporting Officer must be (610.4.3):

1. Independent of operational/business functions (subject to practice size constraints)
2. Based in Hong Kong
3. Of sufficient seniority and authority
4. Afforded regular contact and direct access to senior management
5. Fully conversant with statutory/regulatory requirements and Money Laundering / Terrorist Financing risks
6. Capable of accessing ALL available information on a timely basis
7. Equipped with sufficient resources, including staff and cover for absence

Compliance Officer (CO)'s indicative roles (610.4.4-4.5):

• Review Anti-Money Laundering / Counter-Financing of Terrorism systems to ensure currency with statutory requirements
• Oversight of Policies, Procedures and Controls (PPC), including monitoring effectiveness
• Managing and testing Policies, Procedures and Controls (PPC)
• Identifying and addressing significant deficiencies
• Mitigating risks from countries not applying Financial Action Task Force (FATF) Recommendations
• Communicating key Anti-Money Laundering / Counter-Financing of Terrorism issues to senior management
• Considering changes needed from new legislation/regulatory requirements
• Training of staff

Money Laundering Reporting Officer's principal functions (610.4.6):

• Review internal disclosures and determine whether Suspicious Transaction Report (STR) to Joint Financial Intelligence Unit (JFIU) is needed
• Maintain records of internal reviews
• Provide guidance on avoiding "tipping off"
• Act as main point of contact with Joint Financial Intelligence Unit (JFIU), law enforcement, and competent authorities

3.5 Compliance Function (610.4.7-4.8)

• Review implementation of Policies, Procedures and Controls (PPC) to ensure effectiveness
• Frequency/extent commensurate with Money Laundering / Terrorist Financing risks and business size
• May engage external party to conduct review
• Where practicable, establish independent compliance function with direct line to senior management

3.6 Staff Screening (610.4.9)

• Practices should establish procedures to be satisfied of integrity of new employees

3.7 Overseas Operations — Group Policy (610.5)

Practices with overseas branches/offices/subsidiaries MUST:

• Adopt group Anti-Money Laundering / Counter-Financing of Terrorism policy ensuring overseas operations comply with Customer Due Diligence (CDD) and RK requirements similar to Schedule 2 of Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO)
• If local law does NOT permit equivalent procedures → MUST take additional measures to effectively mitigate Money Laundering / Terrorist Financing risk

POINT 4: Customer Due Diligence — Customer Due Diligence (CDD) (F-620)

4.1 The Four Customer Due Diligence (CDD) Pillars (620.1)

When providing specified services, practices MUST:

Pillar A: Identify the client and verify client's identity using documents/data/information from:

• Government body, OR
• Public register, OR
• Digital identification system recognised by AFRC (e.g., iAM Smart), OR
• Any other reliable and independent source

Pillar B: Where there is a beneficial owner:

• Identify and take reasonable measures to verify the beneficial owner's identity
• For legal persons/trusts: understand ownership and control structure
• For corporations: >25% share capital/voting rights, OR exercises ultimate control

Pillar C: Understand and obtain information on purpose and intended nature of business relationship (unless obvious)

Pillar D: If person purports to act on behalf of client:

• Identify and verify that person's identity
• Verify that person's authority to act on behalf of client (written authority recommended)

Risk-tiered Customer Due Diligence (CDD): Enhanced Due Diligence (EDD) for high-risk, Simplified Due Diligence (SDD) possible for low-risk in specified circumstances.

4.2 When Customer Due Diligence (CDD) MUST Be Applied (620.3.1)

4.3 Pre-Existing Clients (620.3.2-3.4)

For clients from before 1 March 2018:

• Customer Due Diligence (CDD) must be performed when: (a) unusual/suspicious transaction, (b) transaction inconsistent with knowledge of client/source of funds, (c) material change in client's business
• Should review information over time and assess risks
• If unable to comply → MUST terminate business relationship as soon as practicable

4.4 Risk Assessment — Three Risk Categories (620.4)

Important nuance (620.4.5-4.7): Not all clients falling into risk categories are necessarily high-risk. After adequate review, legitimate purpose may be found. Financial Action Task Force (FATF)-deficiency countries: extra care justified but NOT an automatic refusal or automatic Enhanced Due Diligence (EDD) — weigh all circumstances.

