Hong Kong - Anti-Money Laundering and Counter-Terrorist Financing Ordinance


    The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (‘the AMLO’) imposes requirements relating to customer due diligence and record-keeping on specified financial institutions and designated non-financial businesses and professions (‘DNFBP’).

    The AMLO also provides for the powers of the relevant authorities and regulatory bodies to supervise compliance requirements, the regulation of the operation of a money service and the licensing of money service operators, and the regulation of the operation of a trust or company service and the licensing of trust or company service providers. In addition, the AMLO establishes a review tribunal to review certain decisions made by the relevant authorities.

    Last Updated: July 22, 2019


  • Requirements

    According to the AMLO, financial institutions and DNFBPs are required to take all reasonable measures to ensure proper safeguards exist to prevent a contravention of requirements in Parts 2 and 3 of Schedule 2 of the AMLO and to mitigate money laundering and terrorist financing risks.

    To do this, financial institutions and DNFBPs should adopt:

    Anti-Money Laundering (‘AML/CTF’) Systems 

    Having regard to the nature, size and complexity of its businesses, as well as the extent to which the practice is dealing through intermediaries or third parties, a financial institution should implement adequate and appropriate AML/CFT systems which should include:

    • compliance management arrangements;  
    • independent audit function;  
    • employee screening procedures; and  
    • an ongoing employee training programme.

    Customer Due Diligence 

    Financial institutions must: 

    • identify the customer and verify the customer’s identity using documents, data or information provided by a reliable and independent source;  
    • where there is a beneficial owner in relation to the customer, identify and take reasonable measures to verify the beneficial owner’s identity so that the financial institution is satisfied that it knows who the beneficial owner is, including, in the case of a legal person or trust, measures to enable the financial institutions to understand the ownership and control structure of the legal person or trust;  
    • obtain information on the purpose and intended nature of the business relationship (if any) established with the financial institution unless the purpose and intended nature are obvious; and
    • if a person purports to act on behalf of the customer, identify the person and take reasonable measures to verify the person’s identity using documents, data or information provided by a reliable and independent source and verify the person’s authority to act on behalf of the customer.

    Note that practices may rely on an intermediary to perform any part of the CDD measures above.

    Ongoing Monitoring 

    A financial institution must continuously monitor its business relationship with a client by:   

    • reviewing from time to time documents, data and information relating to the customer that have been obtained by the financial institution for the purpose of complying with the requirements imposed under Part 2 of Schedule 2 of the AMLO to ensure that they are up-to-date and relevant;
    • conducting appropriate scrutiny of transactions carried out for the customer to ensure that they are consistent with the financial institution’s knowledge of the customer, the customer’s business, risk profile and source of funds; and
    • identifying transactions that are complex, unusually large in amount or of an unusual pattern, and have no apparent economic or lawful purpose, and examining the background and purposes of those transactions and setting out the findings in writing. 

    Note that the extent of the monitoring is linked to the risk profile of the client and whether the business relationship poses more risk, including through the use of intermediaries.  

    Risk Based Approach 

    In the context of CDD and ongoing monitoring, the general principle for applying such an approach is that where customers are assessed to be of higher AML/CTF risks, a financial institution should take enhanced measures to manage and mitigate those risks, and that correspondingly where the risks are lower, simplified measures may be applied. In other words, the degree, frequency or extent of CDD measures and ongoing monitoring conducted vary in accordance with the assessed AML/CTF risks associated with third party risks.

    Record Keeping 

    A financial institution should maintain CDD information, transaction records and other records that are necessary and sufficient to meet the record-keeping requirements under the AMLO. The AMLO also states that the original or copies of records and documents relating to customers’ accounts should be kept throughout the business relationship and for a period of six years after the end of the relationship and for five years after the 1 March 2018 amendments.

    Staff Training and Communication 

    It is the financial institution’s responsibility to provide adequate training for its staff so that they are adequately trained to implement its AML/CFT systems. The scope and frequency of training should be tailored to the specific risks faced by the financial institution and pitched according to the job functions, responsibilities and experience of the staff. New staff should be required to attend initial training as soon as possible after being hired or appointed. Apart from the initial training, financial institutions should also provide refresher training regularly to ensure that their staff are reminded of their responsibilities and are kept informed of new developments related to AML/CTF.

  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews.

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.
