RBWM CDD Process LoBP Refresh October 2016 Final 2 31102016

Global Customer Due Diligence (CDD) 

Global RBWM Process Line of Business Procedures 

(LoBPs) 

October 2016 

INTERNAL

Revision History 

Date Version Status Prepared by Comments 

8 th June 2015 1.0 Draft James Thompson First re-fresh produced following 

review of snagging list items 

15 th June 1.1 Draft James Thompson Reviewed with GAMLO, RBWM FCC 

and RBWM Business. Amendments 

tracked in document and issued for 

review 

19 th June 1.2 Draft James Thompson Updated following review meeting 

30 th July 1.3 Draft Alan Clare Updated with final amendments 

following approval of changes by 

Lynda Cassell 

7 October 2015 1.4 Publication James Thompson Separated Governance LoBP from 

this document; updated reference 

numbers and minor formatting 

corrections completed 

24 March 2016 1.5 Draft Jane Fletcher Updates to LoBP post RBWM 

FCC/AML and GAMLO review 

08 April 2016 1.5 Draft Jane Fletcher Updates from GAMLO 

13 July 2016 1.6 Final Draft Jane Fletcher Sign-off from GAMLO 

14 July 2016 1.7 Publication James Thompson July 2016 - Final 

28 Sept 2016 1.8 Draft Jane Fletcher Policy refresh update 

31 Oct 2016 1.9 Publication James Thompson October 2016 - Final 

Sign Off 

Role Name Sign-off Date 

Global Head of FCC & MLRO Robert Werner 25/10/16 

SVP Global Head of AML Policy Lynda Cassell 10/8 & 

5/10 (QC&QA) 

Global Head of AML, FC Compliance Barbara Patow 12/8 & 

5/10 (QC&QA) 

RBWM Policy Approval Committee Committee Members 12/8 & 

2/9 (QC&QA) 

INTERNAL 

Page | 2

INTERNAL 

Page | 3

1. Introduction 

Key Objective 

How will the Objective 

be achieved? 

Scope of Chapter 

HSBC is committed to implementing Customer Due Diligence (CDD) policies and 

procedures to safeguard against Financial Crime risks, including the risks of money 

laundering, fraud, terrorist financing, tax evasion, sanctions, and bribery and corruption. 

HSBC’s legal and regulatory requirements have been set by regulators in the countries in 

which HSBC offers products and services. 

This document and subsequent chapters represent the CDD Process Procedural 

Standards. It expands on the content of existing HSBC policies and principles and the AML 

Written Programme in order to establish a globally consistent set of CDD procedures to be 

implemented across HSBC. 

1.1 Introduction 

1.2 Objectives of this document 

1.3 Navigation by Key Areas 

1.4 Key Related Documents 

1.5 Related Processes 

Related Chapters 

Please see Section 1.4 and 1.5 of this Chapter 

Other Related 

Documents and 

Processes 

Please see Section 1.4 and 1.5 of this Chapter 

Page | 4 

INTERNAL

1.1. Introduction 

1.1.1. HSBC must define and implement Global CDD procedures as part of the overall HSBC Financial Crime Risk 

Control Framework, to deter, mitigate and safeguard against Financial Crime risks, including money 

laundering, fraud, terrorist financing, tax evasion, sanctions, and bribery and corruption. 

1.1.2. This document and subsequent chapters, collectively called the Global RBWM CDD Procedural Standards, 

provide detailed procedures to be followed in order to address the above risks and comply with regulatory 

requirements and guidance. These documents have been developed as Line of Business Procedures from 

the Global CDD Procedural Standards. The Global CDD Procedural Standards must be adopted as a 

minimum standard. The RBWM Procedures may exceed the Global CDD Procedural Standards. 

1.1.3. This document will provide information to the following parties: 

a) Lines of Business – Global Business and their Product providers 

b) Operational Functions – including CDD Operating Units (or equivalent) 

c) Global Functions – including Financial Crime Compliance (FCC), Tax, Legal and Global Risk 

1.1.4. The CDD Procedural Standards expand upon Section 3 of the Anti-Money Laundering Written Programme 

Policy Part I, (AML Programme) and set out the minimum Global CDD Procedural Standards covering CDD 

Process and Customer Type Procedures to be applied. 

1.2. Objectives of this document 

1.2.1. Implementation and compliance with these procedures will: 

a) Enable RBWM and its employees to comply with money laundering and counter terrorist financing 

laws and regulations, as well as regulatory guidance 

b) Enable RBWM to deter Customers from using its facilities to launder the proceeds of illegal or illicit 

activities, fund terrorist activities or violate lawful sanctions 

c) Facilitate cooperation with law enforcement authorities to the fullest extent permitted by law and 

regulation 

d) Enable employees to detect and report suspicious activity, relationships and transactions 

e) Promote good corporate governance and risk management throughout RBWM and properly 

manage and mitigate money laundering and sanctions related risks 

INTERNAL 

Page | 5

1.3. Navigation by Key Area 

1.3.1. This document is divided into the Global RBWM CDD Process Procedural Standards (see Appendix 1) and 

the Customer Type CDD Procedural Standards (see Appendix 2): 

Chapter Key Area Description 

1 Introduction This section sets out the objectives and provides 

guidance on the use of the Global CDD Procedural 

Standards. It positions the document in relation to the 

wider context of the AML Programme. 

Process CDD Process Procedural Standards See Appendix 1 

Chapters 

Customer Due Diligence (CDD) Process 

2-11 

Screening 

Periodic and Event Driven Reviews 

Escalation Process 

Approvals 

CDD Risk Acceptance 

Quality Control and Quality Assurance 

Customer Data Management, Verification 

Requirements and Key Risk Indicators & 

Management Information 

Restricted and Prohibited Customers, 

Special Categories of Customers 

(SCCs) and Prohibited 

ProductsGovernance 

Customer 

Chapters 

1 - 9 

Customer Type CDD Procedural 

Standards 

1.4. Key Related Documents 

See Appendix 2 

Individuals 

Trusts 

Sole Traders 

Clubs and Societies 

Private Investment Vehicles (PICs & PIFs) 

Reliance 

Insurance 

1.4.1. During the course of the CDD Process, other key documents are to be used alongside the Global RBWM 

CDD Procedural Standards Manual. Readers should in particular familiarise themselves with: 

a) AML Programme – A high level and principles based policy document which outlines key 

considerations in order to meet applicable requirements and guidelines, mitigate potential 

compliance, regulatory, and reputational risks associated with violations of Anti-Money Laundering, 

Counter Terrorist Financing and Proliferation Financing 

b) Financial Crime Compliance Risk Assessment Model (FCC-RAM) – The FCC-RAM is the 

methodology that is used to risk assess Customers and determine the Customer’s Financial Crime 

Risk Rating (FCRR). The Customer’s FCRR plays a key role in determining the CDD requirements 

for on boarding new Customers and monitoring on-going relationships. 

c) Client Selection and Exit Management (CSEM) including Business Acceptance – The CSEM 

Policy must be followed in all cases of Client Selection and Exit Management. 

d) Sanctions Policy – The Sanctions Policy outlines key considerations to mitigate risks associated 

with violations of sanctions laws and regulations and the risk of conducting business with 

sanctioned parties. 

INTERNAL 

Page | 6

1.4.2. For further information, queries or guidance on the content or use of this or other key documents, readers 

should consult FCC. 

1.5. Related Processes 

1.5.1. The CDD Process forms part of a holistic Financial Crime Risk Management Framework which should be 

read in conjunction with other related Financial Crime Procedural Standards which include but are not 

limited to: 

a) Client Selection and Exit Management (CSEM) including Business Acceptance 

a) Transaction Monitoring 

b) Unusual Activity Reporting and Suspicious Activity Reporting 

c) Payment/Message Screening 

d) Name screening processes 

e) Counterparty Fraud, including Fraud Certification 

f) Anti-Bribery and Corruption (ABC) policies and procedures 

INTERNAL 

Page | 7

Appendix 1: Description of the CDD Process Chapters 

Chapter Key Area Description 

2 Customer Due Diligence (CDD) 

Process 

This section includes the CDD processes which support and 

facilitate the completion of CDD Procedures. This includes a 

description of the CDD process, roles and responsibilities, CDD 

requirements and determination of the Financial Crime Risk Rating 

(FCRR). 

3 Screening This section includes the types of Screening required, the method of 

Screening and the process to be followed as a result of a Screening 

hit. 

4 Periodic and Event Driven 

Reviews 

This section outlines the definition, frequency and requirements of 

Periodic and Event Driven Reviews. 

5 Escalation Process This section includes the processes for Escalation where information 

may indicate heightened Financial Crime Risk. This may be 

identified at onboarding or at any point throughout the Customer 

relationship. This section outlines the Escalation Process from 

initiation to completion. 

6 Approvals This section includes the risk based Approval matrices for sign off of 

the CDD Profile at onboarding and at Periodic or Event Driven 

Review. 

7 CDD Risk Acceptance This section includes the CDD Risk Acceptance process that must 

be adhered to for temporary and permanent CDD Risk Acceptance. 

8 Quality Control and Quality 

Assurance 

This section includes the Quality Control (“QC”) and Quality 

Assurance (“QA”) procedures that provide an evaluation of the 

quality of information and documentation retained in the CDD Profile 

against the established CDD standards. 

9 Customer Data Management, 

Verification Requirements and 

Key Risk Indicators & 

Management Information 

10 Restricted and 

Prohibited Customers, 

Special Categories of 

Customers (SCCs) and 

Prohibited Products 

This section includes the procedures related to Customer Data 

Management, including the verification of documents, key risk 

indicators and management information. 

This section includes the definition and procedures for SCCs and 

Prohibited Customers. 

This chapter should be read in conjunction with the appropriate 

Customer Type Procedural Standard. 

11 Governance This section includes the hierarchy of the documents that support 

the implementation of the CDD Procedural Standards and the 

related responsibilities for their approval and maintenance. 

Page | 8 

INTERNAL

Appendix 2: Customer Family/Customer Types 

Definitions of the Customer families and Customer Types are provided in the table below: 

Customer 

Family 

Customer Type 

Definition 

Retail Individual 

A natural person managed in Retail Banking and Wealth 

Management (RBWM) and not a HNWI (refer to HNWI definition 

below). 

Individuals 

High Net Worth Individual 

(“HNWI”) 

A natural person who is managed outside of GPB and is either: 

 

 

Premier Top Tier Customer, or has equivalent Total 

Relationship Balance (TRB) in that market; or 

Where Premier Top Tier is not available, Total 

Relationship Balance (TRB) with HSBC equal to or greater 

than USD 1 million. 

Note: TRB is defined as the sum of total assets held with HSBC, 

excluding loans, mortgages and other borrowings with HSBC. 

Trusts 

Private Holding Trust 

A Private Holding Trust is typically established for the purpose of 

wealth management so that assets of an Individual may be 

smoothly transferred from one generation to the next. 

Alternatively, this type of Trust may be established for asset 

protection purposes. For this type of a Trust, a Settlor may be an 

Individual, a Private Investment Vehicle (PIV) or a Private 

Investment Company (PIC). 

Sole Traders 

A Sole Trader, also known as a sole proprietorship or a 

proprietorship, is a type of business entity that is always owned 

and generally run by one individual and in which there is no legal 

distinction between the owner and the business (i.e. it is not 

incorporated). 

Non- 

Financial 

Institution 

and 

Commercial 

Enterprises 

RBB Corporates and 

Partnerships 

The owner receives all profits and has unlimited responsibility for 

all losses and debts. All assets of the business are owned by the 

Sole Trader. A Sole Trader may use a “Trading As” name or 

business name other than his or her legal name. 

Corporates are incorporated entities established for commercial 

trading operating activity with the objective of generating profits. 

They commonly have limited liability, and can be owned by 

shareholders who can transfer their shares to others, and can be 

controlled by a board of directors who are normally elected or 

appointed by the shareholders. 

NPOs 

Clubs and Societies 

A Partnership / unincorporated business, although principally 

operated by individuals, or a group of individuals, are different 

from private individuals in that there is an underlying business. 

An association of members sharing a common interest by a 

structure (formal or informal) through which they can pursue that 

interest. Depending on the size, purpose, and jurisdiction, may be 

incorporated or unincorporated 

For the purposes of this document, clubs and societies (whether 

incorporated or unincorporated) will be treated as a Partnership 

unless otherwise specified (refer to Corporates and Partnerships 

section for additional detail). E.g. Chess club 

INTERNAL 

Page | 9

Private 

Investment 

Structures 

Private Investment Vehicles: 

Private Investment Company’s 

and Private Investment Funds 

Private Investment Company 

An incorporated entity (wherever constituted) ultimately 

beneficially owned by an individual or a small number of 

individuals, who are all connected to each other by family 

relationship or other, similar close association, the sole purpose of 

which is holding and investing the ultimate beneficial owner’s(s’) 

personal wealth. Assets held may include, but are not limited to, 

real property, shares, bonds or any negotiable instrument. 

Private Investment Funds 

A Fund which satisfies one of the following criteria: 

Is limited to 10 or fewer investors (whether individuals or 

entities); or 

 

Is only open to investors (individuals) who are all connected 

to each other by family relationship or other, similar close 

association, or to investors (entities) which are connected by 

legal structure, for example entities in the same controlled 

group. 

INTERNAL 

Page | 10

2. Customer Due Diligence (CDD) Process 

Key Objective 


be achieved? 


Related Chapter 

Other Related 

Documents and 


To safeguard against Financial Crime risks including; money laundering, fraud, terrorist 

financing, bribery and corruption, tax evasion and sanctions, as well as to comply with 

legal and regulatory requirements. 

The CDD Process outlines the specific roles, responsibilities and procedures to identify, 

verify and validate Customers in order to assess and manage the financial crime risk 

associated with specific Customer Types with a Risk Based Approach. 


2.2 Roles and Responsibilities 

2.3 Customer Type Determination and Pre-CDD 

2.4 Financial Crime Risk Rating 

2.5 CDD at On-boarding 

2.6 Final FCRR 

2.7 On-going CDD 

Periodic and Event-Driven Reviews 

Financial Crime Compliance Risk Assessment Model 

Three Lines of Defence Model (GCL 150011) 

Page | 11 

INTERNAL


2.1.1. Customer Due Diligence (CDD) is the process of obtaining and maintaining a profile of information and 

documentation about the Customer related to their existence, business or occupation, expected activity and 

purpose of the account. This process enables the assessment of the Financial Crime risk in accordance 

with the Financial Crime Compliance Risk Assessment Model and the subsequent management of those 

risks. 

2.1.2. One of the outcomes of the CDD process is the determination of the Customer’s final Financial Crime Risk 

Rating (FCRR). The final FCRR (i.e. this may differ from the initial FCRR as the FCRR may be manually 

increased through the completion of the CDD onboarding template) will determine the level of due diligence 

required, levels of approval required and on-going monitoring including frequency of the periodic review 

cycle. 

2.1.3. This Section provides an overview of each part of the Customer Due Diligence (CDD) Process including 

roles and responsibilities, Pre-CDD, initial FCRR, CDD at onboarding, final FCRR and on-going CDD. 

2.2 Roles & Responsibilities 

2.2.1 The Group has adopted a risk management and internal control structure, referred to as Three Lines of 

Defence 1 . This structure is in place to ensure that HSBC meets its regulatory and legal requirements while 

achieving its commercial aims and meeting its responsibilities to shareholders, Customers and staff. 

2.2.2 First Line of Defence: Comprising the majority of employees, identifies the risks and ensures that the right 

controls are in place to prevent, manage, and reduce the risks. 

2.2.3 Second Line of Defence: a much smaller group of employees, sets policy and guidelines for managing 

operational risks, and provides advice and guidance to support these policies. It also challenges the First 

Line of Defence to ensure that its risk management activities are working effectively. The Second Line of 

Defence is independent of the day to day commercial risk-taking activities undertaken by the First Line of 

Defence. 

2.2.4 Third Line of Defence: Global Internal Audit forms the Third Line of Defence. Global Internal Audit 

independently assures that the Group is managing operational risk effectively. The table below outlines the 

roles relevant to the CDD process within each Line of Defence. Regional and Country terms will be defined 

within the Regional and Country Procedures. 

1 

Please see GCL 150011 - Refreshed Three Lines of Defence Roles & Responsibilities, for additional information. 

INTERNAL 

Page | 12

2.2.5 Under the Three Lines of Defence for RBWM, there are key roles and responsibilities for the Business, 

CDD Operating Unit (where applicable), and FCC, specific to the CDD Process. Specific roles and 

responsibilities will be defined throughout the RBWM procedures where appropriate to do so at a global 

level. 

2.2.6 These Procedures outline the CDD Process to be undertaken at: 

(i) 

(ii) 

On-boarding of the Customer, and 

As part of the on-going Customer management 

2.3 Customer Type Determination and Pre-CDD 2 

2.3.1 Definitions 

For the purpose of the Global CDD Procedural Standards the terms Customer and Connected Parties are 

defined as noted below: 

a) Customer: The term “Customer” can be used instead of “Client”. In general, the Customer is the 

party, or parties, with whom a business relationship is established by providing a product or service, 

or for whom a transaction is carried out. A relationship need not involve an actual physical 

transaction or the provision of a banking product, giving advice can constitute establishing a 

business relationship. 

b) Connected Parties: A Connected Party is a term used to describe a party (can be a natural person 

or legal entity) who has the power to direct or influence the activities of the Customer through the 

management or ownership structure and/or is a Beneficial Owner of the Customer. Connected 

Parties may include Beneficial Owners, Key Controllers, Trustees, Settlors/Grantors/Founders, 

Protectors, or other defined beneficiaries of a legal arrangement. 

2.3.2 Customer Type Determination and Pre-CDD 

Within RBWM, the majority of customers will be Individuals. Different types of Customers pose different 

Financial Crime risks and as a result, different data points and procedures are required for each Customer 

Type in order to assess the Financial Crime Risk of the Customer appropriately. The data points and 

specific procedures for each Customer Type are outlined in the specific Customer Type CDD Procedures 

and Templates. 

2.3.3 In order to determine which Customer Type CDD Procedures must be followed, the Customer Type must 

be identified first by collecting sufficient information from and/or about the Customer to be able to identify 

which Customer Type they fall under. In RBWM the most frequent Customer Type will be Individual. Other 

Customer Types include Trusts, Private Investment Vehicles (PICs and PIFs), and Sole Traders. 

2.3.4 Once the Customer Type is determined, the specific Customer Type CDD requirements must be followed to 

collect the information and documentation required throughout the CDD processes. 

2.3.5 RBWM has published CDD Procedures for the types of customers that accounts are most frequently 

opened for. Where RBWM has not produced a CDD Line of Business Procedure for a specific customer 

type (e.g. a bank, religious organisation, foundations etc), the entity/organisation should either be referred 

to another Line of Business or Country FCC. 

2.4 Financial Crime Risk Rating (FCRR) 

2.4.1 The Financial Crime Compliance Risk Assessment Model (FCC-RAM) has been developed to assess the 

Financial Crime risk associated with specific Customer Types. The FCC-RAM risk assesses Customers as 

High, Medium, or Low or classifies customers as Special Categories of Customers (SCC). Please see the 

Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products- 

Chapter 10 for additional information on SCCs. 

2 

Pre-CDD is referred to as the stage preceding the formal commencement of CDD. Its components, approach and timing may vary by LoB, 

Customer Type and applicable operating model. Pre-CDD, typically, does not apply to Individual Customers. 

INTERNAL 

Page | 13

2.4.2 The FCC-RAM uses information obtained during Pre-CDD to determine the Customer’s initial Financial 

Crime Risk Rating (FCRR) which determines the level of CDD to be performed. 

2.4.3 FCC-RAM inputs may be re-visited through the CDD process based on additional information received. 

Initial data points collected during the determination of the initial FCRR will be replaced with valid and actual 

data points which may affect the final computed (i.e. calculated) FCRR. There may be a final adjusted Risk 

Rating following manual adjustment (see Section 2.6) 

2.5 CDD at Onboarding 

2.5.1 The specific requirements for CDD based on the Customer Type and the customer’s initial FCRR are 

outlined in the Customer Type CDD Procedures. 

2.5.2 CDD is performed through Identification & Verification (ID&V), Know Your Customer (KYC) and where 

applicable, Enhanced Due Diligence (EDD). 

Identification & Verification (ID&V): Identifying who the Customer and their Connected Parties are 

by gathering information about their identity; and verifying some or all of the information gathered 

using reliable and independent documentary and/or electronic sources 

Know Your Customer (KYC): The purpose of KYC is to obtain a thorough understanding of the 

Customer. This is performed by screening, collecting information and documentation about what 

the Customer does (e.g. business type, country of operation, source of wealth and source of funds), 

and understanding the intended purpose, use and activity of the account. 

Enhanced Due Diligence: Certain Customer Types and Customers with certain characteristics pose 

a higher risk of financial crime (e.g. High Risk and SCCs). Enhanced Due Diligence must be 

performed to mitigate the increased risk of Financial Crime associated with these Customers. 

2.5.3 CDD applies to the Customer, Connected Parties 3 to the Customer and other relevant parties as defined in 

the specific Customer Type CDD Procedures. 

2.5.4 In some markets, duplicate customer profiles and / or Customer IDs are created, for example if the 

customer uses different ID sources at onboarding. 

2.5.5 Processes and systems must be in place to prevent the creation of duplicate customer profiles as this will 

impact the effective risk rating of the customer, screening and the customer’s overall risk profile will not be 

fully considered. 

2.5.6 However, where the creation of duplicate profiles is unavoidable, Countries must agree a process to 

manage this. 4 

2.6 Final FCRR 

2.6.1 Based on the information obtained during CDD (ID&V, KYC and where applicable, EDD) the FCC-RAM is 

re-run and the Customer’s final FCRR is determined. 

2.6.2 The final FCRR determines the level of approval required for the Customer, and the level of on-going 

monitoring including the Periodic Review cycle. 