4.5 Identity Verification Sources (620.5)

For clients:

• Governmental body documents
• Public register
• iAM Smart (HK Government digital ID — AFRC-recognised)
• For FI/TCSP clients: relevant authority/regulatory body
• For other DNFBP: relevant regulatory body

Copies of all reference source documents must be retained (Section 660).

4.6 Beneficial Owner — Detailed Requirements (620.6)

Definition: Individual(s) who ultimately own or control the client, or on whose behalf a service is provided.

For individuals: Client themselves is normally the beneficial owner. No proactive search required UNLESS indications they're not acting on own behalf.

For corporations (>25% threshold):

• Owns/controls >25% of issued share capital
• OR entitled to exercise/control >25% of voting rights
• OR exercises ultimate control over management
• If acting on behalf of another person → that other person is the BO

Verification standard for BOs: "Reasonable measures" (lower than client verification) — must be satisfied that practice knows who the BO is.

4.7 Timing of Verification (620.10)

General rule: Customer Due Diligence (CDD) must be completed BEFORE establishing relationship or carrying out transactions.

Exception — Delayed verification (620.10.3): Only if ALL of:

• Money Laundering / Terrorist Financing risk from delay can be effectively managed
• Delay is essential not to interrupt normal conduct of business
• Verification is completed as soon as reasonably practicable

If cannot complete Customer Due Diligence (CDD) → MUST NOT establish relationship. Must also assess whether this failure itself provides grounds for Suspicious Transaction Report (STR).

4.8 Enhanced Due Diligence — Enhanced Due Diligence (EDD) (620.12)

Mandatory Enhanced Due Diligence (EDD) for:

Politically Exposed Person (Politically Exposed Persons):

• Non-Hong Kong Politically Exposed Person — ALWAYS high risk
• Hong Kong Politically Exposed Person — assess risk level; Enhanced Due Diligence (EDD) if high risk
• International organisation Politically Exposed Person — assess risk level
• Former Politically Exposed Person — apply Risk-Based Approach (RBA); Enhanced Due Diligence (EDD) may be needed for at least 12 months after leaving office
• Family members and close associates of Politically Exposed Person

Enhanced Due Diligence (EDD) measures for Politically Exposed Person:

• Obtain senior management approval before establishing/continuing relationship
• Take reasonable measures to establish source of wealth and source of funds
• Apply enhanced ongoing monitoring

Other Enhanced Due Diligence (EDD) triggers:

• Complex/unusually large transactions with no apparent economic purpose
• Higher-risk countries (Financial Action Task Force (FATF) "Call for Action" jurisdictions)
• Non-face-to-face clients (without adequate safeguards)
• Correspondent relationships with overseas firms

4.9 Simplified Due Diligence — Simplified Due Diligence (SDD) (620.11)

When Simplified Due Diligence (SDD) may apply: Lower-risk situations where:

• Client is an FI or DNFBP subject to Anti-Money Laundering / Counter-Financing of Terrorism regulation in HK or equivalent jurisdiction
• Client is a listed company on recognised stock exchange
• Client is a HK government body or statutory body
• Product is low-risk (e.g., certain insurance policies)

Simplified Due Diligence (SDD) does NOT mean NO due diligence — still must identify client, but may reduce extent/timing of verification measures.

4.10 Reliance on Third-Party Customer Due Diligence (CDD) (620.13)

Practices may rely on Customer Due Diligence (CDD) conducted by intermediaries (including CPAs, FIs, legal professionals, TCSP licensees) subject to conditions:

• Intermediary must be in HK or equivalent jurisdiction
• Intermediary must be subject to Anti-Money Laundering / Counter-Financing of Terrorism regulation
• Intermediary must be willing to provide Customer Due Diligence (CDD) records promptly on request
• Ultimate responsibility remains with the practice

POINT 5: Suspicious Transaction Reports — Suspicious Transaction Report (STR) (F-640)

5.1 The Reporting Obligation

Three statutes create Suspicious Transaction Report (STR) obligations:

"Any property" means the obligation applies to ALL services — NOT limited to specified services. Applies whether or not a transaction was actually conducted, and covers attempted transactions.

