AML/KYC Laws and Regulations in Hong Kong (2024)

Hong Kong is a leading global financial center with transparent markets that correspond with the international standards. Year after year, it retains the leading spot as the least complex jurisdiction for doing business in the Asia-Pacific (APAC) region. Hong Kong’s low tax rate and eagerness to introduce new technologies, such as AI, to its financial markets make the city especially attractive for investors. 

Yet, when you launch in Hong Kong, it’s essential to understand the current state of anti-money laundering (AML) and what regulations you should follow in order to stay compliant.

Money laundering in Hong Kong

Hong Kong’s authorities are actively confronting the spread of money laundering. Earlier this year, Hong Kong customs managed to nab seven people involved in laundering over HK$14 billion (approximately $1.8 billion), linked to a mobile scam scheme originating in India. This case, along with similar instances, demonstrate that Hong Kong’s authorities are taking proactive measures to minimize the number of money laundering activities in the country. 

The Financial Action Task Force (FATF) has concluded that “Hong Kong has a good legal structure to combat money laundering (ML) and terrorist financing (TF)” in its latest mutual evaluation report. 

To understand Hong Kong’s current regulatory framework and the path it’s planning to take in the near future, we at Sumsub have prepared this guide with all the necessary information.

Who is affected?

AML regulations apply to all financial institutions (fiS) and Designated Non-Financial Businesses and Professionals (DNFBPs). 

Financial institutions (FIs) include: 

• Authorized insurers
• Licensed individual insurance agents
• Licensed insurance agencies
• Licensed insurance broker companies
• Licensed money service operators
• The Postmaster General
• An SVF licensee
• Fintech providers, such as Payment Service Providers, neo-banks as well as Non-bank financial institutions, which include non-bank lenders, online lenders, peer-to-peer lenders
• Investment managers and financial planners
• Cryptocurrency service providers
• Banks, building societies, and credit unions
• Asset managers, hedge fund managers, and fund managers
• Cash in transit service providers responsible for the movement of physical cash

DNFBPs include:

• Accounting professionals
• Estate agents
• Legal professionals
•  Trust or Company Service Providers (TCSP) licensee 
•  Category B PMS registrants

Hong Kong AML regulations

While there are many regulations that businesses need to comply with in Hong Kong, the main one is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO). The regulation provides the framework for recordkeeping and risk-based customer due diligence requirements. It also grants power to relevant authorities to oversee affected institutions. 

Hong Kong’s government bodies are constantly issuing new regulations and amending existing ones. For example, in September 2021, the Securities and Futures Commission (SFC) issued an updated version of its Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations), which includes the following initiatives:

• Institutional risk assessment to help financial institutions assess ML/TF vulnerability levels
• FI(s) are required to establish and implement adequate and appropriate AML and CFT policies, procedures and controls, on a risk-based approach—meaning that they can take into account the products and services offered, types of customers, geographical locations and other factors prescribed in the AML/CFT Guideline
• Adopting a risk-based approach to simplified and enhanced Customer Due Diligence (CDD) requirements
• Identifying indicators for suspicious transactions involving third-party deposits and payments. As part of the suspicious activity identification process, FIs are expected to take further steps and obtain additional information (for example, asking customers appropriate questions, evaluating any justifications provided by customers, and checking their records)
• FIs should only accept third-party deposits or payments under exceptional circumstances and when they are reasonably in line with the customer’s profile and normal commercial practices
• Updated CDD requirements and measures for cross-border correspondent banking relationships

In February 2023, the Hong Kong Monetary Authority updated its guidelines on transaction monitoring, screening, and reporting. The requirements were introduced to strengthen Hong Kong’s AML system and follow the Financial Action Task Force’s (FATF) recommendations. 

Suggested read: Crypto Regulations in Hong Kong

Who are the regulators?

• Hong Kong Monetary Authority (HKMA) supervises banks and other financial institutions, ensuring that they comply with AML regulations. 
• The Securities and Futures Commission (SFC) enforces the regulations within the securities and investment industry. 
• The Financial Services and the Treasury Bureau (FSTB) formulates and implements policies on AML. 
• The Insurance Authority, Customs and Excise Department, and Hong Kong Police Force (HKPF) play a crucial role in investigating and combating money laundering and terrorism financing offenses in Hong Kong, collaborating with other regulatory bodies and intelligence agencies to address financial crimes.

Hong Kong KYC requirements

When it comes to KYC requirements in Hong Kong, the following CDD measures are mandatory for financial institutions:

• Identifying and verifying customers using documents, personal data, or information provided by a reliable and independent source
•  Identifying and taking reasonable measures to verify the beneficial owner’s identity

Financial institutions should identify customers who are natural persons by obtaining the following information:

• Full name
• Date of birth
• Nationality
• Unique ID* number (for example, an identity card number or passport number) and document type. 

*IDs that can be used to verify one’s identity in Hong Kong include: 

• National Identity Card (HKID)
• Driver’s Licence
• Passport

Address Verification

The following documents are considered proof of address in Hong Kong: 

• Current utility bills (gas, electric, telephone or mobile, etc.) issued no later than three months ago with the client’s address and name;
• Bank statements (issued no more than three months ago and showing the end-user’s address and name); 
• A government-issued document that shows the applicant’s name and address. 

Financial institutions are required to ensure all documents and information obtained to verify the customer’s identity is relevant. They also must understand the purpose and intended nature of the business relationship. Accordingly, the following information should be obtained:

• The nature and details of the customer’s business/occupation/employment
• The expected nature of the business relationship (for example, the number of expected transactions)
• The location of the customer
• The expected source and origin of the funds to be used in the business relationship
• Initial and ongoing source(s) of wealth or income

How to comply with AML/KYC regulations

Financial institutions must apply situation-specific CDD measures. This includes taking a risk-based approach, performing ongoing monitoring, and record-keeping.

