How to prepare for Companies Registry AML/CFT Compliance Inspection for TCSP Licensees in Hong Kong

For TCSP licensees in Hong Kong, AML/CFT compliance inspections conducted by the Companies Registry (“CR”) are an integral part of ongoing regulatory supervision. At its core, these inspections are designed to evaluate how a firm manages its exposure to money laundering and terrorist financing risks. It involves a close examination of the firm’s risk assessment framework, customer due diligence processes, screening and ongoing monitoring systems, and record-keeping practices.

Given the severe consequences of non-compliance, preparation for a CR inspection should not be treated as a last-minute exercise. It requires a structured and proactive approach that ensures alignment with the requirements under Schedule 2 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the Laws of Hong Kong) (“AMLO”) and the “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees)” (“TCSP AML Guidelines”).

This article sets out the key areas that TCSP licensees should focus on to ensure they are well-positioned to meet regulatory expectations during an inspection.

1. What is AML and CFT compliance for TCSPs?

AML and CFT compliance refers to the systems, controls, and procedures a TCSP licensees must establish and maintain to prevent its services from being misused for money laundering or terrorist financing. Compliance goes beyond simply having written policies. It focuses on whether those controls are effectively implemented and operating in practice.

As a licensed TCSP, key AML/CFT obligations include assessing money laundering and terrorist financing risks at both an institutional and customer level, maintaining effective procedures for customer due diligence, record-keeping, and suspicious transaction reporting to the Joint Financial Intelligence Unit. During inspections, the CR typically focuses on whether these requirements are properly implemented and capable of being evidenced by complete, accurate and up-to-date documentation.

Supervisory Measures Undertaken by the Companies Registry

To monitor the compliance of TCSP licensees with the AMLO and the TCSP AML Guidelines, the CR typically adopts a combination of the following compliance monitoring activities:

• Interview
• Inspection (surprise inspection or by appointment)
• Desktop review

How should TCSP licensees be prepared for the AML/CFT inspections conducted by the CR?

Key focuses of the  AML/CFT inspections conducted by the CR focuses on the compliance with (i) Schedule 2 of the AMLO and (ii) the TCSP AML Guidelines. This includes assessing the following key areas during the AML/CFT inspections:

• Customer Due Diligence (CDD) process;
• Risk Assessment;
• Record-Keeping;
• Customer Screenings;
• Ongoing Monitoring;
• Suspicious Transactions Reporting (STR);
• Customer not physically present for identification; and
• CDD Process for person purports to act on behalf of the customer.
  

Why this matters for TCSP firms

A. Enforcement Actions by the CR

Where a TCSP licensee is found to have contravened AML/CFT requirements, the CR may exercise one or more enforcement powers proportionate to the nature, seriousness, and circumstances of the contravention. These powers include:

• Warning or advisory letter: The CR may issue warning or advisory letter for a TCSP licensee that fails to comply with the AML/CFT obligations. 
• Public Reprimand: The CR may publicly reprimand the licensee.
• Remedial Orders: The CR may direct the licensee to take specific actions, within a period specified by the CR, for the purpose of remedying the contravention.
• Pecuniary Penalty: The CR may order the licensee to pay a pecuniary penalty not exceeding HKD 500,000, in accordance with section 53Z(3) of the AMLO.
• Revocation and suspension of licence: In more severe non-compliance of the AML/CFT obligations, the CR may revoke or suspend the licence of a TCSP.
• Prosecution: Legal proceedings may be initiated by CR for serious breaches, which may result in fines, disqualification of licences or other court-imposed penalties.

These enforcement powers may be imposed individually or in combination, depending on the circumstances of each case.

B. Disciplinary Action Against Directors of Corporate Licensees

Under paragraph 13.2 of the Guideline on Licensing of Trust or Company Service Providers (“Licensing Guideline”), where the TCSP Licensee is a corporation, the CR may also take the above enforcement action against the director of the TCSP Licensee if:

• the corporation contravenes any customer due diligence or record-keeping requirement; and
• the contravention was caused or permitted by the director, or occurred because the director failed to take reasonable steps to prevent the contravention.

