HKMA rates level of money laundering and terrorist financing risk for SVF sector as medium

Last Friday, the Hong Kong Monetary Authority (HKMA) published its money laundering and terrorist financing (ML/TF) risk assessment report for the stored value facility (SVF) sector in Hong Kong.

The latest assessment confirms that the SVF sector continues to carry a medium level of ML/TF risk.

While the majority of the sector continues to be characterised by lower ML/TF risks (as indicated by the use of SVF products for low value transport and retail transactions), some pockets of higher ML/TF risks have emerged, arising from SVF products with functions such as overseas cash withdrawal and cross-border remittances.

SVF licensees should consider the HKMA’s report, and (where necessary) update their institutional ML/TF risk assessments and enhance their internal systems and controls.

Continue reading

Digital Banking Licences have arrived for non-bank players in Singapore

On 28 June 2019, the Monetary Authority of Singapore (MAS) announced that it will issue up to five new digital bank licences, which will effectively open digital banking business to non-bank players in Singapore. Announcing the measures at the 46th Annual Dinner of The Association of Banks in Singapore, Mr Tharman Shanmugaratnam, Senior Minister and Chairman of MAS, said that “the new digital bank licences mark the next chapter in Singapore’s banking liberalisation journey. They will ensure that Singapore’s banking sector continues to be resilient, competitive and vibrant.” MAS expects to invite applications for the licences in August 2019.

Continue reading

HKMA reminds registered institutions of their Internal Investigation Disclosure Obligation

Authors: William Hallatt, Hannah Cassidy, Natalie Curtis, Tess Lumsdaine and Isabelle Lamberton

The Hong Kong Monetary Authority (HKMA) has issued a circular to registered institutions (RIs) in relation to the frequently-asked questions (FAQs) released by the Securities and Futures Commission (SFC) on 21 May 2019, which sought to clarify the SFC’s Internal Investigation Disclosure Obligation.

In the circular, the HKMA reminds RIs that they also must comply with the Internal Investigation Disclosure Obligation, when notifying the SFC that an individual has ceased to act as its executive officer (EO), reflecting the SFC’s guidance in Question 9 of the FAQs.

The Internal Investigation Disclosure Obligation

On 1 February 2019, the SFC announced significant changes to its licensing forms and processes. Included in these changes was the introduction of the compulsory Internal Investigation Disclosure Obligation through the new Form 5U, which came into effect on 11 April 2019.

The Internal Investigation Disclosure Obligation requires RIs to provide information to both the SFC and the HKMA regarding:

  • whether departing EOs were the subject of an internal investigation in the six months prior to their cessation; and
  • details of this investigation, if such details have not previously been provided to the regulators.

Firms are also required to notify the SFC and HKMA as soon as practicable if an internal investigation into that individual is commenced subsequent to making the initial notification of cessation (for more details, please see our February 2019 bulletin).

The FAQs

On 21 May 2019, the SFC released the FAQs to clarify various aspects of the Internal Investigation Disclosure Obligation, including:

1. The scope of reportable investigations

It is now clear that the scope of reportable investigations is very wide, given that:

  • firms are required to proactively disclose information about all “investigative actions” (no matter how they are described in internal policies), regardless of whether the subject matter covers regulated or unregulated activities; and
  • no materiality threshold will apply to exclude low-level investigations that are of minimal significance from the obligation.

2. The level of detail required for disclosures

When making an internal investigation disclosure, firms are required to provide information on:

  • factual matters, including a description of the matter, background, relevant dates, duration, the role played by the outgoing employee, and status of the investigation;
  • an assessment of the (potential) impact to the market and clients, and materiality; and
  • if the investigation is completed, the outcome of the investigation and the basis of its conclusion.

3. The confidentiality applied to any disclosures made

In the FAQs, the SFC reiterated its statutory obligation under section 378 of the Securities and Futures Ordinance, and confirmed that it will not disclose information obtained under the new obligation to any other persons, including the outgoing employee and his/her prospective employer, unless otherwise permitted by law.

