AML Compliance Guidelines: Hong Kong

Hong Kong, a special administrative region of China, is also among the world’s largest and most advanced financial centers. Its economy is characterized by free capital flow, simple and low taxes, tax-free ports, and preferential access to mainland China’s manufacturing hubs. These longstanding strengths not only bring business and investment opportunities but also pose risks of money laundering and terrorism financing (ML/TF). To address these risks, Hong Kong has put in place a very robust and effective regulatory framework in line with international standards set by the Financial Action Task Force.

Money Laundering and Terrorist Financing Offenses in Hong Kong

Money Laundering: Under Article 25(1) of the Drug Trafficking (Recovery of Proceeds) Ordinance (DTROPO) and Article 25(1) of the Organized and Serious Crimes Ordinance (OSCO), any person who deals with a property having knowledge or reasonable grounds to believe that a property is representing directly or indirectly a person’s proceeds from drug trafficking or indictable crimes. A person convicted of a money laundering offense may face up to HK$ 5,000,000 fine and 14-year imprisonment.

Terrorist Financing: Articles 7 and 8 of the United Nations (Anti-Terrorism Measures) Ordinance (UNATMO), specify that providing or collecting funds for terrorist activities, or making funds available to terrorists or their associates is an offense that carries a penalty of an unlimited fine and up to 14 years imprisonment.

AML Regulated Sectors in Hong Kong:

• Virtual Assets Service Providers (VASPs)

Regulated by the Securities and Futures Commission (SFC), VASPs must meet customer due diligence (CDD) and record-keeping requirements including ongoing monitoring by applying a risk-based approach (RBA). The SFC provides VASPs with guidance to prevent ML/TF risks effectively. SFC’s Guideline on AML/CTF for VASPs recommends screening customers and beneficial owners in order to identify and meet obligations related to non-Hong Kong Politically Exposed Persons (PEPs). This guide also requires Virtual Asset Service Providers in Hong Kong to have a sanctions screening mechanism in place to avoid establishing business relationships or conducting transactions with any entity or individual on UN sanctions lists or a terrorist suspect on any watchlist.

• Licensed Corporations (Securities Sector)

The licensed corporations (LCs) are companies that engage in regulated activity such as securities and futures trading, leveraged foreign exchange trading, automated trading services, and asset management. These corporations are regulated by the SFC to ensure compliance with CDD and record-keeping as mandated by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO). SFC’s Guideline on AML/CTF for LCs outlines detailed procedures and policies for ongoing monitoring using a risk-based approach, PEP screening, sanctions screening, and suspicious activity monitoring.

• Insurance Sector

Insurance Institutions such as licensed insurers, reinsurers, insurance agencies, insurance brokerage companies, and individual insurance agents are overseen by the Insurance Authority (IA), which has issued guidelines to help them meet their AMLO obligations. IA’s AML/CTF Guideline for Insurance outlines risk indicators of suspicious transactions specific to the insurance sector and procedures for CDD, record-keeping, and ongoing monitoring. It also provides detailed policies and procedures for PEP screening/identification and sanction screening.

• Authorized Institutions (AIs)

The AIs such as banks and deposit-taking companies are regulated and supervised by the Monetary Authority of Hong Kong (HKMA), which supervises their compliance with the AML/CFT obligations set out by AMLO. HKMA’s Guideline on AML/CTF for Authorized Institutions advises banks and other deposit-taking institutions to take a risk-based approach to CDD, ongoing monitoring, and record-keeping. It mandates effective policies and procedures for PEP and sanctions screening. It also outlines some specific measures such as correspondent banking relationships with shell banks and adverse media screening before establishing private banking relationships.

• Stored Value Facility (SVF)

The SVFs is a retail payment product that typically involves small value transfers or payments. SVF products include stored value payment cards (such as Octopus Cards), and online stored value payment facilities (such as Alipay and Paypal). SVFs are regulated and supervised by the HKMA, which supervises their compliance with the AML/CFT obligations set out by AMLO. HKMA’s Guideline on AML/CTF for SVF sets out Anti-Money Laundering statutory and regulatory requirements and standards that SVF should meet in order to comply with the statutory requirements. These guidelines also recommend that SVF should implement an effective mechanism for Sanctions screening and PEP screening.

