⏰ 於 12 月 24 日前預約演示,即可獲得 HK$1,800 篩查配額及 30 天免費試用!

Resources

/

5 Steps to Ensure AML Compliance When Onboarding a New Client (For TCSPs in Hong Kong)

Sean Ng
Article
Hong Kong Businessmen and businesswomen ensuring AML compliance when registering a new client for a TCSP licensees

Onboarding a new client as a trust or company service provider (“TCSP”) in Hong Kong is far more than a simple administrative exercise. It is a legal obligation governed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the laws of Hong Kong) and the “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees)”  (“TCSP AML Guidelines”) issued by the Hong Kong Companies Registry (“CR”).

Together, these instruments require TCSP licensees to maintain robust internal controls and customer due diligence (“CDD”) procedures to identify, verify, and monitor clients in order to prevent their services being misused for money laundering, terrorist financing, or proliferation financing activities.

This article provides a general guide on how TCSP licensees should conduct client onboarding in compliance with Hong Kong’s AML/CFT framework. 

It outlines the following five essential steps:

  1. identifying and verifying a client’s identity; 
  2. confirming their business purpose and source of funds or wealth; 
  3. assessing risk at both the client and transaction level; 
  4. applying enhanced due diligence for high-risk relationships; and 
  5. maintaining complete, retrievable records for regulatory inspection and audit.

1. Identify and verify the client’s identity with reliable documents and conduct AML/CFT screenings

The foundation of AML/CFT compliance for TCSPs is a robust Know Your Client (“KYC”) and CDD process. Under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and the TCSP AML Guidelines, TCSPs must take reasonable measures to identify the client, verify their identity using reliable and independent documents, and screen all relevant parties for AML/CFT risks before establishing a business relationship with the customer, or before carrying an occasional transaction involving an amount equal to or above HK$120,000 or an equivalent amount in any other currency for the customer.

Under paragraph 4.3.1 of the TCSP AML Guidelines, TCSPs must identify and verify the identity of  their clients by reference to documents, data or information provided by a government body, the CR or other regulated authority, or other independent and reliable sources.

For individual clients, acceptable verification documents include a Hong Kong Identity Card or passport, recent utility bill, and bank statement showing address. 

For corporate clients, acceptable documents include a certificate of incorporation, business registration certificate, constitutional documents, register of directors, and register of members.

For the beneficial owners in relation to a legal person, TCSPs must also identify and verify beneficial owners holding more than 25 percent of shares or voting rights, or otherwise exercising ultimate control over the management of the legal entity, as required by Schedule 2 of the AMLO. Where ownership is dispersed (e.g. there is no natural person holds more than 25% shares or interest in the legal person), the TCSPs should identify and verify the senior managing official of the legal entity. According to the “Commonly Raised Questions by respondents and the Companies Registry’s response”(the “Response”) issued by the CR, examples of senior managing official include chief executive officer, chief financial officer, managing or executive director, president, or natural persons who has significant authority over a legal person’s financial relationships or ongoing financial affairs or has the ability to establish material business relationships for a legal person. TCSPs may rely on the information provided by the customer during the CDD process to identify who is the “senior managing official”. 

TCSPs must also identify the person purporting to act on behalf of the client (“PPTA”) to establish the business relationship with the TCSP licensee. Furthermore, the TCSPs should verify the identity and authority of the PPTA.  For corporate clients, this typically requires obtaining a board resolution or written authorisation confirming the person’s authority to act. As a general rule, the Response suggests that each legal person customer should have at least one PPTA but there may be multiple PPTAs.

In addition to identification and verification of the client, TCSPs must conduct AML/CFT screening before onboarding. This includes screening the client, beneficial owners, and PPTAs against the United Nations sanctions list, the list of terrorists or terrorist associates , politically exposed person (“PEP”) databases, and adverse media. Screening results should be documented clearly and refreshed periodically as part of ongoing monitoring.

Pro Tip: KYC Management provides a client-facing portal for CDD. Clients can securely login to the CDD Portal to upload required documents, eliminating the need for lengthy email exchanges and enabling a faster, more efficient document collection process. 

KYC Management further provides AML screening and ongoing monitoring solutions. The comprehensive datasets on KYC Management allows TCSPs to screen individuals and businesses against sanctions, PEP, financial regulatory, law enforcement, and adverse media lists covering real-time data from 230+ jurisdictions and 43,000 global sources.

This streamlines manual and duplicated tasks and ensures that client verification and screening procedures are performed in one place.

2. Confirm the client’s business purpose, source of funds, and source of wealth

TCSPs must obtain sufficient information to understand the nature and purpose of the client’s business relationship and the source of funds (SoF) involved in the transaction or structure. If the client presents higher ML/TF risks, the TCSP must also establish and verify the client’s source of wealth (SoW).