Although the HKMA’s circular is silent on this point, it is likely that the HKMA will take a similar approach to the sharing of information obtained under the obligation. However, given the scope of the obligation and the sensitive nature of the disclosures, a positive statement from the HKMA would be welcomed.

Final Thoughts

The HKMA’s circular has made clear that the HKMA is supportive of the SFC’s intention to ensure that individuals will no longer be permitted to escape regulatory scrutiny by simply resigning during the course of an investigation.

However, the Internal Investigation Disclosure Obligation is a significant enhancement of the prior notification requirements. We anticipate that firms will face a number of key issues in complying with this requirement, including navigating potential litigation risk from former employees, and considering what constitutes an “investigative action”.

William Hallatt
William Hallatt
Asia Head of Financial Services Regulatory, Hong Kong
+852 2101 4036
Hannah Cassidy
Hannah Cassidy
Partner, Hong Kong
+852 2101 4133
Natalie Curtis
Natalie Curtis
Partner, Singapore
+65 6868 9805
Tess Lumsdaine
Tess Lumsdaine
Registered Foreign Lawyer (New South Wales, Australia), Hong Kong
+852 2101 4122

Isabelle Lamberton
Isabelle Lamberton
Registered Foreign Lawyer (New South Wales, Australia), Hong Kong
+852 2101 4218

HKMA takes first step towards regulating the use of big data analytics and artificial intelligence in FinTech

Authors: Hannah Cassidy, Jeremy Birch, Sheena Loi and Peggy Chow

The Hong Kong Monetary Authority (HKMA) has issued a circular to encourage authorised institutions to adopt the “Ethical Accountability Framework” (EAF) for the collection and use of personal data issued by the Office of the Privacy Commissioner for Personal Data (PCPD). A report on the EAF was published by the PCPD in October 2018 (Report), which explored ethical and fair processing of data through (i) fostering a culture of ethical data governance and (ii) addressing the personal data privacy risks brought by emerging information and communication technologies such as big data analytics, artificial intelligence and machine learning.

The EAF is expressly stated to be non-binding guidance, intended as a first step towards a privacy regime better equipped to address modern challenges. However, the HKMA’s circular arguably elevates the legal status of the EAF for authorised institutions. The HKMA is likely to incorporate the EAF into its broader supervision and inspection of authorised institutions. In particular, in construing the principles based elements of the Supervisory Policy Manual as it applies to FinTech, the EAF will undoubtedly have an influence going forward.

Tension between the value of data-processing technology and public trust

Big data has no inherent value in its raw form. Its value lies in the ability to convert that data into useful information for organisations, which can then generate knowledge or insight relating to clients or the market as a whole through data analytics or artificial intelligence. Ultimately, this insight results in competitive advantage. However, a tension exists between (i) developing data-processing technology to gain a competitive advantage; and (ii) addressing public distrust arising from the data-intensive nature of such technology.

As the Report highlights, the existing regulatory regime in Hong Kong does not adequately address the privacy and data protection risks that arise from advanced data processing. Big data analytics and artificial intelligence in particular pose challenges to the existing notification and consent based privacy legal framework. These challenges are not limited to the legal framework in Hong Kong. The privacy and data protection legislations on an international level are also ill-equipped to anticipate advances in data-intensive technology.

Back

Data stewardship accountability

The PCPD sees the need to provide guidance on how institutions could act ethically in relation to advanced data-processing to foster public trust. It reminds institutions to be effective data stewards, not merely data custodians. Data stewards take into account the interests of all parties and consider whether the outcomes of their advanced data processing are not just legal, but also fair and just.

The PCPD also encourages data stewardship accountability, which calls for institutions to define and translate stewardship values into organisational policies, using an “ethics by design” approach. This approach requires institutions to have data protection in mind at every step and to apply the principles of privacy by default and privacy by design. Privacy by default means that once a product or service has been released to the public, the strictest privacy settings should apply by default. Privacy by design, on the other hand, requires organisations to ensure privacy is built into a system during the entire life cycle of the system. Ultimately, data stewardship should be driven by policies, culture and conduct on an organisational level, instead of technological controls.