In such circumstances, the director may be subject to disciplinary action as if he or she were a licensee, except where the director is an accounting professional or a legal professional.

2. Preparing for an AML/CFT Inspection by the CR

The following highlights the key areas that a TCSP should prioritise when preparing for an AML/CFT inspection by the CR:

A. Implement a robust AML/CFT system and internal policy

An AML/CFT system should be formally documented through written internal policies and procedures that set out how the TCSP implement its AML/CFT controls in practice. During AML/CFT inspections, the CR assesses whether the policy is complete, up to date, and supported by adequate records evidencing effective and consistent implementation across the organisation.

A robust and well-documented AML/CFT framework is essential for TCSP licensees in Hong Kong. TCSP licensee is expected to establish, maintain, and effectively implement a written AML/CFT policy that is proportionate to its size, nature of business, and risk profile.

The AML/CFT Policy should set out structured and clearly defined procedures covering the below key areas:

• customer due diligence measures;
• customer risk assessment;
• institutional risk assessment;
• screening of customers against the lists of sanction designations and terrorists, and screening of beneficial owners of customers on politically exposed persons (“PEPs”);
• ongoing monitoring;
• procedures for filing suspicious transaction reports;
• record-keeping obligations;
• risk assessment and risk management;
• audit of the internal policies, procedures and controls; and
• employee screening procedures.

In the “Points to Note for Applicants / Holders of TCSP Licences” issued by the CR on 20 November 2025 (“2025 Guidance”), the CR noted that certain TCSP licensees had not established a formal written AML/CFT policy statement, while others had adopted policy statements that lacked adequate detail in key compliance areas. In particular, the CR expects the AML/CFT policy to adequately address the following key areas, which are commonly omitted:

• Institutional Risk Assessment
  
  The institutional risk assessment was introduced by the revised Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees) which took place on 3 March 2025. Please refer to our Article “Key Changes to the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For TCSP Licensees)” for more information.
  
  The AML/CFT policy should set out a structured framework for conducting and maintaining an institutional risk assessment, including documented processes for identifying and assessing risks using qualitative and quantitative analysis. All relevant risk factors should be considered to determine the overall risk level and appropriate mitigation measures. The institutional risk assessment must be reviewed and approved by senior management and subject to periodic review. As a general rule, the institutional risk assessment should be conducted at least every two years and following any material triggering events affecting the TCSP licensee’s business or risk exposure.
  
  
• Customer Due Diligence and Verification of Person Purports to Act On Behalf of the Customer
  
  Clear and detailed customer due diligence procedures should be documented in the AML/CFT policy statement, including detailed requirements for the identification and verification of customers and beneficial owners. The policy should also specify the procedures and documentation required to verify individuals purporting to act on behalf of customers, including confirmation of their authority and identity using reliable and independent sources.
  
  
• Measures for Non-Face-to-Face Customers
  
  Where customers are not physically present for identification purposes, the AML/CFT policy should prescribe additional risk-mitigating measures. These may include the use of reliable electronic identification systems, independent verification or certification of identity documents, and enhanced ongoing monitoring.

Compliance management arrangement is another key focus area. TCSP licensees are expected to appoint a Compliance Officer and a Money Laundering Reporting Officer (“MLRO”), define their roles and responsibilities, and ensure that these roles are effectively overseen by senior management. Where the staff identifies suspicious transactions, the policy should set out the procedures for internal reporting lines, how compliance issues should be addressed and how it should be reported to the Joint Financial Intelligence Unit (“JFIU”) where necessary.

Finally, TCSP firms should ensure that AML/CFT policies are reviewed regularly and updated to reflect regulatory developments, inspection feedback, and changes in the firm’s money laundering or terrorist financing (“ML/TF”) risks and profile.