Understanding the business purpose allows the TCSP to assess whether the proposed structure, transaction, or service is consistent with the client’s stated objectives. Information gathered should describe the client’s business activities, the jurisdictions involved, the expected scale of operations, and the intended use of any entities that will be formed or managed.

TCSPs should also obtain information relating to the source of funds, which refers to the specific origin of the money used for the transaction or engagement. This includes determining whether the funds come from the client’s own bank account, a third party, or a jurisdiction with elevated ML/TF risk. Depending on the risk level, the TCSP may request supporting documents such as bank statements, remittance slips, invoices, contracts, or audited financial statements.

For clients classified as high risk, TCSPs must go further and should obtain additional documentations regarding the intended nature of the business relationship, the source of funds and the source of wealth of the clients. Source of Wealth refers to how the client acquired their overall financial standing and accumulated assets. Supporting evidence may include tax assessments, employment records, business ownership documents, inheritance records, property sale agreements, or other independent documents that demonstrate the origin of the client’s wealth.

The TCSP AML Guidelines requires TCSPs to record all enquiries, assessments, and conclusions relating to the client’s business purpose, SoF, and SoW. The file should clearly show what information was obtained, how it was evaluated, and whether any inconsistencies were identified before proceeding.

Pro Tip: Use KYC Management’s Document Management System to record enquiries, supporting documents, and SoF or SoW assessments. Keeping all evidence and notes within a single client profile provides a clear audit trail and helps TCSPs demonstrate that all necessary checks were properly documented.

3. Conduct risk assessments for the client and the proposed transaction

TCSPs must assess the money laundering and terrorist financing risks associated with each client before establishing a business relationship. This requirement is set out in both the AMLO and the TCSP AML Guidelines. A proper risk assessment ensures that the level of due diligence applied to the client is proportionate to the risks identified.

A comprehensive risk assessment should consider several factors. These include customer risk, country risk, product, service and transaction risk, and delivery channel risk. TCSPs should assess the client’s background, business activities, ownership structure, jurisdictional ties, and intended business relationship and transactions in conducting the risk assessment of the customer.

Based on the risk factors identified, the TCSP should classify the client as low, medium, or high risk. This classification determines the extent of CDD required, and the level and type of ongoing monitoring. For example, a client with a complex ownership structure, involvement in high-risk jurisdictions, or a history of adverse media will generally require more in-depth checks.

The TCSP AML Guidelines highlight that risk assessment is not a one-time activity. TCSPs must conduct ongoing assessments throughout the business relationship, particularly when there are changes that could affect the client’s risk profile. These changes may include amendments to ownership or control, new jurisdictions involved in the client’s activities, the use of higher-risk products or services, or unusual transaction patterns.

All risk assessments must be documented. The file should record the factors considered, the client’s risk rating, and the rationale for the decision. Periodic reviews should also be recorded, and any changes in risk rating should trigger a corresponding adjustment in the level of ongoing monitoring.

Pro Tip: KYC Management’s assisted risk assessment and risk scoring feature offers recommended risk ratings and industry specific templates that align with Hong Kong regulatory standards for TCSPs. The platform automatically generates auditable risk assessment reports with timestamps, which helps firms remain inspection ready at all times.

4. Apply enhanced client due diligence for high-risk clients

When a client or transaction presents higher money laundering or terrorist financing risks, TCSPs must apply Enhanced Due Diligence, often referred to as EDD. This requirement is set out in Schedule 2 of the AMLO and further explained in paragraph 4.9 of the TCSP AML Guidelines. EDD ensures that a TCSP gathers additional information to mitigate risks that cannot be addressed through standard due diligence measures.

EDD is required in a range of situations as set out in paragraph 4.9.5 of the TCSP AML Guidelines. These include unusually large, complex, or illogical transactions, clients that present high-risk features based on the firm’s risk assessment, and clients or beneficial owners with connections to non-cooperative jurisdictions identified by the Financial Action Task Force, or countries that are subject to sanctions issued by the United Nations. 

EDD is required for all non-Hong Kong PEPs. For former PEPs, Hong Kong PEPs and international organisationsPEPs, the TCSP should conduct a risk assessment to determine whether EDD is necessary. EDD should only be applied when the risk of the business relationship is genuinely high.

When EDD applies, TCSPs must collect additional information about the client’s background, business activities, financial history, and the purpose of the transaction. The firm must verify the client’s source of wealth and source of funds with independent evidence and additional information. TCSPs may also conduct more frequent updates on the identification data of the customer and the beneficial owners. 

The TCSP AML Guidelines specifically requires that senior management or senior partner approval is obtained before establishing or continuing a relationship with a high-risk client. The TCSP must also conduct enhanced ongoing monitoring throughout the relationship, which includes reviewing CDD documents more frequently and performing more frequent screening checks on the client and beneficial owners.

