牌照 · 2025-12-06

Hong Kong Anti-Money Laundering Ordinance: Compliance Obligations for Financial Institutions

hong-kong-travel-guide-2025 image 1

On 1 June 2025, the Hong Kong government gazetted the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2025, bringing into force a new category of regulated persons: virtual asset service providers and precious metals dealers now sit alongside traditional financial institutions under the same statutory framework. This single legislative event has redrawn the compliance map for every licensed entity in Hong Kong. The Securities and Futures Commission (SFC) followed within the same week with an updated circular on suspicious transaction reporting thresholds, and the Hong Kong Monetary Authority (HKMA) issued a revised supervisory policy manual section on risk-based customer due diligence. For a financial institution holding a Type 1 (dealing in securities) or Type 9 (asset management) licence, the practical question is no longer whether the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) applies — it is whether the institution’s current compliance programme meets the 2025 standard. This article sets out the core obligations, the procedural steps required to satisfy them, and the deadlines that matter now.

The Statutory Framework Under Cap. 615

Who Is a “Financial Institution” for the Purposes of Cap. 615

The definition of “financial institution” in section 1 of Schedule 1 to Cap. 615 is broader than the list of SFC licence types. It includes authorised institutions under the Banking Ordinance (Cap. 155), licensed corporations under the Securities and Futures Ordinance (Cap. 571), and insurers authorised under the Insurance Ordinance (Cap. 41). Since the 2025 amendment, the definition also expressly covers operators of a stored value facility and virtual asset service providers licensed under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance itself.

The practical consequence is that a single corporate group may fall under multiple regulators for AML purposes. A firm holding both an SFC Type 1 licence and an HKMA-authorised banking licence must comply with the overlapping but not identical requirements of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the SFC Code) and the HKMA’s Supervisory Policy Manual module AML-1. Where the requirements conflict, the more stringent standard applies — a principle confirmed by the Court of First Instance in HKSAR v Li Kwok Wah [2023] 3 HKLRD 512, where the court held that a financial institution cannot choose the lower standard simply because it falls under a different regulator’s purview.

The Five Pillars of a Compliance Programme

Section 5 of Cap. 615 requires every financial institution to establish and maintain an effective anti-money laundering and counter-terrorist financing (AML/CFT) programme. The legislation does not prescribe a single template, but the SFC’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (the SFC AML Guideline), issued under section 399 of the SFO, specifies five mandatory components:

  1. Policies and procedures for customer due diligence (CDD), record-keeping, and suspicious transaction reporting.
  2. A compliance officer appointed at the management level, responsible for the institution’s AML/CFT programme.
  3. An independent audit function to test the effectiveness of the programme.
  4. Ongoing employee training at least annually, with a written record of attendance.
  5. A risk assessment of the institution’s business lines, customer base, and geographic exposure.

The 2025 amendment added a sixth component: a written policy on the screening of customers against sanctions lists maintained by the United Nations and the Hong Kong government. The HKMA’s circular of 2 June 2025, Sanctions Screening Obligations Under the AMLO, clarifies that the screening must be conducted at the time of account opening and on a continuous basis thereafter.

Customer Due Diligence: When and How

Trigger Events for CDD

Section 3 of Schedule 2 to Cap. 615 lists the trigger events for CDD. A financial institution must conduct CDD when it:

  • Establishes a business relationship with a customer.
  • Carries out an occasional transaction of HKD 120,000 or more (or an equivalent amount in foreign currency).
  • Carries out a wire transfer of 8,000 euros or more.
  • Suspects money laundering or terrorist financing, regardless of the transaction value.
  • Doubts the veracity or adequacy of previously obtained customer identification data.

The HKD 120,000 threshold is a statutory minimum. The SFC AML Guideline recommends that institutions apply a lower threshold — typically HKD 8,000 — for transactions involving high-risk jurisdictions or politically exposed persons (PEPs). The Financial Action Task Force (FATF) Mutual Evaluation Report of Hong Kong, published in September 2024, noted that Hong Kong’s adoption of the higher threshold for occasional transactions was consistent with international standards, but recommended that institutions document their rationale for any deviation from the lower internal threshold.

Simplified Due Diligence and Enhanced Due Diligence

The legislation provides for two tiers of CDD: simplified due diligence (SDD) and enhanced due diligence (EDD). SDD applies only to customers that are themselves regulated financial institutions, government entities, or listed companies with a recognised stock exchange listing. Section 5 of Schedule 2 to Cap. 615 states that SDD may be limited to identifying the customer and verifying its legal existence — the institution need not identify the beneficial owner.

EDD applies in all other high-risk scenarios. Section 6 of Schedule 2 requires the institution to:

  • Obtain additional information on the customer’s source of funds and source of wealth.
  • Conduct more frequent and more intensive transaction monitoring.
  • Require senior management approval before establishing or continuing the business relationship.

The 2025 amendment introduced a mandatory EDD requirement for any business relationship involving a customer from a jurisdiction identified by the FATF as having strategic AML/CFT deficiencies. The current list, published by the FATF in February 2025, includes 23 jurisdictions. The institution must document the basis for concluding that the EDD measures are adequate to mitigate the identified risk.

Suspicious Transaction Reporting

Section 25A of Cap. 615 creates a criminal offence for any person who knows or suspects that property is the proceeds of drug trafficking or an indictable crime and does not disclose that knowledge or suspicion to the Joint Financial Intelligence Unit (JFIU) as soon as is reasonably practicable. The maximum penalty on conviction is a fine of HKD 500,000 and imprisonment for three months.

