China’s draft Amended Anti-Money Laundering (AML) Law1 (AML Law) was submitted to the Standing Committee of the National People's Congress (NPC) on September 10 for the second of what are generally three readings. This marks a significant step forward after the first reading by the Standing Committee in April 2024. If adopted in substantially its current form, this would constitute the first revision of the AML Law since its initial promulgation 17 years ago in 2007. The amendments aim to modernize and strengthen China's legal framework for combating money laundering and terrorist financing, reflecting evolving global standards and domestic needs.
As noted by Pan Gongsheng, Governor of the People's Bank of China, while China's AML legal regime has witnessed significant advancement, shortcomings remain. These include the inability of certain institutions to effectively fulfill their AML obligations, inefficiencies in the coordination mechanism for supervision and information sharing, and a need for stronger AML monitoring and enforcement. This is particularly important to address growing money laundering risks including corruption, cross-border gambling, 'underground banks,' and other illegal activity. Tightening regulation in these respects is critical for combating the evolving nature of financial crimes.2
The draft amended AML Law also includes more stringent penalties for illegal conduct.
We summarize the key changes below:
- Emphasis on National Security: For the first time, the AML Law would expressly provide that AML efforts must support national security and the public interest, alongside maintaining financial order. This highlights the government's increased focus on safeguarding financial security as an element of national security which China defines very broadly (Art. 1).
- Broadened Definition of Money Laundering: The AML Law currently defines money laundering as activity aimed at disguising or concealing the source and nature of proceeds and profits from crimes such as drug trafficking, organized crime, terrorism, smuggling, corruption, bribery, financial management crimes, and financial fraud. The amended AML Law would expand this definition to also include activity which conceals the proceeds and profits from any criminal activity, including terrorist financing (Art. 2)
- Expanded AML Compliance Obligations to "Specific Non-Financial Institutions": Under the existing AML Law, only financial institutions (e.g., banks, securities and futures brokerage firms, insurance companies, and payment institutions) are required to fulfill AML obligations. The amended AML Law would extend such obligations to specified non-financial institutions, including real estate developers and intermediaries, accounting firms, law firms, notary offices involved in real estate transactions, fund and securities management, and client fund-raising activity, as well as dealers in precious metals and gemstones (Articles 6 and 64).
- Expanded AML Compliance Obligations to "Specific Non-Financial Institutions": Under the existing AML Law, only financial institutions (e.g., banks, securities and futures brokerage firms, insurance companies, and payment institutions) are required to fulfill AML obligations. The amended AML Law would extend such obligations to specific non-financial institutions, including real estate developers and intermediaries, accounting firms, law firms, notary offices involved in real estate transactions, fund and securities management, and client fund-raising activity, as well as dealers in precious metals and gemstones (Articles 6 and 64).
- Obligation to Cooperate in KYC and AML Investigations: The amended AML Law would prohibit all entities and individuals in China from facilitating money laundering activity and require that they cooperate with financial institutions and specified non-financial institutions in the conduct of Know Your Customer (KYC) processes in accordance with law (Articles 7 and 38)
- Protection of Personal Information: The amended AML Law would significantly enhance the protection of Personal Information, as defined in Chinese law. It would stipulate that Personal Information obtained during the fulfillment of AML duties—such as customer identity data, transaction details, and investigative information—must be kept confidential, with disclosure to any entity or individual prohibited unless required by law.
Moreover, the amended AML Law would clarify that financial institutions and their employees providing AML services must handle relevant data and Personal Information appropriately, ensuring its confidentiality and security. It also imposes obligations on government agencies to safeguard Personal Information confidentiality and restricts the use of such information to specific purposes. For instance, AML authorities may only utilize customer identity information and transaction data for AML investigations and enforcement, while judicial authorities may use this information only in AML criminal litigation (Art. 8).
- Extended Jurisdiction over Overseas Money Laundering Activity: The amended AML Law will have extraterritorial application, extending its jurisdiction over any overseas money laundering and terrorist financing activity that occurs outside China but poses a threat to China's sovereignty and security, infringes on the lawful rights and interests of its citizens, legal entities, and other organizations, or disrupts the domestic financial order. Such activity would be subject to investigation and prosecution under the amended AML Law (Art. 12). In addition, Chinese authorities may request that foreign financial institutions and their domestic agents cooperate in money laundering and terrorist financing investigations based on the principles of reciprocity or mutual agreement (Art. 49).
