Licensing · 2025-12-27
Hong Kong Customer Due Diligence: KYC Requirements Under the Anti-Money Laundering Ordinance
The Hong Kong Monetary Authority (HKMA) issued a circular in September 2025 reminding all authorised institutions that the enhanced due diligence (EDD) threshold for politically exposed persons (PEPs) now applies to all family members and close associates by default, not just those posing a prima facie higher risk. This shift, codified in the HKMA’s updated Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (September 2025 revision), closes a long-standing interpretation gap that allowed some institutions to apply standard due diligence to a PEP’s immediate circle unless a specific red flag was raised. For any firm applying for a Securities and Futures Commission (SFC) licence or maintaining a regulated activity under the Securities and Futures Ordinance (Cap. 571), the cost of non-compliance with customer due diligence (CDD) rules has never been higher. The SFC’s 2024-25 annual report recorded 23 disciplinary actions directly related to anti-money laundering (AML) failures, a 64% increase over the prior year. The legislation governing this entire framework is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615). This article explains the mandatory KYC steps, the timing rules, and the record-keeping obligations that every licensed corporation and authorised institution must follow.
The Statutory Framework: AMLO and the SFC Code of Conduct
The primary source of CDD obligations is Part 2 of the AMLO (Cap. 615). Section 5 of the AMLO creates a mandatory duty for any “financial institution” — defined in Schedule 1 to include SFC-licensed corporations, authorised institutions, and money service operators — to conduct CDD before establishing a business relationship. The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) reinforces this duty at paragraph 7.1, which requires licensed persons to comply with the AMLO and any relevant guidelines issued by the HKMA or the SFC itself.
The five mandatory CDD measures are set out in Section 5(1) of the AMLO. The institution must identify the customer; verify the customer’s identity using reliable, independent source documents; identify any beneficial owner; take reasonable measures to verify the beneficial owner’s identity; and understand the purpose and intended nature of the business relationship.
The timing of CDD is non-negotiable. Section 5(2) states that CDD must be completed before the business relationship is established. For occasional transactions — a single wire transfer exceeding HKD 80,000 or its equivalent in foreign currency — CDD must be performed before the transaction is executed. The only statutory exception is found in Section 5(3), which permits delayed CDD in “low risk” scenarios, but only if the delay is necessary to avoid interrupting the normal course of business and the CDD is completed as soon as reasonably practicable.
The definition of “beneficial owner” under the AMLO is broad. Schedule 1 defines a beneficial owner as any individual who ultimately owns or controls, directly or indirectly, 25% or more of the shares or voting rights of a legal person. For trusts, the beneficial owner includes the settlor, trustee, protector, and any beneficiary with a vested interest. The institution must document the ownership chain.
Customer Identification and Verification (Step 1)
The first operational step is to collect and verify the customer’s identity. For an individual, the AMLO requires the full legal name, date of birth, nationality, and residential address. The verification must come from an “independent and reliable source.” The HKMA’s Supervisory Policy Manual (AML-1, revised January 2025) specifies that a valid Hong Kong identity card, a passport, or a national identity card from a recognised jurisdiction qualifies as a primary document.
For corporate customers, the verification requirements extend to the entity itself and its controllers. The institution must obtain the certificate of incorporation, the business registration certificate (for Hong Kong companies), the memorandum and articles of association, and a register of directors and shareholders. These must be current — a certificate of incorporation issued more than six months before the CDD date is presumptively stale. The SFC’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (October 2024) states at paragraph 4.3 that the institution must verify the existence of the corporate entity through a government registry or a recognised company registry search.
The beneficial owner must be identified by name and address, and the ownership percentage must be recorded. If the corporate structure involves a chain of ownership — for example, a Hong Kong company owned by a British Virgin Islands entity owned by a Cayman Islands trust — the institution must trace the chain until it reaches one or more natural persons. Section 5(4) of the AMLO permits reliance on a corporate register or a written representation from the customer, but the institution must assess whether that representation is consistent with the available documentation.
