1. No Tolerance to Money Laundering and Terrorist Financing
OCTO3 has no tolerance for money laundering, the financing of terrorism or any other form of illicit activity, and is committed to implementing appropriate policies, procedures and controls to prevent those activities. OCTO3’s policies are shaped by industry best practices, a risk-based approach and the effective anti-money laundering standards applied in Hong Kong and worldwide.
The purpose of this text is to provide to OCTO3’s Clients, Providers, Partners, Vendors, Contractors, Employees, Law enforcement and other concerned stakeholders a high-level and summarized overview of OCTO3’s main AML/CTF policies and procedures. By no means is this content to be considered as the whole set of all policies, procedures and controls that are implemented and in place by OCTO3 for prevention of money laundering, financing of terrorism and other forms of illicit activity.
This document and all underlying policies, processes and procedures are prepared in line with provisions, requirements and recommendations as contained in applicable laws of Hong Kong and FATF Guidance.
OCTO3 has decided to comply with the Money Laundering and Terrorist Financing Prevention laws which require OCTO3 to identify and verify its clients’ identities appropriately, conduct ongoing monitoring of their activity (including transaction monitoring), maintain records of clients’ activity and related documents for five years and report suspicious transactions to the authorities.
Accordingly, it is OCTO3 policy to apply suspicious transaction reporting and financial sanctions related procedures to all clients, in particular the customer due diligence (CDD) and ongoing monitoring procedures, as specified hereinbelow.
OCTO3 understands Money Laundering as:
- The conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action;
- The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;
- The acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;
- Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points above.
- Tax evasion such as that specified in Section 82 of the Inland Revenue Ordinance. Fraud or false accounting under Sections 16A or 19 respectively of the Theft Ordinance. Dealing in property known or believed to represent the proceeds of an indictable offence under Section 25(1) of the Organized and Serious Crimes Ordinance (“OSCO”) or drug trafficking under Section 25(1) of the Drug Trafficking (Recovery of Proceeds) Ordinance (“DTROP”) (and “property” has a broad definition under the relevant legislation), various bribery offences under the Prevention of Bribery Ordinance. Breaches of targeted financial sanctions.
OCTO3 understands Terrorist Financing as:
Providing funds for terrorist activity, meaning the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of the law. This activity is done by intentionally killing, seriously harming or endangering a person, causing substantial property damage that is likely to seriously harm people or by seriously interfering with or disrupting essential services, facilities or systems.
2. Risk-Based Approach
OCTO3 takes a risk-based approach (“RBA”) towards assessing and containing the money laundering and terrorist financing risks arising from any transactions it has with clients and uses all available data when reviewing client activity.
OCTO3 performs a risk-based due diligence and collects necessary information and documentation on each prospective client in order to assess the risk profile. Before entering into a client relationship, necessary checks are conducted in line with the RBA so as to ensure that the identity of the clients does not match with an entity with a known criminal background or with banned entities, such as terrorist organizations. Enhanced due diligence is required for clients who are deemed to be of high risk, especially those for whom the business activity (sources of funds) is not clear, or for transactions of higher value and frequency, which can be determined by OCTO3 at its sole and absolute discretion.
OCTO3’s employees exercise care, due diligence and good judgement in determining the overall profile and business nature of its clients. OCTO3 conducts its business in accordance with the highest ethical standards and may decide not to enter into a client relationship that can adversely affect OCTO3’s reputation.
For the purpose of identification, assessment and analysis of risks related to its activities, OCTO3 has established a risk assessment, taking account of the following factors:
- Client risk;
- Geographical risk;
- Product risk;
- Delivery channel risk.
After the risk is assessed and attributed to a particular client, it will be revised periodically, depending on the assigned degree of risk, upon knowledge of the client and its activities.
3. Client Due Diligence
OCTO3 may require its business clients to undergo proper due diligence or Know Your Business (KYB) checks before using OCTO3 services. This includes, without limitation:
- A high-resolution, clearly readable, non-expired, detailed and verifiable copy of the company incorporation document. This must include details on the ownership of the company, its address, tax number, website, purpose and activities;
- A description of the sector and business activities and corresponding online website. The website must be registered under the same entity name as the certificate of incorporation provided;
- Details of the bank account of the client.
