Hong Kong Top Compliance Risks

Over the last 12 months, there has been an unprecedented period of uncertainty and disruption globally. In Hong Kong SAR (HKSAR), the period of uncertainty stretched to 24 months, as the social unrest that began in March 2019 led to heightened geopolitical tensions even before the COVID-19 pandemic hit in early 2020. These two incidents contributed to changes in regulatory priorities and programs and forced financial institutions (FIs) to scramble to implement remote working arrangements and overhaul their businesses and operating models. As we embark on the Lunar New Year of the Ox, there are positive signs on the horizon, with vaccine campaigns showing encouraging results, travel bubble initiatives resuming and life starting to return to normal in some areas.

Against this backdrop, the HKSAR financial services industry is expected to see a healthy, albeit slow, recovery in 2021, as HKSAR continues to be a conduit for both inbound capital into mainland China and Chinese outbound investment. This includes opportunities for HKSAR to entrench further its role as the APAC financial service hub and its ambition to become a center for sustainable and green finance. In addition, fueled by the pandemic, FIs are accelerating their digital transformation while keeping customer-centricity at the heart of their strategies. From a regulatory standpoint, we anticipate stronger enforcement covering everything from economic sanctions to ever-present financial crime and cybersecurity concerns.

Considering these challenges, we’ve identified eight topics, in no particular order, that we think should be top of mind for HKSAR compliance professionals this year. Keeping this list to eight was by no means an easy task, and it is not meant to be considered an exhaustive list of the challenges facing compliance teams in HKSAR. We offer a brief commentary on each topic that is specifically relevant to HKSAR FIs, while bearing in mind that they do not apply to all types of FIs equally.

1. Geopolitical Risk

In the current global environment, there are many geopolitical risks facing FIs. It probably goes without saying that there is none bigger than the United States (U.S.) sanctions regime. As we are aware by now, in July 2020 the U.S. signed into law the Hong Kong Autonomy Act (HKAA) and issued an accompanying Executive Order. Both authorize the imposition of sanctions on foreign persons, including foreign FIs, engaged in certain conduct relating to HKSAR. This added complexity for firms, depending on the jurisdictions in which they operate, their customer base, or the services they offer their customers.

To complicate matters further, although the Hong Kong Monetary Authority (HKMA) responded with a circular stating that these “unilateral sanctions” had no legal status in Hong Kong,[1] the reality is that they pose a range of challenges for FIs with dealings in HKSAR. The position of the U.S. as the world’s leading economy and the dominance of the U.S. dollar in international commerce and finance operations give the U.S. strong extraterritorial enforcement authority over any transaction that occurs in U.S. dollars (USD). In the past, the Office of Foreign Assets Control (OFAC) sanctions targeted countries where HKSAR FIs would have little or no business, and it was simple to have a blanket policy of prohibiting dealings with those countries/individuals. However, in the context of the new sanctions, FIs will need to tread more carefully to determine applicability and impact.

Key Takeaways:

  • Ensure your U.S. sanctions compliance program is up to date;
  • Implement transaction monitoring, particularly for transactions conducted in USD; and
  • Review your sanctions exposure resulting from existing and new relationships (i.e., consider whether the client is a sanctioned individual, or an entity in which sanctioned individuals own 50% or more). Special care must be taken as ownership may be indirect.

2. Anti-Money Laundering and Counter-Financing of Terrorism Practices & Regtech

The pandemic has caused clear operational challenges with regard to Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) practices, such as the difficulties in carrying out face-to-face customer due diligence, delays in reviewing alerts, the changes in financial behaviors due to remote/online transactions, and the impact on predicate crimes (i.e., human trafficking and the exploitation of workers), just to name a few. The HKMA has shared observations and industry practices to assist FIs in their efforts to cope with new AML/CFT risks.[2] In its guidance, the HKMA also refers to the Financial Action Task Force (FATF) “Update: COVID-19-related Money Laundering and Terrorist Financing” for case studies of how criminals continue to exploit the global financial system.[3] As such, the HKMA reiterates that the principle of the risk-based approach (RBA) provides the flexibility to be both pragmatic and responsive to the challenges of the evolving COVID-19 situation.