- Obligation to Identify Beneficial Ownership: The AML authorities, in collaboration with other regulatory agencies, will establish a system to manage information regarding the beneficial owners of legal entities and non-legal organizations. In performing their duties, AML authorities may utilize such information on beneficial ownership. Financial institutions and specific non-financial institutions are required to inquire about and verify the beneficial ownership information of their customers as part of their AML obligations (Art. 19). The amended AML Law would define “beneficial owner” as a natural person who ultimately owns or controls a legal entity or non-legal entity, or who benefits from such entity, with specific standards to be established by the AML authorities and other relevant agencies (Art. 19). This new requirement for identifying beneficial ownership would impose additional compliance obligations on financial institutions, requiring them to conduct KYC due diligence not only on legal ownership but also on beneficial ownership.
- Enhanced Customer Due Diligence Requirements: Chapter 3 of the amended AML would provide more comprehensive guidance on the measures and procedures that financial institutions must implement to fulfill their AML compliance obligations. In contrast to the current AML Law, which contains 8 articles addressing customer due diligence requirements, the amended AML Law would include 16 articles, significantly expanding and tightening the due diligence obligations on financial institutions.
For example, financial institutions would be expressly prohibited from opening accounts for customers using someone else’s identity, necessitating verification of authorization in such cases (Art. 28). Financial institutions must conduct customer due diligence in the following situations: (i) when establishing a business relationship with a customer or providing one-time financial services above a specified amount; (ii) when there are reasonable grounds to suspect that the customer or its transactions are involved in money laundering activity; and (iii) when there are reasonable doubts about the authenticity, validity, or completeness of previously obtained customer identity information.
Customer due diligence must encompass identifying and taking reasonable measures to verify the identity of both the customer and its beneficial owner, understanding the purpose of the business relationship and transactions, and, for high-risk transactions, assessing the source and intended use of the relevant funds. For transactions assessed as lower risk for money laundering, financial institutions have the flexibility to simplify the due diligence process accordingly (Art. 29).
When a customer conducts business through an agent, the financial institution is required to verify the agency relationship and identify and verify the agent's identity. Finally, when entering into contracts such as life insurance or trust agreements where the beneficiary is not the customer, the financial institution must identify and verify the identity of the ultimate beneficiary (Art. 31).
- Obligations for Continuous Customer Monitoring and Extended Document Retention Period: The amended AML Law would clarify the obligations of financial institutions to continuously monitor customers and their transactions. Throughout the duration of a business relationship, financial institutions are required to consistently assess the overall status of the customer and their transactions, as well as understand the associated money laundering risks. For suspicious transactions, financial institutions may implement risk management measures based on the customer's money laundering risk profile and the necessity to mitigate such risks. These measures may include ongoing monitoring and verification of the customer and their transactions, restricting transaction methods, amounts or frequency, limiting the types of business, refusing to process transactions, or terminating the business relationship (Art. 30).
In conducting customer due diligence, financial institutions would be permitted to collaborate with public security and business registration authorities, as well as other regulatory agencies, such as civil affairs, taxation, immigration, and telecommunications departments, thereby significantly enhancing cooperation and information sharing (Art. 33). Moreover, the retention period for customer documents would be extended from 5 years to 10 years following the termination of the business relationship (Art. 34).
- Third-Party Service Providers: While the amended AML Law would permit financial institutions to engage third-party service providers to conduct KYC due diligence, it would require that such institutions assess the risk profile of such providers and their capability to fulfill AML obligations. If a third-party service provider is deemed high-risk or lacks the necessary capacity to perform AML duties or implement relevant due diligence measures, financial institutions must refrain from using such provider for customer due diligence. The amended AML Law would also emphasize that financial institutions remain responsible for the KYC due diligence conducted by third-party service providers (Art. 32).
- Legal Remedies Available to Customers: Financial institutions have the authority to restrict, suspend, or terminate a customer’s account if that customer refuses to cooperate with the institution in fulfilling AML due diligence requirements. Individuals and entities which object to the money laundering risk management measures implemented by financial institutions may seek relief by lodging complaints with the financial institution, filing administrative petitions with the AML authorities, or initiating litigation in a people’s court (Art. 39).
- Delegation of Investigation Authority to Lower-Level Enforcement Agencies: Under the current AML Law, only provincial-level AML enforcement agencies possess investigative powers. The amended AML Law would decentralize such investigation authority down to municipal-level agencies, which will likely improve the efficiency of AML investigations (Art. 43).
