Closer to International Practice – China’s New AML Rules
April, 2021 - Yin Ge, Tiecheng YANG, Ting Zheng, Virginia QIAO
On 16 April 2021, the People’s Bank of China (“PBoC”) issued the Measures for Supervision and Administration of Anti-Money Laundering and Counter-Terrorist Financing in Financial Institutions (《金融机构反洗钱和反恐怖融资监督管理办法》) (the “2021 AML Measures”), following PBoC’s issuance of a consultation draft of the same on 30 December 2020 (the “Consultation Draft”). The 2021 AML Measures will take effect on 1 August 2021 and supersede the 2014 Measures for Supervision and Administration of Anti-Money Laundering in Financial Institutions (for Trial Implementation) (《金融机构反洗钱监督管理办法(试行)》) (the “2014 AML Measures”). Under the general background of improving the anti-money laundering (“AML”) and counter-terrorist financing (“CTF”) capabilities of PRC financial institutions and fulfilling the follow-up remediation Financial Action Task Force on Money Laundering (FATF) has required in an international AML assessment, the 2021 AML Measures represent a solid step to unify and refine China’s supervisory mechanism for AML and CTF and to bring China’s AML regulatory regime more in alignment with international practices.
In this legal commentary, we analyze the key points of the 2021 AML Measures and the regulatory implications for PRC financial institutions, with a focus on how the new requirements under the 2021 AML Measures overlay the 2014 AML Measures.
Expanded applicable scope under the 2021 AML Measures
Compared with the 2014 AML Measures, the 2021 AML Measures expand the scope of institutions subject to AML obligations, which include small-sum online lending companies, consumer finance companies, non-bank payment institutions, and others. PBoC has further specified application of the 2021 AML Measures to various types of financial institution subsidiaries in its official response (the “PBoC Reply”) to public comments collected during the public comment period for the Consultation Draft:
- Wealth management subsidiaries (“WMS”) of commercial banks: the 2021 AML Measures apply;
- Subsidiaries of securities firms: the 2021 AML Measures apply to subsidiaries of securities firms, as both are licensed by the China Securities Regulatory Commission;
- Subsidiaries of futures companies: the 2021 AML Measures will not apply to futures company subsidiaries, because their main business is not specifically considered financial in nature; and
- Subsidiaries of fund management companies (“FMCs”): presently, FMCs will be required to undertake the AML obligations for the subsidiaries they have established. PBoC will study further whether such subsidiaries will be separately required to undertake AML obligations.
Notably, the 2021 AML Measures do not cover private fund managers. According to the PBoC Reply, private fund managers are not covered because: (1) the current definition and scope of “private fund manager” remains vague and may need further clarification from regulators; and (2) in light of their large numbers, complex classification and limited workforce, it would be difficult from a practical perspective to unify regulatory requirements and substantially carry out AML work for private fund managers. PBoC intends to further study the potential money-laundering risks of private fund products in conjunction with the relevant competent authorities.
The following table summarizes the applicability of the 2014 AML Measures and the 2021 AML Measures by types of financial institutions:
Type of Financial Institution |
2014 AML Measures |
2021 AML Measures |
1. policy-based banks, commercial banks, rural cooperative banks, rural credit cooperatives and township banks |
√ |
√ |
2. securities firms, futures companies and fund management companies |
√ |
√ |
3. insurance companies and insurance asset management companies |
√ |
√ |
4. financial asset management companies, trust companies, finance companies of enterprise groups, financial leasing companies, auto finance companies and currency brokerage firms |
√ |
√ |
5. WMS |
× |
√ |
6. subsidiaries of securities firms |
√ |
√ |
7. subsidiaries of futures companies |
× |
× |
8. subsidiaries of FMCs |
× |
To be further specified |
9. non-bank payment institutions, bank card clearing institutions, fund clearing centers |
× |
√ |
10. small-sum online lending companies, consumer finance companies, lending companies |
× |
√ |
11. institutions engaged in fund sales business, exchange business, professional insurance agents and insurance brokerages |
× |
√ |
12. private fund managers, including institutions such as PFM WFOE, QDLP, QDIE and QFLP |
× |
× |
Enhanced roles and responsibilities under the 2021 AML Measures
Compared with the 2014 AML Measures, the 2021 AML Measures further specify and enhance for financial institutions aspects of existing internal AML control and risk management requirements. To do so, the 2021 AML Measures unify certain existing industry-specific AML rules, including (1) the Measures for Administration of Anti-Money Laundering and Counter-Terrorist Financing for Financial Institutions in the Banking Industry (《银行业金融机构反洗钱和反恐怖融资管理办法》); (2) the Measures for Administration of Anti-Money Laundering and Counter-Terrorist Financing by Internet Finance Service Agencies (for Trial Implementation) (《互联网金融从业机构反洗钱和反恐怖融资管理办法(试行)》); (3) the Measures for Administration of Anti-money Laundering and Counter-Terrorist Financing of Payment Institutions(《支付机构反洗钱和反恐怖融资管理办法》); and (4) the Notice on Strengthening the Supervision of Anti-Money Laundering Concerning Designated Non-Financial Institutions (《关于加强特定非金融机构反洗钱监管工作的通知》) (collectively, the “Industry AML Rules”). In our reading, the 2021 AML Measures also improve certain existing requirements under the Guidelines for the Management of Money Laundering and Terrorist Financing Risks by Corporate Financial Institutions (for Trial Implementation) (《法人金融机构洗钱和恐怖融资风险管理指引(试行)》) (the “Risk Management Guidelines”) and the Guidelines on Self-Assessment of Money Laundering and Terrorist Financing Risk for Legal-Person Financial Institution (《法人金融机构洗钱和恐怖融资风险自评估指引》) (the “Self-Assessment Guidelines”).
- Self-assessment for money laundering and terrorist financing risks
The 2021 AML Measures require financial institutions to conduct self-assessments of money laundering and terrorist financing risks and, based on their operations and risk profile, to establish comprehensive internal control systems as well as to formulate corresponding risk management policies.
According to the 2021 AML Measures, financial institutions are required to (1) establish a self-assessment system for money laundering and terrorist financing risks at the headquarters level; (2) assess money laundering and terrorist financing risks on a regular or irregular basis; and (3) report the self-assessment results to PBoC within 10 working days from the date of sign-off by the board of directors or senior management.
Notably, the Self-Assessment Guidelines provide implementation requirements for money laundering risk self-assessments by specifying certain general principles, key factors, and core methods. The Self-Assessment Guidelines are compulsory for corporate financial institutions and non-bank payment institutions in China, while other types of institutions (e.g., bank card clearing institutions, fund clearing centers, etc.) may conduct self-assessments by reference to the Self-Assessment Guidelines.
- Setting up internal AML systems
The 2021 AML Measures unify various requirements as set out in the Industry AML Rules by defining financial institution AML mechanisms, human resources support, AML information systems and technical support, amongst other requirements.
Beyond the 2014 AML Measures and the Industry AML Rules, the 2021 AML Measures specifically stipulate (1) performance assessment systems; and (2) reward and punishment mechanisms shall be established and linked with AML/CTF responsibilities of the board of directors, board of supervisors, senior management and other relevant AML/CTF functions. We understand these provisions to provide overarching principles for the existing implementation requirements under the Risk Management Guidelines.
- Establishment of internal audit mechanisms
The 2021 AML Measures further enhance internal AML audit requirements for financial institutions compared to the 2014 AML Measures. Financial institutions are required to establish internal audit mechanisms for AML/CTF and perform internal/external audits to review the internal control effectiveness of their AML/CTF systems. The audits are required to ensure comprehensive coverage of both onshore and offshore branches/holding subsidiaries. In addition, the audit report is to be submitted to the board of directors or its authorized special committee.
The above requirements are new compared to the 2014 AML Measures, but they are not without precedent. Similar requirements are stipulated in the Risk Management Guidelines, according to which corporate financial institutions are required to conduct internal audits to investigate and assess the compliance and effectiveness of AML management systems.
- Supervision of offshore branches and holding subsidiaries
Compared to the 2014 AML Measures, the 2021 AML Measures increase management requirements for financial institutions’ offshore branches and holding subsidiaries to prevent foreign AML regulatory risks. Financial institutions must require their offshore branches and holding subsidiaries to implement the 2021 AML Measures to the extent permitted by the laws of the country (region) in which they are located; if the country (region) in which they reside has more stringent requirements, they will be required to comply with relevant provisions of the country (region). If the requirements of the 2021 AML Measures are more stringent than the relevant provisions in the country (region) where they are located, but the laws of the country (region) prohibit or restrict implementation of the 2021 AML Measures, the financial institution must take appropriate additional measures to address the AML/CTF risk and report to PBoC. These requirements mirror existing requirements under the Risk Management Guidelines.
Moreover, the 2021 AML Measures require financial institutions’ headquarters to submit to PBoC annual reports that describe the AML/CTF regulations and supervision to which the institution’s offshore branches and holding subsidiaries are subject in the country (region) where they are located.
Cross-border sharing of AML data
Although the 2021 AML Measures fill in gaps for AML management for certain types of institutions, financial regulators have further room for rulemaking. For instance, Article 5 of the 2021 AML Measures requires the confidentiality of client identity data and transaction information (the “AML Data”) that is lawfully obtained during the performance of AML/CTF duties or obligations and prohibits its provision to third parties (unless stipulated by laws). This obligation mirrors confidentiality requirements under Article 5 of the Anti-Money Laundering Law of the People’s Republic of China (《中华人民共和国反洗钱法》).
Based on the confidentiality requirements, the Risk Management Guidelines specifically provide further guidance in relation to cross-border sharing of AML Data as follows:
- Corporate financial institutions must strictly limit the scope of AML Data to be shared during the course of cross-border business and cross-border regulatory supervision, and establish appropriate internal systems for cross-border data transmission, risk control, and authorization procedures;
- Where an offshore regulator requires a corporate financial institution to provide AML Data for AML/CTF purposes, the corporate financial institution shall inform the offshore regulator to submit a request through diplomatic, judicial assistance, or financial regulator cooperation channels;
- No information may be shared with third parties regarding domestic judicial freezes, judicial inquiries, suspicious transaction reports, or AML investigations by administrative agencies; and
- A corporate financial institution can provide AML Data to offshore clearing agencies only upon obtaining client consent, unless it is for AML purposes and involves the remittance and registration information of institutional clients.
These provisions may raise concerns among multi-national financial group operations in China because of their implications vis-à-vis data localization and cross-border transfers from China to offshore affiliates for storage/processing of know-your-customer data (which may fall within the scope of AML Data).
On 13 February 2020, PBoC and the China Financial Standards Technical Committee issued the Personal Financial Information Protection Technical Specification (JR/T 0171-2020) (《个人金融信息保护技术规范 (JR/T 0171-2020)》) (the “PFI Specification”). The PFI Specification provides that a financial institution may share personal financial information (“PFI”) with an offshore institution (including its headquarters, parent company or any of its branches, subsidiaries and other affiliates necessary for the completion of such business), provided that the following conditions are met:
- Due to business needs, it is truly necessary to provide the information to an offshore institution;
- The explicit consent of the PFI subject has been obtained;
- A security assessment of the cross-border transfer of PFI has been undertaken to ensure that the data security protection capabilities of the offshore institution meet relevant security requirements;
- The financial institution ensures that the offshore institution effectively performs its duties and obligations by signing an agreement with the offshore institution, conducts on-site inspections, etc.; and
- Adherence to national laws and regulations and relevant rules, measures and standards of industry regulatory authorities.
In the PFI Specification, the scope of “PFI” broadly covers personal information acquired, processed, and maintained by financial institutions through the provision of financial products and services, including account information, identity information, financial transaction information, personal identity information, property information, borrowing and lending information, and other information reflecting certain circumstances of a specific individual.
The scope of AML Data under the 2021 AML Measures overlaps to some extent with the scope of PFI as defined in the PFI Specification. However, PBoC has not clearly differentiated between AML Data and PFI, nor has it provided detailed guidance on the convergence between the 2021 AML Measures and the PFI Specification (and other applicable data protection rules), which may lead to uncertainties in the concurrent application between the two sets of regulatory rules. This could present financial institutions with certain challenges for data compliance under the AML regulatory regime and PFI protection regime. In terms of legal effect, it should be noted that the PFI Specification is a recommended standard for the financial industry, which is to provide practical guidance to financial institutions in the field of PFI protection. In practice, we do not rule out the possibility that the financial regulators may consider the PFI Specification an important reference when conducting relevant supervisory inspections or law enforcement actions. Therefore, the PFI Specification may serve as operating guidelines for financial institutions. We recommend that the cross-border sharing of AML Data should be carefully considered and addressed by financial institutions. As a prudent approach, and where applicable, financial institutions will need to comply in parallel with the AML Data and the PFI requirements when sharing AML Data cross-border.
Outlook
With the continuous development of the AML regulatory framework in China, we anticipate that further rules and/or detailed guidance will be formulated to fill in certain gaps as discussed in this legal commentary, e.g., the applicability of the 2021 AML Measures by subsidiaries of FMCs and private fund managers, the cross-border sharing of personal data under the AML regulatory regime, and personal financial information protection regime.
We will also continue to monitor relevant regulatory updates and share our views with readers in a timely manner.
Important Announcement |
This Legal Commentary has been prepared for clients and professional associates of Han Kun Law Offices. Whilst every effort has been made to ensure accuracy, no responsibility can be accepted for errors and omissions, however caused. The information contained in this publication should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If you have any questions regarding this publication, please contact: |
TieCheng YANG Tel: +86 10 8516 4286 Email: [email protected] Yin GE Tel: +86 21 6080 0966 Email: [email protected] Ting ZHENG Tel: +86 21 6080 0203 Email: [email protected] |