5.2 Knowledge vs Suspicion

Knowledge: Actually knowing something is the case. Includes:

• Actual knowledge
• Knowledge of circumstances that would indicate facts to a reasonable person
• Knowledge of circumstances that would put a reasonable person on inquiry

Suspicion: More subjective but MORE than mere speculation. Must be:

• A positive feeling of actual apprehension or mistrust
• Amounting to "a slight opinion, but without sufficient evidence"
• A possibility that is "more than fanciful"
• "A vague feeling of unease would not suffice" (Da Silva case)

5.3 Making the Suspicious Transaction Report (STR)

Method: Joint Financial Intelligence Unit (JFIU) encourages use of standard form or e-channel "STREAMS" (Suspicion Transaction Report and Management System)

Timing: As soon as reasonably practical. For urgent cases:

• Indicate urgency in Suspicious Transaction Report (STR)
• Immediate telephone notification to Joint Financial Intelligence Unit (JFIU) for exceptional urgency
• Especially important when client has instructed movement of funds/property

Content of Suspicious Transaction Report (STR) (640.3.5):

1. Personal particulars of person/company involved (name, ID/passport, DOB, address, phone, bank account)
2. Details of suspicious transaction
3. Why the transaction is suspicious (which indicators are present)
4. Explanation (if any) given by the person/company

5.4 Statutory Defence (640.2.5)

Filing an Suspicious Transaction Report (STR) provides statutory defence to Money Laundering / Terrorist Financing:

• Pre-transaction Suspicious Transaction Report (STR): If made before undertaking disclosed acts AND acts undertaken with Joint Financial Intelligence Unit (JFIU) consent
• Post-transaction Suspicious Transaction Report (STR): If made on own initiative, as soon as reasonable after performing the act

5.5 Tipping Off — THE CRITICAL RISK (640.2.16-2.21)

Offence: Know/suspect that Suspicious Transaction Report (STR) has been made → disclose to any other person any matter likely to prejudice investigation.

Maximum penalty: 3 years imprisonment + $500,000 fine

Key rules:

• Once Suspicious Transaction Report (STR) made → client must NOT be informed or alerted
• Preliminary enquiries (before any suspicion formed) do NOT constitute tipping off
• BUT if enquiries lead to Suspicious Transaction Report (STR) → client must not be alerted retroactively
• It's a defence that person did NOT know/suspect disclosure would prejudice investigation
• Communicating suspicions to client's senior management: first satisfy they are NOT implicated AND information won't be passed to those who may prejudice investigation

5.6 Money Laundering Reporting Officer's Suspicious Transaction Report (STR) Process (640.3)

Internal reporting flow:

1. Staff member with knowledge/suspicion → reports to Money Laundering Reporting Officer
2. Money Laundering Reporting Officer evaluates (full access to all documentation)
3. Money Laundering Reporting Officer decides: Suspicious Transaction Report (STR) to Joint Financial Intelligence Unit (JFIU) or no Suspicious Transaction Report (STR) (with documented reasons)
4. If Suspicious Transaction Report (STR): report to Joint Financial Intelligence Unit (JFIU) without undue delay
5. If no Suspicious Transaction Report (STR): document the reasons for that decision

Key safeguards:

• Staff reports must NOT be filtered out by supervisors/managers who are not responsible for Money Laundering (ML) reporting
• Reporting lines should be as short as possible
• Money Laundering Reporting Officer must acknowledge receipt + remind of tipping off obligation
• Each new suspicious transaction from same client requires a new report — one Suspicious Transaction Report (STR) is not a blanket

5.7 Post-Reporting (640.4)

Critical warnings:

• Joint Financial Intelligence Unit (JFIU) "consent" is NOT a "clean bill of health" for the continuing client relationship
• Practices should conduct an appropriate review of business relationship upon filing Suspicious Transaction Report (STR)
• Filing Suspicious Transaction Report (STR) + continuing without further consideration is NOT sufficient
• Relationships reported to Joint Financial Intelligence Unit (JFIU) should be subject to Money Laundering Reporting Officer review + escalation to senior management
• Can terminate relationship but must consider not tipping off client; liaise with Joint Financial Intelligence Unit (JFIU) first
• Suspicious Transaction Report (STR) overrides duty of confidentiality — disclosure to Joint Financial Intelligence Unit (JFIU) is NOT breach of contract