• Money Service Operators (MSO)

Every money service operator (that is Remittance Agents and Money Changers) in Hong Kong, needs to be registered and licensed by the Customs and Excise Department (CED). The Money Service Supervision Bureau (MSSB) of the C&ED supervises and ensures compliance of the MSOs with the customer due diligence and record-keeping obligations under the AMLO. The CED’s Guideline on AML/CFT for MSOs sets out relevant AML/CFT statutory and regulatory obligations and standards that need to be followed by MSOs. Non-compliance with these guidelines may result in disciplinary actions by the regulator.

Designated Non-Financial Businesses and Professions (DNFBPs)

• Accounting Sector

Professional accountants are regulated under AML laws in Hong Kong. The Hong Kong Institute of Certified Public Accountants (HKICPA) ensures that professional accountants perform client due diligence before establishing any business relationship, meet record-keeping requirements, and screen all their customers against UN Sanctions lists. HKICPA’s Guideline for Professional Accountants assists the regulated entities in developing policies, procedures, and controls that meet the standard of the specific sector to ensure their compliance with the legal obligations under the AMLO.

• Legal Sector

The Law Society of Hong Kong (LSHK) supervises and regulates independent solicitors and law firms in Hong Kong in order to ensure their compliance with AML obligations. These obligations include customer due diligence and record-keeping requirements mandated by AMLO. Practice Guidance of LSHK includes guidelines for solicitors to counter money laundering and combat terrorist financing. Some of these guidelines are advisory in nature whereas others are mandatory.

• Real Estate Sector

All Individuals and companies carrying out estate agency work must register and obtain a license from Estate Agents Authority (EAA) to operate. EAA is also responsible to monitor and ensure the compliance of the estate agents and estate agency companies with the customer due diligence and record-keeping requirements under the AMLO. The EAA has also provided guidelines to the real estate sector to comply with their obligations under AMLO in Circular No. 23-01.

• Dealers in Precious Metals and Stones (DPMS)

Any dealer in precious metals and stones who seeks to engage in cash transaction(s) which equal to HK$120,000 during the course of their business must register as a Category B Registrant (CBRs) with the Customs and Excise Department (CED) of Hong Kong and are subject to AML/CFT supervision. CBRs are required to comply with customer due diligence and record-keeping obligations set out by AMLO. Non-compliance with these requirements may result in a fine of up to HK$$500,000. CED has also published practical guidance to help DPMS devise policies, procedures, and controls to meet statutory and regulatory requirements considering their special circumstances.

• Trust and Company Service Providers (TCSPs)

TCSPs need to be registered and licensed by the Companies Registry (CR), which also monitors and ensures their compliance with customer due diligence and record-keeping requirements under the AMLO. Company Registry has also published specific guidelines for TCSPs to assist their compliance with obligations under AMLO and sanctions screening requirements under UNATOM and UNSO. This guideline recommends that TCSP licensees will need to ensure that they have an appropriate Sanctions Screening system to check their customers against the UN lists including any other relevant sanctions lists (such as OFAC designations).

• Money Lenders

Money Lenders are required to be registered and licensed by the Companies Registry (CR), which also monitors and ensures their compliance with customer due diligence and record-keeping. Company Registry has also published specific guidelines for the money lenders to assist their compliance with obligations under AMLO and sanctions screening requirements under UNATOM and UNSO. Company Registry’s guidelines on suspicious transaction reporting also suggest when assessing the risk of a customer one should consider the results of adverse media screening through publicly available information or against commercially available databases.

Key AML and Sanctions Legislations:

Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”)

The AMLO sets out the statutory obligations for customer due diligence and record-keeping for specified financial institutions and designated non-financial businesses and professions (DNFBPs). It also empowers designated authorities with regulatory and supervisory roles including issuing guidelines and prescribing penalties for non-compliance with these obligations.

Drug Trafficking (Recovery of Proceeds) Ordinance (“DTROPO”)

The DTROPO enables the tracing and confiscation of proceeds generated from drug trafficking and also criminalizes the handling of proceeds generated from such offenses. It also imposes a universal obligation on all persons and entities to report suspicious transactions they suspect or have knowledge of that involve proceeds from drug trafficking.