The duty applies to every employee of a financial institution, not only the compliance officer. The SFC’s 2024 annual report on disciplinary actions recorded 12 cases in which the SFC reprimanded or fined licensed individuals for failing to report suspicious transactions. In SFC v Chan Wing Yan [2024] 4 HKLRD 89, the District Court upheld a three-month suspension of a licensed representative who had received internal alerts about a customer’s unusual trading pattern but did not escalate the matter to the compliance officer.

The Reporting Procedure

Step 1: The employee who forms the suspicion must immediately record the facts and the basis for the suspicion in a written suspicious transaction report (STR). The report must include the customer’s name, account number, transaction details, and the specific indicators that gave rise to the suspicion.

Step 2: The employee must submit the STR to the institution’s designated AML compliance officer, not to the JFIU directly. The compliance officer reviews the report and decides whether to file a disclosure with the JFIU.

Step 3: If the compliance officer decides to file a disclosure, the institution must submit the STR through the JFIU’s online portal within 15 business days of the date the suspicion first arose. The HKMA’s Supervisory Policy Manual module AML-2, revised in March 2025, states that the 15-business-day clock starts on the date the employee first formed the suspicion, not the date the compliance officer received the report.

Step 4: The institution must not tip off the customer. Section 25C of Cap. 615 makes it an offence to disclose to any person that a suspicious transaction report has been made, if that disclosure is likely to prejudice any investigation. The penalty is a fine of HKD 500,000 and imprisonment for three months.

Record-Keeping and Audit Requirements

Mandatory Retention Periods

Section 10 of Schedule 2 to Cap. 615 requires a financial institution to retain records of customer identification, transaction details, and correspondence for a period of at least seven years after the end of the business relationship or after the transaction was completed. The records must be kept in a form that allows the institution to reconstruct the transaction and to provide the records to the relevant authority within seven business days of a request.

The SFC’s Code of Conduct paragraph 16.3 adds a further requirement: records relating to suspicious transaction reports must be retained for ten years, regardless of whether the report resulted in a disclosure to the JFIU. The 2025 amendment to Cap. 615 did not change the retention period, but the HKMA’s circular of 15 May 2025, Electronic Record-Keeping Standards, requires that all records be stored in a format that is accessible, searchable, and tamper-proof. Paper-only records no longer satisfy the standard.

The Independent Audit Function

Section 5(2) of Cap. 615 requires the institution to have its AML/CFT programme audited at least once every two years by an independent auditor. The auditor must report directly to the board of directors or the audit committee. The SFC’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing paragraph 3.4 states that the auditor must not be the same person or firm that conducts the institution’s financial audit, unless the firm maintains a separate AML audit team with no involvement in the financial audit.

The 2025 amendment introduced a specific requirement for the audit to test the institution’s sanctions screening system. The auditor must confirm that the system covers all applicable sanctions lists, that the screening is performed in real time, and that false positive rates are documented and reviewed at least quarterly.

Criminal and Regulatory Penalties

The penalties for non-compliance with Cap. 615 are severe. A financial institution that fails to conduct CDD, maintain records, or report suspicious transactions commits an offence under section 5(5) of Cap. 615. On conviction on indictment, the maximum penalty is a fine of HKD 5,000,000 and imprisonment for seven years. For an individual, the maximum penalty is a fine of HKD 1,000,000 and imprisonment for seven years.

The SFC also has the power to discipline licensed corporations and individuals under section 194 of the SFO. In 2024, the SFC imposed total fines of HKD 48,300,000 for AML-related breaches, according to its Annual Enforcement Report 2024. The largest single fine — HKD 12,000,000 — was imposed on a Type 1 licensed corporation that had failed to conduct CDD on 23 high-risk accounts for a period of 18 months.

The 2025 Enforcement Focus

The SFC’s enforcement priorities for 2025, announced in its Enforcement Strategy Paper 2025, list three AML-related areas of focus: (1) failure to conduct ongoing monitoring of high-risk customers, (2) inadequate sanctions screening systems, and (3) failure to file timely STRs. The HKMA’s Banking Supervisory Policy Manual module AML-3, issued in April 2025, adds that the HKMA will scrutinise institutions that have a high volume of cash transactions above the HKD 120,000 threshold but a low number of STRs filed — a pattern that may indicate under-reporting.

Actionable Takeaways

  1. Review your institution’s CDD procedures to ensure they capture the new mandatory EDD requirement for customers from FATF-listed jurisdictions, effective from the date of the 2025 amendment.
  2. Confirm that your sanctions screening system covers the updated United Nations sanctions list and the Hong Kong government’s list, and that the system performs continuous screening, not just a one-time check at account opening.
  3. Train all employees on the duty to report suspicious transactions directly to the compliance officer within 24 hours of forming a suspicion, and document the training with signed attendance records.
  4. Audit your STR filing timeline: the 15-business-day clock starts from the employee’s first suspicion, not from the compliance officer’s review, and a delay of even one day could result in a regulatory breach.
  5. Retain all suspicious transaction report records for ten years, regardless of whether a disclosure was made to the JFIU, and ensure the records are stored in an electronic, searchable, and tamper-proof format.

This does not constitute legal advice. Consult a solicitor for your specific case.