To counter the increase in criminal activity, FIs are building out their risk management teams and exploring the adoption of Regtech solutions. In HKSAR, about 90% of all retail banks have either launched or plan to launch remote on-boarding for individuals using Regtech.[4] There has also been a strong growth in testing remote on-boarding initiatives for corporate customers through the HKMA Fintech Supervisory Sandbox. Notably, the HKMA issued a circular in September 2020 to articulate key principles in relation to remote on-boarding of corporate customers based on use cases and proposals.[5]

In January 2021, the HKMA published a report titled “AML/CFT Regtech: Case Study and Insights”, highlighting the opportunities Regtech offers to transform the efficiency of AML/CFT practices.[6] The report details case studies and insights from banks that have successfully implemented technologies, including network analytics and robotic process automation (RPA). Examples include applying RPA to name screening, adverse media searches and transaction monitoring alert investigations. As regulatory complexity continues to increase, having cutting-edge technology will be a critical tool to help navigate the compliance landscape.

Key Takeaways:

  • Remain informed on evolving AML/CFT risks with regard to COVID-19;
  • Recognize the importance of early and continuing stakeholder buy-in for the adoption of Regtech solutions; and
  • Establish a clear roadmap to track and measure success to support your vision for AML/CFT Regtech.

3. Environmental, Social and Governance Criteria in the Financial Sector

Environmental, Social and Governance (ESG) issues are seeing a surge in popularity which only promises to grow throughout 2021. Notably, China made a bold call in September last year, with President Xi pledging that the country will achieve carbon neutrality before 2060, while New Zealand became the first country to require the financial sector to report on climate risk. Meanwhile, in one of the few bright spots for a corporate lending market depressed by the pandemic, a growing number of borrowers across APAC are obtaining loans with interest rates linked to meeting sustainability goals. As such, we expect the cost of capital to increase for FIs that do not actively manage sustainability matters, particularly those related to climate risk.

In HKSAR, the HKMA is teaming up with the International Finance Corporation to help commercial banks address climate change as it seeks to cement the city’s place as a hub for green financing, with US$29 trillion in green and climate investment opportunities expected globally over the next decade.[7] To that end, in June 2020 the HKMA published the “White Paper on Green and Sustainable Banking” outlining its initial views on the expectations for authorized institutions in addressing climate-related issues.[8] The development of supervisory expectations forms part of a phased approach introduced by the HKMA in May 2019 aimed at encouraging the adoption of green and sustainable banking in HKSAR.

The HKMA is proposing to launch a formal consultation in the first half of 2021 on supervisory expectations related to climate disclosures. In two further circulars entitled “Range of Practices for Management of Climate Risks” and “Climate Risk Stress Test”, the HKMA further unveiled plans to conduct a climate risk stress test exercise in 2021 to assess the resilience of the banking sector as a whole.[9]

Key Takeaways:

  • Draft ESG policies and procedures tailored to your business practice with a specific consideration to climate risk;
  • Institutionalize the monitoring of climate-related risks; and
  • Ensure the board has sufficient oversight of climate strategy development and implementation.

4. COVID-19-related Financial Fraud

The number of technology-based crimes in HKSAR doubled to more than 6,400 in the first half of 2020, with monetary losses totaling HKD$1.52 billion.[10] As such, working from home arrangements made employees “vulnerable” to online criminals.[11] This is particularly relevant for remote banking staff, targeted by fraudsters through impersonation and phishing attacks. It has created both primary risks for FIs – as they may unwittingly process payments or even provide financing on behalf of fraudulent traders – and secondary risks, as perpetrators attempt to launder the proceeds of crime through the financial system. In response, the Securities and Futures Commission (SFC) published a circular reminding licensed corporations to assess their operational capabilities and implement appropriate measures to manage cybersecurity risks.[12]

For further guidance, the Fraud and Money Laundering Intelligence Taskforce (FMLIT), a public-private partnership of information sharing in HKSAR, has established an Operation Priority on COVID-19-related deceptions delivering alerts and case-based intelligence. In addition, the Fraud Risk Management Taskforce, established under the Hong Kong Association of Banks (HKAB) in May 2020, broadcasted a video clip on television to remind the public to stay alert for COVID-19-related fraudulent activities and has shared good practices on fraud prevention and detection with the industry. A session was also held by the HKAB, with the HKMA’s support, in September 2020 to share financial crime trends observed, and challenges encountered, during COVID-19, and good practices of FIs in managing and mitigating AML/CFT risks.[13]

Key Takeaways:

  • Ensure the three pillars of cybersecurity – people, processes and technology – work together to create a sturdy defense network against COVID-19-related fraud; and
  • Review the controls and procedures in place for remote working arrangements with regard to cybersecurity risks.