Additionally, for any clients deemed to be of high risk, the Identity Verification may include:
- A high-resolution, clearly readable, non-expired copy of the business beneficial owners’ government-issued ID or IDs (passport, national identity card and/or a driver’s license);
- A high-resolution, clearly readable, non-expired proof of address document not older than 3 months. The document must carry the client’s business name and address (recent utility bill or bank statement);
- A video conference with the account holder/business contact person and/or company director(s), if deemed necessary.
Further documentation may be required for businesses operating in certain regulated, restricted or high-risk sectors of activity.
Care must be taken that all documents provided are true copies of the original. Providing false, forged or modified documents, or documents meant to deceive, will be considered fraud and treated as such. Such activity may also be reported to the relevant authorities.
OCTO3 may use recognized and specialized electronic providers for the technical acquisition of the identity data. OCTO3 may also decide to use the following non-documentary methods of verifying identity:
- Independently verifying the client’s identity through the comparison of information provided by the client with information obtained from a consumer reporting agency, public database or other source;
- Checking references with other institutions;
- Analyzing whether there is logical consistency between the identifying information provided, such as the client’s name, street address, postal code, and date of birth;
- Utilizing complex device identification (such as “digital fingerprints” or IP geolocation checks); and
- Obtaining a notarized or certified true copy of an owner, manager, shareholder or government-issued ID for valid identification.
When there shall be any suspicion of illicit activity including money laundering or terrorism financing activities, or where there shall be any doubt about the adequacy or veracity of previously obtained clients’ identification data, further due diligence measures shall be undertaken, including verifying the identity of the client again and obtaining information regarding the purpose and intended nature of the relationship with OCTO3.
4. Compliance Officer
OCTO3 is to have a Compliance Officer, who performs the AML/CTF duties and obligations of OCTO3. The Compliance Officer is to report directly to the management board and has the competence, means and access to relevant information across all the structural units of OCTO3.
The duties of the Compliance Officer include, among others:
- Organization of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing;
- Reporting to the Joint Financial Intelligence Unit (JFIU) in the event of suspicion of money laundering or terrorist financing;
- Periodic submission of written statements on compliance with the requirements to the management board of OCTO3;
- Performance of other duties and obligations related to compliance with the requirements of OCTO3;
- Responsible for managing OCTO3’s reporting procedures, liaising with JFIU where consent is required, keeping OCTO3’s policies and procedures up-to-date and communicating those policies and procedures to principals, staff and sub-contractors;
- Overall responsibility for ensuring that OCTO3’s policies and procedures are complied with and are sufficient to meet the requirements of the law and the HKICPA Guidelines. This will involve periodic testing (at least annually) of OCTO3’s systems, including reviewing relevant records to ensure that the policies and procedures are operating properly;
- Updating internal policy document, business and client risk assessment regularly.
All principals and managers are responsible for ensuring that these policies, together with the accompanying procedures in the manual, are followed for their clients.
The Compliance Officer is responsible for ensuring that all principals and relevant staff have received adequate training and are aware of OCTO3’s policies and procedures.
5. Rules of Procedure and Internal Controls
OCTO3 may develop and implement rules of procedure that allow for effective mitigation and management of risks relating to money laundering and terrorist financing.
The rules of procedure may include the following:
- a procedure for the application of due diligence measures regarding a client, including a procedure for the application of simplified and enhanced due diligence measures;
- a model for identification and management of risks relating to a client and its activities and the determination of the client’s risk profile;
- the methodology and instructions where OCTO3 has a suspicion of money laundering and terrorist financing or an unusual transaction or circumstance is involved, as well as instructions for performing the reporting obligation;
- the procedure for data retention and making data available;
- instructions for effectively identifying whether a person is a politically exposed person or a local politically exposed person subject to international sanctions.