- Cross-Border Investigation and Data Sharing: The amended AML Law would impose more stringent requirements regarding cross-border investigations and data sharing. Article 50 would stipulate that if a foreign country or organization requests a domestic financial institution to provide customer identity information or transaction details, freeze or transfer domestic funds or assets, or undertake other action without adhering to the principle of reciprocity or reaching a mutual agreement with China, the financial institutions may not comply without authorization and must promptly report to the relevant Chinese authority.
Furthermore, Article 50 states that if a foreign country or organization requests that a domestic financial institution provide compliance information, business information, or similar data for overseas compliance and regulatory purposes, the institution may provide or cooperate only after reporting to the relevant Chinese authority. If the data involved includes important data or Personal Information, financial institutions must also comply with China's data security laws and Personal Information protection regulations.
The aforementioned requirements may present significant challenges for multinational financial institutions operating in China. For instance, these institutions are often obligated to adhere to group-level compliance policies as well as AML and economic sanctions laws from their home countries, including Office of Foreign Assets Control (OFAC) regulations in the U.S. and the EU sanctions regime. During the screening process, if a customer appears on a sanctions list (e.g., Specially Designated Nationals or SDN), the subsidiaries of international financial institutions in China are typically required to implement compliance measures. Such measures may include ceasing transactions, blocking payments, freezing accounts, terminating business relationships, and reporting the customer’s identity and related transactions to their overseas head office to fulfill compliance obligations.
However, the amended AML Law would seem to prohibit Chinese subsidiaries of international financial institutions from undertaking such actions or sharing information about blocked transactions with their head offices unless those actions are conducted on a reciprocal basis and an agreement has been reached between the foreign country and China. Furthermore, if the exported data includes Important Data or Personal Information, it may trigger regulatory requirements for standard contract filing or an outbound data transfer security assessment in China under China’s Data Security Law and/or Personal Information Protection Law. In such cases, subsidiaries of international financial institutions in China must submit an application to the Cyberspace Administration of China (CAC) for clearance.
- Substantial Increase in Penalties for Violations: Articles 51 to 59 would significantly enhance the penalties for breach of AML obligations. Fines for minor violations, such as failure to establish a robust internal AML compliance system or neglecting to conduct customer due diligence as required by law, would be raised to RMB 2 million from the previous limit of RMB 500,000. For serious violations that result in the concealment or disguise of criminal proceeds or the occurrence of terrorist financing, financial institutions face fines of up to RMB 10 million if the amount involved is below RMB 10 million, or between 20% to 200% of the amount involved if it exceeds RMB 10 million.
Moreover, directors, supervisors, senior management, and other individuals directly responsible within financial institutions may also face substantial fines for misconduct, Finally, financial institutions and their accountable personnel may face restrictions or bans on conducting business imposed by relevant financial regulatory authorities.
In sum, the amended AML would bolster China’s capabilities in monitoring and combating money laundering activity, particularly those linked to emerging technologies like virtual currencies, livestreaming platforms, online game currencies, and digital platforms. The amended Law would constitute significant enhancement of requirements related to beneficial ownership and continuous monitoring obligations, while also streamlining AML investigations and enforcement processes.
Moreover, the amended AML may present particular challenges for multinational financial institutions operating in China, especially concerning the stricter requirements for cross-border data sharing and the implementation of group-level compliance policies. The prohibition on Chinese subsidiaries of international financial institutions from providing customer identity information, transaction details, or taking actions such as blocking, freezing, or terminating customer accounts without prior reporting to Chinese authorities may create substantial hurdles in adhering to the compliance policies of their overseas corporate parents. Additionally, restrictions on cross-border data transfers may impose a significant regulatory burden on these subsidiaries, particularly given the high volume of data exchanges that could easily trigger obligations related to standard contract filings or security assessments under China’s Data Security Law and Personal Information Protection Law.
Furthermore, the incorporation of national security considerations within the amended AML may lead to enforcement actions that extend beyond traditional AML concerns, encompassing a broader range of national security considerations. Conversely, more stringent enforcement of money laundering activity may hamper the ability of entities to engage in transactions which breach sanctions imposed by foreign jurisdictions.
Finally, it can be anticipated that AML regulations, including those governing the reporting of suspicious or large transactions, will also be revised after the amended AML is finalized. Consequently, the full impact and reach of the amended AML Law remains to be seen.
Footnotes
