Licence · 2026-01-10

Hong Kong AML Audit for Financial Institutions: The Role of Independent Auditors and Scope of Review


The SFC issued a thematic review report in March 2025 examining anti-money laundering (AML) systems at 50 licensed corporations. The findings were stark: 34% of firms had not conducted an independent AML audit within the preceding 24 months, and 22% lacked any documented audit scope covering their virtual asset services. These figures come directly from the SFC’s Thematic Review of AML/CFT Systems of Licensed Corporations (March 2025). The regulator warned that non-compliance with the statutory audit requirement under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615, “AMLO”) would result in enforcement action, including licence conditions or suspension. For any financial institution operating in Hong Kong, whether a licensed corporation under the SFC, an authorised institution under the HKMA, or a money service operator under the Customs and Excise Department, the independent AML audit is not optional. It is a mandatory condition of licensure. This article sets out the legal basis for the audit, the scope of review expected by regulators, and the practical steps to engage an independent auditor who meets the competence and independence requirements under AMLO.

The Statutory Basis for the Independent AML Audit

The requirement for an independent AML audit is codified in section 20 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The legislation provides that a financial institution must arrange for an independent audit of its AML/CFT policies, procedures, and controls at least once every 24 months. The audit must be conducted by a person who is independent of the institution’s AML compliance function.

Who Must Conduct the Audit

The auditor must satisfy the independence criteria set out in the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (paragraph 12.3) and the HKMA’s Supervisory Policy Manual module AML-1. The legislation provides that an internal audit team may conduct the audit only if it reports directly to the board or audit committee and has no operational responsibility for AML processes. External auditors, such as certified public accountant (CPA) firms, are the more common choice. The SFC’s March 2025 thematic review noted that 18% of firms used an internal audit function that failed to meet the independence test because the same staff who designed the AML controls also audited them.

The 24-Month Cycle and Trigger Events

The 24-month clock starts from the date of the last audit report. The legislation does not allow a grace period beyond 24 months. If a firm changes its business model, adds a new product line (such as virtual asset trading), or receives a regulatory warning letter, the SFC expects a fresh audit within 12 months of that trigger event. The HKMA’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (November 2023) states that authorised institutions must conduct a full-scope independent audit within 6 months of any material change in their AML risk profile.

Scope of the Independent AML Review

The scope of the audit must cover the institution’s entire AML/CFT framework, not just a sample of transactions. The SFC’s Thematic Review of AML/CFT Systems (March 2025) identified the five mandatory components that every audit must address.

Customer Due Diligence (CDD) Procedures

The auditor must test the institution’s CDD processes against the requirements of Schedule 2 to AMLO. This includes verification of beneficial ownership, identification of politically exposed persons (PEPs), and the adequacy of ongoing due diligence for high-risk customers. The SFC’s review found that 28% of firms did not have documented procedures for verifying beneficial ownership of corporate customers. The audit must quantify the percentage of customer files that fail CDD checks and report the root cause.

Transaction Monitoring and Suspicious Transaction Reporting

The auditor must assess the effectiveness of the institution’s transaction monitoring system, including whether it detects unusual patterns such as structuring, rapid in-and-out movements, or transactions involving high-risk jurisdictions. The audit must also review the institution’s suspicious transaction report (STR) filing rate against peer benchmarks. The HKMA’s Supervisory Policy Manual AML-1 requires the auditor to test at least 10% of all alerts generated by the monitoring system during the audit period.
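To make the monitoring patterns named above concrete (structuring, rapid in-and-out movements, high-risk jurisdictions) and the 10% alert re-testing an auditor performs, the following is an added example written for this article; it is not code from the SFC, the HKMA, or any institution’s monitoring system. The thresholds, time windows, the two jurisdiction codes, the seed and the transactions are constructed assumptions for illustration, not statutory values or real data.

```python
"""Illustrative AML transaction-monitoring rules plus a deterministic
alert-sampling helper of the kind an independent auditor would use to pick
alerts for re-testing. Added example; thresholds and data are assumptions."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed illustrative parameters (not statutory figures).
STRUCTURING_THRESHOLD = 120_000.0        # amount the split payments stay under
STRUCTURING_WINDOW = timedelta(days=7)   # window over which splits are summed
IN_OUT_WINDOW = timedelta(hours=48)      # inflow-to-outflow gap treated as rapid
IN_OUT_TOLERANCE = 0.10                  # outflow within 10% of the inflow
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # placeholder codes, not a real list


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    when: datetime
    amount: float            # positive = inflow, negative = outflow
    counterparty_country: str


@dataclass(frozen=True)
class Alert:
    rule: str
    customer: str
    txn_ids: tuple


def detect_structuring(txns):
    """Flag a customer whose sub-threshold inflows inside the window add up
    to the threshold or more (payments split to stay under a reporting line)."""
    alerts, by_customer = [], defaultdict(list)
    for t in txns:
        if 0 < t.amount < STRUCTURING_THRESHOLD:
            by_customer[t.customer].append(t)
    for cust, ts in by_customer.items():
        ts.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(ts)):            # sliding window over time
            while ts[end].when - ts[start].when > STRUCTURING_WINDOW:
                start += 1
            window = ts[start:end + 1]
            if len(window) >= 2 and sum(t.amount for t in window) >= STRUCTURING_THRESHOLD:
                alerts.append(Alert("structuring", cust, tuple(t.txn_id for t in window)))
                break                          # one alert per customer
    return alerts


def detect_rapid_in_out(txns):
    """Flag an inflow followed within the window by an outflow of similar size."""
    alerts, by_customer = [], defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
    for cust, ts in by_customer.items():
        ts.sort(key=lambda t: t.when)
        for i, inflow in enumerate(ts):
            if inflow.amount <= 0:
                continue
            for outflow in ts[i + 1:]:
                if outflow.when - inflow.when > IN_OUT_WINDOW:
                    break
                if outflow.amount < 0 and abs(-outflow.amount - inflow.amount) <= IN_OUT_TOLERANCE * inflow.amount:
                    alerts.append(Alert("rapid_in_out", cust, (inflow.txn_id, outflow.txn_id)))
                    break
    return alerts


def detect_high_risk_jurisdiction(txns):
    """Flag any transaction whose counterparty sits in a listed jurisdiction."""
    return [Alert("high_risk_jurisdiction", t.customer, (t.txn_id,))
            for t in txns if t.counterparty_country in HIGH_RISK_JURISDICTIONS]


def run_monitoring(txns):
    return detect_structuring(txns) + detect_rapid_in_out(txns) + detect_high_risk_jurisdiction(txns)


def sample_alerts_for_audit(alerts, fraction=0.10, seed="audit-sample-seed"):
    """Pick at least `fraction` of the alerts (minimum one) for re-testing.
    Ranking by a seeded hash makes the sample reproducible by a reviewer."""
    if not alerts:
        return []
    n = max(1, math.ceil(len(alerts) * fraction))
    rank = lambda a: hashlib.sha256(f"{seed}|{a.rule}|{','.join(a.txn_ids)}".encode()).hexdigest()
    return sorted(alerts, key=rank)[:n]


# Constructed sample ledger (not real data).
_T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE_TXNS = [
    Txn("A1", "A", _T0, 50_000, "HK"),                          # split deposits
    Txn("A2", "A", _T0 + timedelta(days=2), 45_000, "HK"),
    Txn("A3", "A", _T0 + timedelta(days=4), 40_000, "HK"),
    Txn("B1", "B", _T0, 200_000, "HK"),                         # in ...
    Txn("B2", "B", _T0 + timedelta(hours=12), -195_000, "HK"),  # ... and straight out
    Txn("C1", "C", _T0, 30_000, "XX"),                          # listed jurisdiction
]

if __name__ == "__main__":
    found = run_monitoring(SAMPLE_TXNS)
    for a in found:
        print(a)
    print("auditor sample:", sample_alerts_for_audit(found))
```

Running the block on the constructed ledger yields one alert per rule (customer A for structuring, B for rapid in-and-out, C for the listed jurisdiction), and the sampler returns one alert, the ceiling of 10% of three, in a way that re-runs identically for a reviewer who holds the same seed.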

Record-Keeping and Data Retention

AMLO requires financial institutions to retain CDD records for at least 6 years after the business relationship ends and transaction records for at least 6 years after the transaction date. The auditor must verify that the institution’s data retention system meets these statutory periods. The SFC’s March 2025 review noted that 15% of firms had deleted CDD records before the 6-year retention period expired, citing “storage cost” as the reason. The auditor must flag any deletion of records within the retention period as a regulatory breach.

Staff Training and Competence

The auditor must review the institution’s AML training programme. The SFC’s Code of Conduct requires that all relevant staff complete AML training at least once every 12 months. The audit must verify that training records are maintained and that training content covers the latest regulatory updates, including the Guidelines on Anti-Money Laundering and Counter-Financing of Terrorism (November 2023) issued by the SFC and the HKMA.

Governance and Board Oversight

The audit must assess whether the institution’s board or senior management has approved the AML policy and whether the board receives quarterly AML compliance reports. The SFC’s thematic review found that 12% of firms had no board-level AML committee. The auditor must report any deficiency in governance structure as a material weakness.

Engaging an Independent Auditor: Practical Steps

The process of engaging an independent auditor requires careful planning to avoid the common pitfalls identified by the SFC and HKMA.

Step 1: Define the Audit Scope in Writing

The institution must prepare a written terms of reference (TOR) for the auditor. The TOR must specify the audit period, the scope of review (including the five mandatory components above), and the reporting format. The SFC’s Thematic Review (March 2025) recommends that the TOR be approved by the board or audit committee before the audit begins. The TOR should also list any specific regulatory concerns, such as virtual asset services or cross-border payment corridors.

Step 2: Select an Auditor with Relevant Expertise

The auditor must have demonstrable experience in AML audits for financial institutions. The SFC does not maintain a list of approved auditors, but the HKMA publishes a list of recognised CPA firms for authorised institutions. For SFC-licensed corporations, the auditor should hold a practising certificate under the Professional Accountants Ordinance (Cap. 50) and have completed at least three AML audits in the preceding 24 months. The SFC’s March 2025 report noted that 9% of firms used an auditor whose only relevant experience was in auditing non-financial businesses.

Step 3: Provide Full Access to Records

The auditor must have unrestricted access to all customer files, transaction data, compliance reports, and board minutes. The institution cannot redact or limit access to any document. The AMLO provides that the auditor may request information from any employee, and the institution must comply within 14 days. Failure to provide access is itself a breach of the audit requirement.

Step 4: Review the Audit Report and Remediate Findings

The auditor’s report must be submitted to the board or audit committee within 30 days of completion. The report must include a rating of the institution’s AML controls (e.g., adequate, partially adequate, inadequate) and a list of findings with remediation deadlines. The SFC expects the institution to implement corrective actions within 90 days for high-risk findings and within 180 days for medium-risk findings. The institution must document the remediation in a follow-up report to the board.

Step 5: File the Audit Report with the Regulator

The SFC’s Code of Conduct requires that the audit report be filed with the SFC within 14 days of board approval. The HKMA requires the report to be filed within 30 days. The report must be accompanied by a summary of the remediation plan. The SFC’s March 2025 thematic review found that 7% of firms did not file the audit report at all, and 11% filed it more than 60 days late.

Key Takeaways for Compliance Officers and Licence Applicants

  1. The independent AML audit is a statutory requirement under AMLO section 20, not a voluntary best practice — every licensed financial institution must complete one every 24 months, with no grace period for late filings.

  2. The audit scope must cover all five mandatory components: CDD, transaction monitoring, record-keeping, staff training, and governance — an audit that omits any one of these components is incomplete and exposes the firm to regulatory enforcement.

  3. The auditor must be independent of the AML compliance function — using an internal audit team that designed the AML controls is a common compliance failure cited in the SFC’s March 2025 thematic review.

  4. Trigger events such as new product lines, regulatory warnings, or material changes in risk profile require a fresh audit within 6 to 12 months, resetting the 24-month cycle.

  5. The audit report must be filed with the relevant regulator within 14 to 30 days of board approval — late filing or non-filing is a separate regulatory breach that can result in licence conditions or suspension.

This article does not constitute legal advice. For individual matters, please consult a licensed lawyer.