5.8 Non-Practice Members (640.5)

Members working in organisations other than practices:

• Should ascertain if employer has Suspicious Transaction Report (STR) procedures via Compliance Officer (CO)/Money Laundering Reporting Officer
• If no employer procedures → report direct to Joint Financial Intelligence Unit (JFIU)
• Members in banking/insurance/securities: familiarise with Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) + relevant financial services regulator guidelines
• FI employees: Additional criminal liability under Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) s.5 — knowingly causing FI to contravene Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) → 2 years imprisonment + $1M fine; with intent to defraud → 7 years + $1M fine

POINT 6: Targeted Financial Sanctions & Terrorist Financing (F-650)

6.1 Sanctions Framework

UN Sanctions:

• UNSC designates individuals/entities for targeted financial sanctions
• Lists maintained by UNSC and its Sanctions Committees
• United Nations Sanctions Ordinance (UNSO) (Cap. 537) empowers HK Chief Executive to make regulations implementing UN sanctions
• Designated persons/entities specified by notice in Government Gazette or CEDB website

Prohibition: Making available funds/financial assets/economic resources to designated persons or dealing with their property → 7 years' imprisonment + unlimited fine (except under licence from Chief Executive)

6.2 Hong Kong-Specific Terrorist Legislation (United Nations (Anti-Terrorism Measures) Ordinance (UNATMO))

United Nations (Anti-Terrorism Measures) Ordinance (UNATMO) (Cap. 575):

• Enacted 2002 to implement UNSCR 1373
• Secretary for Security (S for S) can freeze suspected terrorist property → contravention = 7 years + unlimited fine
• Prohibition on making property/services available to known/suspected terrorist → 14 years + unlimited fine
• Prohibition on financing travel for terrorist purposes (s.11L)
• Prohibition on travelling/organising travel for terrorist purposes (s.11K, 11M)
• Designation notices published in Gazette under s.4

Terrorist act definition (broad):

• Serious violence against person
• Serious damage to property
• Endangering life
• Serious risk to public health/safety
• Seriously interfering with/disrupting electronic systems
• Seriously interfering with/disrupting essential services
• Made to compel government or intimidate public + for political/religious/ideological cause

6.3 Proliferation Financing — Weapons of Mass Destruction (Control of Provision of Services) Ordinance (WMDO) (Cap. 526)

• Offence to provide services believed/suspected connected to WMD proliferation
• "Services" widely defined — includes lending money, financial assistance, professional services

6.4 Screening Obligations (650.2)

Client screening:

• MUST conduct name checks of clients AND beneficial owners against latest designated lists
• Screening at relationship establishment AND ongoing
• Sources: UNSC designations, Gazette/CEDB lists, overseas authority designations (e.g., US Executive Order 13224)

Ongoing screening frequency:

• High-risk clients (Politically Exposed Person, high-risk jurisdictions): may need weekly checks
• Normal circumstances: check for updates at least monthly
• After any update → re-screen complete client base

Connected parties: Screening should extend beyond clients/BOs to connected parties using Risk-Based Approach (RBA).

Documentation: ALL screening and results must be documented or recorded electronically.

6.5 Information Sharing Protections (650.2.9)

• Exemptions from civil and criminal liability when sharing third-party information for preventing/suppressing Terrorist Financing (TF)
• Sharing Terrorist Financing (TF)-related information NOT restricted by Personal Data Privacy Ordinance (Cap. 486)

6.6 Terrorist Financing (TF)-Specific Suspicious Transaction Report (STR) Obligations

• Any suspected Terrorist Financing (TF) activity/transaction → MUST make Suspicious Transaction Report (STR) to Joint Financial Intelligence Unit (JFIU)
• Even if no direct terrorist connection, if it looks suspicious → STILL report
• Tipping off also applies under United Nations (Anti-Terrorism Measures) Ordinance (UNATMO)

