Optimising Business Compliance Efficiency: Key Takeaways and Q&A from Our Webinar
We recently held an insightful webinar on Optimising Compliance Workflows Through Effective Data Visualisation, hosted by the HKMA’s Commercial Data Interchange (CDI). The session was engaging, featuring valuable discussions and numerous thoughtful questions from attendees.
In this Q&A section, we’ve compiled key questions and their answers to provide further clarity on our solutions and the topics covered. Our expert team explored how we can help financial institutions access accurate company data from over 140 official registries, streamline compliance processes, and transform complex data into visually compelling insights.
We appreciate the interest and contributions from all participants, and we look forward to sharing more insights as we continue to enhance CDI’s engagement in the Hong Kong community.
1. Can your company check the beneficial owner information of offshore companies in the BVI, Samoa, and the Cayman Islands?
Yes, but only to a certain extent. This depends on what information is publicly available within the registry. If that information is not accessible, we will be unable to retrieve it. The system still delivers huge value uncovering the corporate structure through multiple levels up to this point and it includes functions to manage documents and information retrieved in a manual way.
2. The solution has access to company registries across 140+ countries. Does it include China?
Yes.
3. What is the coverage percentage of companies in Hong Kong and China?
It is 100% for both. Our system operates as a pass-through live access to the company registries and so every single entity legally registered is also in our system.
4. Can we run a batch query?
Yes.
5. Do we need customer authorisation before the query?
As the information is publicly available, this is not a requirement. In CDI technical terms this is consent type=no consent required.
6. Will end users be able to retrieve protected information from ICRIS once we subscribe to the service?
Yes, using your firm’s CR special account credentials, our system automatically retrieves the protected information from ICRIS.
7. Can CDI unwrap the masked information of the Hong Kong company registry?
Yes, with special account handling, including full names, ID/passport numbers, and residential addresses.
8. Do you include court information?
We can obtain judgement details.
9. How do you manage data from different countries (Hong Kong, UK, US, Singapore, and China) given their varying regulations?
Data will reside where the account is based, i.e., data residency (Hong Kong clients’ data is stored in Microsoft data centers in Hong Kong or in Singapore/China/Europe, etc.). The AML rules are based on FATF standards but tailored to each jurisdiction.
10. What is the difference between obtaining data from you and getting it directly from ICRIS?
The data is the same, but we help structure the information more effectively, manage account balances, facilitate automatic unravelling of shareholders, and provide special account handling plus added BR documents from the IRD.
11. How much effort (time and cost) would it typically take to connect to CPI to retrieve the information?
It would take around two months to connect directly to CPI (costing 2-3 developers).
12. Is IRD information publicly available? (This refers to business registration from the IRD)
Yes, the Business Registration copy is available through our system for all company types. In addition, we supply BR data and documents for corporate entities that are not registered with the IRD such as sole proprietors and partnerships. The solutions for the Companies Registry and IRD are not separate modules but can be accessed through the system.
13. What information/data can we obtain from the IRD? Does it include tax data?
No, it only includes business data.
14. How does KYC help us compare data differences (such as addresses and beneficial ownership) across different years?
The responsibility always lies with the bank; the golden source is from the company registry. KYC data accuracy is crucial, and all information from the Hong Kong Companies Registry is directly sourced. Data comparison is a mature product used by banks and financial institutions globally and by regulators.
15. How is the cost determined if we choose your solution through CDI?
It is based on the number of cases and the licensing fee.
16. For visualising company structures (with multiple levels), does KYC conduct this automatically when identifying another company in the ownership structure?
Yes, this is done automatically based on established rules. For any company, if a shareholder owns more than 25%, we will identify the ultimate beneficial owner (UBO).
17. Can your solution retrieve bought/sold note information?
No.
18. Does the HKMA consider Know Your Customer as a golden source?
There is no definitive answer; banks should understand the full process of obtaining data from the golden source (Companies Registry). But in Hong Kong, KYC retrieves the data via a direct connection to the CR and the CR is considered a golden source.