5. Virtual Banks

In a move to propel HKSAR into the smart banking era, the HKMA made up for its initial fintech hesitation by welcoming applications for “virtual banks” in 2018. Eight virtual banks were granted licenses in 2019, but most started operations in the midst of the pandemic due to previous licensing issues. Since Q4 2020 and continuing through today, virtual banks have been winning over traditionally underserved younger customers and small and medium enterprises (SME) with more attractive interest rates on savings and loans, which they are able to offer in the absence of costly branch networks as well as with more user-friendly customer apps. As such, online-only banks challenge the traditional banking system by leveraging customer data and analytics to digitally deliver hyper-personalized services and engage customers in new and differentiated ways.

However, for these new entrants, making a splash with attractive rates was just the first step. The real challenge is just beginning as virtual banks confront a crowded marketplace and deal with tightening regulations in areas such as risk management and data protection.[14] To compete, virtual banks must demonstrate that they have an outstanding proposition, as well as the strategic, operational and financial resources needed to operate in a dynamic banking environment, all while meeting regulatory standards. In this regard, HKSAR virtual banks have one advantage – while digital banks in other geographies are often startups, Asian digital banking is largely driven by established companies and consortia. Despite structural challenges with regard to governance, consortia bring significant advantages in terms of scalability, which is essential to establish a robust regulatory framework.

Key Takeaways:

  • Leverage unique capabilities to provide a differentiated service and identify a clear path to profitability; and
  • Promote financial inclusion by targeting the retail segment, younger populations and SMEs.

6. Virtual Asset Platforms

During Hong Kong Fintech Week held in November 2020, the CEO of the SFC announced a ground-breaking legislative proposal to introduce a new licensing regime for virtual asset (VA) trading platforms. On the same day, the Financial Services Treasury Bureau (FSTB) released a consultation paper, explaining that under the proposed regime, all VA platforms operating in HKSAR, or targeting HKSAR investors, must be licensed, regulated and monitored by the SFC, regardless of whether the virtual assets they trade are “securities” or not. In other words, VA platforms can no longer stay outside of the SFC’s current “opt in” licensing regime by simply avoiding the inclusion of securities on their platform. The move is aimed to rectify the significant limitations of the current framework and align HKSAR with the legislative practices of other Asian financial centers, namely Japan and Singapore.

For the platforms that have so far remained outside of the SFC’s regulatory net, the issue to consider is no longer “Should I get an SFC license?” but rather “Should I structure my business to ensure I can secure a license before the regime is officially introduced?” Platforms with a retail focus will face the more imminent choice between changing their business model to focus on professional investors or exiting the HKSAR market. While the new regime will undoubtedly have a significant impact on many players, it will take some time before it comes into effect, as the proposed changes need to go through the legislative process first.

Key Takeaways:

  • Understand the licensing conditions and their applicability to your business;
  • Determine course of action (i.e., engage in the license application process, make changes to your business model or exit the HKSAR market); and
  • If appropriate, implement risk management policies and procedures for managing AML/CFT, cybersecurity and other risks arising from a regulated virtual asset activity.

7. LIBOR Transition

The London Interbank Offered Rate (LIBOR), viewed by some as the most important number in the financial markets, was originally set to be phased out by the end of 2021. Accommodating this change was never going to be an easy task for the financial services industry, and then there was COVID-19. Many FIs appeared to table, or at least slow, transition efforts as they dealt with the impact of the pandemic and other priorities, notwithstanding persistent reminders from regulators that the deadline was firm.

Then, in a reversal of fortune for the industry, on March 5, 2021, the ICE Benchmark Administration (IBA), which administers LIBOR, announced the following:

  • It will cease the publication of sterling, euro, Swiss franc and Japanese yen LIBOR settings and the one-week and two-month USD LIBOR settings immediately following the LIBOR publication on December 31, 2021.
  • It will extend the publication of the overnight and one-month, three-month, six-month and 12-month USD LIBOR settings, ceasing them immediately following the LIBOR publication on June 30, 2023.

The U.K. Financial Conduct Authority (FCA), which regulates LIBOR, chimed in with similar enthusiasm, stating that all 35 LIBOR settings will either cease to be provided by any administrator or no longer be representative by the dates set by IBA.

