Sponsors · 2025-11-25
Establishing a Robust Anti-Money Laundering Due Diligence Framework for Licensed Sponsors
The Securities and Futures Commission’s (SFC) thematic review of anti-money laundering (AML) systems at licensed sponsors, published in Q1 2025, found that 62% of the 34 firms inspected had material deficiencies in their customer due diligence (CDD) procedures for initial public offering (IPO) applicants. This finding, detailed in the SFC’s Report on Thematic Inspection of AML/CFT Systems of Licensed Corporations (March 2025), marks a sharp escalation in regulatory focus. With Hong Kong’s IPO pipeline showing a 28% year-on-year increase in listing applications for the first half of 2025, reaching 198 filings, the risk of processing proceeds from illicit sources has intensified. The SFC’s 2024-2026 strategic plan explicitly targets sponsor compliance, warning that failures in AML frameworks will attract direct enforcement action under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). For licensed sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsoring) regulated activities, the margin for error has narrowed to zero. This article dissects the structural requirements for a robust AML due diligence framework, anchored in the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (paragraph 17.2) and the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (December 2023 revision).
The SFC’s Enforcement Trajectory and the 2025 Baseline
The SFC imposed a total of HKD 187 million in fines on sponsors between 2020 and 2024, with AML-related breaches accounting for 43% of that total, according to the SFC’s Annual Enforcement Reports (2020-2024). The 2025 thematic review revealed that 34% of inspected firms lacked adequate risk-based procedures for verifying the source of wealth (SOW) for IPO applicants’ controlling shareholders. This is not a theoretical concern: in the SFC v. [Redacted Sponsor] disciplinary action (SFC, 2023), the regulator found that the sponsor accepted a single bank statement as proof of SOW for a beneficial owner with HKD 2.8 billion in assets, without cross-referencing against public registries or commercial databases. The resulting fine of HKD 45 million and a 12-month suspension of the sponsor’s Type 6 licence underscores the cost of non-compliance.
The Risk-Based Approach as a Regulatory Imperative
Paragraph 17.2 of the SFC’s Code of Conduct mandates that sponsors must apply a risk-based approach (RBA) to CDD, calibrating the intensity of due diligence to the specific risks posed by the client, the jurisdiction, and the transaction structure. The 2025 thematic review found that 28% of sponsors failed to document their RBA methodology, effectively making their CDD procedures a checklist exercise rather than a dynamic risk assessment. For sponsors handling IPO applicants from high-risk jurisdictions—such as those on the Financial Action Task Force (FATF) grey list, which as of June 2025 includes 23 countries—the SFC expects enhanced due diligence (EDD) measures that go beyond standard CDD.
Key RBA Components
- Client risk scoring: Must incorporate quantitative factors such as transaction volume, geographic exposure, and beneficial ownership complexity. The SFC’s Guideline on AML/CFT (paragraph 4.12) requires a documented scoring matrix that is reviewed at least annually.
- Jurisdictional risk calibration: Sponsors must maintain an internal country risk list that aligns with FATF statements and the Hong Kong Monetary Authority’s (HKMA) Supervisory Policy Manual (AML-1, 2024 revision), which identifies 15 jurisdictions with strategic AML deficiencies.
- Transaction structure risk: For IPO structures involving special purpose vehicles (SPVs) in the Cayman Islands or British Virgin Islands (BVI), the SFC expects sponsors to trace the chain of ownership through each entity, a process that the 2025 review found was incomplete in 39% of cases.
The SOW and SOF Verification Gap
The most common deficiency identified in the 2025 thematic review was the failure to independently verify the source of wealth (SOW) and source of funds (SOF) for IPO applicants’ ultimate beneficial owners (UBOs). The SFC’s Guideline on AML/CFT (paragraph 5.8) requires that for high-risk clients, sponsors obtain documentary evidence of the economic activities generating the wealth, such as audited financial statements, tax returns, or commercial contracts. The review found that 47% of sponsors relied solely on self-declarations from UBOs, a practice the SFC explicitly rejects as insufficient.
Practical Verification Protocols
- For UBOs with wealth derived from operating businesses in the PRC, sponsors should request the latest three years of audited financial statements from the business entity, cross-referenced against the PRC State Administration of Taxation’s public filing records.
- For UBOs holding assets in Hong Kong, sponsors should verify real estate holdings through the Land Registry’s Integrated Registration Information System (IRIS), which provides ownership history dating back to 1980.
- For UBOs with wealth from investment portfolios, sponsors should obtain custodian bank statements covering at least 12 months, with the account holder’s name matching the UBO’s identity documents.
Structuring the AML Due Diligence Framework
A robust AML framework for licensed sponsors must be embedded in the firm’s operational workflow from the client onboarding stage through to the post-listing monitoring period. The SFC’s Code of Conduct (paragraph 17.3) requires that sponsors maintain a written AML/CFT policy that is approved by the board of directors and reviewed at least annually. The 2025 thematic review found that 22% of sponsors had not updated their AML policies since 2022, leaving them non-compliant with the December 2023 revision of the Guideline on AML/CFT.
Client Onboarding and Initial CDD
The initial CDD process must be completed before the sponsor enters into any engagement letter with the IPO applicant. This is a strict requirement under paragraph 5.1 of the Guideline on AML/CFT, which prohibits the establishment of a business relationship without first identifying and verifying the client’s identity. For corporate clients, this means obtaining:
- Certificate of incorporation and business registration certificate from the Hong Kong Companies Registry or equivalent authority in the jurisdiction of incorporation (e.g., the Cayman Islands Registrar of Companies).
- Register of directors and shareholders, with names and residential addresses for all directors and UBOs holding 25% or more of the shares.
- For PRC-based applicants, the business license issued by the PRC State Administration for Market Regulation, which must be verified against the National Enterprise Credit Information Publicity System.
Documentation Standards
- All identification documents must be current (issued within the last six months for identity cards, within the last three months for utility bills or bank statements used for address verification).
- For non-Hong Kong residents, the sponsor must obtain a certified copy of the passport and a recent utility bill or bank statement from the country of residence. The SFC’s 2025 review found that 31% of sponsors accepted uncertified copies, which is a direct violation of paragraph 5.3 of the Guideline.
Enhanced Due Diligence for High-Risk Clients
When a client is assessed as high-risk under the RBA, the sponsor must apply EDD measures that go beyond standard CDD. Paragraph 5.14 of the Guideline on AML/CFT specifies that EDD must include:
- Obtaining additional information on the client’s business and the source of funds for the transaction.
- Conducting more frequent and intensive monitoring of the business relationship.
- For clients from jurisdictions on the FATF grey list, obtaining senior management approval before establishing the business relationship.
Case Example: High-Risk Jurisdiction Client
A sponsor handling an IPO applicant with UBOs resident in a FATF grey-listed jurisdiction (e.g., Myanmar, as of June 2025) must:
- Obtain a legal opinion from a qualified lawyer in that jurisdiction confirming the legitimacy of the UBO’s business activities.
- Request independent verification of the UBO’s SOW from a third-party commercial database, such as Dow Jones Risk & Compliance or World-Check.
- Submit the client relationship for approval by the sponsor’s AML Compliance Officer, who must document the rationale for proceeding in a written memorandum.
Ongoing Monitoring and Suspicious Transaction Reporting
The AML framework does not end at the IPO listing date. Paragraph 5.20 of the Guideline on AML/CFT requires sponsors to conduct ongoing monitoring of the business relationship, including reviewing transactions against the client’s risk profile and updating CDD information at least annually. For listed companies, this means monitoring the trading activities of controlling shareholders and significant UBOs for unusual patterns.
Suspicious Transaction Reporting (STR) Obligations
- Under section 25A of the Organized and Serious Crimes Ordinance (Cap. 455), a sponsor must file an STR with the Joint Financial Intelligence Unit (JFIU) if it knows or suspects that any property is proceeds of crime.
- The SFC’s 2025 review found that 18% of sponsors had no documented procedures for identifying and escalating suspicious transactions, creating a gap that exposes the firm to criminal liability.
- Sponsors must maintain a log of all STRs filed, with the date, transaction details, and rationale for the suspicion. This log must be available for inspection by the SFC during routine examinations.
The Role of Technology and Third-Party Providers
The SFC’s Guideline on AML/CFT (paragraph 6.1) permits sponsors to rely on third-party providers for CDD, but the sponsor retains full responsibility for the adequacy of the due diligence performed. The 2025 thematic review found that 26% of sponsors outsourced CDD to external vendors without conducting any independent verification of the vendor’s outputs, a practice the SFC considers a breach of paragraph 6.3.
Automated Screening and Transaction Monitoring
The adoption of automated AML screening tools is now a baseline expectation, not a competitive advantage. The SFC’s 2025 review noted that 14% of sponsors still relied on manual screening of client names against sanctions lists, a method that is inadequate given the volume of updates—the United Nations Security Council updates its sanctions lists an average of 12 times per year, while the U.S. Office of Foreign Assets Control (OFAC) issues over 200 updates annually.
System Requirements
- The screening tool must cover all applicable sanctions lists, including the UN Consolidated List, the OFAC Specially Designated Nationals (SDN) List, the EU Consolidated List, and the Hong Kong United Nations Sanctions Ordinance (Cap. 537) lists.
- The system must generate an audit trail for every screening result, including the name screened, the list matched, the date, and the disposition of the alert.
- For transaction monitoring, the system must flag transactions above a threshold set by the sponsor’s RBA—typically HKD 500,000 for IPO-related transactions—and generate alerts for unusual patterns, such as rapid movements of funds between unrelated accounts.
Vendor Due Diligence
When using a third-party provider for CDD, the sponsor must conduct initial and periodic due diligence on the vendor. Paragraph 6.4 of the Guideline on AML/CFT requires that the sponsor:
- Obtain the vendor’s AML/CFT policy and procedures.
- Verify that the vendor is licensed or registered in its home jurisdiction for AML services.
- Conduct an on-site review of the vendor’s operations at least once every two years.
Contractual Safeguards
- The service agreement must include a clause allowing the sponsor to audit the vendor’s AML systems and records at any time.
- The vendor must agree to notify the sponsor immediately of any material changes to its AML procedures or any regulatory action taken against it.
- The sponsor must retain copies of all CDD records provided by the vendor for at least five years after the termination of the business relationship, as required under paragraph 7.1 of the Guideline.
The Compliance Officer and Internal Controls
The SFC’s Code of Conduct (paragraph 17.4) mandates that every licensed sponsor appoint a compliance officer who is responsible for overseeing the AML/CFT framework. The 2025 thematic review found that 24% of sponsors had compliance officers who also held business development roles, creating a conflict of interest that the SFC considers unacceptable.
The Compliance Officer’s Mandate
The compliance officer must have direct access to the board of directors and the authority to approve or reject client relationships based on AML risk. The officer must:
- Conduct at least two AML training sessions per year for all sponsor staff, with attendance records maintained for SFC inspection.
- Prepare a quarterly AML compliance report for the board, detailing the number of high-risk clients onboarded, any STRs filed, and any deficiencies identified in internal audits.
- Maintain a register of all AML-related incidents, including near-misses, with root cause analysis and corrective actions taken.
Staff Training Requirements
- The SFC’s Guideline on AML/CFT (paragraph 8.2) requires that training cover the sponsor’s AML policies, the RBA methodology, the process for identifying suspicious transactions, and the legal obligations under Cap. 615.
- Training must be tailored to the staff member’s role. Deal team members should receive practical training on verifying SOW documents, while compliance staff should focus on the technical aspects of sanctions screening and STR filing.
- The 2025 review found that 37% of sponsors provided generic training that did not address the specific risks of IPO transactions, a gap that the SFC flagged as a priority for remediation.
Internal Audit and Independent Review
Paragraph 8.4 of the Guideline requires that sponsors subject their AML/CFT framework to an independent audit at least once every two years. The audit must be conducted by a person or firm that is not involved in the sponsor’s day-to-day AML operations. The 2025 review found that 19% of sponsors had not conducted an independent audit since 2022, leaving them vulnerable to undetected deficiencies.
Audit Scope
- The audit must assess the effectiveness of the RBA methodology, the adequacy of CDD documentation, the accuracy of sanctions screening, and the timeliness of STR filing.
- The auditor must issue a written report with findings and recommendations, which must be presented to the board within 30 days of completion.
- The sponsor must document its response to each audit finding, including the timeline for remediation.
Actionable Takeaways for Licensed Sponsors
- Conduct an immediate gap analysis against the SFC’s March 2025 thematic review findings, focusing on the 62% deficiency rate in CDD procedures, and remediate any identified shortfalls within 90 days to pre-empt enforcement action.
- Implement a documented risk-based approach methodology that includes a quantitative scoring matrix for client, jurisdictional, and transaction risks, updated at least annually and approved by the board.
- Mandate independent verification of source of wealth for all IPO applicant UBOs, requiring audited financial statements or tax returns for operating businesses and custodian bank statements for investment portfolios, with no reliance on self-declarations alone.
- Deploy automated AML screening tools that cover all applicable sanctions lists and generate audit trails for every screening result, with a transaction monitoring threshold calibrated to the sponsor’s risk appetite.
- Appoint a dedicated compliance officer with no conflicting business development responsibilities, ensuring quarterly AML reporting to the board and biannual staff training tailored to IPO-specific risks.