AML/KYC requirements for a Hong Kong crypto company

AML/KYC requirements for a — Consulting24
CRYPTO LICENSE GUIDE · 2026AML/KYC requirements for aCrypto licensing across 15+ jurisdictionsCONSULTING24.CO

Hong Kong's forthcoming crypto licensing regime imposes stringent AML/KYC obligations on virtual asset service providers, requiring strong customer due diligence and transaction monitoring frameworks.

The Legal Basis for AML/KYC in Hong Kong

Hong Kong's anti-money laundering and counter-terrorist financing (AML/CFT) requirements for crypto businesses are primarily governed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), which was amended in 2022 to bring virtual asset service providers (VASPs) under its scope. The Securities and Futures Commission (SFC) is the principal regulator, and it has issued detailed guidelines on AML/CFT for licensed platforms. These rules align with the Financial Action Task Force (FATF) recommendations, ensuring Hong Kong's regime meets international standards.

Under the new licensing regime, any entity operating a virtual asset trading platform in Hong Kong must obtain a license from the SFC. As part of the licensing process, the applicant must demonstrate a strong AML/CFT framework. This includes appointing a compliance officer, a money laundering reporting officer (MLRO), and a deputy MLRO. The SFC expects these officers to be based in Hong Kong and have sufficient seniority and authority to implement AML policies effectively.

The 4 stages of getting licensed1Choose jurisdictionmatch your customers2Incorporateset up the entity3AML / KYC programthe banking key4Open bankingfiat on/off-ramps

Customer Due Diligence (CDD) Requirements

Licensed crypto platforms must conduct customer due diligence on all users, including identifying and verifying their identity using reliable, independent source documents. For individual customers, this typically means obtaining a government-issued photo ID (e.g., passport or Hong Kong identity card) and proof of address. For corporate clients, the platform must identify the legal entity, its beneficial owners, and the individuals who control or manage it. Enhanced due diligence (EDD) is required for high-risk customers, such as those from jurisdictions with weak AML controls or politically exposed persons (PEPs).

The SFC requires that CDD be performed before any transaction is executed. However, in some limited circumstances, verification may be completed after account opening, provided that adequate safeguards are in place. The platform must also maintain ongoing monitoring of customer transactions to ensure they are consistent with the customer's profile and risk level. Any discrepancies or suspicious activities must be reported to the Joint Financial Intelligence Unit (JFIU) via a suspicious transaction report (STR).

Record Keeping and Transaction Monitoring

Hong Kong's AML regulations mandate that VASPs keep all records related to CDD, transactions, and communication for at least seven years after the business relationship ends. This includes copies of identification documents, account files, and business correspondence. Records must be stored in a manner that allows for prompt retrieval by the SFC or other authorities upon request. Failure to maintain adequate records can result in significant penalties, including fines and revocation of the license.

Transaction monitoring systems must be capable of detecting unusual or suspicious patterns, such as rapid trading, structuring, or transactions involving high-risk jurisdictions. The SFC expects platforms to use automated monitoring tools that can generate alerts for manual review. Additionally, platforms must screen all customers and transactions against sanctions lists maintained by the United Nations, the Hong Kong government, and other relevant bodies. Any matches must be reported immediately.

Internal Policies, Procedures, and Controls

A licensed crypto platform must establish and maintain written AML/CFT policies and procedures that are approved by senior management. These policies should cover all aspects of AML compliance, including CDD, EDD, transaction monitoring, record keeping, and reporting. The platform must also conduct regular independent audits or reviews of its AML framework to ensure its effectiveness. The SFC may request copies of these audit reports during inspections.

Staff training is another critical component. All employees, especially those in customer-facing and compliance roles, must receive regular training on AML/CFT obligations, including how to identify red flags and report suspicious activities. The platform must keep training records for at least seven years. Failure to provide adequate training can lead to regulatory sanctions.

Reporting Obligations and Regulatory Oversight

Licensed VASPs must file suspicious transaction reports with the JFIU as soon as practicable after forming a suspicion of money laundering or terrorist financing. There is no de minimis threshold for reporting; even small transactions can be reported if they raise suspicion. The platform must also submit periodic regulatory reports to the SFC, including annual AML/CFT returns and notifications of any material changes to its AML framework.