2.6.3 The final FCRR may be manually adjusted based on information received during the CDD process or as a 

result of an outcome following the escalation of a Financial Crime Indicator. Adjustments can take three 

forms: 

Policy driven adjustments: 

 

The SCC Policy requires that certain Customers be marked as SCC irrespective of the FCC-RAM 

driven FCRR. (See the Restricted and Prohibited Customers, Special Categories of Customers 

(SCCs) and Prohibited Products) 

Country Regulation Adjustments 

 

Where country regulation requires an adjustment, this will be captured in the Country addenda 

(please see AML Governance LoBP for further guidance). 

3 

RBWM are not required to Risk Rate Connected Parties 

4 

The Global Target Operating Model provides the necessary guidance 

INTERNAL 

Page | 14

Local risk factors also need to be considered for localisation of RAM methodology. 

Judgmental adjustments: 

As a result of analysing data collected during the CDD process or as a result of an outcome 

following the escalation of a Financial Crime Indicator, the Customer’s FCRR may be adjusted 

upwards at the discretion of the Country FCC. 

2.6.4 An adjustment to the final calculated FCRR can only serve to move the Customer into a higher risk 

category. 

2.6.5 If the rationale for the manual adjustment is no longer applicable, the FCRR may revert to the FCC-RAM 

calculated FCRR (for removal of SCC status, see Restricted and Prohibited Customers, Special Categories 

of Customers (SCCs) and Prohibited Products Chapter). 

2.6.6 The figure below demonstrates the factors that may lead to a difference between the initial FCRR and the 

final FCRR. 

2.7 On-going CDD 

2.7.1 To ensure that CDD information and documentation is kept up to date, complete and accurate, On-going 

CDD is performed through Periodic or Event Driven Reviews. Please refer to the Periodic and Event Driven 

Reviews Chapter. 

INTERNAL 

Page | 15

3. Screening 

Key Objective(s) 

How will the 

Objective(s) be 

achieved? 



Other Related 

Documents and 


To understand the nature of HSBC’s Customer, its business and any associated Financial Crime 

risks posed by the Customer. 

Screening enables HSBC to identify high risk indicators that have not been identified elsewhere 

in CDD or that the Customer has failed to bring to our attention. 

Customer screening plays an integral part of HSBC’s CDD processes and helps to identify those 

Customers who may pose a higher risk of financial crime to HSBC. Customer screening takes 

the form of two types: 

(i) 

(ii) 

Screening Official Sanctions, Terrorist, PEP and Other lists 

Negative News Screening 


3.2 Key Screening Principles 

3.3 Screening against Official and Other lists 

3.4 Negative News Screening 

3.5 Screening, Negative News and Negative Facts Tools 

Escalations 

Politically Exposed Persons (PEPs) 

Approvals 

Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited 

Products 

Global AML Policy 

Global Sanctions Policy 

RBWM Sanctions Policy 

Customer Selection and Exit Management 

The Global Sanctions Manual Screening Guidance link here. 

https://team.global.hsbc/sites/FinancialCrimeCompliance/SitePages/Home.aspx 

Page | 16 

INTERNAL


3.1.1 Customer screening is an integral part of HSBC’s CDD processes. It is conducted at onboarding and on an 

on-going basis and consists of two elements: 

a) Screening against the Official Lists 5 and Other lists 

b) Negative News/Facts Screening 

3.1.2 Screening against Official and Other lists helps to identify those Customers who may pose a higher risk of 

Financial Crime to HSBC, due to their presence on an internal or external blocked or restricted activity list. 

3.1.3 Negative NewsScreening allows us to identify further information on the Customer which contributes to 

establishing a full understanding of the Financial Crime risks associated with the relationship. 

3.1.4 This section outlines the key process elements of Customer screening. RBWM will define how Customer 

screening is operationalised in country in their Country LoBPs. 

3.2 Key Screening Principles 

3.2.1 Screening must be undertaken on the Customer and its Connected Parties identified. The specific parties 

which require Screening are set out in the Customer Type CDD Procedural Documents, e.g. Individuals. 

3.2.2 Screening against Official and Other Lists must be conducted in line with AML Policy and the Global 

Sanctions Policy. 

3.2.3 Where beneficiaries of deceased customers (excluding those related to Insurance products) have not 

been identified, it is mandatory to complete screening prior to any payment being made to these parties. 

3.2.4 For Insurance; where beneficiaries are defined as Connected Parties who “control”, “direct” or “contribute” 

to an insurance product and therefore subject to ID&V (as stipulated in RBWM CDD Customer LoBP 

Section 1.8); the following screening principles will apply: 

a. At on-boarding of an insurance product: Should such a beneficiary be listed / known during the onboarding 

of a product; the beneficiary must be screened; and 

b. Change in beneficiary: At any point when such a beneficiary is added or an existing beneficiary 

replaced by a new one, the new beneficiary must be screened. 

3.2.5 In addition to this; it is mandatory to complete CDD and screening on all insurance beneficiaries when 

proceeds of a policy become due; prior to payment of such proceeds. This is regardless of whether the 

beneficiary has been identified previously as a Connected Party (defined above) or whether they are only 

a named beneficiary with no influence over an insurance product (e.g. nominated beneficiary). Also refer 

to RBWM AML LoBP Section 4 – Insurance; paragraph G.2.1.3. 

3.2.6 Screening for named members under an insurance group scheme should be completed as set out in the 

RBWM AML LoBP Section 4 – Insurance; paragraph G.2.1.5. 

3.3 Screening against Official and Other Lists 

Types of Official and Other Lists 

3.3.1 Screening must be completed against Official Lists and Other Lists which are defined as follows: 

5 

The Official Lists are the lists of individuals, entities or organisations who have been designated as sanctioned targets by the UN, UK, US, EU 

or HK. The Official Lists which must be screened are set out in the Global Sanctions Policy. 

INTERNAL 

Page | 17

Official/Other List 

Description 

Official Lists 

Sanctions and Counter 

Terrorist Financing lists 

HSBC must comply with Sanctions and Counter Terrorist Financing laws. Identified details 

must be checked against the Official Sanctions Lists outlined in Appendix C of the Global 

Sanctions Policy. These included the lists issued by: 

g) United Nations 

h) European Union 

i) US Treasury OFAC 

j) HM Treasury (UK) 

k) Hong Kong Monetary Authority 

l) USA PATRIOT Act Section 311 Special Measures 

Other Official Lists issued by the Competent Authorities in the jurisdictions in which HSBC 

operates, as required by local regulations. If applicable, registration should be made with 

local authorities in order to receive any local sanctions lists. Link to the Global Policy 

appendix with the Global Sanctions Lists: 

http://fim.ghq.hsbc/FIM/home.nsf/ByRef/UKWE9H5P7818032912032014?Open&language=EN 

Other Lists 

Scion (or other internal 

watch list systems) 

Politically Exposed 

Persons (PEPs) list 

Other Country-specific 

lists 

HSBC maintains an internal list of parties against who are not designated but whom 

HSBC believes present an unacceptable Financial Crime risk to HSBC. 

Group Policy requires the Business to identify Politically Exposed Persons. 

At country-level, HSBC entities may maintain lists of parties that pose a Financial Crime 

risk, e.g. an additional list of persons as determined by local authorities. If applicable, 

registration should be made with local authorities in order to receive any search lists. 

Information to be Screened 

3.3.2 The data points for the Customer and any Connected Parties which must be screened against the Official 

and Other Lists are outlined in the Global Sanctions Policy and are set out in the table below. 

3.3.3 If it is known that a Customer has changed their name in the past, Screening against Official and Other 

lists must include both the new name as well as the previous name(s). 

3.3.4 Where manual screening is undertaken as part of onboarding or periodic or event driven reviews, 

Screening against the Official and Other Lists must be undertaken via an automated screening solution in 

accordance with the criteria outlined in the Global Sanctions Policy. 

3.3.5 The table below identifies the information which must be screened against Official and Other Lists. 

INTERNAL 

Page | 18

Party 

Customers 

Customers – Individuals 

Customers - Entities 


Automated Screening 

Full Legal Names identified during ID&V 

Nationality/Citizenship 

Gender, name of employer, address of 

employer. City and country of residential 

address (includes current and permanent if 

different as well as any other 

correspondence address) identified during 

ID&V 

Full Legal Names, any “Trading As” names 

City and country of Registered Office 

address in country of Incorporation and city 

and country of Business address identified 

during ID&V 

City & Country of business (if different from 

the registered office address). 


Manual Screening 

Full legal Names identified during ID&V 

Full legal Names and any “Trading As” 

names identified during ID&V 

Connected Parties 

Beneficial Owners 

Full legal Name of the individuals or legal 

entity identified including the Ultimate 

Beneficial Owner and Intermediate Owner. 

Individuals - city and country of residential 




ID&V 

Legal entity - city and country of Registered 

Office address in country of Incorporation 

and city and country of Business address 

identified during ID&V 



Full legal Name of the individuals or legal 

entity identified including the Ultimate 

Beneficial Owner and Intermediate Owner 


Key Controllers 

Full legal name of the individuals and legal 

entities 

Individuals - City and country of residential 




ID&V 

Legal entity - City and country of Registered 



identified in ID&V 



Full legal name of the individuals and legal 

entities identified during ID&V 

INTERNAL 

Page | 19

Party 

Other Directors, not 

identified as Key 

Controllers 

Direct Appointees 


Automated Screening 

Full legal name of the Individuals identified 

in ID&V 

City and country of residential address 

(includes current and permanent if different 

as well as any other correspondence 

address) identified during ID&V 


in ID&V 





ID&V 








Manual Screening 


in ID&V 


in ID&V 

Other Connected Parties 

Full legal name and any “Trading as” names 

identified in ID&V 





ID&V 







Full legal Names and any “Trading As” 

names identified during ID&V 

Timing of ‘Official’ List Screening 

3.3.6 Screening against Official Lists must be undertaken in two situations: 

a. Initial Screening at onboarding– New Customer and Connected Party relationships 

At onboarding, the Business must screen the Customer and any identified Connected Parties against the 

Official Lists referenced in Section 3.3.1. This will identify True or Potential matches of the Customer and 

Connected Party information to the details of an individual, entity or organisation included in the Official 

Lists. 

b. Automated screening should be conducted as soon as possible but no later than 48 hours after the 

account has been opened or the relationship established. Any alerts must be investigated and discounted 

within the timeframes approved by the appropriate Screening Committee. RBWM Sanctions Policy 

Official list Screening must be conducted and any alerts discounted, before any economic benefit i.e. loans, 

overdrafts and credit cards or the ability to perform any transactions is made available to the customer. 

INTERNAL 

Page | 20

A manual World-Check search of the Customer and Key Connected Parties must be undertaken. The 

Global Sanctions Manual Screening Guidance link here should be referenced for the process to follow. 

3.3.7 On-going Screening (Official & Other Lists) – Existing Customer relationships 

a. Once a Customer has been on-boarded, on-going Screening is required. All customer records will be 

screened against official lists, daily through HSBC’s automated screening solutions. 

b. During Periodic and Event-Driven Reviews, Screening against Official and Other lists is limited to the 

names (i.e. Customer name, Trading As Name, Connected Parties) that have changed since the last 

review, or to any new Connected Parties that have been identified. Where such changes have taken place, 

these names must be screened by the Business, refer to Section 3.3.4 6 . 

c. On-going Screening of beneficiaries to Insurance policies is not required as it is only completed prior to 

payment. 

Timing of ‘Other’ List Screening 

3.3.8 Screening against ‘Other’ Lists must be undertaken in two situations: 

a) Initial Screening at onboarding– New Customer relationships 

 

 

 

During the onboarding process, the Business must screen the Customer and any identified 

Connected Parties against the Other Lists referenced in Section 3.3.1. This screening process may 

be carried out via overnight batch within 48 hours of the account being activated or the 

product/service being issued. 

This will identify True or Potential matches of the Customer and Connected Party information to the 

details of an individual, entity or organisation included in the Other Lists. 

Any alerts must be investigated and discounted within the timeframes prescribed by the appropriate 

Screening Committee. In the event that a true PEP match is identified, the customer may continue 

to transact on their account while any additional due diligence procedures are completed. All ‘Other’ 

list matches must be immediately escalated to local FCC for further instruction. 

b) On-going Screening – Existing Customer relationships 

Once a Customer has been on-boarded, on-going Screening is required. All customer records will 

be screened against official lists, daily through HSBC’s automated screening solutions. 

During Periodic and Event-Driven Reviews, Screening against Other lists is limited to the names 

(i.e. Customer name, Trading As Name, Connected Parties) that have changed since the last 

review, or to any new Connected Parties that have been identified. Where such changes have 

taken place, these names must be screened by the Business, refer to Section 3.3.4 7 . 

On-going Screening of beneficiaries to Insurance policies is not required as it is only completed 

prior to payment. 

Resolution of Screening Matches 

3.3.9 During the Screening process, if Customer or Connected Party information appears to be a match on one 

of the Official/Other Lists, this is classified as a Potential Match. Where a Potential Match is identified, 

further data points of the subject of the Potential Match must be checked e.g. date of birth or address, in 

6 

Where the business does not screen existing customers through an automated screening solution, the Customer and all Connected Parties 

must be screened during the Periodic and Event Driven Reviews even where there have not been any changes to such parties since the last 

review. 

7 

Where the business does not screen existing customers through an automated screening solution, the Customer and all Connected Parties 

must be screened during the Periodic and Event Driven Reviews even where there have not been any changes to such parties since the last 

review. 

INTERNAL 

Page | 21

order to determine whether or not they are a “True Match”. Where there is any doubt the Potential Match 

must be escalated. 

3.3.10 Where a Potential or True Match has been identified, the parties who can resolve the Match will vary. The 

table below outlines the parties who can resolve Potential and True Matches 8 . 

Official/Other List Potential Match True Match 

Sanctions and Counter 

Terrorist Financing lists 

Scion (or other internal 

list systems) 

Politically Exposed 

Persons (PEPs) list 

Other Country-specific 

Watch lists 

Business 

Immediate escalation to FCC (see 

Escalations Chapter) 



Conduct PEP EDD (see PEPs 

Chapter for EDD requirements) then 

escalate to FCC at Approval (see 

Approvals Chapter) in line with PEP 

SCC determination 



3.3.11 For all Potential and True Matches, the CDD profile must be updated to record the action taken and the 

rationale for the decision made, i.e. to discount a Potential Match or to escalate a Potential Match or True 

Match to Country FCC. 

3.3.12 Where a True match has already been resolved (i.e. at a previous review) and documented, it should only 

be re-escalated to FCC when additional information is identified (e.g. the Potential Match is against a 

different list or the same list with updated information (e.g. a PEP who is now included on a sanctions 

list)). 

3.3.13 If it is determined that an account must be closed or declined, then the Client Selection and Exit 

Management (CSEM) policy must be followed. 

3.4 Negative News Screening 

Definitions 

3.4.1 Negative NewsScreening is a key mechanism for identifying adverse information about a Customer. This 

ensures necessary steps are taken to protect HSBC’s reputation. 

3.4.2 HSBC applies a risk based approach to its Negative News Screening. The approach to be undertaken is 

dependent on the Customer Type and is outlined in the relevant Customer Type CDD Chapter. The 

following guidance should be read in conjunction with Global Guidance on Minimum Standards for 

Negative News Searches (including via an Internet Search Engine). See Appendix A 

Definition 

Negative News 

An indication of adverse information about an individual, a legal entity or Connected Party that 

may or may not be factual. Negative News may be speculative and is often not supported by 

documentary evidence. 

Negative News involves public source searches using Group-approved tools and requires a 

judgmental assessment of the relevance and materiality of any finding. Further investigation may 

be required to determine the veracity of the information. 

8 

Regional and Country procedures will outline who within the Business will be authorised to resolve a Potential Match. 

Page | 22 

INTERNAL

Timing of Negative News Screening 

3.4.3 Negative News Screening, similar to ‘Other’ Lists referred above in 3.3.1 must be performed by RBWM as 

part of the Customer onboarding process, during a Periodic Review and following a Material Trigger Event 

unless automated adverse news Screening is in place. 

Application of Screening - Negative News Screening 

3.4.4 Screening must be carried out against a media archive that contains, at a minimum, global coverage of 

financial-crime relevant news, as reported in credible sources. For searches carried out using an internet 

search engine, the aggregate of free, publicly-available internet content shall be deemed to satisfy these 

requirements. 

3.4.5 The default internet search engine for internet-based negative news searches is Google.com. In some 

cases, CAMLO may specify a different search engine (for example, where there are difficulties accessing 

Google.com, or where another search engine is shown to provide superior search quality for a particular 

language or character set). This must be set out in the Country AML Addenda. 

3.4.6 Negative News Screening should be undertaken on a Risk Based Approach. The depth and breadth of 

the Negative News search is to be adjusted based on the potential risk posed by the Customer. This is 

based on two factors: 

1. Length of History: The time horizon of the search should be restricted to five years (at 

onboarding) or the period since the last search was conducted. In certain circumstances, for 

instance, where Negative News is identified, this time horizon may be extended to establish a fuller 

understanding. 

2. Search strings 9 : The minimum standards for internet-based negative news searches in English 

are set out in the Guidance in Appendix A. Where RBWM CAMLO has determined that internet 

searches are required to be carried out in languages other than English, the default keyword strings 

will be defined by RBWM CAMLO, with guidance from the Global AML and Sanctions Screening 

Team. A search will have a validity period of 90 days in support of onboarding a customer. Where 

the 90 days is exceeded a new search should be undertaken. 

3.4.7 Please refer to the Individuals Chapter for the filters to be applied to Manual Negative News Screening 

based on the Customer FCRR. 

3.4.8 If it is known that the Customer’s name has changed within the last five years (at onboarding) or since the 

last review, both the new and previous name(s) must be subject to Negative News Screening. 

3.4.9 Where a result provides a link to an internet site that can only be accessed by subscription holders, and 

the link cannot be discounted based on the information available about its content (such as the title and 

preview made available freely by the publishers) access to the site should be requested. Access to the 

internet is managed by the Information Security Policy and access to blocked sites can be requested by 

following the instructions provided in the blocking message shown when access is attempted. Where 

access to the site is denied on security grounds, its content need not be reviewed as the credibility of such 

sites is reduced. 

3.4.10 Where the only potential Negative News result provides a link to an internet site that can only be 

accessed by subscription holders and the link cannot be discounted by reviewing the freely available 

information such as the title or review, this should be referred to the appropriate person (e.g. RM, Portfolio 

Management Team, Line Manager) to determine materiality. 

3.4.11 Where the appropriate person is not able to determine materiality they should seek guidance from local 

country FCC. 

Materiality of Negative News Screening 

3.4.12 Where Negative News is identified, consideration must be given to its materiality and impact on the 

Customer relationship. 

9 

List of numbers and characters used when searching for Negative News. Search strings will be agreed with the appropriate Country Business 

Risk function as part of locally defined search strings. 

INTERNAL 

Page | 23

3.4.13 This assessment is judgemental. However, Negative News/Facts must be considered material where the 

information is relevant to determining whether the Customer poses a higher risk of Financial Crime. 

3.4.14 By way of guidance, the following would be indicative of material Negative News: 

a) Criminal and Regulatory enforcement action, Financial Crime violation or other illegal activity 

conducted or facilitated by the Customer or Connected Party 

b) Information which prompts an assessment as to whether the Customer would be considered to be 

a Prohibited or Restricted Customer as outlined in the Restricted and Prohibited Customers, 

Special Categories of Customers (SCCs) and Prohibited Products Chapter 

c) Information which may qualify the Customer as SCC as outlined in the Restricted and Prohibited 

Customers, Special Categories of Customers (SCCs) and Prohibited Products Chapter 

d) Information which highlights Financial Crime Indicators as defined in the Escalation Chapter 

e) Information which raises a serious reputational risk concern from HSBC’s association with the 

Customer 

3.4.15 Other factors to consider when determining whether Negative News is material include: 

a) The seriousness of the News: For example, information about low level litigation brought against 

or by Customers is generally not material 

b) Aging of the News : Historic Negative News is generally less material than a recent event. 

c) Reliability and number of sources: Information which is hearsay or from a single nonestablished 

source may be less material than information obtained from a reputable source and/or 

where several sources are used to corroborate the Negative News. 

3.4.16 Where there is uncertainty in respect of whether an item of Negative News is material, FCC must be 

consulted by initiating the Escalation Process. 

Resolution of Negative News matches 

3.4.17 The table below outlines the parties who can resolve Potential and True Negative News Matches 10 : 

Potential Matches 

Non Material 

True Matches 

Material 

Negative News/Facts Business Business FCC 

3.4.18 For all Potential and True Negative News Matches, the CDD profile must be updated to record the action 

taken, including any escalation to Country FCC (see Escalations Chapter). 

3.4.19 Records of Potential and non-material True Matches must be maintained to demonstrate an auditable trail 

of discounted matches. This must include details of the match found, who discounted it and the rationale 

for the discount. 

Screening Negative News Tools 

3.4.20 Screening and Negative News tools may be either manual or automated. 

3.4.21 Whilst the default Internet search engine for Internet-based negative news searches is Google.com any 

request to use alternative solutions tools must be submitted to the RBWM Head of AML and then to the 

Global Head of AML for review and approval and subsequent approval by the Global Head of AML 

Systems Analytics, ensuring that the search tools used are effective and suitable for use across the 

jurisdictions where they are applied 

10 

Regional and Country procedures will outline who within the Business will be authorised to resolve a Potential Match. 

INTERNAL 

Page | 24

3.4.22 Where Country FCC recommend appropriate Negative News solutions for use in their jurisdiction, such a 

request must include a risk analysis of the proposed tool, its relevant parameters, the scope of its 

intended usage (i.e. RBMW and Customer Type limitations) and local language application. 

INTERNAL 

Page | 25

Appendix A 

Global Guidance on Minimum Standard for Negative News Searches v2.0 

Page | 26 

INTERNAL

4. Periodic and Event-Driven Reviews 

Key objective 


be achieved? 



Other Related 

Documents and 


To understand on an on-going basis who our existing Customers are and to ensure CDD 

information and documentation is kept up to date, complete and accurate, such that 

Financial Crime Risks are effectively managed. 