Risk-based approach

Financial institutions should evaluate the risks associated with new or existing business relationships to determine the degree, frequency, and extent of the CDD measures and ongoing monitoring required. The scope of CDD measures taken should vary according to the ML/TF risks assessed with regard to the customer.

Politically exposed persons (PEPs)

The Guidance also requires financial institutions to implement appropriate risk management systems to identify PEPs. Once a PEP is detected, financial institutions need to:

• Get approval from senior management to establish or continue the business relationship
• Distinguish between Hong Kong, non-Hong kong, and former Hong Kong PEPs
• Determine the beneficial owner’s source of wealth and source of funds
• Conduct enhanced ongoing monitoring of the business relationship
• Consider and analyze the seniority of the customer’s position as well as the influence they can exercise
• Evaluate the social, economic, and cultural structure of the PEP’s jurisdiction 

PEP status doesn’t always mean that an individual is corrupt or involved in any criminal activity. Therefore a risk-based approach can be adopted depending on the jurisdiction, position, influence, and transactions relevant to the PEP. However, close attention must still be paid to them, especially if the customer is from a foreign country widely known for bribery, corruption, and financial irregularity.

Additional CDD requirements

Financial institutions should establish and maintain adequate measures for reducing the risks associated with cross-border correspondent relationships. When a financial institution establishes a cross-border correspondent relationship, they should:

• Collect adequate information about the respondent institution to understand the nature of its business
• Determine the reputation of the respondent institution
• Construct and assess the economic profile of the institution
• Evaluate the effectiveness of the respondent institution’s AML/CFT controls
• Obtain approval from its senior management
• Understand the AML/CFT responsibilities of financial and respondent institutions within the cross-border correspondent relationship

Not all cross-border correspondent relationships pose the same ML/TF risk levels. Therefore, additional CDD measures vary depending on several factors:

• The purpose of the cross-border correspondent relationship
• The nature and expected volume and value of transactions
• How the respondent institution provides services to its main customers through the correspondent account
• The types of main customers
• The quality and effectiveness of AML regulation in the region where the respondent institution operates

If any cross-border correspondent relationship presents higher risks, an in-depth review of the respondent institution’s AML/CFT controls should be conducted, including:

• Interviewing compliance officers
• Conducting an on-site visit
• Reviewing the findings reported by internal or external auditors
• Reviewing financial statements

There is also a provision for the staff of licensed corporations to avoid tipping off the CDD process. Tipping-off means disclosing that a suspicious transaction report or anything related has been filed. This can include the following behavior:

• Changing the way the financial institution handles the account
• Informing people unrelated to the investigation of suspicions
• Disputing the customer’s explanation

If the financial institution reasonably suspects that performing the CDD process will tip off the customer, it may stop the process.

Ongoing monitoring

Financial institutions should review existing CDD records of customers on a regular basis and/or upon triggering events such as substantial transactions and appearance of adverse media. This is to ensure that documents, data, and information about a customer is up-to-date and relevant.

Record-keeping

Record-keeping is essential to detect, investigate, and confiscate criminal property or funds. Check results, together with all screening records, must be documented or recorded electronically throughout the business relationship with the customer and for at least five years after the end of the business relationship.

Suggested read: Compliance Guidelines: Hong Kong

What are the penalties?

Penalties may include fines, license revocation, and imprisonment. If a company violates obligations provided by the AMLO, the fine may go up to HK$1,000,000 (approximately $128,000) with imprisonment of up to seven years, depending on the circumstances. If a person conducts a money laundering offense, the penalty may go up to HK$5,000,000 (approximately $640,000) and 14 years imprisonment.

Fintech 2025 Strategy

In June 2021, HKMA issued a new strategy, “Fintech 2025,” focused on the complete digitalization of financial institutions by 2025. This strategy encourages the financial sector to adopt new measures, including regulatory technology (Regtech), to combat new money laundering and fraud challenges in the digital era. These measures include:

• Driving fintech demand by facilitating the application of new technology by banks
• Enhancing data infrastructure to enable fintech application
• Growing the ecosystem for the HK fintech industry

This means that financial institutions should get ready for complete digitalization and the resulting impacts on AML/CTF measures.

The following industries will face changes:

Banks

In 2017, the Smart Banking Era Strategy was announced, promoting fintech adoption by Hong Kong banks by digitizing operations from front-end to back-end. The HKMA will assess banks’ current and planned stages of fintech adoption in the coming years to identify weaknesses and provide help if necessary.

Central Bank Digital Currencies (CBDC)

The HKMA has been working with the BIS Innovation Hub Hong Kong Centre to research retail CBDCs and the e-HKD to discover use cases, benefits, and related risks. The HKMA will also continue collaborating with the People’s Bank of China to support technical testing of the e-CNY in Hong Kong to provide convenient cross-boundary payments for domestic and mainland residents.

Key industry players and policymakers

The HKMA will establish a Fintech Cross-Agency Coordination Group to collaborate with key industry players to formulate supportive policies for the Hong Kong fintech ecosystem. Moreover, the Fintech Supervisory Sandbox will provide funding support to qualified fintech projects.

To meet the above objectives, the HKMA consulted the management of financial institutions to make sure they have sufficient resources and relevant subject matter experts to get ready for new technology initiatives.

It’s evident that financial regulators in Hong Kong are raising their compliance standards, which comes with both economic and legal consequences. Since the new requirements are already approved, businesses should start preparing now.