New KYC Requirements for Financial Institutions


KYC requirements are an important feature in combatting money laundering. In January 2022, the People's Bank of China (“PBoC”), the China Banking and Insurance Regulatory Commission (“CBIRC”) and the China Securities Regulatory Commission (“CSRC”) jointly released the Administrative Measures for Financial Institutions on Customer Due Diligence Investigations and Keeping of Customer Identity Information and Transaction Records (“New Measures”). The New Measures were planned to come into effect on 1 March 2022. Simultaneously, the current Administrative Measures for Financial Institutions on Customer Identification and Keeping of Customer Identity Information and Transaction Records (“Old Measures”), which have been effective since 1 August 2007, should cease to be in force.

On 21 February 2022, the PBoC issued an announcement (公告(附答记者问), i.e. "Announcement (with Q&A with reporters)") to postpone the planned implementation of the New Measures because, after the release of the New Measures, some medium and small-sized financial institutions have reported that they will need to amend and improve their internal management system, information system and business process, and to train their staff, due to the detailed criteria and requirements under the New Measures on different financial products. We understand that such postponement is only to give financial institutions, in particular medium and small-sized ones, more time to adjust their internal management and system for the enhanced KYC requirements under the New Measures. Therefore, we do not expect that the PBoC will amend the content of the New Measures but will just postpone implementation. We will follow up on this and publish a follow-up alert once the PBoC has decided when to implement the New Measures.

1. Background

The Old Measures mainly regulate two topics in relation to “Know Your Customer” (“KYC”) obligations of financial institutions: (i) customers' ID identification (which means (1) for individuals: name, gender, nationality, occupation, domicile, ID certificate; (2) for companies: company name, registered address, business license or other incorporation documents) and (ii) keeping of customers' ID information and transaction records. The key difference between the New Measures and the Old Measures is that the New Measures have substantially updated and supplemented the obligation of "customers' ID identification" and transformed this obligation into a statutory requirement of "customer due diligence investigations".

Such requirement is not new under PRC law and has always been addressed, but in a very vague and general way, in various bank-related regulations. For instance, the PBoC released in 2018 a Circular on Further Strengthening Anti-Money Laundering by Financial Institutions to require all PRC banks to carry out continuous customer due diligence investigations. This requirement is, in particular, in line with the recent Amended Draft of the PRC Anti-Money Laundering Law which was released by the PBoC on 1 June 2021 for public comments. According to this amended draft, financial institutions and certain non-financial institutions shall conduct due diligence investigations on their customers to prevent and restrain money laundering, terrorism financing and related illegal and criminal activities. Such requirement is not stipulated in the current PRC Anti-Money Laundering Law (promulgated by the Standing Committee of the PRC National People's Congress and effective since 1 January 2007).

Now, the New Measures provide additional, more detailed provisions on customer due diligence investigations. Provisions on "keeping of customers' ID information and transaction records" under the Old Measures have basically remained unchanged under the New Measures.

Below is an overview of the new and key provisions in the New Measures regarding the requirement on financial institutions to conduct customer due diligence investigations.

2. Enlarged Scope of Entities Subject to the Obligation of Customer Due Diligence

According to Article 2 of both the Old Measures and the New Measures, obliged entities under these measures include all types of financial institutions determined and announced by the PBoC, e.g. commercial banks, securities companies, futures companies, insurance companies, financing companies, etc. The New Measures have enlarged the scope of the obliged entities under the Old Measures and added entities like finance companies of enterprise groups, loan companies, wealth management companies, insurance agencies and brokers.

It needs to be noted that "finance companies of enterprise groups" have now been explicitly included as financial institutions subject to the obligation of customer due diligence. According to the PRC Administrative Measures for Finance Companies of Enterprise Groups, "finance companies" as used in these measures refer to non-banking financial institutions which provide financial management services to enterprise group member entities for the purpose of strengthening the centralized management of enterprise group funds and improving the efficiency of the utilization of the funds. Therefore, as of 1 March 2022, finance companies of enterprise groups will be obliged to conduct due diligence investigations, as far as applicable and required under the New Measures, on their customers which normally include affiliated companies of such finance companies within the same enterprise group.