B. Comply with the customer due diligence requirements under the AMLO

Customer due diligence (“CDD”) requirements applicable to TCSP licensees are set out in Schedule 2 to the AMLO and elaborated in the TCSP AML Guidelines. TCSP licensees must apply CDD measures on a risk-based basis and retain records to demonstrate compliance.

CDD measures at the establishment of a business relationship

Before establishing a business relationship, a TCSP licensee must:

• identify the customer and verify the customer’s identity using documents, data, or information from a reliable and independent source;
• where the customer has a beneficial owner, identify the beneficial owner and take reasonable measures to verify the beneficial owner’s identity, including understanding the ownership and control structure of a legal person or trust;
• obtain information on the purpose and intended nature of the business relationship; and
• where a person purports to act on behalf of the customer, identify and verify the identity of that person and verify their authority to act on behalf of the customer.

Failure to retain documentary evidence supporting the above measures is commonly treated by the CR as a CDD deficiency during inspections.

Ongoing monitoring obligations

CDD obligations continue throughout the business relationship. TCSP licensees must conduct ongoing monitoring to:

• review customer information periodically to ensure it remains up to date and accurate;
• identify changes in ownership, control, business activities, or risk profile; and
• apply enhanced due diligence (“EDD”) measures where higher ML/TF risks are identified.

Ongoing monitoring activities, risk reassessments, and follow-up actions must be documented and retained as part of the audit trail.

Non-face-to-face customers

The AMLO allows TCSP licensees to establish business relationships through non-face-to-face channels. Where a customer is not physically present for identification purposes, the TCSP licensee must apply additional measures to mitigate the increased ML/TF risk.

Except in the limited circumstances specified in paragraph 4.10.2 of the TCSP AML/CFT Guideline, a TCSP licensee must apply at least one of the following measures:

• further verification of the customer’s identity using reliable and independent information not previously used;
• supplementary measures to verify customer information already obtained; or
• ensuring that the payment in relation to the transaction is made through an account in the customer’s name with an authorised institution, or with an institution in an equivalent jurisdiction subject to AML/CFT requirements comparable to Schedule 2 of the AMLO.

Reliance solely on online interviews or copies of identification documents does not satisfy the requirement to apply additional measures. TCSP licensees should retain records demonstrating which additional measure(s) were applied.

C. Comply with the record-keeping requirements under the AMLO

Under the AMLO, TCSP licensees are required to keep records relating to customer due diligence, ongoing monitoring, risk assessment, screenings and other AML/CFT records related to the transaction. This includes records of customer identification and verification, risk assessments, screening results, source of funds or source of wealth enquiries (where applicable), and internal decisions.

As a general rule, these records should be retained for at least five years after the end of the business relationship or the completion of an occasional transaction. Records should be stored securely and be capable of being retrieved promptly, whether they are maintained electronically or in physical form.

TCSP licensees should periodically review client files to confirm that records are complete andup to date. A clear and well-maintained audit trail not only supports compliance with AMLO requirements, but also enables the firm to respond confidently and efficiently during CR inspections.

D. Risk assessments

Risk assessments are another key focus of CR’s inspections. TCSP licensees are expected to adopt a risk-based approach, which means that the level of customer due diligence measures should be proportionate to the level of ML/TF risks presented by a client or transaction.

According to paragraph 2.4 of the TCSP AML Guidelines, at a firm-wide level, TCSPs should conduct an institutional ML/TF risk assessment that considers the nature and scale of their business. This typically includes assessing risks relating to customer types, services provided, jurisdictions involved, delivery channels (including non-face-to-face arrangements), and internal factors such as staff with access to ongoing AML/CFT training and development, compliance and regulatory findings, and the results of internal or external audits. The institutional risk assessment should be reviewed every two years and updated when there are material changes to the TCSP licensee’s business and risk exposure.

In addition to the institutional assessment, TCSP licensees are expected to perform customer-level risk assessments. These assessments help determine whether a client is low, medium, or high risk and guide the extent of customer due diligence. CR inspections often assess whether customer risk ratings are supported by risk assessment records and whether higher-risk ratings resulted in enhanced due diligence measures.

