The Companies Registry (CR) has updated the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) for Trust or Company Service Provider Licensees (TCSPs), set to take effect on 3 March 2025, in order to align with the latest international standards and best practices recommended by the Financial Action Task Force (FATF).

As the regulatory landscape evolves, it is crucial for TCSPs to stay informed and prepare for these changes to ensure compliance and mitigate risks. In this article, we will explore the implications of these updates and the necessary action to comply with the new regulatory framework.

Key Amendments to the CR’s AML/CFT Guideline for TCSPs

A. 30-Day Identity Verification Timeline

B. Introduction of Institutional Risk Assessment

C. Guidance on AML/CFT Policies, Procedures, and Controls

D. Guidance on Simplified and Enhanced Due Diligence

A. 30-Day Identity Verification Timeline

As outlined in the updated Guideline, the timeframe for completing identity verification under customer due diligence has been revised from within 60 days to within 30 days. This change emphasizes the importance of timely identity verification by TCSPs. Specifically:

TCSPs must complete identity verification within 30 working days of establishing a business relationship.
If verification is not completed within this timeframe, the licensee must suspend the business relationship and halt further transactions, except to return funds to their sources.
Should such verification remain uncompleted after 120 working days, the TCSP is required to terminate the business relationship with the customer.

(Refer to Paragraph 4.7.3 of the Guideline)

B. Introduction of Institutional Risk Assessment (IRA) and Customer Risk Assessment (CRA)

The revised Guideline introduces a requirement for TCSP licensees to conduct money laundering and terrorist financing (ML/TF) risk assessments at an institutional level.

Conducting an institutional level assessment means that AML/CFT policies, procedures, and controls must be applied organization-wide, apart from individual customer interactions. This comprehensive approach involves evaluating the overall ML/TF risk that the TCSP may be exposed to, identifying potential vulnerabilities across all operations, and implementing effective measures to mitigate these risks.

(Refer to Paragraph 2.2 to 2.9 of the Guideline)

The revised Guideline reinforces the need to perform Customer Risk Assessment. Unlike Institutional Risk Assessment, Customer Risk Assessment is performed for each and every customer that the TCSP has business relationship with. This risk assessment is done as part of the Customer Due Diligence process and will provide the basis for the type of risk mitigating measures that should be deployed during the course of doing business with the customer.

(Refer to Paragraph 2.12 to 2.15 of the Guideline)

By combining both institutional-level and customer-level risk assessment, TCSPs can more effectively respond to the evolving ML/TF threats.

i. The difference between Institutional Risk Assessment (IRA) and Customer Risk Assessment (CRA)

	*Institutional Risk Assessment (IRA)*	*Customer Risk Assessment (CRA)*
Scope	Institution/ Company/ Firm as a whole. (Firm-wide risk assessment)	Each customer (Individual/ Entity) or business relationship.
Focus	Overall institutional/ companywide/ firm-wide risks.	Customer specific risks.
Objective	Identify and mitigate institutional vulnerabilities.	Assessment customer risk level.
Outcome	Institutional risk profile. (e.g. Our firm’s key ML/FT risks come from…)	Customer risk rating. (e.g. Customer ABC is a low risk customer because…)

ii. 4 Main Risk Identification under Risk-based Approach (RBA)

The institutional ML/TF risk assessment must adhere to the risk-based approach (RBA), enabling TCSP licensees to understand their vulnerabilities to money laundering and terrorist financing commensurate with the nature, size and complexity of their business.

TCSP licensees are required to identify, assess, and understand their ML/TF risks, categorizing them as Low, Medium, or High across four main risk identification areas:

Risk Identification	Examples
Customer Risks	(i) The target markets and customer segments served by the TCSPs; (ii) the number and proportion of customers identified as high risk
Country or Jurisdiction Risks	(i) (i) the countries or jurisdictions the TCSPs have operations in and its customers are from or in, especially those identified with relatively higher level of corruption or organised crime, or lacking effective AML/CFT regimes;
Product, Service, or Transaction Risks	(i) the nature, scale, diversity and complexity of services provided by the TCSP (ii) the characteristics of products and services offered, and the vulnerabilities to ML/TF abuse; (iii) the volume and size of the transactions;
Delivery Channel Risks	(i) The channels used to deliver products or services directly to customers (ii) The reliance on third parties to conduct CDD (iii) The use of technology in service delivery (iv) and the vulnerability of these channels to ML/TF abuse.
Other Risks	(i) the nature, scale and quality of available ML/TF risk management resources, including appropriately qualified staff with access to ongoing AML/CFT training and development; (ii) compliance and regulatory findings; (iii) results of internal or external audits.