The SFC conducts on-site inspections and off-site reviews to assess compliance with AML requirements. Non-compliance can result in disciplinary actions, including public reprimands, fines, suspension or revocation of the license, and criminal prosecution. To mitigate these risks, many platforms engage external AML consultants to help design and implement their compliance programs. Consulting24 can assist with developing tailored AML/KYC frameworks that meet SFC expectations.

How to Choose the Right Jurisdiction

Work the decision in this order — customers first, everything else second:

  • Who are your customers? EU retail means you need a MiCA passport (Lithuania, Malta or another EU CASP). US customers mean state-by-state money-transmitter licensing or a FinCEN MSB — consider a Canada MSB or a US setup. Latin America, Asia or HNW clients mean an offshore or territorial base such as Panama is usually the better fit.
  • Do you need a regulator badge? A public-facing exchange chasing institutional partners and fundraising often needs the reputational lift of an EU, Swiss or VARA licence. An OTC desk or token treasury usually does not.
  • What is your budget and timeline? Offshore and territorial routes set up in weeks for tens of thousands; premium onshore licences take many months and six figures.
  • What about tax? Territorial-tax jurisdictions like Panama charge 0% on foreign-source income; EU jurisdictions apply standard corporate tax. Factor total cost of ownership, not just setup fees.

For many offshore-first founders, Panama lands at the intersection of fast incorporation, low cost and 0% tax on foreign-source income, which is why it features so heavily in our work. But the honest answer is that the “best” jurisdiction is the one that matches the four answers above — and that is a conversation worth having before you spend a cent. See our cost breakdown and application process to ground the decision in real numbers.

Banking and Compliance: Where Most Setups Actually Stall

Incorporation is the easy part of any crypto project. Banking is where timelines slip and where under-prepared founders lose months. Since 2023, banks and payment processors worldwide have tightened their onboarding of crypto-adjacent businesses, and they now expect a genuinely professional application — not a one-page business summary. A thin file is simply rejected, and re-applying with the same bank is far harder than getting it right the first time.

Three documents do the heavy lifting. The first is a written AML/KYC compliance program: your customer-onboarding flow, transaction-monitoring rules, sanctions and PEP screening, a named compliance officer, and record-keeping policies. The second is a clear, evidenced source-of-funds file for both the company and its beneficial owners. The third is a coherent business description that explains who your customers are, how money moves, and what volumes you project. Banks approve businesses they understand; ambiguity reads as risk.

Sequencing matters as much as substance. The correct order is: incorporate the operating entity, build the compliance program, assemble the source-of-funds package, and only then approach banking — ideally through a warm introduction rather than a cold application. Founders who approach banks mid-setup, before their file is complete, create the very delays they are trying to avoid. We make direct introductions to banks and crypto-friendly payment rails as part of every engagement, but the introduction only works if the file behind it is ready.

None of this is optional, and none of it changes much from one jurisdiction to the next — the compliance bar is now broadly global. What changes is the appetite of local banks and the speed of onboarding. Our requirements checklist sets out exactly what you need to assemble before you approach a bank.

Crypto Licensing in 2026: The Bigger Picture

Choosing where to license a crypto business in 2026 is no longer a simple cost calculation. The regulatory map has hardened considerably over the last three years. In the European Union, the Markets in Crypto-Assets Regulation (MiCA) has replaced the patchwork of national VASP registers with a single Crypto-Asset Service Provider (CASP) authorisation that passports across all 27 member states. That passport is powerful — but it comes with capital requirements, governance obligations and a multi-month authorisation process that smaller projects often underestimate.

Outside the EU, the picture is more varied. Offshore and territorial-tax jurisdictions compete on speed, cost and privacy, while major financial centres such as Switzerland, the UAE and Singapore compete on credibility and institutional access. The Financial Action Task Force (FATF) sits over all of them: its “travel rule” and AML standards now apply, in some form, almost everywhere a serious crypto business would consider basing itself. Jurisdictions that ignore FATF expectations end up grey-listed, which quietly closes correspondent-banking doors for every company registered there.