As highlighted in the 2025 Guidance, a common inspection finding is the inability to demonstrate that risk assessments were actually conducted or documented. To address these shortcomings, TCSPs should ensure that both institutional and customer risk assessments are fully documented, with clear reasoning and supporting evidence to substantiate how each risk rating has been derived.

E. Enhanced due diligence (EDD) for high-risk clients

EDD is required where a client or transaction presents a higher ML/TF risk. During CR inspections, TCSP licensees should be able to demonstrate in their records why EDD is triggered, what additional measures were applied, and how those measures addressed the identified risks.

High-risk situations commonly include clients with complex ownership structures, connections to higher-risk jurisdictions, PEPs, or arrangements involving cash intensive business or nominee shareholders and directors. In these cases, TCSP firms are expected to go beyond standard customer due diligence and apply additional customer due diligence measures that are proportionate to the level of risk.

In practice, EDD may involve obtaining more detailed information and supplementary documentations on the client’s background, ownership and control, source of funds, or source of wealth, as well as conducting more frequent or more in-depth ongoing monitoring. During the CR inspections, TCSP licensees should be able to demonstrate that these enhanced measures were properly documented.

F. Suspicious transaction reporting requirements

Suspicious transaction reporting is a critical part of the AML/CFT framework. TCSP licensees are expected to have clear internal procedures for identifying and reporting suspicions of money laundering or terrorist financing.

Where a TCSP licensee knows or suspects that property represents the proceeds of crime or is related to terrorist financing, a Suspicious Transaction Report (“STR”) should be filed with the JFIU. TCSP firms should ensure that internal reporting lines are clearly defined and documented. Staff should report any suspicious activities related to the ML/TF to the Money Laundering Reporting Officer (“MLRO”) and understand the internal reporting process.

TCSP firms must ensure that staff strictly avoid any disclosure that could prejudice an investigation, commonly referred to as “tipping off”. This includes informing a client that an STR has been filed or indicating that their activities are under review.

Conclusion

 While regulatory inspections may seem daunting, TCSP licensees that adopt a proactive and structured approach to AML/CFT compliance can significantly reduce uncertainty during the process. By maintaining clear policies and procedures, ensuring staff are adequately trained, and keeping documentation up to date, firms can demonstrate compliance with the AMLO and the TCSP AML Guidelines. Inspections should be approached with transparency and cooperation. Where gaps are identified, TCSP licensees should engage openly with the inspectors to implement appropriate remedial measures.

Disclaimer: This publication is provided for general information and guidance only. The views and comments expressed herein do not constitute, and should not be relied upon as, legal advice or a legal opinion.

AML/CFT Compliance Checklist for TCSP Licensees

To help TCSP licensees translate the key themes discussed in this article into actionable preparation steps, the following checklist provides a practical tool to assess inspection readiness. It is designed to help firms identify common gaps, test internal controls, and ensure that documentation and processes are aligned with Companies Registry expectations before an inspection takes place.

Governance and internal controls

• AML/CFT policy statement is complete, up to date, and tailored to the firm’s business.
• Compliance Officer and MLRO are appointed, clearly identified, and supported by management.
• Reporting lines and procedures are documented and understood by staff.
• Changes to directors, owners, or key personnel are notified to the Companies Registry within the required timeframe.

Risk assessments

• Institutional ML/TF risk assessment is documented and reviewed regularly.
• Customer risk assessments are completed for all clients and well documented.
• Risk ratings and the level of Customer due diligence required. For example, the assessment of whether enhanced due diligence and ongoing monitoring should be adopted.
• Risk assessments are updated when client or business circumstances change.

Customer due diligence (CDD)

• Customer identities are properly verified using reliable and independent sources.
• Beneficial owners of the customers are identified, verified, and documented.
• Persons purporting to act on behalf of customers are verified and the authority to act on behalf of the customers is verified.
• Source of funds or source of wealth checks are conducted for high-risk clients and transactions.

