Feb 23, 2022

How to Comply With KYC/AML-related Regulatory Developments in Hong Kong

In 2021, Hong Kong regulators encouraged financial institutions to strengthen anti-money laundering (AML) and counter-financing of terrorism (CFT) compliance. The two regulatory authorities responsible were the Hong Kong Monetary Authority (HKMA)—the leading banking regulator—and the Securities and Futures Commission (SFC), responsible for regulating local businesses, securities, and futures markets.

Both authorities issued new regulatory guidelines. The HKMA issued its “Fintech 2025” strategy to encourage fintech adoption and formulate supportive policies for the future fintech ecosystem. Meanwhile, the SFC introduced several AML/CFT Guideline updates, providing practical guidance on strengthening CDD requirements (such as additional requirements for cross-border correspondent relationships).

It’s high time for regulated companies to get prepared. Let’s look closer at the amended requirements to stay compliant.

AML/CFT Guideline updates

In September 2021, the SFC issued an updated version of its Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations), which includes the following initiatives:

  • institutional risk assessment to help financial institutions assess ML/TF vulnerability levels;
  • adopting a risk-based approach to simplified and enhanced Customer Due Diligence (CDD) requirements;
  • identifying indicators for suspicious transactions involving third-party deposits and payments;
  • updated CDD requirements and measures for cross-border correspondent banking relationships.

It’s worth mentioning that most of the regulatory amendments from the AML/CFT Guideline are not particularly extensive. There are, however, two changes that deserve special attention: 1) additional CDD requirements for cross-border correspondent relationships and 2) red flag indicators of suspicious transactions and activities.

Additional CDD requirements for cross-border correspondent relationships

After March 30th, 2022, financial institutions will need to meet updated requirements for cross-border correspondent relationships, which aim to align with the FATF’s Guidance for a Risk-Based Approach for the Securities Sector (October 2018). Accordingly, the FATF requires financial institutions to apply additional due diligence and risk-based measures for business relationships in the securities sector, as well as for cross-border correspondent banking relationships.
The updated AML/CFT Guideline states that:

  • cross-border correspondent relationships occur when a financial institution (referred to as “correspondent institution”) provides services to another financial institution located outside Hong Kong (referred to as a “respondent institution”). These services include:
    1. dealing in securities;
    2. dealing in futures contracts;
    3. leveraged foreign exchange trading.

According to the Guideline, financial institutions may establish cross-border correspondent relationships with respondent institutions around the world. For example, a Hong Kong securities broker can execute trades for a foreign broker who provides services for customers outside Hong Kong.

Red-flag indicators of suspicious transactions and activities

Financial institutions should determine the red flags relevant to them by considering the nature of their customer transactions, as well as the risk profiles of their customers and business relationships.

Financial institutions should review transactions and ask for additional CDD information from a customer when:

  • transactions are unusual and don’t correspond with the customer’s business, risk profile, or source of funds;
  • transactions are complex and involve substantial amounts of money;
  • transactions have no apparent economic or lawful purpose.

Financial institutions should be alert to these red flags to prevent money laundering, terrorist financing and fraud.

How to comply with the AML/CFT Guideline

First of all, financial institutions must apply situation-specific CDD measures. This includes taking a risk-based approach, performing ongoing monitoring, and record-keeping.

Risk-based approach

Financial institutions should evaluate the risks associated with new or existing business relationships to determine the degree, frequency, and extent of the CDD measures and ongoing monitoring required. The scope of CDD measures taken should vary according to the ML/TF risks assessed with regard to the customer.

Customer due diligence (CDD)

The following CDD measures are mandatory for financial institutions:

  1. identifying and verifying the customer using documents, data, or information provided by a reliable and independent source;
  2. identifying and taking reasonable measures to verify the beneficial owner’s identity.

For natural persons, financial institutions should identify the customer by obtaining the following information:

  • full name;
  • date of birth;
  • nationality;
  • unique ID number (for example, identity card number or passport number) and document type.

Financial institutions are required to ensure that the documents or information obtained to verify the customer’s identity are relevant. They must also understand the purpose and intended nature of the business relationship. Accordingly, the following information should be obtained:

  • the nature and details of the customer’s business/occupation/employment;
  • the expected level and nature of the business relationship (for example, the number of expected transactions);
  • the location of the customer;
  • the expected source and origin of the funds to be used in the business relationship;
  • initial and ongoing source(s) of wealth or income.

These are general CDD measures, and the extent of their application may vary according to the risks presented by the customer.

Politically exposed persons (PEPs)

The Guidance also requires financial institutions to implement appropriate risk management systems to identify PEPs. Once a PEP is detected, financial institutions need to:

  • get approval from senior management to establish or continue the business relationship;
  • take reasonable measures to establish the customer’s or the beneficial owner’s source of wealth and source of funds;
  • conduct enhanced ongoing monitoring of the business relationship, should it continue.