Organized and Serious Crimes Ordinance (“OSCO”)

The OSCO provides for the investigation and confiscation of proceeds generated from certain crimes and creates offenses related to the handling of proceeds or property generated from such indictable crimes. Like the DTROPO it also imposes a universal obligation on all persons and entities to report suspicious transactions they have knowledge of or suspect that it involve proceeds from organized and indictable crimes.

United Nations (Anti-Terrorism Measures) Ordinance (“UNATMO”)

The UNATMO enforces counterterrorism measures as mandated by the United Nations Security Council Resolutions 1373. Under the UNATMO, an individual commits the offense of terrorist financing if they knowingly provide or make funds or property available with the intent that it will be used for terrorism. It also imposes a universal obligation on all persons and entities in Hong Kong to report suspicious transactions that they suspect or have knowledge of involving property or proceeds connected to terrorist acts. Conviction for terrorist financing can result in unlimited fines and 14 years imprisonment.

United Nations Sanctions Ordinance (“UNSO”)

The UNSO enacts economic and trade sanctions mandated by the UN Security Council on persons or entities outside the People’s Republic of China. Violation of these sanctions can result in an unlimited fine or up to 7 years imprisonment.

Joint Financial Intelligence Unit (JFIU)

The JFIU is the financial intelligence unit of Hong Kong, which receives and analyzes suspicious activity reports. JFIU also provides insights on risk typology, trends, and practical guidance to deal with such risks to the industry. JFIU suggests applying the “SAFE” approach to identify and report suspicious transactions effectively. Detailed guidance on SAFE approach could be looked up on the JFIU website.

Suspicious Transaction Reporting (STR) Obligations in Hong Kong

It is worth noting here that the duty to report suspicious transactions is not just limited to AML-regulated entities in Hong Kong. Under section 25(A) of the DTROPO, section 25(A) of the OSCO, and Section 12 of the UNATMO, all persons and entities in Hong Kong are obliged to report suspicious transactions to the JFIU if they have suspicion or knowledge that it involves proceeds of property generated from or intended to be used for drug trafficking, indictable crimes or terrorist acts. Non-compliance can result in a fine of HK$50,000 or 3 months imprisonment.

Customer Due Diligence Requirements

Following customer due diligence (CDD) measures are mandated for financial institutions and DNFBPs under the AMLO in Hong Kong:

• Identifying the customer and verifying their identity
• If a customer is a legal person or trust taking reasonable measures to identify the beneficial owner(s) and verify their identity
• Taking reasonable measures to understand the ownership and control structure of a legal person or trust
• Obtaining information on the purpose and intended nature of the business relationship

Financial institutions and DNFBPs must carry out these measures in certain circumstances including:

• Before establishing a business relationship
• Before conducting an occasional transaction subject to certain limits
• When the financial institution or the DNFBP suspects risk of money laundering or terrorist financing
• When the FI or DNFBP doubts the accuracy or adequacy of the previously obtained information

Ongoing Monitoring

Financial Institutions and DNFBPs are obligated to continuously monitor the business relationship with a customer by;

• Periodically reviewing that the identification documents meet the regulatory requirements and are up to date
• Reviewing transactions to ensure they’re consistent with the customer’s business, risk profile, and source of funds
• Identifying transactions that are complex, unusually large in amount, or lack apparent economic or lawful purpose,
• Examining the background and purposes of those transactions and writing down their findings.

Risk based Approach (RBA)

The regulatory framework in Hong Kong is guided through the application of a risk-based approach (RBA) in line with international standards set by the FATF. RBA allows the optimal use of resources by focusing them on higher-risk activities. The RBA approach requires that regulated entities decide the extent of due diligence measures, based on thorough risk assessment and special circumstances, applicable in a particular case.

Simplified Due Diligence

In general financial institutions and DNFBPs are obligated to carry out all four measures required for CDD before establishing a business relationship or executing an occasional transaction and continuously monitoring its business relationship (ongoing monitoring). The extent of four CDD measures and ongoing monitoring should be determined by applying a risk-based approach. Some examples of low-risk customers are companies listed on the stock exchange, AML-regulated financial institutions, and any government or public body in Hong Kong, etc.