Enhanced due diligence (EDD)

• High-risk clients and transactions are clearly identified and EDD measures are applied to high-risk clients
• EDD measures are applied consistently and proportionately.
• Additional EDD measures are in place for clients who are onboarded through a non-face-to-face meeting.
• EDD decisions and measures are clearly documented.

Screening and ongoing monitoring

• Sanctions, terrorist, and PEP screenings are conducted against the customers and its beneficial owners (if applicable) at onboarding and on an ongoing basis
• Screening results and follow-up actions are recorded.
• Ongoing monitoring is carried out to ensure the information of the customers are up-to-date and relevant.

Suspicious transaction reporting (STR)

• Staff understand how to identify and report suspicious activities to their senior management.
• Internal reporting procedures to the MLRO are clear and followed.
• STRs are filed with the JFIU where required, without undue delay.
• Staff are aware of the offence of “tipping off” and should avoid it .

Record keeping

• Client due diligence, enhanced due diligence, screening results, and risk assessments records are complete and properly maintained.
• Records are retained for at least five years after the end of the relationship or transaction.

Staff training

• Adequate AML/CFT training is provided to the staff regularly.
• The scope and frequency of training should be tailored to the specific risks faced by the TCSP licensee and provided according to the job functions, responsibilities and experience of the staff.
• TCSP licensees should maintain training records detailing the names of staff who participated in the training, the training dates, and the type of training provided, for a minimum period of three years.

Disclaimer: This publication is provided for general information and guidance only. The views and comments expressed herein do not constitute, and should not be relied upon as, legal advice or a legal opinion.

How KYC Management can help

KYC Management is specifically designed to enable TCSP licensees to complete the entire AML/CFT process in minutes, not hours. From customer due diligence and risk assessments to screening and ongoing monitoring, KYC Management expedites traditionally manual and complex AML/CFT processes into a simple, compliant and efficient workflow.

By eliminating fragmented and manual procedures, KYC Management enables firms to onboard clients faster, reduce compliance risk, and improve operational efficiency without compromising regulatory standards.

Some of our key features include:

• A Client-Facing Portal for Onboarding: Your clients can securely login to upload required documents, drastically cutting down the time for drafting back-and-forth emails and speeding up onboarding.
• Comprehensive Datasets for AML Checks: Screen individuals and businesses against sanctions, PEPs, financial regulatory, law enforcement, and adverse media lists covering real-time data from 230+ jurisdictions and 43,000 global sources.
• Never Miss a Deadline with Automated Reminders: Our system provides customised reminders for annual CDD reviews and expiring documents. Seamlessly integrated with our CDD Portal, our automated reminders make follow-ups and ongoing management faster and easier.

To learn more about how KYC Management supports TCSP licensees, visit the Trust or Company Service Providers section on our website.

Book a Demo

If you want to see how KYC Management can help your firm strengthen AML/CFT controls, improve inspection readiness, and reduce operational friction, book a demo now to see the platform in action.

References

For more information about TCSP licensing, compliance obligations, and AML guidelines in Hong Kong, please refer to the following official resources:

1. Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the Laws of Hong Kong)
2. Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees)”  (“TCSP AML Guidelines”) issued by the Companies Registry in March 2025
3. Guideline on Licensing of Trust or Company Service Provider issued by Companies Registry in May 2025
4. Commonly Raised Questions by respondents and the Companies Registry’s response issued by Companies Registry on 6 December 2024
5. Points to Note for Applicants / Holders of TCSP Licences issued by the Companies Registry on 20 November 2025

Simplify Your AML/CFT Workflow Today

KYC Management enables firms to complete the entire AML/CFT process in minutes - not hours. From customer due diligence and risk assessments to screening and ongoing monitoring, KYC Management expedites traditionally manual and complex AML/CFT processes into a simple and compliant workflow.

Interested in learning more? Let's talk