15th April 2021
AML Regulations for Virtual Assets Service Providers (VASP) in Hong Kong 2021
Hong Kong’s existing AML regime is primarily set out in two main articles of legislation, the Anti-Money Laundering and Counter Terrorist Financing Ordinance (AMLO) and the Banking Ordinance, which require firms to put risk-based AML measures in place and to observe certain record-keeping and reporting obligations. In practice, this means implementing suitable due diligence measures for customers based on the level of risk they present and monitoring their transactions throughout the business relationship based on their risk profiles.
Hong Kong’s AML regulations also extend to virtual asset and cryptocurrency providers. In 2019, the Securities and Futures Commission (SFC) introduced the 2019 Regulatory Framework which outlined the risks associated with virtual assets and introduced a licensing process for VASPs that met robust regulatory criteria. The Framework operates on a voluntary, opt-in basis and is limited in scope since it applies only to products regulated under Hong Kong’s Securities and Futures Ordinance, which focuses on ‘traditional’ assets such as stocks, bonds, futures contracts, and funds (and services related to these products). The Framework does not cover platforms that trade only in non-security virtual assets, which means popular cryptocurrencies such as Bitcoin fall outside its regulatory scope.
To address the limitations of the 2019 Regulatory Framework, FSTB recently proposed a new licensing regime that will apply to all VASPs including virtual asset exchanges.
In November 2020, the FSTB began a consultation period on a proposed new regulatory framework for VASPs. The consultation period ran until 31st January 2021 and a bill is expected to be introduced at some point in 2021 via an update to AMLO. The proposed regime will introduce a requirement for all VASPs in Hong Kong to obtain an SFC license, and will cover any firms that buys, sells, or exchanges virtual assets or that controls virtual assets as part of its business.
Key highlights of the proposed VASP regulatory framework include:
- Comprehensive regulatory powers for the SFC including the power to assess, monitor and investigate cryptocurrency exchanges and VASPs.
- Cryptocurrency exchanges licensed under the regime will have to adhere to the same regulatory and supervisory standards as traditional financial service providers.
- The new regulations will apply only to centralized cryptocurrency exchanges (those operating under a central authority). Decentralized cryptocurrency exchanges will continue to be regulated under the opt-in regime.
- Licensed cryptocurrency exchanges will only be able to serve professional investors. Retail investors may have to use decentralized exchanges in order to continue performing cryptocurrency transactions.
Under the proposed regime, in order to obtain a VASP license from the SFC, cryptocurrency firms must:
- Be locally incorporated within Hong Kong.
- Appoint 2 officers who will be personally responsible for overseeing compliance.
- Pass a ‘fit and proper’ test that involves criminal background checks, AML/CFT performance history, and financial standing.
Similarly, licensed VASPs must meet a range of conditions that are applicable in addition to existing anti-money laundering regulations:
- Professional investors: The restriction of licensed VASP services to professional investors means individuals with portfolios of HK$8 million or more, corporations with portfolios of HK$40 million or more, or licensed institutions such as banks and broker-dealers.
- Financial and business soundness: Licensed VASPs must demonstrate they have adequate financial resources (a minimum amount has not yet been specified) and can operate their business in a prudent and sound manner.
- Risk assessment: VASPs must conduct appropriate assessments of the AML/CFT risk that their customers present.
- Record-keeping and reporting: VASPs must comply with relevant record-keeping and reporting, audit, and disclosure requirements.
The proposed VASP licensing regime in Hong Kong will be implemented in addition to AMLO, which requires firms to put a range of risk-based AML/CFT controls in place, including:
- Customer due diligence: VASPs should establish and verify the identities of their customers prior to commencing business relationships. The CDD process should involve names, addresses, dates of birth although, in a cryptocurrency context, digital identifiers such as scans of official documents and biometric information may also be necessary.
- Transaction monitoring: VASPs should monitor the transactional behavior of their customers in order to spot activity that does not match their established risk profile and that could indicate criminal activity.
- Screening and monitoring: VASPs should screen their customers against international sanctions and watchlists, for politically exposed person (PEP) status, and for their involvement in adverse media stories.
Smart technology tools: Given the vast amount of digital transaction data involved in digital regulatory compliance, VASPs should seek to implement a suitable technological solution to meet their AML/CFT obligations.
Smart technology solutions, including artificial intelligence and machine learning systems bring automated speed, efficiency and accuracy to compliance processes, and reduce the prospect of costly human error. As an added benefit, smart technology also allows firms to adapt to a changing regulatory landscape such as the proposed VASP regime to be introduced in Hong Kong in 2021, and to emergent criminal methodologies.