PEP status doesn’t always mean that an individual is corrupt or involved in any criminal activity. However, close attention must still be paid to them, especially if the customer is from a foreign country widely known for bribery, corruption, and financial irregularity.

Additional CDD requirements and measures for cross-border correspondent relationships

Financial institutions should establish and maintain adequate measures for reducing the risks associated with cross-border correspondent relationships. When a financial institution establishes a cross-border correspondent relationship, they should:

  • collect enough information about the respondent institution to understand the nature of its business;
  • determine the reputation of the respondent institution;
  • evaluate the effectiveness of the respondent institution’s AML/CFT controls;
  • obtain approval from its senior management;
  • understand the AML/CFT responsibilities of financial and respondent institutions within the cross-border correspondent relationship.

Not all cross-border correspondent relationships pose the same ML/TF risk levels. Therefore, additional CDD measures vary depending on several factors:

  • the purpose of the cross-border correspondent relationship;
  • the nature and expected volume and value of transactions;
  • how the respondent institution provides services to its main customers through the correspondent account;
  • the types of main customers;
  • the quality and effectiveness of AML regulation in the region where the respondent institution operates.

If any cross-border correspondent relationship presents higher risks, an in-depth review of the respondent institution’s AML/CFT controls should be conducted, including:

  • interviewing compliance officers;
  • conducting an on-site visit;
  • reviewing the findings reported by internal or external auditors.

There is also a provision requiring the staff of licensed corporations to avoid tipping off the customer during the CDD process. Tipping-off means disclosing that a suspicious transaction report or anything related has been filed. This can include the following behaviour:

  • changing the way the financial institution handles the account;
  • informing people unrelated to the investigation of the suspicions;
  • disputing the customer’s explanation.

If the financial institution reasonably suspects that performing the CDD process will tip off the customer, it may stop the process.

Ongoing monitoring

Financial institutions should review existing CDD records of customers on a regular basis and/or upon trigger events such as substantial transactions. This is to ensure that documents, data, and information about a customer are up to date and relevant.


Record-keeping

Record-keeping is essential to detect, investigate, and confiscate criminal property or funds. Check results, together with all screening records, must be documented or recorded electronically throughout the business relationship with the customer and for at least five years after the end of the business relationship.

Who’s affected

Amendments to the AML/CFT Guideline will affect financial institutions operating in Hong Kong. As stated in the Guideline, the term “financial institutions” refers to licensed corporations involved in the following regulated activities:

  • Dealing in securities, including:
    • Virtual asset trading platforms, which can be regulated by choice;
    • Security token offerings that are regulated by default.
  • Dealing in futures contracts, including:
    • Cryptocurrency providers, such as bitcoin futures.
  • Leveraged foreign exchange trading;
  • Advising on securities;
  • Advising on futures contracts;
  • Advising on corporate finance;
  • Providing automated trading services;
  • Securities margin financing;
  • Asset management;
  • Providing credit rating services.

In the context of cross-border correspondent relationships, the term “financial institution” refers to businesses falling under the definition set by the FATF Recommendations.

It’s worth mentioning that changes will not only affect local businesses but also overseas companies that have cross-border correspondent relationships with financial institutions in Hong Kong.

“Fintech 2025” Strategy

In June 2021, HKMA issued a new strategy, “Fintech 2025,” focused on the complete digitalization of financial institutions by 2025. This strategy encourages the financial sector to adopt new measures, including regulatory technology (Regtech), to combat new money laundering and fraud challenges in the digital era. These measures include:

  • driving fintech demand by facilitating the application of technology by banks;
  • enhancing data infrastructure to enable fintech application;
  • growing the ecosystem for the HK fintech industry.

This means that financial institutions should get ready for complete digitalization and the resulting impacts on AML/CFT measures.

Who’s affected

The following industries will face changes:

  • Banks

In 2017, the Smart Banking Era Strategy was announced, in which HKMA promotes the adoption of fintech by Hong Kong banks by digitizing operations from front-end to back-end. The HKMA will assess banks’ current and planned stages of fintech adoption in the coming years to identify weaknesses and provide help if necessary.

  • Central Bank Digital Currencies (CBDC)

The HKMA has been working with the BIS Innovation Hub Hong Kong Centre to research retail CBDCs and the e-HKD to discover its use cases, benefits, and related risks. The HKMA will also continue collaborating with the People’s Bank of China to support technical testing of the e-CNY in Hong Kong to provide convenient cross-boundary payments for domestic and mainland residents.

  • Various industry key players and policy-makers

The HKMA will establish a Fintech Cross-Agency Coordination Group to collaborate with key industry players to formulate supportive policies for the Hong Kong fintech ecosystem. Moreover, the Fintech Supervisory Sandbox will provide funding support to qualified fintech projects.

To meet the above objectives, the HKMA consulted the management of financial institutions to make sure they have sufficient resources and relevant subject matter experts to get ready for new technology initiatives.

It’s evident that financial regulators in Hong Kong are raising their compliance standards, which comes with both economic and legal consequences. Since the new requirements are already approved, businesses should start preparing now.
