AML/CFT Compliance Deficiencies in Hong Kong TCSP Firms: Key Areas Identified by the Companies Registry

Common deficiencies identified during interviews and inspections

In the “Points to Note for Applicants / Holders of TCSP Licences” issued by the Companies Registry (“CR”) on 20 November 2025 (the “2025 Guidance”), the Companies Registry has publicly identified a number of recurring deficiencies observed during interviews and compliance inspections of TCSP licensees. These findings reflect areas where firms are frequently unable to demonstrate effective implementation of AML/CFT requirements.

The most common deficiencies identified by the Companies Registry include the following:

1. Policy statements

Many TCSP licensees are unable to demonstrate that they have established their own written AML/CFT policy statements, or that existing policies adequately cover all required areas. Common issues include:

• No written AML/CFT policy statement in place.
• Policy statements that omit key areas, including:
  • Institutional risk assessment;
  • Customer due diligence (“CDD”) procedures and required documentation on persons purporting to act on behalf of the customers;
  • Additional CDD measures for customers not physically present for identification purposes;
  • Screening of customers against sanctions and terrorist designation lists;
  • Screening of beneficial owners against politically exposed person (PEP) lists;
  • Employee screening procedures; and
  • An independent audit or review function.

2. Risk assessment

Risk assessment continues to be a recurring area of weakness identified during interviews and inspections. The 2025 Guidance notes that TCSP licensees frequently fail to demonstrate the following:

• Inability to demonstrate that institutional risk assessment has been conducted;
• Inability to demonstrate that customer risk assessments have been conducted; and
• Absence of documented risk assessment records or results.

3. Customer screening

Deficiencies in screening procedures are commonly identified during interviews and inspections, particularly in relation to sanctions, terrorist financing, and PEP risks. These include:

• Failure to screen customers against updated sanctions and terrorist designation lists.
• Screenings are not conducted as soon as practicable after relevant lists are updated.
• Failure to screen beneficial owners of customers against PEP lists.
• No screening records or results are kept.

4. Customers not physically present for identification

Non-face-to-face onboarding continues to be regarded as a higher-risk area and the CR considers that enhanced due diligence measures should be applied to those clients who are not physically present for identification. The CR has identified the following deficiencies:

• Rely primarily on online interviews as the sole verification method.
• Accept screenshots or photographs of customers holding identification documents during the online interviews without additional safeguards.
• Fail to apply enhanced due diligence or other additional measures to address the increased money laundering and terrorist financing risks.

5. Ongoing monitoring

Weaknesses in ongoing monitoring are identified, particularly where firms cannot demonstrate continued awareness of changes in client information. Common deficiencies include:

• Lack of awareness of changes in the particulars of customers and their beneficial owners; and
• Inability to demonstrate that customer information is kept up to date and relevant.

6. Persons purporting to act on behalf of customers

For non-individual clients, the CR frequently identifies failures relating to authority verification. These include:

• No verification of the authority of persons purporting to act on behalf of corporate customers.
• Absence of authorisation documents issued by the corporate customer to show that the person is authorised to give instructions or enter into arrangements on behalf of the customer.

Recent disciplinary actions by the Companies Registry

Recent disciplinary actions taken by the CR provide practical insight into how AML/CFT deficiencies are identified and enforced in practice. The underlying findings reveal consistent patterns of control weaknesses that frequently arise during compliance inspections.

A review of recent cases shows that enforcement action most commonly relates to failures under Schedule 2 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (“AMLO”), particularly section 19 (failure to establish and maintain effective AML/CFT procedures) and section 23 (failure to put in place proper safeguards to prevent AML/CFT breaches and mitigate ML/TF risks).

The following cases illustrate the types of deficiencies that regularly lead to disciplinary action:

1. Jun Gang Business Secretary (Hong Kong) Co., Limited

The licensee failed to take reasonable measures to ensure that proper AML/CFT safeguards were in place, in breach of section 23 of Schedule 2 of the AMLO. The deficiencies related to the absence of effective controls to prevent AML/CFT contraventions and to mitigate ML/TF risks.

2. Ruiheng HK Enterprise Registration Services Center Co., Limited

The licensee failed to establish and maintain adequate AML/CFT policies, procedures and controls, as evidenced by policy statements or other written documents, contrary to Condition 2 of their licence and sections 19(3) and 23 of Schedule 2 of the AMLO. The firm lacked effective procedures to discharge core statutory duties, including customer due diligence and other measures to mitigate money laundering and terrorist financing risks.

3. Royal Assets Corporate Services Limited

The licensee failed to maintain effective procedures for identifying politically exposed persons (PEPs) and failed to establish effective AML/CFT procedures, in breach of sections 19(1), 19(3), and 23 of Schedule 2 of the AMLO.

4. Champion Corporate Limited

The licensee failed to conduct ongoing monitoring of customer relationships and failed to maintain effective PEP identification procedures. These deficiencies constituted breaches of sections 5(1), 19(1), 19(3), and 23 of Schedule 2 of the AMLO, reflecting weaknesses in customer due diligence and ongoing monitoring measures.

5. Open Up Business Co. Limited

The licensee failed to properly verify customer and beneficial owner identities, failed to maintain effective PEP screening procedures, and failed to implement adequate AML/CFT safeguards, in breach of sections 2(1), 19(1), and 23 of Schedule 2 of the AMLO.