Enhanced Due Diligence

Under Sec 5 (3) of Schedule 2 of AMLO, Financial Institutions, and DNFBPs are required to apply additional or special measures in the following situations if:

• Customer is not physically present for identification purposes
• Customer is identified as a politically exposed person
• Situations determined to be high risk by the relevant regulatory body or any other situation that by its nature may present a high risk of ML/TF

Politically Exposed Persons (PEPs)

Schedule 2 of AMLO requires financial institutions and DNFBPs to apply special measures for handling politically exposed persons (PEPs). The initial step in applying these measures is to determine whether any existing or prospective customers meet the criteria for classification as a PEP.

Definition of PEP

A politically exposed person (PEP) as defined in AMLO only includes an individual who is or has been entrusted with a prominent public function in a place outside Hong Kong such a head of state, head of government, senior politician, senior government, judicial or military official, senior executive of a state-owned corporation and an important political party official. This definition doesn’t include a middle-ranking or more junior official in any of the mentioned categories. In line with FATF standards immediate family members and close associates are also included in the definition of the PEP.

PEP Screening/Identification

All relevant regulatory and supervisory bodies obligate that regulated entities should establish and maintain effective procedures (for example making reference to publicly available information and/or screening against commercially available databases) to determine whether a customer or a beneficial owner is a non-Hong Kong PEP.

Special Measures for PEPs

Regulations and statutory guidelines in Hong Kong mandate using a risk-based approach in determining the extent of enhanced due diligence measures when a customer is categorized as a Hong Kong PEP or an International Organization PEPs. However, the measures to be followed when a customer or a beneficial owner is identified as a non-Hong Kong PEP are strictly defined in AMLO that includes:

• Obtaining senior management approval before establishing or continuing existing business relationship
• Obtaining a source of wealth and source of funds that will be involved in a business relationship

A regulated entity isn’t required to apply enhanced due diligence measures in respect of a former PEP if, based on appropriate risk assessment, it determines that the former PEP doesn’t pose a high risk of money laundering or terrorist financing.

Penalties

Under Section 5 of AMLO, a financial institution that knowingly violates due diligence or record-keeping provisions may, upon conviction on indictment, face a fine of up to HK$1,000,000 and imprisonment for up to two years. The penalty of imprisonment increases to 7 years if such a violation involves the intent to defraud any relevant regulatory authority. Similar penalties also apply to employees or management of the financial institution who knowingly permit or cause financial institutions to contravene such provisions.

Sanctions Screening Requirements in Hong Kong

Scope of Sanction

All individuals and entities in Hong Kong are obliged to comply with financial sanctions, terrorist designations, and travel bans imposed by UNSC Resolutions. Regulated entities should additionally assess the scope and implications of regional (such as EU Sanctions) or unilateral sanctions (such as those issued by The Office of Foreign Assets Control (OFAC) of the USA) that may apply, particularly those relevant to their international operations.

Sanctions Compliance

All regulated entities should establish and maintain effective policies, procedures, and controls to ensure compliance with the relevant regulations and legislation on terrorism financing, financial sanctions, and proliferation financing. Breaching sanctions in Hong Kong may result in penalties like unlimited fines and up to 7 years imprisonment under the United Nations Sanctions Ordinance and up to 14 years imprisonment under the United Nations (Anti-Terrorism Measures) Ordinance.

Sanctions Screening Using Commercially Available Databases in Hong Kong

Identifying and reporting transactions with sanctioned persons, terrorist suspects, and designated parties is obligatory. To achieve compliance with these obligations regulated entities should maintain an up-to-date database containing names and details of all such individuals and entities. Maintaining such an extensive database that needs frequent updates sourced from various jurisdictions across the globe requires the availability of resources, expertise, and investments for infrastructure. Alternatively, regulated entities could resort to commercially available databases (such as those maintained by some screening software or Regtech products).

To avoid establishing business relationships or conducting transactions with any terrorist suspects, designated or sanctioned individual entities or groups, regulated entities should implement an effective screening mechanism, which should include:

• screening new customers, connected parties, and any beneficial owners of the customers against sanctions and terrorist lists at the establishment of the relationship
• screening existing customers whenever there’s a change or update in sanctions or terrorist lists

Authorities in Hong Kong are encouraging the adoption of AML Regtech solutions to strengthen their risk assessment, screening, and transaction monitoring systems to tackle the harms caused by digital fraud and other financial crimes. Regulated businesses that adopt reliable AML software can enhance the efficiency of their operations, improve risk identification, and avoid administrative penalties and reputational risks.