On-going monitoring processes such as Periodic Reviews of CDD Profiles and responding 

to Trigger Events will ensure that CDD information and documentation is kept up to date, is 

complete and accurate such that Financial Crime Risks are effectively managed. 

Certain concerns (whether they relate to commercial, Financial Crime Risks, or 

reputational risk) may result in a decision to Exit a Customer relationship. In such cases, 

appropriate due diligence must be undertaken until such time whereby the Exit is 

completed. 

At all times throughout the Customer relationship, consideration must be given to 

escalating Unusual Activity and Suspicious Activity Reporting (SAR) obligations. 

4.1 Introduction to CDD Reviews 

4.2 Trigger Events and Event Driven Reviews 

4.3 Periodic CDD Reviews - Principles and Approach 

4.4 First Time File Reviews (FTFR) 

4.5 Periodic Review Frequency 

4.6 CDD and EDD requirements at Periodic Review 

4.7 Requirements applicable to Entities 

4.8 Requirements applicable to Individuals 

4.9 Roles and Responsibilities during Periodic Review 

4.10 CDD Review Approvals 

4.11 CDD Reviews for Exit Customer 

Customer Data Management, Verification Requirements, KRIs & MI 

Escalations 



Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and 

Prohibited ProductsApprovals 

Individuals 

Corporates and Partnerships 

Financial Crime Country Risk Model 

Financial Crime Compliance Risk Assessment Model 



Page | 27 

INTERNAL

4.1 Introduction to CDD Reviews 

4.1.1 Maintaining up-to-date CDD information throughout the life of the Customer relationship is an important 

element of Financial Crime Risk Management. 

4.1.2 Performing processes such as Periodic Reviews of CDD Profiles and responding to Trigger Events will 

ensure that CDD information and documentation is kept up to date, complete and accurate. 

4.1.3 There are three situations where updates to the CDD Profile may be required: 

i. Customer Specific Trigger Events that result in an Event Driven Review (see Section 4.2); 

ii. 

Policy Driven Trigger Events (see Section 4.2); and 

iii. Periodic Reviews (see Section 4.3). 

4.1.4 Certain concerns may result in a decision to Exit a Customer relationship. In such cases, appropriate due 

diligence must be undertaken leading up to the planned Exit. 

4.2 Trigger Events and Event Driven Reviews 

Types of Trigger Events 

4.2.1 Trigger Events are defined as changes in circumstances occurring after onboarding or between Periodic 

Reviews which affect an existing Customer or its relationship with HSBC. Trigger Events require the 

Customer’s CDD Profile to be updated and their Financial Crime Risk Rating (FCRR) to be re-assessed. 

4.2.2 Appendix 1 lists Trigger Events for each Customer Type. Appendix 1 is not intended to be exhaustive but 

sets out the global minimum requirements. 

4.2.3 Trigger Events can take two forms: 

a) Customer Specific Trigger Events 

b) Policy Driven Trigger Events 

Customer Specific Trigger Events 

4.2.4 Customer Specific Trigger Events are defined as changes as a result of: 

a) New or changed information about a Customer being identified between Periodic Reviews; or 

b) New products being taken on by a Customer. 

4.2.5 The materiality of a Customer Specific Trigger Event is dependent on the Customer Type and the nature of 

the event. The necessary action following a Customer Specific Trigger Event depends on the impact of the 

event itself, classified as either: 

a) Material; or 

b) Administrative 

4.2.6 Once a Customer Specific Trigger Event is identified, the Trigger Event process must be initiated. 

INTERNAL 

Page | 28

Trigger Event Process for Customer Specific Trigger Events 

4.2.7 The following table describes the impact of Customer Specific Trigger Events and the extent of CDD 

required: 

Impact 

Description & CDD Review Requirements 

Material Material Trigger Events are those that either: 

 

 

i. Increase the Customer’s FCRR; or 

Administrative Administrative Trigger Events: 

 

 

ii. 

Indicate a fundamental shift in a Customer’s business activity or relationship 

with HSBC. 

As a result of a Material Trigger Event, a Customer review must be undertaken 

(see Section 4.6 (Individuals) and 4.7 (Entities) on Periodic Reviews). 

As a result of a Material Trigger Event, the next Periodic Review date will be reset 

(see Figure 4.1) in line with the new FCRR Periodic Review frequency (see section 

4.4). 

i. do not result in an increase in the FCRR 

ii. 

do not indicate a fundamental shift in a Customer’s business activity or 

relationship with HSBC 

Changes should be updated in core banking systems following business as usual 

processes and added to the CDD profile (and associated ID&V and Screening, 

where required) 

The next Periodic Review date will not be reset in the event of an Administrative 

Trigger Event (see Figure 4.1) 

Figure 4.1: Example of Trigger Event Impact on Periodic Review Cycle (3-Year Cycle) 

Policy Driven Trigger Events 

4.2.8 Policy Driven Trigger Events are changes which affect the Policy framework used to assess Customer risk, 

e.g. as a result of an amendment to the Global Financial Crime Country Risk Model (FCCRM) or to local 

legislation. The relevant AML office or FCC Sanctions in line with the AML Governance Guidance will 

determine if a Policy change will result in a Policy Driven Trigger Event. 

4.2.9 Policy Driven Trigger Events will occur periodically to reflect HSBC’s on-going monitoring of Financial Crime 

Risk and changes in both the operating and regulatory environments. Examples include external changes, 

e.g. the introduction of sanctions for a jurisdiction, or internal changes, e.g. an upward shift in a country risk 

rating. 

4.2.10 In response to a Policy Driven Trigger Event, an assessment is required as to how changes are to be 

applied. The Business in conjunction with the RBWM Global Head of AML or FCC Sanctions must decide 

which categories of Customers need to be remediated (i.e. a structural portfolio review) and which will be 

revisited at their next scheduled Periodic or Event Driven Review. 

INTERNAL 

Page | 29

4.4 

4.3 Periodic Reviews – Principles and Approach 

4.3.1 The purpose of conducting a Periodic Review is to confirm that the Customer’s CDD profile, including KYC, 

product information, and the FCRR are accurate, up to date and complete based on reasonable due 

diligence, and the Customer relationship remains within HSBC’s risk appetite. “The next Periodic Review 

date should be set based on the completion date and profile finalisation of the current Periodic Review” 

4.3.2 In addition to the above, for Retail Business Banking customers, an assessment must be undertaken to 

ensure that the relationship remains within the RBB portfolio criteria. In line with CDD Risk Acceptance, 

where changes are identified, referral should be made to the Country Head of RBB and FCC to establish if 

the customer relationship should continue to be managed by RBWM. 

4.3.3 At Periodic Review the FCRR must be recalculated using the Financial Crime Compliance Risk Assessment 

Model. 

4.3.4 Any changes must be documented to the onboarding standard. It is not required to re-verify CDD 

information which has remained constant. 

4.3.5 For the purpose of this document, the following definitions will apply: 

 

 

 

Verification - verifying some or all of the identity information gathered using reliable and independent 

documentary and/or electronic sources (For further information refer to Individuals KYC chapter). 

Validation - describes the process of corroborating (i.e. supporting with evidence) KYC information 

(For further information refer to Individuals KYC chapter). 

Confirmation – a process to affirm details relating to the Customer which will be provided by the 

Customer themselves, or the Business (generally the RM) in lieu of the Customer. (For further 

information refer to Individuals KYC chapter). 

4.4 First Time File Review (Remediation of existing customers) 

4.4.1 RBWM must identify the review cycle for customers who have not been risk rated using the current version 

of the Global Standards RAM and where a review isn't already scheduled. Remediating existing customers 

through undertaking a First Time File Review will ensure that all of the CDD requirements are gathered to 

complete the CDD Profile in line with the Global AML Policy. This may require customer contact. 

4.4.2 RBWM must use available information on the customer to assign a Financial Crime Risk Rating (FCRR), 

aligned to the Financial Crime Customer Risk Assessment Methodology (FCC-RAM). 

4.4.3 For Retail Low Risk Individuals, remediation of the customer will be undertaken following a Material Trigger 

Event. For Retail Low Risk Individuals, the CDD profile may not be completed until the Material Trigger and 

FTFR has been completed. 

4.4.4 All other customers and entities will be scheduled for remediation based on their risk rating. once they have 

been uploaded into the CDD Review Tool following the approved roll out strategy. 

4.4.5 Subsequent Periodic Reviews will be scheduled in line with the customer's risk rating once the Remediation 

is completed during FTFR. See the table below for the review schedules. 

4.4.6 The RBWM CDD Line of Business Procedures identify where there is a difference in approach between 

Periodic Review and Remediation (First Time File) Review. 

4.5 Periodic Review Frequency 

4.5.1 The frequency of Periodic Reviews is determined by the Customer Type and the Customer’s FCRR. 

4.5.2 The following table specifies the minimum Periodic Review frequencies that apply: 

INTERNAL 

Page | 30

Periodic Review Cycle (Years) 

Customer FCRR 

High Net Worth 

Individuals & RBWM 

Entities* 

Retail Individuals 

High and SCC 1 1 

Medium 3 5 

Low 5 Material Trigger Alerts** 

*Entities include Retail Business Banking Sole Traders and Corporates & Partnerships, Trusts, Clubs & Societies 

** For Low Risk Retail Individuals reliance is placed on Material Trigger Events for updates to the CDD Profile and monitoring and identifying any 

significant changes in account activity. 

. 

4.5.3 At the time of Periodic Review or Trigger Event the classification of the customer between HNWI and Retail 

needs to be checked. If a customer no longer qualifies for HNWI the RM should conduct the review and 

action the trigger as described, remove the HNWI classification and set the Periodic Review Cycle based 

on the new classification and Risk Rating. 

4.6 CDD and EDD Requirements at Periodic Review 

4.6.1 It is important to recognise that characteristics and resulting CDD and Enhanced Due Diligence (EDD) 

procedures will differ by Customer Type. The following section outlines the CDD and EDD procedures for 

Entity and Individual Customer Types. 

4.6.2 Periodic reviews should not commence more than two months in advance of the profile expiry date, but 

must be completed by the profile expiry date. This will allow the Business time to collect any additional CDD 

information, recalculate the FCRR, escalate issues and complete the review and approval before the end of 

the review cycle (profile expiry date). 

4.6.3 If a case is overdue, it must be reported as part of Management Information. Management Information will 

report on profiles 0-29 days overdue, 30-59 days overdue and 60 plus days overdue from the expiry date of 

the Customer’s CDD Profile. There must be escalation to Business Line Management and Country FCC 

where cases remain overdue. 

4.6.4 A risk based approach needs to be taken when considering the action to take upon the expiry of a CDD 

profile, encouraging customers to respond and preventing unnecessary exits. 

4.6.5 A decision to retain a customer when the profile has expired should be treated as a CDD Risk Acceptance 

request and the CDD Risk Acceptance LoBP (Chapter 7) should be followed 

4.6.6 All requests to exit a customer, irrespective of the whether the CDD Profile review is overdue or not, will 

need to be approved at Client Selection Committee (CSC) who will make the final decision 

4.6.7 The approach should be documented on the customers CDD profile to maintain a full audit trail 

4.6.8 Pending the CSC decision, accounts must be restricted (where the restriction of accounts is allowed by 

local regulation etc.) 

4.6.9 For further information regarding exiting customers, refer to CSEM Policy. 

4.6.10 If Financial Crime Risk indicators are identified during the course of the Periodic Review the Business must 

follow the Escalation process (See Chapter 5 - Escalations). 

4.6.11 Dormant accounts are subject to Operational Risk FIM requirements. A Periodic Review is not required for 

Customers where all accounts, products and services are dormant. However, an Event Driven Review must 

be completed prior to the reactivation of a dormant relationship. 

INTERNAL 

Page | 31

4.6.12 An Event Driven Review must be completed prior to the reactivation of a dormant relationship. Where a 

credit is received to repay or reduce the balance of a written off account, providing the credit is received 

from an account in the customer’s name, directly via a Collection Agency or the customer is seen face to 

face, the credit may be applied to the account and the account balance closed or reduced until such time as 

the balance is repaid. 

4.7 Requirements Applicable to Individuals 

Customer Risk Rating at CDD Review 

4.7.1 Changes to the Customer Profile identified during Periodic Review may result in a change to the 

Customer’s FCRR. CDD must be completed in accordance with the final FCRR of the Customer. 

Periodic Review Requirements 

4.7.2 The following table outlines categories of CDD requirements applicable to Individuals at onboarding and 

Periodic Review. 

4.7.3 At Periodic Review confirmation is required of any changes to the key risk drivers as outlined in the table 

below. Where a change has been identified, the onboarding requirements must be followed, as outlined in 

the relevant Customer Type Procedural Standards. 

4.7.4 There are several key differences between on-boarding and Periodic Review requirements for Individuals 

which are outlined in Sections (4.7.5 - 4.7.12). 

CDD Requirements 

Customer ID&V 

Address Verification 

Know Your Customer (KYC) 

Account Activity Review 

Screening of Customer and 


Customer Contact and 

Visitation (where applicable) 

Enhanced Due Diligence (EDD) 

Where EDD has been 

performed. 

Periodic 

Review 

Requirements 

 

(4.7.5) 

 

(4.7.6 – 4.7.9) 

Key Risk Drivers 

Risk based approach to the remediation 

of address verification information for 

existing customers as noted below 

The Account Activity Review will determine 

the extent to which the actual account 

activity is consistent with expected account 

activity and all key information contained in 

the CDD profile. (including ongoing Source 

of Wealth (SOW)). 

Screening at Periodic Review will ensure any 

(4.7.10 – 4.7.12) new developments are identified (i.e. by 

Negative News/Facts Screening) 

 

(see Individuals 

KYC Chapter – 

2.8) 

 

(see Individuals, 

SCC & 

Prohibited 

Customers and 

PEP Chapters) 

 

Contact or Visitation are required to remain 

up-to-date with the Customer’s professional, 

business or personal activities, investment 

profile and financial requirements. 

Where an earlier determination requires 

EDD, the key facts must be updated at 

periodic review. 

INTERNAL 

Page | 32

Customer ID&V 

4.7.5 Where a gap is identified in relation to residential address verification for an existing customer then, 

provided the following conditions have been met, it is not necessary to request additional documentary 

evidence to fill the gap: 

 

 

 

 

 

The individual's account was opened more than 2 years ago, and the customer has maintained an 

uninterrupted relationship with HSBC since then; and 

The customer is a resident in the country where the account is held; and 

The business holds the customer's residential address (primary and other, where applicable) and any 

correspondence address (where known to be different to his/her residential address); and 

Correspondence has not been returned to HSBC as undelivered; and 

There is no Financial Crime Risk issues identified during the period based on available information; 

andAddress verification is not required by local regulations or used to evidence compliance with 

FATCA. 

Note: Information may also be captured during other customer contact, for example, CRS processes and the 

capture of Tax residency and Tax Identification number. 

4.7.6 If the conditions above have not been met, the customer's residential address must be verified in line with 

CDD procedures. In this instance, an HSBC issued letter or statement received by the customer at their 

address (but not a print-out from an HSBC system) can be provided by the customer as acceptable 

evidence of the customer’s residential address for both domestic and international account opening. 

4.7.7 Residential address verification is not required each time a customer moves address. 



4.7.8 Account Activity must be assessed to determine that it is in line with the CDD Profile during each review. 

4.7.9 The Account Activity review must assess if the Customer has conducted any transaction activity 

inconsistent with expected behaviour or any business related transactions via their retail personal account. 

Further guidance on determining if the account has been used for business purposes is provided in 

Appendix 2. 

4.7.10 Guidance on the nature and extent of the review can be found in Appendix 2. 

Ongoing Source of Wealth (SoW) 

4.7.11 Source of Wealth information for Individuals must be identified and validated, in line with risk rating, if the 

Source of Wealth has previously been obtained for the Customer and there is evidence of significant 

changes in Customer circumstances, e.g. through Transaction Monitoring or other evidence of change. 

4.7.12 Where Source of Wealth has not previously been obtained, when conducting a First Time File Review, this 

information must be identified and verified in line with onboarding standards and risk rating. 

4.7.13 Care should be taken where it may prove difficult for the customer to provide evidence of the SoW, 

especially at FTFR. 

4.7.14 SoW should be obtained, as per onboarding procedures, where a material change results in an Individual 

moving into a category where SoW information is now required or had previously not been obtained. (see 

Figure 2.5 in Individuals Chapter, KYC Section). 

Screening of the Customer and Connected Parties 

4.7.15 Where screening of Customer and Connected Parties recorded at on-boarding is automated (e.g. reverse 

PEP or Sanctions screening), this does not need to be repeated at Periodic Review. 

4.7.16 Negative News and Negative Facts Screening is only required to be performed incrementally, i.e. for the 

period from the date of the last review to the date of current review. 

INTERNAL 

Page | 33

4.7.17 For all newly identified Connected Parties, screening must occur in line with onboarding requirements. (see 

Individuals Chapter, KYC Section). 

Connected Parties ID&V 

4.7.18 If identified at Periodic Review, newly identified Connected Parties will be subject to the ID&V requirements 

specified at onboarding (See Chapter 1 - Individuals). 

4.8 Requirements Applicable to Entities (Customer Types applicable to RBWM are: 

Sole Traders, RBB Corporates and Partnerships, Trusts, Clubs & Societies and Personal 

Investment Vehicles) 

Customer Risk Rating at CDD Review 

4.8.1 Changes to the CDD Profile identified during Periodic Review may result in a change to the Customer’s 

FCRR. CDD must be completed in accordance with the final FCRR of the Customer. 

Periodic Review Requirements 

4.8.2 The following table outlines categories of CDD requirements applicable to Entities at Periodic Review. 

4.8.3 At Periodic Review confirmation is required of any changes to the key risk drivers as outlined in the table 

below. Where a change has been identified, the onboarding requirements must be followed, as outlined in 

the relevant Customer Type sections. 

4.8.4 There are several additional requirements at Periodic Review for Entities which are outlined in Sections 

(4.8.5 - 4.8.20). 

CDD Requirements 

Customer ID&V 

Existence of Customer and 

Legal Entity Status 

Listed or Regulated Status 

Connected Party ID&V 


(BOs and UBOs) 

Key Controllers and Other 


Periodic Review 

Requirements 

 

(4.8.5) 

 

(4.8.5) 

 

(4.8.6 – 4.8.7) 

 

(4.8.6 – 4.8.7) 

Key Risk Driver 

Confirmation that the legal entity still exists is critical, both from a risk management 

and operational standpoint. 

Changes to the listed status of the Customer entity or Parent may result in changes 

to the levels of transparency, disclosure and corporate governance. 

Beneficial Owners have the potential to exploit the Customer entity’s relationship 

with HSBC to launder money or commit other financial crimes because they 

exercise ultimate control over the Customer via their ownership interest or voting 

power. 

Changes in the ownership structure may result in changes to the risk profile. This 

may be due to (i) PEPs, negative news orsanctionsssues identified in the new 

ownership structure, (ii) change in legal entity type (iii) change in AML control 

framework (AML controls at new owner are different or inferior). 

Changes in Key Controllers may impact the risk profile of the Customer. Key 

Controllers, given their influence on activities, have the potential to be able to exploit 

the Customer entity's relationship with HSBC to launder money or commit other 

financial crimes. 

At periodic review, the focus will be on identifying new risks, for example new PEPs 

in the control structure, sanctioned entities and/or individuals and/or negative news 

associated with new or existing Key Controllers. 


Nature of Business 

(or equivalent as per 

Customer Type). 


 

 

(4.8.8 – 4.8.9) 

Certain business activities are more susceptible to money laundering or other 

financial crimes, and changes in the nature or scope of business activities may 

result in changes to the risk profile of the Customer. Changes in jurisdictions in 

which the Customer operates may also present sanctions risks. 

At Periodic Review, the focus is on identification of changes in Customer activity that 

would impact risk profile, or a change in the Customer’s sanctions exposure (e.g. an 

increase or decrease in the Customer’s indirect risk exposure to a Sensitive 

Sanctioned Country). 

Certain products and services are more susceptible to misuse. At Periodic Review, 

the focus is on identification of any new product activity that may impact the money 

INTERNAL 

Page | 34

Visitation (if required per 

Customer Type) 

Screening of Customer and 


 

(see AML Policy: CDD 

Standards - 

Corporates & 

Partnerships) 

 

(4.8.10 – 4.8.14) 

laundering or Sanctions Risk of the Customer. Changes to the products or services 

being utilised may also indicate a change in the underlying Customer’s business 

activities. 

Where applicable visitation will support assessment of the nature of business to 

ensure it is consistent with the information contained in the CDD profile. 

Screening at Periodic Review will ensure any adverse changes are identified (i.e. by 

negative news/facts and sanctions screening). In addition, this will identify any new 

risks associated with PEP identification and screening against Official and Other 

Lists (as defined in the Section 3 – Screening). 


Requirements for PEPs 

Exposure to Sensitive 

Sanctioned Countries 

Exposure to Sixth Filter 

Countries (rated High Risk 

on the FCCRM in which 

HSBC does not have a 

presence) 

 

(see AML Policy: CDD 

Standards – PEPs) 

 

(4.8.15 – 4.8.17) 

 

(4.8.18 – 4.8.19) 

Where an earlier determination has been made to raise the FCRR of a Customer, 

the key facts must be updated at Periodic Review to ensure that the risk issues are 

still applicable (e.g. PEP status, sanctions, etc.), and updated to reflect any case 

developments (e.g. negative news). 

Customer ID&V 

4.8.5 Based on a review of the key risk drivers above, the Periodic Review must seek to identify any changes to 

the Customer e.g. existence, legal or listed status of the entity. 

Connected Parties ID&V 

4.8.6 At Periodic Review, the ownership structure and existing Connected Parties who retain control of the 

Customer need to be confirmed. However they do not need to be re-verified. 

