New guidance from LSAG: Chinese underground banks and funds from China

What your firm needs to know about transactions from China

The Legal Sector Affinity Group (LSAG) recently published an advisory notice on the risks involved in Chinese transactions that do not use the normal banking system or have not complied with Chinese currency controls.

Bottom line: A customer misleading the Chinese authorities about the reasons for a currency transfer is not a crime in the UK. But… it is something to consider. 

The main issue for firms is establishing that the funds come from a legitimate source and, if the client misrepresented the reason for the transfer, why they did so and what the transfer is really for.

Bypassing Chinese currency controls can happen in a few ways. Informal value transfer systems (IVTS) move money outside the banking system. The use of such systems can be for entirely legitimate purposes, but understanding the source of the UK funds used in the inwards remittance is key.

Also, under Chinese law, taking funds out of China is capped at $50,000 annually and only for certain purposes (i.e. training, study, travel or family support). “Splitting” involves breaking up a transaction into smaller transactions – explicitly banned under Chinese law but not necessarily connected to the proceeds of crime. It does make it harder to establish the source of funds, as doing so requires checking all the parties involved.

There is also “daigou”, a Chinese term for the purchase and sale of high-value goods, which has been used in conjunction with underground banking to provide inward remittances for customers.

The red flags

What could indicate suspicious activities? Some examples of what you might find in a client’s banking transactions and supporting documentation:

  • Transfers received that are just below the threshold of currency controls that apply in China ($50,000)
  • Multiple/lump sums received from third party individuals or companies with no obvious connection to the transaction
  • Multiple payments made to high value goods retailers/brands (could indicate that the person is a “daigou” participant)
  • Multiple sums received in unusually similar or rounded figures
  • Information given in support of transfers that appears false or contradictory 
  • The client insisting on translating their own bank statements and/or supporting due diligence documents

When conducting your client due diligence (CDD), LSAG advises looking for reasons for the transaction and the source of funds. Firms should get as much CDD evidence as they need to feel comfortable. Of course, if they cannot complete CDD, they should not carry out the transaction and should terminate the business relationship. 

Ultimately, the UK Financial Intelligence Unit does not advise for or against submitting suspicious activity reports (SARs) or Defence Against Money Laundering (DAML) requests. Firms need to consider each case individually and decide whether to report suspicion based on all of the information available.

Read the advisory note here.
