AML/CFT Compliance Guidelines for SFC and IA Licensees in Hong Kong

Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) compliance is a cornerstone of Hong Kong's financial regulatory framework. Both the Securities and Futures Commission (SFC) and the Insurance Authority (IA) impose comprehensive AML/CFT obligations on their licensees. Failure to comply can result in severe penalties, including significant fines, licence suspension or revocation, and criminal prosecution. This guide provides a detailed overview of the AML/CFT requirements applicable to SFC and IA licensees, along with practical guidance for implementation.

1. AML/CFT Regulatory Framework in Hong Kong

Hong Kong's AML/CFT framework is built on several key pieces of legislation and regulatory guidance:

Primary Legislation

  • Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615): The principal legislation governing AML/CFT obligations for financial institutions and designated non-financial businesses and professions (DNFBPs) in Hong Kong. AMLO establishes the legal requirements for customer due diligence (CDD) and record keeping.
  • Drug Trafficking (Recovery of Proceeds) Ordinance (DTROP, Cap. 405): Criminalizes money laundering in connection with drug trafficking offences.
  • Organized and Serious Crimes Ordinance (OSCO, Cap. 455): Extends money laundering offences to all indictable offences and establishes the framework for suspicious transaction reporting.
  • United Nations (Anti-Terrorism Measures) Ordinance (UNATMO, Cap. 575): Implements UN Security Council resolutions relating to terrorist financing and weapons of mass destruction proliferation financing.

Regulatory Guidelines

  • SFC: The Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) provides detailed guidance on how SFC licensees should comply with their AML/CFT obligations.
  • IA: The Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Insurance Intermediaries) sets out the AML/CFT standards and expectations for IA licensees.

Hong Kong is a member of the Financial Action Task Force (FATF) and is committed to implementing the FATF's internationally recognized standards on AML/CFT. The territory underwent its most recent FATF Mutual Evaluation in 2019, which acknowledged significant progress but also identified areas for improvement.

2. SFC AML/CFT Requirements

SFC-licensed corporations are subject to the AMLO's CDD and record-keeping requirements, as well as the SFC's own AML/CFT guidelines. Key obligations include:

  • Conducting customer due diligence before establishing a business relationship or carrying out occasional transactions above prescribed thresholds
  • Identifying and verifying the identity of customers and beneficial owners
  • Understanding the purpose and intended nature of business relationships
  • Conducting ongoing due diligence and monitoring of business relationships
  • Applying enhanced due diligence (EDD) for higher-risk customers and situations
  • Filing suspicious transaction reports (STRs) with the Joint Financial Intelligence Unit (JFIU)
  • Maintaining adequate records for a minimum of six years
  • Screening customers against sanctions lists
  • Implementing adequate internal policies, controls, and procedures
  • Providing regular AML/CFT training to staff

3. IA AML/CFT Requirements

IA licensees are subject to AML/CFT requirements that are broadly similar to those applicable to SFC licensees, with some insurance-specific considerations:

  • Scope: AML/CFT requirements primarily apply to long-term (life) insurance business, as this is considered higher risk for money laundering. However, the IA also expects licensed intermediaries dealing in general insurance to have appropriate AML/CFT measures in place.
  • CDD triggers: CDD must be conducted when a business relationship is established (e.g., when a long-term insurance policy is sold), when there is a suspicion of money laundering or terrorist financing, and when there are doubts about the accuracy of previously obtained customer identification information.
  • Beneficiary assessment: For life insurance policies, the beneficiary must be identified and, where the beneficiary is a legal person or arrangement, verified. The risk assessment should consider the beneficiary designation.
  • Claims and payouts: Appropriate CDD should be conducted at the time of payout or claim settlement, particularly for large payouts.

4. Institutional Risk Assessment

Both SFC and IA licensees are required to conduct an institutional risk assessment (IRA) to identify, assess, and understand the money laundering and terrorist financing (ML/TF) risks to which the firm is exposed. The IRA should be:

  • Comprehensive: Cover all aspects of the firm's business, including customer types, products and services, delivery channels, and geographic exposure
  • Documented: The assessment and its findings must be properly documented and maintained
  • Regularly updated: The IRA should be reviewed and updated at least annually, or more frequently if there are material changes to the business or the risk environment
  • Approved by senior management: The IRA should be reviewed and approved by the firm's senior management or board of directors