4.8.7 Any new Connected Parties identified at Periodic Review need to be ID&V’d to onboarding standards. 



4.8.8 By using information obtained at onboarding, and any new information captured, the Account Activity 

Review will assess the extent to which the expected account activity is consistent with actual account 

activity and that the actual activity is in line with the rest of the CDD Profile. Any unusual activity identified 

must be adequately investigated and may require escalation to FCC. 

4.8.9 The nature and extent of the review will be determined by Customer Type, Product type and the Customer’s 

FCRR. 

Screening of the Customer and Connected Parties 

4.8.10 Where screening of Customer and Connected Parties recorded at on-boarding is automated or real-time 

(e.g. reverse PEP or Sanctions screening), this does not need to be repeated at Periodic Review. 

4.8.11 As a result, Screening at Periodic Review relates only to those parties who have not previously been 

identified (e.g. new Connected Parties) or screening requirements that are not satisfied through automated 

processes, which can include Negative News and/or Negative Facts screening. 

4.8.12 For all newly identified Connected Parties, screening must occur in line with onboarding requirements. 

4.8.13 Negative News and/or Negative Facts Screening is only required to be performed incrementally, i.e. for the 

period from the date of the last review to the date of current review. 

4.8.14 The following table outlines which existing parties are required to be screened at Periodic Review where 

there is no automated Screening. Where a hit against an Official or Other Lists is identified, these should 

be escalated per the Screening Chapter. 

INTERNAL 

Page | 35

Existing Parties to be 

Screened at Periodic Review 

Customer 

X 



Key Controllers 

Other identified 


X 

X 

X 


Exposure to Sensitive Sanctioned Countries 

4.8.15 For Customers with known exposure to Sensitive Sanctioned Countries, the information pertaining to a 

Customer’s exposure must be reviewed at least annually, irrespective of a Customer’s final FCRR and 

subsequent Periodic Review cycle. 

4.8.16 The information pertaining to a Customer’s exposure may be reviewed outside of the Periodic Review Cycle 

at the request of FCC Sanctions. 

4.8.17 The Customer must be escalated to FCC in the following instances: 

a) Where there is an increase in exposure of the Customer to a Sensitive Sanctioned Country; 

b) Where there is a change in the type of exposure a Customer has to a Sensitive Sanctioned 

Country, (i.e. between Direct Relationship, Direct Support or Indirect Risk Exposure); 

c) Where there is a change in the Sensitive Sanctioned Countries that the Customer or a Connected 

Party has exposure to; and/or 

d) Where there is a change in the Customer’s primary business activity in relation to the Sensitive 

Sanctioned country. 

4.8.18 Where exposure to Sensitive Sanctioned Countries is newly identified at a Review, e.g. an Indirect Risk 

Exposure to a Sensitive Sanctioned Country that was not previously identified the Enhanced Due Diligence 

Procedures should be followed. 

Exposure to Sixth Filter Countries rated High Risk on the FCCRM and where HSBC does not have a 

physical presence 11 

4.8.19 For Customers with known exposure to Sixth Filter jurisdictions rated High Risk on the FCCRM in which 

HSBC does not have a physical presence, this exposure must be reviewed as part of the Periodic Review. 

4.8.20 Reputational Risk and Client Selection Committee (RR&CSC) approval will be required where the 

Customer’s exposure to countries rated High Risk on the FCCRM in which HSBC does not have a physical 

presence is greater than 10% for any one jurisdiction, or 25% for any combination of such jurisdictions. 

4.8.21 Event-driven examples of increased Customer exposure may include: 

a) Additional HSBC products and services requested by the Customer; and/or 

11 

For more information on Sixth Filter refer to the Global Risk FIM B.2.21.4 Sixth Filter 

INTERNAL 

Page | 36

) A significant increase in exposure (e.g. an increase which results in greater than 10% of total 

ownership, sales, supplies and/or investment pertaining to a TI CPI ≤ 22 countries) not previously 

identified: 

i. A change in the jurisdictions rated High Risk on the FCCRM in which HSBC does not have 

a physical presence that the Customer has exposure to; and/or 

ii. 

A change in the Customer’s primary business activity or a significant business operation in 

relation to a sixth filter jurisdiction, e.g. where a new local partner is identified. 

4.9 Roles and Responsibilities during Periodic Review 

4.9.1 Country RBWM Procedures should define Roles and Responsibilities detailing who performs which element 

of a review. 

4.10 CDD Review Approvals 

4.10.1 The approval process for CDD Reviews depends on the Customer’s FCRR and whether any material 

updates to the CDD profile have been made (see Approvals Chapter). 

4.11 CDD Reviews for Exit Customers 

4.11.1 This section should be read in conjunction with the Client Selection and Exit Management (CSEM) Policy 

which outlines the Global approach to Customer selection decisioning and Exit Management. 

4.11.2 Where a Notice to Exit has been initiated there is no requirement to conduct a Periodic Review. All other 

CDD requirements must continue to be complied with during the notice period, including Event Driven 

Reviews and Sanctions Screening. Should the decision be taken to retain the customer periodic reviews 

must recommence 

INTERNAL 

Page | 37

Appendix 1 

Trigger Events 

Trigger Events 

Matrix July 2016.xlsx 

Page | 38 

INTERNAL

APPENDIX 2: 

Account Activity Review – Periodic Review 

 

 

 

 

 

 

 

At onboarding, the policy requires RBWM to understand the customer’s intended account usage 

The focus of the Account Activity review is therefore to review actual account usage against the customer’s 

stated intended account usage. 

Transactional activity must be reviewed based on the customer Risk Rating over a defined time period (see 

table below). 

Account Activity reviews should pay particular attention to any product where the following activity can be 

identified: 

o type, volumes and values of transactions 

o patterns of deposits or withdrawals to the account 

o review of cash transactions 

o regular payments (direct debits / standing orders) 

o large and / or unexplained transactions 

o Intermingling of personal and business transactions (see Appendix x) 

o Transaction monitoring alerts 

Where actual account activity is identified which does not match the intended / expected activity, the 

differences must be investigated. 

Where it is not clear from information held, the customer must be contacted to discuss and understand the 

changes. 

Concerns regarding the account activity should be escalated in line with the Escalations Guidance, which 

may also warrant the raising of a UAR (following UAR Guidance) 

Account Activity Review Period 

Customers FCRR Retail Individuals Retail Entities HNWI 

Low & Medium 3 Months 3 Months 3 Months 

High 3 Months 3 Months 6 Months 

SCC 6 Months 6 Months 6 Months 

 

The above review periods are the minimum requirement. It is expected that any variances between 

intended and actual account activity will be identified in the above time scales. However, the period of 

review can be extended depending on the information gathered and at the discretion of the reviewer. 

Page | 39 

INTERNAL

APPENDIX 2 (cont): 

Account Activity Review – First Time File Review (FTFR) 

 

 

 

 

 

 

 

 

First Time File Review (FTFR) is undertaken for customers who were onboarded prior to the 

implementation of Global Standards CDD. 

Where a FTFR is required the principle of conducting an Account Activity Review is the same as that for 

Periodic Review. However, there will not be any information regarding the customer’s intended account 

usage to review. 

Therefore the review must focus on the available actual account activity to determine if it is reasonable 

based on what we know about the customer. 

Particular attention should be given to: 

o Is the Customer’s Account Activity (credits and debits) in line with their known salary or income? 

o Are there any debits or credits which appear inconsistent with the known employment status and 

profile of the customer? 

o Are there any unexplained or unknown deposits or depositors? 

o Does the Customer’s cash activity appear reasonable based on their employment status? 

o Are there any unusual cross border transactions or other transactions which are not in-line with 

what is known about the Customer? 

o Have there been any “spikes” in activity during the period of review which require further 

investigation? 

o Is there any identifiable Intermingling of personal and business transactions on any of the 

Customer’s accounts? (see guidance for the intermingling of business and personal transactions 

below.) 

RBWM should establish if the customer is intending to continue to transact as they have been historically. 

This will capture ongoing intent. 

Updated purpose and usage of account information must be recorded on the Customers CDD Profile, inline 

with the KYC requirements specific to the Customer type. 

Concerns regarding the account activity (historic or intended) should be escalated in line with the 

Escalations Guidance, which may also warrant the raising of a UAR (following UAR Guidance) 

As a result of the First Time File Review process the FCRR for the Customer will be recalculated. The 

Periodic Review frequency for all future reviews will follow the guidance in Section 4.4.2 applicable to each 

risk rating. 

Account Activity Review Period 

The Account Activity Review period at FTFR will be risk-based as per the table below: 

Customers FCRR Retail Individuals Retail Entities HNWI 

Low & Medium 3 Months 3 Months 3 Months 

High 3 Months 3 Months 6 Months 

SCC 6 Months 6 Months 6 Months 

 

This period can be extended depending on the information gathered and at the discretion of the reviewer 

Page | 40 

INTERNAL

Appendix 2 (cont): 

Intermingling of Business and Personal Transactions 

1: The use of retail personal accounts for business purposes is not permitted by RBWM for the following reasons: 

Reduced ability to undertake effective transaction monitoring to identify suspicious or unusual activity, 

therefore increasing the risk of failing to identify transactions connected to money laundering or terrorist 

financing 

Regulatory requirements of certain regions and countries formally prevent the use of personal accounts for 

business purposes 

CDD activities will have been completed to the requirements for Individual Customers rather than Sole 

Traders, therefore will not have identified the required Nature of Business information. Please see Chapter 

5: Sole Traders for further Nature of Business guidance. 

2: Potential indicators that the Customer has been utilising their personal account for business transactions would 

include: 

Recurring large remittances to unrelated 3 rd parties 

Transaction remarks that indicate invoice payments or business settlements 

Regular transactions to corporate accounts 

Where a Customer holds both a business and retail personal account, any transfers between these 

accounts that are subsequently paid onwards to a 3 rd party in their entirety. 

3: Where it is identified that a Customer has been conducting business transactions via their retail personal 

account(s) then the Customer should be contacted to understand the transactions and discuss their options. 

4: The review of the transactions may warrant a UAR to be raised as deemed appropriate by the business. For 

additional information on UAR requirements please refer to the UAR guidance (UAR Guidance). Where there is no 

indication of financial crime resulting from the review of the UAR the Customer should be managed as per the 

following guidance. 

5: In countries where RBWM operates a Retail Business Banking (RBB) portfolio, the Customer can continue to be 

managed by RBWM and be provided with a suitable RBB product to meet their needs. Customers retained by 

RBWM in this manner must have an RBB marker applied to their record to identify them to ensure that CDD 

requirements are conducted appropriately for their Customer type. E.g. Sole Trader. 

6: Where there is no Retail Business Banking portfolio, the customer should be referred to a Relationship Manager 

within CMB following local referral procedures. CMB will present them with products and services that would better 

suit their business needs. Please refer to the appropriate LoBP for further Customer Type definition information 

7. In Countries where CMB does not operate, RBWM should seek to exit the relationship with the Customer by 

serving notice to terminate the account. The Customer’s account should then be closed after the 60 day notice 

period. 

8: Where it is agreed with the Customer to retain their personal retail account and cease conducting business 

transactions, the account should continue to be monitored for a period of 30 days from initial Customer contact. If 

there are no further business transactions then RBWM can retain the account. 

9: If further business transactions are identified, the CDD Profile must be considered as expired and the ongoing 

retention of the Customer should be considered as CDD Risk Acceptance (Chapter 7 provides further guidance on 

CDD Risk Acceptance) 

10: If further business transactions are identified the Customer should be contacted once more and must be advised 

that if they continue to use the account for business rather than personal needs they will be served notice to 

terminate the account. After the second 30 day period if there is no change in customer behaviour the customer’s 

account should be closed after the 60 day notice period. Customer should only be escalated to Country FCC with a 

view to exiting in line with the CSEM policy if there are financial crime issues. 

11: Where the customer has been onboarded as an Individual and the account activity review has identified the 

account is being used for business purposes, the CDD profile will need to be updated, ensuring that the 

requirements outlined in the Sole Trader procedure are followed. 

12. An Entity Customer utilising their business account for personal transactions would also constitute intermingling of 

business and personal transactions. Where it is possible to identify this intermingling behaviour on the Customer’s 

corporate account the Customer should be contacted to discuss the transactions and to make them aware that 

they will need to open a separate retail personal account to meet their needs. 

13. Where this is the case the guidance detailed in points 8 - 10 regarding monitoring periods and the required next 

steps if further transactions are identified should be followed. 

INTERNAL 

Page | 41

5. Escalation Process 

Key Objective 

To outline the Escalation process, stakeholders involved in the process and the outcomes 

of the Escalation. 


be achieved? 



Other Related 

Documents and 


The results of the CDD processes undertaken at onboarding are recorded on the CDD 

Profile. 

As a result of analysing data collected during the CDD process, Financial Crime Risks may 

be identified whereby it is appropriate to escalate a CDD Profile to Financial Crime 

specialists. 


5.2 Escalation Process 


Periodic and Event-Driven Review 

Global Standards Manual - Chapter 5: Compliance and Reputational Risk 

HTS FIM B 6.2 Records Retention 


Financial Crime Compliance Risk Assessment Model (FCC-RAM) 

Reputational Risk and Client Selection Committee (RR&CSC) 

Page | 42 

INTERNAL

5.1. Introduction 

5.1.1 During the CDD process and throughout the Customer relationship 12 , information may be identified which 

indicates a heightened risk of Financial Crime. This information may require Escalation and the 

engagement of a Financial Crime specialist, or the upward revision of the initial Financial Crime risk rating. 

5.2. Escalation Process 

5.2.1 The Escalation Process is a mechanism for managing Financial Crime Indicators with respect to a 

Customer and engaging a Financial Crime specialist, where appropriate, to address the concerns. 

5.2.2 Financial Crime Indicators are defined as information or situations which are considered to indicate 

potential Financial Crime. A list of Financial Crime Indicators has been compiled to provide guidance, (see 

Appendix 1). This list is not exhaustive and any indicators of Financial Crime are subject to the Escalation 

Process. 

5.2.3 Different Escalation paths exist depending on the type of Financial Crime Indicator. These include: 

a) Reputational Risk and Financial Crime Concerns which are escalated to Country FCC. 

b) Specific matters may be routed to other specialists as directed by Country FCC (e.g. Financial 

Intelligence Unit (FIU), Financial Crime Investigations Unit (FCI) Regional Fraud or Tax) 13 . 

c) Relevant policy or procedural breaches must be escalated to Country FCC or Regulatory 

Compliance (refer to FIM B2.1.4 Escalation, Exception Reporting & Follow-Up). Please refer to 

the AML Governance Chapter for additional information. 

d) Counterparty Fraud or Credit Risk concerns are escalated to Fraud and Credit Risk 

respectively (out of scope of these Procedures). 

5.2.4 Please note that the above list is not exhaustive and FCC must be consulted if there is any doubt as to the 

appropriate Escalation path. 

5.2.5 A Financial Crime Indicator may warrant an Unusual Activity Report “UAR” to be raised, as deemed 

appropriate by the Business. The raising of a UAR or any reference to potential Money Laundering must not 

be recorded on the CDD profile. For additional information on UAR requirements refer to the UAR Guidance 

document (UAR Guidance). 

5.2.6 Figure 5.1 below summarises the Escalation Process flow: 

Fig 5.1: Escalations Process Flow 

12 

For Escalations relating to Whistleblowing see Global Standards Manual, Chapter 5: Compliance and Reputational Risk and 5.5 

Whistleblowing 

13 

Changes to the Guidance may occur based on the outcomes of work being performed on UARs/SARs and by AML Investigations. 

INTERNAL 

Page | 43

Initiating the Escalation Process 

5.2.7 The Escalation Process must be initiated where Financial Crime Indicators are identified, at any time during 

the CDD Process or during the course of the Customer relationship. 

5.2.8 Financial Crime Indicators identified during the CDD Process (at onboarding, Periodic or Event-Driven 

Reviews) will be escalated to FCC. All Escalations raised are to be resolved prior to submitting the CDD 

profile for Approval. 

5.2.9 Financial Crime Indicators identified at any other time throughout the relationship with the Customer may be 

classified as a Material Trigger Event and treated accordingly as well as escalated to FCC (see Periodic 

and Event-Driven Reviews Chapter). 

5.2.10 All Escalations to FCC must be logged. Logs will be maintained by the Business and FCC to ensure that all 

issues are tracked through resolution. Business and FCC logs will be maintained at country level and 

cases escalated to Regional FCC which may further escalate to Global FCC, as appropriate. 

5.2.11 At a minimum, the following details must be logged: 

a) Customer name and unique identifier (as applicable) 

b) Reason for Escalation 

c) Date of Escalation 

d) Name and Title of Individual who raised the concern and other relevant parties involved in the 

Escalation Process. 

e) Interim Business Restrictions imposed (if applicable) 

f) Final Outcome including mitigation actions 

Outcomes from the Escalation Process 

5.2.12 Actions to be taken as a result of the Escalation Process include the following: 

a) Do not proceed with the onboarding, or for existing Customers consider Exiting. (see CSEM 

Policy) 

b) Proceed with the onboarding/existing relationship, but adjust the FCRR to a higher level, e.g. to 

High Risk/SCC and conduct required EDD (see Customer Due Diligence (CDD) Process 

Chapter) 

c) Proceed with the onboarding/existing relationship, maintaining the FCRR as determined by the 

FCC-RAM, i.e. no adjustment 

d) Request additional EDD, e.g. Specific ID&V or KYC 

e) AML Investigations file a SAR 

5.2.13 Pending the final outcome of the Escalation Process, interim Business Restrictions may be imposed if 

agreed by the Business and FCC. 

5.2.14 In all cases, risk issues identified, the actions agreed and outcome of the Escalation Process will be 

documented and recorded in accordance with the Customer Data Management Policy (see HTS FIM B.6.2 

Record Retention). 

5.2.15 Where the Business and FCC fail to agree regarding the outcome of an Escalation, the case must be 

escalated up the respective management lines of the Business and FCC in parallel until agreement is 

reached and documented accordingly. 

5.2.16 If the Business or FCC does not agree with the conclusion, the relevant Risk Committees, e.g. RR&CSC or 

equivalent may act as a decision forum (see CSEM Policy). 

INTERNAL 

Page | 44

Escalation of Suspicious Tax Evasion Behaviour 

5.2.17 All RBWM employees who know, or have reasonable grounds for suspecting that, an existing and/or 

potential new customer intends to use RBWM services to engage in financial crime, including tax evasion, 

must follow unusual activity escalation guidance. 

5.2.18 Where compliance teams investigating unusual activity (i.e. AML Investigations) have reason to believe that 

the investigation may relate to potential tax evasion, and have queries regarding a customer’s tax 

obligations, investigative employees must escalate to their respective Group/RBWM Tax function. (See 

Individuals ID&V Chapter Appendix 2) for the list of tax evasion indicators). 

5.2.19 The following is a non-exhaustive list of circumstances where Compliance teams may wish to seek 

guidance from or escalate to their respective Group/RBWM Tax function as a result of suspicious tax 

evasion behaviour by the customer. The below list does not substitute existing money laundering escalation 

procedures or related policies (e.g., global exit policy). 

 

 

 

 

Customer's country of tax residence is unclear from the file or arising from conversations with 

the Customer; 

Customer has or intends to regularise his/her tax affairs whilst continuing to bank with HSBC; 

Customer wishes to negotiate the tax representation clause included in our general terms and 

conditions; 

Customer does not wish to comply with RBWM tax specific policies, as applicable. 

INTERNAL 

Page | 45

Appendix 1 - Financial Crime Risk Indicators 

This list is not exhaustive and any indicators of Financial Crime are subject to the Escalation Process. 

Financial Crime Indicators 

Sanctions 

Regulatory Issues 

Visitation 

Bankers 

Custodian 

Adverse Media 

Does the Customer operate in, or have links to, a sanctioned 

country or Entity? 

Are you aware of any significant regulatory issues, such as 

fines or non-compliance relating to this Customer? 

Has a visit to the Customer’s premises or a meeting with 

appropriate senior company officials raised any concerns? (See 

Individuals KYC Section 2.8 for Visitation requirements) 

If the Customer deals with other bankers, is the distribution of 

their banking business out of line with your expectations? 

If HSBC has been appointed as Custodian for this Customer, do 

you have any concerns regarding the Customer’s investment 

advisor or fund manager? 

 

 

Reputation or the relevance of their experience 

Appropriateness – do they act in any other capacity? 

Are you aware of any Negative news, Negative Facts or adverse 

media reports about this Customer which raise any Financial 

Crime concerns? 

Politically Exposed Person 

(PEP) 

Key Connected Parties 

Business Operations 

Could this Customer or any Connected Party be considered as a 

Politically Exposed Person (PEP)? 

PEP – Judiciary 

Current or former Heads of State or member of ruling 

royal family 

Politician – current/former senior or high profile 

politicians or high ranking officials or political parties or 

public enterprises 

High ranking military officials and personnel 

Persons connected to/associated with a Public Official 

i.e. immediate family, aides and close advisors, business 

associates 

Corporate PEP (refer to RBWM AML Policy PEP 

Guidance Chapter 13 for full details) 

Do any of the following Connected Parties raise any concerns? 

Auditors 

Advisors including law firms or consultant 

Does the Customer operate in, or have links to, any of the 

following business operations? 

 

 

 

Government /State-Owned body (GSB) 

Money Services Business (MSB) e.g. bureau de 

change, cambio 

Gaming operations e.g. casinos including online gaming 

and/or internet gambling 

Page | 46 

INTERNAL

Company Structure 

 

 

 

 

Production or distribution of arms or other military 

products 

Manufacture or distribution of jewellery, precious stones 

or metals 

Voluntary sector as a charity, not-for-profit organisation 

(NPO) or non-governmental organisation (NGO) 

A sector perceived as ethically, environmentally or 

socially unsound 

Do you have any concerns regarding the Customer’s company 

structure or common attributes between related entities? 

Operating Model - the line of business, products, 

suppliers/customers; any commonality between them; or 

any material changes to the operating model. 

