Anti-Money Laundering Policy (AMLO) Hong Kong

An Anti-Money Laundering Policy (AMLO) in Hong Kong documents the organisation's approach and the obligations placed on those it covers.

The legal foundation for AML/CFT compliance in Hong Kong rests on Cap. 615 and a suite of related ordinances. The Organized and Serious Crimes Ordinance (Cap. 455), section 25A, creates a statutory obligation to report suspicions of money laundering. The United Nations (Anti-Terrorism Measures) Ordinance (Cap. 575), section 12, imposes equivalent reporting obligations in relation to terrorist financing. Cap. 615 itself requires covered entities — financial institutions and designated non-financial businesses and professions (DNFBPs) as defined in Schedule 1 — to establish and maintain effective AML/CFT systems, conduct customer due diligence (CDD), perform ongoing monitoring, and keep records for at least six years.

Hong Kong's AML/CFT framework is designed to meet the standards of the Financial Action Task Force (FATF), the international standard-setter for AML/CFT policy. Hong Kong is a member of the Asia/Pacific Group on Money Laundering (APG) and undergoes periodic mutual evaluation assessments that review the adequacy of its AML/CFT framework. The results of these evaluations directly influence the regulatory expectations placed on covered entities operating in Hong Kong.

Four principal regulators supervise and enforce AML/CFT compliance in Hong Kong across different sectors. The Hong Kong Monetary Authority (HKMA) supervises licensed banks and other authorised institutions under the Banking Ordinance (Cap. 155). The Securities and Futures Commission (SFC) supervises licensed corporations under the Securities and Futures Ordinance (Cap. 571). The Insurance Authority (IA) supervises licensed insurers and insurance intermediaries under the Insurance Ordinance (Cap. 41). The Customs and Excise Department supervises licensed money service operators (money changers and remittance businesses) under Cap. 615 directly.

Following the 2022 and 2023 amendments to Cap. 615, virtual asset service providers (VASPs) — specifically virtual asset exchanges seeking to serve retail investors and over-the-counter (OTC) virtual asset trading operators — became subject to a mandatory licensing regime administered by the SFC, with full AML/CFT obligations equivalent to those imposed on traditional financial institutions. This expansion reflects Hong Kong's commitment to confirming that the emerging virtual asset sector is subject to equivalent oversight to the traditional financial sector.

An AML/CFT policy document addresses the full lifecycle of the AML/CFT compliance programme: the risk assessment framework, the governance structure (including the designation of a Money Laundering Reporting Officer (MLRO) and the Board's oversight responsibilities), the CDD procedures for new and existing customers, the enhanced due diligence (EDD) procedures for higher-risk customers and transactions, the ongoing transaction monitoring system, the suspicious transaction reporting (STR) process and the relationship with the Joint Financial Intelligence Unit (JFIU), the employee training programme, and the independent audit or review of the AML/CFT programme. A well-drafted AML/CFT policy is both a compliance document and a practical operational guide for staff at all levels of the organisation.

A Hong Kong AML/CFT Policy is required by every entity that falls within the definition of a 'specified person' under Schedule 1 to Cap. 615, and must be in place before the entity commences its regulated activity. The policy is not a one-time document — it must be reviewed and updated whenever there are material changes to the business, the regulatory environment, or the entity's risk profile.

A licensed bank or restricted licence bank under the Banking Ordinance (Cap. 155) must have an AML/CFT policy that satisfies the detailed requirements of the HKMA's Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (issued under section 7(3) of the HKMA Guideline). Without an approved and implemented policy, the HKMA will not grant or continue a banking licence.

An SFC-licensed corporation seeking authorisation to carry on any regulated activity under the Securities and Futures Ordinance (Cap. 571) must demonstrate to the SFC that it has adequate AML/CFT policies and procedures as a condition of licensing. The SFC's Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) sets out the detailed requirements. Ongoing compliance is monitored through the SFC's inspection programme.

An insurance broker company or insurance agent seeking authorisation from the Insurance Authority under the Insurance Ordinance (Cap. 41) must have AML/CFT policies appropriate to the scale and nature of its insurance broking activities, particularly for long-term (life) insurance products. Life insurance products — particularly investment-linked assurance schemes (ILAS) and policies with surrender values — are recognised as carrying elevated ML/TF risk.

A licensed money service operator (money changer or remittance company) must hold a money service operator licence under Cap. 615 and must implement full AML/CFT procedures appropriate to the inherently higher risk of money service businesses, including enhanced CDD under Schedule 2 to Cap. 615 for all transactions above the prescribed threshold. The Customs and Excise Department conducts regular inspections of licensed MSOs and scrutinises AML/CFT policy compliance closely.

