China’s new AML laws are an upgrade, but could prove a risk

China’s new Anti-Money Laundering (AML) Law has been adopted by the National People’s Congress and will take effect on 1 January. 2025. This represents the first major revision since the law’s initial enactment in 2007 and will strengthen AML measures to address evolving money laundering risks, align with global standards, and adapt to China’s current financial landscape. However, certain measures ensuring continued government control over various elements of AML compliance and data sharing, alongside enhanced abilities for Communist Party control over private enterprise continue to be a risk, particularly for multinationals operating in China. Here are the key changes:

National security emphasis: For the first time, the AML Law would mandate that AML efforts support national security, reflecting China’s broad definition of security (Art. 1). Given China’s authoritarian control of private enterprise, this will give China’s government direct influence over the AML policies of companies operating in the country.

Expanded definition of money laundering: The law will now cover activities to hide proceeds from any criminal activity, including terrorist financing, broadening the scope beyond specific crimes as was previously the case (Art. 2). The risk here is that entities or individuals who are marked as enemies of the People’s Republic could see their assets confiscated under the guise of AML.

Extended obligations for non-financial institutions: Compliance obligations will expand to include non-financial sectors such as real estate, accounting, law, and precious metals dealers, increasing their AML responsibilities (Arts. 6, 64). This should go some way to regularising China’s vast informal economy.

KYC and AML cooperation mandate: Entities and individuals must support financial institutions in conducting Know Your Customer (KYC) and AML processes by law (Arts. 7, 38).

Stricter personal information protection: AML data will be subject to confidentiality laws, limiting its use to specified legal purposes and enhancing personal data protection (Art. 8).

Extraterritorial reach: The law extends jurisdiction to AML-related offences outside China that impact Chinese security or disrupt financial order. Foreign financial institutions may be asked to cooperate based on reciprocity (Arts. 12, 49). This could result in more legal challenges outside of China to prevent countries from sharing information with Chinese authorities.

Beneficial ownership identification: The law requires financial institutions to verify beneficial ownership information, ensuring they know the true owners of client accounts (Art. 19). This should help entities dealing with proliferation financing risks and sanctions compliance, of which China remains a risk.

Enhanced customer due diligence: Financial institutions face more rigorous due diligence requirements, including mandatory customer verification and risk assessments for high-risk transactions (Chapter 3).

Continuous monitoring and documentation: Financial institutions must monitor customers continuously and retain records for ten years post-relationship termination, doubling the previous period (Art. 34).

Cross-border data compliance: Data sharing with foreign entities requires Chinese authorisation, especially if it involves sensitive information. This may challenge multinational firms operating in China (Art. 50) who could require government approval to undertake routine monitoring.

Increased Penalties for Non-Compliance: Penalties will significantly increase, with fines up to RMB 10 million for severe violations and heightened responsibilities for management and directors (Arts. 51-59).

China’s new law also requires financial institutions pay attention to risks stemming from “the use of new technologies and products”, with experts highlighting that virtual assets have become a frequently used tool by money launderers and are a pressing challenge.

In 2022, the Chinese police arrested 63 people accused of laundering 12 billion yuan ($1.6 billion) in criminal proceeds through the cryptocurrency Tether despite the trade in cryptocurrencies being illegal in China. In 2022, China launched a three-year crackdown on money laundering, which has seen prosecutions triple from 707 in 2020 to nearly 3,000 in 2023. Key risk factors in Chinese money laundering remain illegal gambling in South-east Asia including Vietnam and Cambodia.

Download the guide to high risk jurisdictions for money laundering.

 

 

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.