This is why the question behind AML/KYC requirements for a is rarely “which licence is cheapest?” It is “which regime matches my customers, my risk appetite and my banking needs?” An EU-retail exchange and an offshore OTC desk serving high-net-worth clients in Latin America have almost nothing in common in terms of the right base. Getting this decision right at the start saves you from the single most expensive mistake in the industry: licensing in the wrong place and having to re-domicile a live business.

Consulting24 has guided more than 200 crypto company setups across 15+ jurisdictions since 2017, which means we have seen how each of these regimes behaves in practice rather than just on paper. The summary below is the same framework we use with clients — and we are always happy to map it to your specific model. Start with our Panama vs Lithuania comparison to see how the trade-offs play out between an offshore base and an EU-passported one.

Common Mistakes to Avoid

The failures we see when founders research AML/KYC requirements for a on their own are remarkably consistent, and almost all of them are avoidable. The first is licensing to the headline tax rate. A 0% jurisdiction is worthless if your customers legally require a regulated provider you cannot become there — you will simply have to start again. Decide who you are allowed to serve first, then optimise for tax.

The second is treating the compliance program as paperwork. The AML/KYC program is not a formality to satisfy a regulator; it is the document your bank reads most closely. A generic template downloaded from the internet is transparent to any compliance officer and will sink your banking application. It needs to reflect your actual product, customer base and risk profile.

The third is underestimating banking lead time. Founders routinely budget for incorporation and forget that the bank account — the thing that actually lets the business operate — can take longer than the licence itself. Build banking into your launch timeline from day one, not as an afterthought.

The fourth is ignoring personal tax residency. A company in a low-tax jurisdiction does not erase your obligations where you personally live. Many founders create unexpected liabilities by structuring the company perfectly and ignoring themselves. We introduce qualified tax advisors precisely to close this gap.

The fifth and most expensive is choosing a provider on price alone. The cheapest setup that results in a rejected bank application or a re-domiciliation is far more expensive than doing it properly once. Ask any provider to itemise their fee and explain their banking track record before you commit.

What Happens After You Are Licensed

Getting licensed and banked is the start, not the finish. Every regulated or registered crypto business carries ongoing obligations, and letting them lapse is how companies lose their standing — and their banking. At minimum you will maintain a registered agent or local presence, file annual renewals or supervision fees, keep accounting records, and keep your compliance program live with periodic reviews and updated sanctions and PEP screening lists.

Most jurisdictions also expect you to keep your beneficial-ownership information current and to report material changes — new directors, new shareholders, a pivot in business activity — promptly. Transaction monitoring is not a one-time setup either; screening rules need tuning as your volumes and customer mix evolve. Banks may request periodic refreshes of your KYC and source-of-funds documentation, particularly after a year of trading or a significant change in activity.

This is why we offer ongoing maintenance on an annual retainer rather than treating setup as a one-off transaction. The cost of staying compliant is a fraction of the cost of losing a banking relationship and having to rebuild one from scratch. Plan for it in your year-two budget from the outset, and treat your compliance function as a living part of the business rather than a box you ticked at launch.

It is also worth planning ahead for growth. A structure that suits a pre-revenue startup may not suit the same company once it is processing meaningful volume, adding new product lines, or expanding into new markets. Many of the businesses we work with begin in a fast, low-cost offshore base to validate the model, then add a second regulated entity — an EU CASP, for example — once revenue justifies the cost and the market access genuinely matters. Designing the first structure with that possible second step in mind keeps your options open and avoids a disruptive re-domiciliation later. We map this growth path out with clients during the initial planning stage so the early decisions support, rather than constrain, where the business is heading.

Ready to set up your AML/KYC requirements for a?

Consulting24 has completed 200+ crypto company setups across 15+ jurisdictions. Talk to our team for a fixed-fee proposal and realistic timeline.

