Risk Management and Reporting Requirements – How New Regulations Affect TCSPs

October 22, 2021

Risk Management and Reporting Requirements – How New Regulations Affect TCSPs

On 1 March 2018, Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance ("AMLO") was officially expanded to include Trust Companies and Service Providers ("TCSPs"). This move created additional obligations on the part of TCSPs to manage risk. New reporting requirements in line with global standards may also affect TCSPs in terms of anonymity and privacy.

Before March 2018, there was no official licensing regime for TCSPs. With the new rules in place[1], the Company Registrar can impose financial penalties on TCSPs should they breach AML requirements or any regulation under the AML Ordinance.

Although the maximum one-time penalty cannot exceed HKD500,000, the Registrar has the right to impose a fine of up to HKD10,000 for each day the breach remains unresolved. Such penalties can also be levied directly on a firm's Directors. Details of any financial reparations will also be published, which adds reputational cost to the monetary sums already being paid. Companies must clearly understand their specific obligations.


The Obligations of TCSP Licensees

The two primary obligations of trust companies are to:

  • Ensure that they comply with all the AML and Counter-Financing of Terrorism (CFT) requirements under the AML Ordinance.
  • Take all reasonable measures to mitigate the risk of money laundering or terrorist financing.

"Reasonable measures" in this case fall under the context of a risk-based approach, meaning that trust companies must identify, assess, and understand the relevant risks, then implement adequate measures to mitigate any issues that could arise. TCSPs, therefore, have significant flexibility in deciding how to act.


The Anatomy of an AML/CFT Policy

As a general rule, a robust AML/CFT policy should cover six domains:

  • Risk assessment
  • Customer due-diligence measures
  • Ongoing customer monitoring
  • Reporting of suspicious transactions
  • Record keeping
  • Staff training

On the risk assessment front, trust companies should be aware of the two broad categories – customer and product or service risk.

The former relates the nature of the customer, such as politically exposed persons, cash-intensive businesses, and those without easily verifiable sources of wealth—the latter stems from the products or services of the TCSPs themselves. For instance, services concealing beneficial ownership details and opaque ownership structures through shell companies and nominee shareholdings.

These tie into customer due-diligence measures, ongoing customer monitoring, and reporting of suspicious transactions – areas where challenges often arise.

Companies should also be mindful of how their internal processes can hinder proper assessments of these risks, which would affect the needed follow-up actions. In that respect, instituting stringent record-keeping processes – and providing the necessary staff training – are also crucial.


An Overview of the Common Reporting Standard

The Organisation for Economic Co-operation and Development ("OECD") developed the Common Reporting Standard ("CRS") in 2014 after leaders from the G20 nations endorsed the principle[2]. The idea was to establish an international standard where jurisdictions could easily and automatically exchange financial account information.

In 2016 and 2017, Hong Kong amended its Inland Revenue Ordinance to translate the CRS into domestic law[3]. This automatic information exchange is still limited to 75 jurisdictions. The policy is that Hong Kong will only conduct an automatic exchange of information ("AEOI") with a particular jurisdiction if there is an arrangement that can provide a basis for such an exchange.

The CRS's basic requirements are for institutions to identify and annually report the details of financial accounts held by tax residents of the 75 jurisdictions to the Inland Revenue Department. The details of non-Hong Kong tax residents are broad, including entities, individuals, and "controlling persons" of certain accounts. For TCSPs, the definitions of "controlling persons" include:

  • Settlors
  • Protectors
  • Trustees
  • Beneficiaries (whether fixed interest or discretionary)
  • Other trust-related parties, such as appointors and guardians

The penalties for breaching these CRS compliance requirements can be severe, ranging from fines to imprisonment. Individual account holders can also be fined for providing misleading or incorrect information.

The purposes of these requirements – improving global tax transparency and helping avoid profit-shifting tax schemes – are noble. They are also the primary source of many challenges that trust companies face.


CRS Issues for Trust Companies

The nature of the CRS requirements themselves can lead to challenges – especially when more complex structures, such as trusts, are involved. There is a delicate balance here. If TCSPs are overly cautious and go beyond the CRS requirements, they may lose clients. On the other hand, underreporting could lead to strict penalties. Navigating this line means trust companies must engage the services of compliance professionals, if necessary – considering that compliance standards are likely to tighten.


A Look at the Future of Compliance

In July 2020, the Hong Kong Monetary Authority released a consultation paper for enhancing the regulation and supervision of the trust business[4]. Although intended to be non-legally binding, the idea was to codify certain general principles – such as fairness, compliance, and corporate governance – concerning trusts.

In September 2020, the Securities and Futures Commission released another consultation paper proposing amendments to its AML/CFT guidelines[5]. The document set out more robust risk assessment procedures, additional due diligence, and even prohibitions against shell companies in cross-border relationships.

All these moves are in line with the current global trend toward stronger and more standardised compliance measures.


Understanding and Preparing for Stricter Regulations

TCSPs in Hong Kong may have once enjoyed the benefits of a light-touch regulatory regime, but standards have shifted. The major signposts of this change were the passing of the AMLO and the amendment of the Inland Revenue Ordinance to translate the CRS into domestic law.

These stricter standards have created challenges for TCSPs – but they may only be the beginning as tighter regulations loom. To adapt to this new environment, TCSPs must fully understand their obligations and put the necessary processes in place to meet them. Given the sensitive nature of the industry, there is a delicate balance between regulatory compliance and satisfying client demands. TCSPs have a fine line to walk.


[1] https://www.tcsp.cr.gov.hk/tcspls/portal/guide/59/eng/TCSP_G1-e.pdf

[2] https://www.oecd.org/g20/topics/international-taxation/automatic-exchange-of-financial-account-information.htm

[3] https://www.ird.gov.hk/eng/tax/dta_aeoi.htm

[4] https://www.hkma.gov.hk/media/eng/regulatory-resources/consultations/Consultation_paper_on_enhancing_the_regulation_and_supervision_of_trust_business.pdf

[5] https://apps.sfc.hk/edistributionWeb/api/consultation/openFile?lang=EN&refNo=20CP4

Topics: Regulatory Updates & News, Hong Kong SAR, TCSPs, Risk Management, Trust Companies and Service Providers

Download a complementary edition of our Tricor Perspectives Series

Tricor Group
About the Author

Tricor Group

More Articles