Heinbro


2026 Hong Kong AML Compliance Guide (SFC Fines Kylin HK$9 Million)

Hong Kong remains one of the world’s most sophisticated international financial centres. With its global connectivity, however, comes heightened exposure to money laundering and terrorist financing risks. For financial institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs), AML compliance in Hong Kong is not merely a regulatory formality—it is a statutory obligation backed by serious criminal and regulatory consequences.

The urgency of compliance was underscored in 2026 when the SFC fined Kylin International (HK) Co., Limited HK$9 million for AML/CTF control failures and governance deficiencies. This guide explains how to achieve AML compliance in Hong Kong under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), with practical steps to help regulated entities remain inspection-ready and enforcement-resilient.


Hong Kong AML Compliance Framework

Hong Kong’s AML compliance regime is built on a legislative framework aligned with the Financial Action Task Force (FATF). The cornerstone legislation is the AMLO, which sets out requirements for customer due diligence (CDD), record-keeping, and regulatory oversight. 

AML supervision in Hong Kong is sector-specific. Each regulator issues practical AML guidelines to ensure firms meet their legal obligations under AMLO.

  • SFC – Licensed Corporations and VASPs
  • HKMA – Banks and Stored Value Facilities
  • Insurance Authority (IA) – Insurance sector
  • Customs & Excise Department (CED) – MSOs and DPMS
  • Companies Registry – TCSPs and Money Lenders
  • Law Society & HKICPA – Legal and accounting professionals

Which Entities Must Comply with AML Requirements?

AML Requirements for FI and DNFBP

Customer Due Diligence (CDD) Requirements Under AMLO

Under Schedule 2 of AMLO, regulated entities must:

  1. Identify and verify the customer’s identity
  2. Identify and verify beneficial owners
  3. Understand ownership and control structure
  4. Obtain information on the purpose and intended nature of the business relationship

Failure to conduct proper CDD may result in fines of up to HK$1,000,000 and imprisonment.

When is CDD Required?

CDD must be performed:

  • Before establishing a business relationship
  • Before occasional transactions above statutory thresholds
  • When ML/TF is suspected
  • When doubts arise about previously collected information

Ongoing monitoring is equally critical. Institutions must ensure transactions are consistent with the customer’s risk profile and source of funds.

Enhanced Due Diligence (EDD) & PEP Screening in Hong Kong

Enhanced Due Diligence (EDD) is required where higher risks are identified, including:

  • Non-face-to-face onboarding
  • Politically Exposed Persons (PEPs)
  • High-risk jurisdictions
  • Complex or unusual transactions

Who Are Politically Exposed Persons (PEPs)?

AMLO defines a PEP primarily as an individual entrusted with prominent public functions outside Hong Kong, including heads of state, senior politicians, and senior judicial or military officials.

Obligations for non-Hong Kong PEPs include:

  • Senior management approval
  • Establishing source of wealth
  • Establishing source of funds
  • Enhanced ongoing monitoring

Suspicious Transaction Reporting (STR) Obligations in Hong Kong

Sections 25A of DTROPO and OSCO, and Section 12 of UNATMO, impose a universal reporting obligation on all persons in Hong Kong—not only regulated entities.

Reports must be filed with the Joint Financial Intelligence Unit (JFIU) when there is knowledge or suspicion of criminal proceeds.

Failure to report may result in:

  • HK$50,000 fine
  • 3 months' imprisonment

SAFE Approach Recommended by JFIU

The JFIU promotes the “SAFE” approach:

  • Screen transactions
  • Ask questions
  • Find red flags
  • Escalate appropriately

Sanctions Screening & Compliance Requirements in Hong Kong

All individuals and entities must comply with:

  • UN Security Council sanctions (mandatory)
  • Terrorist designations
  • Proliferation financing measures

International firms must also consider exposure to OFAC and EU sanctions, especially where cross-border operations are involved.

Required Sanctions Screening Mechanisms

Effective AML compliance in Hong Kong requires:

  • Screening new customers and beneficial owners
  • Ongoing screening against updated sanctions lists
  • Adverse media monitoring
  • Internal escalation procedures

Breaches may result in unlimited fines and imprisonment of up to 7 years under the United Nations Sanctions Ordinance, and up to 14 years under the United Nations (Anti-Terrorism Measures) Ordinance.