Both the privacy by design and the privacy by default principles are mandatory requirements under the EU General Data Protection Regulation (GDPR). The legal development trend is for Asian-based privacy regulators to, whether by means of enacting new laws (e.g. India) or issuing non-mandatory best practice guidance to encourage data users to meet the higher standards under GDPR.

Back

Data stewardship values

The PCPD encourages institutions to adopt the three “Hong Kong Values”, whilst providing the option to modify each value to better reflect their respective cultures. The three Hong Kong Values listed below are in line with the various Data Protection Principles of the Personal Data (Privacy) Ordinance (Cap. 486):

(i)   The “Respectful” value requires institutions to:

  • be accountable for conducting advanced data processing activities;
  • take into consideration all parties that have interests in the data;
  • consider the expectations of individuals that are impacted by the data use;
  • make decisions in a reasonable and transparent manner; and
  • allow individuals to make inquiries, obtain explanations and appeal decisions in relation to the advanced data processing activities.

(ii)   The “Beneficial” value specifies that:

  • where advanced data-processing activities have a potential impact on individuals, organisations should define the benefits, identify and assess the level of potential risks;
  • where the activities do not have a potential impact on individuals, organisations should identify the risks and assess the materiality of such risks;
  • once the organisation has identified all potential risks, it should implement appropriate ways to mitigate such risks.

(iii)   The “Fair” value specifies that organisations should:

  • avoid actions that are inappropriate, offensive or might constitute unfair treatment or illegal discrimination;
  • regularly review and evaluate algorithms and models used in decision-making for any bias and illegal discrimination;
  • minimise any data-intensive activities; and
  • ensure that the advanced data-processing activities are consistent with the ethical values of the organisation.

The PCPD also encourages institutions to conduct Ethical Data Impact Assessments (EDIAs), allowing them to consider the rights and interests of all parties impacted by the collection, use and disclosure of data. A process oversight model should be in place to ensure the effectiveness of the EDIA. While this oversight could be performed by internal audit, it could also be accomplished by way of an assessment conducted externally.

Back

International Direction of Travel

The approach outlined above is not unique to Hong Kong. In fact, at the time the EAF was announced by the PCPD in October 2018, the 40th International Conference of Data Protection and Privacy Commissioners released a Declaration on Ethics and Protection in Artificial Intelligence (Declaration) which proposes a high level framework for the regulation of artificial intelligence, privacy and data protection. The Declaration endorsed six guiding principles as “core values” to preserve human rights in the development of artificial intelligence and called for common governance principles on artificial intelligence to be established at an international level.

It is clear that there is a global trend toward ethical and fair processing of data in the application of advanced data analytics. For instance, the Monetary Authority of Singapore has formulated similar ethical principles in the use of artificial intelligence and data analytics in the financial sector, announced in November 2018. Another example is the EU’s GDPR’s specific safeguards related to the automated processing of personal data that has, or is likely to have, a significant impact on the data subject, to which the data subject has a right to object. Specifically, a data protection impact assessment assessing the impact of the envisaged processing operations must be carried out before such processing is adopted, if such processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons after taking into account the nature, scope, context and purposes of the processing.

Although this may appear to be a relatively minor development in Hong Kong, we see this as a step in a broader movement toward the regulation of AI and a sea change in the approach to data protection and privacy. The HKMA circular and the EAF are in line with the global data protection law developments, which are largely being led by the EU.

