| Stage in life cycle | SIs | AIs and SVFs |
| Preparatory – risk assessment |
- Adopt a risk-based approach (RBA)
- Identify, assess and understand the money laundering and terrorist financing risks (ML/TF risks) associated with its stablecoin activities
- Design and implement AML/CFT measures, policies, procedures and controls commensurate with the ML/TF risks to manage and mitigate them effectively (collectively, “AML/CFT Systems”)
- ML/TF risk assessment should:
  - consider customer risk factors; country risk factors; product, service or transaction risk factors; and delivery channel risk factors to assess ML/TF vulnerabilities
  - follow a structured process and be properly documented, with qualitative and quantitative analysis to support the identification and assessment of the relevant risks
  - take account of all relevant risk factors before determining the overall risk level and the appropriate type and level of mitigation
  - have assessment results approved by senior management
  - have a process in place for keeping the risk assessment up-to-date, including assessing and identifying ML/TF risks in the development or use of new products, new business practices, new delivery mechanisms, or technologies, before launch
  - have appropriate mechanisms to provide the risk assessment to the HKMA when required
  - consider risks identified in other published risk assessments (e.g. Hong Kong’s jurisdiction-wide ML/TF risk assessment) and higher risks notified by the HKMA or law enforcement agencies from time to time
|
- Equivalent obligations apply in assessing ML/TF risks and implementing effective AML/CFT Systems
|
| Customer due diligence (CDD) – when to perform? |
- Before establishing a business relationship with a customer
- Before carrying out an occasional transaction (e.g. issuing or redeeming stablecoin) involving an amount equal to HK$8,000 or above for a customer
- Whenever suspicion arises that the customer or its account is engaged in ML/TF
- Whenever doubts arise over the veracity or adequacy of information previously obtained for identifying or verifying the customer’s identity
|
- Equivalent obligations apply with some variations in operational details
|
| CDD – targets |
- Stablecoin holder
- Where stablecoin holder is not a natural person:
  - beneficial owner(s) (i.e. any natural person who ultimately has an ownership interest of more than 25%, or any natural person exercising control of the stablecoin holder or its management)
  - director(s)
  - person purporting to act on behalf of the stablecoin holder (“PPTA”)
- Permitted offeror(s) appointed by the SI (if any) for offering the stablecoins issued by the SI are customers of the SI, for CDD purposes
|
- Equivalent obligations apply, although “permitted offeror(s)” of stablecoins is specific to the stablecoin regime
|
| CDD – what are the measures? |
- Identify and verify a customer’s identity using documents, data or information provided by a reliable and independent source
- Obtain information on the purpose and intended nature of the customer’s activities relating to stablecoin
- Identify and verify the identity of any PPTA and his/her authority to act on behalf of the customer
- Information to be obtained on a natural person includes:
  - full name
  - date of birth
  - nationality
  - residential address
  - unique identification number and identity document type
- Information to be obtained on a legal person other than a natural person:
  - full name
  - date and place of incorporation, establishment or registration
  - unique identification number and identification document type
  - principal place of business or registered office address
|
- Equivalent obligations apply with respect to AI or SVF customers and their activities
|
| CDD – non-face-to-face or remote channel |
- Verify the identity of a customer based on data or information provided by a digital identification system that is a reliable and independent source recognised by the HKMA
- Employ appropriate technology solutions to mitigate risks (particularly, impersonation risks), which should cover:
  - identity authentication – to ensure reliability of the data or information obtained through electronic channels
  - identity matching – to link the natural person customer incontrovertibly to the identity data and information obtained for identity authentication
|
- Equivalent obligations apply
|
| Simplified due diligence (SDD) and enhanced due diligence (EDD) |
- SDD applies where ML/TF risks are low
- EDD should be applied where ML/TF risks are high, such as on a customer defined as a politically exposed person (PEP)
- Senior management approval should be obtained to establish or continue a business relationship that presents a high ML/TF risk
|
- Equivalent arrangements and obligations apply
|
| CDD – reliance on performance by intermediaries |
- CDD performance may be outsourced to certain intermediaries such as a qualified accountant or lawyer; licensed or authorized entity supervised by the HKMA, Securities and Futures Commission or the Insurance Authority; or permitted overseas intermediary
- SI remains ultimately responsible for CDD compliance
- SI must satisfy conditions and requirements applicable to outsourcing of CDD
|
- Equivalent arrangements and obligations apply
|
| CDD – customer’s wallet |
- If SI does not provide custodial services, the stablecoin holder has to use a wallet provided by a licensed or regulated custodian, or an unhosted wallet (sometimes also referred to as self-hosted wallet) to receive stablecoins from the SI or return stablecoins to the SI at redemption
- SI should manage ML/TF risks associated with wallets used by customers
- SI should follow additional HKMA guidance to manage ML/TF risks associated with the decentralised nature and lack of regulatory oversight of unhosted wallets
|
- Stablecoin wallet and related obligations are specific to the stablecoin regime
|
| Ongoing monitoring of business relationship, transactions and stablecoins in circulation |
- SI should continuously monitor its business relationship with a customer in two aspects:
  - ongoing CDD
  - transaction monitoring
- SI should examine and keep records of the background and purpose of a customer’s transactions to recognise and identify grounds for suspicion such as:
  - transactions that are complex, unusually large in amount or of an unusual pattern, or have no apparent economic or lawful purpose
  - transactions that are inconsistent with the SI’s knowledge of the customer or the customer’s business, risk profile or source of funds
  - transactions involving wallet addresses that are directly or indirectly associated with illicit or suspicious activities/sources, or designated parties
- The blockchain technology enables instantaneous and automatic recording of on-chain stablecoin transactions. SI may apply various measures to guard against the risks of stablecoins being used for illicit activities, including:
  - using technological solutions, such as blockchain analytic tools, to screen stablecoin transactions and associated wallet addresses beyond the primary distribution venue on an ongoing basis