Corporate Governance - Customer’s corporate board or 

governance 

Group Structure - subsidiaries or other related 

companies 

Supply Chain – concerns over the existence of the 

Customer’s buyers or suppliers, their credentials or 

business performance 

Change of Terms – such as requests for extensions of 

loans or any increase in Past Due Bills 

Controlling Individuals such as directors, senior 

managers and shareholders of the Customer or a related 

company, supplier or customer 

Is the ownership vested in Bearer Shares 

Collateral 

Customer’s Behaviour/ 

Performance 

Do you have any concerns regarding the existence, or common 

attributes between, the value of key operations, premises or 

assets against which credit lines are secured? 

Has the Customer’s behaviour or performance raised any of the 

following concerns? 

“Too good to be true” – the Customer is 

outperforming their competitors or the broader market 

Financial Distress –the Customer’s behaviour 

indicates any financial distress 

Transparency – nature or transparency of their 

dealings with HSBC 

Expertise –the Customer does not possess the 

requisite expertise to undertake their activities 

Page | 47 

INTERNAL

6. Approvals 

Key Objective 


be achieved? 



Other Related 

Documents and 


HSBC requires that the Business assesses the Financial Crime risks associated with each 

Customer and through the Approvals process determines if a Customer is to be on 

boarded, maintained or exited. 

Approval matrices have been established to reflect the various levels of Approval required 

at Customer onboarding, Periodic Review and in the case of Risk Acceptance. 

In addition to approvals, this Chapter also describes various situations where a Customer 

relationship may involve internal Business Restrictions resulting in limitations to the scope 

of the products and services offered. 


6.2 Approval Process 

6.3 Approval Process – Online Account Opening 

6.4 Meaning of Approval by Role 

6.5 Approval Matrix for Customer Onboarding 

6.6 Approval Matrix for Periodic and Event Driven Reviews 

6.7 Approval Matrix for Requested CDD Risk Acceptance 

6.8 Rejection of CDD Profile 

6.9 Business Restrictions 

6.10 Attestation – Same Jurisdiction 

Quality Control and Quality Assurance 



Escalations 

Customer Data Management, Verification Requirements KRIs & MI 

Global Risk FIM B2.21Reputational Risk and Client Selection 


HTS FIM B 6.2 Records Retention 

Page | 48 

INTERNAL


6.1.1 To manage the Financial Crime risks faced by HSBC effectively and to ensure the Customer relationship 

remains within HSBC’s risk appetite, a Risk Based Approach to the approval of CDD Profiles is required. 

6.1.2 Approval matrices have been established reflecting the various levels of sign-off required for each Financial 

Crime Risk Rating (FCRR) at onboarding, Periodic Review and in the case of CDD Risk Acceptance 

requests (see sections 6.4, 6.5 and 6.6). 

6.2 Approval Process 

6.2.1 It is the responsibility of the Business to return and complete relevant CDD information in line with 

procedural standards. 

6.2.2 All mandatory information and documentation must be complete or a CDD Risk Acceptance obtained prior 

to, or on, submission for Approval. 

6.2.3 It should be noted that no individual staff member can approve at more than one level. Furthermore, 

approvals can only be delegated to more junior members of staff by GCB2s or higher where prior approval 

has been provided by the Global Head of RBWM FCC. 

6.2.4 Certain higher risk cases (as defined in the Reputational Risk and Client Selection Policy) require the 

relevant Reputational Risk and Client Selection Committee (RR&CSC) to review and approve a Customer 

Relationship (e.g. Sixth Filter cases). 

6.2.5 An audit trail of the appropriate CDD approval and sign-off process, including dates and full records of any 

rejections, must be documented and recorded in accordance with the Customer Data Management Policy 14 

(see Section 9.2) 

6.3 Approval Process – Online Account Opening 

6.3.1 Where a customer is onboarded through an online channel, where there is no customer contact as 

standard, the approval process may need to be different. 

6.3.2 The controls applied to the online channel will vary by market, but there are consistent principles and 

controls to be applied, as follows: 

 

 

 

Online account opening does not need to be restricted by customer risk rating, however, 

consideration should be given to the most appropriate operating model for customers where 

EDD may be needed. 

Exits from the online journey or a journey "pause" must be in place in order to mitigate the risk 

posed by some customers which will be difficult to manage online. Examples may include, 

exposure to Sensitive Sanctioned Countries, customers with Connected Parties, detailed Source 

of Funds / Source of Wealth questions 

System fields should be mandatory, they must include "real" data i.e. responses which are 

relevant to the field. To help achieve this drop down box options are preferable. Where free 

format text is unavoidable, reports should be developed and reviewed to monitor input of 

sequential numbers and characters 

14 

See HTS FIM B.6.2 Records Retention 

INTERNAL 

Page | 49

6.4 Meaning of Approval by Role 

6.4.1. The following table outlines the definitions of the different approval levels for First and Second Line of 

Defence. 

Function 

Role Role Description Responsibility 

Approval Approval Definitions Definitions 

Descripti within RBWM 

on 

Preparer 

Where there is a Preparer distinct from the Business Owner, it is the responsibility of 

Onboarding Staff 

Premier Relationship the Preparer Where to there collate is a relevant Preparer CDD distinct information from the into Business the CDD Owner, profile. it is The the Preparer responsibility is of 

Preparer Officer 

responsible the Preparer for confirming to collate that relevant the information CDD information on the CDD into Profile the CDD is complete, profile. The Preparer is 

properly recorded and technically accurate. The Preparer must also ensure that the 

Onboarding Relationship Manager responsible for confirming that the information on the CDD Profile is complete, 

profile properly meets the recorded relevant and policy technically and procedural accurate requirements, in line with RBWM in line CDD with Country Procedures. 

Staff 

Customer Services 

legal and regulatory standards. 

Representative 

CDD Analyst 

The Business owner is responsible for: 

a) Approving that the Financial Crime and reputational risk attached to a Customer 

Relationship Manager 

is 

The 

acceptable 

Business 

and 

owner 

that onboarding/Periodic 

is responsible for: 

or Event Driven Review should 

Customer Services proceed. a) Approving This will that be based the Financial upon the Crime information and reputational provided, risk the Business attached to Owner’s a Customer 

Representative knowledge is acceptable, of the Customer based relationship, the information the jurisdictions provided by where the customer, the Customer the Financial 

Business owner 

CDD Senior Analyst operates Crime and Risk incorporated, Rating,the Business as well as Owner’s the AML knowledge risks and mitigants of the customer identified; and a 

and holistic understanding of the customer relationship; 

Business (Generally a Relationship 

Manager or Customer 

b) Acknowledging b) Approving that that they have Periodic read or and Event understood Driven Review the information has been provided completed in 

owner 

Business 

the CDD accurately Profile and that the the information CDD profile within has been is consistent updated with accordingly, their knowledge based on any 

Services Representative) 

Business 

of the Customer. new information provided and the revised or existing Financial Crime Risk Rating 

(First Line 

(First Where the Business owner is also the Preparer, the Preparer Approval Definition 

of Defence) Line 

c) Acknowledging that they have read and understood the information provided in 

additionally the applies. CDD Profile and that the information within is consistent with their knowledge 

of Defence) 

of the Customer. 

Business Manager 

(Generally Branch Manager 

or Contact Centre Team 

Manager where relevant) 

Branch Manager 

All of the information provided by the Customer, the Financial Crime Risk Rating and a 

The Business holistic understanding Manager (typically of the the customer Business relationship owner’s Line should Manager) be considered is in a position in the 

to take decision a broader making view of process how a particular Customer’s risk fits within the Country 

Business. Where By the approving Business the owner CDD Profile is also (based the Preparer, on the the information Preparer provided), Approval the Definition 

Business additionally Manager applies. is confirming that the Customer poses an acceptable Financial 

Crime and reputational risk for the local HSBC entity. 

The Business Manager is in a position to take a broader view of how a particular 

Business Contact Centre Team Customer’s risk fits within the Country Business. By approving the CDD Profile (based 

Manager Business Executive Manager 

on the information provided), the Business Manager is confirming that the Customer 

The Business 

poses an 

Executive 

acceptable 

is of 

Financial 

a higher 

Crime 

grade 

and 

than 

reputational 

a Business 

risk 

Manager 

for the 

and 

local 

is also 

HSBC 

in 

entity. 

a 

(Generally Area Manager) position to take a broader view of how a particular Customer’s risk fits within the 

Regional Business 

Business. 

Global Business 

Executives are sometimes based in Regional/Global locations. (Location varies by 

market) 

Business Area Manager 

The Business Executive is of a higher grade than a Business Manager and is also in a 

Executive Regional Manager position to take a broader view of how a particular Customer’s risk fits within the 

Country Business. FCC have a deep understanding of the relevant Local regulations, global 

policies Executives and procedures are sometimes to provide based independent Regional/Global control over locations. the Financial (Location Crime varies risk by 

management market) activities. FCC will act independently to the Business and will provide 

Compliance 

oversight of CDD. 

Country FCC will take a risk based approach to the review of CDD Profiles including 

(Second 

concurrence Country of FCC the profile have a as deep part understanding of the CDD Process of the and relevant Quality Local Assurance regulations, (see global 

Line of Country FCC 

Quality policies Control and and procedures Quality Assurance to provide Chapter). independent control over the Financial Crime risk 

Defence) 

management activities. FCC will act independently to the Business and will provide 

Any review and subsequent concurrence of the profile as part of the CDD Process 

Compliance 

oversight of CDD. 

must include considerations such as Financial Crime Risk and the extent to which the 

risk has Country been properly FCC will 

(Second Line 

assessed take a risk and based managed approach by the to Business. the review of CDD Profiles including 

concurrence of the profile as part of the CDD Process and Quality Assurance (see 

of Defence) Country 

Country FCC should determine when it is appropriate to escalate cases to the MLRO/ 

Quality Control and Quality Assurance Chapter). 

FCC 

Head of AML for approval. 

Any review and subsequent concurrence of the profile as part of the CDD Process 

must include considerations such as Financial Crime Risk and the extent to which the 

Regional FCC 

Where additional Regional or Global FCC is required, this is defined within this 

risk has been properly assessed and managed by the Business. 

Global FCC 

Chapter. 

Country FCC should determine when it is appropriate to escalate cases to the MLRO/ 

Head of AML for approval. 

Regional 

FCC 

Global FCC 

Where additional Regional or Global FCC concurrence is required, the LoBPs will 

determine this. 

Page | 50 

INTERNAL

6.4.2. The level of approval required is driven by the: 

a) FCRR of the Customer; 

b) Reason for review (onboarding, Periodic or Event Driven Review or CDD Risk Acceptance). 

c) Other discrete characteristics 15 

6.4.3. The following sub sections of this chapter outline the Approval matrices to be followed for each Approval 

Request type: 

a) At Customer on-boarding, (See Section 6.4). 

b) At Periodic Review or Event Driven Review (see Section 6.5). 

c) In the case of a CDD Risk Acceptance (see Section 6.6). 

6.4.4. This document sets out the Global RBWM minimum approval requirements. Jurisdictions are expected to 

ensure adherence to these requirements in addition to any additional country requirements specified by 

Compliance. 

6.5 Approval Matrix for Customer Onboarding 

6.5.1. The following matrix identifies the minimum approval requirements for Customers at on-boarding. 

* Where frontline staff have the appropriate system privileges to fulfil the full account opening process, there may be no distinction 

between the roles of Preparer and Business Owner, therefore only one Approval will be applicable. In all other cases the above 

Table will apply 

** FCC provide concurrence only 

6.5.2. In addition to these approvals, additional approval requirements may apply in accordance with the CSEM 

Policy, e.g. relevant RR&CSC for Sixth Filter exposure. 

6.6 Approval Matrix for Periodic and Event Driven Reviews 

6.6.1. Periodic Reviews may result in updates to the CDD profile. Material changes are those changes that, had 

they been identified as a Trigger Event, then they would have been a Material Trigger Event (see Periodic 

and Event-Driven Reviews Chapter). 

6.6.2. The level of approval required for Periodic Reviews is based on the level of change following the Review 

(i.e. Material vs. No Material change). 

6.6.3. If there are no Material Changes at Periodic Review, lower approval levels are acceptable (except for SCC 

Customers). 

6.6.4. If an Administrative Trigger Event is identified between Periodic Reviews, the CDD profile is to be updated 

reflecting the change but does not require approval. (see Periodic and Event-Driven Reviews Chapter). 

6.6.5. The matrix below identifies the minimum approval requirements dependant on the level of change and the 

FCRR. 

15 

Other discrete characteristics include Customer Type and PEPs. Refer to Trusts, Individuals ID&V, KYC and EDD LoBPs for exceptional 

circumstances which may necessitate escalation to Business Risk/ FCC for approval, beyond the minimum approval requirements outlined in 

6.3.3. See: Global RBWM AML Policy Chapter 13: PEPs 

INTERNAL 

Page | 51

* Where frontline staff have the appropriate system privileges to fulfil the profile review process, there may be no distinction between 

the roles of Preparer and Business Owner, therefore only one Approval will be applicable. In all other cases the above Table will 

apply 

** FCC provide concurrence only 

6.7 Approval Matrix for requested CDD Risk Acceptance 

6.7.1 Please refer to the CDD Risk Acceptance Chapter for the matrix identifying the minimum approval 

requirements for Risk Acceptance. 

6.8 Rejection of CDD Profile 

6.8.1. At any stage during the approval process, the CDD Profile may be returned with guidance to the Preparer 

or Business owner or rejected. 

6.8.2. Approval may be refused when: 

a) Profile is returned: Incorrect or missing information is identified within the CDD Profile or the 

approver requests additional information/documentation. In such instances, the CDD Profile will 

need to be returned to the Preparer or Business owner with guidance, explaining why approval 

was not given and what resultant action is required. 

b) Profile is rejected: The Financial Crime Risk (including reputational risk) posed by the 

Customer is deemed to be too high/outside of business risk appetite. In such circumstances, the 

Customer should not be on-boarded or in the case of an existing Customer, should be exited 

(see B2.21.3 Customer Selection and Exit Management). 

6.8.3. Where Approval has been refused during the CDD Approval process, the refusal and the reason for the 

refusal must be recorded in the CDD Profile. 

6.8.4. In the case of disagreement between the Business, i.e. the risk owner and First Line of Defence, and 

Compliance as the Second Line of Defence, the Escalation Process must be followed (see Escalations 

Chapter). 

6.9 Business Restrictions 

6.9.1. In certain situations, the type of business that a Customer is approved to undertake with HSBC may be 

subject to internal restrictions e.g. where the Customer is only authorised to engage with a given HSBC 

entity and/or for a prescribed set of products and services. Lifting of a Business Restriction is a Material 

Trigger Event. 

6.10 Attestation 

6.10.1. For shared customers, attestation refers to the process whereby a Business Owner (for example a 

Relationship Banker/Manager who owns the customer relationship, Account Service Rep. etc) from one 

LoB attests to another HSBC party (e.g. Product Provider, Preparer or product line of another LoB) 

regarding the integrity of the CDD profile of the Customer, including confirmation that the CDD profile is 

complete, it is maintained in accordance with HSBC Group Policy, and is consistent with the applicable 

Country LoB CDD Procedures. 

6.10.2. Attestation must be given prior to the other LoB or product provider accepting new business 

INTERNAL 

Page | 52

6.10.3. The Business Owner has primary responsibility for the management of the overall customer relationship 

and attests to the ongoing management of CDD including informing the impacted product provider in the 

event that the attesting LoB exits the Customer or imposes a business restriction in line with paragraph 

6.8.1. Further information on Exits can be found in the CSEM Global Risk FIM policy (B2.21.3 Customer 

Selection and Exit Management). 

6.10.4. This process only applies where both the Business and the Product lines are within the same jurisdiction, or 

where outsourcing arrangements are in place between HSBC legal entities in according with AML and 

Sanctions Outsourcing Guidance. Where these conditions are not met, full due diligence will be required 

within the receiving entity. This can be satisfied through the receipt of the due diligence documentation held 

by the home country. Where this is prevented by data sharing laws and regulations, or where the 

documentation is unsatisfactory, the receiving country should perform their own due diligence. 

6.10.5. Where, in the same jurisdiction, multiple HSBC legal entities have access to the same CDD Profile, 

approval by one entity can be deemed to apply for all, unless regulatory requirements specify otherwise. 

6.10.6. Attestation recipients may audit and monitor performance to confirm the adequacy of processes and 

controls of the LoB on whom reliance is placed. 

6.10.7. HSBC Affiliates will share CDD information on joint customers across jurisdictions, unless prohibited from 

doing so by local data protection legislation (see the Customer Data Management, Verification 

Requirements and KRIs & MI Chapter). 

6.10.8. Country procedural standards must document where attestation is / is not acceptable due to local 

regulation. This guidance must be approved by Regional FCC 

INTERNAL 

Page | 53

7. CDD Risk Acceptance 

Key Objective 


be achieved? 



Other Related 

Documents and 


To identify and deal with Risk Acceptance that arises during the CDD Profile completion 

process in an appropriate manner in order to safeguard against Financial Crime risks. 

HSBC is committed to ensuring that CDD for each Customer is performed, completed and 

approved before a new account is opened or a new business relationship is established. 

Where variances to CDD requirements are identified, CDD Risk Acceptance may be 

requested. The processes and approval requirements outlined in this chapter must be 

adhered to. 


7.2 Customer CDD Risk Acceptance 

7.3 CDD Procedural Standards Breaches 

Escalations 

Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and 

Prohibited Products 

Global Risk FIM, Compliance Risk Management, B 2.1.4 Escalations, Exception Reporting 

& Follow Up 

Page | 54 

INTERNAL


7.1.1 HSBC is committed to ensuring that CDD for each Customer is performed, completed and approved by the 

appropriate employee before a product is provided, or a new business relationship is established. 

7.1.2 HSBC has a very limited appetite for granting CDD Risk Acceptances, unless otherwise mandated by 

regulatory requirements. However, where Risk Acceptance to the CDD requirements is requested, these 

must be dealt with to safeguard against Financial Crime Risks. 

7.1.3 This section outlines the processes and approval requirements to be adhered to with respect to: (i) 

requested Customer CDD Risk Acceptance; and (ii) identified CDD Procedural Standards Breaches. 

7.2 Customer CDD Risk Acceptance 

7.2.1 This section details the requirements and necessary governance to manage risks in a commercially 

sensitive and Customer centric manner whilst safeguarding against Financial Crime Risks. 

7.2.2 Customer CDD Risk Acceptance may be applied upon receipt of appropriate approval. There are two forms 

of CDD Risk Acceptance: 

a) Temporary CDD Risk Acceptance (see Section 7.2.3) 

b) Permanent CDD Risk Acceptance (see Section 7.2.9) 

Temporary CDD Risk Acceptance 

7.2.3 In limited instances, the Business may be authorised to provide a product to a Customer where they have 

been unable to provide all necessary CDD information/documentation to complete the CDD profile. This can 

occur at any stage during the CDD process, including onboarding and periodic & event driven review. 

7.2.4 Temporary CDD Risk Acceptance is defined as having a lifespan up to and including 60 calendar days. 

7.2.5 Temporary CDD Risk Acceptance requests can only be considered for approval where the following 

minimum standards have been met, unless regulatory or contractual obligations apply: 

a) There is an expectation that the necessary information/documentation will be received within a 

specified time; 

b) Sufficient Customer identification information has been obtained to enable Customer Screening to 

be performed; 

c) Any Financial Crime Risk exposure arising from incomplete verification of the Customer or 

Connected Party identity is reasonably mitigated and documented; 

d) The permitted activity is appropriate to the LoB; 

e) There is capacity to exit on expiry of the Risk Acceptance period; and 

f) A Risk Acceptance Request Form has been completed (see paragraph 7.2.17). 

g) Where a temporary CDD Risk Acceptance is required at onboarding we must have obtained at 

least one verification document 

7.2.6 In all circumstances a check, independent to the Business Owner (usually within operations), is required to 

confirm that the CDD Risk Acceptance has been resolved before the CDD Risk Acceptance period expires. 

7.2.7 Throughout the CDD Risk Acceptance period, the Business must continue to obtain the outstanding CDD 

information/documentation. Internal reminders are to be sent to the Business at regular intervals to ensure 

timely prompts can be sent to Customers to request the outstanding information/documentation. 

7.2.8 On expiry of a Temporary CDD Risk Acceptance period, reasons for not obtaining the information must be 

clearly understood. The Business and FCC must agree on what action is to be taken. This may include 

retaining the customer (see below) or Customer exit (subject to local regulatory requirements and 

contractual limitations – refer to CSEM Policy. 

7.2.9 If the reason for applying Temporary CDD Risk Acceptance has been satisfied e.g. supporting evidence has 

been provided, the approval of the CDD profile must follow the requirements outlined in the Approval 

Chapter. 

INTERNAL 

Page | 55

CDD Profile Expiry - Temporary CDD Risk Acceptance Expiry & Periodic Review 

7.2.10 A CDD profile expiry occurs in the following circumstances: 

a) A Temporary CDD Risk Acceptance period has expired 

Customer Retention 

b) A profile review conducted at Periodic Review has become overdue 

7.2.11 Where the CDD profile has expired and the customer remains within the risk appetite of the bank, to 

encourage the customer to respond and to avoid unnecessary exit the following steps can be considered: 

a) Staff and / or customer incentives may be considered where appropriate to encourage the 

customer to respond. This must be governed jointly by the Business, Risk and Marketing as 

appropriate 

b) Service disruption may be applied to customer accounts if they do not respond or provide 

adequate CDD documentation once the profile has expired. This may include: 

Reduced access to new products and / or services 

Internet Banking restrictions 

Reducing withdrawal thresholds at ATM 

Reducing credit card limits 

Withdrawing existing products 

c) Service disruption should not prevent a customer from making regular payments from the 

primary bank account e.g. household bills 

d) The RM should continue to make every effort to contact the customer via different channels, as 

many times as appropriate, making it easy for the customer to respond and provide the 

necessary information. 

e) The case will continue to report as overdue. 

7.2.12 Service disruption should be used cautiously and appropriate processes and resources made available to 

ensure restrictions can be easily and quickly lifted once a customer responds. 

