Introduction

As the FinTech and payment space evolves, novel and innovative payment products and services have emerged in the market. This has prompted the Hong Kong Monetary Authority (“HKMA”) to introduce a new regulatory framework for Stored Value Facilities (“SVF”) in 2015. Since then, SVFs have grown considerably and have been rivaling “traditional” payment means including credit cards. By the end of the third quarter of 2021, there were 65.57 million SVF accounts in use and the total value of SVF transactions in the third quarter of 2021 was HK$73.2 billion (representing a 16.6% increase from the previous quarter). To compare, this is approximately 41.2% of the total value of credit card transactions[1] during the same time period.

So what is an SVF?  SVF is regulated under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584) (“PSSVFO”).  Pursuant to section 2A of the PSSVFO, a facility is an SVF if: (1) it may be used for storing the value of an amount of money that is paid into the facility from time to time, and may be stored on the facility under the rules of the facility; and (2) it may be used as a means of making payments for goods or services and/or as a means of making payments to another person under an undertaking given by the issuer. Some typical examples of SVFs in Hong Kong would be the Octopus Card and prepaid cards.

Under Section 54(1A)(b) of the PSSVFO, the HKMA issued the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism for SVF Licensees (“Guideline”). In view of the increasing use of SVF in Hong Kong, this newsletter serves as a reminder to industry players about the importance of effective internal controls in preventing and identifying risks in relation to money laundering and terrorist financing (“ML/TF”) involving SVF. This is often an overlooked matter as the majority of the SVF sector can be considered as having lower ML/TF risks considering its business nature (though higher risk situations may emerge as the SVF business evolves).

Recent HKMA’s disciplinary actions on SVF licensees

Recently, the HKMA has taken disciplinary actions against two SVF licensees respectively, namely ePaylinks Technology Co., Limited (“ePaylinks”) and 33 Financial Services Limited (“33FS”), both failing to have in place adequate and appropriate systems of control to ensure compliance with the Guideline in areas regarding transaction monitoring and name screening.   These are the first and second disciplinary actions taken by the HKMA against SVF licensees in respect of anti-money laundering failures.

Transaction monitoring

ePaylinks was found to have failed to continuously monitor the relevant transactions:

1. 1. ePaylink’s automated transaction monitoring system (“ePaylink’s System”) had generated a substantial amount of alerts but were not cleared;
      
   2. For certain type of transactions, ePaylink had set up parameters for monitoring purposes.  Yet, some parameters were set at a value higher than the respective transaction limits, hence no alerts would be generated for the purpose of scrutiny.  Further, the parameters were set in HKD only and the ePaylink’s System cannot convert transactions in other common currencies such as USD or RMB into HKD; and
      
   3. From November 2016 to May 2019, ePaylink’s System monitoring was rather restrictive and top-up transactions were not monitored.  In particular, it failed to target certain typical suspicious transaction patterns such as structuring, smurfing, U-turn, etc.

Similarly, 33FS was found to have failures including:

1. 1. 33FS’s monitoring system (“33FS’s System”) would generate reports from time to time but there lacked adequate and appropriate guidance in its policies and procedures for its staff regarding the review of such reports.  Hence, its staff may have failed to identify or recognise signs of ML/TF even when the transactions were reviewed;
      
   2. In some of the transactions, 33FS found them to be suspicious and when 33FS made the relevant enquiries, it was clear that the customers could not explain the background and purpose of the transactions well.  However, 33FS simply accepted the explanations on their face value;
      
   3. Some cards issued by 33FS have been used for overseas cash withdrawals through automated teller machines and such withdrawals have been funded by third-parties.  For each of these transactions, 33FS failed to examine their background and purpose.  33FS also ignored its internal control measures (on not allowing third-party’s deposits and not accepting corporate customers for issuing reloadable cards) and the relevant red flags in its internal policy and examples from the Guideline; and
      
   4. 33FS’s findings from its distributor or customers relating to transactions, and its rationales for clearance of alerts were not documented in writing.

Name screening

Both ePaylinks and 33FS failed to implement an effective name screening mechanism.  In particular, both ePaylinks and 33FS did not conduct name screening on their respective customers subsequent to their onboarding, when the name screening databases were updated.  

As a result, the HKMA reprimanded ePaylinks and 33FS and ordered them to pay a pecuniary penalty of HK$1,000,000 and HK$875,000 respectively.

The Guideline

Referring to the aforementioned cases concerning ePaylinks and 33FS, the HKMA has found that these SVF licensees had failed to comply with the Guideline in areas of customer due diligence, ongoing monitoring and terrorist financing, financial sanctions and proliferation financing, particularly paragraphs 5.1 and 6.16 of the Guideline.

Paragraph 5.1 of the Guideline

Paragraph 5.1 of the Guideline states that ongoing monitoring is an essential component of effective anti-money laundering and counter-financing of terrorism systems and that SVF licensees should continuously monitor its business relationship with a customer in two aspects: (i) ongoing client due diligence (“CDD”), mainly through reviewing from time to time customer information to ensure they are up-to-date and relevant, and (ii) transaction monitoring (the area where both ePaylinks and 33FS have failed to comply with), mainly through conducting appropriate scrutiny of transactions to ensure they are consistent with the nature of the customer and identifying complex and unusual transactions for examination with findings duly recorded.

General points worth noting regarding transaction monitoring:

1. 1. Establishing and maintaining adequate systems and processes to monitor transactions are essential. The design of transaction monitoring systems and processes should take into account  factors including the size and complexity of the licensee’s business and the nature of the licensee’s products and services.
      
   2. Transaction characteristics like the nature and type of transactions should be taken into account when designing transaction monitoring systems.
      
   3. Appropriate steps should be taken (including examining the background and purposes of the transaction and making appropriate enquiries) in respect of suspicious transactions.
      
   4. The findings and outcomes from examinations and enquiries made to customers, as well as the rationale of any decision made afterwards, should be documented in writing. The records should also be available to the HKMA, other competent authorities and auditors.

Paragraph 6.16 of the Guideline

Paragraph 6.16 of the Guideline states that SVF licensees should implement an effective screening mechanism[2] in order to avoid establishing business relationship or conducting transactions with any terrorist suspects and possible designated parties.

General points worth noting regarding screening:

1. Customers and beneficial owners should be screened against (a) current database at the establishment of the relationship and (b) new and any updated designations to the database as soon as practicable.
2. All relevant parties in a cross-border wire transfer should be screened against current database before the transfer is executed.
   

Conclusion

These are the first two AML disciplinary actions by the HKMA against SVF licensees.  This is a strong message from the HKMA to all of the SVF licensees that they are also subject to the same AML requirements as banks.  Further, even though the majority of the SVF sector can be characterised as having lower ML/TF risks, as mentioned in the introduction, it is important to note that higher risk situations can emerge as a licensee’s business model scale and evolve. This has been clearly demonstrated in one of HKMA’s findings in the 33FS case, where higher ML/TF risks have indeed emerged as third-party deposits fund overseas cash withdrawals through automatic teller machines.

Policies, procedures and internal controls should be in line with the Guideline and the ever evolving business of the licensee such that they are effective in identifying possible ML/TF risks and in line with the latest anti-money laundering requirements.