RBWM CDD Process LoBP Refresh October 2016 Final 2 31102016
Global Customer Due Diligence (CDD)
Global RBWM Process Line of Business Procedures (LoBPs)
October 2016
INTERNAL
Revision History

Date | Version | Status | Prepared by | Comments
8th June 2015 | 1.0 | Draft | James Thompson | First refresh produced following review of snagging list items
15th June | 1.1 | Draft | James Thompson | Reviewed with GAMLO, RBWM FCC and RBWM Business. Amendments tracked in document and issued for review
19th June | 1.2 | Draft | James Thompson | Updated following review meeting
30th July | 1.3 | Draft | Alan Clare | Updated with final amendments following approval of changes by Lynda Cassell
7 October 2015 | 1.4 | Publication | James Thompson | Separated Governance LoBP from this document; updated reference numbers and minor formatting corrections completed
24 March 2016 | 1.5 | Draft | Jane Fletcher | Updates to LoBP post RBWM FCC/AML and GAMLO review
08 April 2016 | 1.5 | Draft | Jane Fletcher | Updates from GAMLO
13 July 2016 | 1.6 | Final Draft | Jane Fletcher | Sign-off from GAMLO
14 July 2016 | 1.7 | Publication | James Thompson | July 2016 - Final
28 Sept 2016 | 1.8 | Draft | Jane Fletcher | Policy refresh update
31 Oct 2016 | 1.9 | Publication | James Thompson | October 2016 - Final

Sign Off

Role | Name | Sign-off Date
Global Head of FCC & MLRO | Robert Werner | 25/10/16
SVP Global Head of AML Policy | Lynda Cassell | 10/8 & 5/10 (QC&QA)
Global Head of AML, FC Compliance | Barbara Patow | 12/8 & 5/10 (QC&QA)
RBWM Policy Approval Committee | Committee Members | 12/8 & 2/9 (QC&QA)
1. Introduction

Key Objective
HSBC is committed to implementing Customer Due Diligence (CDD) policies and procedures to safeguard against Financial Crime risks, including the risks of money laundering, fraud, terrorist financing, tax evasion, sanctions, and bribery and corruption. HSBC's legal and regulatory requirements have been set by regulators in the countries in which HSBC offers products and services.

How will the Objective be achieved?
This document and subsequent chapters represent the CDD Process Procedural Standards. It expands on the content of existing HSBC policies and principles and the AML Written Programme in order to establish a globally consistent set of CDD procedures to be implemented across HSBC.

Scope of Chapter
1.1 Introduction
1.2 Objectives of this document
1.3 Navigation by Key Areas
1.4 Key Related Documents
1.5 Related Processes

Related Chapters
Please see Sections 1.4 and 1.5 of this Chapter.

Other Related Documents and Processes
Please see Sections 1.4 and 1.5 of this Chapter.
1.1. Introduction

1.1.1. HSBC must define and implement Global CDD procedures as part of the overall HSBC Financial Crime Risk Control Framework, to deter, mitigate and safeguard against Financial Crime risks, including money laundering, fraud, terrorist financing, tax evasion, sanctions, and bribery and corruption.

1.1.2. This document and subsequent chapters, collectively called the Global RBWM CDD Procedural Standards, provide detailed procedures to be followed in order to address the above risks and comply with regulatory requirements and guidance. These documents have been developed as Line of Business Procedures from the Global CDD Procedural Standards. The Global CDD Procedural Standards must be adopted as a minimum standard; the RBWM Procedures may exceed them.

1.1.3. This document will provide information to the following parties:
a) Lines of Business: Global Business and their Product providers
b) Operational Functions, including CDD Operating Units (or equivalent)
c) Global Functions, including Financial Crime Compliance (FCC), Tax, Legal and Global Risk

1.1.4. The CDD Procedural Standards expand upon Section 3 of the Anti-Money Laundering Written Programme Policy Part I (AML Programme) and set out the minimum Global CDD Procedural Standards covering the CDD Process and Customer Type Procedures to be applied.

1.2. Objectives of this document

1.2.1. Implementation of and compliance with these procedures will:
a) Enable RBWM and its employees to comply with anti-money laundering and counter terrorist financing laws and regulations, as well as regulatory guidance
b) Enable RBWM to deter Customers from using its facilities to launder the proceeds of illegal or illicit activities, fund terrorist activities or violate lawful sanctions
c) Facilitate cooperation with law enforcement authorities to the fullest extent permitted by law and regulation
d) Enable employees to detect and report suspicious activity, relationships and transactions
e) Promote good corporate governance and risk management throughout RBWM and properly manage and mitigate money laundering and sanctions related risks
1.3. Navigation by Key Area

1.3.1. This document is divided into the Global RBWM CDD Process Procedural Standards (see Appendix 1) and the Customer Type CDD Procedural Standards (see Appendix 2):

Chapter 1: Introduction
This section sets out the objectives and provides guidance on the use of the Global CDD Procedural Standards. It positions the document in relation to the wider context of the AML Programme.

Process Chapters 2-11: CDD Process Procedural Standards (see Appendix 1)
Customer Due Diligence (CDD) Process
Screening
Periodic and Event Driven Reviews
Escalation Process
Approvals
CDD Risk Acceptance
Quality Control and Quality Assurance
Customer Data Management, Verification Requirements and Key Risk Indicators & Management Information
Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products
Governance

Customer Chapters 1-9: Customer Type CDD Procedural Standards (see Appendix 2)
Individuals
Trusts
Sole Traders
Clubs and Societies
Private Investment Vehicles (PICs & PIFs)
Reliance
Insurance

1.4. Key Related Documents
1.4.1. During the course of the CDD Process, other key documents are to be used alongside the Global RBWM CDD Procedural Standards Manual. Readers should in particular familiarise themselves with:
a) AML Programme: a high level, principles based policy document which outlines key considerations in order to meet applicable requirements and guidelines and to mitigate the potential compliance, regulatory and reputational risks associated with money laundering, terrorist financing and proliferation financing.
b) Financial Crime Compliance Risk Assessment Model (FCC-RAM): the methodology used to risk assess Customers and determine the Customer's Financial Crime Risk Rating (FCRR). The Customer's FCRR plays a key role in determining the CDD requirements for onboarding new Customers and monitoring on-going relationships.
c) Client Selection and Exit Management (CSEM) including Business Acceptance: the CSEM Policy must be followed in all cases of Client Selection and Exit Management.
d) Sanctions Policy: outlines key considerations to mitigate the risks associated with violations of sanctions laws and regulations and the risk of conducting business with sanctioned parties.

1.4.2. For further information, queries or guidance on the content or use of this or other key documents, readers should consult FCC.
1.5. Related Processes

1.5.1. The CDD Process forms part of a holistic Financial Crime Risk Management Framework and should be read in conjunction with other related Financial Crime Procedural Standards, which include but are not limited to:
a) Client Selection and Exit Management (CSEM) including Business Acceptance
b) Transaction Monitoring
c) Unusual Activity Reporting and Suspicious Activity Reporting
d) Payment/Message Screening
e) Name screening processes
f) Counterparty Fraud, including Fraud Certification
g) Anti-Bribery and Corruption (ABC) policies and procedures
Appendix 1: Description of the CDD Process Chapters

Chapter 2: Customer Due Diligence (CDD) Process
This section includes the CDD processes which support and facilitate the completion of CDD Procedures. This includes a description of the CDD process, roles and responsibilities, CDD requirements and determination of the Financial Crime Risk Rating (FCRR).

Chapter 3: Screening
This section includes the types of Screening required, the method of Screening and the process to be followed as a result of a Screening hit.

Chapter 4: Periodic and Event Driven Reviews
This section outlines the definition, frequency and requirements of Periodic and Event Driven Reviews.

Chapter 5: Escalation Process
This section includes the processes for Escalation where information may indicate heightened Financial Crime Risk. This may be identified at onboarding or at any point throughout the Customer relationship. This section outlines the Escalation Process from initiation to completion.

Chapter 6: Approvals
This section includes the risk based Approval matrices for sign off of the CDD Profile at onboarding and at Periodic or Event Driven Review.

Chapter 7: CDD Risk Acceptance
This section includes the CDD Risk Acceptance process that must be adhered to for temporary and permanent CDD Risk Acceptance.

Chapter 8: Quality Control and Quality Assurance
This section includes the Quality Control ("QC") and Quality Assurance ("QA") procedures that provide an evaluation of the quality of information and documentation retained in the CDD Profile against the established CDD standards.

Chapter 9: Customer Data Management, Verification Requirements and Key Risk Indicators & Management Information
This section includes the procedures related to Customer Data Management, including the verification of documents, key risk indicators and management information.

Chapter 10: Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products
This section includes the definition and procedures for SCCs and Prohibited Customers. This chapter should be read in conjunction with the appropriate Customer Type Procedural Standard.

Chapter 11: Governance
This section includes the hierarchy of the documents that support the implementation of the CDD Procedural Standards and the related responsibilities for their approval and maintenance.
Appendix 2: Customer Family/Customer Types

Definitions of the Customer Families and Customer Types are provided below:

Customer Family: Individuals
Customer Type: Retail Individual
Definition: A natural person managed in Retail Banking and Wealth Management (RBWM) and not a HNWI (refer to the HNWI definition below).

Customer Family: Individuals
Customer Type: High Net Worth Individual ("HNWI")
Definition: A natural person who is managed outside of GPB and is either:
(i) a Premier Top Tier Customer, or has the equivalent Total Relationship Balance (TRB) in that market; or
(ii) where Premier Top Tier is not available, has a Total Relationship Balance (TRB) with HSBC equal to or greater than USD 1 million.
Note: TRB is defined as the sum of total assets held with HSBC, excluding loans, mortgages and other borrowings with HSBC.

Customer Family: Trusts
Customer Type: Private Holding Trust
Definition: A Private Holding Trust is typically established for the purpose of wealth management so that the assets of an Individual may be smoothly transferred from one generation to the next. Alternatively, this type of Trust may be established for asset protection purposes. For this type of Trust, a Settlor may be an Individual, a Private Investment Vehicle (PIV) or a Private Investment Company (PIC).

Customer Family: Non-Financial Institution and Commercial Enterprises
Customer Type: Sole Traders
Definition: A Sole Trader, also known as a sole proprietorship or a proprietorship, is a type of business entity that is always owned and generally run by one individual and in which there is no legal distinction between the owner and the business (i.e. it is not incorporated). The owner receives all profits and has unlimited responsibility for all losses and debts. All assets of the business are owned by the Sole Trader. A Sole Trader may use a "Trading As" name or business name other than his or her legal name.

Customer Family: Non-Financial Institution and Commercial Enterprises
Customer Type: RBB Corporates and Partnerships
Definition: Corporates are incorporated entities established for commercial trading activity with the objective of generating profits. They commonly have limited liability, can be owned by shareholders who can transfer their shares to others, and can be controlled by a board of directors who are normally elected or appointed by the shareholders. Partnerships and unincorporated businesses, although principally operated by an individual or a group of individuals, differ from private individuals in that there is an underlying business.

Customer Family: NPOs
Customer Type: Clubs and Societies
Definition: An association of members sharing a common interest, with a structure (formal or informal) through which they can pursue that interest. Depending on size, purpose and jurisdiction, a club or society may be incorporated or unincorporated. For the purposes of this document, clubs and societies (whether incorporated or unincorporated) will be treated as a Partnership unless otherwise specified (refer to the Corporates and Partnerships section for additional detail). E.g. a chess club.

Customer Family: Private Investment Structures
Customer Type: Private Investment Vehicles: Private Investment Companies and Private Investment Funds
Definition:
Private Investment Company: An incorporated entity (wherever constituted) ultimately beneficially owned by an individual or a small number of individuals, who are all connected to each other by family relationship or other similar close association, the sole purpose of which is holding and investing the ultimate beneficial owner's (or owners') personal wealth. Assets held may include, but are not limited to, real property, shares, bonds or any negotiable instrument.
Private Investment Fund: A Fund which satisfies one of the following criteria:
(i) is limited to 10 or fewer investors (whether individuals or entities); or
(ii) is only open to investors (individuals) who are all connected to each other by family relationship or other similar close association, or to investors (entities) which are connected by legal structure, for example entities in the same controlled group.
2. Customer Due Diligence (CDD) Process

Key Objective
To safeguard against Financial Crime risks including money laundering, fraud, terrorist financing, bribery and corruption, tax evasion and sanctions, as well as to comply with legal and regulatory requirements.

How will the Objective be achieved?
The CDD Process outlines the specific roles, responsibilities and procedures to identify, verify and validate Customers in order to assess and manage the Financial Crime risk associated with specific Customer Types using a Risk Based Approach.

Scope of Chapter
2.1 Introduction
2.2 Roles and Responsibilities
2.3 Customer Type Determination and Pre-CDD
2.4 Financial Crime Risk Rating
2.5 CDD at On-boarding
2.6 Final FCRR
2.7 On-going CDD

Related Chapter
Periodic and Event-Driven Reviews

Other Related Documents and Processes
Financial Crime Compliance Risk Assessment Model
Three Lines of Defence Model (GCL 150011)
2.1 Introduction

2.1.1. Customer Due Diligence (CDD) is the process of obtaining and maintaining a profile of information and documentation about the Customer related to their existence, business or occupation, expected activity and purpose of the account. This process enables the assessment of the Financial Crime risk in accordance with the Financial Crime Compliance Risk Assessment Model and the subsequent management of those risks.

2.1.2. One of the outcomes of the CDD process is the determination of the Customer's final Financial Crime Risk Rating (FCRR). The final FCRR (which may differ from the initial FCRR, as the FCRR may be manually increased through the completion of the CDD onboarding template) will determine the level of due diligence required, the levels of approval required and the on-going monitoring, including the frequency of the periodic review cycle.

2.1.3. This Section provides an overview of each part of the Customer Due Diligence (CDD) Process, including roles and responsibilities, Pre-CDD, initial FCRR, CDD at onboarding, final FCRR and on-going CDD.

2.2 Roles & Responsibilities

2.2.1 The Group has adopted a risk management and internal control structure, referred to as Three Lines of Defence [1]. This structure is in place to ensure that HSBC meets its regulatory and legal requirements while achieving its commercial aims and meeting its responsibilities to shareholders, Customers and staff.

2.2.2 First Line of Defence: comprising the majority of employees, identifies the risks and ensures that the right controls are in place to prevent, manage and reduce the risks.

2.2.3 Second Line of Defence: a much smaller group of employees, sets policy and guidelines for managing operational risks, and provides advice and guidance to support these policies. It also challenges the First Line of Defence to ensure that its risk management activities are working effectively. The Second Line of Defence is independent of the day to day commercial risk-taking activities undertaken by the First Line of Defence.

2.2.4 Third Line of Defence: Global Internal Audit forms the Third Line of Defence. Global Internal Audit independently assures that the Group is managing operational risk effectively. The table below outlines the roles relevant to the CDD process within each Line of Defence. Regional and Country terms will be defined within the Regional and Country Procedures.

[1] Please see GCL 150011 - Refreshed Three Lines of Defence Roles & Responsibilities, for additional information.
2.2.5 Under the Three Lines of Defence for RBWM, there are key roles and responsibilities for the Business, the CDD Operating Unit (where applicable) and FCC, specific to the CDD Process. Specific roles and responsibilities will be defined throughout the RBWM procedures where it is appropriate to do so at a global level.

2.2.6 These Procedures outline the CDD Process to be undertaken at:
(i) On-boarding of the Customer, and
(ii) As part of the on-going Customer management

2.3 Customer Type Determination and Pre-CDD [2]

2.3.1 Definitions
For the purpose of the Global CDD Procedural Standards the terms Customer and Connected Parties are defined as noted below:
a) Customer: The term "Customer" can be used instead of "Client". In general, the Customer is the party, or parties, with whom a business relationship is established by providing a product or service, or for whom a transaction is carried out. A relationship need not involve an actual physical transaction or the provision of a banking product; giving advice can constitute establishing a business relationship.
b) Connected Parties: A Connected Party is a term used to describe a party (a natural person or a legal entity) who has the power to direct or influence the activities of the Customer through the management or ownership structure and/or is a Beneficial Owner of the Customer. Connected Parties may include Beneficial Owners, Key Controllers, Trustees, Settlors/Grantors/Founders, Protectors, or other defined beneficiaries of a legal arrangement.

2.3.2 Customer Type Determination and Pre-CDD
Within RBWM, the majority of Customers will be Individuals. Different types of Customers pose different Financial Crime risks and as a result, different data points and procedures are required for each Customer Type in order to assess the Financial Crime Risk of the Customer appropriately. The data points and specific procedures for each Customer Type are outlined in the specific Customer Type CDD Procedures and Templates.

2.3.3 In order to determine which Customer Type CDD Procedures must be followed, the Customer Type must first be identified by collecting sufficient information from and/or about the Customer to establish which Customer Type they fall under. In RBWM the most frequent Customer Type will be Individual. Other Customer Types include Trusts, Private Investment Vehicles (PICs and PIFs), and Sole Traders.

2.3.4 Once the Customer Type is determined, the specific Customer Type CDD requirements must be followed to collect the information and documentation required throughout the CDD processes.

2.3.5 RBWM has published CDD Procedures for the types of Customers for which accounts are most frequently opened. Where RBWM has not produced a CDD Line of Business Procedure for a specific Customer Type (e.g. a bank, a religious organisation, a foundation), the entity/organisation should be referred either to another Line of Business or to Country FCC.

2.4 Financial Crime Risk Rating (FCRR)

2.4.1 The Financial Crime Compliance Risk Assessment Model (FCC-RAM) has been developed to assess the Financial Crime risk associated with specific Customer Types. The FCC-RAM risk assesses Customers as High, Medium or Low, or classifies Customers as Special Categories of Customers (SCC). Please see Chapter 10, Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products, for additional information on SCCs.

[2] Pre-CDD refers to the stage preceding the formal commencement of CDD. Its components, approach and timing may vary by LoB, Customer Type and applicable operating model. Pre-CDD typically does not apply to Individual Customers.
2.4.2 The FCC-RAM uses information obtained during Pre-CDD to determine the Customer's initial Financial Crime Risk Rating (FCRR), which determines the level of CDD to be performed.

2.4.3 FCC-RAM inputs may be re-visited through the CDD process based on additional information received. Initial data points collected during the determination of the initial FCRR will be replaced with valid and actual data points, which may affect the final computed (i.e. calculated) FCRR. There may be a final adjusted Risk Rating following manual adjustment (see Section 2.6).

2.5 CDD at Onboarding

2.5.1 The specific requirements for CDD based on the Customer Type and the Customer's initial FCRR are outlined in the Customer Type CDD Procedures.

2.5.2 CDD is performed through Identification & Verification (ID&V), Know Your Customer (KYC) and, where applicable, Enhanced Due Diligence (EDD).
- Identification & Verification (ID&V): identifying who the Customer and their Connected Parties are by gathering information about their identity, and verifying some or all of the information gathered using reliable and independent documentary and/or electronic sources.
- Know Your Customer (KYC): the purpose of KYC is to obtain a thorough understanding of the Customer. This is performed by screening, collecting information and documentation about what the Customer does (e.g. business type, country of operation, source of wealth and source of funds), and understanding the intended purpose, use and activity of the account.
- Enhanced Due Diligence (EDD): certain Customer Types and Customers with certain characteristics pose a higher risk of Financial Crime (e.g. High Risk Customers and SCCs). Enhanced Due Diligence must be performed to mitigate the increased risk of Financial Crime associated with these Customers.

2.5.3 CDD applies to the Customer, Connected Parties [3] to the Customer and other relevant parties as defined in the specific Customer Type CDD Procedures.

2.5.4 In some markets, duplicate Customer profiles and/or Customer IDs are created, for example if the Customer uses different ID sources at onboarding.

2.5.5 Processes and systems must be in place to prevent the creation of duplicate Customer profiles, because a duplicate distorts the effective risk rating and screening of the Customer and means that the Customer's overall risk profile is not fully considered.

2.5.6 However, where the creation of duplicate profiles is unavoidable, Countries must agree a process to manage this. [4]

[3] RBWM is not required to risk rate Connected Parties.
[4] The Global Target Operating Model provides the necessary guidance.

2.6 Final FCRR

2.6.1 Based on the information obtained during CDD (ID&V, KYC and, where applicable, EDD) the FCC-RAM is re-run and the Customer's final FCRR is determined.

2.6.2 The final FCRR determines the level of approval required for the Customer, and the level of on-going monitoring including the Periodic Review cycle.

2.6.3 The final FCRR may be manually adjusted based on information received during the CDD process or as a result of an outcome following the escalation of a Financial Crime Indicator. Adjustments can take three forms:
- Policy driven adjustments: the SCC Policy requires that certain Customers be marked as SCC irrespective of the FCC-RAM driven FCRR (see the Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products Chapter).
- Country Regulation adjustments: where country regulation requires an adjustment, this will be captured in the Country addenda (please see the AML Governance LoBP for further guidance). Local risk factors also need to be considered for localisation of the RAM methodology.
- Judgmental adjustments: as a result of analysing data collected during the CDD process or as a result of an outcome following the escalation of a Financial Crime Indicator, the Customer's FCRR may be adjusted upwards at the discretion of Country FCC.

2.6.4 An adjustment to the final calculated FCRR can only serve to move the Customer into a higher risk category.

2.6.5 If the rationale for the manual adjustment is no longer applicable, the FCRR may revert to the FCC-RAM calculated FCRR (for removal of SCC status, see the Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products Chapter).

2.6.6 The figure below demonstrates the factors that may lead to a difference between the initial FCRR and the final FCRR.

2.7 On-going CDD

2.7.1 To ensure that CDD information and documentation is kept up to date, complete and accurate, On-going CDD is performed through Periodic or Event Driven Reviews. Please refer to the Periodic and Event Driven Reviews Chapter.
3. Screening

Key Objective(s)
To understand the nature of HSBC's Customer, its business and any associated Financial Crime risks posed by the Customer.

How will the Objective(s) be achieved?
Screening enables HSBC to identify high risk indicators that have not been identified elsewhere in CDD or that the Customer has failed to bring to our attention. Customer screening plays an integral part in HSBC's CDD processes and helps to identify those Customers who may pose a higher risk of Financial Crime to HSBC. Customer screening takes two forms:
(i) Screening against Official Sanctions, Terrorist, PEP and Other lists
(ii) Negative News Screening

Scope of Chapter
3.1 Introduction
3.2 Key Screening Principles
3.3 Screening against Official and Other lists
3.4 Negative News Screening
3.5 Screening, Negative News and Negative Facts Tools

Related Chapters
Escalations
Politically Exposed Persons (PEPs)
Approvals
Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products

Other Related Documents and Processes
Global AML Policy
Global Sanctions Policy
RBWM Sanctions Policy
Customer Selection and Exit Management
The Global Sanctions Manual Screening Guidance (link): https://team.global.hsbc/sites/FinancialCrimeCompliance/SitePages/Home.aspx
3.1 Introduction
3.1.1 Customer screening is an integral part of HSBC's CDD processes. It is conducted at onboarding and on an on-going basis and consists of two elements:
a) Screening against the Official Lists (see footnote 5) and Other Lists
b) Negative News/Facts Screening
3.1.2 Screening against Official and Other Lists helps to identify those Customers who may pose a higher risk of Financial Crime to HSBC, due to their presence on an internal or external blocked or restricted activity list.
3.1.3 Negative News Screening allows us to identify further information on the Customer which contributes to establishing a full understanding of the Financial Crime risks associated with the relationship.
3.1.4 This section outlines the key process elements of Customer screening. RBWM will define how Customer screening is operationalised in country in their Country LoBPs.
3.2 Key Screening Principles
3.2.1 Screening must be undertaken on the Customer and its identified Connected Parties. The specific parties which require Screening are set out in the Customer Type CDD Procedural Documents, e.g. Individuals.
3.2.2 Screening against Official and Other Lists must be conducted in line with the AML Policy and the Global Sanctions Policy.
3.2.3 Where beneficiaries of deceased customers (excluding those related to Insurance products) have not been identified, it is mandatory to complete screening prior to any payment being made to these parties.
3.2.4 For Insurance, where beneficiaries are defined as Connected Parties who "control", "direct" or "contribute" to an insurance product and are therefore subject to ID&V (as stipulated in RBWM CDD Customer LoBP Section 1.8), the following screening principles apply:
a. At on-boarding of an insurance product: should such a beneficiary be listed or known during the onboarding of a product, the beneficiary must be screened; and
b. Change in beneficiary: at any point when such a beneficiary is added or an existing beneficiary is replaced by a new one, the new beneficiary must be screened.
3.2.5 In addition, it is mandatory to complete CDD and screening on all insurance beneficiaries when the proceeds of a policy become due, prior to payment of such proceeds. This applies regardless of whether the beneficiary has previously been identified as a Connected Party (as defined above) or is only a named beneficiary with no influence over the insurance product (e.g. a nominated beneficiary). Also refer to RBWM AML LoBP Section 4 – Insurance, paragraph G.2.1.3.
3.2.6 Screening for named members under an insurance group scheme should be completed as set out in RBWM AML LoBP Section 4 – Insurance, paragraph G.2.1.5.
3.3 Screening against Official and Other Lists
Types of Official and Other Lists
3.3.1 Screening must be completed against Official Lists and Other Lists, which are defined as follows:
5 The Official Lists are the lists of individuals, entities or organisations who have been designated as sanctioned targets by the UN, UK, US, EU or HK. The Official Lists which must be screened are set out in the Global Sanctions Policy.

Official/Other List and Description

Official Lists
Sanctions and Counter Terrorist Financing lists: HSBC must comply with Sanctions and Counter Terrorist Financing laws. Identified details must be checked against the Official Sanctions Lists outlined in Appendix C of the Global Sanctions Policy. These include the lists issued by:
a) United Nations
b) European Union
c) US Treasury OFAC
d) HM Treasury (UK)
e) Hong Kong Monetary Authority
f) USA PATRIOT Act Section 311 Special Measures
Other Official Lists are issued by the Competent Authorities in the jurisdictions in which HSBC operates, as required by local regulations. If applicable, registration should be made with local authorities in order to receive any local sanctions lists. Link to the Global Sanctions Policy appendix listing the Global Sanctions Lists:
http://fim.ghq.hsbc/FIM/home.nsf/ByRef/UKWE9H5P7818032912032014?Open&language=EN

Other Lists
Scion (or other internal watch list systems): HSBC maintains an internal list of parties who are not designated but whom HSBC believes present an unacceptable Financial Crime risk to HSBC.
Politically Exposed Persons (PEPs) list: Group Policy requires the Business to identify Politically Exposed Persons.
Other Country-specific lists: At country level, HSBC entities may maintain lists of parties that pose a Financial Crime risk, e.g. an additional list of persons as determined by local authorities. If applicable, registration should be made with local authorities in order to receive any such lists.
Information to be Screened
3.3.2 The data points for the Customer and any Connected Parties which must be screened against the Official and Other Lists are outlined in the Global Sanctions Policy and are set out in the table below.
3.3.3 If it is known that a Customer has changed their name in the past, Screening against Official and Other Lists must include both the new name and the previous name(s).
3.3.4 Where Screening is undertaken manually as part of onboarding or of Periodic or Event Driven Reviews, Screening against the Official and Other Lists must nevertheless be performed through an automated screening solution, in accordance with the criteria outlined in the Global Sanctions Policy.
3.3.5 The table below identifies the information which must be screened against the Official and Other Lists.
Party: Customers – Individuals
Information to be Screened (Automated Screening):
a) Full legal names identified during ID&V
b) Nationality/Citizenship
c) Gender, name of employer and address of employer
d) City and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
Information to be Screened (Manual Screening):
a) Full legal names identified during ID&V

Party: Customers – Entities
Information to be Screened (Automated Screening):
a) Full legal names and any "Trading As" names
b) City and country of Registered Office address in the country of Incorporation, and city and country of Business address, identified during ID&V
c) City and country of business (if different from the registered office address)
Information to be Screened (Manual Screening):
a) Full legal names and any "Trading As" names identified during ID&V

Party: Connected Parties – Beneficial Owners
Information to be Screened (Automated Screening):
a) Full legal name of the individuals or legal entity identified, including the Ultimate Beneficial Owner and Intermediate Owner
b) Individuals: city and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
c) Legal entities: city and country of Registered Office address in the country of Incorporation, and city and country of Business address, identified during ID&V
d) City and country of business (if different from the registered office address)
Information to be Screened (Manual Screening):
a) Full legal name of the individuals or legal entity identified, including the Ultimate Beneficial Owner and Intermediate Owner, identified during ID&V

Party: Connected Parties – Key Controllers
Information to be Screened (Automated Screening):
a) Full legal name of the individuals and legal entities
b) Individuals: city and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
c) Legal entities: city and country of Registered Office address in the country of Incorporation, and city and country of Business address, identified in ID&V
d) City and country of business (if different from the registered office address)
Information to be Screened (Manual Screening):
a) Full legal name of the individuals and legal entities identified during ID&V

Party: Connected Parties – Other Directors, not identified as Key Controllers
Information to be Screened (Automated Screening):
a) Full legal name of the individuals identified in ID&V
b) City and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
Information to be Screened (Manual Screening):
a) Full legal name of the individuals identified in ID&V

Party: Connected Parties – Direct Appointees
Information to be Screened (Automated Screening):
a) Full legal name of the individuals identified in ID&V
b) Individuals: city and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
c) Legal entities: city and country of Registered Office address in the country of Incorporation, and city and country of Business address, identified during ID&V
d) City and country of business (if different from the registered office address)
Information to be Screened (Manual Screening):
a) Full legal name of the individuals identified in ID&V

Party: Other Connected Parties
Information to be Screened (Automated Screening):
a) Full legal name and any "Trading As" names identified in ID&V
b) Individuals: city and country of residential address (including the current and permanent address if different, as well as any other correspondence address) identified during ID&V
c) Legal entities: city and country of Registered Office address in the country of Incorporation, and city and country of Business address, identified during ID&V
d) City and country of business (if different from the registered office address)
Information to be Screened (Manual Screening):
a) Full legal names and any "Trading As" names identified during ID&V
Timing of 'Official' List Screening
3.3.6 Screening against Official Lists must be undertaken in two situations: Initial Screening at onboarding (a. below) and On-going Screening of existing relationships (Section 3.3.7).
a. Initial Screening at onboarding – New Customer and Connected Party relationships
At onboarding, the Business must screen the Customer and any identified Connected Parties against the Official Lists referenced in Section 3.3.1. This will identify True or Potential Matches of the Customer and Connected Party information to the details of an individual, entity or organisation included in the Official Lists.
Automated screening should be conducted as soon as possible, but no later than 48 hours after the account has been opened or the relationship established. Any alerts must be investigated and discounted within the timeframes approved by the appropriate Screening Committee (RBWM Sanctions Policy).
Official List Screening must be conducted, and any alerts discounted, before any economic benefit (i.e. loans, overdrafts and credit cards) or the ability to perform any transactions is made available to the Customer.
A manual World-Check search of the Customer and Key Connected Parties must be undertaken. The Global Sanctions Manual Screening Guidance (linked in the chapter introduction) should be referenced for the process to follow.
3.3.7 On-going Screening (Official & Other Lists) – Existing Customer relationships
a. Once a Customer has been on-boarded, on-going Screening is required. All customer records will be screened against Official Lists daily through HSBC's automated screening solutions.
b. During Periodic and Event-Driven Reviews, Screening against Official and Other Lists is limited to the names (i.e. Customer name, Trading As name, Connected Parties) that have changed since the last review, or to any new Connected Parties that have been identified. Where such changes have taken place, these names must be screened by the Business; refer to Section 3.3.4 (footnote 6).
c. On-going Screening of beneficiaries of Insurance policies is not required, as it is only completed prior to payment.
Timing of 'Other' List Screening
3.3.8 Screening against 'Other' Lists must be undertaken in two situations:
a) Initial Screening at onboarding – New Customer relationships
i. During the onboarding process, the Business must screen the Customer and any identified Connected Parties against the Other Lists referenced in Section 3.3.1. This screening may be carried out via overnight batch within 48 hours of the account being activated or the product/service being issued.
ii. This will identify True or Potential Matches of the Customer and Connected Party information to the details of an individual, entity or organisation included in the Other Lists.
iii. Any alerts must be investigated and discounted within the timeframes prescribed by the appropriate Screening Committee. In the event that a true PEP match is identified, the Customer may continue to transact on their account while any additional due diligence procedures are completed. All 'Other' List matches must be immediately escalated to local FCC for further instruction.
b) On-going Screening – Existing Customer relationships
i. Once a Customer has been on-boarded, on-going Screening is required. All customer records will be screened against official lists daily through HSBC's automated screening solutions.
ii. During Periodic and Event-Driven Reviews, Screening against Other Lists is limited to the names (i.e. Customer name, Trading As name, Connected Parties) that have changed since the last review, or to any new Connected Parties that have been identified. Where such changes have taken place, these names must be screened by the Business; refer to Section 3.3.4 (footnote 7).
iii. On-going Screening of beneficiaries of Insurance policies is not required, as it is only completed prior to payment.
Resolution of Screening Matches
3.3.9 During the Screening process, if Customer or Connected Party information appears to match an entry on one of the Official/Other Lists, this is classified as a Potential Match. Where a Potential Match is identified, further data points of the subject of the Potential Match must be checked, e.g. date of birth or address, in order to determine whether or not it is a "True Match". Where there is any doubt, the Potential Match must be escalated.
3.3.10 Where a Potential or True Match has been identified, the parties who can resolve the Match will vary. The table below outlines the parties who can resolve Potential and True Matches (see footnote 8).

Official/Other List; Potential Match; True Match
Sanctions and Counter Terrorist Financing lists: Potential Match resolved by the Business. True Match: immediate escalation to FCC (see Escalations Chapter).
Scion (or other internal list systems): Potential Match resolved by the Business. True Match: immediate escalation to FCC (see Escalations Chapter).
Politically Exposed Persons (PEPs) list: Potential Match resolved by the Business. True Match: conduct PEP EDD (see PEPs Chapter for EDD requirements), then escalate to FCC at Approval (see Approvals Chapter) in line with the PEP SCC determination.
Other Country-specific Watch lists: Potential Match resolved by the Business. True Match: immediate escalation to FCC (see Escalations Chapter).

3.3.11 For all Potential and True Matches, the CDD profile must be updated to record the action taken and the rationale for the decision made, i.e. to discount a Potential Match, or to escalate a Potential Match or True Match to Country FCC.
3.3.12 Where a True Match has already been resolved (i.e. at a previous review) and documented, it should only be re-escalated to FCC when additional information is identified (e.g. the Potential Match is against a different list, or against the same list with updated information, such as a PEP who is now included on a sanctions list).
3.3.13 If it is determined that an account must be closed or declined, then the Client Selection and Exit Management (CSEM) policy must be followed.
6 Where the business does not screen existing customers through an automated screening solution, the Customer and all Connected Parties must be screened during the Periodic and Event Driven Reviews, even where there have not been any changes to such parties since the last review.
7 Where the business does not screen existing customers through an automated screening solution, the Customer and all Connected Parties must be screened during the Periodic and Event Driven Reviews, even where there have not been any changes to such parties since the last review.
3.4 Negative News Screening
Definitions
3.4.1 Negative News Screening is a key mechanism for identifying adverse information about a Customer. This ensures that the necessary steps are taken to protect HSBC's reputation.
3.4.2 HSBC applies a risk based approach to its Negative News Screening. The approach to be undertaken is dependent on the Customer Type and is outlined in the relevant Customer Type CDD Chapter. The following guidance should be read in conjunction with the Global Guidance on Minimum Standards for Negative News Searches (including via an Internet Search Engine). See Appendix A.

Definition
Negative News: An indication of adverse information about an individual, a legal entity or a Connected Party that may or may not be factual. Negative News may be speculative and is often not supported by documentary evidence.
Negative News Screening involves public source searches using Group-approved tools and requires a judgmental assessment of the relevance and materiality of any finding. Further investigation may be required to determine the veracity of the information.

8 Regional and Country procedures will outline who within the Business will be authorised to resolve a Potential Match.
Timing of Negative News Screening
3.4.3 Negative News Screening, like Screening against the 'Other' Lists referred to in 3.3.1, must be performed by RBWM as part of the Customer onboarding process, during a Periodic Review and following a Material Trigger Event, unless automated adverse news Screening is in place.
Application of Screening - Negative News Screening
3.4.4 Screening must be carried out against a media archive that contains, at a minimum, global coverage of financial-crime relevant news as reported in credible sources. For searches carried out using an internet search engine, the aggregate of free, publicly-available internet content shall be deemed to satisfy these requirements.
3.4.5 The default internet search engine for internet-based negative news searches is Google.com. In some cases, CAMLO may specify a different search engine (for example, where there are difficulties accessing Google.com, or where another search engine is shown to provide superior search quality for a particular language or character set). This must be set out in the Country AML Addenda.
3.4.6 Negative News Screening should be undertaken on a Risk Based Approach. The depth and breadth of the Negative News search is to be adjusted based on the potential risk posed by the Customer. This is based on two factors:
1. Length of History: The time horizon of the search should be restricted to five years (at onboarding) or to the period since the last search was conducted. In certain circumstances, for instance where Negative News is identified, this time horizon may be extended to establish a fuller understanding.
2. Search strings (see footnote 9): The minimum standards for internet-based negative news searches in English are set out in the Guidance in Appendix A. Where the RBWM CAMLO has determined that internet searches are required to be carried out in languages other than English, the default keyword strings will be defined by the RBWM CAMLO, with guidance from the Global AML and Sanctions Screening Team. A search has a validity period of 90 days in support of onboarding a Customer; where the 90 days are exceeded, a new search should be undertaken.
3.4.7 Please refer to the Individuals Chapter for the filters to be applied to Manual Negative News Screening based on the Customer FCRR.
3.4.8 If it is known that the Customer's name has changed within the last five years (at onboarding) or since the last review, both the new and the previous name(s) must be subject to Negative News Screening.
3.4.9 Where a result provides a link to an internet site that can only be accessed by subscription holders, and the link cannot be discounted based on the information available about its content (such as the title and preview made available freely by the publisher), access to the site should be requested. Access to the internet is managed by the Information Security Policy, and access to blocked sites can be requested by following the instructions provided in the blocking message shown when access is attempted. Where access to the site is denied on security grounds, its content need not be reviewed, as the credibility of such sites is reduced.
3.4.10 Where the only potential Negative News result provides a link to an internet site that can only be accessed by subscription holders, and the link cannot be discounted by reviewing the freely available information such as the title or preview, this should be referred to the appropriate person (e.g. RM, Portfolio Management Team, Line Manager) to determine materiality.
3.4.11 Where the appropriate person is not able to determine materiality, they should seek guidance from local Country FCC.
Materiality of Negative News Screening
3.4.12 Where Negative News is identified, consideration must be given to its materiality and impact on the Customer relationship.
9 List of numbers and characters used when searching for Negative News. Search strings will be agreed with the appropriate Country Business Risk function as part of locally defined search strings.
3.4.13 This assessment is judgemental. However, Negative News/Facts must be considered material where the information is relevant to determining whether the Customer poses a higher risk of Financial Crime.
3.4.14 By way of guidance, the following would be indicative of material Negative News:
a) Criminal and Regulatory enforcement action, a Financial Crime violation or other illegal activity conducted or facilitated by the Customer or a Connected Party
b) Information which prompts an assessment as to whether the Customer would be considered a Prohibited or Restricted Customer as outlined in the Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products Chapter
c) Information which may qualify the Customer as an SCC as outlined in the Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products Chapter
d) Information which highlights Financial Crime Indicators as defined in the Escalations Chapter
e) Information which raises a serious reputational risk concern from HSBC's association with the Customer
3.4.15 Other factors to consider when determining whether Negative News is material include:
a) The seriousness of the News: for example, information about low level litigation brought against or by Customers is generally not material.
b) Ageing of the News: historic Negative News is generally less material than a recent event.
c) Reliability and number of sources: information which is hearsay or from a single non-established source may be less material than information obtained from a reputable source and/or where several sources corroborate the Negative News.
3.4.16 Where there is uncertainty as to whether an item of Negative News is material, FCC must be consulted by initiating the Escalation Process.
Resolution of Negative News matches
3.4.17 The table below outlines the parties who can resolve Potential and True Negative News Matches (see footnote 10):

List; Potential Matches; True Matches (Non Material); True Matches (Material)
Negative News/Facts: Potential Matches resolved by the Business. Non-material True Matches resolved by the Business. Material True Matches resolved by FCC.

3.4.18 For all Potential and True Negative News Matches, the CDD profile must be updated to record the action taken, including any escalation to Country FCC (see Escalations Chapter).
3.4.19 Records of Potential and non-material True Matches must be maintained to demonstrate an auditable trail of discounted matches. This must include details of the match found, who discounted it and the rationale for the discount.
Screening and Negative News Tools
3.4.20 Screening and Negative News tools may be either manual or automated.
3.4.21 Whilst the default internet search engine for internet-based negative news searches is Google.com, any request to use alternative solutions or tools must be submitted to the RBWM Head of AML and then to the Global Head of AML for review and approval, with subsequent approval by the Global Head of AML Systems Analytics, ensuring that the search tools used are effective and suitable for use across the jurisdictions where they are applied.
10 Regional and Country procedures will outline who within the Business will be authorised to resolve a Potential Match.
3.4.22 Where Country FCC recommend appropriate Negative News solutions for use in their jurisdiction, such a request must include a risk analysis of the proposed tool, its relevant parameters, the scope of its intended usage (i.e. RBWM and Customer Type limitations) and local language application.
Appendix A
Global Guidance on Minimum Standard for Negative News Searches v2.0
4. Periodic and Event-Driven Reviews

Key objective: To understand on an on-going basis who our existing Customers are and to ensure CDD information and documentation is kept up to date, complete and accurate, such that Financial Crime Risks are effectively managed.

How will the Objective be achieved? On-going monitoring processes such as Periodic Reviews of CDD Profiles and responding to Trigger Events will ensure that CDD information and documentation is kept up to date, complete and accurate, such that Financial Crime Risks are effectively managed.
Certain concerns (whether they relate to commercial, Financial Crime or reputational risk) may result in a decision to Exit a Customer relationship. In such cases, appropriate due diligence must be undertaken until such time as the Exit is completed.
At all times throughout the Customer relationship, consideration must be given to escalating Unusual Activity and to Suspicious Activity Reporting (SAR) obligations.

Scope of Chapter:
4.1 Introduction to CDD Reviews
4.2 Trigger Events and Event Driven Reviews
4.3 Periodic CDD Reviews - Principles and Approach
4.4 First Time File Reviews (FTFR)
4.5 Periodic Review Frequency
4.6 CDD and EDD requirements at Periodic Review
4.7 Requirements applicable to Entities
4.8 Requirements applicable to Individuals
4.9 Roles and Responsibilities during Periodic Review
4.10 CDD Review Approvals
4.11 CDD Reviews for Exit Customers

Related Chapters:
Customer Data Management, Verification Requirements, KRIs & MI
Escalations
Customer Due Diligence (CDD) Process
Politically Exposed Persons (PEPs)
Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products
Approvals
Individuals
Corporates and Partnerships

Other Related Documents and Processes:
Financial Crime Country Risk Model
Financial Crime Compliance Risk Assessment Model
Customer Selection and Exit Management
Global Sanctions Policy
4.1 Introduction to CDD Reviews
4.1.1 Maintaining up-to-date CDD information throughout the life of the Customer relationship is an important element of Financial Crime Risk Management.
4.1.2 Performing processes such as Periodic Reviews of CDD Profiles and responding to Trigger Events will ensure that CDD information and documentation is kept up to date, complete and accurate.
4.1.3 There are three situations where updates to the CDD Profile may be required:
i. Customer Specific Trigger Events that result in an Event Driven Review (see Section 4.2);
ii. Policy Driven Trigger Events (see Section 4.2); and
iii. Periodic Reviews (see Section 4.3).
4.1.4 Certain concerns may result in a decision to Exit a Customer relationship. In such cases, appropriate due diligence must be undertaken leading up to the planned Exit.
4.2 Trigger Events and Event Driven Reviews<br />
Types of Trigger Events<br />
4.2.1 Trigger Events are defined as changes in circumstances occurring after onboarding or between Periodic<br />
Reviews which affect an existing Customer or its relationship with HSBC. Trigger Events require the<br />
Customer’s <strong>CDD</strong> Profile to be updated and their Financial Crime Risk Rating (FCRR) to be re-assessed.<br />
4.2.2 Appendix 1 lists Trigger Events for each Customer Type. Appendix 1 is not intended to be exhaustive but<br />
sets out the global minimum requirements.<br />
4.2.3 Trigger Events can take two forms:<br />
a) Customer Specific Trigger Events<br />
b) Policy Driven Trigger Events<br />
Customer Specific Trigger Events<br />
4.2.4 Customer Specific Trigger Events are defined as changes as a result of:<br />
a) New or changed information about a Customer being identified between Periodic Reviews; or<br />
b) New products being taken on by a Customer.<br />
4.2.5 The materiality of a Customer Specific Trigger Event is dependent on the Customer Type and the nature of<br />
the event. The necessary action following a Customer Specific Trigger Event depends on the impact of the<br />
event itself, classified as either:<br />
a) Material; or<br />
b) Administrative<br />
4.2.6 Once a Customer Specific Trigger Event is identified, the Trigger Event process must be initiated.<br />
Trigger Event <strong>Process</strong> for Customer Specific Trigger Events<br />
4.2.7 The following table describes the impact of Customer Specific Trigger Events and the extent of <strong>CDD</strong><br />
required:<br />
Impact: Material<br />
Description & <strong>CDD</strong> Review Requirements: Material Trigger Events are those that either:<br />
i. Increase the Customer’s FCRR; or<br />
ii. Indicate a fundamental shift in a Customer’s business activity or relationship with HSBC.<br />
As a result of a Material Trigger Event, a Customer review must be undertaken (see Section 4.6 (Individuals)<br />
and 4.7 (Entities) on Periodic Reviews).<br />
As a result of a Material Trigger Event, the next Periodic Review date will be reset (see Figure 4.1) in line<br />
with the new FCRR Periodic Review frequency (see section 4.4).<br />
Impact: Administrative<br />
Description & <strong>CDD</strong> Review Requirements: Administrative Trigger Events:<br />
i. do not result in an increase in the FCRR;<br />
ii. do not indicate a fundamental shift in a Customer’s business activity or relationship with HSBC.<br />
Changes should be updated in core banking systems following business as usual processes and added to the<br />
<strong>CDD</strong> profile (and associated ID&V and Screening, where required).<br />
The next Periodic Review date will not be reset in the event of an Administrative Trigger Event (see Figure 4.1).<br />
Figure 4.1: Example of Trigger Event Impact on Periodic Review Cycle (3-Year Cycle)<br />
Policy Driven Trigger Events<br />
4.2.8 Policy Driven Trigger Events are changes which affect the Policy framework used to assess Customer risk,<br />
e.g. as a result of an amendment to the Global Financial Crime Country Risk Model (FCCRM) or to local<br />
legislation. The relevant AML office or FCC Sanctions in line with the AML Governance Guidance will<br />
determine if a Policy change will result in a Policy Driven Trigger Event.<br />
4.2.9 Policy Driven Trigger Events will occur periodically to reflect HSBC’s on-going monitoring of Financial Crime<br />
Risk and changes in both the operating and regulatory environments. Examples include external changes,<br />
e.g. the introduction of sanctions for a jurisdiction, or internal changes, e.g. an upward shift in a country risk<br />
rating.<br />
4.2.10 In response to a Policy Driven Trigger Event, an assessment is required as to how changes are to be<br />
applied. The Business in conjunction with the <strong>RBWM</strong> Global Head of AML or FCC Sanctions must decide<br />
which categories of Customers need to be remediated (i.e. a structural portfolio review) and which will be<br />
revisited at their next scheduled Periodic or Event Driven Review.<br />
4.3 Periodic Reviews – Principles and Approach<br />
4.3.1 The purpose of conducting a Periodic Review is to confirm that the Customer’s <strong>CDD</strong> profile, including KYC,<br />
product information, and the FCRR are accurate, up to date and complete based on reasonable due<br />
diligence, and that the Customer relationship remains within HSBC’s risk appetite. The next Periodic Review<br />
date should be set based on the completion date and profile finalisation of the current Periodic Review.<br />
4.3.2 In addition to the above, for Retail Business Banking customers, an assessment must be undertaken to<br />
ensure that the relationship remains within the RBB portfolio criteria. In line with <strong>CDD</strong> Risk Acceptance,<br />
where changes are identified, referral should be made to the Country Head of RBB and FCC to establish if<br />
the customer relationship should continue to be managed by <strong>RBWM</strong>.<br />
4.3.3 At Periodic Review the FCRR must be recalculated using the Financial Crime Compliance Risk Assessment<br />
Model.<br />
4.3.4 Any changes must be documented to the onboarding standard. It is not required to re-verify <strong>CDD</strong><br />
information which has remained constant.<br />
4.3.5 For the purpose of this document, the following definitions will apply:<br />
- Verification - verifying some or all of the identity information gathered using reliable and independent<br />
documentary and/or electronic sources (for further information refer to the Individuals KYC chapter).<br />
- Validation - describes the process of corroborating (i.e. supporting with evidence) KYC information<br />
(for further information refer to the Individuals KYC chapter).<br />
- Confirmation – a process to affirm details relating to the Customer which will be provided by the<br />
Customer themselves, or the Business (generally the RM) in lieu of the Customer (for further<br />
information refer to the Individuals KYC chapter).<br />
4.4 First Time File Review (Remediation of existing customers)<br />
4.4.1 <strong>RBWM</strong> must identify the review cycle for customers who have not been risk rated using the current version<br />
of the Global Standards RAM and where a review isn't already scheduled. Remediating existing customers<br />
through undertaking a First Time File Review will ensure that all of the <strong>CDD</strong> requirements are gathered to<br />
complete the <strong>CDD</strong> Profile in line with the Global AML Policy. This may require customer contact.<br />
4.4.2 <strong>RBWM</strong> must use available information on the customer to assign a Financial Crime Risk Rating (FCRR),<br />
aligned to the Financial Crime Customer Risk Assessment Methodology (FCC-RAM).<br />
4.4.3 For Retail Low Risk Individuals, remediation of the customer will be undertaken following a Material Trigger<br />
Event. For Retail Low Risk Individuals, the <strong>CDD</strong> profile may not be completed until the Material Trigger and<br />
FTFR has been completed.<br />
4.4.4 All other customers and entities will be scheduled for remediation based on their risk rating once they have<br />
been uploaded into the <strong>CDD</strong> Review Tool following the approved roll out strategy.<br />
4.4.5 Subsequent Periodic Reviews will be scheduled in line with the customer's risk rating once the Remediation<br />
is completed during FTFR. See the table below for the review schedules.<br />
4.4.6 The <strong>RBWM</strong> <strong>CDD</strong> Line of Business Procedures identify where there is a difference in approach between<br />
Periodic Review and Remediation (First Time File) Review.<br />
4.5 Periodic Review Frequency<br />
4.5.1 The frequency of Periodic Reviews is determined by the Customer Type and the Customer’s FCRR.<br />
4.5.2 The following table specifies the minimum Periodic Review frequencies that apply:<br />
Periodic Review Cycle (Years)<br />
Customer FCRR | High Net Worth Individuals & <strong>RBWM</strong> Entities* | Retail Individuals<br />
High and SCC | 1 | 1<br />
Medium | 3 | 5<br />
Low | 5 | Material Trigger Alerts**<br />
*Entities include Retail Business Banking Sole Traders and Corporates & Partnerships, Trusts, Clubs & Societies<br />
** For Low Risk Retail Individuals reliance is placed on Material Trigger Events for updates to the <strong>CDD</strong> Profile and monitoring and identifying any<br />
significant changes in account activity.<br />
4.5.3 At the time of Periodic Review or Trigger Event the classification of the customer between HNWI and Retail<br />
needs to be checked. If a customer no longer qualifies for HNWI the RM should conduct the review and<br />
action the trigger as described, remove the HNWI classification and set the Periodic Review Cycle based<br />
on the new classification and Risk Rating.<br />
4.6 <strong>CDD</strong> and EDD Requirements at Periodic Review<br />
4.6.1 It is important to recognise that characteristics and resulting <strong>CDD</strong> and Enhanced Due Diligence (EDD)<br />
procedures will differ by Customer Type. The following section outlines the <strong>CDD</strong> and EDD procedures for<br />
Entity and Individual Customer Types.<br />
4.6.2 Periodic reviews should not commence more than two months in advance of the profile expiry date, but<br />
must be completed by the profile expiry date. This will allow the Business time to collect any additional <strong>CDD</strong><br />
information, recalculate the FCRR, escalate issues and complete the review and approval before the end of<br />
the review cycle (profile expiry date).<br />
4.6.3 If a case is overdue, it must be reported as part of Management Information. Management Information will<br />
report on profiles 0-29 days overdue, 30-59 days overdue and 60 plus days overdue from the expiry date of<br />
the Customer’s <strong>CDD</strong> Profile. There must be escalation to Business Line Management and Country FCC<br />
where cases remain overdue.<br />
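The scheduling rules spread across 4.2.7 (Material versus Administrative Trigger Events), 4.3.1 (next date runs from completion), 4.5.2 (cycle table), 4.5.3 (HNWI re-classification) and 4.6.2 to 4.6.3 (review window and overdue buckets) can be expressed as one small routine. This is an added illustration, not HSBC's tooling or part of the LoBP; the segment labels, the FCRR ranking used to detect an increase, the customer ids and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Minimum Periodic Review cycle in years by customer segment and FCRR (table in 4.5.2).
# None = no fixed cycle: Low Risk Retail Individuals rely on Material Trigger Events.
# Segment labels are assumptions made for this illustration.
REVIEW_CYCLE_YEARS = {
    "HNWI_OR_ENTITY":    {"HIGH": 1, "SCC": 1, "MEDIUM": 3, "LOW": 5},
    "RETAIL_INDIVIDUAL": {"HIGH": 1, "SCC": 1, "MEDIUM": 5, "LOW": None},
}
# Assumed ordering used to decide whether an FCRR has increased (SCC treated as the top tier).
FCRR_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SCC": 3}


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    """Add (or subtract) calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def next_review_date(completion: date, segment: str, fcrr: str) -> Optional[date]:
    """4.3.1: the next review date runs from the completion date of the current review."""
    years = REVIEW_CYCLE_YEARS[segment][fcrr]
    return None if years is None else add_years(completion, years)


@dataclass
class CddProfile:
    customer_id: str
    segment: str
    fcrr: str
    next_review: Optional[date]


def complete_review(profile: CddProfile, completion: date, new_fcrr: str,
                    still_hnwi: bool = True) -> CddProfile:
    """Finalise a Periodic (or Event Driven) Review: 4.3.3 recalculates the FCRR,
    4.5.3 re-checks the HNWI classification, then the cycle is reset from completion."""
    if profile.segment == "HNWI_OR_ENTITY" and not still_hnwi:
        profile.segment = "RETAIL_INDIVIDUAL"
    profile.fcrr = new_fcrr
    profile.next_review = next_review_date(completion, profile.segment, new_fcrr)
    return profile


def classify_trigger(old_fcrr: str, new_fcrr: str, fundamental_shift: bool) -> str:
    """4.2.7: Material if the FCRR increases or the business/relationship shifts fundamentally."""
    if FCRR_RANK[new_fcrr] > FCRR_RANK[old_fcrr] or fundamental_shift:
        return "MATERIAL"
    return "ADMINISTRATIVE"


def apply_trigger_event(profile: CddProfile, event_date: date, new_fcrr: str,
                        fundamental_shift: bool = False,
                        still_hnwi: bool = True) -> str:
    """Run the Trigger Event process (4.2.6 - 4.2.7) and return the impact classification."""
    impact = classify_trigger(profile.fcrr, new_fcrr, fundamental_shift)
    if impact == "MATERIAL":
        # A Material event requires a Customer review and resets the next review date.
        complete_review(profile, event_date, new_fcrr, still_hnwi)
    else:
        # Administrative: the profile is updated, but the next review date is NOT reset.
        profile.fcrr = new_fcrr
    return impact


def review_may_commence(expiry: date, today: date) -> bool:
    """4.6.2: a Periodic Review may start no more than two months before profile expiry."""
    return today >= add_months(expiry, -2)


def overdue_bucket(expiry: date, today: date) -> Optional[str]:
    """4.6.3 Management Information buckets for profiles past their expiry date."""
    days = (today - expiry).days
    if days <= 0:
        return None
    if days < 30:
        return "0-29 days overdue"
    if days < 60:
        return "30-59 days overdue"
    return "60 plus days overdue"


if __name__ == "__main__":
    # Constructed sample: a Medium-risk HNWI whose review completed on 31 Oct 2016.
    p = CddProfile("CUST-0001", "HNWI_OR_ENTITY", "MEDIUM", None)
    complete_review(p, date(2016, 10, 31), "MEDIUM")
    print("next review:", p.next_review)
    print(apply_trigger_event(p, date(2017, 5, 1), "MEDIUM"), p.next_review)
    print(apply_trigger_event(p, date(2017, 5, 1), "HIGH"), p.next_review)
    print(overdue_bucket(p.next_review, date(2018, 6, 15)))
```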
4.6.4 A risk based approach needs to be taken when considering the action to take upon the expiry of a <strong>CDD</strong><br />
profile, encouraging customers to respond and preventing unnecessary exits.<br />
4.6.5 A decision to retain a customer when the profile has expired should be treated as a <strong>CDD</strong> Risk Acceptance<br />
request and the <strong>CDD</strong> Risk Acceptance <strong>LoBP</strong> (Chapter 7) should be followed.<br />
4.6.6 All requests to exit a customer, irrespective of whether the <strong>CDD</strong> Profile review is overdue or not, will<br />
need to be approved at the Client Selection Committee (CSC), which will make the final decision.<br />
4.6.7 The approach should be documented on the customer’s <strong>CDD</strong> profile to maintain a full audit trail.<br />
4.6.8 Pending the CSC decision, accounts must be restricted (where the restriction of accounts is allowed by<br />
local regulation etc.).<br />
4.6.9 For further information regarding exiting customers, refer to CSEM Policy.<br />
4.6.10 If Financial Crime Risk indicators are identified during the course of the Periodic Review the Business must<br />
follow the Escalation process (See Chapter 5 - Escalations).<br />
4.6.11 Dormant accounts are subject to Operational Risk FIM requirements. A Periodic Review is not required for<br />
Customers where all accounts, products and services are dormant. However, an Event Driven Review must<br />
be completed prior to the reactivation of a dormant relationship.<br />
4.6.12 An Event Driven Review must be completed prior to the reactivation of a dormant relationship. Where a<br />
credit is received to repay or reduce the balance of a written off account, providing the credit is received<br />
from an account in the customer’s name, directly via a Collection Agency or the customer is seen face to<br />
face, the credit may be applied to the account and the account balance closed or reduced until such time as<br />
the balance is repaid.<br />
4.7 Requirements Applicable to Individuals<br />
Customer Risk Rating at <strong>CDD</strong> Review<br />
4.7.1 Changes to the Customer Profile identified during Periodic Review may result in a change to the<br />
Customer’s FCRR. <strong>CDD</strong> must be completed in accordance with the final FCRR of the Customer.<br />
Periodic Review Requirements<br />
4.7.2 The following table outlines categories of <strong>CDD</strong> requirements applicable to Individuals at onboarding and<br />
Periodic Review.<br />
4.7.3 At Periodic Review confirmation is required of any changes to the key risk drivers as outlined in the table<br />
below. Where a change has been identified, the onboarding requirements must be followed, as outlined in<br />
the relevant Customer Type Procedural Standards.<br />
4.7.4 There are several key differences between on-boarding and Periodic Review requirements for Individuals<br />
which are outlined in Sections (4.7.5 - 4.7.12).<br />
<strong>CDD</strong> Requirements | Periodic Review Requirements | Key Risk Drivers<br />
Customer ID&V – Address Verification | Yes (4.7.5) | Risk based approach to the remediation of address verification information for existing customers as noted below.<br />
Know Your Customer (KYC) – Account Activity Review | Yes (4.7.6 – 4.7.9) | The Account Activity Review will determine the extent to which the actual account activity is consistent with expected account activity and all key information contained in the <strong>CDD</strong> profile (including ongoing Source of Wealth (SOW)).<br />
Screening of Customer and Connected Parties | Yes (4.7.10 – 4.7.12) | Screening at Periodic Review will ensure any new developments are identified (i.e. by Negative News/Facts Screening).<br />
Customer Contact and Visitation (where applicable) | Yes (see Individuals KYC Chapter – 2.8) | Contact or Visitation are required to remain up-to-date with the Customer’s professional, business or personal activities, investment profile and financial requirements.<br />
Enhanced Due Diligence (EDD) – Where EDD has been performed | Yes (see Individuals, SCC & Prohibited Customers and PEP Chapters) | Where an earlier determination requires EDD, the key facts must be updated at periodic review.<br />
Customer ID&V<br />
4.7.5 Where a gap is identified in relation to residential address verification for an existing customer then,<br />
provided the following conditions have been met, it is not necessary to request additional documentary<br />
evidence to fill the gap:<br />
- The individual's account was opened more than 2 years ago, and the customer has maintained an<br />
uninterrupted relationship with HSBC since then; and<br />
- The customer is a resident in the country where the account is held; and<br />
- The business holds the customer's residential address (primary and other, where applicable) and any<br />
correspondence address (where known to be different to his/her residential address); and<br />
- Correspondence has not been returned to HSBC as undelivered; and<br />
- There are no Financial Crime Risk issues identified during the period based on available information;<br />
and<br />
- Address verification is not required by local regulations or used to evidence compliance with<br />
FATCA.<br />
Note: Information may also be captured during other customer contact, for example, CRS processes and the<br />
capture of Tax residency and Tax Identification number.<br />
4.7.6 If the conditions above have not been met, the customer's residential address must be verified in line with<br />
<strong>CDD</strong> procedures. In this instance, an HSBC issued letter or statement received by the customer at their<br />
address (but not a print-out from an HSBC system) can be provided by the customer as acceptable<br />
evidence of the customer’s residential address for both domestic and international account opening.<br />
4.7.7 Residential address verification is not required each time a customer moves address.<br />
Know Your Customer (KYC)<br />
Account Activity Review<br />
4.7.8 Account Activity must be assessed to determine that it is in line with the <strong>CDD</strong> Profile during each review.<br />
4.7.9 The Account Activity review must assess if the Customer has conducted any transaction activity<br />
inconsistent with expected behaviour or any business related transactions via their retail personal account.<br />
Further guidance on determining if the account has been used for business purposes is provided in<br />
Appendix 2.<br />
4.7.10 Guidance on the nature and extent of the review can be found in Appendix 2.<br />
Ongoing Source of Wealth (SoW)<br />
4.7.11 Source of Wealth information for Individuals must be identified and validated, in line with risk rating, if the<br />
Source of Wealth has previously been obtained for the Customer and there is evidence of significant<br />
changes in Customer circumstances, e.g. through Transaction Monitoring or other evidence of change.<br />
4.7.12 Where Source of Wealth has not previously been obtained, when conducting a First Time File Review, this<br />
information must be identified and verified in line with onboarding standards and risk rating.<br />
4.7.13 Care should be taken where it may prove difficult for the customer to provide evidence of the SoW,<br />
especially at FTFR.<br />
4.7.14 SoW should be obtained, as per onboarding procedures, where a material change results in an Individual<br />
moving into a category where SoW information is now required or had previously not been obtained. (see<br />
Figure 2.5 in Individuals Chapter, KYC Section).<br />
Screening of the Customer and Connected Parties<br />
4.7.15 Where screening of Customer and Connected Parties recorded at on-boarding is automated (e.g. reverse<br />
PEP or Sanctions screening), this does not need to be repeated at Periodic Review.<br />
4.7.16 Negative News and Negative Facts Screening is only required to be performed incrementally, i.e. for the<br />
period from the date of the last review to the date of current review.<br />
4.7.17 For all newly identified Connected Parties, screening must occur in line with onboarding requirements. (see<br />
Individuals Chapter, KYC Section).<br />
Connected Parties ID&V<br />
4.7.18 If identified at Periodic Review, newly identified Connected Parties will be subject to the ID&V requirements<br />
specified at onboarding (See Chapter 1 - Individuals).<br />
4.8 Requirements Applicable to Entities (Customer Types applicable to <strong>RBWM</strong> are:<br />
Sole Traders, RBB Corporates and Partnerships, Trusts, Clubs & Societies and Personal<br />
Investment Vehicles)<br />
Customer Risk Rating at <strong>CDD</strong> Review<br />
4.8.1 Changes to the <strong>CDD</strong> Profile identified during Periodic Review may result in a change to the Customer’s<br />
FCRR. <strong>CDD</strong> must be completed in accordance with the final FCRR of the Customer.<br />
Periodic Review Requirements<br />
4.8.2 The following table outlines categories of <strong>CDD</strong> requirements applicable to Entities at Periodic Review.<br />
4.8.3 At Periodic Review confirmation is required of any changes to the key risk drivers as outlined in the table<br />
below. Where a change has been identified, the onboarding requirements must be followed, as outlined in<br />
the relevant Customer Type sections.<br />
4.8.4 There are several additional requirements at Periodic Review for Entities which are outlined in Sections<br />
(4.8.5 - 4.8.20).<br />
<strong>CDD</strong> Requirements | Periodic Review Requirements | Key Risk Driver<br />
Customer ID&V – Existence of Customer and Legal Entity Status | Yes (4.8.5) | Confirmation that the legal entity still exists is critical, both from a risk management and operational standpoint.<br />
Customer ID&V – Listed or Regulated Status | Yes (4.8.5) | Changes to the listed status of the Customer entity or Parent may result in changes to the levels of transparency, disclosure and corporate governance.<br />
Connected Party ID&V – Beneficial Owners (BOs and UBOs) | Yes (4.8.6 – 4.8.7) | Beneficial Owners have the potential to exploit the Customer entity’s relationship with HSBC to launder money or commit other financial crimes because they exercise ultimate control over the Customer via their ownership interest or voting power. Changes in the ownership structure may result in changes to the risk profile. This may be due to (i) PEPs, negative news or sanctions issues identified in the new ownership structure, (ii) change in legal entity type, (iii) change in AML control framework (AML controls at new owner are different or inferior).<br />
Connected Party ID&V – Key Controllers and Other Connected Parties | Yes (4.8.6 – 4.8.7) | Changes in Key Controllers may impact the risk profile of the Customer. Key Controllers, given their influence on activities, have the potential to be able to exploit the Customer entity's relationship with HSBC to launder money or commit other financial crimes. At periodic review, the focus will be on identifying new risks, for example new PEPs in the control structure, sanctioned entities and/or individuals and/or negative news associated with new or existing Key Controllers.<br />
Know Your Customer (KYC) – Nature of Business (or equivalent as per Customer Type) | Yes (4.8.8 – 4.8.9) | Certain business activities are more susceptible to money laundering or other financial crimes, and changes in the nature or scope of business activities may result in changes to the risk profile of the Customer. Changes in jurisdictions in which the Customer operates may also present sanctions risks. At Periodic Review, the focus is on identification of changes in Customer activity that would impact risk profile, or a change in the Customer’s sanctions exposure (e.g. an increase or decrease in the Customer’s indirect risk exposure to a Sensitive Sanctioned Country).<br />
Know Your Customer (KYC) – Account Activity Review | Yes (4.8.8 – 4.8.9) | Certain products and services are more susceptible to misuse. At Periodic Review, the focus is on identification of any new product activity that may impact the money laundering or Sanctions Risk of the Customer. Changes to the products or services being utilised may also indicate a change in the underlying Customer’s business activities.<br />
Visitation (if required per Customer Type) | Yes (see AML Policy: <strong>CDD</strong> Standards - Corporates & Partnerships) | Where applicable visitation will support assessment of the nature of business to ensure it is consistent with the information contained in the <strong>CDD</strong> profile.<br />
Screening of Customer and Connected Parties | Yes (4.8.10 – 4.8.14) | Screening at Periodic Review will ensure any adverse changes are identified (i.e. by negative news/facts and sanctions screening). In addition, this will identify any new risks associated with PEP identification and screening against Official and Other Lists (as defined in the Section 3 – Screening).<br />
Enhanced Due Diligence (EDD) – Requirements for PEPs | Yes (see AML Policy: <strong>CDD</strong> Standards – PEPs) | Where an earlier determination has been made to raise the FCRR of a Customer, the key facts must be updated at Periodic Review to ensure that the risk issues are still applicable (e.g. PEP status, sanctions, etc.), and updated to reflect any case developments (e.g. negative news).<br />
Enhanced Due Diligence (EDD) – Exposure to Sensitive Sanctioned Countries | Yes (4.8.15 – 4.8.17) | As for Requirements for PEPs above.<br />
Enhanced Due Diligence (EDD) – Exposure to Sixth Filter Countries (rated High Risk on the FCCRM in which HSBC does not have a presence) | Yes (4.8.18 – 4.8.19) | As for Requirements for PEPs above.<br />
Customer ID&V<br />
4.8.5 Based on a review of the key risk drivers above, the Periodic Review must seek to identify any changes to<br />
the Customer e.g. existence, legal or listed status of the entity.<br />
Connected Parties ID&V<br />
4.8.6 At Periodic Review, the ownership structure and existing Connected Parties who retain control of the<br />
Customer need to be confirmed. However they do not need to be re-verified.<br />
4.8.7 Any new Connected Parties identified at Periodic Review need to be ID&V’d to onboarding standards.<br />
Know Your Customer (KYC)<br />
Account Activity Review<br />
4.8.8 By using information obtained at onboarding, and any new information captured, the Account Activity<br />
Review will assess the extent to which the expected account activity is consistent with actual account<br />
activity and that the actual activity is in line with the rest of the <strong>CDD</strong> Profile. Any unusual activity identified<br />
must be adequately investigated and may require escalation to FCC.<br />
4.8.9 The nature and extent of the review will be determined by Customer Type, Product type and the Customer’s<br />
FCRR.<br />
Screening of the Customer and Connected Parties<br />
4.8.10 Where screening of Customer and Connected Parties recorded at on-boarding is automated or real-time<br />
(e.g. reverse PEP or Sanctions screening), this does not need to be repeated at Periodic Review.<br />
4.8.11 As a result, Screening at Periodic Review relates only to those parties who have not previously been<br />
identified (e.g. new Connected Parties) or screening requirements that are not satisfied through automated<br />
processes, which can include Negative News and/or Negative Facts screening.<br />
4.8.12 For all newly identified Connected Parties, screening must occur in line with onboarding requirements.<br />
4.8.13 Negative News and/or Negative Facts Screening is only required to be performed incrementally, i.e. for the<br />
period from the date of the last review to the date of current review.<br />
4.8.14 The following table outlines which existing parties are required to be screened at Periodic Review where<br />
there is no automated Screening. Where a hit against an Official or Other Lists is identified, these should<br />
be escalated per the Screening Chapter.<br />
Existing Parties to be Screened at Periodic Review<br />
Customer: X<br />
Connected Parties – Beneficial Owners: X<br />
Connected Parties – Key Controllers: X<br />
Connected Parties – Other identified Connected Parties: X<br />
Enhanced Due Diligence (EDD)<br />
Exposure to Sensitive Sanctioned Countries<br />
4.8.15 For Customers with known exposure to Sensitive Sanctioned Countries, the information pertaining to a<br />
Customer’s exposure must be reviewed at least annually, irrespective of a Customer’s final FCRR and<br />
subsequent Periodic Review cycle.<br />
4.8.16 The information pertaining to a Customer’s exposure may be reviewed outside of the Periodic Review Cycle<br />
at the request of FCC Sanctions.<br />
4.8.17 The Customer must be escalated to FCC in the following instances:<br />
a) Where there is an increase in exposure of the Customer to a Sensitive Sanctioned Country;<br />
b) Where there is a change in the type of exposure a Customer has to a Sensitive Sanctioned<br />
Country, (i.e. between Direct Relationship, Direct Support or Indirect Risk Exposure);<br />
c) Where there is a change in the Sensitive Sanctioned Countries that the Customer or a Connected<br />
Party has exposure to; and/or<br />
d) Where there is a change in the Customer’s primary business activity in relation to the Sensitive<br />
Sanctioned country.<br />
4.8.18 Where exposure to Sensitive Sanctioned Countries is newly identified at a Review, e.g. an Indirect Risk<br />
Exposure to a Sensitive Sanctioned Country that was not previously identified the Enhanced Due Diligence<br />
Procedures should be followed.<br />
Exposure to Sixth Filter Countries rated High Risk on the FCCRM and where HSBC does not have a<br />
physical presence 11<br />
4.8.19 For Customers with known exposure to Sixth Filter jurisdictions rated High Risk on the FCCRM in which<br />
HSBC does not have a physical presence, this exposure must be reviewed as part of the Periodic Review.<br />
4.8.20 Reputational Risk and Client Selection Committee (RR&CSC) approval will be required where the<br />
Customer’s exposure to countries rated High Risk on the FCCRM in which HSBC does not have a physical<br />
presence is greater than 10% for any one jurisdiction, or 25% for any combination of such jurisdictions.<br />
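The escalation grounds in 4.8.17, the newly identified exposure rule in 4.8.18 and the 10% / 25% RR&CSC thresholds in 4.8.20 amount to a comparison of the exposure recorded at the last review against the current picture. The following is an added illustration, not HSBC's tooling or part of the LoBP; the country names are placeholders, and the percentage used to measure the size of an exposure is an assumption (the LoBP does not define one).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Exposure types named in 4.8.17 b).
EXPOSURE_TYPES = ("DIRECT_RELATIONSHIP", "DIRECT_SUPPORT", "INDIRECT_RISK_EXPOSURE")


@dataclass(frozen=True)
class SscExposure:
    """A Customer's exposure to one Sensitive Sanctioned Country as recorded on the CDD profile.
    `share_pct` is an assumed measure of the size of the exposure; the LoBP does not define one."""
    country: str
    exposure_type: str
    share_pct: float


def ssc_escalation_reasons(previous: Iterable[SscExposure], current: Iterable[SscExposure],
                           previous_activity: str, current_activity: str) -> List[str]:
    """Compare the exposure recorded at the last review with the current picture and return
    the 4.8.17 escalation grounds (a-d) that apply; an empty list means no FCC escalation."""
    before = {e.country: e for e in previous}
    after = {e.country: e for e in current}
    reasons: List[str] = []
    for country, now in after.items():
        was = before.get(country)
        if was is None:
            continue  # newly identified countries are covered by c) and by 4.8.18
        if now.share_pct > was.share_pct:
            reasons.append(f"a) increased exposure to {country}")
        if now.exposure_type != was.exposure_type:
            reasons.append(f"b) exposure type to {country} changed "
                           f"{was.exposure_type} -> {now.exposure_type}")
    if set(before) != set(after):
        reasons.append("c) change in the Sensitive Sanctioned Countries the Customer is exposed to")
    if previous_activity != current_activity:
        reasons.append("d) change in primary business activity in relation to a Sensitive Sanctioned Country")
    return reasons


def newly_identified_ssc(previous: Iterable[SscExposure], current: Iterable[SscExposure]) -> Set[str]:
    """4.8.18: countries with exposure not previously recorded; EDD procedures must be followed."""
    return {e.country for e in current} - {e.country for e in previous}


def sixth_filter_rrcsc_required(exposure_by_country: Dict[str, float],
                                high_risk_no_presence: Set[str]) -> bool:
    """4.8.20: RR&CSC approval is needed when exposure to countries rated High Risk on the
    FCCRM with no HSBC presence exceeds 10% for any one jurisdiction or 25% in combination."""
    relevant = {c: pct for c, pct in exposure_by_country.items() if c in high_risk_no_presence}
    if not relevant:
        return False
    return max(relevant.values()) > 10.0 or sum(relevant.values()) > 25.0


if __name__ == "__main__":
    # Constructed sample data; country names are placeholders, not HSBC's actual lists.
    last_review = [SscExposure("Country A", "INDIRECT_RISK_EXPOSURE", 5.0)]
    this_review = [SscExposure("Country A", "DIRECT_SUPPORT", 8.0),
                   SscExposure("Country B", "INDIRECT_RISK_EXPOSURE", 2.0)]
    for r in ssc_escalation_reasons(last_review, this_review, "retail trade", "retail trade"):
        print("escalate to FCC:", r)
    print("EDD required for newly identified:", newly_identified_ssc(last_review, this_review))
    print(sixth_filter_rrcsc_required({"Country X": 9.0, "Country Y": 9.0, "Country Z": 9.0},
                                      {"Country X", "Country Y", "Country Z"}))
```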
4.8.21 Event-driven examples of increased Customer exposure may include:<br />
a) Additional HSBC products and services requested by the Customer; and/or<br />
b) A significant increase in exposure (e.g. an increase which results in greater than 10% of total<br />
ownership, sales, supplies and/or investment pertaining to a TI CPI ≤ 22 countries) not previously<br />
identified:<br />
i. A change in the jurisdictions rated High Risk on the FCCRM in which HSBC does not have<br />
a physical presence that the Customer has exposure to; and/or<br />
ii. A change in the Customer’s primary business activity or a significant business operation in<br />
relation to a sixth filter jurisdiction, e.g. where a new local partner is identified.<br />
11 For more information on Sixth Filter refer to the Global Risk FIM B.2.21.4 Sixth Filter<br />
4.9 Roles and Responsibilities during Periodic Review<br />
4.9.1 Country <strong>RBWM</strong> Procedures should define Roles and Responsibilities detailing who performs which element<br />
of a review.<br />
4.10 <strong>CDD</strong> Review Approvals<br />
4.10.1 The approval process for <strong>CDD</strong> Reviews depends on the Customer’s FCRR and whether any material<br />
updates to the <strong>CDD</strong> profile have been made (see Approvals Chapter).<br />
4.11 <strong>CDD</strong> Reviews for Exit Customers<br />
4.11.1 This section should be read in conjunction with the Client Selection and Exit Management (CSEM) Policy<br />
which outlines the Global approach to Customer selection decisioning and Exit Management.<br />
4.11.2 Where a Notice to Exit has been initiated there is no requirement to conduct a Periodic Review. All other<br />
<strong>CDD</strong> requirements must continue to be complied with during the notice period, including Event Driven<br />
Reviews and Sanctions Screening. Should the decision be taken to retain the customer, Periodic Reviews<br />
must recommence.<br />
Appendix 1<br />
Trigger Events<br />
Trigger Events Matrix July <strong>2016</strong>.xlsx<br />
APPENDIX 2:<br />
Account Activity Review – Periodic Review<br />
- At onboarding, the policy requires <strong>RBWM</strong> to understand the customer’s intended account usage.<br />
- The focus of the Account Activity review is therefore to review actual account usage against the customer’s<br />
stated intended account usage.<br />
- Transactional activity must be reviewed based on the customer Risk Rating over a defined time period (see<br />
table below).<br />
- Account Activity reviews should pay particular attention to any product where the following activity can be<br />
identified:<br />
o type, volumes and values of transactions<br />
o patterns of deposits or withdrawals to the account<br />
o review of cash transactions<br />
o regular payments (direct debits / standing orders)<br />
o large and / or unexplained transactions<br />
o Intermingling of personal and business transactions (see Appendix x)<br />
o Transaction monitoring alerts<br />
- Where actual account activity is identified which does not match the intended / expected activity, the<br />
differences must be investigated.<br />
- Where it is not clear from information held, the customer must be contacted to discuss and understand the<br />
changes.<br />
- Concerns regarding the account activity should be escalated in line with the Escalations Guidance, which<br />
may also warrant the raising of a UAR (following UAR Guidance).<br />
Account Activity Review Period<br />
| Customers FCRR | Retail Individuals | Retail Entities | HNWI |<br />
| Low & Medium | 3 Months | 3 Months | 3 Months |<br />
| High | 3 Months | 3 Months | 6 Months |<br />
| SCC | 6 Months | 6 Months | 6 Months |<br />
• The above review periods are the minimum requirement. It is expected that any variances between intended and actual account activity will be identified in the above time scales. However, the period of review can be extended depending on the information gathered and at the discretion of the reviewer.<br />
APPENDIX 2 (cont):<br />
Account Activity Review – First Time File Review (FTFR)<br />
• First Time File Review (FTFR) is undertaken for customers who were onboarded prior to the implementation of Global Standards <strong>CDD</strong>.<br />
• Where a FTFR is required the principle of conducting an Account Activity Review is the same as that for Periodic Review. However, there will not be any information regarding the customer’s intended account usage to review.<br />
• Therefore the review must focus on the available actual account activity to determine if it is reasonable based on what we know about the customer.<br />
• Particular attention should be given to:<br />
o Is the Customer’s Account Activity (credits and debits) in line with their known salary or income?<br />
o Are there any debits or credits which appear inconsistent with the known employment status and profile of the customer?<br />
o Are there any unexplained or unknown deposits or depositors?<br />
o Does the Customer’s cash activity appear reasonable based on their employment status?<br />
o Are there any unusual cross border transactions or other transactions which are not in line with what is known about the Customer?<br />
o Have there been any “spikes” in activity during the period of review which require further investigation?<br />
o Is there any identifiable Intermingling of personal and business transactions on any of the Customer’s accounts? (See guidance for the intermingling of business and personal transactions below.)<br />
• <strong>RBWM</strong> should establish if the customer is intending to continue to transact as they have been historically. This will capture ongoing intent.<br />
• Updated purpose and usage of account information must be recorded on the Customer’s <strong>CDD</strong> Profile, in line with the KYC requirements specific to the Customer type.<br />
• Concerns regarding the account activity (historic or intended) should be escalated in line with the Escalations Guidance, which may also warrant the raising of a UAR (following UAR Guidance).<br />
• As a result of the First Time File Review process the FCRR for the Customer will be recalculated. The Periodic Review frequency for all future reviews will follow the guidance in Section 4.4.2 applicable to each risk rating.<br />
Account Activity Review Period<br />
The Account Activity Review period at FTFR will be risk-based as per the table below:<br />
| Customers FCRR | Retail Individuals | Retail Entities | HNWI |<br />
| Low & Medium | 3 Months | 3 Months | 3 Months |<br />
| High | 3 Months | 3 Months | 6 Months |<br />
| SCC | 6 Months | 6 Months | 6 Months |<br />
• This period can be extended depending on the information gathered and at the discretion of the reviewer.<br />
Appendix 2 (cont):<br />
Intermingling of Business and Personal Transactions<br />
1: The use of retail personal accounts for business purposes is not permitted by <strong>RBWM</strong> for the following reasons:<br />
• Reduced ability to undertake effective transaction monitoring to identify suspicious or unusual activity, therefore increasing the risk of failing to identify transactions connected to money laundering or terrorist financing<br />
• Regulatory requirements of certain regions and countries formally prevent the use of personal accounts for business purposes<br />
• <strong>CDD</strong> activities will have been completed to the requirements for Individual Customers rather than Sole Traders, therefore will not have identified the required Nature of Business information. Please see Chapter 5: Sole Traders for further Nature of Business guidance.<br />
2: Potential indicators that the Customer has been utilising their personal account for business transactions would include:<br />
• Recurring large remittances to unrelated 3rd parties<br />
• Transaction remarks that indicate invoice payments or business settlements<br />
• Regular transactions to corporate accounts<br />
• Where a Customer holds both a business and retail personal account, any transfers between these accounts that are subsequently paid onwards to a 3rd party in their entirety.<br />
3: Where it is identified that a Customer has been conducting business transactions via their retail personal<br />
account(s) then the Customer should be contacted to understand the transactions and discuss their options.<br />
4: The review of the transactions may warrant a UAR to be raised as deemed appropriate by the business. For<br />
additional information on UAR requirements please refer to the UAR guidance (UAR Guidance). Where there is no<br />
indication of financial crime resulting from the review of the UAR the Customer should be managed as per the<br />
following guidance.<br />
5: In countries where <strong>RBWM</strong> operates a Retail Business Banking (RBB) portfolio, the Customer can continue to be<br />
managed by <strong>RBWM</strong> and be provided with a suitable RBB product to meet their needs. Customers retained by<br />
<strong>RBWM</strong> in this manner must have an RBB marker applied to their record to identify them to ensure that <strong>CDD</strong><br />
requirements are conducted appropriately for their Customer type. E.g. Sole Trader.<br />
6: Where there is no Retail Business Banking portfolio, the customer should be referred to a Relationship Manager<br />
within CMB following local referral procedures. CMB will present them with products and services that would better<br />
suit their business needs. Please refer to the appropriate <strong>LoBP</strong> for further Customer Type definition information<br />
7: In Countries where CMB does not operate, <strong>RBWM</strong> should seek to exit the relationship with the Customer by<br />
serving notice to terminate the account. The Customer’s account should then be closed after the 60 day notice<br />
period.<br />
8: Where it is agreed with the Customer to retain their personal retail account and cease conducting business<br />
transactions, the account should continue to be monitored for a period of 30 days from initial Customer contact. If<br />
there are no further business transactions then <strong>RBWM</strong> can retain the account.<br />
9: If further business transactions are identified, the <strong>CDD</strong> Profile must be considered as expired and the ongoing<br />
retention of the Customer should be considered as <strong>CDD</strong> Risk Acceptance (Chapter 7 provides further guidance on<br />
<strong>CDD</strong> Risk Acceptance).<br />
10: If further business transactions are identified the Customer should be contacted once more and must be advised<br />
that if they continue to use the account for business rather than personal needs they will be served notice to<br />
terminate the account. After the second 30 day period if there is no change in customer behaviour the customer’s<br />
account should be closed after the 60 day notice period. The Customer should only be escalated to Country FCC with a<br />
view to exiting in line with the CSEM policy if there are financial crime issues.<br />
11: Where the customer has been onboarded as an Individual and the account activity review has identified the<br />
account is being used for business purposes, the <strong>CDD</strong> profile will need to be updated, ensuring that the<br />
requirements outlined in the Sole Trader procedure are followed.<br />
12: An Entity Customer utilising their business account for personal transactions would also constitute intermingling of<br />
business and personal transactions. Where it is possible to identify this intermingling behaviour on the Customer’s<br />
corporate account the Customer should be contacted to discuss the transactions and to make them aware that<br />
they will need to open a separate retail personal account to meet their needs.<br />
13: Where this is the case the guidance detailed in points 8 - 10 regarding monitoring periods and the required next<br />
steps if further transactions are identified should be followed.<br />
5. Escalation <strong>Process</strong><br />
Key Objective: To outline the Escalation process, stakeholders involved in the process and the outcomes of the Escalation.<br />
How will the Objective be achieved? The results of the <strong>CDD</strong> processes undertaken at onboarding are recorded on the <strong>CDD</strong> Profile. As a result of analysing data collected during the <strong>CDD</strong> process, Financial Crime Risks may be identified whereby it is appropriate to escalate a <strong>CDD</strong> Profile to Financial Crime specialists.<br />
Scope of Chapter:<br />
5.1 Introduction<br />
5.2 Escalation <strong>Process</strong><br />
Related Chapters:<br />
Customer Due Diligence (<strong>CDD</strong>) <strong>Process</strong><br />
Periodic and Event-Driven Review<br />
Other Related Documents and <strong>Process</strong>es:<br />
Global Standards Manual - Chapter 5: Compliance and Reputational Risk<br />
HTS FIM B 6.2 Records Retention<br />
Customer Selection and Exit Management<br />
Financial Crime Compliance Risk Assessment Model (FCC-RAM)<br />
Reputational Risk and Client Selection Committee (RR&CSC)<br />
5.1. Introduction<br />
5.1.1 During the <strong>CDD</strong> process and throughout the Customer relationship [12], information may be identified which<br />
indicates a heightened risk of Financial Crime. This information may require Escalation and the<br />
engagement of a Financial Crime specialist, or the upward revision of the initial Financial Crime risk rating.<br />
5.2. Escalation <strong>Process</strong><br />
5.2.1 The Escalation <strong>Process</strong> is a mechanism for managing Financial Crime Indicators with respect to a<br />
Customer and engaging a Financial Crime specialist, where appropriate, to address the concerns.<br />
5.2.2 Financial Crime Indicators are defined as information or situations which are considered to indicate<br />
potential Financial Crime. A list of Financial Crime Indicators has been compiled to provide guidance, (see<br />
Appendix 1). This list is not exhaustive and any indicators of Financial Crime are subject to the Escalation<br />
<strong>Process</strong>.<br />
5.2.3 Different Escalation paths exist depending on the type of Financial Crime Indicator. These include:<br />
a) Reputational Risk and Financial Crime Concerns which are escalated to Country FCC.<br />
b) Specific matters may be routed to other specialists as directed by Country FCC (e.g. Financial<br />
Intelligence Unit (FIU), Financial Crime Investigations Unit (FCI), Regional Fraud or Tax) [13].<br />
c) Relevant policy or procedural breaches must be escalated to Country FCC or Regulatory<br />
Compliance (refer to FIM B2.1.4 Escalation, Exception Reporting & Follow-Up). Please refer to<br />
the AML Governance Chapter for additional information.<br />
d) Counterparty Fraud or Credit Risk concerns are escalated to Fraud and Credit Risk<br />
respectively (out of scope of these Procedures).<br />
5.2.4 Please note that the above list is not exhaustive and FCC must be consulted if there is any doubt as to the<br />
appropriate Escalation path.<br />
5.2.5 A Financial Crime Indicator may warrant an Unusual Activity Report “UAR” to be raised, as deemed<br />
appropriate by the Business. The raising of a UAR or any reference to potential Money Laundering must not<br />
be recorded on the <strong>CDD</strong> profile. For additional information on UAR requirements refer to the UAR Guidance<br />
document (UAR Guidance).<br />
5.2.6 Figure 5.1 below summarises the Escalation <strong>Process</strong> flow:<br />
Fig 5.1: Escalations <strong>Process</strong> Flow<br />
[12] For Escalations relating to Whistleblowing see Global Standards Manual, Chapter 5: Compliance and Reputational Risk and 5.5 Whistleblowing.<br />
[13] Changes to the Guidance may occur based on the outcomes of work being performed on UARs/SARs and by AML Investigations.<br />
Initiating the Escalation <strong>Process</strong><br />
5.2.7 The Escalation <strong>Process</strong> must be initiated where Financial Crime Indicators are identified, at any time during<br />
the <strong>CDD</strong> <strong>Process</strong> or during the course of the Customer relationship.<br />
5.2.8 Financial Crime Indicators identified during the <strong>CDD</strong> <strong>Process</strong> (at onboarding, Periodic or Event-Driven<br />
Reviews) will be escalated to FCC. All Escalations raised are to be resolved prior to submitting the <strong>CDD</strong><br />
profile for Approval.<br />
5.2.9 Financial Crime Indicators identified at any other time throughout the relationship with the Customer may be<br />
classified as a Material Trigger Event and treated accordingly as well as escalated to FCC (see Periodic<br />
and Event-Driven Reviews Chapter).<br />
5.2.10 All Escalations to FCC must be logged. Logs will be maintained by the Business and FCC to ensure that all<br />
issues are tracked through resolution. Business and FCC logs will be maintained at country level and<br />
cases escalated to Regional FCC which may further escalate to Global FCC, as appropriate.<br />
5.2.11 At a minimum, the following details must be logged:<br />
a) Customer name and unique identifier (as applicable)<br />
b) Reason for Escalation<br />
c) Date of Escalation<br />
d) Name and Title of Individual who raised the concern and other relevant parties involved in the<br />
Escalation <strong>Process</strong>.<br />
e) Interim Business Restrictions imposed (if applicable)<br />
f) <strong>Final</strong> Outcome including mitigation actions<br />
Outcomes from the Escalation <strong>Process</strong><br />
5.2.12 Actions to be taken as a result of the Escalation <strong>Process</strong> include the following:<br />
a) Do not proceed with the onboarding, or for existing Customers consider Exiting (see CSEM<br />
Policy).<br />
b) Proceed with the onboarding/existing relationship, but adjust the FCRR to a higher level, e.g. to<br />
High Risk/SCC and conduct required EDD (see Customer Due Diligence (<strong>CDD</strong>) <strong>Process</strong><br />
Chapter)<br />
c) Proceed with the onboarding/existing relationship, maintaining the FCRR as determined by the<br />
FCC-RAM, i.e. no adjustment<br />
d) Request additional EDD, e.g. Specific ID&V or KYC<br />
e) AML Investigations file a SAR<br />
5.2.13 Pending the final outcome of the Escalation <strong>Process</strong>, interim Business Restrictions may be imposed if<br />
agreed by the Business and FCC.<br />
5.2.14 In all cases, risk issues identified, the actions agreed and outcome of the Escalation <strong>Process</strong> will be<br />
documented and recorded in accordance with the Customer Data Management Policy (see HTS FIM B.6.2<br />
Record Retention).<br />
5.2.15 Where the Business and FCC fail to agree regarding the outcome of an Escalation, the case must be<br />
escalated up the respective management lines of the Business and FCC in parallel until agreement is<br />
reached and documented accordingly.<br />
5.2.16 If the Business or FCC does not agree with the conclusion, the relevant Risk Committees, e.g. RR&CSC or<br />
equivalent may act as a decision forum (see CSEM Policy).<br />
Escalation of Suspicious Tax Evasion Behaviour<br />
5.2.17 All <strong>RBWM</strong> employees who know, or have reasonable grounds for suspecting that, an existing and/or<br />
potential new customer intends to use <strong>RBWM</strong> services to engage in financial crime, including tax evasion,<br />
must follow unusual activity escalation guidance.<br />
5.2.18 Where compliance teams investigating unusual activity (i.e. AML Investigations) have reason to believe that<br />
the investigation may relate to potential tax evasion, and have queries regarding a customer’s tax<br />
obligations, investigative employees must escalate to their respective Group/<strong>RBWM</strong> Tax function (see<br />
Individuals ID&V Chapter Appendix 2 for the list of tax evasion indicators).<br />
5.2.19 The following is a non-exhaustive list of circumstances where Compliance teams may wish to seek<br />
guidance from or escalate to their respective Group/<strong>RBWM</strong> Tax function as a result of suspicious tax<br />
evasion behaviour by the customer. The below list does not substitute existing money laundering escalation<br />
procedures or related policies (e.g., global exit policy).<br />
• Customer's country of tax residence is unclear from the file or arising from conversations with the Customer;<br />
• Customer has or intends to regularise his/her tax affairs whilst continuing to bank with HSBC;<br />
• Customer wishes to negotiate the tax representation clause included in our general terms and conditions;<br />
• Customer does not wish to comply with <strong>RBWM</strong> tax specific policies, as applicable.<br />
Appendix 1 - Financial Crime Risk Indicators<br />
This list is not exhaustive and any indicators of Financial Crime are subject to the Escalation <strong>Process</strong>.<br />
Financial Crime Indicators<br />
Sanctions: Does the Customer operate in, or have links to, a sanctioned country or Entity?<br />
Regulatory Issues: Are you aware of any significant regulatory issues, such as fines or non-compliance relating to this Customer?<br />
Visitation: Has a visit to the Customer’s premises or a meeting with appropriate senior company officials raised any concerns? (See Individuals KYC Section 2.8 for Visitation requirements)<br />
Bankers: If the Customer deals with other bankers, is the distribution of their banking business out of line with your expectations?<br />
Custodian: If HSBC has been appointed as Custodian for this Customer, do you have any concerns regarding the Customer’s investment advisor or fund manager?<br />
• Reputation or the relevance of their experience<br />
• Appropriateness – do they act in any other capacity?<br />
Adverse Media: Are you aware of any Negative news, Negative Facts or adverse media reports about this Customer which raise any Financial Crime concerns?<br />
Politically Exposed Person (PEP): Could this Customer or any Connected Party be considered as a Politically Exposed Person (PEP)?<br />
• PEP – Judiciary<br />
• Current or former Heads of State or member of ruling royal family<br />
• Politician – current/former senior or high profile politicians or high ranking officials or political parties or public enterprises<br />
• High ranking military officials and personnel<br />
• Persons connected to/associated with a Public Official i.e. immediate family, aides and close advisors, business associates<br />
• Corporate PEP (refer to <strong>RBWM</strong> AML Policy PEP Guidance Chapter 13 for full details)<br />
Key Connected Parties: Do any of the following Connected Parties raise any concerns?<br />
• Auditors<br />
• Advisors including law firms or consultants<br />
Business Operations: Does the Customer operate in, or have links to, any of the following business operations?<br />
• Government / State-Owned body (GSB)<br />
• Money Services Business (MSB) e.g. bureau de change, cambio<br />
• Gaming operations e.g. casinos including online gaming and/or internet gambling<br />
• Production or distribution of arms or other military products<br />
• Manufacture or distribution of jewellery, precious stones or metals<br />
• Voluntary sector as a charity, not-for-profit organisation (NPO) or non-governmental organisation (NGO)<br />
• A sector perceived as ethically, environmentally or socially unsound<br />
Company Structure: Do you have any concerns regarding the Customer’s company structure or common attributes between related entities?<br />
• Operating Model - the line of business, products, suppliers/customers; any commonality between them; or any material changes to the operating model.<br />
• Corporate Governance - Customer’s corporate board or governance<br />
• Group Structure - subsidiaries or other related companies<br />
• Supply Chain – concerns over the existence of the Customer’s buyers or suppliers, their credentials or business performance<br />
• Change of Terms – such as requests for extensions of loans or any increase in Past Due Bills<br />
• Controlling Individuals such as directors, senior managers and shareholders of the Customer or a related company, supplier or customer<br />
• Is the ownership vested in Bearer Shares?<br />
Collateral: Do you have any concerns regarding the existence, or common attributes between, the value of key operations, premises or assets against which credit lines are secured?<br />
Customer’s Behaviour/Performance: Has the Customer’s behaviour or performance raised any of the following concerns?<br />
• “Too good to be true” – the Customer is outperforming their competitors or the broader market<br />
• Financial Distress – the Customer’s behaviour indicates any financial distress<br />
• Transparency – nature or transparency of their dealings with HSBC<br />
• Expertise – the Customer does not possess the requisite expertise to undertake their activities<br />
6. Approvals<br />
Key Objective: HSBC requires that the Business assesses the Financial Crime risks associated with each Customer and through the Approvals process determines if a Customer is to be onboarded, maintained or exited.<br />
How will the Objective be achieved? Approval matrices have been established to reflect the various levels of Approval required at Customer onboarding, Periodic Review and in the case of Risk Acceptance. In addition to approvals, this Chapter also describes various situations where a Customer relationship may involve internal Business Restrictions resulting in limitations to the scope of the products and services offered.<br />
Scope of Chapter:<br />
6.1 Introduction<br />
6.2 Approval <strong>Process</strong><br />
6.3 Approval <strong>Process</strong> – Online Account Opening<br />
6.4 Meaning of Approval by Role<br />
6.5 Approval Matrix for Customer Onboarding<br />
6.6 Approval Matrix for Periodic and Event Driven Reviews<br />
6.7 Approval Matrix for Requested <strong>CDD</strong> Risk Acceptance<br />
6.8 Rejection of <strong>CDD</strong> Profile<br />
6.9 Business Restrictions<br />
6.10 Attestation – Same Jurisdiction<br />
Related Chapters:<br />
Quality Control and Quality Assurance<br />
Periodic and Event-Driven Reviews<br />
<strong>CDD</strong> Risk Acceptance<br />
Escalations<br />
Customer Data Management, Verification Requirements KRIs & MI<br />
Other Related Documents and <strong>Process</strong>es:<br />
Global Risk FIM B2.21 Reputational Risk and Client Selection<br />
Customer Selection and Exit Management<br />
HTS FIM B 6.2 Records Retention<br />
6.1 Introduction<br />
6.1.1 To manage the Financial Crime risks faced by HSBC effectively and to ensure the Customer relationship<br />
remains within HSBC’s risk appetite, a Risk Based Approach to the approval of <strong>CDD</strong> Profiles is required.<br />
6.1.2 Approval matrices have been established reflecting the various levels of sign-off required for each Financial<br />
Crime Risk Rating (FCRR) at onboarding, Periodic Review and in the case of <strong>CDD</strong> Risk Acceptance<br />
requests (see sections 6.4, 6.5 and 6.6).<br />
6.2 Approval <strong>Process</strong><br />
6.2.1 It is the responsibility of the Business to return and complete relevant <strong>CDD</strong> information in line with<br />
procedural standards.<br />
6.2.2 All mandatory information and documentation must be complete or a <strong>CDD</strong> Risk Acceptance obtained prior<br />
to, or on, submission for Approval.<br />
6.2.3 It should be noted that no individual staff member can approve at more than one level. Furthermore,<br />
approvals can only be delegated to more junior members of staff by GCB2s or higher where prior approval<br />
has been provided by the Global Head of <strong>RBWM</strong> FCC.<br />
6.2.4 Certain higher risk cases (as defined in the Reputational Risk and Client Selection Policy) require the<br />
relevant Reputational Risk and Client Selection Committee (RR&CSC) to review and approve a Customer<br />
Relationship (e.g. Sixth Filter cases).<br />
6.2.5 An audit trail of the appropriate <strong>CDD</strong> approval and sign-off process, including dates and full records of any<br />
rejections, must be documented and recorded in accordance with the Customer Data Management Policy [14]<br />
(see Section 9.2).<br />
6.3 Approval <strong>Process</strong> – Online Account Opening<br />
6.3.1 Where a customer is onboarded through an online channel, where there is no customer contact as<br />
standard, the approval process may need to be different.<br />
6.3.2 The controls applied to the online channel will vary by market, but there are consistent principles and<br />
controls to be applied, as follows:<br />
• Online account opening does not need to be restricted by customer risk rating; however, consideration should be given to the most appropriate operating model for customers where EDD may be needed.<br />
• Exits from the online journey or a journey "pause" must be in place in order to mitigate the risk posed by some customers which will be difficult to manage online. Examples may include exposure to Sensitive Sanctioned Countries, customers with Connected Parties, and detailed Source of Funds / Source of Wealth questions.<br />
• System fields should be mandatory and must include "real" data, i.e. responses which are relevant to the field. To help achieve this, drop down box options are preferable. Where free format text is unavoidable, reports should be developed and reviewed to monitor input of sequential numbers and characters.<br />
[14] See HTS FIM B.6.2 Records Retention.<br />
6.4 Meaning of Approval by Role<br />
6.4.1. The following table outlines the definitions of the different approval levels for First and Second Line of<br />
Defence.<br />
Columns: Function | Role | Role Description within <strong>RBWM</strong> | Responsibility and Approval Definitions<br />
Function: Business (First Line of Defence)<br />
Role: Preparer<br />
Role Description within <strong>RBWM</strong>: Onboarding Staff; Premier Relationship Officer; Onboarding Relationship Manager; Customer Services Representative; <strong>CDD</strong> Analyst<br />
Definitions: Where there is a Preparer distinct from the Business Owner, it is the responsibility of the Preparer to collate relevant <strong>CDD</strong> information into the <strong>CDD</strong> profile. The Preparer is responsible for confirming that the information on the <strong>CDD</strong> Profile is complete, properly recorded and technically accurate, in line with Country legal and regulatory standards. The Preparer must also ensure that the profile meets the relevant policy and procedural requirements, in line with <strong>RBWM</strong> <strong>CDD</strong> Procedures.<br />
Function: Business (First Line of Defence)<br />
Role: Business owner<br />
Role Description within <strong>RBWM</strong>: Relationship Manager; Customer Services Representative; <strong>CDD</strong> Senior Analyst (generally a Relationship Manager or Customer Services Representative)<br />
Definitions: The Business owner is responsible for:<br />
a) Approving that the Financial Crime and reputational risk attached to a Customer is acceptable and that onboarding/Periodic or Event Driven Review should proceed. This will be based upon the information provided, the Business Owner’s knowledge of the Customer relationship, the jurisdictions where the Customer operates and is incorporated, as well as the AML risks and mitigants identified;<br />
b) Acknowledging that they have read and understood the information provided in the <strong>CDD</strong> Profile and that the information within is consistent with their knowledge of the Customer.<br />
Where the Business owner is also the Preparer, the Preparer Approval Definition additionally applies.<br />
The Business owner is responsible for:<br />
a) Approving that the Financial Crime and reputational risk attached to a Customer is acceptable, based on the information provided by the customer, the Financial Crime Risk Rating, the Business Owner’s knowledge of the customer and a holistic understanding of the customer relationship;<br />
b) Approving that Periodic or Event Driven Review has been completed accurately and that the <strong>CDD</strong> profile has been updated accordingly, based on any new information provided and the revised or existing Financial Crime Risk Rating;<br />
c) Acknowledging that they have read and understood the information provided in the <strong>CDD</strong> Profile and that the information within is consistent with their knowledge of the Customer.<br />
All of the information provided by the Customer, the Financial Crime Risk Rating and a holistic understanding of the customer relationship should be considered in the decision making process. Where the Business owner is also the Preparer, the Preparer Approval Definition additionally applies.<br />
Function: Business (First Line of Defence)<br />
Role: Business Manager<br />
Role Description within <strong>RBWM</strong>: Branch Manager; Contact Centre Team Manager (generally Branch Manager or Contact Centre Team Manager where relevant)<br />
Definitions: The Business Manager (typically the Business owner’s Line Manager) is in a position to take a broader view of how a particular Customer’s risk fits within the Country Business. By approving the <strong>CDD</strong> Profile (based on the information provided), the Business Manager is confirming that the Customer poses an acceptable Financial Crime and reputational risk for the local HSBC entity.<br />
Function: Business (First Line of Defence); Regional Business; Global Business<br />
Role: Business Executive<br />
Role Description within <strong>RBWM</strong>: Area Manager; Regional Manager (generally Area Manager)<br />
Definitions: The Business Executive is of a higher grade than a Business Manager and is also in a position to take a broader view of how a particular Customer’s risk fits within the Country Business. Executives are sometimes based in Regional/Global locations. (Location varies by market)<br />
Function: Compliance (Second Line of Defence)<br />
Role: Country FCC<br />
Definitions: Country FCC have a deep understanding of the relevant Local regulations, global policies and procedures to provide independent control over the Financial Crime risk management activities. FCC will act independently to the Business and will provide oversight of <strong>CDD</strong>.<br />
Country FCC will take a risk based approach to the review of <strong>CDD</strong> Profiles including concurrence of the profile as part of the <strong>CDD</strong> <strong>Process</strong> and Quality Assurance (see Quality Control and Quality Assurance Chapter).<br />
Any review and subsequent concurrence of the profile as part of the <strong>CDD</strong> <strong>Process</strong><br />
Compliance<br />
oversight of <strong>CDD</strong>.<br />
must include considerations such as Financial Crime Risk and the extent to which the<br />
risk has Country been properly FCC will<br />
(Second Line<br />
assessed take a risk and based managed approach by the to Business. the review of <strong>CDD</strong> Profiles including<br />
concurrence of the profile as part of the <strong>CDD</strong> <strong>Process</strong> and Quality Assurance (see<br />
of Defence) Country<br />
Country FCC should determine when it is appropriate to escalate cases to the MLRO/<br />
Quality Control and Quality Assurance Chapter).<br />
FCC<br />
Head of AML for approval.<br />
Any review and subsequent concurrence of the profile as part of the <strong>CDD</strong> <strong>Process</strong><br />
must include considerations such as Financial Crime Risk and the extent to which the<br />
Regional FCC<br />
Where additional Regional or Global FCC is required, this is defined within this<br />
risk has been properly assessed and managed by the Business.<br />
Global FCC<br />
Chapter.<br />
Country FCC should determine when it is appropriate to escalate cases to the MLRO/<br />
Head of AML for approval.<br />
Regional<br />
FCC<br />
Global FCC<br />
Where additional Regional or Global FCC concurrence is required, the <strong>LoBP</strong>s will<br />
determine this.<br />
6.4.2. The level of approval required is driven by the:<br />
a) FCRR of the Customer;<br />
b) Reason for review (onboarding, Periodic or Event Driven Review or <strong>CDD</strong> Risk Acceptance).<br />
c) Other discrete characteristics 15<br />
6.4.3. The following sub-sections of this chapter outline the Approval matrices to be followed for each Approval<br />
Request type:<br />
a) At Customer on-boarding (see Section 6.4).<br />
b) At Periodic Review or Event Driven Review (see Section 6.5).<br />
c) In the case of a <strong>CDD</strong> Risk Acceptance (see Section 6.6).<br />
6.4.4. This document sets out the Global <strong>RBWM</strong> minimum approval requirements. Jurisdictions are expected to<br />
ensure adherence to these requirements in addition to any country requirements specified by<br />
Compliance.<br />
6.5 Approval Matrix for Customer Onboarding<br />
6.5.1. The following matrix identifies the minimum approval requirements for Customers at on-boarding.<br />
* Where frontline staff have the appropriate system privileges to fulfil the full account opening process, there may be no distinction<br />
between the roles of Preparer and Business Owner, therefore only one Approval will be applicable. In all other cases the above<br />
Table will apply.<br />
** FCC provide concurrence only<br />
6.5.2. In addition to these approvals, additional approval requirements may apply in accordance with the CSEM<br />
Policy, e.g. relevant RR&CSC for Sixth Filter exposure.<br />
6.6 Approval Matrix for Periodic and Event Driven Reviews<br />
6.6.1. Periodic Reviews may result in updates to the <strong>CDD</strong> profile. Material changes are those changes that, had<br />
they been identified as a Trigger Event, would have been a Material Trigger Event (see Periodic<br />
and Event-Driven Reviews Chapter).<br />
6.6.2. The level of approval required for Periodic Reviews is based on the level of change following the Review<br />
(i.e. Material vs. No Material change).<br />
6.6.3. If there are no Material Changes at Periodic Review, lower approval levels are acceptable (except for SCC<br />
Customers).<br />
6.6.4. If an Administrative Trigger Event is identified between Periodic Reviews, the <strong>CDD</strong> profile is to be updated<br />
to reflect the change but does not require approval (see Periodic and Event-Driven Reviews Chapter).<br />
6.6.5. The matrix below identifies the minimum approval requirements dependent on the level of change and the<br />
FCRR.<br />
15 Other discrete characteristics include Customer Type and PEPs. Refer to Trusts, Individuals ID&V, KYC and EDD <strong>LoBP</strong>s for exceptional<br />
circumstances which may necessitate escalation to Business Risk/FCC for approval, beyond the minimum approval requirements outlined in<br />
6.3.3. See: Global <strong>RBWM</strong> AML Policy Chapter 13: PEPs<br />
* Where frontline staff have the appropriate system privileges to fulfil the profile review process, there may be no distinction between<br />
the roles of Preparer and Business Owner, therefore only one Approval will be applicable. In all other cases the above Table will<br />
apply.<br />
** FCC provide concurrence only<br />
6.7 Approval Matrix for requested <strong>CDD</strong> Risk Acceptance<br />
6.7.1 Please refer to the <strong>CDD</strong> Risk Acceptance Chapter for the matrix identifying the minimum approval<br />
requirements for Risk Acceptance.<br />
6.8 Rejection of <strong>CDD</strong> Profile<br />
6.8.1. At any stage during the approval process, the <strong>CDD</strong> Profile may be returned with guidance to the Preparer<br />
or Business owner or rejected.<br />
6.8.2. Approval may be refused when:<br />
a) Profile is returned: Incorrect or missing information is identified within the <strong>CDD</strong> Profile or the<br />
approver requests additional information/documentation. In such instances, the <strong>CDD</strong> Profile will<br />
need to be returned to the Preparer or Business owner with guidance, explaining why approval<br />
was not given and what resultant action is required.<br />
b) Profile is rejected: The Financial Crime Risk (including reputational risk) posed by the<br />
Customer is deemed to be too high/outside of business risk appetite. In such circumstances, the<br />
Customer should not be on-boarded or in the case of an existing Customer, should be exited<br />
(see B2.21.3 Customer Selection and Exit Management).<br />
6.8.3. Where Approval has been refused during the <strong>CDD</strong> Approval process, the refusal and the reason for the<br />
refusal must be recorded in the <strong>CDD</strong> Profile.<br />
6.8.4. In the case of disagreement between the Business, i.e. the risk owner and First Line of Defence, and<br />
Compliance as the Second Line of Defence, the Escalation <strong>Process</strong> must be followed (see Escalations<br />
Chapter).<br />
6.9 Business Restrictions<br />
6.9.1. In certain situations, the type of business that a Customer is approved to undertake with HSBC may be<br />
subject to internal restrictions e.g. where the Customer is only authorised to engage with a given HSBC<br />
entity and/or for a prescribed set of products and services. Lifting of a Business Restriction is a Material<br />
Trigger Event.<br />
6.10 Attestation<br />
6.10.1. For shared customers, attestation refers to the process whereby a Business Owner (for example a<br />
Relationship Banker/Manager who owns the customer relationship, Account Service Rep. etc.) from one<br />
LoB attests to another HSBC party (e.g. Product Provider, Preparer or product line of another LoB)<br />
regarding the integrity of the <strong>CDD</strong> profile of the Customer, including confirmation that the <strong>CDD</strong> profile is<br />
complete, is maintained in accordance with HSBC Group Policy, and is consistent with the applicable<br />
Country LoB <strong>CDD</strong> Procedures.<br />
6.10.2. Attestation must be given prior to the other LoB or product provider accepting new business.<br />
6.10.3. The Business Owner has primary responsibility for the management of the overall customer relationship<br />
and attests to the ongoing management of <strong>CDD</strong> including informing the impacted product provider in the<br />
event that the attesting LoB exits the Customer or imposes a business restriction in line with paragraph<br />
6.8.1. Further information on Exits can be found in the CSEM Global Risk FIM policy (B2.21.3 Customer<br />
Selection and Exit Management).<br />
6.10.4. This process only applies where both the Business and the Product lines are within the same jurisdiction, or<br />
where outsourcing arrangements are in place between HSBC legal entities in accordance with AML and<br />
Sanctions Outsourcing Guidance. Where these conditions are not met, full due diligence will be required<br />
within the receiving entity. This can be satisfied through the receipt of the due diligence documentation held<br />
by the home country. Where this is prevented by data sharing laws and regulations, or where the<br />
documentation is unsatisfactory, the receiving country should perform its own due diligence.<br />
6.10.5. Where, in the same jurisdiction, multiple HSBC legal entities have access to the same <strong>CDD</strong> Profile,<br />
approval by one entity can be deemed to apply for all, unless regulatory requirements specify otherwise.<br />
6.10.6. Attestation recipients may audit and monitor performance to confirm the adequacy of processes and<br />
controls of the LoB on whom reliance is placed.<br />
6.10.7. HSBC Affiliates will share <strong>CDD</strong> information on joint customers across jurisdictions, unless prohibited from<br />
doing so by local data protection legislation (see the Customer Data Management, Verification<br />
Requirements and KRIs & MI Chapter).<br />
6.10.8. Country procedural standards must document where attestation is / is not acceptable due to local<br />
regulation. This guidance must be approved by Regional FCC.<br />
7. <strong>CDD</strong> Risk Acceptance<br />
Key Objective: To identify and deal with Risk Acceptance that arises during the <strong>CDD</strong> Profile completion process in an appropriate manner in order to safeguard against Financial Crime risks.<br />
How will the Objective be achieved? HSBC is committed to ensuring that <strong>CDD</strong> for each Customer is performed, completed and approved before a new account is opened or a new business relationship is established. Where variances to <strong>CDD</strong> requirements are identified, <strong>CDD</strong> Risk Acceptance may be requested. The processes and approval requirements outlined in this chapter must be adhered to.<br />
Scope of Chapter: 7.1 Introduction; 7.2 Customer <strong>CDD</strong> Risk Acceptance; 7.3 <strong>CDD</strong> Procedural Standards Breaches<br />
Related Chapters: Escalations; Restricted and Prohibited Customers, Special Categories of Customers (SCCs) and Prohibited Products<br />
Other Related Documents and <strong>Process</strong>es: Global Risk FIM, Compliance Risk Management, B 2.1.4 Escalations, Exception Reporting & Follow Up<br />
7.1 Introduction<br />
7.1.1 HSBC is committed to ensuring that <strong>CDD</strong> for each Customer is performed, completed and approved by the<br />
appropriate employee before a product is provided, or a new business relationship is established.<br />
7.1.2 HSBC has a very limited appetite for granting <strong>CDD</strong> Risk Acceptances, unless otherwise mandated by<br />
regulatory requirements. However, where Risk Acceptance against the <strong>CDD</strong> requirements is requested, such<br />
requests must be dealt with so as to safeguard against Financial Crime Risks.<br />
7.1.3 This section outlines the processes and approval requirements to be adhered to with respect to: (i)<br />
requested Customer <strong>CDD</strong> Risk Acceptance; and (ii) identified <strong>CDD</strong> Procedural Standards Breaches.<br />
7.2 Customer <strong>CDD</strong> Risk Acceptance<br />
7.2.1 This section details the requirements and necessary governance to manage risks in a commercially<br />
sensitive and Customer centric manner whilst safeguarding against Financial Crime Risks.<br />
7.2.2 Customer <strong>CDD</strong> Risk Acceptance may be applied upon receipt of appropriate approval. There are two forms<br />
of <strong>CDD</strong> Risk Acceptance:<br />
a) Temporary <strong>CDD</strong> Risk Acceptance (see Section 7.2.3)<br />
b) Permanent <strong>CDD</strong> Risk Acceptance (see Section 7.2.9)<br />
Temporary <strong>CDD</strong> Risk Acceptance<br />
7.2.3 In limited instances, the Business may be authorised to provide a product to a Customer where the Customer<br />
has been unable to provide all necessary <strong>CDD</strong> information/documentation to complete the <strong>CDD</strong> profile. This can<br />
occur at any stage during the <strong>CDD</strong> process, including onboarding and periodic & event driven review.<br />
7.2.4 Temporary <strong>CDD</strong> Risk Acceptance is defined as having a lifespan up to and including 60 calendar days.<br />
7.2.5 Temporary <strong>CDD</strong> Risk Acceptance requests can only be considered for approval where the following<br />
minimum standards have been met, unless regulatory or contractual obligations apply:<br />
a) There is an expectation that the necessary information/documentation will be received within a<br />
specified time;<br />
b) Sufficient Customer identification information has been obtained to enable Customer Screening to<br />
be performed;<br />
c) Any Financial Crime Risk exposure arising from incomplete verification of the Customer or<br />
Connected Party identity is reasonably mitigated and documented;<br />
d) The permitted activity is appropriate to the LoB;<br />
e) There is capacity to exit on expiry of the Risk Acceptance period;<br />
f) A Risk Acceptance Request Form has been completed (see paragraph 7.2.17); and<br />
g) Where a Temporary <strong>CDD</strong> Risk Acceptance is required at onboarding, at least one verification<br />
document must have been obtained.<br />
7.2.6 In all circumstances a check, independent to the Business Owner (usually within operations), is required to<br />
confirm that the <strong>CDD</strong> Risk Acceptance has been resolved before the <strong>CDD</strong> Risk Acceptance period expires.<br />
7.2.7 Throughout the <strong>CDD</strong> Risk Acceptance period, the Business must continue to obtain the outstanding <strong>CDD</strong><br />
information/documentation. Internal reminders are to be sent to the Business at regular intervals to ensure<br />
timely prompts can be sent to Customers to request the outstanding information/documentation.<br />
7.2.8 On expiry of a Temporary <strong>CDD</strong> Risk Acceptance period, the reasons for not obtaining the information must be<br />
clearly understood. The Business and FCC must agree on what action is to be taken. This may include<br />
retaining the customer (see below) or Customer exit (subject to local regulatory requirements and<br />
contractual limitations – refer to CSEM Policy).<br />
7.2.9 If the reason for applying Temporary <strong>CDD</strong> Risk Acceptance has been satisfied e.g. supporting evidence has<br />
been provided, the approval of the <strong>CDD</strong> profile must follow the requirements outlined in the Approval<br />
Chapter.<br />
<strong>CDD</strong> Profile Expiry - Temporary <strong>CDD</strong> Risk Acceptance Expiry & Periodic Review<br />
7.2.10 A <strong>CDD</strong> profile expiry occurs in the following circumstances:<br />
a) A Temporary <strong>CDD</strong> Risk Acceptance period has expired<br />
b) A profile review conducted at Periodic Review has become overdue<br />
Customer Retention<br />
7.2.11 Where the <strong>CDD</strong> profile has expired and the customer remains within the risk appetite of the bank, the<br />
following steps can be considered to encourage the customer to respond and to avoid unnecessary exit:<br />
a) Staff and / or customer incentives may be considered where appropriate to encourage the<br />
customer to respond. This must be governed jointly by the Business, Risk and Marketing as<br />
appropriate.<br />
b) Service disruption may be applied to customer accounts if they do not respond or provide<br />
adequate <strong>CDD</strong> documentation once the profile has expired. This may include:<br />
• Reduced access to new products and / or services<br />
• Internet Banking restrictions<br />
• Reducing withdrawal thresholds at ATM<br />
• Reducing credit card limits<br />
• Withdrawing existing products<br />
c) Service disruption should not prevent a customer from making regular payments from the<br />
primary bank account, e.g. household bills.<br />
d) The RM should continue to make every effort to contact the customer via different channels, as<br />
many times as appropriate, making it easy for the customer to respond and provide the<br />
necessary information.<br />
e) The case will continue to report as overdue.<br />
7.2.12 Service disruption should be used cautiously and appropriate processes and resources made available to<br />
ensure restrictions can be easily and quickly lifted once a customer responds.<br />
7.2.13 Legal sign-off or input must be obtained to confirm that any restrictions are permitted under the<br />
Terms and Conditions (T&amp;Cs).<br />
7.2.14 Once the profile reaches 60 days overdue, the following must be considered:<br />
• Outside Risk Appetite – Exit via CSEM (A, B or C Exit Category)<br />
• Commercially Unviable – Exit via CSEM (F Exit Category)<br />
• PVC 16 (significant Reputational Risk) – Apply Permanent <strong>CDD</strong> Risk Acceptance<br />
• Retain But Not Risk Accepted – Mark Operationally Dormant & Inhibit Relationship<br />
7.2.15 The MI reporting for expired profiles needs to differentiate between expired Temporary <strong>CDD</strong> Risk<br />
Acceptances and expired profile reviews at Periodic Review. This requirement reflects the different risk<br />
posed to the Bank by new customers, for whom no valid profile will have been created<br />
(Temporary <strong>CDD</strong> Risk Acceptance expiry), and existing customers (profile expiry at Periodic Review).<br />
Permanent <strong>CDD</strong> Risk Acceptance<br />
7.2.16 It should be noted that only in very rare circumstances will Permanent <strong>CDD</strong> Risk Acceptance be granted,<br />
and only in cases where appropriate risk mitigants have been identified, e.g. a law enforcement reason<br />
why documentation is not available.<br />
7.2.17 Permanent <strong>CDD</strong> Risk Acceptance is defined as having a lifespan beyond 60 calendar days. These are<br />
cases where the Business is unable to collect the necessary <strong>CDD</strong> information/documentation from the<br />
Customer.<br />
16 It is expected that the volumes of these cases will be low, where there are unique customer circumstances and information / evidence will not<br />
be available. Cases are subject to formal FCC approval as per the requirements of Permanent Risk Acceptance.<br />
7.2.18 The process for applying for a Permanent <strong>CDD</strong> Risk Acceptance is the same as that for Temporary <strong>CDD</strong><br />
Risk Acceptance.<br />
7.2.19 The retention of a Prohibited Customer is considered a Permanent <strong>CDD</strong> Risk Acceptance. There is no<br />
appetite to on-board new Prohibited Customers (see Chapter 10 - Restricted and Prohibited Customers,<br />
Special Categories of Customers (SCCs) and Prohibited Products).<br />
7.2.20 Permanent <strong>CDD</strong> Risk Acceptance is subject to an annual sign-off in line with the requirements described in<br />
paragraph 7.2.24.<br />
Retail Business Banking – <strong>CDD</strong> Risk Acceptance<br />
7.2.21 Where <strong>RBWM</strong> has a Retail Business Banking portfolio, if the customer does not meet the established<br />
criteria for a Retail Business Banking customer, approval to onboard or retain must be provided by the<br />
Country Heads of Retail Business Banking and FCC.<br />
7.2.22 A decision to approve or retain will be treated as Permanent <strong>CDD</strong> Risk Acceptance.<br />
7.2.23 Where <strong>RBWM</strong> does not want to onboard the customer and there are no financial crime concerns, the<br />
customer can be referred to CMB.<br />
Approval of a Customer <strong>CDD</strong> Risk Acceptance<br />
7.2.24 The level of approval required to grant a <strong>CDD</strong> Risk Acceptance follows a risk based approach and is<br />
dependent on the FCRR of the Customer and whether the request is a Temporary or Permanent <strong>CDD</strong> Risk<br />
Acceptance.<br />
7.2.25 The following tables outline the approvals required to grant a <strong>CDD</strong> Risk Acceptance:<br />
Temporary Risk Acceptance<br />
Function | Role Description | Low Medium High SCC (✓ = approval required)<br />
Business (First Line of Defence) | Business owner (Generally RM or Customer Services Representative) | ✓<br />
Business (First Line of Defence) | Business Management (Generally Branch Manager) | ✓ ✓<br />
Business (First Line of Defence) | Business Executive* (Generally Area Manager) | ✓ ✓ ✓<br />
Compliance (Second Line of Defence) | Local FCC | ✓<br />
Compliance (Second Line of Defence) | Country Head of FCC | ✓ ✓ ✓<br />
Compliance (Second Line of Defence) | Regional FCC |<br />
Compliance (Second Line of Defence) | Global LoB FCC |<br />
Permanent Risk Acceptance<br />
Function | Role Description | Low Medium High SCC (✓ = approval required)<br />
Business (First Line of Defence) | Business owner (Generally RM or Customer Services Representative) | ✓<br />
Business (First Line of Defence) | Business Management (Generally Branch Manager) | ✓ ✓ ✓<br />
Business (First Line of Defence) | Business Executive* (Generally Area Manager) | ✓ ✓ ✓<br />
Compliance (Second Line of Defence) | Local FCC | ✓<br />
Compliance (Second Line of Defence) | Country Head of FCC | ✓<br />
Compliance (Second Line of Defence) | Regional FCC | ✓ ✓<br />
Compliance (Second Line of Defence) | Global LoB FCC |<br />
*Business Executive is defined as a GCB3 or above<br />
7.2.26 High and SCC Customers with <strong>CDD</strong> Risk Acceptance must be approved at a senior level by the Business<br />
and FCC.<br />
<strong>CDD</strong> Risk Acceptance – Other Considerations<br />
7.2.27 In requesting a <strong>CDD</strong> Risk Acceptance, the following details must be provided for both Temporary and<br />
Permanent requests:<br />
a) A full analysis of the request (including the rationale for the request i.e. what <strong>CDD</strong><br />
information/documentation is missing and why, relevant policy / procedural standard, <strong>CDD</strong> review<br />
type);<br />
b) Details of any risks posed as a result of the <strong>CDD</strong> Risk Acceptance being granted and<br />
corresponding mitigants to manage the risks;<br />
c) Details of the risk presented to the Bank by the Customer relationship;<br />
d) The requested duration of the <strong>CDD</strong> Risk Acceptance period; and<br />
e) Any applicable Business Restrictions.<br />
7.2.28 In providing concurrence with the <strong>CDD</strong> Risk Acceptance, FCC is required to confirm:<br />
a) The time period for the <strong>CDD</strong> Risk Acceptance;<br />
b) Business restrictions to be imposed;<br />
c) Compliance of the request with the applicable regulations; and<br />
d) Satisfaction with the risk assessment and mitigating controls put in place by the Business.<br />
7.2.29 <strong>CDD</strong> Risk Acceptance requests must be recorded in the <strong>CDD</strong> profile, along with the outcome, the rationale<br />
and any Business Restrictions applied.<br />
7.2.30 A register of Permanent <strong>CDD</strong> Risk Acceptances is to be maintained by the Business (First Line of Defence)<br />
and must be made available to the appropriate AML Offices.<br />
7.2.31 All <strong>CDD</strong> Risk Acceptance requests must be logged in a <strong>CDD</strong> Risk Acceptance Log and include the<br />
following details:<br />
a) Customer name and unique identifier<br />
b) Nature of <strong>CDD</strong> Risk Acceptance<br />
c) Reason for <strong>CDD</strong> Risk Acceptance and risk mitigants<br />
d) Date of approval<br />
e) Expected date of resolution (for Temporary <strong>CDD</strong> Risk Acceptance)<br />
f) Details of <strong>CDD</strong> Risk Acceptance if not resolved within agreed timelines<br />
g) Name and role of Approvers<br />
h) Business restrictions<br />
7.2.32 Due to contractual obligations entered into at the point of provision of Insurance products, additional<br />
controls apply to the sale of Insurance products to Customers who are subject to a <strong>CDD</strong> Risk Acceptance<br />
approved by Country FCC:<br />
a) There is no appetite to provide Insurance Products to Customers with Temporary <strong>CDD</strong> Risk<br />
Acceptance.<br />
b) Customers with Permanent <strong>CDD</strong> Risk Acceptance require approval by Insurance FCC prior to the<br />
sale of an Insurance product.<br />
7.2.33 Sufficient MI to enable an understanding of the risks underlying the <strong>CDD</strong> Risk Acceptance requested and<br />
granted must be generated for the Business and FCC to review on a regular basis. This will help support an<br />
assessment of the effectiveness of the applicable standards and whether any remedial action is necessary<br />
(including training, review of policy and review of <strong>CDD</strong> requirements) (See Customer Data Management,<br />
Verification Requirements and Key Risk Indicators & Management Information Chapter).<br />
7.2.34 The Business Executive and FCC must confirm on an annual basis (generally via MLRO reporting) that the<br />
number and nature of Permanent <strong>CDD</strong> Risk Acceptances are within the Business risk appetite.<br />
7.2.35 Where there is disagreement between the Business and FCC in relation to whether a <strong>CDD</strong> Risk<br />
Acceptance should be granted, the Escalation <strong>Process</strong> must be followed (see Escalations Chapter).<br />
7.3 <strong>CDD</strong> Procedural Standards Breaches<br />
7.3.1 A <strong>CDD</strong> Procedural Standards Breach is defined as trading, entering into, or continuing a relationship<br />
without full <strong>CDD</strong> information/documentation being in place and without a valid <strong>CDD</strong> Risk Acceptance in<br />
place. Examples of these Breaches can include:<br />
a) Accounts becoming operational where <strong>CDD</strong> is non-compliant with the Global <strong>CDD</strong> Procedures,<br />
without a dispensation or a <strong>CDD</strong> Risk Acceptance being in place;<br />
b) An expired Temporary <strong>CDD</strong> Risk Acceptance request that is not resolved; or<br />
c) Missing documentation/information that is a specific regulatory requirement under local legislation.<br />
7.3.2 It is not considered to be a <strong>CDD</strong> Procedural Standards Breach if a Customer is included in an approved<br />
remediation plan.<br />
7.3.3 If a Breach is identified, the matter must immediately be escalated to FCC and Business Management (refer<br />
to Global Risk FIM, Compliance Risk Management, B 2.1.4 Escalations, Exception Reporting & Follow Up).<br />
7.3.4 MI on Breaches needs to be sufficiently granular to understand the type of Breach.<br />
7.3.5 Completion of remediation and closure of the Breach must be tracked by the Business.<br />
8 Quality Control and Quality Assurance<br />
Key Objective(s): To ensure that <strong>CDD</strong> information and documentation held on file is complete, accurate and up to date. To ensure that <strong>CDD</strong> processes have been undertaken in accordance with internal policies and regulatory requirements.<br />
How will the Objective(s) be achieved? Information and documentation obtained during the <strong>CDD</strong> process will be reviewed for completeness, accuracy and timeliness as part of the Quality Control (QC) and Quality Assurance (QA) procedures performed by the Business. Testing and other self-assessments will be performed to ensure compliance with the applicable internal policies and regulatory requirements. The requirements in these procedures must be applied commensurate with the respective operating processes, customer types, and financial crime risks within the <strong>RBWM</strong> Business.<br />
Scope of Chapter<br />
In Scope<br />
This Guidance outlines minimum standards and principles to assist in proceduralising<br />
<strong>CDD</strong> QC & QA processes. All Customer profiles that go through the <strong>CDD</strong><br />
process are in scope of this Guidance, which is focused on 1st Line<br />
responsibilities (BRCM QA Activity is out of scope of this Guidance).<br />
Related Chapters<br />
<strong>CDD</strong> <strong>Process</strong> Chapters<br />
<strong>CDD</strong> Customer Type Chapters<br />
<strong>CDD</strong> Reliance Chapter<br />
Chapter 18.01 – Record Keeping and Retention Requirements<br />
Other Related<br />
Documents and<br />
<strong>Process</strong>es<br />
Three Lines of Defence Model (GCL 150011)<br />
Global <strong>CDD</strong> Operations – <strong>RBWM</strong> <strong>CDD</strong> QC & QA Framework<br />
8.1 Introduction<br />
8.1.1 Throughout the relationship with the Customer and during the <strong>CDD</strong> process, information and<br />
documentation are obtained about the Customer. In order to assess appropriately the financial crime risk<br />
associated with the Customer, it is critical that the information and documentation obtained within the <strong>CDD</strong><br />
Profile complies with <strong>CDD</strong> standards. The Quality Control (QC) and Quality Assurance (QA) processes<br />
are therefore key to effectively managing the risks associated with incomplete, inaccurate or unverified<br />
information and documentation retained in the <strong>CDD</strong> Customer Profile.<br />
8.1.2 Quality Control (QC) checks will look at the completeness, accuracy and timeliness of the information and<br />
documentation captured in the <strong>CDD</strong> Profile, and identify any errors in the application of the <strong>CDD</strong> process. For<br />
example, they check that adequate information is retained in the <strong>CDD</strong> Profile to support the customer’s final<br />
recommended Financial Crime Risk Rating (FCRR). 17 These procedures are key to effectively managing<br />
the risks associated with incomplete or inaccurate information and documentation retained in the <strong>CDD</strong><br />
Profile.<br />
8.1.3 QA is an independent, post-approval process that tests and reviews customer <strong>CDD</strong> profiles against<br />
internal policies and established procedures, including approvals, decisions made, and quality of data<br />
captured, to ensure that key controls are operating effectively. QA is undertaken on a sample basis and<br />
will look at the quality of the data collected, the decisions made, and the actual processes themselves.<br />
8.1.4 In some instances a portion or all of the <strong>CDD</strong> requirements may be performed by third parties. In these<br />
cases the Bank places reliance on third parties and therefore limited due diligence is performed internally.<br />
Such arrangements must be aligned to the requirements set out in the Global AML Policy External<br />
Outsourcing AML Guidance and <strong>CDD</strong> Reliance Chapter, which also outlines the Bank’s Control Testing<br />
processes to cover the third parties’ activities.<br />
8.1.5 The QC and QA procedures reinforce the Group's Risk Management Framework of the Three Lines of<br />
Defence. 18<br />
8.2 Quality Control & Quality Assurance (QC&QA)<br />
Responsibility<br />
8.2.1 QC & QA procedures are the responsibility of the <strong>RBWM</strong> Business and must be performed by an<br />
independent person, i.e. someone who is suitably trained to ensure testing is applied consistently (e.g.<br />
Branch Manager or <strong>CDD</strong> Utility Quality team) and with the appropriate segregation of duties within the<br />
Line of Business or <strong>CDD</strong> Operating Unit. The <strong>RBWM</strong> <strong>CDD</strong> Quality Control and Quality Assurance Frameworks<br />
should be referenced to determine specific QC & QA processes and procedures (see Appendix A).<br />
Timing and Frequency<br />
8.2.2 QC & QA must be undertaken for new customer account opening (post approval), periodic and event<br />
driven reviews. Both should be performed independently of each other, on an ongoing basis after the<br />
Approval process is complete, and results reported each month to the Regional & Global Risk<br />
Management Committee. QA would undertake reviews and sample from <strong>CDD</strong> Profiles approved<br />
within the previous 30 days. Samples should include accounts opened from all channels where staff<br />
interaction is involved. Straight Through <strong>Process</strong>ing (STP) does not require QC or QA sampling.<br />
QC/QA Minimum Sample Sizes<br />
8.2.3 Samples should be representative of the Country/operational area population. An operational area is<br />
defined as the country or region size and structure. The volume and criteria for sample selection and size<br />
is to be defined by Operational area and documented within the Country <strong>LoBP</strong>. Using statistical sampling,<br />
the following guidelines are to be applied. These equate to a 90% level of reliability.19<br />
17<br />
The Financial Crime Customer Risk Assessment Model (FCC-RAM) is used to calculate a Financial Crime Risk Rating (FCRR) for each<br />
customer – i.e. High, Medium or Low risk. See the Risk Models AML Guidance for further information. These FCRRs determine the level of <strong>CDD</strong><br />
that is required to manage the risk posed by that customer and the frequency that the relationship is reviewed.<br />
18<br />
Please refer to the Three Lines of Defence Model on the Group’s Risk website and the Group Standards Manual Chapter 10 for additional<br />
information on the Three Lines of Defence Model and the applicable roles and responsibilities of each line of defence. Please note that this Guidance<br />
focusses only on the 1st Line requirements.<br />
8.2.4 Quality Control (QC) checks will look at the completeness, accuracy and timeliness of the information and<br />
documentation captured in the <strong>CDD</strong> Profile, and identify any errors in the application of the <strong>CDD</strong> process; for<br />
example, that adequate information is retained in the <strong>CDD</strong> Profile to support the customer’s final<br />
recommended Financial Crime Risk Rating (FCRR).20 These procedures are key to effectively managing<br />
the risks associated with incomplete or inaccurate information and documentation retained in the <strong>CDD</strong><br />
Profile.<br />
QC Sample Selection Requirements - New customer account opening, periodic and event driven reviews<br />
8.2.5 This guidance outlines minimum sampling requirements in 8.2.3 above which must be applied.<br />
- The sample selected must ensure that each member of staff with responsibility for conducting <strong>CDD</strong><br />
has at least 1 account sampled on an annual basis.<br />
- A sample size of 10% (minimum 10) of all new accounts opened / new relationships formed must be<br />
undertaken within each legal entity within each Country on a monthly basis.<br />
- The sample should cover the complete NTB high risk and SCC relationships established during the<br />
month.<br />
- The sample should cover all customer relationships / products opened / different distribution channels<br />
and should otherwise be random.<br />
- The sample should be taken from accounts opened within the previous 30 days, as the sample is being<br />
undertaken to ensure areas of concern are identified in a timely manner.<br />
- The Business QC/QA framework (see Appendix A) for process application will increase the level of<br />
QC/QA sampling, on a risk based approach, e.g. following the implementation of new policies and<br />
procedures, hiring of new staff, shifts in responsibilities, where systemic errors are identified etc., until it is<br />
determined that the changes are consistently and effectively implemented or the issues are appropriately<br />
managed.<br />
- Where appropriate, this could be done through the use of thematic reviews (i.e. a focussed review on a<br />
specific topic or area of change) to identify any issues. For QA specifically, the sample must ensure that<br />
the relevant <strong>CDD</strong> process and procedures themselves are also in scope of the review.<br />
- Following completion of a Periodic or Event Driven Review, QC & QA checks must be performed to<br />
ensure that the relevant <strong>CDD</strong> requirements have been performed to the necessary standard. Please<br />
refer to the Periodic and Event Driven Reviews Chapter for further information.<br />
- The table below outlines the minimum sample sizes required within the overall sample taken for the<br />
various populations of periodic and event driven reviews. These reviews must be conducted in line<br />
with the guidance provided in the below checklist.<br />
Population: Sample Size<br />
High Risk and SCC Periodic Review: 20% of reviews in the month<br />
Medium Risk Periodic Review: 10% of reviews in the month<br />
Event Driven Reviews: 10% of reviews in the month<br />
19<br />
A reliability level is a statistical term used to indicate the reliability of an estimate in an unknown population. It is used to indicate how likely or<br />
probable the results you get from your samples are to be representative of the entire population of whatever you are sampling.<br />
20<br />
The Financial Crime Customer Risk Assessment Model (FCC-RAM) is used to calculate a Financial Crime Risk Rating (FCRR) for each<br />
customer – i.e. High, Medium or Low risk. See the Risk Models AML Guidance for further information. These FCRRs determine the level of <strong>CDD</strong><br />
that is required to manage the risk posed by that customer and the frequency that the relationship is reviewed.<br />
QA Sample Selection<br />
8.2.6 This guidance outlines minimum sampling requirements in 8.2.3 above which must be applied.<br />
- The sample selected must include accounts that have been through the QC process as well as those<br />
that have not, on a monthly basis.<br />
- The sample should cover the complete NTB high risk and SCC relationships established during the<br />
month.<br />
- The sample should cover all customer relationships / products opened / different distribution channels<br />
and should otherwise be random.<br />
- The sample should comprise New To Bank customers and Existing customers (i.e. periodic or event<br />
based reviews).<br />
- The sample should be taken from accounts approved/completed within the previous 30 days.<br />
- The QA framework document will increase the level of QA sampling, on a risk based approach, e.g.<br />
following the implementation of new policies and procedures, hiring of new staff, shifts in responsibilities,<br />
where systemic errors are identified etc., until it is determined that the changes are consistently and<br />
effectively implemented or the issues are appropriately managed.<br />
- Where appropriate, this could be done through the use of thematic reviews (i.e. a focussed review on a<br />
specific topic or area of change) to identify any issues. For QA specifically, the sample must ensure that<br />
the relevant <strong>CDD</strong> process and procedures themselves are also in scope of the review. Please refer to<br />
the QA framework document for further details.<br />
Volume of Customers<br />
Operational areas with large<br />
volumes (>770 profiles per<br />
month):<br />
Operational areas with low<br />
volumes (
A QC process must be in place for <strong>CDD</strong> Analyst accreditation (i.e. formal recognition of competence<br />
and authorisation to perform specific tasks) of new to bank employees and employees who are new to<br />
performing <strong>CDD</strong>.<br />
The accreditation process must require that 100% of the employee’s work be checked during the first<br />
two weeks performing their role. The learning curve / time horizon may be extended if low volumes of<br />
work have been completed / checked.<br />
Where satisfactory performance is evidenced and no issues have been identified (i.e. errors at 3% or<br />
less), the level of checking may be reduced to 50% for week 3. If there are still no issues at the end of<br />
week 3, sampling may be reduced to 20% for week 4.<br />
After week 4, if the individual’s work is satisfactory with no issues identified, QC can revert to the<br />
standard level for all employees in the Country (see Section 8.2.3).<br />
In the event that errors are identified at the end of week 2, checking must remain at 100%. If errors are<br />
identified during week 3 or 4, the sample size should revert to the previous level until such time as<br />
quality has improved, and the sample may then be reduced in line with the phased approach outlined above.<br />
Where a member of staff is not improving or repeat errors are identified, consideration<br />
should be given to putting in place a formal Personal Improvement Plan and identifying training needs<br />
in conjunction with their line manager.<br />
QC & QA Checklist<br />
8.2.7 The QC & QA checks must include the following as a minimum:<br />
- Check of ID&V documentation and information recorded/held on the customer’s file or record to<br />
ensure it meets with ID&V requirements as defined in the ID&V matrix and Country procedures.<br />
- Check of <strong>CDD</strong> (KYC information) including any EDD to ensure the information completed is correct,<br />
makes sense and that no fields have been left blank or have non meaningful data completed.<br />
8.2.8 Check of any additional supporting information that is provided relevant to the <strong>CDD</strong>/EDD e.g. evidence of<br />
source of wealth for a high risk customer or source of funds validation for accounts to be funded with<br />
cash, etc. A standard baseline checklist has been developed for <strong>RBWM</strong> globally and must be used to<br />
ensure consistency of testing and reporting of errors identified among monitoring staff, across different<br />
monitoring reviews and over a period of time (See Appendix A for checklist). It also allows for any errors<br />
identified to be consistently categorised.<br />
8.2.9 Tasks / results recorded on the checklist should be structured so as to determine whether the business<br />
processes and controls effectively manage regulatory compliance risk; for example, that minimum ID&V<br />
requirements are captured.<br />
8.2.10 The global baseline checklist will be reviewed regularly (at least on an annual basis) by <strong>RBWM</strong> <strong>CDD</strong> AML<br />
<strong>CDD</strong> Standards, Global Standards. Variations to the baseline checklist, with input from the respective in<br />
country FCC team, will be required to ensure that it remains relevant to the underlying regulation and<br />
associated business processes and controls. These variances should be logged and approved with<br />
Country FCC and captured within the <strong>LoBP</strong> Addenda.<br />
Findings<br />
A feedback process must be established for both QC & QA functions to ensure that staff are provided<br />
with details of any errors identified in their work.<br />
Whilst responsibility for remediating the finding may rest elsewhere, the staff member who committed<br />
the error must be notified of it to ensure they can learn from this and understand the mistake that was<br />
made and how to avoid this in the future.<br />
Findings should be categorised as ‘Regulatory’, ‘Policy and Procedural’ and ‘Administrative Error’ to<br />
provide a distinction and allow for differentiation in consequence management. From a Reporting & MI<br />
perspective these will be captured as Material and Non-Material errors.<br />
- Material = Regulatory & Policy and Procedural Errors<br />
- Non-Material = Administrative Error<br />
A Regulatory Error is defined as any deficiency in the Customer profile or supporting documentation<br />
that may put HSBC at regulatory risk from an AML/KYC perspective. For example, opening an account<br />
for a sanctioned entity.<br />
A Policy and Procedural Error is defined as any deficiency in the Customer Profile that does not meet<br />
HSBC Policy and <strong>RBWM</strong> <strong>CDD</strong> LOBP requirements. For example, not performing a Negative News<br />
search.<br />
The scoring methodology should be consistent between QC & QA to ensure it accurately reflects the<br />
position across both functions. A profile is considered to be a ‘fail’ when the score of the profile review<br />
is
various <strong>CDD</strong> processes. The production of MI must be provided based on a consistent approach between<br />
QC & QA to ensure it accurately reflects the position across both functions. MI reporting should include<br />
numerical data, supporting narratives, and clear action plans where required.<br />
8.2.18 MI metrics must also be reported in line with the Global Financial Crime Compliance (FCC) Risk Appetite<br />
Framework (RAF), which in turn is aligned to the FCC Risk Appetite Statement (RAS) reporting.<br />
8.2.19 Key <strong>CDD</strong>-related QC and QA metrics must include:<br />
- MI data segmented between New to Bank, Remediation and Reviews;<br />
- Number of profiles sampled & percentage of profiles;<br />
- Ratio utilized between low, medium, high risk and SCC customers, as appropriate;<br />
- Numbers of errors identified;<br />
- Number of profiles that fail according to the materiality of the error. Clearly state the total number of<br />
errors identified during the review period as well as separate figures to show the number of:<br />
o Regulatory Errors;<br />
o Policy and Procedural Errors; and<br />
o Administrative Errors.<br />
- Number of profiles that fail due to multiple non-material errors;<br />
- Trending analysis with supporting narratives, particularly where there is a downward or consistent<br />
negative trend. A broad snapshot of the number of profiles completed and the level of successful<br />
profiles at operational area. This should include but is not limited to:<br />
o The concern areas - Top Regulatory & Policy Procedural errors for the month<br />
o Number of Regulatory, Policy & Procedural and Administrative errors<br />
o Number of Data Quality, KYC and ID&V errors<br />
o Root cause analysis of errors identified<br />
o Trend analysis captured and reported<br />
o Recommendations to improve quality of <strong>CDD</strong> onboarding or periodic review process<br />
o Feedback to training team to enable continuous improvement<br />
o Remediation Status of the profiles including breaches of the 60 days without resolution<br />
The MI report must cover a 12 month rolling period to ensure that any emerging trends can be<br />
identified. The MI must also show how many Regulatory and Policy and Procedural errors recorded<br />
each month are still to be remediated.<br />
8.2.20 The results must also be reported to the Regional <strong>RBWM</strong> FCC team for consolidation into a Regional<br />
report and onward submission to the Global <strong>RBWM</strong> FCC team.<br />
8.2.21 The KRIs shown below must be utilised. Where the KRI is anything other than ‘Green’, an explanation<br />
should be given as to the root cause and the action being taken to address the negative trend.<br />
8.2.22 If a Country reports ‘amber’ or ‘red’ QC/QA results for 3 consecutive months,<br />
this must be escalated to Regional <strong>RBWM</strong> FCC for consideration to be given to increasing the sample<br />
size for that Country until compliance rates show a sustained level of improvement.<br />
Error rate observed in sample: RAG<br />
3% or below: Green<br />
More than 3% but less than 5%: Amber<br />
5% or above 21: Red<br />
21<br />
A Failure Rate of 6.4% would make the operational area Red as it is outside the Risk Tolerance level of 5%, based on the RAS01 metric as of<br />
March <strong>2016</strong>.<br />
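The sampling minima in 8.2.5 and the RAG thresholds and three-consecutive-month escalation rule in 8.2.21 to 8.2.22, expressed as a small Python helper. This is an added example and not part of the LoBP or of any HSBC system; the six-month history and the sample counts are constructed, and sampling the whole population when fewer than 10 new accounts exist is an assumption the text does not state.

```python
"""QC/QA KRI helper for the sampling minima in 8.2.5 and the RAG and
escalation rules in 8.2.21-8.2.22. Added illustration, not part of the LoBP
or of any HSBC system; all figures below are constructed."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Union

# 8.2.22 RAG table: 3% or below is Green, 5% or above is Red (footnote 21).
GREEN_MAX = Fraction(3, 100)
RED_MIN = Fraction(5, 100)
# 8.2.22: three consecutive Amber/Red months are escalated to Regional RBWM FCC.
ESCALATION_MONTHS = 3


def _ceil_pct(population: int, pct: int) -> int:
    """Integer ceiling of pct% of population, without float rounding."""
    return -(-population * pct // 100)


def minimum_sample_sizes(new_accounts: int, ntb_high_risk_scc: int,
                         high_risk_scc_reviews: int, medium_reviews: int,
                         event_driven_reviews: int) -> Dict[str, int]:
    """Minimum monthly QC sample per population (8.2.5 and its table).

    Assumption not stated in the text: if fewer than 10 new accounts were
    opened, the whole population is sampled, since 'minimum 10' cannot be
    met with the accounts that exist.
    """
    return {
        # 10% (minimum 10) of all new accounts opened in the month
        "new_accounts": min(new_accounts, max(10, _ceil_pct(new_accounts, 10))),
        # the complete set of NTB high risk and SCC relationships
        "ntb_high_risk_scc": ntb_high_risk_scc,
        # 20% of High Risk and SCC periodic reviews
        "high_risk_scc_reviews": _ceil_pct(high_risk_scc_reviews, 20),
        # 10% of Medium Risk periodic reviews
        "medium_reviews": _ceil_pct(medium_reviews, 10),
        # 10% of Event Driven reviews
        "event_driven_reviews": _ceil_pct(event_driven_reviews, 10),
    }


def rag_for_error_rate(rate: Union[Fraction, float]) -> str:
    """Map an observed sample error rate (a fraction, not a percent) to RAG.

    A float is converted through its decimal string so that 0.03 lands
    exactly on the 3% boundary rather than a hair below it.
    """
    exact = rate if isinstance(rate, Fraction) else Fraction(str(rate))
    if exact < 0 or exact > 1:
        raise ValueError("error rate must be between 0 and 1")
    if exact <= GREEN_MAX:
        return "Green"
    if exact < RED_MIN:
        return "Amber"
    return "Red"


@dataclass(frozen=True)
class MonthlyQcResult:
    month: str             # reporting month label, e.g. "2016-03"
    profiles_sampled: int  # profiles reviewed by QC/QA in the month
    profiles_failed: int   # profiles scored as a 'fail'

    def error_rate(self) -> Fraction:
        if self.profiles_sampled <= 0:
            raise ValueError("no sampled profiles, so no error rate")
        return Fraction(self.profiles_failed, self.profiles_sampled)

    def rag(self) -> str:
        return rag_for_error_rate(self.error_rate())


def months_requiring_escalation(history: List[MonthlyQcResult]) -> List[str]:
    """Months at which the 8.2.22 trigger fires: Amber or Red has been
    reported for ESCALATION_MONTHS consecutive months. A Green month resets
    the run, so a later run of three is reported again."""
    streak = 0
    flagged: List[str] = []
    for result in history:
        if result.rag() == "Green":
            streak = 0
            continue
        streak += 1
        if streak >= ESCALATION_MONTHS:
            flagged.append(result.month)
    return flagged


# Constructed six-month history for one operational area (not real MI).
CONSTRUCTED_HISTORY = [
    MonthlyQcResult("2016-01", 50, 1),  # 2%  Green
    MonthlyQcResult("2016-02", 50, 2),  # 4%  Amber, streak 1
    MonthlyQcResult("2016-03", 50, 3),  # 6%  Red, streak 2
    MonthlyQcResult("2016-04", 50, 2),  # 4%  Amber, streak 3: escalate
    MonthlyQcResult("2016-05", 50, 1),  # 2%  Green, run resets
    MonthlyQcResult("2016-06", 50, 4),  # 8%  Red, streak 1
]
```

Running `months_requiring_escalation(CONSTRUCTED_HISTORY)` flags only 2016-04, and the footnote's 6.4% failure rate maps to Red through `rag_for_error_rate(0.064)`.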
8.3 KYC Quality Analysis<br />
8.3.1 First Line of Defence, the Business, must perform regular analysis to establish overall quality of KYC, using<br />
existing data sources, including but not limited to, BRCM reviews, Audit findings and Compliance Testing.<br />
This will typically be coordinated on a Regional basis.<br />
8.3.2 Thematic deficiencies must be identified, with interventions scheduled and tracked to address improvement<br />
areas.<br />
8.3.3 The findings of analysis and proposed interventions must be reported to Regional and then Global RMC on<br />
a quarterly basis. Progress against agreed interventions must be reported monthly at Regional RMC.<br />
8.3.4 Further guidance on the approach to be used is documented in the KYC Quality Continuous Improvement<br />
Cycle in appendix B.<br />
8.4 Quality Assurance – Compliance / Second Line of Defence<br />
8.4.1 The QA performed by Compliance / Second Line of Defence on the First Line of Defence is documented in<br />
the Group Risk Compliance FIM B2.1.3.1 Financial Crime Compliance Monitoring & Testing. Please refer to<br />
the Procedural Standard for Monitoring and Testing for additional information.<br />
Appendix A – Quality Control & Quality Assurance Checklist<br />
<strong>RBWM</strong> QC & QA<br />
Goldcopy Checklist v1.3<br />
BRQA Framework<br />
Document <strong>RBWM</strong> Ver 1.0.doc<br />
Appendix B - KYC Quality Continuous Improvement Cycle<br />
9. Customer Data Management, Verification Requirements<br />
and Key Risk Indicators & Management Information<br />
Key Objective(s)<br />
To maintain an audit trail concerning Customer Due Diligence, as evidence of<br />
compliance with legal and regulatory obligations, and to assist in any financial<br />
investigation conducted by law enforcement.<br />
To obtain and verify the appropriate <strong>CDD</strong> documentation in accordance with<br />
legal and regulatory obligations.<br />
To report to Business and Compliance executives, providing them with the<br />
necessary information to take appropriate action in the prevention of Financial<br />
Crime and to fulfill their regulatory obligations.<br />
How will the Objective(s) be achieved?<br />
An effective data management framework must be adhered to with respect to<br />
data sharing, documentation storage and retention of documents. The<br />
framework must be consistent across the business based on the standards<br />
outlined in this document.<br />
Minimum requirements for verification documentation to be obtained as part of<br />
the <strong>CDD</strong> process must be established. These standards must address where<br />
non-approved documentation (including documentation in a non-local language)<br />
is obtained and where discrepancies are identified in the documentation<br />
obtained.<br />
Key Risk Indicators (KRIs) and Management Information (MI) must be reported<br />
on a periodic basis and be relevant and of sufficient detail to provide meaningful<br />
and actionable analysis.<br />
Scope of Chapter<br />
9.1 Introduction<br />
9.2 Customer Data Management<br />
9.3 Verification Requirements<br />
9.4 Discrepancies to ID&V<br />
9.5 ID&V Related Provisions<br />
9.6 Key Risk Indicators & Management Information<br />
Related Chapters<br />
<strong>CDD</strong> Risk Acceptance<br />
Governance<br />
Other Related Documents and <strong>Process</strong>es<br />
HTS FIM – B 6.2 Records Retention<br />
Risk FIM – B.10 Information Security Risk<br />
Compliance FIM - B2.4.5 Privacy, Data Protection and Cross-Border Data<br />
Transfer<br />
9.1 Introduction<br />
9.1.1 Within the parameters of what is legally permissible, an effective data management framework must be<br />
adhered to with respect to data sharing, documentation storage and retention. This chapter provides further<br />
guidance on these requirements as well as the verification of documents, key risk indicators and<br />
management information.<br />
9.2 Customer Data Management<br />
9.2.1 The <strong>CDD</strong> process requires Customer data to be collected and shared for risk management and Customer<br />
service purposes. As a result, it is important that regulatory legislation, both on a global and country level,<br />
is adhered to with respect to:<br />
(i) data sharing (including data transfer, processing, data storage and outsourcing)<br />
(ii) data protection<br />
(iii) bank secrecy<br />
(iv) other specific legislation governing data 22<br />
9.2.2 Any country or global procedures or regulatory guidance that conflict with Group policies on information<br />
sharing, privacy and protection must be approved by Legal.<br />
Data Retention<br />
9.2.3 All documentation obtained to support the <strong>CDD</strong> Profile must be retained in accordance with the HTS FIM<br />
B.6.2 Records Retention.<br />
Storage Methods<br />
9.2.4 Group requirements for records management are defined in the Knowledge Management FIM (B 6.2<br />
Records Retention).<br />
9.2.5 The methods for retaining and storing required <strong>CDD</strong> information and documentation will depend on HSBC’s<br />
global <strong>CDD</strong> suite of systems.<br />
9.2.6 The overarching global requirement is that all <strong>CDD</strong> information and documentation is readily accessible and<br />
retrievable e.g. for AML programme purposes or in the case of a law enforcement or regulatory request.<br />
Unless physical documents are required, the preferred method of storage is electronic.<br />
9.2.7 Minimum identification information required to be captured in relation to the Customer and Connected Parties<br />
must be recorded in the applicable <strong>RBWM</strong> system in order to facilitate automated sanctions screening. Refer<br />
to the Global Risk FIM Customer Sanctions Screening Sanctions B2.19.5 for details of the minimum screening<br />
requirements.<br />
9.3 Verification Requirements<br />
ID&V Definitions<br />
9.3.1 For the purpose of identification and verification of customers, identification, verification and validation have<br />
been defined below:<br />
- Identification - identifying who the Customer and Connected Parties are by gathering information<br />
about their identity from the Customer, RM or publicly available sources<br />
- Verification - verifying some or all of the identity information gathered using reliable and<br />
independent documentary and/or electronic sources<br />
- Validation – describes the process of corroborating (i.e. supporting with evidence) KYC<br />
information.<br />
9.3.2 The Customer specific verification information requirements are documented in the ID&V Section within the<br />
Customer Type Procedures e.g. the number and type of documentary sources.<br />
22<br />
Group requirements for data sharing are outlined within the Compliance FIM B2.4.5 Privacy, Data Protection and Cross-Border Data Transfer<br />
9.3.3 Where entities are in the process of being formed and draft documents are used to evidence the existence<br />
of the entity, this must follow the <strong>CDD</strong> Risk Acceptance <strong>Process</strong>. Please see the <strong>CDD</strong> Risk Acceptance<br />
Chapter for additional information. The final documents must be obtained on a timely basis in accordance<br />
with the Risk Acceptance granted.<br />
9.3.4 The lists of ID&V sources e.g. Documentary sources, Electronic sources, Business Information (third party)<br />
sources and Independent sources as noted in the Global ID&V Matrix must be adapted to the local<br />
jurisdictional requirements, for instance based on common law and civil law requirements, and must be<br />
equivalent to the standard documents described in the Global ID&V Matrices. Country FCC must ensure<br />
that the local ID&V matrix is reviewed on an annual basis.<br />
9.3.5 Please refer to the Governance Chapter for specific roles and responsibilities relating to the maintenance<br />
and approval of the localised lists of ID&V sources.<br />
9.3.6 Requests to use ID&V sources outside of the localised list of ID&V sources on a one-off basis must be<br />
treated as a Risk Acceptance. Please refer to the <strong>CDD</strong> Risk Acceptance Chapter.<br />
Documentary Sources, Approved Electronic Sources and Sources from Approved Third<br />
Party Vendors<br />
9.3.7 The following outlines the high level classification of Documentary Sources, Electronic Sources, Business<br />
Information and Public Sources. Please refer to the specific Customer Type ID&V Matrices for acceptable<br />
documents for each Customer Type where the below sources can be used.<br />
Documentary Primary & Secondary Sources<br />
Primary Sources:<br />
For an Individual, Primary sources are documents issued by governments that contain a photograph<br />
or other safeguard such as an identification number or a date of birth (e.g. passport, driver’s license,<br />
national ID cards, or other government-issued identity document).<br />
For Entities, this would include documents that evidence the legal existence of a Corporation,<br />
Partnership, Trust, Limited Liability Company or other entity (e.g. Articles of Incorporation or a Trust<br />
Deed).<br />
Primary Documents must be current at the time of initial review / collection, i.e. unexpired.<br />
Secondary Sources:<br />
Secondary sources include other original government or local government-issued documents,<br />
certified/notarised documents or documents issued by public utilities. Secondary documents also<br />
include documents issued by recognised financial institutions and, in some cases, universities or<br />
employers. The utilisation of employers’ letters needs to be considered on a country by country basis<br />
and documented in the Country ID&V Matrix following approval from Country FCC.<br />
Secondary Documents must be of recent date (please refer to the ID&V Matrices for specific<br />
timeframes regarding the relevant documents for each Customer Type).<br />
Electronic Sources<br />
Electronic Sources are used to verify the Customer’s or Connected Parties’ identity independently,<br />
i.e. a comparison of information provided by the Customer with information obtained from credible<br />
and reliable external sources (e.g. Credit Bureau Records).<br />
Business Information (third party) Sources<br />
Identification, Verification and Validation may be completed through Country FCC-approved third<br />
party data providers (e.g. LexisNexis, Bloomberg). Please refer to the ID&V Matrices for approved<br />
ID&V sources for each Customer Type.<br />
Public Sources<br />
Identification, Verification and Validation may be completed through public sources other than<br />
approved business information sources (e.g. documents held in the public domain such as audited<br />
financials published on a company website).<br />
9.4 Discrepancies to ID&V<br />
9.4.1 Once the identity of a Customer has been verified satisfactorily, there is no obligation to re-verify identity<br />
(unless doubts arise as to the authenticity or adequacy of the evidence previously obtained for the purposes<br />
of Customer identification or as a result of a Trigger Event or Periodic Review e.g. name change) even if the<br />
documentation used to verify the Customer has expired.<br />
9.4.2 In the course of the ID&V process, discrepancies may arise between the information obtained from the<br />
Customer and the information that is obtained from reliable and independent approved sources. When there<br />
are doubts as to the authenticity of the document / information, consideration must be given to verifying the<br />
authenticity of the document with its issuer.<br />
9.4.3 All discrepancies must be investigated and, where possible, resolved by:<br />
a) Confirming that the information received from the Customer is correct and/or<br />
b) Obtaining additional sources to verify the information<br />
9.4.4 Where the Business cannot resolve a discrepancy in ID&V, it must escalate to FCC.<br />
9.4.5 A complete record of any discrepancies, together with any actions taken to resolve each discrepancy and<br />
approvals obtained must be maintained in accordance with the HTS FIM B 6.2 Records Retention.<br />
9.4.6 Concerns regarding the authenticity of a document must be escalated to Fraud who will communicate with<br />
FCC as appropriate. A concern may warrant a UAR to be raised, as deemed appropriate by the Business.<br />
For UAR procedural standards refer to the UAR Procedural Standard.<br />
9.5 ID&V Related Provisions<br />
Minimum requirements for certification and reliance on non-local language documents<br />
9.5.1 Where ID&V documents are in a language other than those approved for business use within the local jurisdiction (non-local languages), they require certification according to the process outlined below.<br />
9.5.2 Non-local language documents may be relied upon to satisfy CDD requirements; a word-for-word translation of the document is not necessary, unless required under local regulations.<br />
9.5.3 To be reasonably satisfied that the non-local language document provides evidence of the Customer’s identity (or other parties being identified), and/or fulfils the purpose required for CDD, a set of minimum information requirements must be documented which include:<br />
a) The name, the type of document, issuer and, if applicable, the expiration date and the date of issue<br />
b) The purpose and function of the document in the CDD process<br />
c) The specific contents of the document that are material to its purpose and function in the CDD process and details of any restrictions<br />
d) Signed certification from the person reviewing the document(s) that they are fluent to business proficiency in the document’s language. Where there are any doubts concerning the legal language within the document, this must be escalated to Legal or FCC.<br />
9.5.4 Translations and certifications as noted above must be retained with the source document.<br />
9.5.5 Within RBWM, certification may be performed by employees who have appropriate training to undertake the task and who are fluent in the relevant language, or who have sufficient knowledge of the document to confirm that it meets requirements. RBWM’s default position is for the cost of translation to be borne by the Customer. However, the overall commercial situation of the Customer should be considered.<br />
9.5.6 The Risk FIM B.10 Information Security Risk governs Information Security, including the use of translation websites for non-public information. Specifically, anything other than public information concerning our Customers should not be translated using online translation sites. Public information is information that is in the public domain and as such is common knowledge in the market. Examples of non-public information include any information related to a confidential transaction or subject to a confidentiality agreement.<br />
Technological Limitations and Legible Copies<br />
9.5.7 Every effort should be made to obtain legible copies of all documents required.<br />
9.5.8 In instances where copies of documents are difficult to read, for example, on the rare occasion where a<br />
scanning process has made a document difficult to read, and re-scanning the document does not improve<br />
the position or is not possible, it is permissible for the Business to transcribe the CDD data manually on the<br />
INTERNAL<br />
Page | 73
copy of the document or on a separate attached sheet. Where information is transcribed, this must be<br />
performed with the original document at the time it is obtained. The staff completing this process must<br />
provide their name, staff number and signature. In certain cases and dependent on the channel of<br />
onboarding (e.g. non face-to-face), it may be necessary to contact the Customer for copies of legible<br />
documentation.<br />
9.6 Key Risk Indicators and Management Information (“KRIs & MI”)<br />
9.6.1 Identification, measurement and reporting of KRIs and MI on the CDD Process provides Business, Compliance, and Management with data, trends, analysis and risk indicators required to assess the effectiveness of Financial Crime Risk Management controls within the organisation and analyse and manage the performance of the CDD process on an on-going basis.<br />
9.6.2 It is the responsibility of the Business to provide KRI and MI reporting as required to manage the financial crime risk of their business. Additionally, KRIs and MI may be required from Group Functions or for regulatory reporting.<br />
9.6.3 Reporting must reflect risk related MI as well as operational / process performance MI.<br />
9.6.4 KRI and MI reporting may be Global, Regional, Country and by Line of Business.<br />
9.6.5 KRIs and MI must be captured in sufficient detail to allow for meaningful review by the Business, Compliance, and Management.<br />
PLACEHOLDER<br />
Global RBWM and FCC will define in conjunction with Global AML the minimum set of KPI and MI requirements that countries must produce.<br />
An Appendix to the chapter will be added once the minimum requirements have been approved.<br />
10. Restricted and Prohibited Customers, Special Categories of Customer (SCCs) and Prohibited Products<br />
Key Objective(s): To identify, assess and mitigate the risks associated with specific customer relationships, which pose a higher risk of exposure to Financial Crime.<br />
How will the Objective(s) be achieved? By defining Prohibited Customers; Restricted Customers, including Special Categories of Customers; High Risk customers and the related procedures, assessment criteria, approvals and other considerations required for these types of Customers.<br />
Scope of Chapter:<br />
10.1 Introduction<br />
10.2 Special Categories of Customer (SCC)<br />
10.3 Prohibited & Restricted Customers<br />
10.4 High Risk Business Types<br />
Related Chapters:<br />
Politically Exposed Persons (PEPs)<br />
Approvals<br />
Periodic and Event-Driven Reviews<br />
Other Related Documents and Processes:<br />
Global Sanctions Policy<br />
Client Selection and Exit Management (CSEM) Policy<br />
Reputational Risk and Client Selection Committee (RRCSC)<br />
AML Policy FIM B.2.17.8 – Prohibited Customers, Restricted Customers and Prohibited Accounts & Services<br />
AML Policy FIM B.2.17.9 - Special Categories of Customer (SCC)<br />
Transaction Monitoring<br />
10.1 Introduction<br />
10.1.1 Different customer types pose different inherent levels of financial crime risk to HSBC. The main way that<br />
these risks are identified and managed is through the Financial Crime Customer Risk Assessment Model<br />
(FCC-RAM), which allocates a Financial Crime Risk Rating (FCRR) to each customer of either Low<br />
(sometimes referred to as Standard), Medium or High within RBWM. These risk ratings then dictate the<br />
level of Customer Due Diligence (CDD) requirements that need to be applied.<br />
10.1.2 However, there are certain customer types that are more vulnerable to significant financial crime. To help the bank manage the risk, these customer types are therefore:<br />
a) Prohibited Customers - Certain entities or types of individual are Prohibited. This is driven by regulations. HSBC will not provide products or services to these customers.<br />
b) Restricted Customers – Certain customer types are restricted due to vulnerability to significant financial crime risk. HSBC has a reduced risk appetite for Restricted Customers and they can only be onboarded or retained where comprehensive controls are in place (see footnote 23), which are proportionate to the nature, scale and complexity of the money laundering or other financial crime risks associated with the Customer; and that the Customer is:<br />
• Legally permissible by Local regulations;<br />
• Classified as Special Category of Customer (SCC) and subject to an increased level of ongoing scrutiny and approval; including<br />
• Approval by the appropriate Reputational Risk Client Selection Committee (RRCSC); and<br />
• Tracked in a SCC Register that is made accessible to the appropriate AML Office, where legally permissible.<br />
10.1.3 Special Categories of Customer (SCC) – Specific types of customers are deemed to pose an inherently high risk of exposure to financial crime owing to the type or nature of their role or business. These types of customers are categorised under the term SCC. Restricted customers that are retained or maintained by permanent exception are also considered as SCC.<br />
10.1.4 High Risk Business Types – There are a number of customers that have inherent financial crime risks, which need to be considered during the onboarding and review processes; however, those risks are not prohibitive and do not require the same level of additional CDD requirements that are applied to Restricted or SCC Customers. The risk posed by these customers needs to be considered in light of the CDD gathered: for example, given the business type, does the nature of business and purpose of account appear consistent, and does the source of wealth make sense?<br />
10.1.5 The Global AML Policy and AML Procedure provides the minimum requirements for managing the<br />
financial crime risk posed by the above Customers. These procedures provide further guidance on the<br />
treatment of such customers and should be read in conjunction with the Global AML Policy and applicable<br />
Customer Type Procedures.<br />
10.1.6 Prohibited Accounts and Services - This Procedure also outlines the Accounts and Services prohibited as indicated by HSBC’s Global AML Policy.<br />
10.1.7 Certain Accounts and Services (referred to collectively as Products) are prohibited from being offered by<br />
HSBC to its customers. These products are prohibited because they are outside of the bank’s risk appetite<br />
given the level of money laundering risk they pose and the lack of appropriate and/or proportional controls<br />
available to mitigate those risks.<br />
10.1.8 See Appendix D for a list of Prohibited Products.<br />
10.1.9 The provision of Hold Mail Accounts is also prohibited by the Global AML Policy. A Hold Mail Account is one where the customer has instructed all documentation related to the account to be held on their behalf until collection and/or where the customer uses an HSBC location as their mailing address. Where Hold Mail Accounts are identified, countries must take steps to ensure that an appropriate correspondence address is on file for the customer and that all relevant documentation is sent to this address. If the customer refuses to provide a correspondence address or declines to receive documentation at this address, then RBWM must proceed with exiting the relationship through the Client Selection and Exit Management Process.<br />
Footnote 23: Comprehensive Controls are required by both the Customer and by the Business Unit maintaining the relationship.<br />
10.1.10 Some countries may have additional regulatory requirements to restrict or prohibit certain types of customers. These categories must be recorded and approved in Country AML Addenda and Variance Log. Refer to the AML Governance Procedure for further information.<br />
RBWM can identify additional Restricted Customer and/or SCC categories. These must be recorded and approved in RBWM LoBPs and Variance Log. Refer to the AML Governance Procedure for further information.<br />
Identifying Impacted Customers<br />
10.1.11 Customers can be identified as Prohibited, Restricted, SCC or other High Risk Business Type, based on information gathered through the CDD Processes at on-boarding, or during a Periodic or Event-based Review.<br />
10.1.12 Over the course of the CDD process, information may be identified that automatically makes the customer Restricted (e.g. an entity which operates as a money service business), Prohibited (e.g. an individual who was previously exited for AML reasons) or SCC (e.g. a PEP).<br />
10.2 Special Categories of Customer (SCC)<br />
Identification of SCCs<br />
10.2.1 The SCC designation overrides the Customer’s FCC-RAM derived risk rating, forcing a higher risk<br />
designation and additional controls (e.g. EDD) to manage the risk. See Appendix B for the SCC<br />
designated categories.<br />
10.2.2 SCCs must be assigned to a named Relationship Manager. Where a relationship management team is in place and is to be used rather than a named Relationship Manager, this is possible but should be approved by RBWM Regional FCC.<br />
10.2.3 SCCs are subject to:<br />
• Enhanced Due Diligence (EDD) in addition to the Identification and Verification (ID&V) and Know Your Customer (KYC) requirements as determined by the relevant Customer Type CDD Procedures. Please note, if EDD is required after the customer has already been through the approval process, then that EDD must be completed and the customer resubmitted through the approval process. Please refer to Chapter 3 in the RBWM CDD Customer LoBP.<br />
• Annual periodic review. Please refer to the Periodic and Event Driven Review Chapter.<br />
• Ongoing monitoring controls.<br />
10.2.4 If a customer meets more than one SCC category, e.g. a PEP with a known material level of exposure to a Sensitive/Sanctioned country, then the EDD requirements for each SCC categorisation must be completed and each SCC category recorded on the customer profile in the appropriate system and/or on the SCC Register where legally permissible (see footnote 24).<br />
10.2.5 When determining if an Entity is SCC, the Business should also consider whether part of the Entity’s Nature of Business has a link to a SCC category. In these cases, consideration should be given to whether the SCC-related activity is material (e.g. generates a material amount of revenue) and therefore should be categorised as an SCC to ensure the potential risk is managed appropriately. Examples include:<br />
• Some travel agencies also operate as currency dealers or exchangers, which could make the customer a money service business (MSB). See the MSB CDD Chapter for further guidance.<br />
• Companies manufacturing/supplying part components for Arms purposes, e.g. components of hand guns.<br />
• Businesses that have gambling machines on their premises, which are additional to their overall Nature of Business (e.g. recreational vehicle/caravan parks or gas stations); or where a gambling license is included as part of another license (e.g. an off-license or cinema); etc. See the Gambling CDD Chapter for further guidance.<br />
10.2.6 If the classification of a customer as SCC is uncertain, please refer to local RBWM FCC in the first instance.<br />
Footnote 24: There may be exceptions to this, for example where there is a PEP and GSB connection. See the respective Customer Type CDD Chapters for further guidance.<br />
SCC Approvals<br />
10.2.7 SCC Customers must go through the following minimum Approval stages at on-boarding and periodic and<br />
event-based review:<br />
a) The Preparer (where distinct from Business Owner);<br />
b) Business Owner;<br />
c) Business Management; and<br />
d) FCC Concurrence - once the business has approved, it must be submitted to FCC for consideration<br />
of the financial crime risk posed and the extent that the risk has been assessed and managed.<br />
e) Certain SCC categories may require additional approval requirements. Please refer to the relevant Customer Type CDD Chapter, which are noted in Appendix 2, for further information.<br />
SCC Register<br />
10.2.8 A Register of current SCCs must be maintained at a country level. It must be managed by the Business.<br />
10.2.9 The Register must be accessible by the applicable Country AML Office and Country LoB FCC, and by the<br />
Regional AML Office (where possible given local data sharing restrictions).<br />
10.2.10 Management Information (MI) taken from the Registers must also be made available to the respective<br />
Regional AML Office, the Global AML Office and Global Line of Business AML teams when requested (as<br />
possible given local data sharing restrictions).<br />
10.2.11 While RBWM Regions may choose to increase the information required to be escalated within MI, the following data points must be captured at a minimum (as applicable):<br />
• SCC Category<br />
• Unique Identifier (CIN)<br />
• Region<br />
• Country<br />
• HSBC Legal Entity<br />
• Country of Incorporation/Establishment<br />
• Country of Business Address of Legal Entity<br />
• Country of Residential Address<br />
• Country of Nationality<br />
• Country of Political Exposure (where PEP holds Office)<br />
• Highest Risk PEP (Y/N)<br />
SCC Classification across Organisational Groups – RBB only<br />
10.2.12 Where a subsidiary or Parent is classified as SCC, other companies within the group do not automatically need to be classified as SCC. The reason for the SCC categorisation should be assessed for those other group entities, and:<br />
• If the SCC category directly impacts the other entity, they must also be categorised as SCC and subject to the requirements outlined in this procedure. For example, subsidiary 1 has an Ultimate Beneficial Owner (UBO) who is a PEP; that PEP is also a UBO of subsidiary 2.<br />
• If the SCC categorisation is not applicable, then that entity should be risk rated separately, as per the FCC-RAM. The subsequent CDD will be based on that risk rating. Please note that it is possible for the other entity to be subject to a different SCC categorisation. For example, subsidiary 1 has a PEP as a UBO, making it SCC02. The PEP does not have any ownership over subsidiary 2 in that group. However, subsidiary 2 has a material level of exposure to a sensitive sanctioned country, making it SCC11.<br />
10.2.13 Where an entity is classified as SCC, a branch of that entity may also be classified as SCC since the<br />
branch is legally part of the entity. However, this can also be assessed on a case-by-case basis where<br />
the nature of business and control of each branch is materially independent.<br />
Removal of SCC Categorisation<br />
10.2.14 Local FCC must provide concurrence on the removal of the SCC categorisation. Once the concurrence is provided, the SCC category recorded on the customer profile may be removed and the customer removed from the SCC Register.<br />
10.2.15 For the removal of SCC Categorisation for PEPs (SCC 01), PEP Associates or Connected persons,<br />
Corporate PEPs (SCC 02), please refer to the PEP Chapter for further guidance.<br />
10.3 Identification of Prohibited & Restricted Customers<br />
Prohibited Customers<br />
10.3.1 Based on information gathered over the course of CDD Processes, it may be determined that the Customer is a Prohibited Customer as defined in Section 4 of the Global AML Policy or in the Customer Type CDD Procedures.<br />
10.3.2 If a Prohibited Customer is identified, the on-boarding or CDD Periodic or Event-based review should be suspended. RBWM Business must proceed with exiting the relationship through the Client Selection and Exit Management (CSEM) Process. The Customer may also warrant escalation through the UAR process where the nature of the change or activity could be considered unusual from a financial crime perspective given the change in profile behaviour. See Appendix A for a list of Prohibited Customer Types.<br />
Restricted Customers<br />
10.3.3 If a Restricted Customer is identified, comprehensive controls must be in place, which are proportionate to the nature, scale and complexities of the money laundering risks associated with the customer, in order to onboard or retain the customer. If the proper controls (see footnote 25) are established with both the Customer and the Business area maintaining the relationship, the customer may be on-boarded or retained once the appropriate controls are in place. Where retained or onboarded, Restricted Customers must be classified as SCC. See Appendix B for the list of SCC Categories and section 10.3 for further information on SCCs.<br />
10.3.4 Individuals that have an identified material financial ownership (e.g. 10% or above), close association or otherwise assert control over an entity that, if it were a Customer, would be a Restricted Customer, must also be considered a Restricted Customer (see SCC 12).<br />
Footnote 25: Consideration should be given to controls outlined in the various CDD Chapters, some of which are focused on the specific customer types, plus the approvals outlined in this section and the requirements outlined in the SCC section below.<br />
Restricted Customer Approvals<br />
10.3.5 Restricted Customers must go through the following minimum Approval stages at on-boarding and periodic and event-based review:<br />
• The Preparer (where distinct from Business Owner);<br />
• Business Owner;<br />
• Business Management; and<br />
• FCC Concurrence - once the business has approved, it must be submitted to Local FCC for consideration of the financial crime risk posed and the extent that the risk has been assessed and managed.<br />
• At on-boarding, or where newly discovered only: Where the customer has gone through the approval process and the decision is made to on-board or retain the Restricted Customer, further approval is required from the appropriate Reputational Risk and Client Selection Committee (RRCSC).<br />
The following types of customers are restricted:<br />
Restricted customer type | Where retained or onboarded – applicable SCC Category<br />
Money Services Businesses (MSBs), i.e. licensed and/or registered companies offering services involving money/currency exchange, money transfer, cheque cashing, and issuing or selling travellers cheques, money orders | SCC 05<br />
Third Party Payment Providers (TPPPs), e.g. companies that provide payment processing services to merchants and other business entities | SCC 05<br />
Issuers/Dealers of Virtual Currency, i.e. companies that provide or trade in a medium of exchange that operates like a currency in some environments but is not issued or backed by a central bank or public authority nor has legal tender status in any jurisdiction | SCC 05<br />
Certain Government and State Owned Body (GSB)/Embassy Relationships | SCC 04<br />
Certain Gaming/Gambling Operations | SCC 06<br />
Certain Customers, mainly pharmaceutical, where a portion of or all of their operations relate to medical marijuana where not prohibited by local law, e.g. U.S. | SCC 09<br />
10.4 High Risk Business Types<br />
10.4.1 High Risk Business Types are customers that pose an additional level of financial crime risk, usually given the nature of their business. For the purpose of this Procedure, these types of business are separate to the SCC categories. However, please note that some parts of the bank may reference some SCCs or Prohibited customer types under the term High Risk Business.<br />
10.4.2 High Risk Business Types are identified to assist the bank in managing the risks that they pose. The bank does this in a number of ways, including:<br />
• FCC-RAM: High Risk Business Types are used by the FCC-RAM as one of the elements that determines the overall FCRR of a customer.<br />
• Enterprise Wide Risk Assessment (EWRA): High Risk Business Types assist the bank in capturing and understanding its financial crime risk exposure, beyond the SCC categories.<br />
10.4.3 The focus in this Procedure is on what the Business should consider from a CDD perspective if a High Risk Business Type customer is identified. The use of High Risk Business Types by the FCC-RAM or EWRA is out of scope.<br />
10.4.4 The level of CDD required for High Risk Business Types is determined by their FCRR. They are not SCC and therefore do not require the additional SCC requirements. However, these types of customer do pose an additional level of risk, and therefore special attention should be on whether, taken collectively, the CDD information gathered makes sense.<br />
10.4.5 When a High Risk Business is identified (regardless of the customer’s FCRR) some considerations include:<br />
• Does the nature of business, purpose of account, Source of Wealth and Source of Funds make business sense when looked at together?<br />
• Is the entity acceptably publicly listed or equivalently regulated? This could give some level of reassurance given the level of disclosure and transparency that would entail.<br />
• Is the customer required to be licensed or registered with an appropriate body, and if so, are they?<br />
• Are they incorporated in or operating out of a Free Trade Zone? Does this make business sense given what is known about the nature of business?<br />
10.4.6 The Approval process for High Risk Business Types (as defined in this Procedure) is as per their FCRR. Please see the CDD Process Chapter 6 on Approvals for further information.<br />
See Appendix C for non-exhaustive examples of High Risk Business Types, including further considerations to assist in managing the risk.<br />
Appendix A – Prohibited Customers<br />
Description | Additional information | Supporting Guidance<br />
Sanctioned Persons, Entities, governments or countries or Entities & Individuals on Internal Watchlists | Individuals or Entities and their Connected Parties or other relevant parties included on the HSBC Global or applicable Local Lists used for Sanctions Screening (e.g. Section 311 of the USA PATRIOT Act). Entities and Individuals that are recorded on internal lists (e.g. Scion or Customers previously exited for Financial Crime) for Financial Crime purposes. | Refer to the Global Sanctions Policy for more information.<br />
Anonymous or Numbered Accounts or customers seeking to maintain an account in an obviously fictitious name | A bank account that has no features identifying its owner |<br />
Customers whose identities are not known or cannot be verified | Where the Customer’s identity is not known or cannot be verified or if the Customer refuses to participate in the required CDD process and provide transparent answers |<br />
Customers exited for financial crime reasons, due to a strong suspicion or direct evidence that criminal activity has taken place, where a criminal offence has been committed and charges have been brought or where there is a suspicion of terrorist financing; or who are on HSBC’s applicable country level list. | Where Customers are known to have been convicted of a financial crime, including money laundering, drug trafficking, human trafficking, terrorism financing, tax evasion, political corruption, sanctions violations; or cause a reasonable basis for suspecting that the potential customer is involved in, or whose wealth / funding comes from, such activities | Refer to Customer Selection and Exit Management (CSEM) Policy<br />
Shell Banks | A “shell bank” is an entity that has no physical existence in the country in which it is incorporated and licensed, and which is unaffiliated with a regulated financial group that is subject to effective consolidated supervision. Physical presence means mind and management located within a country. | See CDD Customer Types Chapter 8 - Banks<br />
Unlicensed/registered non-bank financial institutions (NBFIs), including Unlicensed/registered Money Service Businesses (MSBs). | NBFIs which are not licensed or registered in jurisdictions which require license and/or registration. | See CDD Customer Types Chapter 11 - NBFIs<br />
Certain Gambling Operations | a. Category 2, e.g. remote gambling services; and b. Certain operations under Category 1, e.g. junket operations. | See CDD Customer Types Chapter 16 - Gambling<br />
Any individual or entity prohibited from holding an account by local law outside their home jurisdiction (e.g. certain Politically Exposed Persons) | |<br />
Capable and issued bearer share companies that have not satisfied mitigating controls | | See section 7.4 of Corporates & Partnerships EDD Chapter<br />
Appendix B – Group SCC Categories<br />
# Description Additional information<br />
SCC<br />
01<br />
SCC<br />
02<br />
Politically Exposed Persons (PEPs)<br />
PEP Associates or Connected persons<br />
(includes family members and close<br />
associates)<br />
Corporate PEPs are also classified as<br />
SCC 02.<br />
As a general principle, a PEP is designated as<br />
SCC.<br />
However, after a period of time when a PEP has<br />
left office, PEPs can be declassified from SCC<br />
status, subject to at least the same level of<br />
approval that is required for SCC classification.<br />
They must, however, continue to be denoted as<br />
a PEP.<br />
As above.<br />
A Connected person may also be declassified as<br />
a PEP in situations where the Connected person<br />
becomes disassociated with the PEP, subject to<br />
the same level of approval that is required for<br />
SCC classification.<br />
Supporting<br />
Guidance<br />
See <strong>CDD</strong> Customer<br />
Types Chapter 4 -<br />
PEPs<br />
See <strong>CDD</strong> Customer<br />
Types Chapter 4 -<br />
PEPs<br />
SCC 03<br />
Description: Charities, Not-for-Profit Organisations (NPO), Non-governmental Organisations (NGOs), religious organisations that exhibit high risk characteristics.<br />
Supporting Guidance: See CDD Customer Types Chapter 14 - NPOs<br />
SCC 04<br />
Description: Government and State Owned Bodies (GSBs) that exhibit High Risk Characteristics and Embassies.<br />
Additional information: Foreign Embassies, Consulates, and Foreign Missions. GSBs of countries where the country’s TI CPI score is 35 or lower.<br />
Supporting Guidance: See CDD Customer Types Chapter 12 - GSBs<br />
SCC 05<br />
Description: Crowdfunding platforms, Third Party Payment Processors (TPPPs), Issuers/Dealers of Virtual Currency and Money Services Businesses (MSBs).<br />
Additional information: I.e. companies offering services involving money/currency exchange, money transfer, cheque cashing, and issuing or selling travellers cheques.<br />
Supporting Guidance: See CDD Customer Types Chapter 11 - NBFIs<br />
SCC 06<br />
Description: Gambling Operations.<br />
Additional information: For those Gambling customers that are not prohibited – i.e. some of Category 1.<br />
Where an Exception is approved by the Global Risk Management Meeting.<br />
Supporting Guidance: See CDD Customer Types Chapter 16 - Gambling<br />
SCC 07<br />
Description: Companies that manufacture or sell weapons, e.g., Arms dealers and manufacturers.<br />
Additional information: Some companies are prohibited under the Defence Equipment Policy, B.21.5.3. Where the customer is ‘Restricted’, and therefore can be retained as they are not prohibited under the Defence Equipment Policy, then they must be classified as SCC.<br />
Supporting Guidance: Defence Equipment Policy, B.21.5.3 (footnote 26).<br />
SCC 08<br />
Description: Certain Bearer Share Corporations that are: Have their Issued Bearer Share Companies (IBSC) beneficial ownership verified through an approved third party assurance process (M5);<br />
Additional information: IBSC that has agreed to cancel their bearer shares and re-issue them in a registered form or to put them in custody (M3 and M4), must be classified as SCC until they meet the relevant requirements.<br />
Supporting Guidance: See section 7.4 of Corporates & Partnerships EDD Chapter<br />
SCC 09<br />
Description: Entities and individuals that pose significant reputational risk to HSBC, e.g., customers who have been accused or convicted of money laundering, terrorist financing, tax evasion, bribery, or corruption, human trafficking, proliferation, organised crime, as well as those entities that pose sustainability/environmental concerns.<br />
Any Restricted customers which do not fall under a prescribed SCC category.<br />
Additional information: For example, under Group's Sustainability Risk Management Policy, "Group members must ensure that the financial services which they provide to customers do not indirectly result in unacceptable impacts on people or on the environment."<br />
Certain Customers, mainly pharmaceutical, where a portion of or all of their operations relate to medical marijuana where not prohibited by local law, e.g. U.S.<br />
SCC 10<br />
Description: Offshore Banking License.<br />
Additional information: Bank customers solely operating under an offshore licence.<br />
Supporting Guidance: See CDD Customer Types Chapter 8 - Banks<br />
SCC 11<br />
Description: Individuals or entities with a known and material level of exposure to a Sensitive Sanctioned country.<br />
Additional information: I.e. where the Global Sanctions Policy (footnote 27) requires an SCC rating to be provided where a Customer has obtained Customer Sanctions Risk Approval (CSRA) (footnote 28).<br />
Supporting Guidance: Refer to the Global Sanctions Policy for more information.<br />
SCC 12<br />
Description: Individuals who effectively own, operate or exercise any significant control in relation to any of the businesses/activities listed above.<br />
Additional information: E.g. Individuals linked to SCC 03, SCC 04, SCC 05, SCC 06, SCC 07, SCC 08, or SCC 10.<br />
26 http://fim.ghq.hsbc/fim/home.nsf/ByRef/UKWE77TKZ916162109102007?open&language=en<br />
27 Refer to the Global Risk FIM - D2.19.2 Appendix B of The Global Sanctions Policy.<br />
28 Required for Customers that have exposure to Sanctioned Countries.<br />
Appendix C – Examples of High Risk Business Types<br />
Higher Risk Nature of Business: Transportation of Goods<br />
Rationale for Higher Risk: Potential for money laundering through shipments of physical cash or other illicit goods, and potential breaches of sanctions, human trafficking and terrorism.<br />
Examples of Potentially Impacted Business Types: Freight forwarders; Freight shipping companies; Import/export traders; Virtual Importers/Exporters; Equipment rental and manufacturing related to transport; Charterers or Operators of Ships, Vehicles or Aircraft; Couriers.<br />
Example CDD Considerations: What countries does the entity do business with? Does this make sense given what is known about the entity? Is there any adverse media reporting?<br />
Higher Risk Nature of Business: Cash Intensive<br />
Rationale for Higher Risk: High exposure to stolen goods. For example, criminals may target pawnbrokers to obtain funds due to the reduced requirements for obtaining a loan (the customer only needs an item to provide as collateral).<br />
Examples of Potentially Impacted Business Types: Night clubs; Pawnbrokers; Independently Owned (i.e. not part of a large organisation) Cash Intensive businesses, including beauty/hair salons, taxi and limousine drivers, convenience stores, independent gasoline stations, laundromats, vending machine operators, restaurants, taverns, bars, and parking garages; Privately owned ATMs/teller machines – the cash used to supply the machines may come from illegitimate sources.<br />
Example CDD Considerations: Does the transaction picture make sense given what is known about the nature of business? Would a site visit be useful, i.e. to check that the business is real and understand what controls they have in place?<br />
Higher Risk Nature of Business: High Value Products<br />
Rationale for Higher Risk: Increased risk of being used at the placement and integration stages of money laundering to conceal or legitimise funds through the buying and selling of high value products.<br />
Examples of Potentially Impacted Business Types: Precious metals, stones, jewellery dealers or wholesalers, particularly gold and diamonds; Art & Antiques; Auctioneers; Real estate developers, brokers and appraisers.<br />
Example CDD Considerations: Does the source of wealth and funds make sense? Would a site visit be useful, i.e. to check that the business is real and understand what controls they have in place? Is there any adverse media reporting?<br />
Higher Risk Nature of Business: Exposure to potential criminal activities<br />
Rationale for Higher Risk: Potential exposure to criminal activities such as: Human Trafficking; Tobacco smuggling; Hydrocarbon theft; Terrorist Financing.<br />
Examples of Potentially Impacted Business Types: Sex industry establishments; Tobacco Wholesalers; Hydrocarbon Trading/Investing; Telephone card/phone centres and distributors; Construction companies; Extractive Industries, e.g. mining.<br />
Example CDD Considerations: Does the source of wealth and source of funds make sense given what is known about the nature of business? Is there any adverse media reporting?<br />
Higher Risk Nature of Business: Dual Use Goods<br />
Rationale for Higher Risk: Considered high risk as linked to the production, import or export of precursor goods that may be used for chemical weapons or explosives.<br />
Examples of Potentially Impacted Business Types: Pharmaceutical Companies; Chemical Companies.<br />
Example CDD Considerations: What countries does the entity trade with? Does this make sense given what is known about the entity? Does the entity have appropriate trading licenses in place?<br />
Higher Risk Nature of Business: Business Services<br />
Rationale for Higher Risk: Can potentially facilitate the establishment and acquisition of shell companies. Can potentially assist in disguising ownership control of a legal person or entity.<br />
Examples of Potentially Impacted Business Types: Nominee Incorporation services (NIS); Attorneys; Accountants.<br />
Example CDD Considerations: Are they registered or licensed with an appropriate authority? Is there any adverse media reporting?<br />
Appendix D - Prohibited Accounts and Services<br />
Description: Payable-through-accounts through domestic or foreign bank customers<br />
Additional information: HSBC does not allow domestic or foreign bank customers to provide payable-through-accounts to their customers on their HSBC accounts.<br />
Description: Hold Mail<br />
Additional information: Where the customer has instructed that all documentation related to the account is to be held on their behalf until collection; and Customers that use an HSBC location as their mailing address.<br />
Description: Remittance Services for Non-Customers<br />
Additional information: Issue of demand drafts and origination, wire transfers or other same-day value payment systems such as Automated Clearing House (ACH).<br />
Description: Direct control of internal concentration or suspense accounts by customers<br />
Supporting Guidance: Concentration and Omnibus Accounts Guidance<br />
Description: Travellers Cheques, Pre-Paid Travel Cards and U.S. Postal Money Orders<br />
Additional information: Sale of Travellers Cheques and sale of Pre-Paid travel cards (such as those issued by Visa or American Express) by Group Offices; Travellers Cheques Deposits and encashments; Any ongoing servicing provided for existing Pre-Paid travel cards; Accepting/negotiation of a U.S. Domestic Postal Money Order bearing the proviso, “Negotiable only in the US and possessions”, by Group Offices outside the United States, its possessions and freely associated states.<br />
Supporting Guidance: Monetary Instruments Guidance<br />
Description: The physical transportation of currency and monetary instruments by employees, e.g. bulk cash<br />
Supporting Guidance: Cash Services Guidance<br />
Description: Wholesale cross border banknotes trading business<br />
Additional information: Including: Buying, selling and shipping large volumes of bank notes cross border, typically shipped via plane, armoured car or containerised cargo; Receiving large shipments of currency, directly when taking possession of an actual shipment, or indirectly when taking possession of the economic equivalent of a currency shipment such as cash being delivered to the central bank vault or third party vault.<br />
Supporting Guidance: Cash Services Guidance<br />
Description: Payments and Cash Management services to any Gaming/Gambling customers<br />
Supporting Guidance: See CDD Customer Types Chapter 16 - Gambling<br />
Description: Virtual Currency<br />
Additional information: A medium of exchange that operates like a currency in some environments but is not issued by a central bank or public authority, nor does it have legal tender status in any jurisdiction, e.g., Bitcoin.<br />
Supporting Guidance: Cash Services Guidance<br />
Description: Additional prohibited accounts, as required by the Country AML Policy and local AML laws, rules, and regulations<br />
Additional information: E.g. Entities subject to Section 311 Designations in the US.<br />
Description: Any other product or service as determined by the Global Head of AML<br />