7.2.13 It is important to ensure that Legal sign off or input is obtained to ensure that any restrictions are allowed 

under T’s & C’s. 

7.2.14 Once the profile reaches 60 days overdue, the following must be considered: 

 

 

 

 

Outside Risk Appetite – Exit via CSEM (A, B or C Exit Category) 

Commercially Unviable – Exit via CSEM (F Exit Category) 

PVC 16 (significant Reputational Risk) – Apply Permanent CDD Risk Acceptance 

Retain But Not Risk Accepted – Mark Operationally Dormant & Inhibit Relationship 

7.2.15 The MI reporting for expired profiles needs to differentiate between both expired Temporary CDD Risk 

Acceptance and expired profile reviews at Periodic Review. This requirement reflects the different risk 

posed to the Bank between new customers, where there will not have been a valid profile created 

(Temporary CDD Risk Acceptance expiry) and existing customers (profile expiry at Period Review). 

Permanent CDD Risk Acceptance 

7.2.16 It should be noted that only in very rare circumstances will Permanent CDD Risk Acceptance be granted 

and only in cases where appropriate risk mitigants have been identified e.g. law enforcement reason for 

why documentation is not available. 

7.2.17 Permanent CDD Risk Acceptance is defined as having a lifespan beyond 60 calendar days. These are 

cases where the Business is unable to collect the necessary CDD information/documentation from the 

Customer. 

16 

It is expected that the volumes of these cases will be low, where there are unique customer circumstances and information / evidence will not 

be available. Cases are subject to formal FCC approval as per the requirements of Permanent Risk Acceptance. 

INTERNAL 

Page | 56

7.2.18 The process for applying for a Permanent CDD Risk Acceptance is the same to that of Temporary CDD 

Risk Acceptance. 

7.2.19 The retention of a Prohibited Customer is considered a Permanent CDD Risk Acceptance. There is no 

appetite to on-board new Prohibited Customers ( See Chapter 10 - Restricted and Prohibited Customers, 

Special Categories of Customers (SCCs) and Prohibited Products). 

7.2.20 Permanent CDD Risk Acceptance is subject to an annual sign-off in line with the requirements described in 

paragraph 7.2.24 

Retail Business Banking – CDD Risk Acceptance 

7.2.21 Where RBWM has a Retail Business Banking portfolio, if the customer does not meet the established 

criteria for a Retail Business Banking customer, approval to onboard or retain must be provided by the 

Country Heads of Retail Business Banking and FCC. 

7.2.22 A decision to approve or retain will be treated as Permanent CDD Risk Acceptance. 

7.2.23 Where RBWM do not want to onboard the customer, where there are no financial crime concerns, the 

customer can be referred to CMB. 

Approval of a Customer CDD Risk Acceptance 

7.2.24 The level of approval required to grant a CDD Risk Acceptance follows a risk based approach and is 

dependent on the FCRR of the Customer and whether the request is a Temporary or Permanent CDD Risk 

Acceptance. 

7.2.25 The following tables outline the approvals required to grant a CDD Risk Acceptance: 

Function Role Description Low Medium High SCC 


Business 

(Generally RM or Customer 


Business Management 

(First Line of Defence) 

 

(Generally Branch Manager) 

Business Executive* 

 

(Generally Area Manager) 

Compliance Local FCC 

(Second Line of Defence) Country Head of FCC 

 

Regional FCC 

Global LoB FCC 

Temporary Risk Acceptance 

Function Role Description Low Medium High SCC 

Business 

(First Line of Defence) 

*Business Executive is defined as a GCB3 or above 


(Generally RM or Customer 


Business Management 

 

(Generally Branch Manager) 

Business Executive* 

 

(Generally Area Manager) 

Compliance Local FCC 

(Second Line of Defence) Country Head of FCC 

Regional FCC 

 

Global LoB FCC 

Permanent Risk Acceptance 

7.2.26 High and SCC Customers with CDD Risk Acceptance must be approved at a senior level by the Business 

and FCC. 

INTERNAL 

Page | 57

CDD Risk Acceptance – Other Considerations 

7.2.27 In requesting a CDD Risk Acceptance, the following details must be provided for both Temporary and 

Permanent requests: 

a) A full analysis of the request (including the rationale for the request i.e. what CDD 

information/documentation is missing and why, relevant policy / procedural standard, CDD review 

type); 

b) Details of any risks posed as a result of the CDD Risk Acceptance being granted and 

corresponding mitigants to manage the risks; 

c) Details of the risk presented to the Bank by the Customer relationship; 

d) The requested duration of the CDD Risk Acceptance period; and 

e) Any applicable Business Restrictions. 

7.2.28 In providing concurrence with the CDD Risk Acceptance, FCC is required to confirm: 

a) The time period for the CDD Risk Acceptance; 

b) Business restrictions to be imposed; 

c) Compliance of the request with the applicable regulations; and 

d) Satisfaction with the risk assessment and mitigating controls put in place by the Business. 

7.2.29 CDD Risk Acceptance requests must be recorded in the CDD profile, along with the outcome, the rationale 

and any Business Restrictions applied. 

7.2.30 A register of Permanent CDD Risk Acceptances is to be maintained by the Business (First Line of Defence) 

and must be made available to the appropriate AML Offices. 

7.2.31 All CDD Risk Acceptance requests must be logged in a CDD Risk Acceptance Log and include the 

following details: 

a) Customer name and unique identifier 

b) Nature of CDD Risk Acceptance 

c) Reason for CDD Risk Acceptance and risk mitigants 

d) Date of approval 

e) Expected date of resolution (for Temporary CDD Risk Acceptance) 

f) Details of CDD Risk Acceptance if not resolved within agreed timelines 

g) Name and role of Approvers 

h) Business restrictions 

7.2.32 Due to contractual obligations entered into at the point of provision of Insurance products, additional 

controls apply to the sale of Insurance products to Customer, subject to Country FCC approving a CDD 

Risk Acceptance: 

a) There is no appetite to provide Insurance Products to Customers with Temporary CDD Risk 

Acceptance. 

b) Customers with Permanent CDD Risk Acceptance require approval by Insurance FCC prior to the 

sale of an Insurance product. 

7.2.33 Sufficient MI to enable an understanding of the risks underlying the CDD Risk Acceptance requested and 

granted must be generated for the Business and FCC to review on a regular basis. This will help support an 

assessment of the effectiveness of the applicable standards and whether any remedial action is necessary 

(including training, review of policy and review of CDD requirements) (See Customer Data Management, 

Verification Requirements and Key Risk Indicators & Management Information Chapter). 

7.2.34 Business Executive and FCC must confirm on an annual basis (generally via MLRO reporting) that the 

number and nature of Permanent CDD Risk Acceptance is within the Business risk appetite. 

INTERNAL 

Page | 58

7.2.35 Where there is disagreement between the Business and FCC in relation to whether a CDD Risk 

Acceptance should be granted, the Escalation Process must be followed (see Escalations Chapter). 

7.3 CDD Procedural Standards Breaches 

7.3.1 A CDD Procedural Standards Breach is defined as trading, entering into, or continuing a relationship 

without full CDD information/documentation being in place and without a valid CDD Risk Acceptance in 

place. Examples of these Breaches can include: 

a) Accounts becoming operational where CDD is non-compliant with the Global CDD Procedures, 

without a dispensation or a CDD Risk Acceptance being in place; 

b) An expired Temporary CDD Risk Acceptance request that is not resolved; or 

c) Missing documentation/information that is a specific regulatory requirement under local legislation. 

7.3.2 It is not considered to be a CDD Procedural Standards Breach if a Customer is included in an approved 

remediation plan. 

7.3.3 If a Breach is identified, the matter must immediately be escalated to FCC and Business Management (refer 

to Global Risk FIM, Compliance Risk Management, B 2.1.4 Escalations, Exception Reporting & Follow Up). 

7.3.4 MI on Breaches needs to be sufficiently granular to understand the type of Breach. 

7.3.5 Completion of remediation and closure of the Breach must be tracked by the Business. 

INTERNAL 

Page | 59

8 Quality Control and Quality Assurance 


How will the 


achieved? 

To ensure that CDD information and documentation held on file is complete, accurate and 

up to date. 

To ensure that CDD processes have been undertaken in accordance with internal policies 

and regulatory requirements. 

Information and documentation obtained during the CDD process will be reviewed for 

completeness, accuracy and timeliness as part of the Quality Control (QC) and Quality 

Assurance (QA) procedures performed by the Business. 

Testing, and other self-assessments will be performed to ensure compliance with the 

applicable internal policies and regulatory requirements. 

The requirements in these procedures must be applied commensurate with the 

respective operating processes, customer types, and financial crime risks within 

the RBWM Business. 


In Scope 

This Guidance outlines minimum standards and principles to assist proceduralise 

CDD QC & QA processes. All Customers profiles that go through the CDD 

process are in scope of this Guidance which is focused on 1st Line 

responsibilities.(BRCM QA Activity is out of scope of this Guidance). 


CDD Process Chapters 

CDD Customer Type Chapters 

CDD Reliance Chapter 

Chapter 18.01 – Record Keeping and Retention Requirements 

Other Related 

Documents and 


Three Lines of Defence Model (GCL 150011) 

Global CDD Operations – RBWM CDD QC & QA Framework 

Page | 60 

INTERNAL


8.1.1 Throughout the relationship with the Customer and during the CDD process, information and 

documentation are obtained about the Customer. In order to assess appropriately the financial crime risk 

associated with the Customer, it is critical that the information and documentation obtained within the CDD 

Profile complies with CDD standards. The Quality Control (QC) and Quality Assurance (QA) processes 

are therefore key to effectively managing the risks associated with incomplete, inaccurate or unverified 

information and documentation retained in the CDD Customer Profile. 

8.1.2 Quality Control (QC) checks will look at the completeness,accuracy and timeliness of the information and 

documentation captured in the CDD Profile, identify any errors in the application of the CDD process. For 

example, that adequate information is retained in the CDD Profile to support the customer’s final 

recommended Financial Crime Risk Rating (FCRR). 17 These procedures are key to effectively managing 

the risks associated with incomplete or inaccurate information and documentation retained in the CDD 

Profile. 

8.1.3 QA is an independent, post approval process, that tests and reviews customer CDD profiles against 

internal policies and established procedures including approvals, decisions made, and quality of data 

captured to ensure that key controls are operating effectively. QA is undertaken on a sample basis and 

will look at the quality of the data collected, the decisions made, and the actual processes themselves. 

8.1.4 In some instances a portion or all of the CDD requirements may be performed by third parties. In these 

cases the Bank places reliance on third parties and therefore limited due diligence is performed internally. 

Such arrangements must be aligned to the requirements set out in the Global AML Policy External 

Outsourcing AML Guidance and CDD Reliance Chapter, which also outlines the Bank’s Control Testing 

processes to cover the third parties’ activities. 

8.1.5 The QC and QA procedures reinforce the Group's Risk Management Framework of the Three Lines of 

Defence. 18 

8.2 Quality Control & Quality Assurance (QC&QA) 

Responsibility 

8.2.1 QC & QA procedures are the responsibility of the RBWM Business and must be performed by an 

independent person. i.e someone who is suitably trained to ensure testing is applied consistently (e.g. 

Branch Manager or CDD Utility Quality team). and with the appropriate segregation of duties within the 

Line of Business or CDD Operating Unit.RBWM CDD Quality Control and Quality Assurance Frameworks 

should be referenced to determine specific QC & QA processes and procedures. (See Appendix A) 

Timing and Frequency 

8.2.2 QC & QA must be undertaken for new customer account opening (post approval), periodic and event 

driven reviews. Both should be performed independently of eachother, on an ongoing basis after the 

Approval process is complete, and results reported each month to the Regional & Global Risk 

Management Committee. The QA would undertake reviews and sample from CDD Profiles approved 

within the previous 30 days. Samples should include accounts opened from all channels where staff 

interaction is involved. Straight Through Processing (STP) does not require QC or QA sampling. 

QC/QA Minimum Sample Sizes 

8.2.3 Samples should be representative of the Country/operational area population. An operational area is 

defined as the country or region size and structure. The volume and criteria for sample selection and size 

17 

The Financial Crime Customer Risk Assessment Model (FCC-RAM) is used to calculate a Financial Crime Risk Rating (FCRR) for each 

customer – i.e. High, Medium or Low risk. See the Risk Models AML Guidance for further information. These FCRRs determine the level of CDD 

that is required to manage the risk posed by that customer and the frequency that the relationship is reviewed. 

18 

Please refer to the Thee Lines of Defence Model on the Group’s Risk website and the Group Standards Manual Chapter 10 for additional 

information on Three Lines of Defence Model and the applicable roles and responsibilities of each line of defence. Please note that this Guidance 

focusses only on the 1 st Line requirements. 

INTERNAL 

Page | 61

is to be defined by Operational area and documented within the Country LoBP. Using statistical sampling 

the following guidelines are to be applied. These equate to a 90% level of reliability19. 

8.2.4 Quality Control (QC) checks will look at the completeness,accuracy and timeliness of the information and 

documentation captured in the CDD Profile, identify any errors in the application of the CDD process. For 

example, that adequate information is retained in the CDD Profile to support the customer’s final 

recommended Financial Crime Risk Rating (FCRR).20 These procedures are key to effectively managing 

the risks associated with incomplete or inaccurate information and documentation retained in the CDD 

Profile. 

QC Sample Selection Requirements - New customer account opening, periodic and event driven reviews 

8.2.5 This guidance outlines minimum sampling requirements in 8.2.3 above which must be applied. 

The sample selected must ensure that each member of staff with responsibility for conducting CDD 

have at least 1 account sampled on an annual basis. 

A sample size of 10% (minimum 10) of all new accounts opened / new relationships formed must be 

undertaken within each legal entity within each Country on a monthly basis. 

The sample should cover the complete NTB high risk and SCC relationships established during the 

month. 

The sample should cover all customer relationships / products opened / different distribution Channels 

and should otherwise be random. 

The sample should be taken from accounts opened within the previous 30 days as the sample is being 

undertaken to ensure areas of concern are identified in a timely manner. 

The Business QC/QA framework (see Appendix A) for process application will increase the level of 

QC/QA sampling, on a risk based approach, e.g: following the implementation of new policies and 

procedures, hiring of new staff, shifts in responsibilities, where systemic errors identified etc. until it is 

determined that the changes are consistently and effectively implemented or the issues are appropriately 

managed. 

Where appropriate, this could be done through the use of thematic reviews (i.e. a focussed review on a 

specific topic or area of change to identify any issues For QA specifically, the sample must ensure that 

the relevant CDD process and procedures themselves are also in scope of the review. 

Following completion of a Periodic or Event Driven Review, QC & QA checks must be performed to 

ensure that the relevant CDD requirements have been performed to the necessary standard. Please 

refer to the Periodic and Event Driven Reviews Chapter for further information. 

The table below outlines the minimum sample sizes required within the overall sample taken for the 

various populations of periodic and event driven reviews. These reviews must be conducted in line 

with the guidance provided in the below checklist. 

Population 

High Risk and SCC Periodic Review 

Medium Risk Periodic Review 

Event Driven Reviews 

Sample Size 

20% of reviews in the month 



19 

A reliability level is a statistical term used to indicate the reliability of an estimate in an unknown population. It is used to indicate how likely or 

probable the results you get from your samples are to be representative of the entire population of whatever you are sampling. 

20 

The Financial Crime Customer Risk Assessment Model (FCC-RAM) is used to calculate a Financial Crime Risk Rating (FCRR) for each 

customer – i.e. High, Medium or Low risk. See the Risk Models AML Guidance for further information. These FCRRs determine the level of CDD 

that is required to manage the risk posed by that customer and the frequency that the relationship is reviewed. 

INTERNAL 

Page | 62

QA Sample Selection 

8.2.6 This guidance outlines miminum sampling requirements in 8.2.3 above which must be applied. 

The sample selected must include accounts that have been through the QC process as well as those 

that have not on a monthly basis. 

The sample should cover the complete NTB high risk and SCC relationships established during the 

month. 

The sample should cover all customer relationships / products opened / different distribution channels 

and should otherwise be random. 

The sample should comprise of New To Bank customers; Existing customers (i.e. periodic or event 

based reviews); 

The sample should be taken from accounts approved/completed within the previous 30 days. 

The QA framework document will increase the level of QA sampling, on a risk based approach, e.g.: 

following the implementation of new policies and procedures, hiring of new staff, shifts in responsibilities, 

where systemic errors identified etc. until it is determined that the changes are consistently and 

effectively implemented or the issues are appropriately managed. 

Where appropriate, this could be done through the use of thematic reviews (i.e. a focussed review on a 

specific topic or area of change) to identify any issues For QA specifically, the sample must ensure that 

the relevant CDD process and procedures themselves are also in scope of the review. Please refer to 

the QA framework document for further details. 

Volume of Customers 

Operational areas with large 

volumes (>770 profiles per 

month): 

Operational areas with low 

volumes (

A QC process must be in place for CDD Analyst accreditation (i.e. formal recognition of competence 

and authorisation to perform specific tasks) of new to bank employees and employees who are new to 

performing CDD. 

The accreditation process must require that 100% of the employees work be checked during the first 

two weeks performing their role. The learning curve / time horizon may be extended if low volumes of 

work have been completed / checked. 

Where satisfactory performance is evidenced and no issues have been identified (i.e. errors at 3% or 

less), the level of checking may be reduced to 50% for week 3. If, there are still no issues at the end of 

week 3, sampling may be reduced to 20% for week 4. 

After week 4 if the individual’s work is satisfactory with no issues identified, QC can revert to the 

standard level for all employees in the Country. (see Section 8.2.3) 

In the event that errors are identified at the end of week 2, checking must remain at 100%. If errors are 

identified during week 3 or 4, the sample size should revert to the previous level until such time as 

quality has improved and the sample may be reduced in line with the phased approach outlined above. 

Where a member of staff is not improving or there are repeat errors identified then consideration 

should be given to putting in place a formal Personal Improvement Plan and identifying training needs 

in conjunction with their line manager. 

QC & QA Checklist 

8.2.7 The QC & QA checks must include the following as a minimum: 

 

 

Check of ID&V documentation and information recorded/held on the customer’s file or record to 

ensure it meets with ID&V requirements as defined in the ID&V matrix and Country procedures. 

Check of CDD (KYC information) including any EDD to ensure the information completed is correct, 

makes sense and that no fields have been left blank or have non meaningful data completed. 

8.2.8 Check of any additional supporting information that is provided relevant to the CDD/EDD e.g. evidence of 

source of wealth for a high risk customer or source of funds validation for accounts to be funded with 

cash, etc. A standard baseline checklist has been developed for RBWM globally and must be used to 

ensure consistency of testing and reporting of errors identified among monitoring staff, across different 

monitoring reviews and over a period of time (See Appendix A for checklist). It also allows for any errors 

identified to be consistently categorised. 

8.2.9 Tasks / results recorded on the checklist should be structured so as to determine whether the business 

processes and controls effectively manage regulatory compliance risk; for example, that minimum ID&V 

requirements are captured. 

8.2.10 The global baseline checklist will be reviewed regularly (at least on an annual basis) by RBWM CDD AML 

CDD Standards, Global Standards. Variations to the baseline checklist, with input from the respective in 

country FCC team, will be requried to ensure that it remains relevant to the underlying regulation and 

associated business processes and controls. These variances should be logged and approved with 

Country FCC and captured within the LoBP Addenda. 

Findings 

INTERNAL 

A feedback process must be established for both QC & QA functions to ensure that staff are provided 

with details of any errors identified in their work. 

Whilst responsibility for remediating the finding may rest elsewhere, the staff member who committed 

the error must be notified of it to ensure they can learn from this and understand the mistake that was 

made and how to avoid this in the future. 

Findings should be categorised as ‘Regulatory’, ‘Policy and Procedural’ and ‘Administrative Error’ to 

provide a distinction and allow for differentiation in consequence management. From a Reporting & MI 

perspective these will be captured as Material and Non-Material errors. 

- Material = Regulatory & Policy and Procedural Errors 

- Non-Material = Administrative Error 

Page | 64

A Regulatory Error is defined as any deficiency in the Customer profile or supporting documentation 

that may put HSBC at regulatory risk from an AML/KYC perspective. For example, opening an account 

for a sanctioned entity. 

A Policy and Procedural Error is defined as any deficiency in the Customer Profile that does not meet 

HSBC Policy and RBWM CDD LOBP requirements. For example, not performing a Negative News 

search 

The scoring methodology should be consistent between QC & QA to ensure it accurately reflects the 

position across both functions. A profile is considered to be a ‘fail’ when the score of the profile review 

is

various CDD processes. The production of MI must be provided based on a consistent approach between 

QC & QA to ensure it accurately refects the position across both functions. MI reporting should include 

numerical data, supporting narratives, and clear action plans where required. 

8.2.18 MI metrics must also be reported in line with the Global Financial Crime Compliance (FCC) Risk Appetite 

Framework (RAF), which in turn is aligned to the FCC Risk Appetite Statement (RAS) reporting. 

8.2.19 Key CDD-related QC and QA metrics must include: 

 

 

 

 

 

MI data segmented between New to Bank, Remediation and Reviews; 

Number of profiles sampled & percentage profiles 

Ratio utilized between low, medium, high risk and SCC customers, as appropriate; 

Numbers of errors identified; 

Number of profiles that fail according to the materiality of the error; 

o 

o 

o 

Clearly state the total number errors identified during the review period as well as 

separate figures to show the number of:Regulatory Errors; 

Policy and Procedural Errors; and 

Administrative Errors. 