OCTO3, where relevant, may apply the following due diligence measures:
- ask the client to provide a Hong Kong identity document or, in the case of a foreigner, a valid international passport or other travel document;
- ask for a current national (i.e., government or state-issued) identity card bearing the photograph of the individual;
- ask for a current valid national (i.e., government or state-issued) driving license incorporating photographic evidence of the identity of the applicant, issued by a competent national or state authority;
- request identification of the company based on documentation submitted by the client;
- request identification of the company’s sector of activity, place of incorporation and public profile (where applicable);
- verify the company-related information and documentation submitted by the client;
- request identification of the beneficial owner(s) at the proper tier level, for the purpose of verifying their identity, taking measures to the extent that allows OCTO3 to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the client;
- perform additional due diligence for the client and its transactions, as necessary per established risk assessment policies and procedures;
- maintain ongoing monitoring of the business relationship and transactions.
6. Simplified Due Diligence
OCTO3 may apply simplified due diligence (“SDD”) measures where a risk assessment prepared on the basis of these rules of procedure identifies that, in the case of the jurisdiction, economic sector of activity or amounts transacted, the risk of money laundering or terrorist financing is lower than usual.
Before the application of SDD measures to a client, an employee of OCTO3 establishes that the business relationship, transaction or act is of a lower risk and OCTO3 attributes to the transaction, act or client a lower degree of risk.
The application of SDD measures is permitted to the extent that OCTO3 ensures sufficient monitoring of transactions, acts and business relationships, so that it would be possible to identify unusual transactions and allow for notifying of suspicious transactions in accordance with these rules of procedure.
7. Enhanced Due Diligence
OCTO3 may apply enhanced due diligence (“EDD”) measures in order to adequately manage and mitigate a higher-than-usual risk of money laundering and terrorist financing.
EDD measures may be applied when:
- Upon analysis of submitted client information and documents, there are reasonable doubts as to the truthfulness of the submitted data, authenticity of the documents or the true purpose of its business activities;
- The client is engaged in a sector or activity classified as high risk;
- The client is incorporated in a jurisdiction classified as high risk (e.g., in jurisdictions that have not established effective AML/CTF systems that are in accordance with the recommendations of the Financial Action Task Force).
OCTO3 also applies EDD measures where the risk is assessed as higher, in accordance with its internal policies and procedures.
8. Sector and Jurisdiction Restrictions
While it’s beyond OCTO3’s scope to set policies for the client’s own business dealings, OCTO3 reserves the right to not serve clients who themselves have business activities, clients or otherwise accept purchases originating from certain jurisdictions.
9. Politically Exposed Persons
Politically Exposed Persons (“PEP”) (as well as their families and persons known to be close associates, as described below) are required to be subject to enhanced scrutiny by reporting entities. This is because international standards issued by the Financial Action Task Force recognize that a PEP may be in a position to abuse their public office for private gain and a PEP may use the financial system to launder the proceeds of this abuse of office.
PEP means a natural person who is or who has been entrusted with prominent public functions including:
- head of State;
- head of government;
- minister and deputy or assistant minister;
- a member of parliament or of a similar legislative body;
- a member of a governing body of a political party;
- a member of a supreme court;
- a member of a court of auditors or of the board of a central bank;
- an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces;
- a member of an administrative, management or supervisory body of a State-owned enterprise;
- a director, deputy director and member of the board or equivalent function of an international organization.
PEPs do not include middle-ranking or more junior officials.
Family member of a PEP means the spouse, or a person considered to be equivalent to a spouse, of a PEP or local PEP; a child and their spouse, or a person considered to be equivalent to a spouse, of a PEP or local PEP; a parent of a PEP or local PEP.
A person known to be a close associate of a PEP means a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a PEP or a local PEP; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a PEP or local PEP.
10. Sanctions
Dealing with persons against whom international sanctions have been imposed poses a great risk to OCTO3, its directors, officers and owners. Per its established policy, OCTO3 does not do business with companies under sanctions. Sanction lists considered include, among others:
- UN Sanctions;
- Sanctions administered by the Office of Foreign Assets Control (“OFAC-US”);
- Anti-money laundering section of the HKMA website (at: https://www.hkma.gov.hk/eng/key-functions/banking/anti-money-laundering-and-counter-financing-of-terrorism/) as well as HKMA's Circulars & Guidance Papers section (see https://www.hkma.gov.hk/eng/key-functions/banking/anti-money-laundering-and-counter-financing-of-terrorism/guidance-papers-circulars/).