Risk-Based Approach (RBA) in AML/CFT Compliance

Hong Kong’s AML regime is founded on a risk-based approach (RBA) aligned with FATF guidance.

Under RBA, institutions must:

  • Conduct an enterprise-wide ML/TF risk assessment, taking into account customer types, products, services, delivery channels, and geographic exposure;
  • Classify customers into appropriate risk categories (low, medium, high);
  • Apply proportionate CDD measures based on the assessed risk level;
  • Implement ongoing monitoring procedures tailored to the customer’s risk profile;
  • Establish effective PEP screening and sanctions screening mechanisms.

Examples of low-risk customers may include listed companies or regulated financial institutions. High-risk indicators include opaque ownership structures and high-risk jurisdictions.

Kylin Case 2026: SFC Enforcement Highlights AML Compliance Failures in Asset Management

In February 2026, the SFC reprimanded and fined Kylin International (HK) Co., Limited HK$9 million for serious regulatory failures in managing private funds between 2018 and 2021. This case serves as a timely reminder that AML compliance in Hong Kong is closely linked to broader governance and fund management obligations.

Kylin, licensed for Type 9 (asset management) regulated activity, acted as investment manager or consultant for six Cayman-incorporated sub-funds. The SFC identified five major areas of misconduct:

  1. Failure to properly manage and disclose conflicts of interest relating to loans extended by the firm or its director to sub-funds;
  2. Failure to conduct monthly reconciliations, regular asset valuations, or appoint an independent auditor;
  3. Inadequate know-your-client (KYC) procedures and suitability assessments;
  4. Failure to maintain proper records demonstrating compliance with AML/CTF requirements; and
  5. Misrepresentation to investors that suitability obligations did not apply because they were “professional investors.”

Of particular relevance to Hong Kong AML compliance, the SFC criticized Kylin for failing to maintain adequate AML/CTF systems and controls, including insufficient documentation to evidence compliance with statutory obligations under AMLO. The regulator emphasized that AML record-keeping is not a formality—firms must be able to demonstrate compliance during inspections.

Importantly, the SFC underscored senior management accountability. The firm’s Responsible Officer and Chief Executive Officer, along with a director responsible for AML/CTF and other core functions, were found to have failed in discharging their supervisory duties. Separate disciplinary actions were taken against them. This reinforces a key regulatory principle in Hong Kong: AML compliance responsibility ultimately rests with senior management.

In determining the HK$9 million penalty, the SFC stated that:

  • The misconduct had the potential to undermine market integrity;
  • A strong deterrent message was necessary;
  • The regulator will impose harsher penalties for similar misconduct in future;
  • Senior management bears direct responsibility for compliance failures.

Although Kylin has since ceased regulated activities and its licence was revoked in January 2025, the case sends a clear message to the market. The SFC has expressly indicated it will intensify enforcement against substandard conduct in private fund management and AML compliance.

For asset managers, this case highlights three practical lessons:

  • AML/CTF record-keeping must be demonstrable and inspection-ready;
  • Suitability and KYC controls cannot be bypassed even for professional investors;
  • Senior management oversight must be active, documented, and effective.

Practical Checklist to Achieve AML Compliance in Hong Kong

The SFC has publicly indicated it will step up disciplinary actions and impose harsher penalties for substandard fund management and AML failures. Firms operating in Hong Kong should therefore reassess their AML framework, internal controls, and compliance monitoring mechanisms to avoid similar enforcement risks.

AML Compliance Checklist

Reinforce Your AML/CFT Compliance Now

AML/CFT compliance in Hong Kong is not a one-time exercise. Given the increasing enforcement actions by the SFC, firms must adopt a proactive and risk-based compliance strategy to mitigate criminal liability and reputational risks.

For financial institutions and regulated entities seeking structured and ongoing support, Heinbro provides integrated AML/CFT compliance solutions tailored to Hong Kong’s regulatory environment. Its dedicated services focus on strengthening AML governance, enhancing CDD and EDD processes, improving sanctions and PEP screening systems, and ensuring inspection readiness. Through continuous compliance reviews and practical implementation support, Heinbro helps fund managers and asset management firms maintain robust, regulator-ready AML/CFT frameworks in an increasingly demanding supervisory environment.

Partnering with experienced advisors ensures your AML framework is not only compliant but inspection-ready and scalable. Email heinbro@heinbro.com or call +852 2811 1708 to arrange a complimentary consultation with Heinbro.