  - blacklisting sanctioned wallet addresses or those associated with illicit activities
  - freezing stablecoins promptly upon request from regulators or law enforcement agencies, or court orders
- Effectiveness of the ML/TF risk mitigating measures for stablecoin activities is yet to be proven. The HKMA therefore expects SIs to adopt a cautious approach in assessing the adequacy of their AML/CFT Systems, in particular, concerning peer-to-peer transfers between unhosted wallets. Unless an SI can demonstrate to the HKMA’s satisfaction that these risk mitigating measures are effective, the identity of each individual stablecoin holder should be verified (i) by the SI even if the holder has no customer relationship with the SI, (ii) by an appropriately supervised financial institution or virtual asset service provider or (iii) by a reliable third party
|
- Equivalent obligations apply, although arrangements relating to stablecoins, blockchain and stablecoin wallets are specific to the stablecoin regime
|
| Stablecoin transfers |
Travel rule
- All reasonable measures should be taken to ensure proper safeguards are in place to mitigate ML/TF risks associated with stablecoin transfers, to enable the SI to effectively carry out sanctions screening and transaction monitoring procedures on all relevant parties involved in a stablecoin transfer
- A stablecoin transfer typically involves the originator, the ordering institution acting on behalf of the originator, the recipient, the beneficiary institution at which the recipient receives the stablecoin and other intermediary institutions
- Depending on its business model, an SI may act as the ordering institution, beneficiary institution or other intermediary institution in a stablecoin transfer, and the SI should follow requirements applicable to the respective roles
- Major requirements on the ordering institution include:
  - obtaining and recording the following information:
    - originator’s name
    - number of the originator’s account maintained with the ordering institution and from which the stablecoins are transferred (or a unique reference number assigned to the stablecoin transfer by the ordering institution)
    - for transfers involving an amount not less than HK$8,000, the originator’s address, customer identification number, and (for an individual originator) date and place of birth
    - the recipient’s name, number of the recipient’s account maintained with the beneficiary institution and to which the stablecoins are transferred (or a unique reference number assigned to the stablecoin transfer by the beneficiary institution)
  - submitting the information obtained to the beneficiary institution securely and immediately
- Major requirements on the beneficiary institution include:
  - obtaining and recording the required information submitted to it by the ordering institution
  - for a transfer involving an amount not less than HK$8,000, verifying the identity of the recipient if not previously verified as part of its CDD process
- Complying with additional requirements for stablecoin transfers involving unhosted wallets (other than P2P transfers between non-customer stablecoin holders):
  - before sending stablecoins to an unhosted wallet on behalf of its customer, obtain and record the following information from the customer:
    - originator’s name
    - number of the originator’s account maintained with the SI and from which stablecoins are transferred (or other unique reference number assigned to the stablecoin transfer by the SI)
    - originator’s address, customer identification number, and (for an individual originator) date and place of birth
    - recipient’s name and wallet address
  - before receiving stablecoins from an unhosted wallet on behalf of its customer, obtain and record the following information from the customer:
    - originator’s name and wallet address
    - originator’s address, customer identification number, and (for an individual originator) date and place of birth
    - recipient’s name and the number of the recipient’s account maintained with the SI and to which stablecoins are transferred (or other unique reference number assigned to the stablecoin transfer by the SI)
|
- Equivalent travel rule applies to SVFs
|
| Other ongoing obligations |
- Staff training
  - provide adequate training to staff to implement AML/CFT Systems
  - tailor scope and frequency of training according to the job functions, responsibilities and level of experience of the staff
- Suspicious transaction reporting
  - must file a suspicious transaction report (STR) with the Joint Financial Intelligence Unit (JFIU) as soon as reasonable if an SI knows or suspects that any property: (i) in whole or in part directly or indirectly represents any person’s proceeds of, (ii) was used in connection with, or (iii) is intended to be used in connection with drug trafficking or an indictable offence; or that any property is terrorist property
  - should promptly undertake further investigation and analysis on identifying any stablecoin transactions or associated wallet addresses that are directly and/or indirectly associated with illicit or suspicious activities/sources, or designated parties. Any grounds for suspecting transactions should be reported to the JFIU, taking appropriate follow-up actions as required
- Record keeping
  - SI should:
    - keep CDD information (including analysis results and ongoing monitoring records), transaction records and other records necessary and sufficient to meet statutory and regulatory requirements
    - establish and maintain records of all ML/TF reports made to its Money Laundering Reporting Officer
    - establish and maintain a record of all STRs made to the JFIU
  - Record-keeping period is typically at least five years:
    - CDD, account and business relationship records should not only be kept throughout the business relationship with the customer but also for at least five years after the end of the business relationship, or (applicable to occasional transactions) for at least five years after the transaction is completed
    - Information and records relating to a stablecoin transfer should be retained for at least five years after completion of the transfer, regardless of whether the business relationship ends during that period
  - The HKMA may, by written notice, require the SI to keep records relating to a specified transaction or customer for a longer period, where the records are relevant to an ongoing criminal or HKMA investigation, or for any other purpose specified in the notice
  - Where CDD is outsourced to an intermediary, the SI remains responsible for complying with record-keeping requirements – ensuring that the intermediary has systems in place to comply with all record-keeping requirements, and that documents and records will be provided by the intermediary as soon as reasonably practicable upon the SI’s request and upon termination of the intermediary’s service
|
- Equivalent obligations apply
|