19. How long does it take to return the data?
In Hong Kong, it takes a minimum of 55 seconds to obtain all data and documents.
20. The Companies Registry is also connected to CDI but could not access protected information through this channel. How does your company retrieve protected information? Is it through ICRIS?
Yes, we access ICRIS, which involves a process to retrieve masked information.
21. What is the difference between KYC@CDI and CR@CDI?
- 140+ countries vs just Hong Kong
- Addition of BR documents
- Automatic unravelling across jurisdictions
- Special accounts
22. How frequently is the data updated?
There is no update cycle involved at all. All access is live and direct through our system to the company registries. We maintain a live registry connection to ensure that the data is always the latest.
23. For case fees, are they determined by the number of layers or charged per case?
Fees are charged based on the number of corporate entity layers (including users, cases, and jurisdiction). This corresponds well to the effort a manual team would need to spend.
24. Will effective holding be considered?
Yes, we calculate the effective percentage to determine the UBO.
25. Do you have additional information to share regarding data privacy issues, especially when other jurisdictions are involved?
We adhere to all regulations; certain jurisdictions (such as Hong Kong data privacy and EU GDPR (General Data Protection Regulation)) require encryption and have ISO27001 processes in place to always protect sensitive information.
26. When conducting KYC/KYB, are there indicators for classifying customers as high, medium, or low risk (possibly direct or indirect) via the network?
Risk is generally assessed through different modules (such as the country of the company, name screening results, product risk – what products the customer uses, and the medium of interaction – whether face-to-face or online).
27. Can we obtain both data and documents in one go for a single price, or do we need to pay separately?
Data and documents are considered one cost since we always retrieve the documents and convert these into structured data.
28. If we terminate the service with your company after subscribing, can we still retrieve historical company search records (to fulfil the retention period set by the HKMA)?
Yes, we offer a service to offload data.
29. How does the report indicate whether bearer shares are involved?
We are working on functionality to flag bearer shares but will of course not be able to indicate who holds a given set of bearer shares at any point in time.
30. If I am correct, there are regulatory requirements for Chinese data going overseas. Are there any conditions or restrictions for KYC when retrieving Chinese company data?
We can’t give legal advice. Please discuss the data transfer restrictions with your in-house legal counsel. That said, we are much below the limits requiring a Chinese security assessment and there is an exemption in the PIP for when the transfer is necessary to fulfill legal obligations that likely applies in your due diligence work as well.
31. Following up on the data privacy issue, you mentioned that consent is obtained. However, we can only secure consent from the direct customers, including beneficial owners and directors, but not from companies and their connected parties in intermediate layers and ultimate controllers.
We can’t give legal advice, so please discuss the PDPO and GDPR aspects with your in-house legal counsel.
From what we have seen in HK and overseas, our clients rely on this data, being exempt from the privacy provisions. In the PDPO, section 58 (exemption for the prevention of crime) or section 63B (exemption for due diligence exercises) are probably relevant. In the GDPR, it is usually Article 6(1)(c) (Compliance with a Legal Obligation) that allows processing without consent.
32. Are there any monitoring or notifications for updates?
Yes, coming Q4-2024, we are adding a monitoring function that can be set up to alert the users about specific changes immediately after they are published with the CR.
Until then, there is already a periodic KYC refresh function that can be set up to retrieve the full set of information automatically, for example, every 1,3, or 5 years according to risk.
33. Do you foresee the evolution of Web3 and increased anonymity/decentralisation of information influencing KYC solutions in any way?
We believe KYC as a concept (and therefore also the systems and services of Know Your Customer Limited) will be in higher demand than ever before in a more decentralised financial world. In our estimate, it is unlikely that the world powers will relent in their drive to move the Web3/Crypto economy from a largely anonymous to a trusted system.