Enhanced Due Diligence (Step 2): PEPs, High-Risk Jurisdictions, and Complex Structures
The AMLO imposes a mandatory obligation to apply enhanced due diligence (EDD) in three categories: where the customer is a PEP, where the customer is from a high-risk jurisdiction, and where the business relationship involves complex or unusually large transactions. Section 5(5) of the AMLO lists these triggers.
For PEPs, the definition covers individuals entrusted with prominent public functions in Hong Kong or abroad. The HKMA’s September 2025 circular clarified that the PEP status attaches to the individual’s immediate family members — defined as the spouse, children, parents, and siblings — and close associates. The institution must take reasonable measures to determine whether the customer or the beneficial owner is a PEP. This is not a one-time check; Section 5(7) requires ongoing monitoring, and the institution must re-assess PEP status at least annually.
For high-risk jurisdictions, the Financial Action Task Force (FATF) list is the starting point, but not the end. The SFC expects institutions to maintain their own risk assessment that considers the FATF’s “jurisdictions under increased monitoring” and the “high-risk jurisdictions subject to a call for action.” As of the FATF’s October 2025 plenary, there were 25 jurisdictions on the increased-monitoring list. A customer with a registered address or a principal place of business in any of those jurisdictions triggers mandatory EDD.
EDD measures include obtaining additional information on the customer’s source of funds and source of wealth. The institution must request documentation that traces the origin of the funds being used in the transaction — for example, bank statements, audited financial statements, or tax returns. The source of wealth inquiry goes further, requiring an understanding of how the customer accumulated their total net worth. The SFC’s enforcement record shows that failure to document the source-of-wealth analysis was a contributing factor in 11 of the 23 disciplinary actions cited in the 2024-25 annual report.
Ongoing Monitoring and Record-Keeping (Step 3)
CDD is not a one-off event. Section 6 of the AMLO imposes a continuous duty to monitor the business relationship. The institution must scrutinise transactions to ensure they are consistent with the institution’s knowledge of the customer, the customer’s business, and the customer’s risk profile.
The frequency of review depends on the risk category. For low-risk customers, a periodic review every three years is the baseline. For medium-risk customers, the review must occur every two years. For high-risk customers, including PEPs and customers from high-risk jurisdictions, the review must be annual. The SFC’s Guideline on AML/CFT (October 2024) states at paragraph 6.8 that the institution must document the date of each review and the reason for any change in the risk category.
Record-keeping obligations under Section 20 of the AMLO require retention for at least seven years after the business relationship ends. The records must include copies of all CDD documents, transaction records, and correspondence related to the CDD process. The records must be kept in Hong Kong unless the SFC has granted a specific exemption. The SFC’s Code of Conduct at paragraph 7.2 adds that the records must be retrievable within 48 hours upon request by the SFC.
The institution must file a suspicious transaction report (STR) with the Joint Financial Intelligence Unit (JFIU) if it suspects money laundering or terrorist financing. Section 12 of the AMLO creates a mandatory reporting duty. The threshold for suspicion is low — it does not require proof. The JFIU’s 2024 annual report recorded 92,000 STRs filed, a 15% increase over 2023. The institution must not tip off the customer that a report has been made.
Actionable Takeaways
- Verify the beneficial ownership chain to the ultimate natural person for every corporate customer, regardless of the jurisdiction of incorporation.
- Apply enhanced due diligence to all PEP family members and close associates as a default position, not only when a risk indicator is present.
- Document the source of wealth and source of funds for every high-risk customer, and retain that documentation for seven years after the relationship ends.
- Conduct an annual PEP re-assessment and a risk-category review for every customer, and record the date and rationale for any change.
- File a suspicious transaction report with the JFIU at the point of suspicion, not after gathering further evidence, to comply with the mandatory reporting duty under Section 12 of the AMLO.
This article does not constitute legal advice. For matters involving an individual case, please consult a licensed lawyer.