Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

date of birth, nationality
name, date of birth, residential address, permanent address, nationality, identification documents, passport, identity card
certificate of incorporation, business registration, company's memorandum copy, articles of association, search enquiry of registry, company report, details of ownership, identification documents of directors, principal shareholder, account signatories
Hong Kong Identity Card
a) Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance – April 2012 (“AMLO”); b) Drug Trafficking (Recovery of Proceeds) Ordinance - 1989 (amended 2005) (“DTROP”); c) Organised and Serious Crimes Ordinance - 1994 (amended 2012) (“OSCO”); and d) United Nations (Anti-Terrorism Measures) Ordinance - 2002 (amended 2012) (“UNATMO”)
The Hong Kong Monetary Authority (“HKMA”)
The Securities and Futures Commission (“SFC”) is the regulator for AML controls for securities
No, although under the revised guidelines, enhanced AML assessment requirements are expected to be applied to all customers, including existing customers. As part of their ongoing AML due diligence process, intermediaries should consider and determine whether additional identification information, in line with the current standards, should be obtained from all existing customers, particularly those customers in higher risk categories. In particular, authorised institutions regulated by the HKMA are required to conduct a review, at least once annually, on all high risk customers to ensure that the customer's records maintained are up-to-date and relevant. Under the AMLO, the identity of pre-existing customers is not subject to retrospective verification. The AMLO only requires the financial institution to review the documents, data and information relating to the customer that is held at the time it conducts the review.
Generally speaking, the current legislation does not specifically set out minimum transaction thresholds where customer due diligence is or is not required. However, less stringent due diligence requirements would be permitted in certain circumstances, such as: a) a remittance/exchange transaction carried out by remittance agents/money changers, where the transaction amount is less than HKD8,000 or equivalent; or b) a transaction carried out by
The identity of an individual including his/her name, residential address (and permanent address - if different), date of birth and nationality, etc. should be obtained. Identification should be from documents issued by official or reputable sources, i.e. passports or identity cards. The address should be checked by appropriate means, e.g. by reviewing utility or rates bills or checking the electoral roll.
The following documents or information should be obtained, including the Certificate of Incorporation and Business Registration Certificate, copy of the company’s memorandum and articles of association, a company search enquiry of the registry and a company report, details of ownership and structure control of the company, the board resolution evidencing the opening of the account and conferring authority on those who will operate it, identification documents of the directors, principal shareholders and account signatories, as required. Additional requirements will arise for higher risk customers.
There is a requirement to identify the beneficial ownership and control, i.e. to determine which individual(s) ultimately own(s) or control(s) the direct customer, and/or the person on whose behalf a transaction is being conducted. For corporates, the identity of the principal shareholders (e.g. those holding 10% or more voting interests) should be identified. The identity of all shareholders holding 25% (for normal risk circumstances) / 10% (for high risk circumstances) or more of the voting rights or share capital is required to be verified.
Enhanced due diligence is required for higher risk categories of customers, business relationships or transactions. These may include companies with unduly complex ownership structure, PEPs, business relationships and transactions with persons from or in jurisdictions that do not meet international AML standards, customers who are not physically present for identification purposes, or remittance transactions for which the remittance messages do not contain complete originator information.
Local regulatory guidance includes a requirement to gather sufficient information from a new customer and check publicly available information to establish whether or not the customer is a PEP. The decision to open an account for a PEP should be taken at a senior management level. A number of risk factors that institutions should consider in handling a business relationship with a PEP are also outlined.
A bank providing correspondent banking services is required to gather sufficient information about its respondent banks to understand their business. Approval from senior management should be sought before establishing new correspondent banking relationships and the respective responsibilities of each institution should be documented. A correspondent banking relationship should not be established unless the bank is satisfied that the AML/CFT controls of the proposed respondent bank are adequate and effective. Particular care is required if a correspondent banking relationship is maintained with banks incorporated in jurisdictions that do not meet international AML standards, or where the respondent banks allow the direct use of the correspondent account by their customers to transact business on their own behalf (i.e. payable-through accounts).
Firms are required to apply effective customer identification procedures to satisfy themselves as to the true identity of the customer. Such procedures may include: a) requisition of additional documents to complement those required for face-to-face customers; b) taking supplementary measures to verify all the information provided by the customer; and c) requiring the first payment from the account to be made through an account in the customer’s name with a bank having satisfactory customer due diligence standards.
Joint Financial Intelligence Unit (“JFIU”) and relevant authority, HKMA, SFC, OCI
Financial institutions shall report to JFIU if there is knowledge or suspicion of ML/TF. Examples include, inter alia: a) customers are reluctant to provide normal information when opening an account, providing minimal or fictitious information or, when applying to open an account, providing information that is complex or expensive for the institution to verify; and/or b) customers who decline to provide information that in normal circumstances would make the customer eligible for credit or for other banking services that would be regarded as valuable.
Institutions are required to refrain from carrying out transactions which they know or suspect to be related to money laundering until they have informed the JFIU and the JFIU consents to the institution carrying out the transactions. Where it is impossible to refrain or if this is likely to frustrate efforts to pursue the beneficiaries of a suspected money laundering operation, institutions may carry out the transactions and notify the JFIU on their own initiative and as soon as it is reasonable for them to do so.
There are no explicit restrictions on “offshore” transactions monitoring provided that the other regulatory requirements, in particular the outsourcing and record keeping requirements, are fulfilled.
As above, an independent review of the Program is required on a ‘regular’ basis. In practice this is conducted based on the bank’s risk-based approach, with many banks choosing to conduct the independent review on an annual basis. The report must be provided to the governing board and senior management. The regulator also requests a copy during their reviews. This does not constitute part of the financial statement audit.
The scope of work varies depending upon the circumstances which trigger the review as mandated by the HKMA. However, in a comprehensive AML review carried out by external auditors, sample testing of KYC files/SAR reports and examination of risk assessments would normally form part of the scope of work.
The primary data protection law in Hong Kong is the Personal Data (Privacy) Ordinance (“PDPO”). Under the PDPO, personal data means any data relating directly or indirectly to a living individual; from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable. The PDPO does not define corporate data or sensitive data.
The PDPO stipulates that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose (i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to it). There is a prohibition against the transfer of personal data to a place outside Hong Kong except in specified circumstances.
additional documents, first party bank wire
Children are required to obtain their first identity card at the age of 11 and must change to an adult identity at the age of 18.
HKD 8,000
The law excludes wills, powers of attorney, government leases and some real estate transactions.
Section 6(1) states that an electronic signature may be used to satisfy the legal requirement for a handwritten signature. Section 17(2) states that electronic records may be used in place of paper records and that those records will have the same legal enforceability as paper records.
Summary of law
Hong Kong follows the European Union and the UNCITRAL model law in that its laws provide for the enforcement of both simple electronic signatures and digital signatures (sometimes called advanced electronic signatures). It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. One must get consent to do business electronically, but that consent doesn’t need to be explicit. It can be inferred from behavior such as receiving and signing documents electronically.
The AMLO became effective on 1 April 2012. The previous AML regime was governed by DTROP, OSCO and UNATMO.
The Office of the Commissioner of Insurance (“OCI”) is the regulator for AML controls for the insurance sector.
It is expected that financial institutions should adopt a risk-based approach to customer due diligence and ongoing monitoring.
Copies of identification documentation should generally be checked against original documents. However, reliance may be placed on a ‘suitable’ certifier to certify that the copy document is a complete and accurate copy of the original. Such certifiers include, inter alia, an officer of an embassy, a member of the judiciary, a Justice of the Peace, etc.
We are not aware of any such laws or regulations that may significantly impact upon the transfer of information to Hong Kong.
There is no specific bank secrecy law in Hong Kong. It should, however, be noted that banks are subject to confidentiality obligations which are applicable under common law (i.e. the legal framework adopted by Hong Kong) and the regulators also expect that banks duly protect the use of their customer data in the normal course of business.