AML Compliance for Fund Managers and Investment Managers in Hong Kong

Anti-money laundering and counter-financing of terrorism (AML/CFT) compliance is one of the most operationally demanding areas of SFC regulation for fund managers and investment managers in Hong Kong. The regulatory framework is multi-layered — drawing from statute, SFC guidelines, FATF recommendations, and increasingly, enforcement precedents — and the consequences of non-compliance range from regulatory censure and licence conditions to criminal prosecution and civil liability.

This guide sets out the core AML/CFT obligations that apply to SFC-licensed corporations managing funds or discretionary portfolios in Hong Kong, and explains what a robust compliance programme should look like.

The Regulatory Framework

The primary legislation is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) (Cap. 615), which came into full force in 2012 and has been significantly amended since. AMLO applies to all "financial institutions" as defined in Schedule 1, which includes corporations licensed under the Securities and Futures Ordinance (SFO).

AMLO is supplemented by:

• The SFC's AML/CFT guidelines issued under section 7 of AMLO — these are statutory guidelines and carry significant weight in enforcement
• The Financial Action Task Force (FATF) Recommendations, which Hong Kong implements as a member of the FATF network
• HKMA-issued guidance (for banks that are also fund management groups)
• The Drug Trafficking (Recovery of Proceeds) Ordinance and Organized and Serious Crimes Ordinance, which impose the underlying money laundering offences

Non-compliance with AMLO can result in civil liability (fines of up to HK$1,000,000 per contravention), while the underlying money laundering and terrorist financing offences carry criminal penalties including imprisonment.

Who Is Covered?

The AML/CFT obligations under AMLO and SFC guidelines apply to any SFC-licensed corporation, including:

• Type 9 (asset management) licensees managing funds or discretionary accounts
• Type 4 (advising on securities) and Type 1 (dealing in securities) licensees that handle client assets
• Fund management subsidiaries of banking groups
• Hedge fund managers, private equity managers, and REIT managers

Importantly, the SFC takes the position that AML/CFT responsibilities apply not just to the licensed entity but to its senior management and responsible officers (ROs), who may be held personally liable for systematic compliance failures.

Customer Due Diligence (CDD)

Customer due diligence — commonly known as KYC (know your customer) — is the foundation of any AML/CFT programme. Under AMLO, financial institutions must conduct CDD:

• When establishing a new business relationship
• When conducting an occasional transaction above HK$120,000 (or its equivalent)
• When there is suspicion of money laundering or terrorist financing
• When there is doubt about the accuracy of previously obtained identification information

Standard CDD requires: verifying the customer's identity using reliable, independent source documents; understanding the nature and purpose of the intended business relationship; and conducting ongoing monitoring of the relationship.

Enhanced Due Diligence (EDD)

Where a customer or transaction presents a higher risk of money laundering or terrorist financing, enhanced due diligence must be applied. The SFC's AML/CFT guidelines specify categories of higher-risk customers that require EDD, including:

• Politically exposed persons (PEPs) — individuals who hold or have held prominent public functions — and their family members and close associates
• Customers from jurisdictions identified by FATF as having strategic AML/CFT deficiencies (the FATF "grey list" and "black list")
• Customers whose business structure or ownership appears unusual or overly complex without apparent economic rationale
• Cash-intensive businesses
• Customers who are unwilling to provide information or who provide inconsistent information

EDD measures include obtaining additional information on the customer's source of wealth and source of funds, applying enhanced ongoing monitoring, and obtaining senior management approval for establishing or continuing the relationship.

Simplified Due Diligence (SDD)

In limited circumstances where the risk of money laundering or terrorist financing is demonstrably lower, simplified due diligence measures may be applied. SDD is permitted for certain low-risk institutional clients, listed companies in well-regulated markets, and regulated financial institutions in equivalent jurisdictions. However, SDD does not eliminate the obligation to monitor transactions.

Beneficial Ownership Identification

One of the most significant aspects of CDD is identifying the ultimate beneficial owners (UBOs) of corporate and trust clients. For fund managers, this is particularly relevant when the investor is an institutional entity — a company, partnership, trust, or fund vehicle — rather than a natural person.

Under the SFC's guidelines, a financial institution must identify all natural persons who ultimately own or control a legal entity customer. The standard threshold used in practice is beneficial ownership or control of 25% or more, though the SFC expects financial institutions to look beyond the 25% threshold where risk factors indicate that a lower-percentage shareholder exercises effective control.

For trust structures, the relevant natural persons include the settlor, trustee(s), protector (if any), beneficiaries, and any other persons exercising effective control over the trust. For discretionary trusts where the beneficiaries are a class, the financial institution should identify the class and any persons who can benefit in the near term.

Fund managers should be aware that many of their investors will themselves be institutional vehicles — feeder funds, fund of funds, or insurance wrappers — and that the look-through obligation extends to those vehicles in turn.

Ongoing Monitoring

CDD is not a one-time event. AMLO requires financial institutions to conduct ongoing monitoring of their business relationships, which includes:

• Scrutinising transactions to ensure they are consistent with the institution's knowledge of the customer, their business, and their risk profile
• Keeping documents and data obtained under CDD up to date
• Identifying transactions that are unusual, inconsistent with the customer's known profile, or that otherwise warrant further enquiry

For fund managers, ongoing monitoring applies both to investor relationships (periodic re-verification, re-assessment of risk) and, importantly, to the fund's own investment activities (monitoring of counterparties and portfolio companies in certain contexts).