Risk Factors to Consider

  • Customer risk: Types of customers served (e.g., politically exposed persons, high-net-worth individuals, corporate entities with complex structures)
  • Product/service risk: Products or services that may be more susceptible to ML/TF (e.g., investment-linked products, products allowing large cash deposits)
  • Delivery channel risk: Channels that may increase anonymity (e.g., non-face-to-face business, third-party introductions)
  • Geographic risk: Countries or regions with higher ML/TF risk (e.g., countries subject to FATF calls for action, countries with inadequate AML/CFT frameworks)

5. Customer Due Diligence (CDD)

CDD is the foundation of any AML/CFT program. The key components of CDD include:

Customer Identification and Verification

  • Individual customers: Obtain and verify the customer's full name, date of birth, nationality, residential address, and unique identification number (e.g., HKID number, passport number). Verification should be conducted using reliable, independent source documents (e.g., government-issued photo ID).
  • Corporate customers: Obtain and verify the company's name, legal form, proof of existence (e.g., certificate of incorporation), registered address, principal place of business, names of directors, and powers that regulate and bind the company.

Beneficial Ownership

Identify and take reasonable measures to verify the identity of the beneficial owners of the customer. For companies, this typically means identifying natural persons who ultimately own or control more than 25% of the shares or voting rights, or who otherwise exercise ultimate control over the company.

Purpose and Nature of Business Relationship

Understand the purpose and intended nature of the business relationship. This includes understanding the customer's occupation or business, source of funds, and expected pattern of activity.

6. Enhanced Due Diligence (EDD)

EDD measures must be applied in situations that present higher ML/TF risk. Common triggers for EDD include:

  • Politically Exposed Persons (PEPs): Customers who are or have been entrusted with prominent public functions, including heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned enterprises, and important political party officials. EDD requirements extend to the PEP's family members and close associates.
  • Higher-risk countries or territories: Customers from or transactions involving countries identified by the FATF as having strategic AML/CFT deficiencies
  • Complex or unusual transactions: Transactions that appear unusually complex or have no apparent economic or lawful purpose
  • Non-face-to-face business: Relationships established without the customer being physically present
  • Correspondent relationships: Cross-border correspondent relationships with financial institutions

EDD Measures

  • Obtaining senior management approval for establishing or continuing the business relationship
  • Taking reasonable measures to establish the source of wealth and source of funds
  • Conducting enhanced ongoing monitoring of the business relationship
  • Obtaining additional identification and verification information

7. Ongoing Monitoring

CDD is not a one-time exercise. Licensed firms must conduct ongoing monitoring throughout the life of the business relationship:

  • Transaction monitoring: Review transactions to ensure they are consistent with the firm's knowledge of the customer, their business, risk profile, and source of funds. Unusual or suspicious transactions must be identified and investigated.
  • CDD review: Periodically review and update customer information and CDD records to ensure they remain current and relevant. The frequency of reviews should be risk-based.
  • Sanctions screening: Screen customers and transactions against applicable sanctions lists (UN, US OFAC, EU, HK), both at onboarding and on an ongoing basis as sanctions lists are updated.
  • PEP screening: Screen customers to identify politically exposed persons, both at onboarding and periodically thereafter.

8. Suspicious Transaction Reports (STRs)

One of the most critical AML/CFT obligations is the requirement to file Suspicious Transaction Reports (STRs) with the Joint Financial Intelligence Unit (JFIU), which is jointly run by the Hong Kong Police Force and the Customs and Excise Department.

Important: Tipping Off

It is a criminal offence under OSCO and DTROP to "tip off" — that is, to disclose to the customer or any other person that an STR has been or will be filed, or that a money laundering or terrorist financing investigation is being or may be conducted. Firms must ensure that their STR filing processes are strictly confidential.

When to File an STR

An STR must be filed when a licensed firm knows or suspects, or has reasonable grounds to know or suspect, that any property:

  • Represents the proceeds of an indictable offence
  • Was used, is being used, or is intended for use in connection with an indictable offence
  • Is terrorist property or is connected to terrorist financing

Filing Process

  • STRs should be filed promptly upon forming the suspicion — there is no prescribed time limit, but unreasonable delay can itself be a compliance failure
  • STRs are filed with the JFIU through its designated channels
  • The firm should maintain internal records of all STRs filed
  • After filing an STR, the firm should not proceed with the transaction unless it receives consent from the JFIU or a specified period has elapsed

9. Record Keeping

Licensed firms must maintain comprehensive records relating to their AML/CFT activities:

  • CDD records: Copies of identification documents, verification records, and CDD findings must be retained for at least 6 years after the end of the business relationship
  • Transaction records: Records of all transactions must be retained for at least 6 years after the date of the transaction
  • STR records: Records relating to STRs, including internal deliberations and the STR filing itself, must be retained for at least 6 years
  • Training records: Records of AML/CFT training provided to staff should be maintained
  • Format: Records may be maintained in electronic or physical form, but must be readily retrievable for inspection by the regulators