POINT 7: Record Keeping (F-660)

7.1 What Must Be Kept (660.2.1)

7.2 Retention Periods

7.3 Storage Requirements (660.3)

7.4 Critical Security Consideration (660.2.4)

Suspicious Transaction Report (STR) internal reports are NOT part of client working papers! They must be kept:

• In secure form
• Separately from normal client work document retention
• To guard against inadvertent disclosure to anyone accessing client files for non-AML purposes

7.5 Audit Trail Requirements

Records must ensure:

• Client/BO can be properly identified and their identity verified
• Complete and clear audit trail for transactions
• Original/suitable copies available on timely basis to AFRC or other authorities
• Evidence of compliance with ALL other Guidelines sections

POINT 8: Staff Training (F-670)

8.1 Training Obligations

Practices MUST provide appropriate Anti-Money Laundering / Counter-Financing of Terrorism training. Training is an essential element of an effective system — even well-designed controls are compromised if staff are not adequately trained.

8.2 What Staff Must Be Made Aware Of (670.1.5)

All relevant staff must know:

1. Practice's statutory obligations under Schedule 2 of Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) and their own role
2. Statutory obligations to report suspicious transactions under Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP), Organised and Serious Crimes Ordinance (OSCO), United Nations (Anti-Terrorism Measures) Ordinance (UNATMO) and consequences of breaches
3. Other statutory obligations under Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP), Organised and Serious Crimes Ordinance (OSCO), United Nations (Anti-Terrorism Measures) Ordinance (UNATMO), United Nations Sanctions Ordinance (UNSO), Weapons of Mass Destruction (Control of Provision of Services) Ordinance (WMDO)
4. Practice's Policies, Procedures and Controls (PPC) relating to Anti-Money Laundering / Counter-Financing of Terrorism, including suspicious transaction identification and reporting
5. New and emerging techniques, methods, trends in Money Laundering / Terrorist Financing

8.3 Role-Based Training Content (670.1.6)

All staff:

• Background to Money Laundering / Terrorist Financing
• Identifying and reporting suspicious transactions to Money Laundering Reporting Officer
• Understanding "tipping off" offence
• Circumstances that may give rise to suspicion
• Client verification and processing procedures

COs and Managerial Staff — Additional higher-level training:

• All aspects of practice's Anti-Money Laundering / Counter-Financing of Terrorism regime
• Policies, Procedures and Controls (PPC) in relation to Customer Due Diligence (CDD) and RK requirements
• Responsibilities for supervising/managing staff, auditing system, random checks, making Suspicious Transaction Reports (STRs) to Joint Financial Intelligence Unit (JFIU)

Money Laundering Reporting Officer — Specific additional training:

• Responsibilities for assessing submitted reports and making Suspicious Transaction Reports (STRs) to Joint Financial Intelligence Unit (JFIU)
• Keeping abreast of Anti-Money Laundering / Counter-Financing of Terrorism requirements and developments generally

8.4 Timing & Frequency (670.1.4)

• Before new staff commence work — especially important
• Frequency sufficient to ensure staff maintain up-to-date knowledge and competence
• Adapted for different staff groups according to role, size/complexity of business, and Money Laundering / Terrorist Financing risk level

8.5 Training Materials

May include Financial Action Task Force (FATF) papers and typologies. All materials must be up to date and in line with current requirements and standards.

8.6 Training Records (670.1.10)

MUST maintain records of:

• Who has been trained
• When they were trained
• Type of training provided
• Retention: minimum 3 years (but F-660 suggests 5 years aligned with other records)

8.7 Training Effectiveness Monitoring (670.1.11)

Practices should monitor effectiveness by:

1. Testing understanding: Checking staff's understanding of Policies, Procedures and Controls (PPC), statutory obligations, ability to recognise suspicious transactions, and awareness of tipping off risks
2. Monitoring compliance: Checking compliance with Anti-Money Laundering / Counter-Financing of Terrorism controls AND monitoring quality/quantity of internal reports → identify further training needs