An estate agent licensed under the Estate Agents Ordinance (Cap. 511) must implement AML/CFT controls when assisting in property sale and purchase transactions involving cash or large funds transfers. The Estate Agents Authority (EAA) provides guidance on AML/CFT compliance for estate agents acting as DNFBPs. A legal or accounting professional who assists clients in property transactions or complex financial structuring must also implement AML/CFT controls when acting in that capacity.

A virtual asset exchange or OTC virtual asset trading operator seeking a licence from the SFC under the amended Cap. 615 must demonstrate full AML/CFT compliance as part of the licensing process, with requirements equivalent to those for traditional financial institutions.

A compliant Hong Kong AML/CFT Policy under Cap. 615 must address the following key components to satisfy the requirements of the HKMA, SFC, IA, and other relevant regulators.

The risk assessment and risk appetite statement establishes the foundation of the entire AML/CFT programme. The policy must describe how the organisation assesses its exposure to money laundering and terrorist financing risk, having regard to its customer base (including the jurisdictions of origin of customers), products and services, delivery channels, and geographic presence. The risk assessment should identify inherent risks, the controls in place to mitigate those risks, and the residual risk. The Board and senior management must approve the risk appetite — the level of ML/TF risk the organisation is willing to accept — as part of their governance responsibilities.

The governance and accountability section designates the Money Laundering Reporting Officer (MLRO) and the Deputy MLRO, defines the MLRO's responsibilities (including receipt of internal suspicious activity reports, assessment of whether to file an STR with the Joint Financial Intelligence Unit (JFIU), and maintenance of the STR log), and establishes the Board's oversight role. The MLRO must be a senior officer with sufficient authority, resources, and access to information to perform their function effectively. Under the SFC's and HKMA's guidelines, the MLRO must be a member of senior management.

The customer due diligence (CDD) procedures must specify, by reference to the entity's risk categories, the identification and verification requirements for each category of customer. For individual customers, the policy must specify the acceptable identity documents (HKID, passport) and address verification documents. For corporate customers, the policy must require verification of the entity's incorporation, registered office, directors, shareholders, and ultimate beneficial owners (UBOs) — individuals ultimately owning or controlling more than 25% of the shares or voting rights. The policy must address the circumstances triggering enhanced CDD, including transactions involving high-risk jurisdictions on the FATF grey or black lists, politically exposed persons (PEPs), and transactions of unusual size or structure.

The ongoing monitoring section describes the transaction monitoring system — whether automated, manual, or a combination — used to identify unusual or suspicious transactions. The policy must specify the monitoring scenarios, thresholds, and escalation procedures. Transaction monitoring should be calibrated to the entity's specific risk profile and business model. The policy should also address the periodic review of existing customer relationships to confirm CDD information remains current and accurate.

The suspicious transaction reporting (STR) procedures must set out the internal reporting chain — how staff who form a suspicion report it to the MLRO, how the MLRO evaluates the report, and how a decision is made whether to file an STR with the JFIU through the Suspicious Transaction Automated Reporting System (STARS). The policy must emphasise the tipping-off prohibition under section 25A of Cap. 455 — it is a criminal offence to alert a customer or third party that an STR has been or may be filed.

The record-keeping requirements section specifies that CDD records must be retained for at least six years after the end of the business relationship, and transaction records must be kept for at least six years from the date of the transaction, in compliance with Schedule 2 to Cap. 615. The format, storage, and retrieval requirements for records must be addressed, including requirements for electronic records to be accessible and available to regulators on request.

The training programme section describes the mandatory AML/CFT training for all staff, including frequency, content, and assessment. All new staff must receive AML/CFT training before commencing customer-facing duties. Senior management and the Board must receive appropriate training on their governance responsibilities. Frontline staff must be trained to recognise red flags and suspicious behaviour. Training records must be maintained.

The independent review section describes the mechanism for periodic independent assessment of the AML/CFT programme — whether by internal audit, external auditors, or an independent compliance consultant. The results of independent reviews must be reported to senior management and the Board, and action plans must be implemented to address any deficiencies identified. Under Section 24 of Cap. 615, the HKMA and SFC have statutory powers to require authorised institutions and licensed corporations to commission independent AML/CFT reviews, and findings from these reviews may be used in subsequent supervisory proceedings. The Financial Intelligence Evaluation Bureau (FIEB) and the JFIU coordinate cross-sector AML/CFT intelligence under the Drug Trafficking (Recovery of Proceeds) Ordinance (Cap. 405) and Cap. 455. Forms-legal.com provides an AML/CFT Policy template for Hong Kong covering all requirements under Cap. 615, Schedule 2 to Cap. 615, Section 25A of Cap. 455, and the HKMA, SFC, and Insurance Authority regulatory guidelines.