(Guideline Chapter 5)

CDD is intended to enable GRDA to form a reasonable belief that it knows the true identity of each customer and, with an appropriate degree of confidence, knows the type of business and transactions the customer is likely to undertake. The CDD requirements are set out in Schedule 2 to the AMLO. Depending on specific circumstances, GRDA may also need to conduct additional measures referred to as enhanced customer due diligence (“EDD”) or, alternatively, may conduct simplified customer due diligence (“SDD”).

customer due diligence

What are GRDA CDD measures ?

The CDD measures applicable to GRDA under section 2 of Part 2 of Schedule 2 to the AMLO are:

  • identifying the customer and verifying the customer’s identity;
  • identifying and taking reasonable measures to verify the beneficial owner’s identity;
  • obtaining information on the purpose and intended nature of the business relationship (if any) established with GRDA;
  • if a person purports to act on behalf of the customer:
    • identifying the person and taking reasonable measures to verify the person’s identity;
    • verifying the person’s authority to act on behalf of the customer.

When must GRDA apply CDD ?

GRDA must apply CDD :

  • before establishing a business relationship with the customer;
  • before carrying out for the customer an occasional transaction that involves an amount equal to or exceeding an aggregate value of HK$120,000, whether carried out in a single operation or several operations that appear to be linked;
  • when GRDA suspects that the customer or the customer’s account is involved in ML/TF regardless of the levels of transaction of (2) above;
  • when GRDA doubts the veracity or adequacy of any information previously obtained for the purpose of identifying the customer or for the purpose of verifying the customer’s identity.

Can CDD be completed after the creation of a business relationship ?

GRDA must complete the CDD process before establishing any business relationship or before carrying out a specified occasional transaction. Where GRDA is unable to complete the CDD process, it must not establish a business relationship or carry out any occasional transaction with that customer and should assess whether this failure provides grounds for knowledge or suspicion of ML/TF and filing a STR with the JFIU.

What if fail to complete verification of identity after business relationship ?

After 60 working days of establishment of a business relationship with a customer

  • GRDA must suspend the business relationship and refrain from carrying out further transactions (except to return funds to their sources, to the extent that this is possible)

After 120 working days of establishment of a business relationship with a custom

  • GRDA must terminate the business relationship with the customer.
  • when terminating a relationship where funds or other assets have been received, GRDA must return the funds or assets to the source from which they were received. GRDA can not return the funds or assets to third party, this means that the funds or assets should be returned to the customer/account holder. (not applicable where GRDA is served a restraint order or confiscation order.)

Is re-verification needed ?

GRDA is obligated to take steps from time to time to ensure that customers’ information obtained for the purposes of complying with the requirements of sections 2 and 3 of Part 2 of Schedule 2 to the AMLO is up-to-date and relevant. GRDA policy is to undertake periodic reviews of existing records of customers and conduct review under circumstances of certain triggering events, including:

  • when a significant transaction (i.e. in terms of monetary value or where the transaction is unusual or not in line with the licensee’s knowledge of the customer) is to take place;
  • when a material change occurs in the way the customer’s account is operated;
  • when GRDA's customer  documentation standards change substantially; or
  • when GRDA is aware that it lacks sufficient information about the customer concerned.


All high-risk customers should be subject to a minimum of an annual review, and more frequently if deemed necessary by GRDA, of their profile to ensure the CDD information retained remains up-to-date and relevant.