All verified matches are automatically blocked and the matter escalated to a Compliance Officer for further analysis and appropriate actions.
11. Suspicious Activity Monitoring and Reporting
An investigation into suspicious activity will try to establish the true motivation behind the activity in question. This may result in confirmation of the suspicious activity or removal of reasonable doubt. If suspicious activity is confirmed, the issue will be escalated accordingly both internally and externally. When such suspicious activity is detected, the Compliance Officer will determine whether a filing with any law enforcement authority is necessary.
Where OCTO3 identifies an activity or facts whose characteristics refer to the use of criminal proceeds or terrorist financing or other criminal offences or an attempt thereof or with regard to which OCTO3 suspects or knows that it constitutes money laundering or terrorist financing or the commission of another criminal offence, a Compliance Officer must report it to JFIU diligently.
OCTO3 and all its employees, officers and directors are prohibited from informing a person, its beneficial owner, representative or third party about a report submitted on them to the JFIU, an intention to submit such a report, or the commencement of criminal proceedings.
12. Termination of Services
OCTO3 reserves the right to deny or terminate servicing a client or account at any time in line with the terms stipulated in the User Agreement if suspicion arises that a client is involved with or connected with money laundering, criminal activity, terrorist financing or any other predicate offense to money laundering or terrorist financing.
13. Data Retention
OCTO3 is obligated to retain all of the following documents and information which served for identification and verification of the client, for at least [five] years from the end of the business relationship or the date of the transaction as applicable:
- CDD checks
- details of beneficial ownership
- know-your-client forms
- evidence of staff training
- internal reports to the MLRO
- external reports to JFIU
- OCTO3’s risk assessment
- OCTO3’s compliance checks
- transaction files
The latest records of CDD checks, details of beneficial ownership and know-your-client forms for clients with whom OCTO3 had a business relationship will be kept for at least [five] years from the end of the relationship.
OCTO3 implements necessary rules for the protection of personal data upon application of the requirements arising from its obligations hereunder.
OCTO3 is allowed to process personal data gathered upon implementation of these rules only for the purpose of preventing money laundering and terrorist financing.
14. Training and Hiring
The Compliance Officer shall ensure that OCTO3’s employees are fully aware of their legal obligations under the AML/CTF regime. All relevant staff are to have training on the following:
- Guidelines on Anti-Money Laundering and Counter-Terrorist Financing for Professional Accountants issued by the HKICPA;
- Applicable sections of the following ordinances:
  - AMLO - Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions and Designated Non-Financial Businesses and Professions) Ordinance (Cap. 615);
  - DTROP - Drug Trafficking (Recovery of Proceeds) Ordinance (Cap. 405);
  - OSCO - Organized and Serious Crimes Ordinance (Cap. 455);
  - UNATMO - United Nations (Anti-Terrorism Measures) Ordinance (Cap. 575);
- Guideline on Compliance of Anti-Money Laundering and Counter-Terrorist Financing Requirements for Trust or Company Service Providers, issued by the Companies Registry.
The Compliance Officer is to make employees aware of OCTO3’s policies and procedures to prevent money laundering and combat terrorist financing and to give the employees regular updates on identifying and dealing with suspicious transactions. This will generally be at least annually.
The timing and content of the training provided is determined according to the needs of OCTO3. The frequency of the training can vary depending on the amendments of legal and/or regulatory requirements, employees’ duties as well as any other changes in the business model. The training program aims at educating OCTO3’s employees on the latest developments in the prevention of money laundering and terrorist financing.
15. Cooperation and Information Requests
OCTO3 may cooperate with supervisory and law enforcement authorities in preventing money laundering and terrorist financing, thereby communicating information available to OCTO3 and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation.