AML CTF Compliance Documents for 2026

What Are AML/CTF Compliance Documents and Why They Matter for Licensed Businesses in Hong Kong

Anti-money laundering and counter-terrorist financing (AML/CTF) compliance documents are the written policies, procedures, risk assessments, and records that a licensed business must maintain to meet Hong Kong’s regulatory obligations. For firms holding a Trust or Company Service Provider (TCSP) licence, these documents are not optional paperwork—they are a legal requirement under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and the guidelines issued by the Companies Registry. The primary search question “AML CTF 合規文件香港 2026-05-1” reflects a practical need: how to align your internal documentation with your licensed activities so that your business remains compliant, passes regulatory inspections, and mitigates financial crime risk.

In practice, AML/CTF compliance documents serve as the operational backbone of a TCSP’s risk management framework. They translate high-level legal duties into day-to-day actions—such as customer due diligence (CDD), ongoing monitoring, and suspicious transaction reporting. The Companies Registry, which administers the TCSP licensing regime, expects every licensee to have a documented AML/CTF programme that is proportionate to the size and complexity of the business. Without proper documentation, a TCSP risks licence revocation, financial penalties, and reputational damage. This article outlines the core document categories, how they integrate with licensed operations, and what the Companies Registry and other authorities look for during supervision.

Who Should Prioritise AML/CTF Compliance Documentation and Key Planning Decisions

Entities and Professionals Directly Affected

Any business operating under a Trust or Company Service Provider (TCSP) licence in Hong Kong must integrate robust Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) compliance documents into its daily operations. This includes company secretarial firms, corporate service providers, and professional intermediaries that assist with company formation, registered office provision, or acting as a company secretary. According to the Hong Kong Companies Registry’s TCSP licensing regime, licensees are required to implement and maintain effective AML/CTF policies, procedures, and controls tailored to their specific business risks (source: 香港公司註冊處 – TCSP 牌照制度). Additionally, businesses that handle client money or provide money-changing or remittance services may also fall under the Money Service Operator (MSO) licensing requirements administered by the Customs and Excise Department (source: 香港海關 – 金錢服務經營者牌照), further expanding the scope of entities that must consider AML/CTF documentation.

Main Planning Decisions for Compliance Documentation

When preparing AML/CTF compliance documents for a licensed business, several critical planning decisions arise. First, firms must assess their inherent risk exposure based on client profiles, geographical reach, and service types. This risk assessment directly informs the depth and frequency of customer due diligence (CDD) and ongoing monitoring measures. Second, the documentation must align with the specific licensing conditions and regulatory expectations, whether the entity is newly incorporating a local limited company (source: 香港公司註冊處 – 成立本地有限公司) or maintaining an existing TCSP registration. Third, businesses should decide on the structure and accessibility of their compliance manuals—ensuring they are clear, practical, and readily available for staff training and regulatory inspections. A well-planned documentation framework not only satisfies legal obligations but also streamlines internal processes, reducing the likelihood of inadvertent non-compliance. Early engagement with legal or compliance professionals can help tailor these documents to the firm’s operational reality while meeting the statutory requirements under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO).

Preparing Your AML/CTF Compliance Documentation: Essential Information to Gather

Before drafting or updating your anti-money laundering and counter-terrorist financing (AML/CTF) compliance documents, it is critical to assemble all foundational information about your licensed business. This preparation stage ensures that your policies, procedures, and controls are tailored to your specific operations and meet the expectations of regulators such as the Companies Registry under the Trust or Company Service Provider (TCSP) licensing regime. Start by reviewing your business registration details and company structure, as these define the scope of your AML/CTF obligations. The 香港公司註冊處 – TCSP 牌照制度 outlines that TCSP licensees must implement appropriate AML/CTF measures commensurate with their business nature and size. Gather your certificate of incorporation, business registration certificate from the Inland Revenue Department, and any relevant TCSP licence details. If your business also handles money services, consult the 香港海關 – 金錢服務經營者牌照 requirements, as additional customer due diligence and record-keeping rules may apply. Next, compile a clear description of your services, client types, and geographic markets, as these factors influence your risk assessment. Collect existing internal policies, previous compliance reviews, and any correspondence with regulators to identify gaps. This groundwork not only streamlines document creation but also demonstrates a proactive approach to compliance, which is essential for maintaining your licence and passing inspections.

Step-by-Step Process for Aligning AML/CTF Compliance Documents with Licensed Business Operations in Hong Kong

1. Identify Your Licensing Requirements

Before drafting or updating your AML/CTF compliance documents, determine which regulatory regime applies to your business. If you provide trust or company services, you must hold a Trust or Company Service Provider (TCSP) licence under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), as detailed on the TCSP Licensing System website of the Hong Kong Companies Registry. For money service operators, a Money Service Operator (MSO) licence from the Customs and Excise Department is required, as outlined on the Money Service Operators Licensing System portal. Each licence type carries distinct AML/CTF obligations, and your compliance documents must reflect the specific statutory requirements.

2. Conduct a Business-Specific Risk Assessment

A foundational step is performing a thorough risk assessment of your business. This involves evaluating factors such as customer types, geographic exposure, delivery channels, and the nature of services offered. The risk assessment forms the basis for your AML/CTF policies and procedures, ensuring they are proportionate and effective. While the Companies Registry does not prescribe a single format, the TCSP Licensing System guidance indicates that a documented risk assessment is a core expectation for licensees. Your compliance manual should clearly articulate how risks are identified, assessed, and mitigated.

3. Draft or Update Core AML/CTF Documents

Based on the risk assessment, prepare or revise the following key documents:

• AML/CTF Policy Statement: A high-level commitment from senior management to comply with the AMLO and relevant guidelines.
• Customer Due Diligence (CDD) Procedures: Detailed steps for identifying and verifying customers and beneficial owners, including enhanced due diligence for higher-risk situations. These must align with the requirements set out in the AMLO and elaborated in guidance from the Companies Registry and Customs and Excise Department.
• Record-Keeping Protocols: Procedures for maintaining records of transactions, CDD information, and suspicious activity reports for the statutory periods.
• Suspicious Transaction Reporting (STR) Procedures: Clear internal processes for identifying, documenting, and reporting suspicious activities to the Joint Financial Intelligence Unit (JFIU).
• Staff Training Program: A plan for regular, documented training on AML/CTF obligations, tailored to employee roles.

4. Integrate with Business Registration and Corporate Records

Your AML/CTF compliance framework must be consistent with your company’s legal structure and registration details. Ensure that the business name, address, and nature of activities in your compliance documents match those filed with the Companies Registry (for local limited companies, as per the Incorporation of Local Limited Company service) and the Inland Revenue Department (for business registration, as described on the Business Registration page). Any changes to company particulars should trigger a review of your AML/CTF documents to maintain alignment.

5. Implement and Monitor

Once documents are finalized, implement them across your operations. Appoint a compliance officer and ensure all staff are trained. Regularly monitor transactions and customer activity against your risk criteria. The TCSP and MSO regimes require ongoing compliance, and your documents should be living instruments, updated as regulations, risks, or business activities evolve. Maintain evidence of reviews and updates to demonstrate active compliance to regulators.

Core AML/CTF Compliance Documents for Licensed TCSPs in Hong Kong

Under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), a licensed trust or company service provider (TCSP) must maintain a robust set of compliance documents. These records not only demonstrate adherence to statutory duties but also serve as the first line of defence during inspections by the Companies Registry. Below is a practical checklist of essential AML/CTF compliance documents, with an explanation of why each category matters for your licensed business.

1. Customer Due Diligence (CDD) Records

CDD is the foundation of any AML/CTF programme. For every client, you must collect and retain identification documents—such as passports, identity cards, or certificates of incorporation—along with proof of address and, where applicable, information on beneficial owners and the purpose and intended nature of the business relationship. These records enable you to verify the client’s identity and assess the risk they pose. Without complete CDD files, a TCSP cannot demonstrate that it knows its customers, which is a fundamental requirement under the Companies Registry’s TCSP licensing regime.

2. Risk Assessment Documentation

A documented risk assessment is required for both the business as a whole and for individual clients. The firm-wide risk assessment should consider factors such as customer types, geographical exposure, and delivery channels, while client-specific assessments assign a risk rating (e.g., low, medium, high) based on CDD findings. These documents justify the level of ongoing monitoring applied and are closely scrutinised during regulatory reviews. They also help you allocate compliance resources efficiently.

3. Ongoing Monitoring and Transaction Records

For higher-risk clients, enhanced ongoing monitoring is mandatory. This includes periodic reviews of CDD information, scrutiny of transactions to ensure they are consistent with the client’s profile, and records of any unusual activity. Maintaining a clear audit trail of monitoring activities shows that your firm is actively managing risk throughout the business relationship, not just at onboarding.

4. Suspicious Transaction Reports (STRs)

When you suspect that property represents proceeds of crime or is related to terrorist financing, you must file an STR with the Joint Financial Intelligence Unit. While the report itself is confidential, your internal records should note the date, reason for suspicion, and any follow-up actions. These records evidence your firm’s vigilance and compliance with reporting obligations under the law.

5. Staff Training Records

All relevant employees must receive regular AML/CTF training. Document the content, dates, and attendees of training sessions. These records prove that your staff are equipped to identify and handle suspicious activities, a key expectation of the Companies Registry and a requirement for licence renewal.

6. Independent Audit and Review Reports

Periodic independent reviews of your AML/CTF systems are recommended—and often expected—to ensure policies remain effective. Retain the auditor’s report and any management responses. This demonstrates a commitment to continuous improvement and can be decisive in the event of a regulatory enquiry.

Each document category plays a distinct role in building a defensible compliance framework. Together, they form the evidence a TCSP needs to show that it is meeting its obligations under Hong Kong’s AML/CTF regime, as overseen by the Companies Registry.

Aligning AML/CTF Documentation with Your Licensed Business in Hong Kong: Practical Scenarios for 2026

Scenario 1: Launching a New TCSP and Establishing the Initial AML/CTF Framework

When setting up a new trust or company service provider (TCSP) in Hong Kong, the first step is to register the company with the Companies Registry and obtain a valid Business Registration Certificate from the Inland Revenue Department. Once incorporated, the firm must apply for a TCSP licence under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO). The TCSP licensing regime requires every applicant to demonstrate that it has in place a comprehensive AML/CTF programme before commencing operations. This includes a written risk assessment, customer due diligence (CDD) procedures, ongoing monitoring protocols, record-keeping policies, and a clear reporting mechanism for suspicious transactions. For a newly licensed TCSP, the compliance documents must be tailored to the specific services offered—whether it is company formation, registered office provision, or nominee directorship—and reflect the actual client base and geographic exposure. A common pitfall is adopting generic templates that do not address the firm’s unique risk profile, which can lead to regulatory scrutiny during the first compliance review.

Scenario 2: Adding a Money Service Operator (MSO) Licence to an Existing TCSP

Many TCSPs expand into money services, such as remittance or currency exchange, which requires a separate Money Service Operator licence from the Customs and Excise Department. This triggers a need to update the AML/CTF documentation to cover the additional risks associated with cash transactions, cross-border fund flows, and higher-risk jurisdictions. The integrated compliance manual must now include procedures for verifying the source of funds, enhanced due diligence for politically exposed persons (PEPs), and transaction monitoring thresholds specific to money services. The firm must also ensure that its record-keeping systems can segregate TCSP and MSO client files to facilitate audits by different regulators. A practical decision point is whether to maintain a single unified AML/CTF policy or separate manuals for each licence; the former is often more efficient but requires careful cross-referencing to avoid gaps.

Scenario 3: Responding to a Regulatory Inspection or Audit

During a routine inspection by the Companies Registry or the Customs and Excise Department, the firm will be asked to produce its AML/CTF documents, including the risk assessment, CDD records, and training logs. A well-prepared firm will have a centralised compliance repository where all documents are version-controlled and easily retrievable. The inspectors will look for evidence that the policies are not just on paper but are actively implemented—for example, that staff have completed annual AML training and that suspicious transaction reports have been filed when necessary. If gaps are found, the regulator may issue a warning or impose conditions on the licence. To avoid this, firms should conduct periodic self-audits using a checklist aligned with the latest regulatory guidelines, and update their AML/CTF documents accordingly. This proactive approach demonstrates a culture of compliance and can mitigate enforcement risks.

Common Mistakes, Risk Controls, and Practical Next Steps for AML/CTF Compliance Documentation in Hong Kong (2026-05-1)

Even well-intentioned TCSP licensees often stumble over recurring documentation pitfalls that can trigger regulatory scrutiny. One frequent error is treating customer due diligence (CDD) as a one-time checkbox rather than an ongoing obligation. Under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, firms must conduct periodic reviews and update records whenever there is a material change in the client’s profile or risk level. Another common mistake is over-reliance on generic risk assessment templates that fail to capture the specific money laundering and terrorist financing risks inherent to the services provided. For instance, a firm handling complex multi-jurisdictional structures should document enhanced measures tailored to those exposures, not merely recycle a standard form.

Strengthening Internal Controls

Robust risk controls begin with clear, documented policies that assign responsibility for AML/CTF compliance to named individuals within the organization. These policies should detail procedures for identifying and reporting suspicious transactions to the Joint Financial Intelligence Unit, as well as protocols for record-keeping that meet the statutory retention period of at least five years. Regular independent audits of the AML/CTF framework—whether conducted internally or by an external professional—help identify gaps before they become compliance failures. Additionally, staff training must be role-specific and refreshed at least annually, with records maintained to demonstrate to regulators that the firm takes its obligations seriously. The Hong Kong Companies Registry’s TCSP licensing regime emphasizes that licensees must have adequate systems in place, and documentation is the primary evidence of such systems.

Practical Next Steps for License Holders

To align your AML/CTF compliance documents with your licensed business activities, start by mapping your actual client onboarding and transaction flows against your written procedures. Any discrepancies should be reconciled promptly. Next, review your risk assessment methodology to ensure it reflects the nature and complexity of your services, as outlined in guidance from the Hong Kong Companies Registry and the Customs and Excise Department for money service operators. Finally, consider engaging a compliance consultant to perform a health check on your documentation suite, particularly if your firm is preparing for a regulatory inspection or expanding into higher-risk markets. Proactive remediation not only reduces legal exposure but also reinforces trust with banks and counterparties that increasingly demand evidence of sound AML/CTF controls.

Closing Section: Maintaining Ongoing AML/CTF Compliance

AML/CTF compliance is not a one-time exercise but an ongoing obligation for licensed TCSPs in Hong Kong. As regulatory expectations evolve, firms must regularly review and update their compliance documents to reflect changes in the law, business operations, and emerging risks. The Companies Registry, as the primary regulator under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), expects licensees to maintain robust internal controls and to keep records of customer due diligence and transactions for at least five years, as outlined on the TCSP licensing regime page of the Companies Registry. Proactive engagement with compliance—through periodic independent audits, staff training, and policy refreshes—helps mitigate the risk of enforcement action and supports the integrity of Hong Kong’s financial system. By embedding a culture of compliance, TCSPs not only satisfy legal requirements but also build trust with clients and counterparties.

Frequently Asked Questions