According to the HKMA,[15] at the end of September 2020, HKD$4.8 trillion of assets and HKD$1.4 trillion of liabilities (30% and 10% respectively of the banking system’s total assets) had exposure to LIBOR in the HKSAR banking system. This does not include derivatives contracts that have an estimated exposure in aggregate of approximately HKD$31.6 trillion in notional value referencing LIBOR. Nearly half of all assets and liabilities referencing LIBOR have scheduled maturities after year-end 2021.

While we can certainly question why regulators didn’t pause the transition process earlier when it was apparent that the industry was struggling to keep pace, the extension, which is now confirmed, will provide needed relief for the industry and contribute to a more orderly transition with better outcomes. We resisted our own urge to blink by removing this from the 2021 priority list, but we believe there is still much work to be done that can’t wait until 2023.

Key Takeaways:

  • Understand your firm’s exposure to products referencing LIBOR;
  • Do not wait until 2023 to start the transition process;
  • Include adequate fallback provisions in all newly issued LIBOR-linked contracts; and
  • Be able to offer products with an alternative reference rate.

8. Compliance Program Transformation

COVID-19 accelerated the digital agenda for many FIs. These agendas are related not only to how customers are engaged but also to how the work within the institution gets done. To meet these challenges, the compliance function will need to adapt faster than ever. Decisions on how the compliance function changes will need to ensure:

  • Processes are optimal and sustainable;
  • There is alignment between technologies that have been deployed and the institution’s target operating model;
  • Technology partners are able to deliver the expected results;
  • The existing compliance workforce is able to adapt to new technologies;
  • The changes made will deliver on the strategic cost reductions that FIs hoped would accompany their digital transformation programs; and
  • Both management and regulators agree the choices made and the benefits of those choices can be optimized, and the risks mitigated.

Key Takeaways:

  • Understand the skills and capabilities of the current team;
  • Identify areas that need enhancement to embrace the digital future; and
  • Identify technologies that can support your transformation goals.

You may be asking why other issues did not make our list — third-party risk management, cybersecurity, conduct risk and compliance risks associated with new and emerging products such as cryptocurrency, to name but a few. Rest assured, we considered all of these and more. Some are embedded in the topics addressed above, and all are contenders for their own spot on the list as we update it throughout the year. If you have other ideas, we welcome your input.

[1] HKMA Circular, “Financial Sanctions”, 8 August 2020.

[2] HKMA Circular, “Coronavirus Disease (COVID-19) and Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) measures”, 30 July 2020.

[3] HKMA Circular, “Coronavirus disease (COVID-19) and Money Laundering and Terrorist Financing (ML/TF) risks – An Update”, 31 December 2020 and FATF “Update: COVID-19-related Money Laundering and Terrorist Financing Risk”, December 2020.

[4] Figures according to the HKMA circular “AML/CFT Regtech: Case Study and Insights”, January 2021. See also the HKMA Circular, “Promoting Regtech Adoption in Hong Kong”, July 2020.

[5] HKMA Circular, “Remote on-boarding of corporate customers”, 24 September 2020.

[6] Same as above.

[7] Figures from SCMP article: “HKMA joins new alliance on green financing as US$29 trillion in opportunities expected over next decade”, 9 November 2020.

[8] HKMA White Paper, “Green and Sustainable Banking”, June 2020.

[9] HKMA Circular, “Range of Practices for Management of Climate Risks”, 7 July 2020 and HKMA Circular “Climate Risk Stress Test”, 4 December 2020.

[10] Figures from SCMP article: “Cybercrime surges in Hong Kong as Covid-19 work-from-home arrangements leave people ‘vulnerable’ to fraudsters”, 8 September 2020.

[11] Figures from SCMP article: “Cybercrime surges in Hong Kong as Covid-19 work-from-home arrangements leave people ‘vulnerable’ to fraudsters”, 8 September 2020.

[12] SFC Circular, “Circular to licensed corporations Management of cybersecurity risks associated with remote office arrangements”, 29 April 2020.

[13] Please refer to HKMA Circular, “Coronavirus disease (COVID-19) and Money Laundering and Terrorist Financing (ML/TF) risks – An Update”, 31 December 2020.

[14] McKinsey Report, “Joining the next generation of digital banks in Asia”, 26 January 2021.

[15] Reform of Interest Rate Benchmarks