(Refers to Paragraph 2.4 of the Guideline)

iii. Risk Mitigation Strategies

When TCSPs identify Medium or High risks related to AML/CFT breaches or offenses, implementing effective control measures becomes essential. To mitigate AML/CFT risks, TCSPs should enhance the Degree, Detail, and Frequency of their control measures for higher-risk customers:

Increase the Degree of Control: Employ additional independent methods, such as requiring higher-risk customers to conduct transactions through bank channels, to verify the legitimacy of funds.
Enhance the Detail Level of Control: Request comprehensive documentation, including proof of the source of funds, bank statements, or business verification documents (e.g., invoices from top suppliers), to gather more information and reduce customer risk levels.
Augment the Frequency of Control: Regularly review customer CDD information and monitor transaction volumes for different customer types to ensure ongoing compliance and risk management.

It is crucial for TCSPs to document all risk assessments and the actions taken to mitigate risks. This documentation serves as an important audit trail for regulatory inspections and suspicious transaction reports (STRs).

iv. Importance of management oversight

Management oversight plays a critical role in the effectiveness of AML/CFT compliance programs within TCSPs. The success of a risk-based approach (RBA) to AML/CFT relies heavily on robust leadership and guidance from senior management in both designing and executing the RBA throughout the TCSP licensee. Senior management must possess a clear awareness of the money laundering and terrorism financing (ML/TF) risks facing the organization and a solid grasp of how the AML/CFT control framework functions to address and reduce those risks.

C. Guidance on (“AML/CFT”) Policies, Procedures, and Controls (“AML/CFT Systems”)

A TCSP licensee must implement appropriate AML/CFT Systems following the RBA to mitigate risks of ML/TF and prevent contravention of requirements under Part 2 (Customer Due Diligence) or Part 3 (Record-keeping Requirements) of Schedule 2 of AMLO, as stated in paragraph 3.1 of the Guideline. To be effective, the TCSP should rely on the firm-wide Institutional Risk Assessment performed to decide the nature, scale and complexity of the AML/CFT Systems – simplifying the procedures and controls where risks are low and enhancing the procedures and controls where the risks are high. Notably, the TCSP shall not simplify their procedures and controls when there is suspicion of ML/TF. In addition, the AML/CFT Systems must include:

Compliance management arrangements
An independent audit function
Employee screening procedures and
An ongoing employee training programme.

The AML/CFT Systems must be approved by the TCSP’s senior management and regularly reviewed by the senior management.

(Refer to Paragraph 3.2 and 3.3 of the Guideline)

D. Guidance on Simplified and Enhanced Due Diligence

To assist TCSPs in understanding the application of simplified due diligence (SDD) and enhanced due diligence (EDD), the revised Guideline provide practical guidance, including examples of potential lower and higher risk factors, as well as examples of possible SDD and EDD measures. These SDD and EDD measures should be part of the AML/CFT Systems.

Table Example

	Simplified Due Diligence (SDD)	Simplified Due Diligence (SDD)
	Examples of potentially lower risk factors include (Refer to Paragraph 4.8.7):	Examples of potentially higher risk factors include (Refer to Paragraph 4.9.5):
Customer risk factor	a government entity or a public body in Hong Kong or in an equivalent jurisdiction; a corporation listed on a stock exchange and subject to disclosure requirements (e.g. either by stock exchange rules, or through law or enforceable means), which impose requirements to ensure adequate transparency of beneficial ownership; a financial institution (FI) as defined in the AMLO, or other FI incorporated or established in an equivalent jurisdiction and is subject to and supervised for compliance with AML/CFT requirements consistent with standards set by the FATF; or a collective investment scheme authorised for offering to the public in Hong Kong or in an equivalent jurisdiction.	business relationship is conducted in unusual circumstances (e.g. significant unexplained geographic difference between the TCSP licensee and the customer); legal persons or legal arrangements that involve a shell vehicle without a clear and legitimate commercial purpose; companies that have nominee shareholders, nominee directors, bearer shares or bearer share warrants; cash intensive business; or the ownership structure of the legal person or legal arrangement appears unusual or excessively complex given the nature of the legal person’s or legal arrangement’s business.
Product, service, transaction or delivery channel risk factors:	a provident, pension, retirement or superannuation scheme (however described) that provides retirement benefits to employees, where contributions to the scheme are made by way of deduction from income from employment and the scheme rules do not permit the assignment of a member’s interest under the scheme; an insurance policy for the purposes of a provident, pension, retirement or superannuation scheme (however described) that does not contain a surrender clause and cannot be used as a collateral; a life insurance policy in respect of which: (A) an annual premium of no more than $8,000 or an equivalent amount in any other currency is payable; or (B) a single premium of no more than $20,000 or an equivalent amount in any other currency is payable.	anonymous transactions (which may involve cash); or frequent payments received from unknown or unassociated third parties.
Country risk factors:	countries or jurisdictions identified by credible sources, such as mutual evaluation or detailed assessment reports, as having effective AML/CFT Systems; or countries or jurisdictions identified by credible sources as having a lower level of corruption or other criminal activity.	countries or jurisdictions identified by credible sources, such as mutual evaluation or detailed assessment reports, as not having effective AML/CFT Systems; countries or jurisdictions identified by credible sources as having a significant level of corruption or other criminal activity; countries or jurisdictions subject to sanctions, embargoes or similar measures issued by, for example, the United Nations; countries, jurisdictions or geographical areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operation.
	Examples of possible SDD measures (Refer to Paragraph 4.8.8):	Examples of possible EDD measures (Refer to Paragraphs 4.9.6):
Examples of possible measures	(a) accepting other documents, data or information (e.g. proof of FI’s licence, listed status or authorization status etc.), other than examples provided in paragraphs 4.3.7 and 4.3.12, for a customer falling within any category specified in paragraph 4.8.7(a); (b) adopting simplified customer due diligence in relation to beneficial owners as specified in paragraphs 4.8.9 to 4.8.17; (c) reducing the frequency of updates of customer identification information; (d) reducing the degree of ongoing monitoring and scrutiny of transactions based on a reasonable monetary threshold; or (e) not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring the purpose and intended nature from the type of transactions or business relationship established.	(a) obtaining additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.), and updating more regularly the identification data of customer and beneficial owner; (b) obtaining additional information on the intended nature of the business relationship; (c) obtaining information on the source of wealth of the customer (see paragraph 4.9.25); (d) obtaining information on the source of funds of the customer (see paragraph 4.9.26); (e) obtaining information on the reasons for intended or performed transactions; or (f) requiring the first payment to be carried out through an account in the customer’s name with a bank subject to similar CDD standards.