 

 

Number of profiles that fail due to multiple non-material errors; 

Trending analysis with supporting narratives, particularly where there is a downward or consistent 

negative trend. A broad snapshot of the number of profiles completed and the level of profile 

successful at operational area. This should include but not limited to: 

 

o The concern areas - Top Regulatory & Policy Procedural errors for the month 

o Number of Regulatory, Policy & Procedural and Administrative errors 

o Number of Data Quality, KYC and ID &V errors 

o Root cause analysis of errors identified 

o Trend analysis captured and reported 

o Recommendations to improve quality of CDD onboarding or periodic review process 

o Feedback to training team to enable continuous improvement 

o Remediation Status of the profiles including breaches of the 60 days without resolution 

The MI report must cover a 12 month rolling period to ensure that any emerging trends can be 

identified. The MI must also show how many Regulatory and Policy and Procedural errors recorded 

each month are still to be remediated. 

8.2.20 The results must also be reported to the Regional RBWM FCC team for consolidation into a Regional 

report and onward submission to the Global RBWM FCC team. 

8.2.21 The KRIs shown below must be be utilised. Where the KRI is anything other than ‘Green’ an explanation 

should be given as to the root cause and the action being taken to address the negative trend. 

8.2.22 If the QC/QA process reporting Country reports ‘amber’ or ‘red’ QC/QA results for 3 consecutive months, 

this must be escalated to Regional RBWM FCC for consideration to be given to increasing the sample 

size for that Country until compliance rates show a sustained level of improvement. 

Error rate observed in sample RAG 

3% or below Green 

More than 3% but less than 5% 

Amber 

5% or above 21 Red 

21 

A Failure Rate of 6.4% would make the operational area Red as it is outside the Risk Tolerance level of 5%, based on the RAS01 metric as of 

March 2016. 

INTERNAL 

Page | 66

8.3 KYC Quality Analysis 

8.3.1 First Line of Defence, the Business, must perform regular analysis to establish overall quality of KYC, using 

existing data sources, including but not limited to, BRCM reviews, Audit findings and Compliance Testing. 

This will typically be coordinated on a Regional basis. 

8.3.2 Thematic deficiencies must be identified, with interventions scheduled and tracked to address improvement 

areas. 

8.3.3 The findings of analysis and proposed interventions must be reported to Regional and then Global RMC on 

a quarterly basis. Progress against agreed interventions must be reported monthly at Regional RMC. 

8.3.4 Further guidance on the approach to be used is documented in the KYC Quality Continuous Improvement 

Cycle in appendix B. 

8.4 Quality Assurance – Compliance / Second Line of Defence 

8.4.1 The QA performed by Compliance / Second Line of Defence on the First Line of Defence is documented in 

the Group Risk Compliance FIM B2.1.3.1 Financial Crime Compliance Monitoring & TestingPlease refer to 

the Procedural Standard for Monitoring and Testing for additional information 

INTERNAL 

Page | 67

Appendix A – Quality Control & Quality Assurance Checklist 

RBWM QC & QA 

Goldcopy Checklist v1.3 

BRQA Framework 

Document RBWM Ver 1.0.doc 

Page | 68 

INTERNAL

Appendix B - KYC Quality Continuous Improvement Cycle 

Page | 69 

INTERNAL

9. Customer Data Management, Verification Requirements 

and Key Risk Indicators & Management Information 


How will the 


achieved? 



Other Related 

Documents and 


To maintain an audit trail concerning Customer Due Diligence, as evidence of 

compliance with legal and regulatory obligations, and to assist in any financial 

investigation conducted by law enforcement. 

To obtain and verify the appropriate CDD documentation in accordance with 

legal and regulatory obligations. 

To report to Business and Compliance executives, providing them with the 

necessary information to take appropriate action in the prevention of Financial 

Crime and to fulfill their regulatory obligations. 

An effective data management framework must be adhered to with respect to 

data sharing, documentation storage and retention of documents. The 

framework must be consistent across the business based on the standards 

outlined in this document. 

Minimum requirements for verification documentation to be obtained as part of 

the CDD process must be established. These standards must address where 

non-approved documentation (including documentation in a non-local language) 

is obtained and where discrepancies are identified in the documentation 

obtained. 

Key Risk Indicators (KRIs) and Management Information (MI) must be reported 

on a periodic basis and be relevant and of sufficient detail to provide meaningful 

and actionable analysis. 


9.2 Customer Data Management 

9.3 Verification Requirements 

9.4 Discrepancies to ID&V 

9.5 ID&V Related Provisions 

9.6 Key Risk Indicators & Management Information 


Governance 

HTS FIM – B 6.2 Records Retention 

Risk FIM – B.10 Information Security Risk 

Compliance FIM - B2.4.5 Privacy, Data Protection and Cross-Border Data 

Transfer 

Page | 70 

INTERNAL


9.1.1 Within the parameters of what is legally permissible, an effective data management framework must be 

adhered to with respect to data sharing, documentation storage and retention. This chapter provides further 

guidance on these requirements as well as the verification of documents, key risk indicators and 

management information. 

9.2 Customer Data Management 

9.2.1 The CDD process requires Customer data to be collected and shared for risk management and Customer 

service purposes. As a result, it is important that regulatory legislation, both on a global and country level, 

is adhered to with respect to: 

(i) data sharing (including data transfer, processing, data storage and outsourcing) 

(ii) data protection 

(iii) bank secrecy 

(iv) other specific legislation governing data 22 

9.2.2 Any country or global procedures or regulatory guidance that conflict with Group policies on information 

sharing, privacy and protection must be approved by Legal. 

Data Retention 

9.2.3 All documentation obtained to support the CDD Profile must be retained in accordance with the HTS FIM 

B.6.2 Records Retention. 

Storage Methods 

9.2.4 Group requirements for records management are defined in the Knowledge Management FIM (B 6.2 

Records Retention). 

9.2.5 The methods for retaining and storing required CDD information and documentation will depend on HSBC’s 

global CDD suite of systems. 

9.2.6 The overarching global requirement is that all CDD information and documentation is readily accessible and 

retrievable e.g. for AML programme purposes or in the case of a law enforcement or regulatory request. 

Unless physical documents are required, the preferred method of storage is electronic. 

9.2.7 Minimum identification information required to be captured in relation to the Customer and Connected Parties 

must be recorded in the applicable RBWM system in order to facilitate automated sanctions screening. Refer 

to the Global Risk FIM Customer Sanctions Screening Sanctions B2.19.5 for details of the minimum screening 

requirements. 

9.3 Verification Requirements 

ID&V Definitions 

9.3.1 For the purpose of identification and verification of customers, identification, verification and validation have 

been defined below: 

 

 

 

Identification - identifying who the Customer and Connected Parties are by gathering information 

about their identity from the Customer, RM or publicly available sources 

Verification - verifying some or all of the identity information gathered using reliable and 

independent documentary and/or electronic sources 

Validation – describes the process of corroborating (i.e. supporting with evidence) KYC 

information. 

9.3.2 The Customer specific verification information requirements are documented in the ID&V Section within the 

Customer Type Procedures e.g. the number and type of documentary sources. 

22 

Group requirements for data sharing are outlined within the Compliance FIM B2.4.5 Privacy, Data Protection and Cross-Border Data Transfer 

INTERNAL 

Page | 71

9.3.3 Where entities are in the process of being formed and draft documents are used to evidence the existence 

of the entity, this must follow the CDD Risk Acceptance Process. Please see the CDD Risk Acceptance 

Chapter for additional information. The final documents must be obtained on a timely basis in accordance 

with the Risk Acceptance granted. 

9.3.4 The lists of ID&V sources e.g. Documentary sources, Electronic sources, Business Information (third party) 

sources and Independent sources as noted in the Global ID&V Matrix must be adapted to the local 

jurisdictional requirements, for instance based on common law and civil law requirements, and must be 

equivalent to the standard documents described in the Global ID&V Matrices. Country FCC must ensure 

that the local ID&V matrix is reviewed on an annual basis. 

9.3.5 Please refer to the Governance Chapter for specific roles and responsibilities relating to the maintenance 

and approval of the localised lists of ID&V sources. 

9.3.6 Requests to use ID&V sources outside of the localised list of ID&V sources on a one-off basis must be 

treated as a Risk Acceptance. Please refer to the CDD Risk Acceptance Chapter. 

Documentary Sources, Approved Electronic Sources and Sources from Approved Third 

Party Vendors 

9.3.7 The following outlines the high level classification of Documentary Sources, Electronic Sources, Business 

Information and Public Sources. Please refer to the specific Customer Type ID&V Matrices for acceptable 

documents for each Customer Type where below sources can be used. 

Documentary 

Primary 

&Secondary 

Sources 

Primary Sources: 

For an Individual, Primary sources are documents issued by governments and contain a photograph 

or other safeguard such as an identification number or a date of birth (e.g. passport, driver’s license, 

national ID cards, or other government issues identity document). 

For Entities, this would include documents that evidence the legal existence of a Corporation, 

Partnership, Trust, Limited Liability Company or other entity (e.g. Articles of Incorporation or a Trust 

Deed). 

Primary Documents must be current at the time of initial review / collection, i.e. unexpired. 

Secondary Sources: 

Secondary sources include other original government or local government-issued documents, 

certified/notarised documents or documents issued by public utilities. Secondary documents also 

include documents issued by recognised financial institutions and, in some cases, universities or 

employers. The utilisation of employers letters needs to be considered on a country by country basis 

and documented in the Country ID&V Matrix following approval from Country FCC 

Secondary Documents must be of recent date (please refer to the ID&V Matrices for specific 

timeframes regarding the relevant documents for each Customer Type). 

Electronic 

Sources 

Business 

Information (third 

party) Sources 

Public Sources 

Electronic Sources are used to verify the Customer’s or Connected Parties identity independently, 

i.e. a comparison of information provided by the Customer with information obtained from credible 

and reliable external sources (e.g. Credit Bureau Records). 

Identification, Verification and Validation may be completed through Country FCC-approved third 

party data providers (e.g. LexisNexis, Bloomberg). Please refer to the ID&V Matrices for approved 

ID&V sources for each Customer Type. 

Identification, Verification and Validation may be completed through public sources other than 

approved business information sources (e.g. documents held in the public domain such as audited 

financials published on a company website) 

9.4 Discrepancies to ID&V 

9.4.1 Once the identity of a Customer has been verified satisfactorily, there is no obligation to re-verify identity 

(unless doubts arise as to the authenticity or adequacy of the evidence previously obtained for the purposes 

of Customer identification or as a result of a Trigger Event or Periodic Review e.g. name change) even if the 

documentation used to verify the Customer has expired. 

INTERNAL 

Page | 72

9.4.2 In the course of the ID&V process, discrepancies may arise between the information obtained from the 

Customer and the information that is obtained from reliable and independent approved sources. When there 

are doubts as to the authenticity of the document / information, consideration must be given to verifying the 

authenticity of the document with its issuer. 

9.4.3 All discrepancies must be investigated and, where possible, resolved by: 

a) Confirming that the information received from the Customer is correct and/or 

b) Obtaining additional sources to verify the information 

9.4.4 Where the Business cannot resolve a discrepancy in ID&V, it must escalate to FCC. 

9.4.5 A complete record of any discrepancies, together with any actions taken to resolve each discrepancy and 

approvals obtained must be maintained in accordance with the HTS FIM B 6.2 Records Retention. 

9.4.6 Concerns regarding the authenticity of a document must be escalated to Fraud who will communicate with 

FCC as appropriate. A concern may warrant a UAR to be raised, as deemed appropriate by the Business. 

For UAR procedural standards refer to the UAR Procedural Standard. 

9.5 ID&V Related Provisions 

Minimum requirements for certification and reliance on non-local language documents 

9.5.1 Where ID&V documents are in a language other than those approved for business use within the local 

jurisdiction (non-local languages), they require certification according to the process outlined below. 

9.5.2 Non-local language documents may be relied upon to satisfy CDD requirements; a word-for-word 

translation of the document is not necessary, unless required under local regulations. 

9.5.3 To be reasonably satisfied that the non-local language document provides evidence of the Customer’s 

identity (or other parties being identified), and/or fulfils the purpose required for CDD, a set of minimum 

information requirements must be documented which include: 

a) The name, the type of document, issuer and, if applicable, the expiration date and the 

date of issue 

b) The purpose and function of the document in the CDD process 

c) The specific contents of the document that are material to its purpose and function in the 

CDD process and details of any restrictions 

d) Signed certification from person reviewing the document(s) that they are fluent to business 

proficiency in the document’s language. Where there are any doubts concerning the legal 

language within the document, this must be escalated to Legal or FCC. 

9.5.4 Translations and certifications as noted above must be retained with the source document. 

9.5.5 Within RBWM, certification may be performed by employees, with appropriate training to undertake the 

task, and fluent in the relevant language or with sufficient knowledge of the document to confirm that it 

meets requirements. RBWM’s default position is for the cost of translation to be borne by the Customer. 

However the overall commercial situation of the Customer should be considered. 

9.5.6 The Risk FIM B.10 Information Security Risk governs Information Security, including the use of translation 

websites for non-public information. Specifically, anything other than public information concerning our 

Customers should not be translated using online translation sites. Public information is information that is in 

the public domain and as such is common knowledge in the market. Examples of non-public information 

may include any information related to a confidential transaction or subject to a confidentiality agreement. 

Technological Limitations and Legible Copies 

9.5.7 Every effort should be made to obtain legible copies of all documents required. 

9.5.8 In instances where copies of documents are difficult to read, for example, on the rare occasion where a 

scanning process has made a document difficult to read, and re-scanning the document does not improve 

the position or is not possible, it is permissible for the Business to transcribe the CDD data manually on the 

INTERNAL 

Page | 73

copy of the document or on a separate attached sheet. Where information is transcribed, this must be 

performed with the original document at the time it is obtained. The staff completing this process must 

provide their name, staff number and signature. In certain cases and dependent on the channel of 

onboarding (e.g. non face-to-face), it may be necessary to contact the Customer for copies of legible 

documentation. 

9.6 Key Risk Indicators and Management Information (“KRIs & MI”) 

9.6.1 Identification, measurement and reporting of KRIs and MI on the CDD Process provides Business, 

Compliance, and Management with data, trends, analysis and risk indicators required to assess the 

effectiveness of Financial Crime Risk Management controls within the organisation and analyse and 

manage the performance of the CDD process on an on-going basis. 

9.6.2 It is the responsibility of the Business to provide KRI and MI reporting as required to manage the financial 

crime risk of their business. Additionally, KRIs and MI may be required from Group Functions or for 

regulatory reporting. 

9.6.3 Reporting must reflect risk related MI as well as operational / process performance MI. 

9.6.4 KRI and MI reporting may be Global, Regional, Country and by Line of Business. 

9.6.5 KRIs and MI must be captured in sufficient detail to allow for meaningful review by the Business, 

Compliance, and Management. 

PLACEHOLDER 

Global RBWM and FCC will define in conjunction with Global AML the minimum set of 

KPI and MI requirements that countries must produce. 

An Appendix to the chapter will be added once the minimum requirements have been 

approved. 

INTERNAL 

Page | 74

10.Restricted and Prohibited Customers, Special 

Categories of Customer (SCCs) and Prohibited Products 


How will the 


achieved? 



To identify, assess and mitigate the risks associated with specific customer relationships, 

which pose a higher risk of exposure to Financial Crime. 

By defining Prohibited Customers; Restricted Customers, including Special Categories of 

Customers; High Risk customers and the related procedures, assessment criteria, 

approvals and other considerations required for these types of Customers. 


10.2 Special Categories of Customer (SCC) 

10.3 Prohibited & Restricted Customers 

10.4 High Risk Business Types 


Approvals 


Other Related 

Documents and 


10.1.1 . 


Client Selection and Exit Management (CSEM) Policy 

Reputational Risk and Client Selection Committee (RRCSC) 

AML Policy FIM B.2.17.8 – Prohibited Customers, Restricted Customers and Prohibited 

Accounts & Services 

AML Policy FIM B.2.17.9 - Special Categories of Customer (SCC) 

Transaction Monitoring 

Page | 75 

INTERNAL


10.1.1 Different customer types pose different inherent levels of financial crime risk to HSBC. The main way that 

these risks are identified and managed is through the Financial Crime Customer Risk Assessment Model 

(FCC-RAM), which allocates a Financial Crime Risk Rating (FCRR) to each customer of either Low 

(sometimes referred to as Standard), Medium or High within RBWM. These risk ratings then dictate the 

level of Customer Due Diligence (CDD) requirements that need to be applied. 

10.1.2 However, there are certain customer types that are more vulnerable to significant financial crime. To help 

the bank manage the risk, these customer types are therefore: 

a) Prohibited Customers - Certain entities or types of individual are Prohibited. This is driven by 

regulations. HSBC will not provide products or services to these customers. 

b) Restricted Customers – Certain customer types are restricted due to vulnerability to significant 

financial crime risk. HSBC has a reduced risk appetite for Restricted Customers and they can only 

be onboarded or retained where comprehensive controls are in place 23 , which are proportionate to 

the nature, scale and complexity of the money laundering or other financial crime risks associated 

with the Customer; and that the Customer is: 

 

 

 

 

Legally permissible by Local regulations; 

Classified as Special Category of Customer (SCC) and subject to an increased level of 

ongoing scrutiny and approval; including 

Approval by the appropriate Reputational Risk Client Selection Committee (RRCSC); 

and 

Is tracked in a SCC Register, that is made accessable to the appropriate AML Office, 

where legally permissible. 

10.1.3 Special Categories of Customer (SCC) – Specific types of customers are deemed to pose an inherently 

high risk of exposure to financial crime owing to the type or nature of their role or business. These types of 

customers are categorised under the term SCC. Restricted customers that are retained or maintained by 

permenant exception are also considered as SCC 

10.1.4 High Risk Business Types – There are a number of customers that have inherent financial crime risks, 

which need to be considered during the onboarding and review processes; however, those risks are not 

prohibitive and do not require the same level of additional CDD requirements that are applied to Restricted 

or SCC Customers. The risk posed by these customers’ needs to be considered in light of the CDD 

gathered – for example, given the business type, does the nature of business and purpose of account 

appear consistent; does the source of wealth make sense. 

10.1.5 The Global AML Policy and AML Procedure provides the minimum requirements for managing the 

financial crime risk posed by the above Customers. These procedures provide further guidance on the 

treatment of such customers and should be read in conjunction with the Global AML Policy and applicable 

Customer Type Procedures. 

10.1.6 Prohibited Accounts and Services - This Procedure also outlines the Accounts and Services prohibited as 

indicated by HSBC ‘s Global AML Policy. 

10.1.7 Certain Accounts and Services (referred to collectively as Products) are prohibited from being offered by 

HSBC to its customers. These products are prohibited because they are outside of the bank’s risk appetite 

given the level of money laundering risk they pose and the lack of appropriate and/or proportional controls 

available to mitigate those risks. 

10.1.8 See Appendix D for a list of Prohibited Products. 

10.1.9 The provision of Hold Mail Accounts is also prohibited by the Global AML Policy. A Hold Mail Account is 

one where the customer has instructed all documentation related to the account to be held on their behalf 

until collection and/or where the customer uses an HSBC location as their mailing address. Where Hold 

Mail Accounts are identified, countries must take steps to ensure that an appropriate correspondence 

address is on file for the customer and that all relevant documentation is sent to this address. If the 

customer refuses to provide a correspondence address or declines to receive documentation at this 

23 

Comprehensive Controls are required by both the Customer and by the Business Unit maintaining the relationship. 

INTERNAL 

Page | 76

address then RBWM must proceed with exiting the relationship through the Client Selection and Exit 

Management Process. 

10.1.10 Some countries may have additional regulatory requirements to restrict or prohibit certain types of 

customers. These categories must be recorded and approved in Country AML Addenda and Variance 

Log. Refer to the AML Governance Procedure for further information. 

RBWM can identify additional Resticted Customer and/or SCC categories. These must be recorded and 

approved in RBWM LoBP’s and Variance Log. Refer to the AML Governance Procedure for further 

information. 

Identifying Impacted Customers 

10.1.11 Customers can be identified as Prohibited, Restricted, SCC or other High Risk Business Type, based on 

information gathered through the CDD Processes at on-boarding, or during a Periodic or Event-based 

Review. 

10.1.12 Over the course of the CDD process, information may be identified that automatically makes the customer 

Restricted (e.g. an entity which operates as a money service business) or Prohibited (e.g. individual which 

was previously exited for AML reason) or SCC (e.g. PEP). 

10.2 Special Categories of Customer (SCC) 

Identification of SCCs 

10.2.1 The SCC designation overrides the Customer’s FCC-RAM derived risk rating, forcing a higher risk 

designation and additional controls (e.g. EDD) to manage the risk. See Appendix B for the SCC 

designated categories. 

10.2.2 SCCs must be assigned to a named Relationship Manager. Where a relationship management team is in 

place and to be utilised rather than of a named Relationship Manager this is possible, but should be 

approved by RBWM Regional FCC. 

10.2.3 SCCs are subject to: 

 

 

 

Enhanced Due Diligence (EDD) in addition to the Identification and Verification (ID&V) and Know your 

Customer (KYC) requirements as determined by the relevant Customer Type CDD Procedures. Please 

note, if EDD is required after the customer has already been through the approval process, then that 

EDD must be completed and the customer resubmitted through the approval process. Please refer to 

Chapter 3 in the RBWM CDD Customer LoBP. 

Annual periodic review. Please refer to the Periodic and Event Driven Review Chapter 

Ongoing monitoring controls 

10.2.4 If a customer meets more than one SCC category e.g. a PEP with a known material level of exposure to a 

Sensitive/Sanctioned country then the EDD requirements for each SCC categorisation must be completed 

and each SCC category recorded on the customer profile in the appropriate system and/or on the SCC 

Register where legally permissible. 24 

10.2.5 When determining if an Entity is SCC, the Business should also consider whether part of the Entity’s 

Nature of Business has a link to a SCC category. In these cases, consideration should be given to 

whether the SCC-related activity is material (e.g. generates a material amount of revenue) and therefore 

should be categorised as an SCC to ensure the potential risk is managed appropriately. Examples 

include: 

24 

There may be exceptions to this, for example where there is a PEP and GSB connection. See the respective Customer Type CDD Chapters 

for further guidance. 

Page | 77 

INTERNAL

Some travel agencies also operate as currency dealers or exchangers, which could make the 

customer a money service business (MSB). See the MSB CDD Chapter for further guidance. 