6. Hung Kai Registrations (HK) Limited

The licensee failed across multiple core obligations, including beneficial ownership verification, ongoing monitoring, non-face-to-face customer measures, PEP screening, and the maintenance of effective AML/CFT safeguards. These failures constituted breaches of sections 2(1), 5, 9, 19(1), 19(3), and 23 of Schedule 2 of the AMLO.

Key regulatory themes arising from recent cases

A review of recent disciplinary actions involving the six TCSP licensees above shows a consistent enforcement focus by the CR. While the factual circumstances differ, the underlying compliance failures fall into a small number of recurring themes.

1. Failure to establish and maintain effective AML/CFT systems

Across multiple cases, the Companies Registry cited breaches of section 19(3) and section 23 of Schedule 2 to the AMLO, reflecting failures to establish effective AML/CFT procedures and safeguards. In practice, this often stemmed from incomplete or poorly implemented internal controls. The Registry’s approach indicates that the existence of written procedures alone is insufficient if they are not demonstrably effective in operation.

2. Deficiencies in politically exposed person (PEP) identification

Several licensees were found to have breached section 19(1) of Schedule 2, having failed to establish and maintain effective procedures to determine whether customers or beneficial owners were PEPs. These findings suggest that PEP screening remains a closely scrutinised area, particularly where firms cannot show records of the relevant screening results.

3. Poor customer due diligence and beneficial ownership verification

Failures to properly verify customer identities and beneficial owners were a common feature, with breaches cited under section 2(1) of Schedule 2. These cases demonstrate that basic CDD obligations, including verification of the identity of the beneficial owners, continue to be a frequent source of enforcement action, especially where records are incomplete or verification steps are inadequately documented.

4. Inadequate controls for non-face-to-face client onboarding

Where customers were not physically present for identification purposes, the CR frequently identified breaches of section 9 of Schedule 2 of the AMLO, relating to the failure to apply additional client due diligence measures for these customers. Reliance on online interviews or visual checks alone, without further verification or safeguards, was repeatedly treated as insufficient to mitigate ML/TF risks.

5. Failures in ongoing monitoring

Some cases involved breaches of section 5(1) of Schedule 2 of the AMLO, reflecting failures to continuously monitor business relationships and keep customer information up to date. The Registry’s findings highlight that client due diligence is not a one-off exercise and that TCSP licensees are expected to demonstrate periodic review and active management of existing client relationships.

6. Systemic rather than isolated compliance weaknesses

Taken together, the cases show that disciplinary action is most often driven by systemic control weaknesses, rather than single procedural lapses. Failures in the establishment of proper records for client due diligence, risk assessment, screening, and ongoing monitoring frequently overlap, indicating broader governance and implementation issues within the AML/CFT framework.

These six cases illustrate how the CR applies AML/CFT requirements in practice. While the factual circumstances differ, the underlying contraventions arise from a small number of recurring control failures. These patterns provide a useful reference point for TCSP licensees when assessing the adequacy of their own AML/CFT frameworks and readiness for inspection.

Disclaimer: This publication is provided for general information and guidance only. The views and comments expressed herein do not constitute, and should not be relied upon as, legal advice or a legal opinion.

How KYC Management can help

KYC Management is specifically designed to enable TCSP licensees to complete the entire AML/CFT process in minutes, not hours. From customer due diligence and risk assessments to screening and ongoing monitoring, KYC Management expedites traditionally manual and complex AML/CFT processes into a simple, compliant and efficient workflow.

By eliminating fragmented and manual procedures, KYC Management enables firms to onboard clients faster, reduce compliance risk, and improve operational efficiency without compromising regulatory standards.

Some of our key features include:

• A Client-Facing Portal for Onboarding: Your clients can securely login to upload required documents, drastically cutting down the time for drafting back-and-forth emails and speeding up onboarding.
• Comprehensive Datasets for AML Checks: Screen individuals and businesses against sanctions, PEPs, financial regulatory, law enforcement, and adverse media lists covering real-time data from 230+ jurisdictions and 43,000 global sources.
• Never Miss a Deadline with Automated Reminders: Our system provides customised reminders for annual CDD reviews and expiring documents. Seamlessly integrated with our CDD Portal, our automated reminders make follow-ups and ongoing management faster and easier.

To learn more about how KYC Management supports TCSP licensees, visit the Trust or Company Service Providers section on our website.

Book a Demo

If you want to see how KYC Management can help your firm strengthen AML/CFT controls, improve inspection readiness, and reduce operational friction, book a demo now to see the platform in action.

References

For more information about TCSP licensing, compliance obligations, and AML guidelines in Hong Kong, please refer to the following official resources:

1. Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the Laws of Hong Kong)
2. Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees)”  (“TCSP AML Guidelines”) issued by the Companies Registry in March 2025
3. Guideline on Licensing of Trust or Company Service Provider issued by Companies Registry in May 2025
4. Commonly Raised Questions by respondents and the Companies Registry’s response issued by Companies Registry on 6 December 2024
5. Points to Note for Applicants / Holders of TCSP Licences issued by the Companies Registry on 20 November 2025

Simplify Your AML/CFT Workflow Today

KYC Management enables firms to complete the entire AML/CFT process in minutes - not hours. From customer due diligence and risk assessments to screening and ongoing monitoring, KYC Management expedites traditionally manual and complex AML/CFT processes into a simple and compliant workflow.

Interested in learning more? Let's talk