Risk-based ongoing monitoring is acceptable under the SFC's guidelines — higher-risk relationships should be monitored more frequently and intensively than lower-risk ones. The SFC expects that the frequency and intensity of monitoring is documented and justified in the firm's risk assessment.

Suspicious Transaction Reporting (STR)

Any SFC-licensed corporation that knows or suspects that a transaction or proposed transaction involves proceeds of drug trafficking, an organised or serious crime, or terrorist property is under a statutory obligation to file a suspicious transaction report (STR) with the Joint Financial Intelligence Unit (JFIU), operated jointly by the Hong Kong Police Force and the Customs and Excise Department.

The obligation to report arises as soon as suspicion is formed — there is no minimum threshold. Critically, it is an offence under the Organised and Serious Crimes Ordinance to tip off the customer or any other person that an STR has been filed or that a money laundering investigation is underway. This tipping-off restriction creates significant operational challenges: the licensed corporation must continue to deal with the customer normally while the JFIU review is pending, without disclosing the reason for any delay or additional inquiry.

In practice, STR decisions require careful legal judgment. Filing an STR when there is no genuine suspicion does not constitute a "safe harbour"; the obligation is to report actual suspicion, not to file speculatively. Fund managers should ensure their compliance teams are trained to identify red flags and escalate appropriately, and that the decision to file (or not to file) is documented.

Record-Keeping

AMLO requires financial institutions to keep records of:

• CDD documents and information for a minimum of six years from the date the business relationship ends
• Transaction records for a minimum of six years from the date of the transaction

Records must be kept in a form that enables their timely retrieval — the SFC has been explicit that it expects firms to be able to produce CDD files and transaction records within a reasonable timeframe during inspections. Cloud-based document management systems are acceptable, provided the records are complete and retrievable.

Risk Assessment and AML/CFT Policies

The SFC requires licensed corporations to conduct and document a firm-wide AML/CFT risk assessment, identifying the money laundering and terrorist financing risks inherent in the firm's business model, client base, products, geographic exposure, and transaction types. This risk assessment should be reviewed and updated at least annually, or upon any material change to the business.

Based on the risk assessment, the firm must implement written AML/CFT policies, procedures, and controls that are proportionate to the identified risks. These policies must address: the CDD process and risk classification; EDD triggers and procedures; the STR escalation process; training requirements; and the roles and responsibilities of the compliance function and senior management.

The SFC's guidelines also require firms to designate a senior officer responsible for AML/CFT compliance — in practice, this is typically the Compliance Officer or Money Laundering Reporting Officer (MLRO). The MLRO must have sufficient seniority, authority, and resources to fulfil the role effectively.

Staff Training

All relevant staff — including front-office personnel, compliance staff, and senior management — must receive regular AML/CFT training. Training should cover:

• The firm's legal and regulatory obligations under AMLO and SFC guidelines
• How to identify red flags and suspicious transactions
• The firm's internal escalation and reporting procedures
• The tipping-off prohibition

Training records should be maintained and made available for inspection. The SFC expects training to be refreshed periodically — typically at least annually — and to be updated when the regulatory framework or the firm's risk profile changes.

SFC Inspections and Enforcement Trends

The SFC conducts routine and targeted on-site inspections of licensed corporations, during which AML/CFT is a standard area of focus. Common deficiencies identified by the SFC in AML/CFT inspections include:

• Inadequate or outdated CDD documentation (particularly for existing clients)
• Failure to identify or properly verify beneficial owners of corporate clients
• Absence of a documented firm-wide risk assessment
• Inadequate ongoing monitoring procedures
• Insufficient training records
• Failure to apply EDD to PEP clients or clients from high-risk jurisdictions

In recent years, the SFC has taken enforcement action against licensed corporations and their senior management for AML/CFT failings. Penalties have included public reprimands, fines, and licence suspensions. The trend is towards greater personal accountability for ROs and MLROs where the failures reflect systemic gaps rather than isolated oversights.

Key Practical Considerations

For fund managers building or reviewing their AML/CFT compliance programmes, the following practical points deserve emphasis. First, documentation is critical — the SFC inspects files, and an undocumented CDD process is treated as an absent one. Second, the risk-based approach requires genuine risk differentiation, not a uniform procedure applied to all clients regardless of risk level. Third, investor CDD at the fund level must be coordinated with fund administrator CDD procedures to avoid duplication and gaps. Fourth, for closed-ended private equity and venture funds with limited liquidity, the SFC expects that CDD is refreshed at key events (new closings, secondary transfers, distributions). Fifth, in fund-of-funds and feeder structures, reliance on the underlying fund's CDD is permissible in limited circumstances under AMLO's reliance provisions, but the primary responsibility remains with the SFC-licensed entity.

How Alan Wong LLP Can Help

Alan Wong LLP advises SFC-licensed fund managers, investment managers, and regulated entities on the full range of AML/CFT compliance matters, including: structuring and reviewing AML/CFT policies and procedures; advising on CDD requirements for complex investor structures; assisting with SFC inspection preparation and responses; advising on STR obligations; and providing regulatory training for compliance teams and senior management. We work with both established fund management groups and newly licensed boutique managers to build compliance frameworks that are rigorous, practical, and proportionate to the firm's risk profile.