Necessary Actions Checklist for TCSPs: Complying with Updates to CR’s Guideline

To ensure compliance with the latest updates to the CR’s Guideline on AML/CFT, TCSPs are advised to undertake the following actions in timely manner.

Review and Update Internal AML/CFT Policies, Procedures and Control (AML/CFT Systems):
Conduct a comprehensive review of existing AML/CFT Systems to ensure alignment with the revised Guideline. This process should identify any gaps or inconsistencies while incorporating best practices to enhance overall effectiveness. Additionally, it is essential to facilitate training sessions to ensure that all staff members are well-informed and equipped to consistently implement the updated policies.

→ If you have not yet developed AML/CFT Systems or wish to expedite the establishment or update of your policies, procedures and control, consider purchasing an AML/CFT Policies, Procedures and Controls template that meets the latest requirements. Now you can enjoy a 10% discount offered by Ingenique Solutions until 31 May 2025.

Click here to learn more about the AML/CFT Policies, Procedures and Controls template and get 10% discount
Risk Assessment:
Reassess the institutional ML/TF risk assessment to accurately identify any changes in risk factors that may have emerged as a result of the updated Guideline. This reassessment should involve a detailed analysis of customer segments, products, and services to pinpoint new vulnerabilities. The findings from this assessment should guide necessary modifications to AML/CFT Systems, ensuring they are robust and responsive to evolving risks. Regular updates to this assessment will help maintain a proactive approach to risk management.
Enhance Due Diligence Measures:
Revise and strengthen the Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD) measures in accordance with the updated Guideline. This may involve refining customer onboarding processes, enhancing identity verification protocols, and adopting more rigorous monitoring practices tailored to identified risk levels.

→ TCSPs can utilize advanced AML/CFT solutions such as SentroWeb to effectively screen clients and implement a guided Customer Due Diligence (CDD) process. SentroWeb AML/CFT Solutions are designed to streamline the CDD process while ensuring that due diligence efforts are thorough and tailored to the specific risk profiles of clients.

Click here to learn more about SentroWeb AML/CFT Solutions and get up to 18% discounts
Facilitate independent AML/CFT audit review
Conducting an independent AML/CFT audit is not only critical to evaluate of the effectiveness of the organization’s AML/CFT policies and procedures, but also a new requirement highlighted in the last update to the CR Guideline. It is essential to engage independent professionals with expertise in AML/CFT to assess compliance with regulatory requirements, identify weaknesses, and recommend improvements. By facilitating this independent AML/CFT compliance review, TCSPs can enhance their risk management framework and ensure compliance.

→ Get your company’s AML/CFT framework audited by Ingenique Solutions’ professional experts and receive a detailed report and certificate.

Click here to learn more about the AML/CFT compliance review program

Conclusion

By reviewing and updating policies, re-evaluating risk assessments, refining due diligence measures, and facilitating independent audits, TCSPs can ensure they remain compliant with the recent updates to the CR Guideline on AML/CFT.

As the landscape of AML/CFT compliance continues to evolve, it is imperative for TCSPs to stay updated on the changes in the regulatory standards and trends of financial crime, as well as take proactive measures to enhance their AML/CFT frameworks. These actions not only bolster the effectiveness of your AML/CFT systems but also contribute to a culture of compliance and integrity within the organization.

Reference:

About Ingenique Solutions

Ingenique Solutions Pte Ltd delivers Anti-Money Laundering & Know Your Customer (KYC) screening and due diligence solutions to help small businesses and large enterprises meet their AML/CFT compliance requirements. It is trusted by 2,000+ companies in Hong Kong, Singapore, Malaysia, China and Taiwan, including government Ministry/ Agency, public listed companies, and top leading firms in various sectors.

Recent Posts: