Hong Kong Banks Take Low-Tech Approach to Customer Due Diligence

Thompson Reuters Regulatory Intelligence / Compliance Complete published this article by Trond Vargen about identifying customers in 201r. This is picked up from a syndicated copy at The Hong Kong Lawyer magazine.

Fraudsters have been able to use stolen ID cards to set up accounts and launder money through Hong Kong banks, the territory's banking regulator said.

The Hong Kong Monetary Authority (“HKMA”) made it clear, however, that the banks involved had complied with the required know-your-client requirements, and this has led some to question whether the KYC processes required under the territory's anti-money laundering regulations are too lenient.

In a recent circular, the HKMA said a bank had been used for money laundering purposes by a fraudster using a stolen Hong Kong ID card. The fraudster was able to pass the bank's customer due diligence (“CDD”) processes during the account-opening stage and was only discovered after having made some suspicious transactions that were reported to the authorities.

Under ss 4.2 and 4.8.8 of the HKMA's Guideline on Anti-Money Laundering and Counter-Terrorist Financing, banks are required to verify a new customer's identity by checking the customer's ID card or passport, as well as obtaining a proof of residence.
These requirements are echoed in the Code of Banking Practice produced by the Hong Kong Association of Banks, a local industry trade body.

To bypass the bank's CDD process, the fraudster must then have been able to produce a convincing fake address in addition to the stolen ID card, a process which Nigel Morris-Cotterill, founder of the Anti-Money Laundering Network, said was straightforward.

"Resourceful criminals are able to bypass the normal checks, and having a genuine ID card is a great way to start," he said. Morris-Cotterill said anyone with an advanced scanner and printer would be able to produce good copies of official documents and that shops offering this sort of service were commonly found in Thailand or India.

A spokeswoman for the HKMA, meanwhile, said the regulator had found "no non-compliance from banks' handling of the cases". The regulator's circular to the industry said, however, that one of the Hong Kong banks that had been subjected to this sort of fraud had later introduced a requirement to have an additional member of staff be present when verifying the customer's identity in the account-opening process.

The HKMA spokeswoman also said the customer identification and verification requirements stipulated in the Guideline on Anti-Money Laundering and Counter Terrorist Financing were in line with internationally accepted standards and practices.

The Humble ID Card

Given Hong Kong's role as an international financial centre and the size of its banking sector, it may be unreasonable to expect banks to catch all fraudsters at the customer due diligence stage. The territory does however have an advantage over many similar jurisdictions in that it has an efficient and high-tech ID card system, but the banking sector has not adopted this resource, commentators said.

"Since the launch of Hong Kong's 'Smart ID' card in 2003, it has carried a digital representation of the holder's thumbprints, known as a 'template'," said David Webb, a local corporate governance activist and founder of Webb-Site.com. "The processor on the card has the ability perform a secure check of a person's thumbprint against the template. Unfortunately, the government has never activated this function, and the thumbprint templates are only used by the immigration department at border checkpoints. So the card has, in reality, functioned as a 'dumb ID card' and is open to abuse by anyone with a resemblance to the person whose face appears in a small monochrome photo on the card. This is a great shame. Biometric identification would undoubtedly reduce fraud," he said.

The Hong Kong Association of Banks did not reply to requests for comment on whether it had considered petitioning the government for permission to adopt ID card scanners. Several Hong Kong government departments and the public libraries system use such scanners, replacing the need to carry a separate library card.

Webb said the Hong Kong ID card could also carry a digital certificate or "e-Cert", which allowed the holder, with a PIN, to sign emails and other electronic documents digitally to prove his identity.

"Unfortunately, the government made the e-Cert optional and take-up was low," he said. "Such a system of either e-Cert or thumbprint (or both) authentication allows online verification of identity: in theory, a bank or brokerage account could be opened without ever setting foot in high-rent physical branches or sending snail-mail, but to this day, everything is still over-the-counter and paper-based, and cards are seen but not tested."

Other Options

ID card scanners may not be a solution in the short term but there are other options for banks to verify new customers' identities. Julian Russell, director at Pacific Risk in Hong Kong, said there was a precedent for the use of identity cards in the private sector.

"Employers in Hong Kong are required to ensure that the people they employ are legally allowed to be employed in Hong Kong," he said. Hence, banks should also be able to confirm if a Hong Kong ID is genuine, or has been reported stolen, by contacting the Immigration Department.

"[It's] not a 100 percent solution, however. The banks are only required to make simple checks; they are not required to be detectives," Russell said.

Banks could also consider making home visits, and insist customers open accounts at the branch nearest their homes, Morris-Cotterill said. "Accounts can be held pending until a visit takes place. A customer who is never available would be suspicious."

Such an approach would be costly because small retail customers were marginal in terms of the bank's profitability, he said.

Morris-Cotterill said one approach was for future ID cards to include data on iris scans, which would allow a cardholder to verify their identity via an encrypted link from the ID card by conducting an eye scan.

"Iris scanning can be done with reasonable accuracy with a high-resolution mobile camera. Mobile phones are not far away from this, and no personal data would be stored on devices that are easily lost or stolen."