Back

Hannah Cassidy
Hannah Cassidy
Partner, Hong Kong
+852 2101 4133
Jeremy Birch
Jeremy Birch
Partner, Hong Kong
+852 2101 4195
Sheena Loi
Sheena Loi
Senior Consultant, Hong Kong
+852 2101 4146
Peggy Chow
Peggy Chow
Senior Associate TMT/Data Protection, Singapore
+65 6868 8054

HKMA and SFC issue joint circular following co-ordinated inspections which reveal risky financial arrangements and deficient lending practices

Authors: William Hallatt, Hannah Cassidy and Valerie Tao

On 24 April 2019, the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) issued a joint circular on their recent co-ordinated inspections of a bank and an SFC licensed corporation (LC) within a Mainland-based group.

The inspections identified two key areas of concern:

  • The group had adopted complex structures and opaque financing arrangements, which may have concealed financial risks and made it difficult to conduct rigorous risk assessment.
  • There were deficiencies in the lending practices of the bank within the group.

The regulators have indicated that this is not a one-off case and encourage institutions with similar structures and arrangements to conduct a review urgently and take action to mitigate risks.

This is not the first time the HKMA and the SFC have undertaken co-ordinated inspections, but is a relatively new collaborative approach. The SFC has recently stated that, as part of its front-loaded regulation, it will be conducting more joint supervisory exercises with the HKMA.

The regulators have indicated in the circular that they have also been coordinating with Mainland regulators to share information and observations derived from their supervisory work.

Continue reading

HKMA turns up the heat and announces consultation on IBOR transition

On 12 February 2019, the Hong Kong Monetary Authority (HKMA) announced in a briefing to the Legislative Council Panel on Financial Affairs that the Treasury Markets Association (TMA) will hold a long-awaited consultation this quarter on alternative reference rates.

The announcement follows signals from regulators globally that firms should transition away from the London Interbank Offered Rate (LIBOR) and other IBORs to alternative, risk-free, reference rates.

While there is no immediate plan to discontinue the Hong Kong Interbank Offered Rate (HIBOR), the HKMA noted that “as a FSB member, [the HKMA] has an obligation to put in place an alternative reference rate as a contingent fall-back”, tentatively suggesting the HKD Overnight Index Average (HONIA) as the most suitable alternative. Click here to read more.

HERBERT SMITH FREEHILLS’ 2019 GUIDE TO CORPORATE INVESTIGATIONS IN CHINA

Authors: Kyle Wombolt and Anita Phillips

Kyle Wombolt, global head of corporate crime and investigations, and Anita Phillips, professional support consultant, have updated their guide to corporate investigations in China. This forms part of GIR’s acclaimed text, The Practitioner’s Guide to Global Investigations 2019, third edition. It is regarded as the only text covering the nuts and bolts of multi-jurisdictional corporate investigations.

Continue reading

Corporate Crime update – December 2018

Welcome to the December 2018 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters.

This month, we would like to wish all of our regular readers a very happy, and hopefully corporate crime free, festive season! 

For the full update on each jurisdiction, please click on the name of the jurisdiction below. Continue reading

HKMA set to turn up the heat on bank culture in 2019

On 19 December 2018, the Hong Kong Monetary Authority (HKMA) announced that it will introduce supervisory measures (Supervisory Measures) focused specifically on measuring authorised institutions’ (AI) progress in implementing reforms to their culture. The Supervisory Measures include requiring AIs to complete and return self-assessment forms regarding their culture to the HKMA, and undertaking on-site reviews focused specifically on culture. For our full briefing on the supervisory measures, please click here

William Hallatt
William Hallatt
Head of Financial Services Regulatory, Asia, Hong Kong
+852 2101 4036
Gareth Thomas
Gareth Thomas
Partner, Hong Kong
+852 2101 4025
Hannah Cassidy
Hannah Cassidy
Partner, Hong Kong
+852 2101 4133
Emily Rumble
Emily Rumble
Associate, Hong Kong
+852 2101 4225

From offline to online: upholding investor protection in sale of complex products

As investment services go digital, Hong Kong regulators have found it necessary to issue tailored guidance to protect investors.

From 6 April and 23 August 2019 respectively, new guidelines from the Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority will increase the regulatory requirements for financial institutions offering investment products via online platforms. Continue reading