Companies manufacturing/supplying part components for Arms purposes e.g. components of hand 

guns 

Businesses that have gambling machines on their premises, which are additional to their overall Nature 

of Business (e.g recreational vehicle/caravan parks or gas stations); or where a gambling license is 

included as part of another license (e.g. an off-license or cinema); etc. See the Gambling CDD Chapter 

for further guidance. 

10.2.6 If it is uncertain regarding the classification of a customer as SCC, please refer to local RBWM FCC in the 

first instance. 

SCC Approvals 

10.2.7 SCC Customers must go through the following minimum Approval stages at on-boarding and periodic and 

event-based review: 

a) The Preparer (where distinct from Business Owner); 

b) Business Owner; 

c) Business Management; and 

d) FCC Concurrence - once the business has approved, it must be submitted to FCC for consideration 

of the financial crime risk posed and the extent that the risk has been assessed and managed. 

e) Certain SCC categories may require additional approval requirements. Please refer to the relevant 

Customer Type CDD Chapter, which are noted in Appendix 2, for further information. 

SCC Register 

10.2.8 A Register of current SCCs must be maintained at a country level. It must be managed by the Business. 

10.2.9 The Register must be accessible by the applicable Country AML Office and Country LoB FCC, and by the 

Regional AML Office (where possible given local data sharing restrictions). 

10.2.10 Management Information (MI) taken from the Registers must also be made available to the respective 

Regional AML Office, the Global AML Office and Global Line of Business AML teams when requested (as 

possible given local data sharing restrictions). 

10.2.11 While RBWM Regions may choose to increase the information required to be escalated within MI the 

following data points must be captured at a minimum (as applicable): 

 

 

 

 

 

 

 

 

 

 

 

SCC Category 

Unique Identifier (CIN) 

Region 

Country 

HSBC Legal Entity 

Country of Incorporation/Establishment 

Country of Business Address of Legal Entity 

Country of Residential Address 

Country of Nationality 

Country of Political Exposure (where PEP holds Office) 

Highest Risk PEP (Y/N) 

INTERNAL 

Page | 78

SCC Classification across Organisational Groups – RBB only 

10.2.12 Where a subsidiary or Parent is classified as SCC, other companies within the group do not automatically 

need to be classified as SCC. The reason for the SCC categorisation should be assessed for those other 

group entities, and: 

 

 

If the SCC category directly impacts the other entity, they must also be categorised as SCC and 

subject to the requirements outlined in this procedure. For example, subsidiary 1 has a Uulitamate 

Beneficial Owner (UBO) who is a PEP - that PEP is also a UBO of subsidiary 2. 

If the SCC categorisation is not applicable, then that entity should be risk rated separately, as per the 

FCC-RAM. The subsequent CDD will be based on that risk rating. Please note that it is possible for 

the other entity to be subject to a different SCC categorisation. For example, subsidiary 1 has a PEP 

as a UBO, making it SCC02. The PEP does not have any ownership over subsidiary 2 in that group. 

However, subsidiary 2 has a material level of exposure to a sensitive sanctioned country, making it 

SCC11. 

10.2.13 Where an entity is classified as SCC, a branch of that entity may also be classified as SCC since the 

branch is legally part of the entity. However, this can also be assessed on a case-by-case basis where 

the nature of business and control of each branch is materially independent. 

Removal of SCC Categorisation 

10.2.14 Local FCC must provide concurrence on the removal of the SCC categorisation. Once the concurrence is 

provided the SCC category recorded on the customer profile may be removed and the customer removed 

from the SCC Register 

10.2.15 For the removal of SCC Categorisation for PEPs (SCC 01), PEP Associates or Connected persons, 

Corporate PEPs (SCC 02), please refer to the PEP Chapter for further guidance. 

10.3 Identification of Prohibited & Restricted Customers 

Prohibited Customers 

10.3.1 Based on information gathered over the course of CDD Processes, it may be determined that the 

Customer is a Prohibited Customer as defined in Section 4 of the Global AML Policy or in the Customer 

Type CDD Procedures. 

10.3.2 If a Prohibited Customer is identified, the on-boarding or CDD Periodic or Event-based review should be 

suspended. RBWM Business must proceed with exiting the relationship through the Client Selection and 

Exit Management (CSEM) Process. The Customer may also warrant escalation through the UAR process 

given the nature of the change or activity and which could be considered unusual from a financial crime 

perspective given the change in profile behaviour. See Appendix A for a list of Prohibited Customer Types 

Restricted Customers 

10.3.3 If a Restricted Customer is identified, comprehensive controls must be in place, which are proportionate to 

the nature, scale and complexities of the money laundering risks associated with the customer, in order to 

onboard or retain the customer. If the proper controls 25 are established with both the Customer, and the 

Business area maintaining the relationship, the customer may be on-boarded or retained after receiving 

the appropriate controls.Where retained or onboarded, Restricted Customers must be classified as SCC. 

See Appendix B for the list of SCC Categories and section 10.3 for further information on SCCs. 

10.3.4 Individuals that have an identified material financial ownership (e.g. 10% or above), close association or 

otherwise assert control over an entity that, if it were a Customer, would be a Restricted Customer, must 

also be considered a Restricted Customer (see SCC 12). 

25 

Consideration should be given to controls outlined in the various CDD Chapters, some of which are focused on the specific customer types. 

Plus the approvals outlined in this section and the requirements outlined in the SCC section below. 

INTERNAL 

Page | 79

Restricted Customer Approvals 

10.3.5 Restricted Customers must go through the following minimum Approval stages at on-boarding and 

periodic and event-based review: 

 

 

 

 

 

The Preparer (where distinct from Business Owner); 

Business Owner; 

Business Management; and 

FCC Concurrence - once the business has approved, it must be submitted to Local FCC for 

consideration of the financial crime risk posed and the extent that the risk has been assessed and 

managed 

At on-boarding, or where newly discovered only: Where the customer has gone through the approval 

process and the decision is made to on-board or retain the Restricted Customer, further approval is 

required from the appropriate Reputational Risk and Client Selection Committee (RRCSC). 

The following types of customers are restricted: 

Money Services Businesses (MSBs), i.e. licensed and/or registered 

companies offering services involving money/currency exchange, money 

transfer, cheque cashing, and issuing or selling travellers cheques, 

money orders; 

Third Party Payment Providers (TPPPs) e.g. companies that provide 

payment processing services to merchants and other business entities; 

Issuers/Dealers of Virtual Currency, i.e., companies that provide or trade 

in a medium of exchange that operates like a currency in some 

environments but is not issued or backed by a central bank or public 

authority nor has legal tender status in any jurisdiction; 

Certain Government and State Owned Body (GSB)/Embassy 

Relationships; 

Where retained or 

onboard – 

applicable SCC 

Category 

SCC 05 

SCC 05 

SCC 05 

SCC 04 

Certain Gaming/Gambling Operations; SCC 06 

Certain Customers, mainly pharmaceutical, where a portion of or all of 

their operations relate to medical marijuana where not prohibited by local 

law e.g. U.S. 

SCC 09 

Page | 80 

INTERNAL

10.4 High Risk Business Types 

10.4.1 High Risk Business Types are customers that pose an additional level of financial crime risk, usually given 

the nature of their business. For the purpose of this Procedure, these types of business are seperate to 

the SCC categories. However, please note that some parts of the bank may reference some SCCs or 

Prohibited customer types under the term High Risk Business 

10.4.2 High Risk Business Types are identified to assist the bank in managing the risks that they pose. The bank 

does this in a number of ways, including: 

 

 

FCC-RAM: High Risk Business Types are used by the FCC-RAM as one of the elements that 

determines the overall FCRR of a customer. 

Enterprise Wide Risk Assessment (EWRA): High Risk Business Types assist the bank in capturing and 

understanding its financial crime risk exposure, beyond the SCC categories. 

10.4.3 The focus in this Procedure is on what the Business should consider from a CDD perspective if a High 

Risk Business Type customer is identified. The use of High Risk Business Types by the FCC-RAM or 

EWRA is out of scope. 

10.4.4 The level of CDD required for High Risk Business Types is determined by their FCRR. They are not SCC 

and therefore do not require the additional SCC requirements. However, these types of customer do pose 

an additional level of risk, and therefore special attention should be on whether, taken collectively, the 

CDD information gathered makes sense. 

10.4.5 When a High Risk Business is identified (regardless of the customer’s FCRR) some considerations 

include: 

 

 

 

 

Does the nature of business, purpose of account, Source of Wealth and Source of Funds make 

business sense when looked at together? 

Is the entity acceptably publically listed or equivalently regulated? This could give some level of 

reassurance given the level of disclosure and transparency that would entail. 

Is the customer required to be licensed or registered with an appropriate body, and if so, are they? 

Are they incorporated in or operating out of a Free Trade Zone? Does this make business sense given 

what is known about the nature of business? 

10.4.6 When a High a High Risk Business is identified (regardless of the customer’s FCRR) some considerations 

include: 

 

the Approval process for High Risk Business Types (as defined in this Procedure) is as per their FCRR. 

Please see the CDD Process Chapter 6 on Approvals for further information. 

See Appendix C for non-exhaustive examples of High Risk Business Types, including further 

considerations to assist in managing the risk. 

INTERNAL 

Page | 81

Appendix A – Prohibited Customers 

Description 

Additional information 

Supporting 

Guidance 

Sanctioned Persons, Entities, governments or 

countries or Entities & Individuals on Internal 

Watchlists 

Individuals or Entities and their Connected 

Parties or other relevant parties included on the 

HSBC Global or applicable Local Lists used for 

Sanctions Screening (e.g. Section 311 of the 

USA PATRIOT Act) 

Entities and Individuals that are recorded on 

internal lists (e.g. Scion or Customers previously 

exited for Financial Crime) for Financial Crime 

purposes. 

Refer to the Global 

Sanctions Policy for 

more information. 

Anonymous or Numbered Accounts or 

customers seeking to maintain an account in an 

obviously fictitious name 

A bank account that has no features identifying 

its owner 

Customers whose identities are not known or 

cannot be verified 

i. Customers exited for financial crime 

reasons, due to a strong suspicion or direct 

evidence that criminal activity has taken place, 

where a criminal offence has been committed 

and charges have been brought or where there 

is a suspicion of terrorist financing; 

ii. 

list. 

Are on HSBC’s applicable country level 

Shell Banks 

Unlicensed/registered non-bank financial 

institutions (NBFIs), including 

Unlicensed/registered Money Service 

Businesses (MSBs). 

Certain Gambling Operations 

Any individual or entity prohibited from holding 

an account by local law outside their home 

jurisdiction (eg certain Politically Exposed 

Persons) 

Capable and issued bearer share companies 

that have not satisfied mitigating controls 

Where the Customer’s identity is not known or 

cannot be verified or if the Customer refuses to 

participate in the required CDD process and 

provide transparent answers 

iii. Where Customers are known to have 

been convicted of a financial crime, including 

money laundering, drug trafficking, human 

trafficking, terrorism financing, tax evasion, 

political corruption, sanctions violations; or 

cause a reasonable basis for suspecting that the 

potential customer is involved in, or whose 

wealth / funding comes from such activities 

A “shell bank” is an entity that has no physical 

existence in the country in which it is 

incorporated and licensed, and which is 

unaffiliated with a regulated financial group that 

is subject to effective consolidated supervision. 

Physical presence means mind and 

management located within a country 

NBFIs which are not licensed or registered in 

jurisdictions which require license and/or 

registration. 

a. Category 2 e.g. remote gambling services; 

and 

b. Certain operations under Category 1 e.g. 

junket operations. 

iv. Refer to 

Customer Selection 

and Exit Management 

(CSEM) Policy 

See CDD Customer 

Types Chapter 8 - 

Banks 



NBFIs 



Gambling 

See section 7.4 of 

Corporates & 

Partnerships EDD 

Chapter 

INTERNAL 

Page | 82

Appendix B – Group SCC Categories 

# Description Additional information 

SCC 

01 

SCC 

02 


PEP Associates or Connected persons 

(includes family members and close 

associates) 

Corporate PEPs are also classified as 

SCC 02. 

As a general principle, a PEP is designated as 

SCC. 

However, after a period of time when a PEP has 

left office, PEPs can be declassified from SCC 

status, subject to at least the same level of 

approval that is required for SCC classification. 

They must, however, continue to be denoted as 

a PEP. 

As above. 

A Connected person may also be declassified as 

a PEP in situations where the Connected person 

becomes disassociated with the PEP, subject to 

the same level of approval that is required for 

SCC classification. 

Supporting 

Guidance 



PEPs 



PEPs 

SCC 

03 

Charities, Not-for-Profit Organisations 

(NPO), Non-governmental Organisations 

(NGOs), religious organisations that 

exhibit high risk characteristics. 



NPOs 

SCC 

04 

Government and State Owned Bodies 

(GSBs) that exhibit High Risk 

Characteristics and Embassies 

Foreign Embassies, Consulates, and Foreign 

Missions. 

GSBs of countries where the country’s TI CPI 

score is 35 or lower. 



GSBs 

SCC 

05 

v. Crowdfunding platforms, Third 

Party Payment Processors (TPPPs), 

Issuers/Dealers of Virtual Currency and 

Money Services Businesses (MSBs). 

vi. I.e. companies offering services involving 

money/currency exchange, money transfer, 

cheque cashing, and issuing or selling travellers 

cheques. 

vii. See CDD 

Customer Types 

Chapter 11 - NBFIs 

SCC 

06 

SCC 

07 

Gambling Operations 

Companies that manufacture or sell 

weapons, e.g., Arms dealers and 

manufacturers. 

Some companies are prohibited under the 

Defence Equipment Policy, B.21.5.3. 

For those Gambiling customers that are not 

prohibited – i.e. some of Catergory 1 

Where the customer is ‘Restricted’, and 

therefore can be retained as they are not 

prohibited under the Defence Equipment Policy, 

then they must be classified as SCC. 

Where an Exception is approved by the Global 

Risk Management Meeting; 



Gambling 

Defence Equipment 

Policy, B.21.5.3 26 . 

SCC 

08 

SCC 

09 

Certain Bearer Share Corporations that 

are: 

 

Entities and individuals that pose 

significant reputational risk to HSBC 

e.g., customers who are have been 

accused or convicted of money 

laundering, terrorist financing, tax 

Have their Issued Bearer Share Companies 

(IBSC) beneficial ownership verified through an 

approved third party assurance process (M5); 

IBSC that has agreed to cancel their bearer 

shares and re-issue them in a registered form or 

to put them in custody (M3 and M4), must be 

classified as SCC until they meet the relevant 

requirements. 

For example, Under Group's Sustainability Risk 

Management Policy, "Group members must 

ensure that the financial services which they 

provide to customers do not indirectly result in 

unacceptable impacts on people or on the 

environment." 

See section 7.4 of 

Corporates & 

Partnerships EDD 

Chapter 

26 

http://fim.ghq.hsbc/fim/home.nsf/ByRef/UKWE77TKZ916162109102007?open&language=en 

Page | 83 

INTERNAL

SCC 

10 

SCC 

11 

SCC 

12 

 

evasion, bribery, or corruption, human 

trafficking, proliferation, organised 

crime, as well as those entities that 

pose sustainability/environmental 

concerns. 

Any Restricted customers which do 

not fall under a prescribed SCC 

category. 

Offshore Banking License 

Individuals or entities with a known and 

material level of exposure to a Sensitive 

Sanctioned country 

Individuals, who effectively own, operate 

or exercise any significant control in 

relation to any of the 

businesses/activities listed above 

Certain Customers, mainly pharmaceutical, 

where a portion of or all of their operations relate 

to medical marijuana where not prohibited by 

local law e.g. U.S." 

Bank customers solely operating under an offshore 

licence. 

I.e. Where the Global Sanctions Policy 27 

requires an SCC rating to be provided where a 

Customer has obtained Customer Sanctions 

Risk Approval (CSRA) 28 . 

E.g. Individuals linked to SCC 03, SCC 04, SCC 

05, SCC 06, SCC 07, SCC 08, or SCC 10 



Banks 

Refer to the Global 

Sanctions Policy for 

more information. 

27 Refer to the Global Risk FIM - D2.19.2 Appendix B of The Global Sanctions Policy. 

28 

Required for Customers that have exposure to Sanctioned Countries. 

Page | 84 

INTERNAL

Appendix C – Examples of High Risk Business Types 

Higher Risk 

Nature of 

Business 

Transportation 

of Goods 

Cash Intensive 

High Value 

Products 

Exposure to 

potential 

criminal 

activities 

Dual Use Goods 

Business 

Services 

Rationale for Higher Risk 

Potential for money laundering 

through shipments of physical 

cash or other illicit goods, and 

potential breaches of 

sanctions, human trafficking 

and terrorism. 

High exposure to stolen goods. 

For example, Criminals may 

target pawnbrokers to obtain 

funds due to the reduced 

requirements for obtaining a 

loan (the customer only needs 

an item to provide as 

collateral). 

Increased risk of being used at 

the placement and integration 

stages of money laundering to 

conceal or legitimise funds 

through the buying and selling 

of high value products. 

Potential exposure to criminal 

activities such as: 

Human Trafficking 

Tobacco smuggling 

Hydrocarbon theft 

Terrorist Financing 

Considered high risk as linked 

to the production, import or 

export of precursor goods that 

may be used for chemical 

weapons or explosives. 

Can potentially facilitate the 

establishment and acquisition 

of shell companies. 

Can potentially assist in 

disguising ownership control of 

a legal person or entity. 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Examples of Potentially Impacted 

Business Types 

Freight forwarders 

Freight shipping companies 

Import/ export traders 

Virtual Importers/Exporters 

Equipment rental and 

manufacturing related to transport 

Charterers or Operators of Ships, 

Vehicles or Aircraft 

Couriers 

Night clubs 

Pawnbrokers 

Independently Owned (i.e. not part 

of a large organisation) Cash 

Intensive: including: beauty/hair 

salons, taxi and limousine drivers, 

convenience stores, independent 

gasoline stations, laundromats, 

vending machine operators, 

restaurants, taverns, bars, and 

parking garages. 

Privately owned ATMs/teller 

machines – the cash used to supply 

the machines may come from 

illegitimate sources. 

Precious metals, stones, jewellery 

dealers or wholesalers, particularly 

gold and diamonds 

Art & Antiques 

Auctioneers 

Real estate developers, brokers 

and appraisers 

Sex industry establishments 

Tobacco Wholesalers 

Hydrocarbon Trading/Investing 

Telephone card/phone centres and 

distributors 

Construction companies 

Extractive Industries, e.g. mining 

Pharmacedutical Companies 

Chemical Companies 

Nominee Incorporation services 

(NIS) 

Attorneys 

Accountants 

Example CDD Considerations 

What countries does the entity 

do business with? Does this 

make sense given what is 

known about the entity? 

Is there any adverse media 

reporting? 

Does the Transaction picture 

make sense given what is 

known about the nature of 

business? 

Would a site visit be useful? I.e. 

to check that the business is real 

and understand what controls 

they have in place. 

Does the source of wealth and 

funds make sense? 

Would a site visit be useful? I.e. 

to check that the business is real 

and understand what controls 

they have in place. 


reporting? 

Does the source of wealth and 

source of funds make sense 

given what is known about the 

nature of business? 


reporting? 

What countries does the entity 

trade with? Does this make 

sense given what is known 

about the entity? 

Does the entity have appropriate 

trading licenses in place? 

Are they registered or licensed 

with an appropriate authority? 


reporting? 

Page | 85 

INTERNAL

Appendix D - Prohibited Accounts and Services 

Description Additional information Supporting Guidance 

HSBC does not allow domestic or foreign bank 

Payable-through-accounts through domestic or 

customers to provide payable-through-accounts to 

foreign bank customers 

their customers on their HSBC accounts. 

Where the customer has instructed all 

documentation related to the account are to be 

held on their behalf until collection; 

Hold Mail 

And, Customers that use an HSBC location as 

their mailing address. 

Remittance Services for Non-Customers 

viii. Direct control of internal concentration or 

suspense accounts by customers 

Travellers Cheques, Pre-Paid Travel Cards and U.S 

Postal Money Orders 

The physical transportation of currency and monetary 

instruments by employees. e.g. bulk cash 

Wholesale cross border banknotes trading business 

Payments and Cash Management services to any 

Gaming/Gambling customers 

Virtual Currency 

Additional prohibited accounts, as required by the 

Country AML Policy and local AML laws, rules, and 

regulations 

Any other product or service as determined by the 

Global Head of AML 

Issue of demand drafts and origination, wire 

transfers or other same-day value payment 

systems such as Automated Clearing House 

(ACH); 

ix. 

Sale of Travellers Cheques and sale of Pre-Paid 

travel cards (such as those issued by Visa or 

American Express) by Group Offices; 

Travellers Cheques Deposits and encashments; 

Any ongoing servicing provided for existing Pre- 

Paid travel cards; 

Accepting/negotiation of a U.S. Domestic Postal 

Money Order bearing the proviso, “Negotiable only 

in the US and possessions” by Group Offices 

outside the United States, its possessions and 

freely associated states”; 

Including: 

Buying, selling and shipping large volumes of bank 

notes cross border typically shipped via plane, 

armoured car or containerised cargo. 

Receiving large shipments of currency 

Directly when taking possession of an actual 

shipment. 

Indirectly when taking possession of the economic 

equivalent of a currency shipment such as cash 

being delivered to the central bank vault or third 

party vault 

A medium of exchange that operates like a 

currency in some environments but is not issued 

by a central bank or public authority nor does it 

have legal tender status in any jurisdiction e.g., 

Bitcoin. 

E.g. Entities subject to Section 311 Designations 

in the US. 

x. Concentration and 

Omnibus Accounts 

Guidance 

Monetary Instruments 

Guidance 

Cash Services Guidance 




Gambling 


INTERNAL 

Page | 86

RBWM CDD Process LoBP Refresh October 2016 Final 2 31102016

Create successful ePaper yourself

Delete template?

Save as template?