APPENDICES SUMMARY

Appendix A — Legislation Details

• Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP)/Organised and Serious Crimes Ordinance (OSCO): Money Laundering (ML) offence (s.25) — dealing with proceeds knowing/having reasonable grounds to believe → 14 years + $5M fine. "Dealing" widely defined (receiving, acquiring, disguising, disposing). "Indictable offence" = any offence triable on indictment (NOT just summary). Includes conduct outside HK. Defence: intended to disclose under s.25A + reasonable excuse.
• United Nations (Anti-Terrorism Measures) Ordinance (UNATMO): Terrorist property reporting (s.12). Designation notices in Gazette.
• Knowledge vs Suspicion: Knowledge = actual knowledge or circumstances that would indicate to reasonable person. Suspicion = "positive feeling of actual apprehension or mistrust... more than fanciful" (Queensland Bacon v Rees; Da Silva).
• Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO): Customer Due Diligence (CDD) and RK requirements. Schedule 2. AFRC/Institute can publish guidelines. Guidelines admissible in court.

Appendix B — Risk Factors (Examples)

Client Risk factors:

• Reduced transparency: lack of face-to-face introduction, unclear BO, inexplicable ownership changes, unnecessarily complex structure, client reluctant to provide information
• Transactions out of line: funds outside business profile, sudden activity from dormant client, extraordinary fees offered
• Higher risk sectors: cash-intensive, frequent Politically Exposed Person involvement, multijurisdictional without centralised oversight, bearer share jurisdictions

Service Risk: Pooled client accounts, advice on setting up legal arrangements, misuse of introductory services

Country Risk: Financial Action Task Force (FATF)-identified deficiencies, UN sanctions, significant corruption, terrorist activity support

Risk-decreasing factors: FIs/DNFBPs involvement, client sophistication, long-standing relationships with frequent contact, employment-based regular income, well-known reputable companies

Appendix C — Identity Verification Documents

Natural persons:

• HK residents: HKID card (name, DOB, ID number)
• Non-residents physically present: valid travel document
• Non-residents not present: valid passport OR national ID with photo OR valid driving licence with photo
• Minors: birth certificate + parent/guardian ID
• Address: residential + permanent address (if different)

Corporations:

• Full name, date/place of incorporation, registration number, registered office
• Certificate of incorporation, M&A/articles, ownership chart
• Company search report (within last 6 months) — certified by registry or professional third party
• Directors' names verified using Risk-Based Approach (RBA)

Beneficial owners of corporations: >25% share capital OR voting rights OR ultimate control. Follow chain through intermediate layers.

Trusts:

• BOs = beneficiaries (with vested interest), settlor, protector/enforcer, individual with ultimate control, trustee
• Verify by reviewing trust deed, appropriate register, or written confirmation from professional trustee/lawyer

Appendix D — Suspicious Transaction Indicators

Joint Financial Intelligence Unit (JFIU) Common Indicators:

• Large/frequent cash transactions
• "Structuring/smurfing" (many low-value transactions when one large would suffice)
• "U-turn" transactions (money passes A→B→A)
• Increased activity on first banking day after HK horse racing (Mon/Thu — illegal bookmaking)
• Shelf/shell companies, tax haven companies, company formation agents as signatories, remittance agents, casinos
• Currencies/countries associated with international crime/drug trafficking
• Clients refusing/unwilling to provide explanations, or providing untrue explanations
• Activity unexpected given client's profile
• Countries/nationals associated with terrorist activities
• Politically Exposed Person

General indicators:

• No apparent legitimate purpose/commercial rationale
• Unnecessary complexity
• Service/transaction out of ordinary range
• Size/pattern out of line with previous patterns
• Client refuses Customer Due Diligence (CDD) cooperation
• Business relationship used for single service/very short period
• Extensive use of trusts/offshore structures inconsistent with needs
• High-risk jurisdictions without reasonable explanation
• Unnecessary routing through third parties/accounts

Appendix E — Glossary (Key Terms)

PENALTIES AT A GLANCE

*Report compiled from HKICPA Code of Ethics Chapter F (318ncoe1225.pdf, December 2025 revision)*

*Point 1 (Legal Framework full details) to be covered separately*

#