3. Customer Due Diligence Investigation Measures

a) Legitimate Reasons for Customer Due Diligence Investigation Measures

According to Articles 3 and 7 of the New Measures, a financial institution shall conduct corresponding and continuous due diligence investigation measures on customers, business relationships and transactions. During the period when a financial institution establishes a business relationship, handles a one-off transaction above specified thresholds (e.g. single cash transaction by natural persons at/above RMB 50,000 or foreign exchange equivalent to USD 10,000, certain insurance contracts with total premiums at/above RMB 50,000 or foreign exchange equivalent to USD 10,000), and maintains a business relationship with a customer, such financial institution shall conduct customer due diligence investigations basically in the following 2 scenarios:

(1) if it suspects that the customer and its transaction are involved in money laundering or terrorist financing;

(2) if it has doubts about the authenticity, validity or completeness of the previously obtained customer identity information

(items (1) and (2) are jointly referred to as "Legitimate Reasons").

The New Measures do not require financial institutions to substantiate or prove the occurrence of any Legitimate Reasons. In practice, it will be possible that, for instance, the banks conduct due diligence investigations on their customers just because the customer identity information recorded by the banks is not complete or up-to-date. Therefore, it will be difficult and not predictable for customers to know when and for what reasons their banks will investigate them. Whether the competent authorities will issue clearer and practicable implementing rules remains to be seen. It will, however, do no harm for customers to ensure that they are doing their business and handling bank formalities strictly in accordance with PRC law. They are further recommended to consult their banks on whether their ID information recorded at the banks is authentic, valid, complete and up-to-date. This can contribute to reducing the possibility of due diligence investigations to avoid unnecessary expenditure of time and cost.

b) General Due Diligence Investigation Measures

According to Article 7 of the New Measures, general due diligence investigation measures which may be conducted are:

(1) identifying the customer and verifying the customer's identity through well-sourced and independent proof materials, data or information;

(2) understanding the purpose and nature of the customer's business relationship and transaction, and obtaining relevant information according to the risk status;

(3) for any circumstance with high money laundering or terrorist financing risks, understanding the source and purpose of the customer's funds, and taking enhanced due diligence measures according to the risk status;

(4) during the existence of a business relationship, taking continuous due diligence measures for the customer and reviewing the status of the customer and its transactions to confirm that the services and transactions provided for the customer are in line with the financial institution's understanding of the customer's identity background, business needs, risk status and source and purpose of funds;

(5) if the customer is a legal person or a non-legal person organization, identifying and taking reasonable measures to verify the beneficial owner of the customer. (See below item c) for more details regarding "Corporate Customers".)

c) Due Diligence Measures for Corporate Customers

According to Article 22 of the New Measures, if the customer is a legal person or a non-legal person organization ("Corporate Customer"), the concerned financial institution shall, in addition to the standard customer identification process, understand the business nature of the Corporate Customer and its ownership and control structure, and identify and take reasonable measures to verify its beneficial owners, which are one or more natural persons ultimately owning or actually controlling the Corporate Customer ("Beneficial Owners"). Beneficial ownership is constituted if any of the following requirements is met:

(1) directly or indirectly owning 25% or more of the equity or partnership interests of the Corporate Customer;

(2) individually or jointly exercising actual control over the Corporate Customer, including but not limited to exercising control through agreements, kinship and other means such as deciding on the appointment and removal of directors or senior management, deciding on the formulation or implementation of major business and management decisions, deciding on financial revenue and expenditure, and dominating the use of important assets or major funds by long-term practice;

(3) directly or indirectly enjoying 25% or more of the income/earning rights of the Corporate Customer.

A financial institution shall comprehensively check whether any of the above requirements is met to identify and verify the Beneficial Owners. If no Beneficial Owner can be identified because none of the above requirements is met, the senior management of such Corporate Customer shall be identified.

Further, if a Corporate Customer or its Beneficial Owners are foreign dignitaries, senior managers of international organizations, or specific related persons of the said foreign dignitaries or senior managers, the relevant financial institution shall adopt risk management measures to know the sources and use purposes of the properties or assets of such Corporate Customer or its Beneficial Owners. Business establishment and maintenance with such Corporate Customer shall be subject to approval of the banks' senior management and enhanced continuous monitoring measures.