Learn more WhatsApp us

Email mardo@consulting24.co · Phone +372 58155779

About Consulting24 & Mardo Soo

MS
Mardo Soo
Founder & CEO, Consulting24 · LinkedIn

Consulting24 is an eight-year-old advisory firm that has completed 200+ crypto company setups across 15+ jurisdictions since 2017. Founder and CEO Mardo Soo and the team specialise in crypto, VASP and exchange licensing — from Panama and the EU (MiCA) to Dubai, Canada and the offshore world. We don't push a single “best” jurisdiction; we map your business to the regime that actually fits, then handle incorporation, the AML/KYC compliance program, and banking and payment-processor introductions end to end.

Every engagement begins with an honest conversation about your customers, budget and timeline and ends with a fixed-fee proposal, so you know the all-in number before you commit. We also introduce vetted local lawyers and tax advisors wherever your structure requires them.

Operated by X24Consulting OÜ (Estonian Business Register code 16971898), Põrdi tn 3-63, 10156 Tallinn, Estonia · mardo@consulting24.co · +372 58155779

Frequently Asked Questions

What is the primary legislation governing AML/KYC for crypto companies in Hong Kong?

The primary legislation is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), as amended in 2022 to include virtual asset service providers. The Securities and Futures Commission (SFC) enforces these rules.

Do crypto companies need to appoint a compliance officer?

Yes, licensed virtual asset trading platforms must appoint a compliance officer, a money laundering reporting officer (MLRO), and a deputy MLRO. These officers must be based in Hong Kong.

What documents are needed for individual customer verification?

For individual customers, a government-issued photo ID (e.g., passport or Hong Kong identity card) and proof of address are typically required. The documents must be from a reliable, independent source.

What is enhanced due diligence (EDD) and when is it required?

EDD involves additional verification steps for high-risk customers, such as those from jurisdictions with weak AML controls or politically exposed persons (PEPs). It includes obtaining information on the source of funds and wealth.

How long must records be kept under Hong Kong AML rules?

All records related to CDD, transactions, and communication must be kept for at least seven years after the business relationship ends. This includes copies of identification documents and transaction records.

What are the penalties for non-compliance with AML/KYC requirements?

Penalties can include public reprimands, fines, suspension or revocation of the license, and criminal prosecution. The SFC takes non-compliance seriously.

Do crypto companies need to screen customers against sanctions lists?

Yes, licensed platforms must screen all customers and transactions against sanctions lists maintained by the United Nations, the Hong Kong government, and other relevant bodies. Any matches must be reported immediately.

Can a crypto company outsource its AML compliance functions?

While some functions like transaction monitoring can be outsourced, the ultimate responsibility for AML compliance remains with the licensed entity. The SFC expects the platform to have adequate oversight of any outsourced functions.

Related reading

More crypto-license guides on this blog

Crypto licenses by jurisdiction and topic

Compare every route we cover, each with cost, capital, timeline and requirements on consulting24.co:

Abu Dhabi Crypto LicenseAnjouan Crypto LicenseApplication ProcessBahamas Crypto LicenseBelize Crypto LicenseBermuda Crypto LicenseBest Country for Crypto LicenseBulgaria Crypto LicenseBVI Crypto LicenseCanada Crypto LicenseCASP LicenseCayman Islands Crypto LicenseCayman vs BVI Crypto LicenseCheapest Crypto LicenseCompany SetupCostCosta Rica Crypto LicenseCroatia Crypto LicenseCrypto Broker License BVICrypto Broker License CanadaCrypto Broker License CyprusCrypto Broker License Czech RepublicCrypto Broker License El SalvadorCrypto Broker License SingaporeCrypto Broker License SwitzerlandCrypto Broker License USACrypto Exchange License BVICrypto Exchange License CanadaCrypto Exchange License Cayman IslandsCrypto Exchange License CyprusCrypto Exchange License Czech RepublicCrypto Exchange License El SalvadorCrypto Exchange License MaltaCrypto Exchange License SeychellesCrypto Exchange License SingaporeCrypto Exchange License SwitzerlandCrypto Exchange License USACrypto Fund License BVICrypto Fund License CanadaCrypto Fund License CyprusCrypto Fund License Czech RepublicCrypto Fund License DubaiCrypto Fund License El SalvadorCrypto Fund License MaltaCrypto Fund License SwitzerlandCrypto Fund License USACrypto Gambling License BVICrypto Gambling License CanadaCrypto Gambling License Cayman IslandsCrypto Gambling License CyprusCrypto Gambling License DubaiCrypto Gambling License EstoniaCrypto Gambling License MaltaCrypto Gambling License PolandCrypto Gambling License SeychellesCrypto Gambling License SwitzerlandCrypto Gambling License USACrypto NFT Marketplace License BVICrypto NFT Marketplace License CyprusCrypto NFT Marketplace License Czech RepublicCrypto NFT Marketplace License DubaiCrypto NFT Marketplace License El SalvadorCrypto NFT Marketplace License EstoniaCrypto NFT Marketplace License MaltaCrypto NFT Marketplace License SeychellesCrypto NFT Marketplace License SwitzerlandCrypto NFT Marketplace License USACrypto OTC Desk License CanadaCrypto OTC Desk License CyprusCrypto OTC Desk License Czech RepublicCrypto OTC Desk License DubaiCrypto OTC Desk License El SalvadorCrypto OTC Desk License MaltaCrypto OTC Desk License SeychellesCrypto OTC Desk License SingaporeCrypto OTC Desk License SwitzerlandCrypto OTC Desk License USACrypto Payment Institution License BVICrypto Payment Institution License CanadaCrypto Payment Institution License CyprusCrypto Payment Institution License DubaiCrypto Payment Institution License El SalvadorCrypto Payment Institution License EstoniaCrypto Payment Institution License MaltaCrypto Payment Institution License PanamaCrypto Payment Institution License PolandCrypto Payment Institution License SeychellesCrypto Payment Institution License SwitzerlandCrypto Payment Institution License USACrypto Stablecoin License BVICrypto Stablecoin License CanadaCrypto Stablecoin License Cayman IslandsCrypto Stablecoin License CyprusCrypto Stablecoin License DubaiCrypto Stablecoin License El SalvadorCrypto Stablecoin License EstoniaCrypto Stablecoin License MaltaCrypto Stablecoin License PolandCrypto Stablecoin License SeychellesCrypto Stablecoin License SwitzerlandCrypto Stablecoin License USACrypto Staking License BVICrypto Staking License CanadaCrypto Staking License Cayman IslandsCrypto Staking License CyprusCrypto Staking License DubaiCrypto Staking License El SalvadorCrypto Staking License MaltaCrypto Staking License PolandCrypto Staking License SwitzerlandCrypto Staking License USACrypto Token Issuance License BVICrypto Token Issuance License CanadaCrypto Token Issuance License Cayman IslandsCrypto Token Issuance License CyprusCrypto Token Issuance License DubaiCrypto Token Issuance License El SalvadorCrypto Token Issuance License EstoniaCrypto Token Issuance License MaltaCrypto Token Issuance License PolandCrypto Token Issuance License SwitzerlandCrypto Token Issuance License USACrypto Wallet Custody License BVICrypto Wallet Custody License CanadaCrypto Wallet Custody License CyprusCrypto Wallet Custody License Czech RepublicCrypto Wallet Custody License DubaiCrypto Wallet Custody License El SalvadorCrypto Wallet Custody License MaltaCrypto Wallet Custody License SeychellesCrypto Wallet Custody License SingaporeCrypto Wallet Custody License SwitzerlandCrypto Wallet Custody License USACryptocurrency LicenseCyprus Crypto LicenseCzech Republic Crypto LicenseDubai Crypto LicenseDubai vs Cayman Crypto LicenseEasiest Crypto LicenseEl Salvador Crypto LicenseEl Salvador vs Panama Crypto LicenseEstonia Crypto LicenseEstonia vs Lithuania Crypto LicenseExchange LicenseFastest Crypto LicenseFrance Crypto LicenseGeorgia Crypto LicenseGermany Crypto LicenseGreece Crypto LicenseHow to Get a Crypto LicenseHungary Crypto LicenseIreland Crypto LicenseIsle of Man Crypto LicenseItaly Crypto LicenseLabuan Crypto LicenseLatvia Crypto LicenseLithuania Crypto LicenseLithuania vs Dubai Crypto LicenseLithuania vs Estonia Crypto LicenseLithuania vs Poland Crypto LicenseMalta Crypto LicenseMalta vs Cyprus Crypto LicenseMarshall Islands Crypto LicenseMauritius Crypto LicenseMiCA LicenseMSB LicenseNetherlands Crypto LicensePanama vs Dubai Crypto LicensePoland Crypto LicensePortugal Crypto LicenseQatar Crypto LicenseReady Made Crypto LicenseRequirementsRomania Crypto LicenseSaint Lucia Crypto LicenseSaudi Arabia Crypto LicenseSeychelles Crypto LicenseSingapore Crypto LicenseSlovakia Crypto LicenseSouth Africa Crypto LicenseSouth Korea Crypto LicenseSpain Crypto LicenseStablecoin LicenseSwitzerland Crypto LicenseSwitzerland vs Liechtenstein Crypto LicenseUAE Crypto LicenseUSA Crypto LicenseVanuatu Crypto LicenseVARA LicenseVASP Licensevs Lithuania

