Financial institutions must conduct client due diligence, which is similar to the process for “know your clients" adopted by international financial institutions. This is designed to help financial institutions verify their clients’ identities, confirm they’re not on any prohibited lists, and assess their risk factors.  

Client due diligence is an ongoing process that begins as soon as a client applies for an account and continues until the account is closed. An effective client due diligence process normally involves the following steps:

1) Identity Authentication – During this stage of the process, a client’s information should be gathered and then authenticated.

In fact, identity authentication was introduced in the Provisions on Individual Deposit Accounts Under Real Names (in Chinese: 个人存款账户实名制规定) early in the year 2000 and was reinforced by Anti-money Laundering Law (in Chinese: 反洗钱法) in 2006 and subsequent regulations. However, it appears that financial institutions have not properly adhered to these laws and regulations because of outdated technology, a performance-driven culture, and other factors, as seen by the frequency of telecom and online fraud.

ATOFL satisfied the need for identification in order to combat fraud and demonstrated that this could be accomplished with the aid of systems for information-sharing set up by the relevant authorities (i.e., the authorities overseeing the areas of finance, telecom, market regulation, and tax), which should substantially resolve the issue of identifying illegitimate users that had plagued financial institutions for many years.

2) Checks on Number of Accounts – Upon the identification of the client, financial institutions will have to check on the number of accounts that the client already possesses.

This is because financial institutions must limit the number of accounts to be opened for their clients. There are a number of reasons why restricting the number of accounts limits risk. From the perspective of ATOFL, it is intended to reduce the possibility of financial accounts being used for criminal offenses and to facilitate criminal investigations.

The Notice on the Work Regarding the Banking Industry's Crackdown on New Illegal Crimes in Telecom Networks (in Chinese:关于银行业打击治理电信网络新型违法犯罪有关工作事项的通知) issued by China Banking Regulatory Commission in 2015 already specified that the maximum number of bank accounts each client is permitted to have in a single commercial bank is four.

The number of accounts that can be opened at non-banking payment services, such as Tencent Pay, is yet to be provided by relevant regulations. Due to the lack of uniform rules, non-banking payment services usually implement their own policies on the number of accounts their clients are permitted to have; for instance, five in Tencent Pay and six in Alipay.

3) Risk Level Categorization – Once the identity of the client is verified and vetted, financial institutions must then categorize the level of risk the client poses and determine the appropriate level of risk management to avoid telecom and online fraud activities.

Transaction monitoring is the practice of proactively and reactively identifying outlier events, such as money laundering, using rules and data to flag suspicious transactions for the purpose of fighting financial crime. When carrying out such monitoring, financial institutions are advised to take note of the following requirements:

1) Anti-fraud Mechanisms – Financial institutions must develop and implement mechanisms to detect telecom and online fraud. The mechanisms should be designed to enable the institutions to monitor abnormal accounts and suspicious transactions. Further, the mechanisms might be such that in high-priority situations, data can be smoothly passed to public security or other authorities.

2) Preventive Measures – When financial institutions detect any abnormal, suspicious, or malicious account activity, they should immediately take preventive measures, including but not limited to, verifying the transaction, re-authenticating the client’s identity, deferring the settlement, or even restricting or suspending the accounts or transactions, as appropriate.

3) Complaint and Appeal – Financial institutions must inform clients of the reasons for any measures taken against their accounts, and of the means to dispute any such measures. Disputes should be handled in a timely manner.

4) Data Collection – Financial institutes are expressly authorized by ATOFL to collect clients’ internet protocol (IP) addresses, media access control (MAC) addresses, point-of-sale terminal information, and other necessary transaction or device-location information. Unless the client consents, however, the institutions must not use the information for any purpose other than to combat fraud.

Financial institutions have the obligation to raise their clients’ awareness of telecom and online fraud, including by urging them to exercise caution when conducting business and promptly alerting them to new scamming techniques. Financial institutions are also obliged to educate clients with respect to their legal liabilities if they in any way support fraud-related crimes by lending or selling financial accounts.

In general, ATOFL reiterates the importance of client due diligence and demands that financial institutions implement risk management measures and establish internal fraud prevention and detection systems. Furthermore, ATOFL removes the legal barriers that prevent financial institutions from taking appropriate emergency measures on their own, allows them to proactively take measures to prevent fraudulent acts, and establishes a complaint channel. At the same time, ATOFL enhances the legal responsibility of financial institutions, requiring them to be more proactive in detecting and combating fraudulent activities. It is therefore important for financial institutions to review their current anti-scam systems to ensure compliance with ATOFL.