Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

AMLO Compliance in Hong Kong: AML Obligations for Licensed Corporations & VASPs

TL;DR

  • AMLO (Cap. 615) is Hong Kong’s core AML/CTF law; VASPs came under its scope on 1 June 2023 via SFC licensing.
  • Core obligations: Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) for high-risk clients, Suspicious Transaction Reports (STRs) to the JFIU, and 5-year record retention.
  • EDD applies to PEPs, high-risk jurisdictions, and VASP transfers above the HK$8,000 Travel Rule threshold.
  • SFC enforces via thematic inspections, on-site reviews, and annual self-assessments; penalties range from reprimands to multi-million HKD fines and licence rejection.
  • Both AMLO and the EU’s MiCA use a 25% UBO threshold; the real difference is structural, not the ownership bar.

Hong Kong’s Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) is the legal backbone of every financial firm’s compliance programme in the territory. Since the Securities and Futures Commission (SFC) brought Virtual Asset Service Providers (VASPs) into AMLO’s scope on 1 June 2023, the question facing operators is no longer whether they need to comply. It’s whether the controls already in place will survive an SFC inspection in 2026.

This guide breaks down the anti-money laundering (AML) obligations that apply to Licensed Corporations (LCs) and VASPs in Hong Kong, what the SFC actually checks during enforcement, and how Hong Kong’s approach compares with the EU’s Markets in Crypto-Assets Regulation (MiCA). It’s written for compliance leads, money laundering reporting officers (MLROs), and operations teams who need a working answer rather than a regulatory recap.

What AMLO Covers and Why It Matters in 2026

AMLO (Cap. 615) was enacted in 2012 to bring Hong Kong’s AML and counter-terrorist financing (CTF) regime in line with Financial Action Task Force (FATF) standards. Schedule 2 of the Ordinance contains the operational rulebook. It lays out customer due diligence, record-keeping, ongoing monitoring, and suspicious transaction reporting.

Two amendments matter most.

  • The 2018 changes extended AMLO to designated non-financial businesses and professions, including lawyers, accountants, real estate agents, and trust or company service providers.
  • The 2022 amendment, effective 1 June 2023, created a dedicated licensing regime for VASPs and gave the SFC direct authority over centralised crypto exchanges operating in or marketing to Hong Kong. Firms that ran on the legacy “opt-in” framework had a 12-month transition window to bring their controls up to the new standard.

The stakes have grown. The SFC’s enforcement reports show repeated disciplinary action against firms for AML breaches, with sanctions ranging from public reprimands to multi-million-HKD fines. FATF’s mutual evaluation work on Hong Kong reaffirmed the territory’s “Compliant” or “Largely Compliant” rating on most recommendations. But supervisors specifically called out the need for stronger oversight of newer VASP licensees.

Who Falls Under AMLO?

AMLO’s reach covers four categories of “financial institutions” in Hong Kong: authorised institutions regulated by the Hong Kong Monetary Authority (HKMA), LCs and associated entities under the SFC, insurance institutions under the Insurance Authority (IA), and money service operators under Customs and Excise. As of 2023, licensed VASPs sit under the SFC umbrella too.

For an LC, AMLO applies the moment a client relationship begins. That covers firms dealing in securities, advising on corporate finance, or operating a Type 9 asset management licence. For a VASP, AMLO applies to every customer onboarded onto the platform, every fiat-to-crypto trade, and every withdrawal above the territory’s reporting threshold.

Core AML Obligations Under AMLO

The day-to-day Hong Kong AML obligations sit in four areas.

Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is mandatory at onboarding and at trigger events such as a material change in the client relationship or a suspicion of money laundering. Standard CDD requires identifying the customer and verifying that identity using reliable independent source documents, identifying any beneficial owner with 25% or more ownership, and understanding the purpose and intended nature of the relationship.

Enhanced Due Diligence (EDD)

Enhanced Due Diligence (EDD) is required for higher-risk relationships. The SFC’s AML Guideline for Licensed Corporations lists the typical triggers. These include politically exposed persons (PEPs), customers from FATF-listed high-risk jurisdictions, complex ownership structures, and unusually large or unexplained transactions. EDD measures cover senior management approval, source of funds and source of wealth verification, and enhanced ongoing monitoring.

For VASPs, EDD applies in practice to cross-border transfers above the HK$8,000 Travel Rule threshold and to any transaction involving an unhosted wallet. These are the areas where the SFC has been most vocal about its expectations under the SFC AML requirements VASP regime and where most enforcement attention has landed since the 2023 licensing rollout.

Suspicious Transaction Reporting

When a firm knows or suspects that property represents proceeds of an indictable offence, it must file a Suspicious Transaction Report (STR) with the Joint Financial Intelligence Unit without delay. Failure to file is a criminal offence under section 25A of both the Drug Trafficking (Recovery of Proceeds) Ordinance and the Organised and Serious Crimes Ordinance.

Record-Keeping

CDD records and transaction records must be retained for at least five years after the end of the customer relationship or the date of the transaction. Records must be sufficient for the SFC or law enforcement to reconstruct individual transactions on request.

How the SFC Enforces AMLO

SFC supervision relies on three mechanisms. Thematic inspections sweep across cohorts of similar firms. On-site reviews follow intelligence or whistleblower reports. Annual self-assessment returns force firms to surface their own gaps. Recent enforcement patterns make the priorities clear.

Recent disciplinary actions show the SFC fining brokerages multi-million-HKD sums for inadequate CDD procedures and failure to identify beneficial owners on corporate accounts. A separate action against a VASP licensing Hong Kong applicant resulted in licence rejection because the firm could not demonstrate effective ongoing monitoring controls. The SFC has also issued public statements warning that firms relying on outdated identity verification methods, particularly paper-based know-your-customer (KYC) for remote onboarding, will struggle to satisfy the current standard.

