AML/CFT Compliance in Hong Kong: HKMA, AMLO, and the 2026 Regulatory Landscape
Hong Kong's AML/CFT regime is undergoing significant changes, driven by the evolving threat landscape and the need for stricter regulations. The Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) have intensified their enforcement efforts, with a focus on virtual asset service providers (VASPs), Trust or Company Service Providers (TCSPs), and other financial institutions. The recent amendments to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) have expanded the regulatory scope to include VASPs, and the licensing regime for these providers has been in effect since June 2023.
Key Facts at a Glance
- Primary regulator
- HKMA (banks, SVF), SFC (capital markets and VASPs from 2023), Insurance Authority
- Primary AML law
- Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615), as amended by AMLO 2023 extending to VASPs
- Criminal Offences
- Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP, Cap. 405), Organized and Serious Crimes Ordinance (OSCO, Cap. 455), United Nations (Anti-Terrorism Measures) Ordinance (UNATMO, Cap. 575)
- FIU
- Joint Financial Intelligence Unit (JFIU), joint customs-police body
- SAR filing
- STREAMS system
- Key 2023-2025 developments
- VASP licensing regime effective 1 June 2023 with 12-month transition, HashKey and OSL as first licensed exchanges, JPEX scandal (2023) drove enforcement wave, AML/CFT for stablecoin issuers under Stablecoin Ordinance 2024, TCSP licensing since 2018
The Regulatory Landscape
Hong Kong's AML/CFT framework is built around the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), which has been amended to include virtual asset service providers (VASPs) within its scope. The HKMA and SFC are the primary regulators, overseeing banks, SVFs, capital markets, and VASPs. The Insurance Authority also plays a crucial role in regulating the insurance sector.
The AMLO amendments, effective April 1, 2023, grant the SFC direct oversight over crypto exchanges and VASPs, requiring them to meet certain licensing standards to operate legally in Hong Kong. The licensing regime for VASPs has been in effect since June 1, 2023, with a 12-month transition period. The Stablecoin Ordinance 2024 also introduces AML/CFT requirements for stablecoin issuers.
HKMA and SFC Guidance
The HKMA and SFC have issued guidance on AML/CFT compliance, including the HKMA's Risk-Based Supervisory Approach and the SFC's Guidance on Virtual Asset Service Providers. These guidelines emphasize the importance of a risk-based approach, customer due diligence, and ongoing monitoring.
Customer Due Diligence and KYC
Hong Kong's CDD obligations follow the international standards, requiring financial institutions to verify the identity of customers, beneficial owners, and controllers. The AMLO and HKMA Guidance provide details on the CDD process, including the verification of natural persons, legal entities, and beneficial owners.
The SFC's Guidance on Virtual Asset Service Providers also emphasizes the importance of CDD and KYC for VASPs, requiring them to implement documented AML/CFT systems and controls.
Sanctions Screening
Hong Kong's sanctions regime is based on the United Nations (Anti-Terrorism Measures) Ordinance (UNATMO) and the EU's sanctions lists. Financial institutions are required to screen their customers, transactions, and assets against these lists, and to report any suspicious activities to the Joint Financial Intelligence Unit (JFIU).
Hong Kong's sanctions regime is closely aligned with the EU and UN sanctions lists. Financial institutions must ensure that their sanctions screening processes are documented and effective in identifying and reporting suspicious activities.
SAR/STR Reporting
Suspicious Activity Reports (SARs) must be filed with the Joint Financial Intelligence Unit (JFIU) via the STREAMS system. The AMLO and HKMA Guidance provide details on the SAR/STR reporting requirements, including the content, timing, and filing procedures.
Risk-Based Approach
Hong Kong's AML/CFT regime emphasizes a risk-based approach, requiring financial institutions to implement AML/CFT systems and controls proportionate to their risk exposure. The HKMA's Risk-Based Supervisory Approach and the SFC's Guidance on Virtual Asset Service Providers provide guidance on the risk-based approach.
Crypto-Assets and VASPs
The AMLO amendments have introduced regulatory requirements for VASPs, including licensing, AML/CFT compliance, and ongoing monitoring. The HKMA and SFC have also issued guidance on the regulation of VASPs, covering governance, risk management, and transaction monitoring.
Recent Enforcement
The HKMA and SFC have intensified their enforcement efforts, with notable actions including the HKMA's reprimand and fine of Hang Seng Bank HK$66.4 million for misconduct in selling practices, and the SFC's fine of Kylin HK$9 million for AML control failures.
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2025 | Hang Seng Bank | HK$66.4m | Misconduct in selling practices |
| 2025 | Kylin | HK$9.0m | AML control failures |
Practical Compliance Checklist for Hong Kong Institutions
Minimum Documentation Set Under the AMLO
- Institution-wide risk assessment under the AMLO, refreshed annually and on material change.
- Internal safeguards manual under the AMLO, covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
- Written CDD procedures aligned with the AMLO and HKMA Guidance.
- Sanctions screening policy covering UN, EU, and HK sanctions lists with documented matching logic and false-positive review procedure.
- SAR/STR procedures referencing the AMLO, the STREAMS system, and the same-day/next-working-day standard.
- PEP identification and EDD procedure including the 12-month post-departure continuation requirement.
- Designated AML Officer and deputy notified to HKMA under the AMLO.
- Staff training programme under the AMLO, with documented annual refresher cycles.
Common Pitfalls
Three patterns dominate recent enforcement files. The first is SAR latency: institutions that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late. The HKMA and SFC have emphasized the importance of timely SAR/STR reporting.
The second is fragmented governance: where AML investigations sit across multiple business lines, multiple geographies, or multiple legal entities, the HKMA and SFC treat the resulting coordination failures as substantive breaches in their own right.
The third is over-reliance on commercial screening tools without documented rationale. The HKMA and SFC accept the use of third-party PEP and sanctions databases but expect the obliged entity to be able to evidence the matching algorithms applied, the false-positive thresholds set, the data quality controls in place, and the periodic validation of the vendor.
The regulatory landscape in Hong Kong is expected to continue evolving, with a focus on stricter AML/CFT regulations and increased enforcement. Institutions should treat the period ahead as a transition window: build now to AMLO and HKMA/SFC standards using the guidance and regulations as a forward-looking interpretation, rather than waiting for further developments.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Hong Kong institutions, citing the AMLO, HKMA Guidance, and applicable regulations directly in the text. Generated documents include the institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with the AMLO and HKMA Guidance, sanctions screening policy referencing the UN, EU, and HK sanctions lists, SAR/STR procedures keyed to the AMLO and the STREAMS system, and the staff training programme required under the AMLO.
Generate your Hong Kong AML documentation in minutes
Stop paying for templated consultancy outputs. RegMantle produces audit-ready, AMLO-compliant documentation in under ten minutes.
Start Free →