10. Training Requirements

Both the SFC and IA require that licensed firms provide adequate AML/CFT training to their staff. Key requirements include:

  • Initial training: All new staff must receive AML/CFT training as part of their induction
  • Ongoing training: Regular refresher training must be provided to all relevant staff, at least annually
  • Content: Training should cover the firm's AML/CFT policies and procedures, how to identify and report suspicious transactions, CDD requirements, sanctions obligations, and relevant legal provisions
  • Role-specific: Training should be tailored to the roles and responsibilities of different staff members. Front-line staff who interact with customers will need more detailed training on CDD and identifying suspicious activity.
  • Senior management: Senior management and the board should also receive appropriate training to understand their oversight responsibilities
  • Records: The firm should maintain records of all training provided, including attendance, content covered, and dates

11. Penalties for Non-Compliance

The consequences of AML/CFT non-compliance in Hong Kong are severe:

Criminal Penalties

  • Money laundering: Under OSCO and DTROP, the offence of dealing with property known or believed to represent the proceeds of crime carries a maximum penalty of 14 years' imprisonment and a fine of HK$5,000,000
  • Failure to report: Failing to file an STR when there are reasonable grounds for suspicion is a criminal offence, with a maximum penalty of 3 months' imprisonment and a fine of HK$25,000
  • Tipping off: Tipping off carries a maximum penalty of 3 years' imprisonment and a fine of HK$500,000

Regulatory Penalties

  • SFC: The SFC can impose fines of up to HK$10,000,000 or three times the profit gained or loss avoided (whichever is higher) for breaches of AML/CFT requirements. It can also suspend or revoke licences, issue public or private reprimands, and impose conditions on licences.
  • IA: The IA has similar enforcement powers, including the ability to impose pecuniary penalties, suspend or revoke licences, and take other disciplinary actions against licensees who fail to comply with AML/CFT requirements.

12. Practical Implementation Tips

Based on our experience advising licensed firms on AML/CFT compliance, here are practical tips for effective implementation:

  1. Start with a robust risk assessment: Your IRA is the foundation of your entire AML/CFT program. Invest time and effort in making it comprehensive and realistic.
  2. Adopt a risk-based approach: Not all customers, products, and geographies present the same level of risk. Allocate your compliance resources proportionally — more resources for higher-risk areas, streamlined processes for lower-risk areas.
  3. Invest in technology: Manual processes are prone to errors and inefficiency. Consider implementing screening software for sanctions and PEP checks, transaction monitoring systems, and electronic CDD management tools.
  4. Create a culture of compliance: AML/CFT compliance should not be viewed as a box-ticking exercise. Build a culture where all staff understand the importance of AML/CFT and feel empowered to raise concerns.
  5. Designate a Compliance Officer: Appoint a senior individual with overall responsibility for AML/CFT compliance. This person should have the authority, resources, and access to senior management necessary to fulfil the role effectively.
  6. Document everything: Regulators place great emphasis on documentation. If it is not documented, it did not happen. Maintain thorough records of all CDD, monitoring, decision-making, and reporting activities.
  7. Test your systems regularly: Conduct periodic reviews and testing of your AML/CFT systems and controls to ensure they are working effectively. Consider engaging independent reviewers or auditors.
  8. Stay current: AML/CFT regulations and guidance evolve constantly. Subscribe to regulatory updates, attend industry seminars, and regularly review and update your policies and procedures.
  9. Engage with your peers: Industry associations and working groups can provide valuable insights into best practices and emerging risks.
  10. Seek professional guidance: If you are unsure about any aspect of your AML/CFT obligations, consult with experienced compliance professionals. The cost of getting it wrong far exceeds the cost of professional advice.

Key Takeaways

  • AML/CFT compliance is a legal obligation under AMLO and a regulatory requirement of both the SFC and IA
  • Conduct a comprehensive institutional risk assessment as the foundation of your AML/CFT program
  • Apply CDD at onboarding and conduct ongoing monitoring throughout the business relationship
  • Apply Enhanced Due Diligence for PEPs, higher-risk countries, and complex transactions
  • File STRs promptly with the JFIU when suspicions arise; never tip off the customer
  • Retain all AML/CFT records for at least 6 years
  • Provide regular AML/CFT training to all staff
  • Penalties for non-compliance include criminal prosecution, fines up to HK$10M, and licence revocation