The pattern is consistent. The SFC penalises firms for documentation gaps, weak beneficial ownership identification, and verification systems that cannot detect synthetic or manipulated identity documents. Inspections increasingly focus on whether onboarding evidence can be reconstructed end-to-end, not whether a CDD policy exists on paper.

AMLO vs EU MiCA: Where Hong Kong Stands

Compliance teams running multi-jurisdictional programmes often ask how AMLO compares with MiCA, which became fully applicable across the EU on 30 December 2024. The two frameworks share a goal but differ in structure.

MiCA is a single EU-wide regulation that covers crypto-asset service providers (CASPs) directly, layering on top of the EU’s AML Regulation (AMLR) and Sixth Anti-Money Laundering Directive (6AMLD). AMLO, by contrast, is a Hong Kong-specific Ordinance that integrates VASP supervision into an existing AML framework rather than creating a new one.

For practitioners, the operational delta is narrower than the structural difference suggests. Both regimes mandate CDD, EDD for high-risk relationships, STR filing, ultimate beneficial owner (UBO) identification, and the FATF Travel Rule for crypto transfers. Both regimes converge on a 25% UBO threshold, so compliance teams shouldn’t assume Hong Kong is materially lighter on beneficial ownership than the EU. The real operational gap is in the FATF Travel Rule and VASP-specific licensing conditions.

How Shufti Supports Hong Kong AMLO Compliance

Identity verification sits at the centre of every AMLO obligation. CDD, EDD, ongoing monitoring, and STR-supporting evidence all depend on knowing who the customer actually is. Shufti’s verification stack is built around the controls the SFC scrutinises during inspection.

Shufti’s KYC verification covers identity document authentication across more than 9,000 document types from 240+ countries. That coverage matters when a Hong Kong VASP onboards retail clients from across Asia-Pacific. AML screening checks customers against global sanctions lists, PEP databases, and adverse media in real time, with continuous monitoring that flags status changes between annual reviews. For higher-risk cases, enhanced due diligence workflows pull source-of-wealth documentation, UBO data, and risk-scored profiles that satisfy the SFC’s documentation expectations.

The platform supports the structured audit trail Hong Kong AMLO compliance requires. Every check, every screening hit, and every reviewer decision is logged and exportable in a format that maps to the SFC’s record-keeping standard.

Get AMLO-Ready Verification That Stands Up to SFC Scrutiny

Hong Kong’s AMLO regime rewards firms that can prove their controls work, not just describe them. Shufti’s identity verification, AML screening, and EDD workflows give licensed corporations and VASPs the audit trail SFC examiners ask for. Talk to our team to see how the platform fits your compliance programme.

Frequently Asked Questions

What AML obligations does AMLO impose on Hong Kong VASPs?

VASPs must conduct CDD on every customer, apply EDD to high-risk relationships, file STRs with the JFIU, retain records for five years, and follow the FATF Travel Rule for crypto transfers above the HK$8,000 threshold set by the SFC.

How does SFC enforce AMLO compliance for licensed corporations?

The SFC uses thematic inspections, on-site reviews, and annual self-assessment returns. Penalties include public reprimands, multi-million-HKD fines, licence suspension, and rejection of new licence applications. Documentation gaps and weak UBO identification are the most common findings.

What CDD requirements apply to high-risk clients under Hong Kong AMLO?

High-risk clients require enhanced due diligence. This means senior management approval, verification of source of funds and source of wealth, and enhanced ongoing monitoring. Triggers include PEPs, high-risk jurisdictions, and complex ownership structures.

How do Hong Kong AMLO obligations compare to EU MiCA requirements?

Both AMLO and MiCA use a 25% UBO threshold. The structural difference is regulatory: MiCA is a single EU-wide regulation, while AMLO integrates VASP supervision into Hong Kong's existing AML framework rather than creating a standalone one. MiCA is an EU-wide regulation. AMLO is a Hong Kong-specific ordinance integrated with the existing AML framework.

Related Posts

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

AMLR 2027: What the EU’s new anti-money laundering rulebook means for compliance teams

AMLR 2027: What the EU’s new anti-money laundering rulebook means for compliance teams

Explore More

Shufti Blog

AMLO Compliance in Hong Kong: AML Obligations for Licensed Corporations & VASPs

AMLO Compliance in Hong Kong: AML Obligations for Licensed Corporations & VASPs

Explore More

Shufti Blog

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Shufti Blog

What Is Transaction Screening? Definition, Process, and How It Works

What Is Transaction Screening? Definition, Process, and How It Works

Explore More

Shufti Blog

AMLR 2027: What the EU’s new anti-money laundering rulebook means for compliance teams

AMLR 2027: What the EU’s new anti-money laundering rulebook means for compliance teams

Explore More

Shufti Blog

AMLO Compliance in Hong Kong: AML Obligations for Licensed Corporations & VASPs

AMLO Compliance in Hong Kong: AML Obligations for Licensed Corporations & VASPs

Explore More

Shufti Blog

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Transaction Monitoring for Neobanks: Reducing False Positives Without Missing SAR Triggers

Explore More

Shufti Blog

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Requires in 2026

Corporate Transparency Act & FinCEN’s BOI Rule: What AML Requires in 2026

Explore More

Shufti Blog

What happens during a Shufti identity check?

What happens during a Shufti identity check?

Explore More

Shufti Blog

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

EU AML Regulation 2027 Germany: What Happens to VideoIdent When BaFin Rules Are Replaced?

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started