All EDD measures must be clearly recorded. The file must show what information was requested, what was received, how it was verified, and what conclusions were drawn.

TCSPs must avoid disclosing to any person any information that could prejudice an investigation, as doing so may constitute the offence of ‘tipping off.’ For example, informing a customer that a report has been filed could compromise the investigation and would amount to an offence. 

Pro Tip: For high risk clients, KYC Management offers daily ongoing monitoring solutions to help minimise risk exposure for TCSPs. Its centralised document management system consolidates all EDD records, enabling TCSPs to easily generate reports and documentation for the EDD measures performed. As a result, TCSPs can confidently demonstrate that EDD measures were properly executed and backed by comprehensive, well-documented evidence.

5. Maintain detailed records of client due diligence and risk assessment for future audits

TCSPs must maintain complete and accurate records of all client due diligence, enhanced due diligence, screening results, and risk assessments. This requirement is set out in Schedule 2 of the AMLO and further emphasised in paragraph 8 of the TCSP AML Guidelines, which states that proper record keeping is an essential part of an effective AML and CFT framework. Comprehensive records allow regulators to determine whether a TCSP has taken appropriate steps to identify and manage risks throughout the client relationship.

Records should be sufficiently detailed to demonstrate what information was obtained from the client, how it was verified, the results of any screenings, and the conclusions reached from the firm’s risk assessment. The file should also show the rationale for decisions made, including the decision to establish or continue a business relationship with a higher-risk client. Any enquiries relating to source of funds or source of wealth, as well as how inconsistencies were resolved, must be documented clearly.

The AMLO sets out minimum retention periods for records relating to CDD and transactions, and TCSPs must follow these statutory requirements. According to section 20 of  Schedule 2 of the AMLO, client identification documents, transaction records, screening results, and risk assessments must be kept throughout the continuance of the business relationship with the customer and for at least five years after the end of the business relationship or until such time as may be specified by the Registrar.

TCSPs should periodically review and update their client records to reflect any changes in ownership, risk profile, or business operations. Timely updates to client records help TCSPs effectively manage and mitigate client-related and regulatory risks .

Pro Tip: KYC Management’s document management system provides a centralised hub that enables TCSPs to retrieve client due-diligence records, screening results, and risk assessments with ease. By organising and automatically filing documents into designated client profiles, the system streamlines record-keeping and enhances accessibility of AML records for TCSPs. Exportable audit ready reports and CDD records allow firms to respond quickly to regulatory inspections and demonstrate compliance with record-keeping requirements under the AMLO.

Conclusion

Effective AML/CFT compliance during client onboarding is essential for TCSPs to identify and manage risks from the very beginning of the client relationship. Non-compliance with statutory requirements under the AMLO and the TCSP AML Guidelines can lead to serious consequences for TCSPs in Hong Kong, including regulatory sanctions, financial penalties, and reputational harm. As the regulatory landscape continues to evolve, TCSPs must ensure that their procedures for client due diligence, enhanced due diligence, screening, and ongoing monitoring are regularly updated and proportionate to the risks they face.

By adopting a clear and structured approach to the five key steps outlined in this article, TCSPs are better equipped to safeguard their operations and provide services that comply with Hong Kong’s AML/ CFT framework. A strong compliance culture not only protects the firm but also promotes trust, accountability, and transparency in the wider corporate services environment.

How robust are your current onboarding procedures? Strengthen your AML/ CFT compliance with KYC Management, which provides solutions tailored to the needs of TCSPs in Hong Kong.

References

For more information about TCSP licensing, compliance obligations, and AML guidelines in Hong Kong, refer to the following official resources:

  1. Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615 of the Laws of Hong Kong)
  2. Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Trust or Company Service Provider Licensees)”  (“TCSP AML Guidelines”) issued by the Companies Registry in March 2025
  3. Guideline on Licensing of Trust or Company Service Provider issued by Companies Registry in May 2025
  4. Commonly Raised Questions by respondents and the Companies Registry’s response issued by Companies Registry on 6 December 2024
Disclaimer: This publication is provided for general information and guidance only. The views and comments expressed herein do not constitute, and should not be relied upon as, legal advice or a legal opinion.

Simplify Your AML/CFT Workflow Today

KYC Management enables firms to complete the entire AML/CFT process in minutes - not hours. From customer due diligence and risk assessments to screening and ongoing monitoring, KYC Management expedites traditionally manual and complex AML/CFT processes into a simple and compliant workflow.

Interested in learning more? Contact us today!

5 Steps to Ensure AML Compliance When Onboarding a New Client (for TCSPs in Hong Kong)