This article reflects 2026 market conditions and is general guidance, not legal or tax advice. Regulations change — confirm specifics with qualified counsel before acting. Consulting24 (X24Consulting OÜ, Estonian reg. 16971898) introduces vetted local lawyers and tax advisors during every engagement.

Comments

Post a Comment

Popular posts from this blog

Setting Up a Crypto Exchange in Panama: License, Structure and Banking

Image
CRYPTO LICENSE GUIDE · 2026 Panama crypto exchange license Crypto licensing across 15+ jurisdictions CONSULTING24.CO Running an exchange from Panama is entirely viable in 2026 — provided you understand that there is no named exchange license and that your real gating factor is banking and compliance, not a regulator badge. There Is No Named Exchange License Because Panama has no dedicated VASP regime, you do not apply for an 'exchange license' as such. You incorporate a Sociedad AnĂ³nima, run the exchange under existing financial-services and AML law, and operate a compliance program supervised in spirit by UAF Panama. Our exchange license page walks through how this works in practice for order-book, brokerage and OTC models. The 4 stages of getting licensed 1 Choose jurisdiction match your customers 2 Incorporate set up the entity 3 AML / KYC program the banking key 4 Open banking fiat on/off-ramps Structuring the Operating Entity Most exchange operators use a...
Read more

Panama Crypto License Requirements: The 2026 Documentation Checklist

Image
CRYPTO LICENSE GUIDE · 2026 Panama crypto license requirements Crypto licensing across 15+ jurisdictions CONSULTING24.CO The single biggest cause of delay in a Panama crypto setup is incomplete paperwork. This is the exact documentation checklist we work through with clients before incorporation and banking. Corporate Documents You will need passport copies and proof of address for every director and beneficial owner, a chosen company name (we check availability), and the intended business activity description. A Panama S.A. needs three directors; nominees are permitted where you prefer privacy. The full intake list is on our requirements page . The 4 stages of getting licensed 1 Choose jurisdiction match your customers 2 Incorporate set up the entity 3 AML / KYC program the banking key 4 Open banking fiat on/off-ramps AML/KYC Compliance Program Banks and payment processors will not onboard a crypto business without a documented compliance program. This covers your KYC onbo...
Read more

Panama vs Lithuania for a Crypto License: Which Should You Choose in 2026?

Image
CRYPTO LICENSE GUIDE · 2026 Crypto License Comparison Crypto licensing across 15+ jurisdictions CONSULTING24.CO The single most common question we get: should I license in Panama or Lithuania? The honest answer depends entirely on who your customers are. Here is the decision framework we use with clients. The Headline Trade-off Lithuania gives you an EU MiCA passport — the ability to serve EU retail customers under a recognised European regulator. That credibility costs money and time: roughly $50,000–$120,000 to set up and 4–8 months to authorise. Panama gives you speed, low cost and territorial-tax efficiency, but no EU passport. Setup is $15,000–$45,000 and 6–12 weeks. It is built for offshore-first operations that do not need to touch EU retail. The 4 stages of getting licensed 1 Choose jurisdiction match your customers 2 Incorporate set up the entity 3 AML / KYC program the banking key 4 Open banking fiat on/off-ramps Choose Lithuania If......
Read more