The identification and verification of Beneficial Owners is not a new requirement under PRC law. For instance, the Circular on Strengthening Customers Identification for Anti-Money Laundering released by the PBoC on 20 October 2017 already contains such requirement in a similar way. The New Measures have now unified and updated the relevant similar provisions that have so far been issued by the PBoC. It needs to be emphasized that such identification measure allows financial institutions to look deeper into the corporate structure of Corporate Customers for the purpose of (allegedly) required due diligence investigations. In practice, this means that, in case of an (alleged) Legitimate Reason, a bank is entitled to require a Corporate Customer to disclose the identity of its individual Beneficial Owners (or its senior management personnel if no Beneficial Owner can be identified) who will then be subject to more exposure to banks and even to other PRC authorities.

d) Enhanced Due Diligence Measures

According to Article 30 of the New Measures, for cases of high money laundering or terrorist financing risks and for customers with high risks, financial institutions shall take one or more of the corresponding enhanced due diligence measures as follows according to the risks:

(1) obtaining relevant information on business relationships, transaction purpose and nature, source and purpose of funds, and when necessary, requiring the customer to provide supporting materials for verification;

(2) understanding the customer's economic or business status through on-site visits and other means;

(3) enhancing the monitoring and analysis of the customer and its transactions;

(4) increasing the frequency of examining and updating information on the customer and their Beneficial Owners;

(5) requiring the approval of senior management when establishing, maintaining business relationships or handling business with customers.

In our experience so far, it is very rare that banks conduct on-site visits to their (potential) customers to know their economic and business status. However, the banks will be expressly entitled to do so in the future, as one sole measure or in combination with the others, if they claim to have a Legitimate Reason and regard the relevant risks of potential money laundering or terrorist financing as high.

e) Consequences of Customer Due Diligence Investigations

According to Article 28 para. 2 of the New Measures, if the identity certificate or other identity documents previously submitted by the customer have expired, and the customer has failed to update them accordingly within a reasonable period and without reasonable grounds after having been notified by the financial institution, the financial institution shall suspend handling banking business for the customer.

According to Article 30 of the New Measures, the financial institution shall impose reasonable restrictions on the customer's transaction method, transaction scale and transaction frequency, or even refuse the transaction or terminate the established business relationship if it believes that it is necessary to manage the customer's risks of money laundering or terrorist financing after the financial institution has adopted enhanced due diligence investigation measures as mentioned under above item d).

According to Article 32 of the New Measures, if the financial institution is unable to complete the customer due diligence investigation measures stipulated in the New Measures, it shall refuse to establish a business relationship, take necessary restrictive measures or refuse transactions, or terminate the established business relationship, and submit a suspicious transaction report to the competent department of the PBoC according to the circumstances of the risks.

Considering the potential risks of restriction and suspension of banking transactions, which will substantially affect the normal business operation of the concerned customer, we recommend that, just to be safer, bank customers including Corporate Customers should proactively consult their banks to reduce the risks of being suspected of money laundering or terrorist financing. In case the banks have announced to carry out due diligence investigations, the customers should cooperate with the banks to complete such investigations as soon as possible.

f) Time limits for Due Diligence on Existing Customers

The New Measures set time limits for financial institutions to complete due diligence investigations on their existing customers who do not satisfy the requirements of the due diligence thereof:

(1) for existing customers with higher risks of money laundering or terrorist financing, the relevant financial institutions shall complete the due diligence within one year as of 1 March 2022, i.e. latest by 28 February 2023; and

(2) for all other existing customers, the relevant financial institutions shall complete the due diligence within two years as of 1 March 2022, i.e. latest by 29 February 2024.

4. Conclusion

Instead of a rather simple customer identification process as so far stipulated under the Old Measures, the New Measures have introduced a stricter, more structured customer due diligence investigation system aiming at intensified prevention and restraining of the risk of money laundering and terrorist financing. Such system is adopted in line with international banking practice and also to accommodate the rapid and diversified economic development in China and the huge amount of its global business transactions. On the other hand, stricter customer due diligence investigations will further prolong the KYC process and may delay or even hinder banking transactions. Customers of financial institutions are recommended to maintain full compliance in their business and banking affairs. This can contribute to reducing the risk of complicated due diligence measures. If such measures are indeed necessary and carried out, full cooperation with the investigating financial institutions is recommended so that the process will be smoothed and adverse impact on the business can be mitigated.